Archive for September, 2011
Last week I shared part one of John Burnham’s discussion of the INSA study released earlier this month. In this post, we continue the conversation and move onto the role of Security Intelligence as a cloud and how it could be used as part of a comprehensive cyber-strategy.
John cites a QRadar Security Intelligence customer, The Salt River Project (the nation’s third-largest public power and utility company), as an example of an organization that has used next-gen SIEM to cross organizational divides. He explains that the federal government could deploy Security Intelligence across all organizations under the umbrella of the Department of Homeland Security (DHS) to collect and report data securely and confidentially to DHS, much like The Salt River Project has done to collect intelligence across its several internal agencies.
Watch the video to hear what else John thinks the Federal Government could be doing to strengthen its strategy for preventing cyber-threats.
I recently returned from the Gartner Security Summit in London, an annual affair. While it was moved back to the stodgy Hotel Lancaster (it was in a shiny new hotel on the Thames last year), it was highly attended and very, very active. Since last year, the news has been all about prominently disclosed attacks, internal and external, so the over-arching theme was sophisticated attacks. That awareness of risk and threat is solidly at the BoD level with Gartner clients, and the edict from on high: get our house in order, as it is only a matter of time and in fact we probably have already been breached to some extent.
Enterprise Security Intelligence is a pervasive theme with Gartner Security and Risk Management teams, and so it was at the event as well. But similar to the Washington DC event this past summer, there were far more sessions on “how to…” define your needs relative to your unique environment. And compliance has become table stakes, checklist tactics rather than an end in itself. And of course this prioritization is spot on: compliance does not equal a measurable, defensible security and risk posture.
One of the best sessions was on risks associated with cloud-sourced services. The content was pragmatic, focused on specifics, such as:
- Diverse tenancy is a new world, versus a controlled environment. Your competitors could be using the same cloud platform, for example.
- Public access: where are the controls?
- Economic Denial of Service: a newly coined term meaning a targeted attack designed to spin up gobs of storage = gobs of cost, billed to you!
Some bits of note (can you spot my Brit vernacular?):
- Security monitoring is essential for any use case within cloud services, be they hosted, on-prem, or MSSP-driven
- Cloud was primarily Public Cloud, versus virtual datacenter, in the sessions I attended
- In one session on Security Monitoring, a definition of Security Intelligence was put forth:
  - data is gathered: more is better
  - reasoning is applied, in the form of analytics
  - actionable information drives a decision
Pretty high level in my view, but maybe less is more.
The recent trading fraud at UBS by a rogue employee closely resembles (not least in the amount of money lost) an earlier occurrence at Société Générale in 2008. In both cases the alleged perpetrators were exchange-traded fund specialists; both had back-office experience prior to joining a trading desk (experience that helped them cover their tracks); and while both had triggered internal trading alarms over the years, it was finally the turbulence in the markets of 2008 and 2011 that ultimately exposed their fraud and associated losses.
Now I am certainly not claiming that SIEM solutions would have caught these complex trade patterns and anomalies today, though there is some interesting research being conducted to extend correlation to trading patterns, and there are specific fraud detection technologies for financial applications. What I am pointing out is the analogy, a very powerful one if you are trying to sell the value of implementing SIEM and Security Intelligence within your environment.
Before the world recognized them as rogue traders, these were trusted employees with sophisticated knowledge of the internal workings of company systems. Their trading activities had raised a number of alarms over the years, but these alarms lacked context about associated actions (the other trades they made to cover their tracks) and were likely lost in the noise of all the other alarms that may occur across a large trading desk. Does this sound familiar?
I believe the analogy is apt. Increasingly we see our customers wanting to monitor the actions of users and detect the anomalies in their interactions with applications and systems. The Wall Street Journal recently posted an interesting article about the challenge that users or trusted insiders present from a security standpoint. You don’t have to look much further than UBS or SocGen to understand the ramifications of fraud by trusted employees.
This is part 3 of an ongoing series of posts that answer “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask.”
In previous posts, we examined what Security Intelligence (SI) is and how modern SI solutions differ from the previous generation of products. Now let’s look at some practical questions about Security Intelligence products.
Many IT professionals and business executives have a skewed perception of what SI solutions – with SIEM as the anchor tenant – deliver, and what they require. Unlike first-generation SIEM and log management products, which earned a reputation for high complexity and cost, today’s Security Intelligence offerings are designed for rapid implementation, a short learning curve and low ongoing staffing requirements.
A fundamental difference between first-gen products and modern ones is whether they are built as toolkits or more finished solutions. Early SIEM vendors advanced the false claim that every deployment needed to be so customized that it made little sense to provide any out-of-the-box value. Everything useful would be built from scratch using the toolkit and a massive dose of professional services. Current solutions, however, prove that pre-packaged functionality and extensive customizability are not mutually exclusive. Let’s examine what today’s SI offerings bring.
While any user will benefit from some network security experience, successful solutions have innovated around the three tenets of Security Intelligence – Intelligence, Integration and Automation – to make it easier for all users to get productive quickly. Here’s how:
- Writing correlation rules used to be a complex endeavor, and still is with legacy SIEM products. But modern Security Intelligence products boil this down. If you’ve filtered email in your favorite email client or Web app, you can write correlation rules in a respectable SI product. And you can still build sophisticated, multi-step rules for global and local correlation.
- SI solutions also save users time by allowing them to define value lists (e.g., IP addresses or user names) that are used as variables within rules, filters and reports – saving them from having to manually update lists in many places. The more innovative products even allow these lists to be populated programmatically.
- The integration capabilities delivered out-of-the-box today are a huge enabler of end user productivity. Normalization of the data from hundreds of sources prevents customers (and consultants) from having to become experts in each third-party vendor’s data schema. For example, a compliance mandate might require documenting authentication events (failed logins, successful logins, successful logins followed by a privilege escalation, etc.). With Security Intelligence, customers no longer have to track that manually across dozens of assets, each with its own data schema.
- Security Intelligence solutions also automate many of the tedious manual tasks that used to take so much time and drive up the total cost of ownership. They can auto-discover network resources, auto-tune settings, and offer appliance form factors for easy deployment.
- Numerous out-of-the-box reports are provided for different audiences, including senior executives and auditors. Security and networking staff no longer need to spend excessive time just building reports.
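To make the list above concrete, here is an added example (my own illustration, not code from the original post or from QRadar) of the normalize-then-correlate pattern it describes: events from two constructed log formats (OpenSSH/sudo syslog lines and a hypothetical CSV export of Windows logon events) are mapped onto one schema, a reference list of privileged accounts is used as a variable inside a rule, and two rules run over the unified stream, including the "successful login followed by privilege escalation" case the post mentions. Windows event IDs 4624, 4625 and 4672 are real IDs, but the CSV layout, hostnames, user names, addresses, time windows and thresholds are all constructed for the demo.

```python
"""Normalization + correlation-rule sketch. Added example, not vendor code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample input from two sources with different schemas -------
SSHD_LINES = [
    "2011-09-20T10:00:01 host1 sshd[101]: Failed password for alice from 10.0.0.5 port 5222 ssh2",
    "2011-09-20T10:00:05 host1 sshd[101]: Failed password for alice from 10.0.0.5 port 5223 ssh2",
    "2011-09-20T10:00:09 host1 sshd[101]: Failed password for alice from 10.0.0.5 port 5224 ssh2",
    "2011-09-20T10:00:20 host1 sshd[102]: Accepted password for alice from 10.0.0.5 port 5225 ssh2",
    "2011-09-20T10:02:00 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "2011-09-20T11:00:00 host1 sshd[103]: Accepted publickey for backup_svc from 10.0.0.7 port 4000 ssh2",
    "2011-09-20T11:00:05 host1 sudo: backup_svc : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/rsync",
]
# Hypothetical CSV export: timestamp,host,event_id,user,source_ip (layout is constructed)
WINDOWS_LINES = [
    "2011-09-20 10:05:00,WIN-DC1,4625,bob,10.0.0.9",
    "2011-09-20 10:06:30,WIN-DC1,4624,bob,10.0.0.9",
    "2011-09-20 10:07:00,WIN-DC1,4672,bob,10.0.0.9",
    "2011-09-20 10:30:00,WIN-DC1,4624,carol,10.0.0.11",
]

# Reference list used as a variable inside a rule (the post's "value list").
# Maintained in one place; every rule that needs it reads it from here.
PRIVILEGED_ACCOUNTS = {"backup_svc"}

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^(?P<ts>\S+) \S+ sudo: (?P<user>\S+) : .*USER=(?P<target>\S+)")
# Windows event id -> normalized category (4625 failure, 4624 success, 4672 special privileges)
WIN_CATEGORY = {"4625": "auth.failure", "4624": "auth.success", "4672": "priv.escalation"}


def parse_unix(line):
    """Map an sshd or sudo syslog line onto the common event schema, or None if unknown."""
    m = SSHD_RE.match(line)
    if m:
        cat = "auth.success" if m["result"] == "Accepted" else "auth.failure"
        return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"], "ip": m["ip"], "category": cat}
    m = SUDO_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"], "ip": None, "category": "priv.escalation"}
    return None


def parse_windows(line):
    """Map one row of the constructed CSV export onto the common event schema."""
    ts, _host, event_id, user, ip = line.split(",")
    cat = WIN_CATEGORY.get(event_id)
    if cat is None:
        return None
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "category": cat}


def normalize(unix_lines, windows_lines):
    """One time-ordered stream; rules never need to know which vendor format an event came from."""
    events = [e for e in map(parse_unix, unix_lines) if e]
    events += [e for e in map(parse_windows, windows_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def rule_failures_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Offense when >= threshold failures for the same user/source are followed by a success within window."""
    offenses, failures = [], defaultdict(list)
    for e in events:
        key = (e["user"], e["ip"])
        if e["category"] == "auth.failure":
            failures[key].append(e["ts"])
        elif e["category"] == "auth.success":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                offenses.append({"rule": "failures_then_success", "user": e["user"], "ip": e["ip"], "ts": e["ts"]})
            failures[key].clear()
    return offenses


def rule_login_then_escalation(events, window=timedelta(minutes=10)):
    """Offense when a login is followed by privilege escalation by an account not on the privileged list."""
    offenses, last_login = [], {}
    for e in events:
        if e["category"] == "auth.success":
            last_login[e["user"]] = e["ts"]
        elif e["category"] == "priv.escalation" and e["user"] not in PRIVILEGED_ACCOUNTS:
            t = last_login.get(e["user"])
            if t is not None and e["ts"] - t <= window:
                offenses.append({"rule": "login_then_escalation", "user": e["user"], "ts": e["ts"]})
    return offenses


def run_rules(unix_lines=SSHD_LINES, windows_lines=WINDOWS_LINES):
    events = normalize(unix_lines, windows_lines)
    return rule_failures_then_success(events) + rule_login_then_escalation(events)


if __name__ == "__main__":
    for offense in run_rules():
        print(offense)
```

On the sample data the run yields three offenses: alice's three failures followed by a success, alice's sudo shortly after that login, and bob's 4672 after his 4624. backup_svc performs the same login-then-escalation sequence but is suppressed by the reference list, which is the point of keeping such lists as shared variables rather than hard-coding exceptions into each rule.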
One large customer, a Fortune 200 financial institution, uses only four people to manage a worldwide SI deployment that monitors billions of daily events, and those individuals also manage several other security products. The company has dramatically improved its security and risk posture without adding any security headcount.
Another customer, Arkansas Children’s Hospital, saw an increase in the speed and efficiency of its two-person security response team after deploying a modern SI solution. Watch the video to hear directly from Chris Wilkins.
Ultimately, any Security Intelligence user will need some training and time to make full and effective use of the software. SI solutions, after all, are sophisticated enterprise software. But a modern Security Intelligence product lowers the bar for new users and ultimately becomes a force multiplier – enabling order-of-magnitude productivity increases in security operations.
What do you think? What have you observed with regard to staffing requirements for SI products?
SIEM has come a long way over the years, evolving from a relatively simple point solution to a more intelligent, integrated and automated enterprise IT security solution. We thought it would be interesting – and fun – to put together an infographic to try and make sense of it all.
Why bother creating an infographic on SIEM? It has an interesting history. SIEM was originally plagued by a somewhat painful implementation process, difficult-to-integrate data sources, limited scalability, and an intensely manual reporting process requiring analysts to do the heavy lifting. Reporting and analytics have greatly improved along with scalability, collection, and integration of third-party data sources. Not only does this evolution make day-to-day life easier for IT Security professionals, but it decreases breach response time, remediation time, and the total cost of a breach.
In fact, this infographic is about more than just SIEM. It’s about the evolution of SIEM, expanding into adjacent solutions, to add essential contextual data and achieve total security intelligence. Considering recent announcements by other vendors, security intelligence has become more than just a popular term. As one of my colleagues explained in his post last month, security intelligence is “a holistic approach to viewing and managing the security and risk posture of an organization.”
How did we do? Let us know in the comments below if we left anything out. Of course, as the industry progresses, so will this Infographic. We are excited to see how SIEM, and security intelligence, further evolves.