Archive for October, 2011
Posted by Melissa Stevens in In the Industry, Q1 Labs, Security Intelligence
Since early October, there’s been a lot of buzz surrounding the IBM acquisition of Q1 Labs and the formation of the new Security Division. Now that the deal has closed, I’d like to share with you a letter from our leader, the former CEO of Q1 Labs and new General Manager of IBM Security Systems, Brendan Hannigan.
“On October 26, the acquisition of Q1 Labs closed, adding industry leading security intelligence products to the newly formed IBM Security Systems division.
This development comes at a critical time; threats have escalated with criminals specifically targeting companies with sophisticated and patient attacks. Attack vectors have increased as criminals target from outside, inside and from a multitude of software bots, trojans and system infections. Companies are overwhelmed with poorly integrated point security products, which, in many cases, are narrowly focused on perimeter protection. Despite significant investments, many companies suffer high profile breaches, targeted theft and espionage.
As IBM Security Systems, we are uniquely qualified to deliver security products that span users, applications, databases and networks. IBM, the leader in delivering business intelligence solutions to the market, can now deliver security intelligence and analytics solutions to clients worldwide. By integrating these capabilities, clients can benefit from broad protection that spans their enterprise. We can now deliver unrivaled security services to help our clients.
The new division will build on IBM’s long-standing focus on delivering security solutions to clients. IBM already operates the world’s broadest security research and development organization, comprising 18 security operations and research centers, 11 software security development labs, and three Institutes for Advanced Security. We employ thousands of security experts globally, hold 3,000 security patents, and monitor billions of security events per day. At inception, IBM Security Systems will be one of the largest security players in the industry.
I hope you share my enthusiasm about the opportunity that lies ahead for the IBM Security Systems division and for Q1 Labs as a part of IBM. Our greatest satisfaction will come from our collective ability to help clients address the pressing security challenges they face today.”
We welcome your thoughts and comments on this news. For more information, visit www.ibm.com/security.
Posted by Melissa Stevens in Cybersecurity, Threat Management

In April 2010, Tom Turner published this post on the business aspects of cyber security risks, and on how more than just the CSO needs to find a seat at the security table. While he references older data, I think this post is still very timely, especially considering that the frequency of attacks seems to be increasing every day, and companies are still struggling to come to terms with what a breach costs both them and their customers (in dollars and in reputation). Even more importantly, as the government is considering enacting legislation that will require breaches to be disclosed, all the stakeholders in a company need to agree on how they will respond when a breach inevitably does occur.
Read on to see why Tom thinks cyber security needs to move “from being the sole responsibility of the IT department to a focus on risk management & business intelligence, organization wide integration and streamlined automation across the entire organization…” and how he thinks that can be accomplished.
***
Clearly, CIOs, CSOs and CISOs are concerned about cyber security, but are there other C-Level executives who should be concerned? According to a new report from the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) entitled “The Financial Management of Cyber Risk: An Implementation Framework for CFOs”, CFOs need to play a leading role in defending their company against cyber attacks as well.
Why? One reason is that American businesses lost more than $1 trillion dollars in intellectual property in 2008 and 2009 due to cyber attacks and the severity and frequency of these attacks is only getting worse – and this number doesn’t include the cost of losing customers and the negative impacts on share value. Yet, despite the threat and potential for loss, only 5% of US companies have a CFO directly involved in protecting their organization from cyber attacks.
In most cases, cyber security is handled by the information technology (IT) department, which must then attempt to work across a number of departments in order to secure the organization’s entire network. This creates a significant challenge for IT directors, as their often resource-constrained departments struggle to keep pace with downsizing and reduced budgets while facing an exponentially growing threat. In addition, this leaves organizations needlessly vulnerable, a notion supported by Verizon’s 2008 Data Breach Investigations Report, which shows that 87% of breaches could have been avoided through reasonable security controls. At the same time, PricewaterhouseCoopers’ “The Global Information Security Survey” shows that organizations that follow best practices have zero downtime and zero financial impact from cyber attacks.
The report goes into great detail on how to begin the process of engaging the CFO and implementing an organization-wide approach to cyber security; I’ll leave you to discover that on your own. I do, however, want to touch on one of the key issues regarding changing the dynamics within the organization so that cyber security moves from being the sole responsibility of the IT department to a focus on risk management & business intelligence, organization wide integration and streamlined automation across the entire organization, or the Intelligent Integrated Automated model.
We know that the IIA (integrated, intelligent and automated) model works because more than 1,000 organizations world-wide have adopted it. We know that it dramatically improves an organization’s security posture because it helps security professionals prevent, defend against, respond to, remediate and analyze policy violations, intrusions & exploits. We also know that IIA both delivers the tools that the IT department needs to protect the organization’s assets while allowing stakeholders to gain access to information that is important to them so that they can make a decision.
The primary barrier to changing the dynamics in the organization and beginning to work toward total security intelligence (operationalizing security management into your business or organization) is that the business case is difficult to make to what technology experts are calling digital immigrants – i.e., those who don’t speak technology as a primary language – and this barrier can be even more difficult in organizations where compliance mandates – i.e., PCI, FISMA, etc. – do not force the issue. IIA makes the business case for you, as it helps non-technology executives understand what to do before an attack, during an attack and after an attack – and then shows them how it gets implemented & scaled and how it can take a complex network that generates over 2 billion logs a day and reduce that down to 25 high priority offenses that can be remediated.
In order to get the IIA message through to digital immigrants, cyber security professionals need to be able to break down the risks and potential losses that the company could incur due to a cyber attack and show what proactive measures are currently in place, what steps are in place if an attack does occur and what to do in a post-exploit environment.
Maybe the best message to engage other non-technology C-Level executives in the cyber security conversation is that it is not just about compliance, it’s about protecting the company financially from the growing risk of cyber attacks by putting in place the best people, superior technology and a template to ensure best practices are followed, as PricewaterhouseCoopers’ report shows, to work to achieve zero downtime and zero financial impact from cyber attacks.
Posted by Melissa Stevens in Security Intelligence, SIEM
ComputerWorld recently posed the question, “Where’s the Steve Jobs of IT Security?” and it really got me thinking. What was life like before Steve Jobs came along and brought us the Macbook, the iPod, the iPad and best of all, the iPhone? Clunky. That’s the best way I can describe it.
I remember seeing my grandfather whip out his “first gen” mobile phone when I was a kid and thinking “WOW!”. It still had a cord and was the size of our home phone, but you could use it in the CAR! Talk about mind blowing… And don’t even get me started on his PDA (which more or less resembled my old graphing calculator). Imagine never having to remember another phone number again!
Fast forward 20 years and now we’re searching the web, connecting with friends on Facebook, sending text messages and getting help from our personal assistant, Siri. All on a light, portable phone (but hopefully not while driving) that fits in a pocket. Technology sure is a lot sleeker!
Is it possible that this is what it was like using SIEM before Security Intelligence?
Sure, having a first gen SIEM let security professionals do their job better than before. But it soon gained a reputation for being expensive, complex, and requiring lots of staffing and add-ons to do the job that was expected. You couldn’t just take it out of the box and plug it in. It was a tool kit, requiring every deployment to be a custom solution with a heavy dose of professional services. Vendors defended this by saying that every customer’s needs were different, and dismissing the idea there could be any commonality in requirements. But let’s get real; those vendors were just being lazy.
Today, we have the QRadar Security Intelligence Platform. QRadar is the iPhone of the Security Intelligence world – and while security pros might not queue up around the block to get the latest version, they’re still amazed by what each new release delivers. Like with an iPhone, customers are impressed by its ease of use and intelligence. The platform comes ready with hundreds of reports, correlation rules, dashboard views and third-party device integrations, meaning you don’t have to wait long to get value from your SIEM investment. It can start collecting data as soon as you plug it in, just like Adobe Systems found. Next-gen SIEM solutions were designed with the end user in mind- much like the iPhone, which was revolutionary for its time with its touch screen technology, built-in apps and integrated media platform.
Now, all of these comparisons might seem far-fetched, but I hope they have you thinking. The ComputerWorld article attributes some of Jobs’ success to the simple design and user interfaces he adopted. Meaning, people liked his products because they were easy to use, didn’t take much to get going, and had the user experience in mind when they were created. This is what our developers had in mind when they created QRadar, an intelligent, integrated and automated next-gen SIEM and Security Intelligence solution. They delivered an offering that is easy on the eyes, highly automated and delivers an intuitive experience to the user. Jobs-esque indeed!
***
To read more about the difference between first gen and next gen SIEM, click here.
Posted by Michael Applebaum in Cybersecurity, Security Intelligence, Threat Management
Give up the façade of control. Trust no one. Verify everything. Resistance is futile.
Okay, I added the last statement, but the first three come straight from a recent Forrester Research report, “Applying Zero Trust to the Extended Enterprise” by John Kindervag. In today’s zero-trust environment – driven by mobile computing, cloud computing, social media and partner collaboration – it’s impossible to control the network perimeter, the number of users accessing the network or the configuration of devices connecting to the network. It’s also impossible to predict when an employee will attempt insider theft or fraud, rendering the notion of a trusted insider obsolete.
As John first wrote last year:
“The concept that there are trusted and un-trusted users is errant and dangerous. This is something we call Zero Trust. … Some of the key components of Zero Trust are that all users are un-trusted and that all traffic, both internal and external, must be inspected and logged.”
This blurring of profiles between internal and external networks means organizations must perform comprehensive monitoring and analysis of all their networks, all the time.
John’s absolutely correct in my view (he was a security systems integrator before joining Forrester), but how do you do it?
Let’s consider three of the report’s recommendations, and apply practical Security Intelligence solutions for implementing them:
- Monitor what users are doing on the network. Forrester advises companies to monitor their employees’ activity on the network, because as the 2011 Verizon Data Breach Investigations Report notes, “insiders were at least three times more likely to steal IP [intellectual property] than outsiders.” This can be accomplished with a user activity monitoring solution that establishes baseline patterns of activity for each user, and then creates alerts when anomalous behavior is observed – applications/systems accessed, volumes of data sent/received, and so on. Security Intelligence solutions today provide a 360-degree view into what users are actually doing and the potential impact of their activities – by collecting and correlating not only log data, but also Layer 7 network flows, asset data, configuration information and vulnerability data to cover the pre-threat exposures.
- Inspect and log all traffic. As if you needed another reason to collect and analyze logs, Forrester highlights one of the Verizon breach report’s more striking observations – that good evidence of breaches usually exists in the victims’ log files. John therefore recommends “inspect[ing] and log[ging] all traffic… [using] threat mitigation controls such as firewalls and network IPSes, security information management (SIM) solutions, and network analysis and visibility (NAV) tools.” Logging is already well understood and commonly performed, but inspecting all traffic? That’s a whole other animal. One of the key points I take from this report is the importance of triangulating intelligence on risks and threats through multiple types of network data – logs from firewalls and IPSes, network flows from NAV solutions, and much more, all correlated and analyzed by a SIM/SIEM solution. Logs, even from multiple sources, aren’t enough any longer; deeper network insight is required. Security Intelligence technologies are equipped to provide just that through Layer 7 flow analysis which is incorporated into a holistic and strategic security solution.
- Deploy NAV tools to watch data flows and user behaviors. This recommendation elaborates on the need for situational awareness via proactive monitoring of internal networks. Would you know if an employee were stealing valuable product plans? Or downloading customer data to take to a competitor? Or if his system had been silently compromised by a bot? These are often difficult to detect until well after the fact, if ever. But a modern Security Intelligence solution will consume and correlate all the data you need to identify these scenarios in real time, by taking a 360-degree view of suspected incidents and ruling out false positives. That may sound like a tall order given the frequently massive data volumes involved, but current solutions are architected for just this kind of scale.
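As an added illustration of the first recommendation (this is example code, not from the post or any vendor product), here is a minimal per-user baseline of the kind described above: it learns which applications each user touches and their daily sent-byte totals from constructed sample records, then flags a never-seen application and a volume spike on the observed day. The record layout, the mean-plus-k-standard-deviations threshold and the sample data are all assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample records (day, user, application, bytes_sent);
# not real log data. Seven baseline days, then one observed day.
BASELINE = (
    [(d, "alice", "crm", 40_000 + 2_000 * (d % 3)) for d in range(1, 8)]
    + [(d, "alice", "mail", 10_000 + 500 * (d % 2)) for d in range(1, 8)]
)
OBSERVED = [
    (8, "alice", "crm", 41_000),        # in line with past days
    (8, "alice", "fileshare", 3_000),   # application alice has never used
    (8, "alice", "mail", 900_000),      # bytes sent far above her norm
]


def build_baseline(records):
    """Per user: set of applications used and bytes sent per day."""
    apps = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, user, app, nbytes in records:
        apps[user].add(app)
        daily[user][day] += nbytes
    return apps, daily


def detect_anomalies(baseline_records, observed_records, k=3.0):
    """Return (user, reason, detail) alerts for the observed records.

    A 'new_application' alert fires when a user touches an application
    absent from their baseline; a 'volume_anomaly' alert fires when the
    day's sent-byte total exceeds mean + k * stddev of the baseline days
    (assumed threshold; a floor of 1 byte keeps a flat history usable).
    """
    apps, daily = build_baseline(baseline_records)
    alerts = []
    today = defaultdict(int)
    for day, user, app, nbytes in observed_records:
        if app not in apps[user]:
            alerts.append((user, "new_application", app))
        today[user] += nbytes
    for user, total in today.items():
        history = list(daily[user].values())
        if not history:            # no baseline yet: nothing to compare
            continue
        spread = max(statistics.pstdev(history), 1.0)
        if total > statistics.mean(history) + k * spread:
            alerts.append((user, "volume_anomaly", total))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(BASELINE, OBSERVED):
        print(alert)
```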
Ultimately, I suspect that most security and networking professionals realize “zero trust” is the right approach to take. The question is how to embrace that view and evolve one’s security operations.
Hopefully the ideas suggested here – and in my “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask” blog series – will provide ideas and inspiration to enhance your own security posture. Please share any thoughts on how you are evolving your organization’s security operations to respond to the new zero-trust reality.
Posted by Melissa Stevens in In the Industry, Log Management, SIEM
“… deployment is not the hard part, at least for modern SIEMs; the trick is deriving continuous value from SIEM and customizing it to your evolving needs.”
Are you seeing real value from your SIEM deployment? Have you gone beyond compliance and started defining use cases your SIEM can help solve? Read this post by Chris Poulin, CSO at Q1 Labs, to understand the phases of a SIEM deployment and how to get the most out of your technology investment.
This article was originally published by Chris Poulin in Security Week on October 18, 2011 in their Experts column. You can read the full post here.
***
Typical SIEM deployment conversation:
Vendor: Ms Customer, now that you’ve purchased our shiny new SIEM, complete with new SIEM smell, what use cases would you like to implement?
Customer: Um, well, I don’t know. What should we do with it?
Vendor: Well, what would you like to do with it?
Ad infinitum…
The reality is most SIEM and Log Management deployments are purchased to satisfy a compliance need: PCI, HIPAA, NERC, FISMA, GPG 13 – the list goes on. And while log management and reporting, which comprise the lion’s share of technical controls prescribed by most regulations and compliance documents, are important, a properly deployed SIEM can add tremendous value to an organization’s security program. Customers know that applying SIEM to the single task of compliance is like stamping a check box with a sledgehammer, but many don’t have a good sense of SIEM’s full potential, so they look for the vendor or VAR to provide guidance.
SIEM, on the other hand, is highly context dependent. Okay, that’s a bit of a lie. There are a number of general use cases that can be applied to just about all customers: botnet detection, excessive authentication failures, traffic from darknets, IDS alerts that a particular attack is targeting an asset that the VA scanner confirms is vulnerable to that exploit. Vendors typically provide these as out-of-the-box content in the form of rules (with alerts), dashboard widgets, reports, and saved searches. Sales reps point to this as proof of how easy it is to deploy their SIEM. Taken literally, that’s true: deployment is not the hard part, at least for modern SIEMs; the trick is deriving continuous value from SIEM and customizing it to your evolving needs.
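Two of the general use cases listed above, worked as an added example in Python (this is illustrative code, not QRadar content or anything from the article): an IDS alert is promoted to a high-severity offense only when the vulnerability assessment scanner has confirmed that the targeted asset carries the vulnerability the signature exploits, and an excessive-authentication-failure rule counts failed logons per user. All ids, addresses, the signature-to-vulnerability mapping and the failure threshold are constructed placeholders.

```python
from collections import Counter

# Constructed sample inputs (placeholder ids, not real signatures or CVEs).
IDS_ALERTS = [
    {"src": "198.51.100.7", "dst": "10.0.0.5", "sig": "EXAMPLE-SIG-A"},
    {"src": "198.51.100.7", "dst": "10.0.0.9", "sig": "EXAMPLE-SIG-A"},
    {"src": "203.0.113.4", "dst": "10.0.0.5", "sig": "EXAMPLE-SIG-B"},
]
# VA scanner result: asset -> vulnerabilities the last scan confirmed.
VA_RESULTS = {"10.0.0.5": {"EXAMPLE-VULN-1"}, "10.0.0.9": set()}
# Which vulnerability each IDS signature tries to exploit (assumed mapping).
SIG_TO_VULN = {"EXAMPLE-SIG-A": "EXAMPLE-VULN-1", "EXAMPLE-SIG-B": "EXAMPLE-VULN-2"}
# Authentication events as (user, outcome) pairs.
AUTH_EVENTS = [("bob", "failure")] * 6 + [("alice", "failure"), ("alice", "success")]


def correlate_ids_with_va(alerts, va_results, sig_to_vuln):
    """Rank each IDS alert by whether the target is actually exposed.

    An alert becomes a high-severity offense only when the scanner has
    confirmed, on the target asset, the vulnerability the signature
    exploits; otherwise it stays low, so analysts see real risk first.
    """
    offenses = []
    for alert in alerts:
        vuln = sig_to_vuln.get(alert["sig"])
        exposed = vuln is not None and vuln in va_results.get(alert["dst"], set())
        offenses.append({"dst": alert["dst"], "sig": alert["sig"],
                         "severity": "high" if exposed else "low"})
    return offenses


def excessive_auth_failures(events, threshold=5):
    """Users with at least `threshold` failed logons (assumed threshold)."""
    fails = Counter(user for user, outcome in events if outcome == "failure")
    return {user: n for user, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    for offense in correlate_ids_with_va(IDS_ALERTS, VA_RESULTS, SIG_TO_VULN):
        print(offense)
    print(excessive_auth_failures(AUTH_EVENTS))
```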
Continue Reading at SecurityWeek.com