Archive for January, 2012

Tuesday, 31 January 2012 11:32

You can’t predict every breach, but you can plan your response…

This morning I read an article on Computing.co.uk that asked, “How can organizations be prepared for cyber security incidents they can’t predict?”

I think this is a question a lot of CISOs ask themselves, and certainly they should. In the Data Protection & Breach Readiness Guide, published this January by the Online Trust Association (OTA), a key takeaway is “If a business collects data it will experience a data loss incident at some point.” In other words, you may not be able to predict how you will be breached, but it’s reasonable to assume that you will. Accepting that is the first step in a comprehensive network security strategy.

There are plenty of tools out there that can help analyze network configurations and identify the vulnerabilities that are creating entry points. You can run simulations and tests, hire white-hat hackers to break into your systems, and monitor network activity until you’re blue in the face. There are some breaches you can prevent, and there are some that you will never see coming.

The key is to have capabilities that will help you respond to the breach and limit your organization’s exposure as quickly as possible. How many horror stories have we heard over the past year of high-profile breaches that lasted for months before they were spotted? How long did it take to find out what really happened? When breached, you immediately want to know who, what, when and how, so you can brief your constituents (customers, executives, board members, etc.) about what has occurred along with your remediation plan. This is where Security Intelligence comes in.

A Security Intelligence solution like QRadar can help keep you safe. It can be a part of your walled fortress, collecting information from across your entire infrastructure and alerting you when anomalies occur or improper configurations create new vulnerabilities. But more importantly, it can act as a stopgap, the tool you use to help stop the ship from sinking. Knowing immediately that you have been breached and what has been compromised; knowing how the breach occurred and where it originated from; seeing where the information has been distributed, in real time: all of this knowledge can help you respond and stop the threat from spreading further. And since it’s only a matter of time before a breach occurs, better response preparation could be the competitive advantage you’re looking for.

For more information about breach response best practices, please read Five Ways to Prepare for Your Data Breach. As always, share your comments and questions below!


Thursday, 26 January 2012 09:53

Anonymous is back… and taking requests?

According to a recent tweet from the well-known hacktivist group Anonymous, they are back in action and taking requests. Then again, they never really were out of action, but with all the SOPA, PIPA, and now ACTA debates lately, they are making their voice heard.

Anonymous has always been vocal on many social media sites, but has never actually opened up for requests. This brings the concept of being a “target of choice” to a whole new level, don’t you think? Before the public onslaught of hacktivism over the past year or so, it was assumed that these decisions about “who to hack” were taking place covertly in the background via encrypted messages, IRC, forum threads, etc. While it certainly is intimidating for the organizations being called out, it gives others warning that they might not have had before.

Looking back a couple of years, would you have predicted hacktivist organizations exposing themselves on social sites such as Facebook, Twitter, and YouTube to gain a consensus on who their next target(s) should be?


Tuesday, 24 January 2012 11:11

Customer Use Perspective Series Part 5: Complete Your SIEM with Network Flow Data

Welcome to the final part of our “customer use perspective” series, where one of our biggest retail customers talks about using network flow data to add a whole new dimension to their security posture. When we talk about network flow, it’s not limited to the typical formats, i.e., NetFlow, J-Flow and sFlow. While standard network flow is useful for establishing a general understanding of network conversations, it doesn’t provide deep visibility into network activity beyond basic characteristics such as IP address, port and transport protocol.

To help fill this gap, there is QRadar QFlow, which provides Layer 7 visibility (application layer) and stateful classification of applications and protocols such as voice over IP (VoIP), social media, ERP, database, and thousands of other protocols and applications. While this information is powerful on its own, it becomes extremely useful when correlated with network and security events as part of a SIEM and Log Management solution.

Watch the clip to hear how our customer is using QRadar QFlow in their environment:

What can you do with QRadar QFlow?

  • Detect zero-day threats through traffic profiling
  • Comply with policy and regulatory mandates via deep analysis of application data and protocols
  • Monitor social media traffic
  • Perform advanced incident analysis via correlation of flow and event data
  • Continuously profile assets

Learn more about QRadar QFlow and be sure to listen to the full webcast to hear more about how our customer is utilizing the QRadar Security Intelligence Platform to help meet compliance regulations, centralize logs, correlate network events, and detect anomalies that other solutions might miss.
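To make the two points above concrete (Layer 7 classification seeing past the port, and correlating flow with event data), here is an added example that is not QRadar or Q1 Labs code. It runs over constructed flow and authentication records; the `app` label on each flow stands in for whatever an application-layer classifier would assign, and the thresholds and time window are illustrative assumptions.

```python
"""Added example (not QRadar code): flow records carrying a Layer 7 app
label, correlated with login events to raise a single high-priority offense."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows. The second flow uses port 443, so a port-only
# (NetFlow-style) view reads it as HTTPS; the Layer 7 label says it is SSH.
FLOWS = [
    {"ts": "2012-01-24T10:00:05", "src": "10.0.0.7", "dst": "10.0.0.9",
     "dport": 3306, "bytes": 2_400, "app": "mysql"},
    {"ts": "2012-01-24T10:03:40", "src": "10.0.0.7", "dst": "203.0.113.5",
     "dport": 443, "bytes": 48_000_000, "app": "ssh"},
    {"ts": "2012-01-24T10:04:10", "src": "10.0.0.8", "dst": "203.0.113.6",
     "dport": 443, "bytes": 12_000, "app": "http"},
]
# Constructed sample log events from the same hosts.
EVENTS = [
    {"ts": "2012-01-24T09:58:00", "host": "10.0.0.7", "type": "auth_failure"},
    {"ts": "2012-01-24T09:58:02", "host": "10.0.0.7", "type": "auth_failure"},
    {"ts": "2012-01-24T09:58:04", "host": "10.0.0.7", "type": "auth_failure"},
    {"ts": "2012-01-24T10:01:00", "host": "10.0.0.8", "type": "auth_failure"},
]
PORT_APPS = {443: "https", 3306: "mysql", 22: "ssh"}  # what the port alone implies

def port_mismatches(flows):
    """Flows whose Layer 7 application disagrees with the port's usual use."""
    return [f for f in flows if PORT_APPS.get(f["dport"], "unknown") != f["app"]]

def correlate(flows, events, window=timedelta(minutes=10), min_fail=3,
              min_bytes=10_000_000):
    """Offense = burst of failed logins on a host, followed within `window`
    by a large outbound flow from that host whose app does not match its port."""
    fails = defaultdict(list)
    for e in events:
        if e["type"] == "auth_failure":
            fails[e["host"]].append(datetime.fromisoformat(e["ts"]))
    offenses = []
    for f in port_mismatches(flows):
        t = datetime.fromisoformat(f["ts"])
        recent = [x for x in fails[f["src"]] if t - window <= x <= t]
        if len(recent) >= min_fail and f["bytes"] >= min_bytes:
            offenses.append({"host": f["src"], "dst": f["dst"], "app": f["app"],
                             "dport": f["dport"], "failed_logins": len(recent)})
    return offenses

if __name__ == "__main__":
    for offense in correlate(FLOWS, EVENTS):
        print(offense)
```

Host 10.0.0.8 also shows an app/port mismatch and a failed login, but neither the login burst nor the byte volume crosses the thresholds, so only 10.0.0.7 becomes an offense.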

Related: 80,000 Credit Cards Hacked (Why Authentication Alone is Insufficient)


Thursday, 12 January 2012 10:33

Critical Infrastructure Finally Getting the Attention it Deserves

There’s no question that Critical Infrastructure (CI) was a popular topic in IT security media outlets throughout 2011. From Duqu speculation to Black Hat PLC hacking, this past year was a wake-up call for the energy and utilities industry, confirming that CI security is about more than just a 15-foot-high brick wall.

Related: Critical Infrastructure Security: It’s About More than Just Stuxnet.

If you recall, at Black Hat 2011, a researcher was able to hack into a Siemens device because it had SCADA authentication holes. According to a recent article over at Dark Reading, the Siemens team is pushing to release a major security fix this month. While it’s still early January, we haven’t heard of the fix being pushed out yet, so if you have, please let us know in the comments.

Quote from Siemens Industrial Security News about the vulnerabilities:

Siemens was notified by IT experts (Billy Rios and Terry McCorke) about vulnerabilities in some of its automation products. These are the WinCC flexible RT versions from 2004 to 2008 SP2 and WinCC Runtime Advanced V11 and multiple Simatic panels (TP, OP, MP, Comfort). We are aware of the reported vulnerabilities, first reported in May 2011. Our development had immediately taken action and addressed these issues. The vulnerabilities will be fixed by security updates, the first of which is planned to be issued in January 2012. In December 2011 further vulnerabilities were reported which are currently under investigation. We thank Billy Rios and Terry McCorke for reporting the vulnerabilities.

While Siemens investigates its issues, various government agencies have aligned with leadership in the private sector to try to find a solution to the security woes in the energy and utilities industry.

The “Electric Sector Cybersecurity Risk Management Maturity” project is now in place to help establish a holistic security approach for the nation’s energy infrastructure. The project leaders are of varied backgrounds, which makes this all the better. It’s made up of representatives from the Department of Energy (leading agency), the White House, and DHS, with participants from the private energy and utilities sector. Odds are this project will eventually turn into a single government agency to handle all cyber security concerns, as Massachusetts Institute of Technology (MIT) has already suggested.

What can energy providers do while the aforementioned “maturity model” is put into place? Learn about Security Intelligence and how it can help mitigate many of the IT security concerns in the smart grid and for energy control systems in general.

Related: A Shot Across the Bow: Five Lessons from the Start of the SCADA Attack Era


Tuesday, 10 January 2012 11:00

Success at Scale: A Q1 Labs Hallmark

Following their widespread adoption, SIEM and log management solutions have become a staple of many organizations’ security and compliance practices. They are relied on to protect against countless security and compliance risks. But there’s a big difference between monitoring the network of a midsize business and those of Fortune 500 organizations. Q1 Labs not only delivers economical solutions for the former, but also scalable and resilient solutions for the latter.


This is no small feat when you’re talking about a magnitude of well over 100,000 events per second, all correlated in real time, a volume many Q1 Labs customers are achieving with the QRadar Security Intelligence Platform. Run the math and you find this is billions of events per day. How exactly does QRadar enable success at scale?

Let’s scratch the surface of QRadar’s keys to success:

  • Scalability. QRadar’s distributed, federated database architecture allows it to monitor, correlate and store the highest data volumes in real time, without filtering out data or skipping correlation, as some other products do.
  • Search Performance. High-performance indexing and search provides incredibly fast access to enterprise networking and security data. Applying Internet search engine technology, QRadar tames big data.
  • Customization Ability. Although QRadar ships with thousands of out-of-the-box rules, report templates and dashboards, it is also highly customizable, meeting the needs of multi-divisional and multi-national organizations.
  • Expansion and Upgrade Ability. The distributed appliance approach allows an organization to start with a small, mid-sized or large deployment, and add new processing capacity or functional capabilities on the fly. The architecture and size of a QRadar deployment can grow organically and don’t face major constraints.
  • High Availability. Q1 Labs provides a turnkey solution for high availability, taking the guesswork, risk and complexity out of HA, so customers can focus on their security operations, not IT infrastructure.

These capabilities are further explained and a series of customer case studies are presented in a new Q1 Labs brochure on “Success at Scale.” As a sneak preview, consider the following portrait of a Fortune 5 energy company:

Business Challenge: This company needed to ensure compliance with PCI-DSS, NERC and numerous regulations in other countries. At the same time, it needed to monitor and analyze an average of 2 billion logs daily to protect itself from numerous security threats.

Q1 Labs Solution: The business addressed its regulatory compliance and security needs by deploying QRadar SIEM and QRadar QFlow using 30 appliances globally. By correlating events, network activity (flows), asset information and configuration data, the solution intelligently identifies 25-50 high priority offenses out of 2 billion daily events, utilizing 40 TB of aggregate storage. It serves 100 security users across four groups, while protecting 10,000 network devices, 10,000 servers and 80,000 user endpoints. Major technologies protected by QRadar include products by Oracle, SAP, Cisco and Juniper. The customer also uses QRadar to monitor 6 million card swipes per day for PCI compliance and ensures the security of SCADA systems for NERC compliance.

Read the brochure today to gain insight on more of the world’s largest and most successful Security Intelligence deployments.

