Author Archive
Posted by Chris Poulin in Compliance, Federal, Security Intelligence, SIEM
Last week I participated in a panel on Continuous Monitoring at FOSE. Joining me were Mark Crouter from MITRE as the moderator, John “Rick” Walsh, chief of technology and business processes in the Cybersecurity Directorate of the Army’s Office of the CIO, and Angela Orebaugh, Fellow and Senior Associate at Booz Allen Hamilton. Auspicious company indeed.
For those not tuned into the federal government’s cybersecurity initiatives, the concept of continuous monitoring evolved from the previous approach in FISMA (the Federal Information Security Management Act), which mandated annual reviews of federal agencies’ security programs. After a few years of implementation it was widely recognized that the reviews generated rooms full of paper, which were obsolete as soon as they were printed, but didn’t elevate information security plan effectiveness to an acceptable level. Between 2006 and 2010, the number of security incidents rose by over 650%. The resulting strategy is embodied in FISMA 2012 (2.0), which is aimed at continuous monitoring of security controls, determining gaps between current and accepted security baselines, and quantifying risk.
Rick has been facing the challenges of implementing continuous monitoring within the government, and his experience has been that the different business processes, missions, and systems create obstacles, but once overcome, the solution yields financial and process efficiencies, and improved security. One of the biggest challenges is enumerating the assets, but once that is done it is sure to reveal duplication of systems and opportunities to consolidate systems and software licensing.
Angela framed the conversation in her intro, which was appropriate since she co-authored NIST Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. She has also been involved with the Security Content Automation Protocol (SCAP, pronounced ess-cap) project, which provides a set of standards for describing vulnerabilities (CVE, Common Vulnerabilities and Exposures), systems (CPE, Common Platform Enumeration), and configuration standards (CCE, Common Configuration Enumeration), as well as a scoring system (CVSS), a test definition language (XCCDF), and a vulnerability definition language (OVAL). Angela advocated use of SCAP as a foundation for continuous monitoring.
Questions from the audience mainly focused on how to implement continuous monitoring, including getting buy-in from senior management and budgeting. The key is to show short-term results that are meaningful to business stakeholders. While continuous monitoring is in the process of being mandated, the danger is treating it as a checklist and doing the bare minimum to comply; whereas, when done right, continuous monitoring can be the cornerstone for real security improvements, including interrupting the kill chain through early attack detection, providing total visibility (including troubleshooting operational problems), and giving management a security dashboard with both technical and business gauges. The State Department was one of the first successful adopters of continuous monitoring and was able to not only ameliorate their high-risk vulnerabilities by 90%, but also slash the cost of certification and accreditation by 62%.
One of the more amorphous questions was: how continuous is continuous? Does data need to be analyzed in real-time or near real-time? Does this apply to all systems? The answer is that it depends on each individual agency’s goals and the telemetry that can be collected from the systems. Organizations don’t want to have to retool systems to provide events as they occur, unless the systems are critical enough to warrant that cost and effort and there is no other way to gain the needed visibility. The panel all agreed that some systems only need to report into a central monitoring solution on an occasional basis, vulnerability scanners for example, while network monitoring should report in near real-time, which means one-minute intervals for most systems that create NetFlow records. Ultimately, there is no one-size-fits-all answer.
My overall impression from the panel is that continuous monitoring to the federal sector is what we call Security Intelligence in private industry, and both need to be defined and implemented per the enterprise or agency’s specific needs. The primary difference is that continuous monitoring is focused on metrics: quantifying the delta between expected state of assets and the measured states and classifying these differences as vulnerabilities. The scorecard approach provides a common baseline for different organizations to compare themselves against each other, and for management to better understand their organizational security posture at any given moment in time and compare it against past performance.
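To make the metrics idea concrete, here is an added example (not code from the original post, QRadar, or any agency) of the delta calculation described above: an expected baseline is compared against measured host states, each deviation is classified as a finding, and the result is rolled into a score that can be tracked against the previous interval. The control names, hosts, weights and severity bands are constructed for illustration.

```python
"""Added example: a minimal continuous-monitoring scorecard.
Compares an expected configuration baseline against measured host states,
classifies each delta as a finding, and computes a comparable score."""
from dataclasses import dataclass

# Constructed baseline: expected value per control plus a weight standing in
# for how much a deviation matters (in practice drawn from CCE/CVSS guidance).
BASELINE = {
    "ssh.PermitRootLogin": ("no", 5),
    "ssh.Protocol": ("2", 5),
    "auditd.enabled": ("yes", 3),
    "password.max_age_days": (90, 2),
    "firewall.enabled": ("yes", 4),
}


@dataclass(frozen=True)
class Finding:
    host: str
    control: str
    expected: object
    measured: object
    weight: int


def compare(host, measured):
    """Return findings where a host deviates from the baseline. A control that
    was not measured counts as a deviation: an unmeasured control is exactly
    the visibility gap continuous monitoring is meant to close."""
    findings = []
    for control, (expected, weight) in BASELINE.items():
        value = measured.get(control, "<unmeasured>")
        if control == "password.max_age_days":
            ok = isinstance(value, int) and value <= expected
        else:
            ok = value == expected
        if not ok:
            findings.append(Finding(host, control, expected, value, weight))
    return findings


def scorecard(hosts):
    """Score = weight achieved / weight possible across all hosts, as a
    percentage, plus the findings grouped into severity bands by weight."""
    possible = len(hosts) * sum(w for _, w in BASELINE.values())
    findings = [f for host, state in hosts.items() for f in compare(host, state)]
    lost = sum(f.weight for f in findings)
    score = round(100 * (possible - lost) / possible, 1)
    bands = {"high": [], "medium": [], "low": []}
    for f in findings:
        band = "high" if f.weight >= 4 else "medium" if f.weight == 3 else "low"
        bands[band].append(f)
    return score, bands


def trend(previous_score, current_score):
    """Delta versus the prior interval, so management sees direction as well as level."""
    return round(current_score - previous_score, 1)


# Constructed measurements from two hosts in one reporting interval.
MEASURED = {
    "web01": {"ssh.PermitRootLogin": "no", "ssh.Protocol": "2",
              "auditd.enabled": "yes", "password.max_age_days": 60,
              "firewall.enabled": "yes"},
    "db01": {"ssh.PermitRootLogin": "yes", "ssh.Protocol": "2",
             "password.max_age_days": 180, "firewall.enabled": "yes"},
}

if __name__ == "__main__":
    score, bands = scorecard(MEASURED)
    print(f"score={score}% high={len(bands['high'])} medium={len(bands['medium'])} low={len(bands['low'])}")
    for f in bands["high"]:
        print(f"HIGH {f.host} {f.control}: expected {f.expected}, measured {f.measured}")
```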
I was asked at the GTRA conference how the public and private sectors differ. My view is that the government does more up-front analysis and planning, while the private sector sees a need and builds a solution. Between well-considered frameworks, like FISMA 2.0, and tools like QRadar and OpenPages, the federal government and industry have an opportunity to collaborate on a complete Security Intelligence solution incorporating continuous monitoring and meaningful security scorecards and dashboards.
Click here to learn how Security Intelligence can help Federal organizations address continuous monitoring requirements. Find out how QRadar Risk Manager addresses the need for configuration auditing, and assessing the risk of configuration changes, across multi-vendor network environments (switches, routers, firewalls and IDS/IPS).
Posted by Chris Poulin in In the Industry, Security Intelligence, SIEM, Threat Management
Security Intelligence is about enriching events with context data and ending up with smart information that gives enterprises not only total visibility, but also the ability to zero in on incidents, such as fraud, that support business use cases.
That’s the conclusion of a panel of experts at IBM Pulse 2012, held in Las Vegas the week of 5 March. The panel consisted of security managers and consultants from finance, health care, and energy and utility companies, as well as a seasoned and respected consultant from one of Q1 Labs’ trusted partners. When asked to define what security intelligence means to each of them and the organizations they serve, the answer was unanimous: adding context to the data that’s traditionally considered under the purview of log management and SIEM to make correlation, prioritization of incidents, and forensics smarter.
The focus of the panel was to define security intelligence, a term defined broadly by analysts and vendors, and what it means from a practical standpoint. Most of the panelists have worked with multiple log management and SIEM solutions, and agreed that despite the differences across products, the goal of security intelligence is to create actionable results and reduce false positives, while providing more data to accomplish advanced use cases.
In the finance industry, our panelist used security intelligence in QRadar to detect fraud in addition to traditional internet-borne and insider threats. By using anomaly detection to baseline normal activity on their credit history web sites, his company was able to detect fraud by alerting on a significant increase in credit history requests from an individual or an organization as a whole, such as a car dealership.
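The following is an added example, not the panelist’s rules or QRadar code, of the baseline-and-deviation check just described: it counts credit history requests per hour, both per user and per organization, learns a baseline from the quiet hours, and alerts on a burst that is large by both z-score and ratio. The log format, user and organization names, and thresholds are all constructed for illustration.

```python
"""Added example: anomaly detection on credit history requests.
Counts requests per hour at user and organization level, baselines each
from earlier hours, and alerts when the latest hour is far above baseline."""
from collections import defaultdict
from statistics import mean, pstdev

EVENT = "CREDIT_HISTORY_REQUEST"


def parse(line):
    """Constructed format: '<ISO timestamp> <user@org> <event> <subject id>'.
    Returns (hour bucket, user, org) or None for other event types."""
    ts, requester, event, _subject = line.split()
    if event != EVENT:
        return None
    user, org = requester.split("@", 1)
    return ts[:13], requester, "org:" + org  # bucket key is YYYY-MM-DDTHH


def hourly_counts(lines):
    """key (user or org:name) -> hour bucket -> request count."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse(line)
        if parsed:
            hour, user, org = parsed
            counts[user][hour] += 1
            counts[org][hour] += 1  # the 'organization as a whole' view
    return counts


def detect(counts, current_hour, min_hours=4, sigma=3.0, ratio=3.0, min_count=10):
    """Alert when the current hour exceeds the baseline by z-score AND by a
    ratio with an absolute floor; the floor stops a low-volume requester going
    from 1 to 3 requests from looking like fraud."""
    alerts = []
    for key, hours in counts.items():
        history = [c for h, c in hours.items() if h < current_hour]
        if len(history) < min_hours:
            continue  # too little volume to form a baseline (the panel's point)
        current = hours.get(current_hour, 0)
        mu, sd = float(mean(history)), pstdev(history)
        if sd > 0:
            z = (current - mu) / sd
        else:
            z = float("inf") if current > mu else 0.0
        if z >= sigma and current >= max(ratio * mu, min_count):
            alerts.append((key, current, round(mu, 1)))
    return sorted(alerts)


def constructed_log():
    """Constructed sample (not real data): five quiet hours, then a burst in hour 14."""
    lines = []

    def emit(hour, requester, n):
        lines.extend(f"2012-03-05T{hour:02d}:{i:02d}:00 {requester} {EVENT} s{i}"
                     for i in range(n))

    for hour in range(9, 14):
        for u in ("u1", "u2", "u3", "u4"):
            emit(hour, f"{u}@dealer-A", 1)  # dealership: 4 users, 1 request each
        emit(hour, "eve@indep", 1)           # individual: 1 request per hour
    for hour, n in zip(range(9, 14), (3, 5, 4, 6, 2)):
        emit(hour, "bob@bank-B", n)          # noisy but normal requester
    for u in ("u1", "u2", "u3", "u4"):
        emit(14, f"{u}@dealer-A", 5)         # each user modest, org-level burst
    emit(14, "eve@indep", 12)
    emit(14, "bob@bank-B", 6)
    return lines


if __name__ == "__main__":
    for key, current, baseline in detect(hourly_counts(constructed_log()), "2012-03-05T14"):
        print(f"ALERT {key}: {current} requests this hour, baseline {baseline}/hour")
```

The per-user view of dealer-A stays quiet while the organization-level aggregate fires, which is the dealership case the panelist described.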
Fraud is also a huge concern in the health care field, and it’s critical to apply context to system events in the form of caregiver roles, for example. A log entry means one thing when applied to a cardiac surgeon, but has an entirely different meaning for a neonatal clinician. And with the controversy over the US health care law and recent debates over contraception mandates, health care organizations are concerned that they’ve become targets of choice for hacktivists and other outraged individuals, both external and internal. Detecting intrusion attempts early enough to arrest the exploit before it becomes a full compromise and having comprehensive forensics capability to quickly and accurately perform impact analysis is table stakes for security intelligence.
The panelist representing a major oil company pointed out that E&U customers are largely focused on detecting advanced persistent threats (APTs). Critical infrastructure is a tasty target for foreign enemies, and there are many stories of nation state infiltration of electric, water and sewer, and government organizations, for espionage and sabotage. Stuxnet is the de rigueur poster child, but there are credible reports—and some urban legends—of mass infiltration of US critical infrastructure; the 2007 attack on the Brazilian power grid is believed by many in the security community to have been caused by hackers rather than dirty insulators, as the official report claims. Geo-location of IP addresses, threat source databases, and current information on recent exploit activity are all key elements of APT detection, and add context to traditional log and network activity monitoring.
The consultant panelist, who has been deploying SIEM solutions for over five years to a wide variety of organizations across industries, has observed the evolution of SIEM from its initial incarnation as log management with correlation bolted on, through first generation integrated solutions, to today’s security intelligence. One of the litmus tests he looks at is whether there is sufficient volume and variety in events: a solid base of events is important to create an accurate representation of activity over time, but without capturing a wide variety of event types, the view is skewed. Similarly, even with a wide variety of event types, if there isn’t sufficient volume to create a solid baseline, it’s impossible to gain context. Once you have volume and variety of events and network activity, he agreed that the next step, which elevates analytics to security intelligence, is to add context data to the mix.
The best quote of the day, in my opinion, came from our health care panelist, although in a separate presentation on the benefits of security intelligence as they were rolling out their QRadar deployment: “Context and correlation can drive deep insight”. She elaborated on the benefits as:
- [The ability to] Detect, notify and respond to threats missed by other security solutions with isolated visibility
- Contextual and actionable surveillance across an entire IT infrastructure
- Ability to detect and remediate threats such as: inappropriate use of applications, insider fraud, threats that could be lost in the noise of millions of events, and more.
- Identify what’s normal and not normal
- Human beings can’t know the whole environment given the size and complexity
- Important for emerging threats
- QRadar deployed in 30 days and in production in 60 using 37 professional services days and 2 weeks of training
So, how do you define security intelligence?
To hear more about what our customers are saying in the conversation about Security Intelligence, watch these videos.
Posted by Chris Poulin in Log Management, Security Intelligence, SIEM
Last Sunday I was watching football (American football this time) as usual, when an advertisement played for a pizza tracker app. When you place an order with the pizza delivery service, they track the progress of the pizza’s ontogeny and progress toward your maw. I see this as a widget in a larger Football Intelligence dashboard.
What is Football Intelligence? It’s whatever makes your football viewing a successful experience. It includes not only the status of your pizza delivery, but the coldness of the beer and soft drinks; a running status of scores, standing and statistics of other teams in your conference, division, and the league; the amount of snacks per guest, total and remaining—in real-time; and whether the game will run over time and clip your significant other’s scheduled recording of The Good Wife.
The same way Business Intelligence supports better analytics and operational health at the business level, and Security Intelligence provides a real-time view of your current security posture and threats, Football Intelligence gives you a 360 degree view of the convergence of all football-related factors. The goal of all three is to allow you to identify obstacles to success and make informed and timely decisions to keep your business finances, operations, and risk in line with expectations, and your football party on track to keep your friends coming back to your man cave.
What impressed me about the Pizza Tracker is that meaningful telemetry must be fed into the system to provide near-real-time updates to the web dashboard, as well as email and text alerts. I’m guessing the pizza artists press a button when they start to fulfill your order and when it goes into the oven; the driver presses a button when s/he slides it into the stay-warm delivery bag and again when they pull up to your door. There’s room for improvement (and there are claims that the whole application is flawed): edible RFID in the crust to track the pizza through dough tossing and its trip through the oven, and geolocation tracking as the car wends its way toward your front door. And yet there are many data center applications in use by enterprise companies and government that don’t provide events with as much utility.
The point is there’s no dearth of logged events from most applications, but the use cases that employ them don’t always address business needs. It’s relatively easy to create SIEM rules to solve technical problems, e.g., identify brute force password guessing attacks, and those use cases are certainly useful. But the real value comes from giving business stakeholders useful visibility that they wouldn’t otherwise have.
On a side note, here’s an interesting look into the future of the convergence of pizza delivery and information acquisition. Social benefit or invasion of privacy? You choose.
Posted by Chris Poulin in Threat Management
INT. CAR — MORNING
A man is stuck in traffic on his way to work. His mind wanders and his OCD kicks in: Did I leave the toaster plugged in? He pulls out his smart phone and taps the app labeled “Home Automation”, then taps “Kitchen” and “Toaster” from another list including “Stove”, “Lights”, and “Refrigerator”. The screen shows that the toaster is off and the temperature is 70°, the same as the ambient temperature of the kitchen. The man rolls his eyes and grins at his obsessive concern.
INT. KITCHEN — SAME DAY & TIME
PAN AROUND KITCHEN
The refrigerator is shooting ice cubes across the room into the glassware rack. The freezer is off and food is thawing; the refrigeration section’s temperature is cranked up to disco and it is turning into an iceberg.
The dishwasher is overflowing and suds are 10″ deep on the kitchen floor.
A ZoomBot bumps against the pastry rack, sending the smoking toaster inch by inch toward the towel rack and curtains.
That’s the scene I painted at the RSA Conference Europe in London and will be presenting at the Energy & Utility Cyber Security Summit in Amsterdam in November. Okay, so the scenario is a disaster straight from a movie plot, but is it Stephen King’s “Maximum Overdrive”, where you have to suspend disbelief as animated trucks take over the world, or a Jules Verne future prediction?
There are plenty of utility system compromises to alarm not only consumers, but security experts and government agencies:
- In 2000, when Vitek Boden was turned down for a job at an Australian water services company, he hacked into the Maroochy Shire SCADA system and released raw sewage into rivers, parks, and the grounds of a Hyatt Regency hotel.
- In 2005 and 2007, two widespread electric outages in Brazil were blamed on hackers by the CIA. While the official explanation for one of the outages was sooty insulators, many believe the story to be a cover-up.
- In 2009, an informal report, including testimony from current and former CIA and DHS officials, claims the US electrical grid has been surreptitiously penetrated by foreign countries, notably China and Russia, over the last 5 years. Purported evidence includes time-bomb software.
And let’s not forget Stuxnet.
More to the point of smart grid security, IOActive, a security research firm, reverse-engineered the smart meters from a particular manufacturer and created a worm that spread throughout a simulated smart grid infrastructure, compromising 15,000 smart meters. In real life, a similar worm or bot would give the herder the ability to wreak havoc on consumers, and possibly even the electric grid itself. Imagine if the worm/bot sent false usage information demanding more power to an electric sector and caused an overload leading to a cascading failure.
Granted, a systemic failure is theoretical, as is the kitchen pandemonium scene. In truth no one really knows what the smart grid will eventually look like or what the specific threats may be. The smart grid is like The Cloud: still evolving and amorphous.
What we do know, however, is that utility companies are not used to thinking in terms of data security; they’ve been historically concerned with the protection of hardware like transformer stations, utility poles, and electric wires, as well as consumer fraud. Now they’ll have to change their mindset to protecting not only billing information and traditional PII, but surveillance information that can let burglars know to target homes where the electric consumption drops for a few days, a clue that the homeowners are away on holiday or visiting sick Aunt Bertha, or even when you run your electric shaver or what you watch on television.
One way or another, your electricity provider or a third-party monitoring company will have access to your home area network to monitor and control your smart appliances. It won’t be long before attackers discover this path into your house and that your home automation system is connected to everything: it dims the lights and closes the blinds when you turn on the television and lights up the gas fireplace when you play soft rock. Perhaps you have one of those fancy Japanese toilets jacked in, the ones that automatically raise the toilet seat and activate a bidet arm after you flush.
Or maybe you just have your dishwasher, toaster, and refrigerator connected.
Posted by Chris Poulin in Cybersecurity, Security Intelligence, Threat Management
(Note: I grew up in a European colonized country. Football to me is European football, soccer to most Americans. I love American football too, but Europeans were calling it football long before we were.)
You would never man a football team with just a goaltender and backs. But in security that’s exactly what we do: deploy defensive technology such as firewalls, IPSes, and endpoint security. As the bad guys attack us, the best we can hope for is a draw.
Football and information security differ in offensive tactics. Our opponents’ (the bad guys’) objectives, whether stealing intellectual property, conducting cyber espionage or cyber war, destroying manufacturing capability by controlling our SCADA systems, or just vandalizing our data, start with invading our side of the field; whereas our goal as information security professionals is simply to conduct business on our own side of the field.
Or perhaps a more apt metaphor is that our game of football is conducted on a field occupied by our business and our competitors, and the threats are from the stands. Whereas in real-life football we endure the taunts and jeers of the crowd, and occasionally an overzealous fan racing across the field naked, in the cyber arena we’re being attacked with gunfire and bombs.
Ethically we can’t fire back: that’s the job of law enforcement. But we can’t turn turtle either. Our best strategy is to identify the bad guys as they enter the stadium, or arrest them in their flats.
In fact, Scotland Yard did just that with the 24 men who had planned to take down a number of airplanes with liquid explosives. Through old fashioned intelligence gathering, they correlated suspicious purchases to a potential terrorist plot and stopped the men before they even got to the airport.
When it comes to information security, it’s unlikely that any of us has the resources or jurisdiction to conduct covert operations on the open internet. However, every one of our information infrastructures contains a wealth of data that, if mined and analyzed, equates to information security intelligence. The defense-in-depth technology we invested in years ago, and even operational technology that may not be employed in a security context—web, email, and database services, operating system audit logs, switches, and even printers—shed light into all corners of our information infrastructure and paint a complete security intelligence picture. There’s an opportunity to take advantage of our technology infrastructure toward an offensive end.
One benefit of an offensive play is gaining an advantage through early detection. If we can catch an exploit in the discovery and footprinting phase, we can defend ourselves from the imminent compromise. Or we can detect anomalous user behavior that precedes data theft. But that’s only part of the benefit. Security intelligence also provides advance context about our own environments—what are the assets and are they vulnerable? how is my infrastructure segmented and defended? what kind of information normally flows across my network?—and is critical in prioritizing defense and response efforts, as well as determining the potential consequences of attacks and the impact of a compromise.
For the more civic-minded, there are forums to share information between organizations and gain a wider view of the threat landscape, going beyond the borders of our individual perimeters. Those organizations include ISSA, ISACA, and InfraGard. Joining and sharing gets closer to changing the game and creating an offensive strategy.
We cannot continue to do what we’re currently doing: if the entire game is played on our side of the field, the opposition will quickly discover the weaknesses in our defenses and exploit them. Our strategy needs to shift to repelling attackers before they rush our goal en masse.
