Author Archive
Posted by Heather Howland in Federal, Security Intelligence, Webinars
Government agencies, like their private sector brethren, are knee deep in IT security challenges, threats, and regulations. While that’s not much of a shock, this might be – according to the Government Accountability Office, the number of reported security incidents increased by over 650 percent during fiscal years 2006–2010. At the same time, government agencies have widespread deficiencies in security controls, leading to vulnerabilities, undetected breaches, and insider fraud.
To help meet these challenges, the federal government is implementing a risk-based IT security strategy based on deploying enterprise continuous monitoring solutions. These solutions will continually assess the actual security state of agencies’ IT networks and systems, while providing scoring information that managers can use to prioritize actions needed to reduce risk and improve their security grades. Continuous monitoring will enable agencies to determine their own security health and compare it to other agencies. Scoring will also allow the different lines of business within an agency to more effectively work together, while enabling agencies to gain the same operating efficiencies from IT investments that Fortune 500 companies have realized.
Recently, along with our friends at 1105 Media and partner Accuvant, we discussed the importance of continuous monitoring and related steps agencies should take while approaching it. Security intelligence plays a critical role in achieving continuous monitoring because of its ability to centralize information into a single console from various data sources.
Most importantly, we talked about how many government agencies are successfully addressing previously disparate functions — including SIEM, risk management, log management, and network behavior analytics — into a total security intelligence solution that fits the constrained budgets and resources of government agencies. The QRadar Security Intelligence Platform enables our customers to leverage existing assets, stabilize budgets, and easily comply with new mandates while maintaining a proactive stance on risk management and security.
If you missed the webinar, or just want to revisit it, watch the whole thing HERE. For a deeper look at how security intelligence helps federal agencies adopt a continuous monitoring security program without requiring additional resources, download this white paper.
Posted by Heather Howland in Network Intelligence, Security Intelligence, Webinars
If you missed our February 22nd webinar with Dark Reading, or attended live but still have questions, this is for you. Of course, you can watch the whole event in its entirety here. During the event, we covered a fair amount of ground, talking through some of the larger attacks of 2011 while noting the varied attack types and motivations that powered them.
Questions started flying when we began talking about security intelligence use cases and strategies to prevent being hacked. We touched on the following use case topics: network activity, application detection and forensic evidence, data leakage, insider fraud, user behavior monitoring, and advanced persistent threats (APT). Network activity flow was the common thread not only between all of these topics, but also in the questions we received.
Since these questions were common amongst all of our attendees, we thought we would share some of the questions and answers with you.
QUESTION: Does network flow capability come with your SIEM? Or is it a separate add-on?
ANSWER: The ability to process flow records from standard formats such as NetFlow, JFlow, and SFlow is supported by default. If you would like to go deeper than the layer 4 information of these flow technologies and go to layer 7 with content capture, then QRadar’s QFlow technology provides this functionality. This feature can be built into an appliance or, for larger deployments, deployed as an optional add-on.
QUESTION: I already monitor NetFlow traffic. How is what you do with flows different?
ANSWER: NetFlow provides useful information such as source and destination IP, source and destination ports, and packet and byte counts. QRadar QFlow’s deep packet inspection provides the ability to identify traffic up to layer 7 (the application layer) and also provides content capture capabilities. This means QRadar can identify applications regardless of port (many applications use dynamically allocated ports or tunnel over port 80). For example, QFlow can detect social applications like Facebook, Myspace, and Twitter, in addition to port-independent applications like VoIP and BitTorrent. QRadar QFlow can also detect traffic over non-standard ports (e.g. SSH over port 5000). With content capture, when a flow session is captured, the header information and a user-specifiable amount of content after it are captured as well. For example, we can detect the file transferred across the network (e.g. customerinfo.doc, creditcard.xls).
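To make the difference between the two answers above concrete, here is an added Python illustration (not QRadar or QFlow code). It models a NetFlow-style record as a layer 4 5-tuple with counters, then shows what changes when the first bytes of session content are captured alongside it: the port table, the protocol signatures, the 64-byte capture limit and the flow records are all constructed for the example, and the function names are hypothetical. The signatures themselves (the SSH banner, HTTP request methods, the TLS handshake record header and the BitTorrent handshake prefix) are public protocol facts.

```python
"""Port-based vs content-based application identification over flow records.

Added example, not vendor code. A layer-4 flow record can only guess the
application from the destination port; a record that also carries the first
bytes of session content can be matched against protocol signatures, which is
what lets "SSH over port 5000" or "BitTorrent tunnelled over port 80" be named
correctly and a transferred file name be pulled out of the capture.
"""
import re
from dataclasses import dataclass, replace

# Constructed well-known-port table: all a layer-4 classifier has to go on.
PORT_TABLE = {22: "ssh", 80: "http", 443: "tls", 5060: "sip"}

# Hypothetical "user-specifiable" amount of content kept per flow.
CAPTURE_BYTES = 64


def _is_tls_client_hello(b: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version major 0x03,
    # followed by a handshake message of type 0x01 (ClientHello).
    return len(b) >= 6 and b[0] == 0x16 and b[1] == 0x03 and b[5] == 0x01


# Layer-7 signatures applied to the captured bytes, in priority order.
SIGNATURES = [
    ("ssh", lambda b: b.startswith((b"SSH-2.0-", b"SSH-1.99-"))),
    ("http", lambda b: b.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT "))),
    ("tls", _is_tls_client_hello),
    ("bittorrent", lambda b: b.startswith(b"\x13BitTorrent protocol")),
]

# File names worth flagging when seen in captured content (constructed list).
FILENAME_RE = re.compile(rb"[\w.-]+\.(?:docx?|xlsx?|pdf|csv)\b")


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    byte_count: int
    content: bytes = b""  # empty for a pure NetFlow/JFlow/SFlow record


def capture(flow: Flow, payload: bytes, limit: int = CAPTURE_BYTES) -> Flow:
    """Attach the first `limit` bytes of session content, as a layer-7 collector would."""
    return replace(flow, content=payload[:limit])


def port_only_label(flow: Flow) -> str:
    """What a layer-4 record alone supports: a guess from the destination port."""
    return PORT_TABLE.get(flow.dport, "unknown")


def content_label(flow: Flow) -> str:
    """Identify the application from captured content, independent of port."""
    for name, match in SIGNATURES:
        if match(flow.content):
            return name
    return port_only_label(flow)  # no content or no signature hit: fall back


def mismatches(flows):
    """Flows whose port guess disagrees with the content-based identity."""
    return [(f.dst, f.dport, port_only_label(f), content_label(f))
            for f in flows if port_only_label(f) != content_label(f)]


def filenames_in_content(flow: Flow):
    """File names visible in the captured content (e.g. a document being fetched)."""
    return [m.decode("ascii", "replace") for m in FILENAME_RE.findall(flow.content)]


# Constructed sample flows: one layer-4-only record, four with captured content.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 51000, "10.0.0.9", 22, "tcp", 12, 2100),
    capture(Flow("10.0.0.5", 51344, "10.0.0.12", 5000, "tcp", 20, 4300),
            b"SSH-2.0-OpenSSH_8.9\r\n"),
    capture(Flow("10.0.0.7", 40211, "10.0.0.30", 80, "tcp", 9, 1500),
            b"GET /reports/customerinfo.doc HTTP/1.1\r\nHost: files.example.internal\r\n"),
    capture(Flow("10.0.0.8", 49152, "203.0.113.7", 80, "tcp", 300, 410000),
            b"\x13BitTorrent protocol" + bytes(48)),
    capture(Flow("10.0.0.9", 52000, "10.0.0.40", 443, "tcp", 15, 3900),
            bytes.fromhex("160301009a0100009603035f")),
]

if __name__ == "__main__":
    for dst, dport, by_port, by_content in mismatches(SAMPLE_FLOWS):
        print(f"{dst}:{dport} port says {by_port!r}, content says {by_content!r}")
    for f in SAMPLE_FLOWS:
        for name in filenames_in_content(f):
            print(f"file {name} seen in flow to {f.dst}:{f.dport}")
```

Run stand-alone, the script reports the two flows the port table gets wrong (SSH on port 5000 labelled unknown, BitTorrent on port 80 labelled http) and the document name seen in the HTTP capture; the layer-4-only record to port 22 is simply trusted, because there is no content to check it against.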
QUESTION: Are there some sources that you can’t pull data from in a network? Do we have to manually add in some?
ANSWER: QRadar has the best auto-identification of log sources in the industry and can normalize most major devices automatically. If it creates logs, then QRadar can accept or collect logs from that device. If QRadar does not recognize a device’s logs, a straightforward built-in mechanism within QRadar can be used to create custom parsers.
QUESTION: Do you have any pre-built templates and rules for meeting compliance regulations? Or is scripting required?
ANSWER: QRadar has pre-built compliance templates and reports. Scripting is not required.
If you’re interested in learning more about the value of flows and how to get more out of SIEM, you can watch our on-demand webcast “Getting More out of SIEM: How to Use Flows To Better Detect Threats and Simplify SIEM”. This webcast shows a live demo and talks more about the value of correlating flows.
Have more questions? Need further explanation? Feel free to email us at info@q1labs.com or just post them below.
Posted by Heather Howland in In the Industry, Security Intelligence
This year, Q1 Labs will be at RSA Conference 2012 as part of the greater IBM Security presence. If you’re attending the event, make sure you take advantage of this great opportunity to meet with us and gain an understanding of IBM’s strategic vision for the future of cybersecurity. You can find us in the IBM booth (#2233) armed with a live demo. Feel free to stop by and see the QRadar Security Intelligence Platform in action and hear more about planned integrations with IBM Security solutions, more third-party product integrations, and other recently introduced features including instant search and virtual appliances.
There are also three opportunities to see IBM speakers:
- Session Title: Security Enters the Boardroom: Evolving the Role of the CISO
Abstract: Due to the increasing importance of security to a company’s brand and financial position, the CISO role is more strategic than ever before. Leveraging her own rich experience, Linda Betz, IBM CISO, will lead a discussion on relevant issues such as reporting structures, budget responsibilities, performance metrics and the increasing influence of CISOs in being transformational business leaders.
Speaker: Kristin Lovejoy, Vice President, IT Risk, IBM Corporation
Time: Tuesday, February 28, 2:40 PM – Room 510

- Session Title: Security Enters the Boardroom: How Does Security Articulate Business Value?
Abstract: Business executives today understand the importance of having a strong security infrastructure. However in today’s challenging economy, CIOs need to see and be able to articulate true business value from their investment in security.
Speaker: Rock Miller, Director, IBM Managed Security Services – Global Technology Services
Time: Wednesday, February 29, 10:40 AM – Room 310

- Session Title: How to Create a Software Security Practice
Abstract: In this presentation IBM’s Ryan Berg and Jack Danahy share best practices and tactical advice for organizations looking to develop software security as an internal or revenue generating expertise.
Speakers: Ryan Berg, Senior Architect Security Research, IBM Corporation – Jack Danahy, Director for Advanced Security & IBM Security Systems, IBM Corporation
Time: Thursday, March 1, 10:40 AM – Room 302
Register for a free expo pass and learn more about IBM Security Solutions at RSA here.
Posted by Heather Howland in In the Industry, Security Intelligence
According to a recent tweet from the well-known hacktivist group Anonymous, they are back in action and taking requests. Then again, they never really were out of action, but with all the SOPA, PIPA, and now ACTA debates lately, they are making their voice heard.

Anonymous has always been vocal on many social media sites, but has never actually opened up for requests. This brings the concept of being a “target of choice” to a whole new level, don’t you think? Before the public onslaught of hacktivism over the past year or so, it was assumed that these decisions about “who to hack” were taking place covertly in the background via encrypted messages, IRC, forum threads, etc. While it certainly is intimidating for the organizations being called out, it gives others warning that they might not have had before.
Looking back a couple of years, would you have predicted hacktivist organizations exposing themselves on social sites such as Facebook, Twitter, and YouTube to gain a consensus on who their next target(s) should be?
