Author Archive

Tuesday, 15 May 2012 09:34 No Comments

Look Ma, I found security! Or, just Another Brick in the Wall

According to a UK news website, the CEO of a large, really large, hardware vendor just noticed that the world is being ravaged by terrorists, and warned that a “cyber-attack of 9/11 scale” is likely to take place in the near future. So now the terrorists are using cyber attacks. Hhmmm…selling security with FUD is not even old school: it’s irrelevant. And when delivered by a CEO, well it just smacks of over-the-top chest thumping. Nowhere in the entire article did she discuss how they solve their customers’ complex security problems. Instead, more defensive posturing: “We will darken the skies with our agenda to help organisations (sic).”

Oh wait: “We are offering customers differentiated products in security. They (sic) are about applying actionable intelligence and compliance (sic).” Uhh, how does one “apply” compliance?

Okay, I am being snarky. Ya got me, guilty as charged. But we are not talking about trivial matters here, and our leaders need to take this just as seriously as our customers do. It’s not just about offering “differentiated products” to help their customers “protect their infrastructure.” Yes, the perimeter is essential, but it is not sufficient for dealing with Advanced Persistent Threats, insider attacks and fraud. Keeping the Bad Guys Out and Letting the Good Guys In means telemetry from all sources: applications, mobile devices, cloud platforms and cloud services. It means partnering with your customers and their chosen suppliers.

It means applying analytics to all the data, constantly. It means Total Security Intelligence.

***

Learn more about security intelligence in this webinar from the IBM Institute for Advanced Security, featuring Chris Poulin, “Defining Security Intelligence for the Enterprise: What today’s CISOs Need to Know.”


Tuesday, 3 January 2012 10:49 3 Comments

2012 Predictions: More attacks, increased security

This is the traditional time of year for Predictions of all sorts. One of my favorites was from the late, great George Carlin, AKA “The Hippy Dippy Weatherman”: “Today’s weather forecast is for gradual brightening in the morning, increasing throughout the day, with gradual darkening through the evening into late night, when the pattern repeats itself.”

In security, it could go something like: “The forecast is for continued escalation of targeted attacks by nation states, professionals, insiders and hacktivists. Occupy Data today announced…”

Here are a few excerpts from real forecasts.

ABC News: “Big companies and government agencies likely will have to rethink their approach to tech security in the wake of the disbanding of hacktivist group LulzSec, security analysts say. Spending on information technology security already is growing faster than spending on general technology. And corporate and government tech buyers will have to dole out even more to defend against profit-minded cyber thieves and spies looking to swipe state and corporate secrets. In fact, global spending on security products and services is expected to reach $71 billion by 2014, up from $55 billion today, according to Lawrence Pingree, research director for Gartner.”

And the professional prognosticators forecast increased investment in tools, solutions, services and systems as a result:

Canalys ended 2011 by announcing the results of its latest enterprise security forecast, indicating that total investment is expected to grow 8.7% year-on-year in 2012 to reach a market value of $22.9 billion worldwide.

Some thoughts from Gartner:

  • Eighteen percent of respondents say they are not PCI-compliant, even though the data suggests they should be.
  • Thirty-three percent of respondents are expecting their overall IT budgets to increase this year.
  • Spending on personnel has decreased by 3% this year, which will result in higher expectations by organizations for better integration and automation from their technology purchases.
  • In this year’s survey, IT security-specific budget allocations have climbed by 4% to a mean of 10.52% of the total IT budget.

We see all of this as evidence that technologies such as data loss prevention (DLP), device control, database activity monitoring (DAM), security information and event management (SIEM) and IT governance, risk and compliance management (GRCM) tools stand poised for strong growth as respondents have indicated they rank them as priorities.

The numbers vary from forecast to forecast, but they are all big and getting bigger.

Share your predictions in the comments below.


Wednesday, 23 November 2011 08:17 No Comments

Is the “hack of the week” threat fading?

Not too long ago, in fact just a few weeks or months back, you couldn’t refresh your browser without a new headline about a breach exposing critical data to attack, leakage, etc. Nowadays, the news is full of other topics, but this does not mean the cyber-threat has been diminished or that these hacks of the week aren’t still occurring. Below is a sampling of the steady stream of security concerns the IBM X-Force has been reporting on:

November 16, 2011: Self Cross Site Scripting Behind Facebook Shock Spam

For the past day now Facebook has been the victim of an attack causing pornographic and other shocking photos to show up in people’s newsfeeds. A statement released by Facebook says that the attackers are using a browser vulnerability which allows a sort of self cross site scripting. Facebook states that users are being tricked into copying and pasting malicious JavaScript into their browser address bar. So far Facebook has yet to determine the browser in question that has this vulnerability. If it is this easy to trick users into pasting JavaScript into their browser, then Facebook may only be the first stop. Companies should communicate with their users to help them understand how pasting JavaScript into their browser can compromise their security. Something like a simple fake contest or prize offering may be enough to entice people to do just about anything from their computer. Remind users that such things are often a scam. Read More Here and Here >

November 15, 2011: DoS Vulnerability Announced in ISC DNS

A new vulnerability in BIND 9 is being actively exploited, causing DNS servers to crash all across the Internet. According to a release from ISC, “Affected servers crash after logging an error in query.c with the following message: ‘INSIST(! dns_rdataset_isassociated(sigrdataset))’”. Multiple versions of BIND 9 are reported to be vulnerable; ISC is still investigating specific version numbers at the time of writing. Currently no workaround or patch is available, but one is under development. We will continue to monitor this situation and update this post once a patch is available. Read More >

November 15, 2011: Operation Ghost Click

Recently the FBI announced details of a two-year investigation resulting in the arrest of 6 individuals involved in a massive cyber-theft ring. This ring is reported to have infected over 4 million computers by means of malware dubbed DNSChanger. DNSChanger works by pointing a user’s computer at a rogue DNS server. When the user attempts to visit popular websites, that DNS server sends back a bogus address, sending the user to a malicious site instead. The cyber ring used this vast network of machines to manipulate internet advertising, bringing in over $14 million. The FBI has published the blocks of IPs involved in this activity and advised people to ensure they have no traffic destined to them. Read More >
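As an added example (not from the X-Force advisory or this post), the following Python check applies the FBI’s advice: it sweeps flow records for DNS traffic whose destination falls inside a list of rogue resolver blocks. The CIDR blocks and flow records are constructed placeholders; the actual published ranges are not reproduced here.

```python
# Added example (not from the X-Force advisory or this post): flag hosts whose
# DNS queries go to rogue resolver blocks, as the FBI advised checking for
# DNSChanger. The CIDR blocks below are PLACEHOLDERS, not the published ranges.
import ipaddress
from collections import defaultdict

ROGUE_DNS_BLOCKS = [
    ipaddress.ip_network("192.0.2.0/24"),     # TEST-NET-1, placeholder only
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2, placeholder only
]

# Constructed flow records: "timestamp src dst proto dport". The port-443 line
# goes to a listed block but must not be reported: the check is for resolver use.
SAMPLE_FLOWS = """\
2011-11-15T08:01:02 10.0.0.5 10.0.0.1 udp 53
2011-11-15T08:01:03 10.0.0.7 192.0.2.44 udp 53
2011-11-15T08:01:04 10.0.0.7 93.184.216.34 tcp 80
2011-11-15T08:01:05 10.0.0.9 198.51.100.9 tcp 53
2011-11-15T08:01:06 10.0.0.5 192.0.2.44 tcp 443
not a flow record
"""

def parse_flow(line):
    """Split one flow record into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)
    except ValueError:
        return None

def find_rogue_dns_clients(flow_text, blocks=ROGUE_DNS_BLOCKS):
    """Return {client: [rogue resolvers]} for port-53 flows (TCP or UDP) whose
    destination lies inside one of the listed blocks."""
    hits = defaultdict(list)
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the sweep
        _, src, dst, _, dport = rec
        if dport == 53 and any(dst in block for block in blocks):
            hits[str(src)].append(str(dst))
    return dict(hits)

if __name__ == "__main__":
    for client, resolvers in find_rogue_dns_clients(SAMPLE_FLOWS).items():
        print(f"{client} queries rogue resolver(s): {', '.join(resolvers)}")
```

Feeding it real flow exports means only swapping the placeholder blocks for the published list and adapting `parse_flow` to the export’s column order.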

The fact that these breaches and vulnerabilities aren’t getting the coverage they once were has me a little concerned. It’s not that we want to see these fear-inspiring headlines every day, but keeping security top of mind for even the general public means that more people are thinking like we do. You have to stay ahead of the threat to be safe, and that’s what you get with Security Intelligence.

Register for IBM X-Force Threat Reports to get access to the latest information concerning cyber-threats and security trends. Learn more about protecting your organization from a breach with this white paper, “5 Practical Steps to Protecting Your Organization Against Breach.”


Thursday, 29 September 2011 08:51 No Comments

Gartner Security Intelligence Summit, London

I recently returned from the Gartner Security Summit in London, an annual affair. While it was moved back to the stodgy Hotel Lancaster (it was in a shiny new hotel on the Thames last year), it was highly attended and very, very active. Since last year, the news has been all about prominently disclosed attacks, internal and external, so the over-arching theme was sophisticated attacks. Awareness of risk and threat is now solidly at the BoD level with Gartner clients, and the edict from on high is: get our house in order, because it is only a matter of time, and in fact we have probably already been breached to some extent.

Enterprise Security Intelligence is a pervasive theme with the Gartner Security and Risk Management teams, and so it was at the event as well. But similar to the Washington DC event this past summer, there were far more sessions on “how to…” define your needs relative to your unique environment. Compliance has become table stakes, a checklist tactic rather than an end in itself. And of course this prioritization is spot on: compliance does not equal a measurable, defensible security and risk posture.

One of the best sessions was on risks associated with cloud-sourced services. The content was pragmatic, focused on specifics, such as:

–Diverse tenancy is a new world, versus a controlled environment. Your competitors could be using the same cloud platform, for example.

–Public access: where are the controls?

–Economic Denial of Service: a newly coined term meaning a targeted attack designed to spin up gobs of storage = gobs of cost, billed to you!

Some bits of note (can you spot my Brit vernacular?):

–Security monitoring is essential for any use case within cloud services, be they hosted, on-prem, or MSSP-driven

–Cloud was primarily Public Cloud, versus virtual datacenter in the sessions I attended

–In one session on Security Monitoring, a definition of Security Intelligence was put forth:

  • data is gathered: more is better
  • reasoning is applied, in the form of analytics
  • actionable information drives a decision

Pretty high level in my view, but maybe less is more.


Friday, 19 August 2011 08:45 No Comments

Gartner Report Emphasizes Need for New Strategies to Deal with Advanced Targeted Threats

Recently, Gartner published a new report titled “Strategies for Dealing With Advanced Targeted Threats”. The message in this report is how to strategically deal with ATTs (Advanced Targeted Threats), which is Gartner’s expanded definition of APTs (Advanced Persistent Threats), in order to emphasize the focused nature of these high-magnitude attacks. A lot of emphasis is placed on the need for network activity monitoring, to the extent of even calling out “flows”, as we also saw in this year’s SIEM Magic Quadrant report.

Below is a breakdown of the report, beginning with The Problem definition:

  • The term “advanced persistent threat” (APT) has been overhyped in the press and is distracting organizations from a very real problem. Targeted attacks are penetrating standard levels of security controls and causing significant business damage to enterprises that do not evolve their security controls. Gartner estimates that, for the average enterprise, 4% to 8% of executables that pass through antivirus and other defenses are malicious. Enterprises need to focus on reducing vulnerabilities and increasing monitoring capabilities to deter or more quickly react to evolving threats, and not focus on what country the attacks are coming from.

A major point that supports SIEM in general, and flows/behavior anomaly detection in particular, is in the analyst’s portrayal of “lean-forward” planning. This approach is especially needed in Critical Infrastructure, as the recent Ponemon survey pointed out the discrepancy in spending between physical and IT security, which is in fact evolving due to the potential for APT/ATTs.

Here are some more highlights from the Gartner report:

  • Advanced attacks (often called “advanced persistent threats”) are using techniques that demand an evolution of existing defenses, and an introduction of new security controls and processes. Enterprises need to focus on the effectiveness and efficiency of their infrastructure protection approaches.
  • Simply adding more layers of defense does not necessarily increase security against targeted threats — security controls need to evolve.
  • Gartner estimates that, for the average enterprise, 4% to 8% of executables that pass through antivirus and other defenses are malicious.
  • Enterprises need to focus on reducing vulnerabilities and increasing monitoring capabilities to deter or more quickly react to evolving threats, and not focus on what country the attacks are coming from.
  • All the innovative techniques used in these attacks are detectable. One key to preventing their success is to focus on avoiding, minimizing or shielding the vulnerabilities they are exploiting.
  • Security information and event management (SIEM) products or other approaches that correlate information across defense “silos” should be used to gain better exception-monitoring capabilities.
  • A lean-forward, continuous monitoring process includes the following steps:

1. Establish a baseline.
2. Update threat information.
3. Monitor and inspect network traffic and host logs.
4. Investigate possible threat activity.
5. Activate an incident response process, or update defenses or work-arounds.
6. Go to Step 1.

  • Some SIEM and next-generation firewall products have added some of the flow analysis features of network behavior analysis.
  • You must be prepared to invest in and staff lean-forward processes.
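The six steps above carried through in code, as an added example (not Gartner’s or Q1 Labs’): a per-host egress baseline is built from one window of constructed flow records (step 1), a threat-indicator list stands in for step 2, and the current window is monitored for volume and destination anomalies (steps 3 and 4). Hosts, byte counts, the indicator address and the 5x threshold are all illustrative assumptions.

```python
# Added example (not Gartner's or Q1 Labs' code): one pass of the lean-forward
# loop over constructed flow records, using a per-host egress baseline.
from collections import defaultdict

# Constructed baseline window, one flow per line: "src dst bytes_out".
BASELINE_FLOWS = """\
10.0.0.5 93.184.216.34 1200
10.0.0.5 93.184.216.34 1400
10.0.0.5 10.0.0.20 900
10.0.0.7 10.0.0.20 1100
10.0.0.7 93.184.216.34 1300
10.0.0.7 10.0.0.20 1000
"""
# Constructed monitoring window: one host uploads far more than usual to a peer
# it has never contacted before.
CURRENT_FLOWS = """\
10.0.0.5 93.184.216.34 1500
10.0.0.7 198.51.100.77 250000
10.0.0.7 10.0.0.20 1000
"""
# Step 2, threat information: a placeholder indicator address, not a real IoC.
THREAT_INDICATORS = {"198.51.100.77"}

def per_host_totals(flow_text):
    """Total bytes out and the destination set for each source host."""
    bytes_out, dests = defaultdict(int), defaultdict(set)
    for line in flow_text.splitlines():
        src, dst, nbytes = line.split()
        bytes_out[src] += int(nbytes)
        dests[src].add(dst)
    return bytes_out, dests

def lean_forward_pass(baseline_text, current_text, indicators, multiplier=5.0):
    """Steps 1, 3 and 4: baseline the first window, monitor the second, and
    return findings for investigation. Step 5 (response) belongs to the
    incident process; step 6 is re-running with the new window folded in."""
    base_bytes, base_dests = per_host_totals(baseline_text)
    cur_bytes, cur_dests = per_host_totals(current_text)
    findings = []
    for host, total in cur_bytes.items():
        # Volume anomaly: more than `multiplier` times the baseline egress.
        if total > multiplier * base_bytes.get(host, 0):
            findings.append((host, "egress volume above baseline", total))
        # Destination anomaly: any peer not seen in the baseline window.
        for dst in sorted(cur_dests[host] - base_dests.get(host, set())):
            reason = ("destination matches threat indicator"
                      if dst in indicators else "new destination")
            findings.append((host, reason, dst))
    return findings
```

A host absent from the baseline is flagged on its first byte, which is the intended behaviour for a never-before-seen source; tune `multiplier` against real windows before relying on the volume check.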

Bottom line: Advanced Targeted Threats are front and center in our minds, and this report emphasizes important elements of a responsive strategy for dealing with these threats. It is a must read for all information security professionals concerned with staying ahead of these threats, especially in Critical Infrastructure.

Read more about how Q1 Labs’ Security Intelligence has been protecting Critical Infrastructure customers in our recent release, “A Year on from Stuxnet, More than 100 Critical Infrastructure Customers Rely on Q1 Labs for Security Intelligence.”

