As I sat down to watch the new James Bond film with my usual supplies of fizzy drinks and sugary sweets, I was very surprised when he decided to take on the cyber terrorist at large and solve the problem single-handedly, physically, and without a security product in sight!
Of course, we don't all have a secret agent in our organization, driving around eradicating danger. Security teams can, however, prepare by having clear, flexible strategies in place to reduce risk on their networks.
The premise of the film (spoiler alert) is a cyber terrorist getting into the British Secret Service network undetected and causing harm to key personnel. The clever methods used to infiltrate the network mirror what security teams around the world deal with daily, and though it is a great film, it probably made many security personnel squirm slightly in their chairs when they saw the consequences that could follow!
From internal constraints to the rise of Advanced Persistent Threats (an ESG research report found that 59% of enterprise organizations think they have been the target of an APT attack), the role of the security team is becoming ever more complex. A clear security strategy, one that can adapt to an organization's evolving needs, is vital.
In an exclusive webcast with Dark Reading on 12/13/2012 at 1200 ET, Q1 Labs' very own James Bond, Michael Applebaum, and Jon Oltsik, Senior Principal Analyst at ESG, will be presenting "Information Security in Transition: Top things to consider in 2013". This must-attend event will offer recommendations on how to improve your organization's information security model and, importantly, the key issues you are likely to face in 2013.
If you don’t want to wait for our webcast to get this information, please download Jon Oltsik’s report “Enterprise Information Security in Transition”.
As the news broke that the final trilogy of Star Wars was going to be made, I was excited and intrigued about the plot. However, one question I always ask myself is, “How different would the story have been if the Deathstar were more secure?”
Along with most Star Wars fans, I found the moment when the Rebel Alliance flew in en masse to destroy the Deathstar one of great intrigue. With a power so great and protection around the entire perimeter of the battle station, how could it ever be penetrated?
Of course the hero, Luke Skywalker, comes to save the day by finding a small gap and, undetected, he flies through to the center of the Deathstar, destroying it and escaping without a single scratch.
Compare this scenario to what we see every day in the news about cyber attacks and it is very similar, right down to the part where organizations react to the breach far too late. It is of utmost importance for organizations to be able to see and react instantly when a security breach is happening, no matter how small. As the Deathstar shows, it only takes one opening for an attacker to slip in and cause a tremendous amount of damage. We need only look at the recent news story in which an attacker described how he stole a database of 150,000 contacts using a SQL injection, without any reaction from the victim.
Having a thorough Security Intelligence strategy in place, with a next-generation SIEM as the centerpiece, is vital for an organization. With real-time normalization and correlation of events from across your network, abnormal behavior is highlighted and your security team notified immediately, with the where, when, how, what and why of the attack.
It is just my opinion, but if the Deathstar had had an anomaly detection system to flag immediately when enemies were inside its network, Darth Vader would have had a much easier life... "May the Force be with you".
To learn more about securing your own “Deathstar,” watch this Dark Reading webcast featuring end user Richard Webster, Senior Manager of Security at Sanofi, and Michael Applebaum, Director of Product Marketing at Q1 Labs, an IBM Company. In it, they discuss real-world lessons about applying Security Intelligence and next-generation SIEM for threat protection.
The worry for organizations, however, is the number of these hackers who have never studied computer science but have an ambition to be a software developer and see it as a challenge to break into a business's network undetected. Although this may seem an innocent personal challenge to them, it is ultimately aligned with greed, and more often than not these people want to go for bigger and better.
Security teams need to be aware of methods to detect and instantly act upon this type of malicious hacking by so-called "amateurs." The IBM X-Force 2012 Mid-year Trend and Risk Report details the variety of attacks that a business could expect a hacker to use. A key point it highlights is the growing complexity of an organization's network, moving from a traditional office-only model to a world of interconnected devices and services. This has made it increasingly difficult to get a clear real-time snapshot of what is happening in the network, making it easier for amateur hackers to get in without raising any alarms.
In a recorded webcast with SCMagazine UK, Chris Poulin, IBM Security Systems Strategist, details how to combat these young hackers through QRadar's anomaly detection capabilities and advanced forensic analysis, quickly identifying when a breach is occurring on your network.
As we have lately read and seen, the style and sophistication of cyber attacks on organizations' networks have become ever more complex. One type of attack that has had a lot of media coverage in the UK is the DDoS attack, with hacktivists using many source IP addresses to flood one IP address within an organization, resulting in critical business services and infrastructure being made unavailable. Although this type of attack may not be news to most people, there has been a lot of fresh exposure in the UK, bringing DDoS to the top of mind.
Reading through these cases, it is not the seriousness of the attack that is the problem, but the late reaction to it. Attacks can occur at any time, and in many cases the technology is not in place to detect and flag them immediately. The consequence? A DDoS attack that starts after people have "finished" work is not acted upon by the security team until the next morning, by which time the attack has succeeded in its mission. Organizations therefore need an effective threat detection system that alerts the security team to an attack regardless of the time of day; otherwise a DDoS can be used opportunistically to mask other harmful activity.
Real-time correlation and well-tuned rules allow this to be combated successfully. With the right technology in place, automated alerts can be sent to the security team the moment a suspicious incident, such as a DDoS attack, is detected. This allows an instant reaction and puts the security team on top of the problem instead of chasing the issue when it is already too late to stop it or prevent further damage.
For more information on how a next generation SIEM and Log Management solution like QRadar can bring you total security intelligence, changing your security posture from reactive to proactive, as well as responding to “dumber” brute force attacks such as DDoS, download this white paper “The Business Case for a Next Generation SIEM.”
This past weekend I watched a documentary on More4 that delved into the Wikileaks scandal. "Wikileaks: Secrets & Lies" went into great detail explaining how Julian Assange served as a middleman in the scandal. Although Assange is viewed as the face and spokesperson of Wikileaks, the documentary showed that he would not have had any global status if it weren't for insiders who were willing to send sensitive information to the organization.
The programme was not about how a hacker could break into a network and steal information; it uncovered a deeper concern: how an insider can revolt, stealing privileged information from inside the network and causing havoc along the way.
This threat should be top of mind for organizations. In its report on business data breaches, Verizon found that 48% of data breaches were caused by insiders and 48% of breaches involved misuse of an insider's privileges.
Beyond identifying the risk of an insider threat, the documentary really drove home the need for better security measures, so that these incidents can be prevented or halted as they occur and the people responsible identified and punished.
For companies without proper security technology, identifying the "rogue insider" is not an easy task. Wikileaks is an excellent example of why traditional perimeter defenses, such as firewalls and anti-virus software, are no longer sufficient in the "post-perimeter" world. To prevent these types of incidents, organizations should deploy automated technologies that continuously monitor and correlate user activity across sources such as network devices, OS logs and applications. This Total Security Intelligence allows rapid detection of unusual activity, such as a large number of sensitive documents being downloaded from a SharePoint server during off-hours or from a remote access location.
To learn more about how Total Security Intelligence can help combat these insider threats, and how organizations are using QRadar as the key component of their IT security, click here.
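The two detections discussed in these posts, a DDoS-style burst of many source addresses against one destination (the DDoS post above) and a large number of sensitive-document downloads off-hours or from a remote address (the insider post just above), can both be expressed as time-windowed correlation rules. The following is an added example written for this page; it is not QRadar code or any Q1 Labs/IBM rule syntax. The pipe-delimited event format, the log-source names (`fw`, `sharepoint`), the corporate address range, the business-hours definition and the thresholds are all assumptions chosen for illustration, and the event data is constructed inline.

```python
"""Minimal time-windowed correlation engine with two rules (added example).

Not QRadar code; the event format and all names below are assumptions.
"""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed corporate address space and business hours used by the insider rule.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # log source that emitted the event (assumed names: fw, sharepoint)
    src_ip: str
    user: str
    dst: str
    action: str


def parse(line: str) -> Event:
    """Parse the constructed format: timestamp|log source|source IP|user|destination|action."""
    ts, source, src_ip, user, dst, action = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), source, src_ip, user, dst, action)


def windowed(events, key, pred, window):
    """Sliding window: for each matching event (time order), yield its key and
    the matching events with the same key seen within `window` of it."""
    buckets = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e.ts):
        if not pred(ev):
            continue
        q = buckets[key(ev)]
        q.append(ev)
        while ev.ts - q[0].ts > window:   # drop events that fell out of the window
            q.popleft()
        yield key(ev), list(q)


def detect_ddos(events, window=timedelta(seconds=60), min_sources=50):
    """Rule 1: many distinct source IPs hitting one destination in a short window.
    Returns {destination: peak distinct-source count}; fires at any time of day."""
    alerts = {}
    hits = lambda e: e.source == "fw" and e.action == "syn"
    for dst, bucket in windowed(events, key=lambda e: e.dst, pred=hits, window=window):
        n = len({e.src_ip for e in bucket})
        if n >= min_sources:
            alerts[dst] = max(alerts.get(dst, 0), n)
    return alerts


def is_remote(ip: str) -> bool:
    return not any(ipaddress.ip_address(ip) in net for net in CORP_NETS)


def detect_insider_exfil(events, window=timedelta(minutes=30), min_docs=20):
    """Rule 2: one user downloading many sensitive documents either outside
    business hours or from outside the corporate range. Returns {user: peak count}."""
    def suspicious(e):
        return (e.source == "sharepoint" and e.action == "download"
                and (e.ts.hour not in BUSINESS_HOURS or is_remote(e.src_ip)))
    alerts = {}
    for user, bucket in windowed(events, key=lambda e: e.user, pred=suspicious, window=window):
        if len(bucket) >= min_docs:
            alerts[user] = max(alerts.get(user, 0), len(bucket))
    return alerts


def build_sample_log():
    """Constructed sample events (not real logs)."""
    lines = []
    for i in range(60):   # 60 distinct sources flood web01 within one minute at 02:00
        lines.append(f"2012-11-20T02:00:{i:02d}|fw|198.51.100.{i + 1}|-|web01|syn")
    lines.append("2012-11-20T02:00:30|fw|10.1.2.3|-|web02|syn")   # ordinary traffic
    for i in range(25):   # jdoe pulls 25 documents at 23:10 from an external address
        lines.append(f"2012-11-20T23:10:{i:02d}|sharepoint|203.0.113.5|jdoe|finance-share|download")
    for i in range(3):    # asmith: a few documents, office hours, from the office
        lines.append(f"2012-11-20T10:00:{i:02d}|sharepoint|10.1.2.3|asmith|finance-share|download")
    for i in range(25):   # bob: many documents, but office hours and inside the network
        lines.append(f"2012-11-20T14:00:{i:02d}|sharepoint|10.5.5.5|bob|finance-share|download")
    return lines


def run_demo():
    events = [parse(line) for line in build_sample_log()]
    return detect_ddos(events), detect_insider_exfil(events)


if __name__ == "__main__":
    ddos, insider = run_demo()
    for dst, n in ddos.items():
        print(f"ALERT ddos: {n} distinct sources -> {dst} within 60s")
    for user, n in insider.items():
        print(f"ALERT insider: {user} downloaded {n} sensitive documents off-hours/remote within 30m")
```

Two design points match the posts. The DDoS rule keys on the destination and counts distinct sources rather than raw packets, so the 02:00 burst fires on its own merits; whether anyone is at their desk is a paging and on-call question, not something the rule should gate on. The insider rule keys on the user and applies the off-hours-or-remote condition per event, so bob's equally large but in-hours, on-network download does not alert while jdoe's does. In a real deployment the thresholds, the corporate ranges and the business-hours window would be tuned from the organization's own baseline.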