Author Archive
Posted by Tom Turner in Cybersecurity, Security Intelligence, Threat Management
I think we can laugh because it was foiled, but we should be chastened that it even exists as a potential threat. What a topical parallel to draw with the daily fight waged by information security professionals. What an analogy to illustrate the need for sophisticated intelligence gathering and analysis — and the reason why traditional signature detection technologies alone are no longer sufficient to address new attacks such as zero-day threats (like this one).
OK, I realize that last sentence is hard to swallow when your eye keeps being drawn to the large blue image to the right, so allow me to borrow from an article in today’s Wall Street Journal to inject the correct tone. In describing how the underwear bomb has evolved (the latest version had dual detonators to compensate for the design flaw thankfully discovered over Detroit), there is a very relevant comparison to how cyber threats evolve from one version to the next.
The article then went on to describe what aviation security authorities are trying to learn from the most recent generation of this threat. Change a few of the words and it sounds just like the challenge faced by their information security peers who manufacture today’s important perimeter security controls.
“Investigators are closely scrutinizing the construction of the bomb for clues that would lead to its makers and would also help aviation security experts improve and adjust airport detection systems. Investigators say the bomb contained no metal, meaning it would have likely evaded detection by airport screeners.”
Most importantly, the threat was thwarted not by traditional detection mechanisms (though these will continue to be important) but by the gathering and analysis of intelligence. One can only imagine the sheer amount of intel that analysts pore over in connection with suspected terrorist activity. It is not unlike the huge volume of security-relevant telemetry that exists within an enterprise network.
The last parallel only just occurred to me, but it is extremely relevant to the conversations we have with security clients today. An important reason this threat was averted appears to have been information sharing between different groups, in this case different countries. A more global perspective on the information security landscape is becoming increasingly important to information security pros today, as shown by the importance of groups like FS-ISAC and research from experts like the X-Force.
So there are many analogies that can be drawn from this most recent terrorist threat to the cyber threats facing our networks. Intelligence and information sharing are the keys to success in both cases.
Posted by Tom Turner in Security Intelligence, SIEM, Threat Management
The recent trading fraud at UBS by a rogue employee bears a lot of similarity (not least in the amount of money lost) to a similar occurrence at Société Générale in 2008. In both cases the alleged perpetrators were exchange-traded fund specialists, and both had back office experience prior to joining a trading desk (experience that helped them cover their tracks). While both had triggered internal trading alarms over the years, it was finally the turbulence in the markets of 2008 and 2011 that ultimately exposed their fraud and the associated losses.
Now I am certainly not claiming that SIEM solutions would have caught these complex trade patterns and anomalies today, though there is some interesting research being conducted to extend correlation to trading patterns and there are specific fraud detection technologies for financial applications. What I am pointing out is the analogy, a very powerful analogy if you are trying to sell the value of implementing SIEM and Security Intelligence within your environment.
Before the world recognized them as rogue traders, these were trusted employees with sophisticated knowledge of the internal workings of company systems. Their trading activities had raised a number of alarms over the years, but these alarms lacked context about associated actions (the other trades they made to cover their tracks) and were likely lost in the noise of all the other alarms that may occur across a large trading desk. Does this sound familiar?
I believe the analogy is apt. Increasingly we see our customers wanting to monitor the actions of users and detect the anomalies in their interactions with applications and systems. The Wall Street Journal recently posted an interesting article about the challenge that users or trusted insiders present from a security standpoint. You don’t have to look much further than UBS or SocGen to understand the ramifications of fraud by trusted employees.
Posted by Tom Turner in Security Intelligence, Threat Management
I was explaining our correlation and analytics engine the other day and it reminded me that much of the data analysis that we perform is modeled on the judicial system. In fact, we originally called our correlation capability the Judicial Systems Logic, and still today we call the analysis process that runs within our product “The Magistrate”. Now in the early days, certain analysts bloviated that this analogy was a little contrived, so over time we dropped it. Shame on us; I still think it makes all sorts of sense, particularly as more and more people realize the need for greater security intelligence in their operation.
When customers feed application, network, identity, vulnerability and security data into QRadar, the Magistrate weighs all the different evidence from the various product witnesses. The witnesses and their associated evidence are judged according to credibility, severity and relevance, and all of these weights participate in the creation and observation of an offense. In this virtual courthouse, an offense is an attack against a network or infrastructure, and each offense has a different magnitude. The magnitude, represented on a scale of 0-10, is the result of combining the three different measurements as they apply to the monitored information.
- Credibility — Credibility indicates the integrity or validity of evidence as determined by the credibility rating of the devices reporting the individual security events. Credibility can increase as multiple sources report the same event.
- Severity — Severity indicates the amount of threat an attacker poses in relation to how prepared the target is for the attack.
- Relevance — Relevance determines the significance of an event or offense in terms of how the target asset has been valued within the network.
Our product, deployed at 1800 customers worldwide, is ultimately helping to deliver judgements on activity surfaced from those customer environments. The judgements may be driven mostly by out-of-the-box content Q1 Labs delivers, or through customized rules (or rulings) from the customer and its security partners.
You tell me: isn’t the judicial system analogy easier to explain to your CEO than “statistical, anomaly, rules-based, flux-capacitor-driven correlation”?
(By the way, we do all of that too. Well, not the flux capacitor bit!)
Posted by Tom Turner in In the Industry
If you’ve watched the Iron Man films or Thor, you should be familiar with the Strategic Homeland Intervention, Enforcement and Logistics Division (SHIELD). But more importantly, if you are involved in information security, you need to be familiar with the Center for Secure Information Technologies (CSIT).
Based at Queen’s University Belfast, CSIT already has 60+ researchers working on security technology concepts to safeguard the trustworthiness of information transferred and stored electronically. These researchers are funded in part by government money but also by forward-thinking companies like BAE Systems, Thales and Q1 Labs.
You may wonder why organizations like these would work with a group like CSIT, and the answer is pretty simple: in addition to working collaboratively with the best security minds in the industry, government policy makers and the best of academia, organizations like Q1 Labs get access to the research. Research that will most likely benefit our customers.
This isn’t the first time we’ve done something like this. In 2007, together with the University of New Brunswick and the Canadian government, we funded and launched the Information Security Center of Excellence. This is an organization with similar goals to those of CSIT and research from this group helped to shape some of our leading Risk Management technologies.
As our own Tony Stark says: “Joint research between academic, government and commercial researchers is very important to ensure that the security solutions necessary to safeguard critical infrastructures evolve rapidly”. That’s what Q1 Labs and CSIT are all about.
Read more about the official partnership between CSIT and Q1 Labs. To learn more about risk management, watch “5 Steps to Proactive Risk Management: Transitioning your Security Posture from Reactive to Predictive.”
Posted by Tom Turner in Cybersecurity, In the Industry, Security Intelligence
Topiary, the spokesperson for the well-known hacker groups LulzSec and Anonymous, has been arrested and detained at his home in the Shetland Islands. That’s right, the Shetland Islands, famous for beautiful scenery, little ponies, and now world-renowned hackers! At the same time, police in the UK have also detained another person with possible ties to their investigation of organized hacking.
The fascinating thing to me is the ages of the two detainees, 19 and 17 years old respectively. This makes me wonder about many things, but one is the potential that hacker groups have for training smart, technically savvy people in an extremely short amount of time. I’m sure the training isn’t formal, but I am also sure that content and communities are easy to find in this Google/Facebook/Twitter age. Maybe there isn’t even a concept of training within the hacker community, in which case they are self-taught, which is even more concerning.
The implications for IT Security professionals are enormous: if relatively callow youths can inflict such concern and damage as part of a loose affiliation, what can a truly organized, dedicated and formally trained set of individuals do to breach a company? Especially when notoriety is NOT their goal? I always like to use the phrase “information security is a game of changing offense and improving defense” (I borrowed that from someone far smarter than I), but given the success that a 17 year old can have I realize that this isn’t a game, it is an arms race.
So what are we, the information security community, doing about training for everyone else? Yes, the arms race has to continue on the defensive end too. Just as technology and techniques now enable rapid advances in hacking, so too must technology and techniques continually improve security defenses and security intelligence. But training is an oft-forgotten discipline that sharpens skills, maximizes capabilities and develops expertise. I am constantly surprised that customers can find funds to purchase our solutions much more easily than they can find funds (at a much lower cost) to purchase training, and even a product famous for its automation still requires training classes if you want to maximize your ROI and gain the knowledge base of shared best practices. I know customers are similarly challenged to find the money for training that is not product-specific, like the classes provided by SANS, MISTI, Accuvant and Fishnet.
If people will spend money to learn to train trees and shrubs (see topiary), and hackers can self-train and achieve the things we have recently witnessed, then organizations have to double-down on their product and skills training for IT security pros.