Last week I participated in a panel on Continuous Monitoring at FOSE. Joining me were Mark Crouter from MITRE as the moderator, John “Rick” Walsh, chief of technology and business processes in the Cybersecurity Directorate of the Army’s Office of the CIO, and Angela Orebaugh, Fellow and Senior Associate at Booz Allen Hamilton. Auspicious company indeed.
For those not tuned into the federal government’s cybersecurity initiatives, the concept of continuous monitoring evolved from the previous approach in FISMA (the Federal Information Security Management Act), which mandated annual reviews of federal agencies’ security programs. After a few years of implementation it was widely recognized that the reviews generated rooms full of paper, which were obsolete as soon as they were printed, but didn’t elevate information security plan effectiveness to an acceptable level. Between 2006 and 2010, the number of security incidents rose by over 650%. The resulting strategy is embodied in FISMA 2012 (2.0), which is aimed at continuous monitoring of security controls, determining gaps between current and accepted security baselines, and quantifying risk.
Rick has been facing the challenges of implementing continuous monitoring within the government, and his experience has been that the different business processes, missions, and systems create obstacles, but once overcome, the solution yields financial and process efficiencies, and improved security. One of the biggest challenges is enumerating the assets, but once done is sure to reveal duplication of systems and opportunities to consolidate systems and software licensing.
Angela framed the conversation in her intro, which was appropriate since she co-authored NIST Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. She has also been involved with the Security Content Automation Protocol (SCAP, pronounced ess-cap) project, which provides a set of standards for describing vulnerabilities (CVE, common vulnerabilities & exposures), systems (CPE, common platform enumeration), and configuration standards (CCE, common configuration enumeration), as well as a scoring system (CVSS), a test definition language (XCCDF), and a vulnerability definition language (OVAL). Angela advocated use of SCAP as a foundation for continuous monitoring.
Questions from the audience mainly focused on how to implement continuous monitoring, including getting buy-in from senior management and budgeting. The key is to show short-term results that are meaningful to business stakeholders. While continuous monitoring is in the process of being mandated, the danger is treating it as a checklist and doing the bare minimum to comply; whereas, when done right, continuous monitoring can be the cornerstone of real security improvements, including interrupting the kill chain through early attack detection, providing total visibility that extends to troubleshooting operational problems, and giving management a security dashboard with both technical and business gauges. The State Department was one of the first successful adopters of continuous monitoring and was able not only to reduce its high-risk vulnerabilities by 90%, but also to slash the cost of certification and accreditation by 62%.
One of the more amorphous questions was “how continuous is continuous?” Does data need to be analyzed in real time or near real time? Does this apply to all systems? The answer is that it depends on each individual agency’s goals and the telemetry that can be collected from the systems. Organizations don’t want to have to retool systems to provide events as they occur, unless the systems are critical enough to warrant that cost and effort and there is no other way to gain the needed visibility. The panel all agreed that some systems, vulnerability scanners for example, only need to report into a central monitoring solution on an occasional basis, while network monitoring should report in near real time, which means one-minute intervals for most systems that create NetFlow records. Ultimately, there is no one-size-fits-all answer.
My overall impression from the panel is that continuous monitoring in the federal sector is what we call Security Intelligence in private industry, and both need to be defined and implemented according to the enterprise’s or agency’s specific needs. The primary difference is that continuous monitoring is focused on metrics: quantifying the delta between the expected state of assets and their measured state, and classifying these differences as vulnerabilities. The scorecard approach provides a common baseline for different organizations to compare themselves against each other, and for management to better understand their organizational security posture at any given moment in time and compare it against past performance.
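As an added illustration of the metrics focus described above (example code written for this note, not anything from the panel, NIST or Q1 Labs), the following Python compares a constructed set of asset measurements against a constructed baseline and produces the per-asset and organization-wide numbers such a scorecard is built on; every control name, weight and hostname is an assumption made for illustration.

```python
"""Added example (not from the original post): quantify the delta between an
expected security baseline and the measured state of assets, then score it.
All asset data, control names and weights below are constructed."""
from collections import namedtuple

# Expected baseline: control -> (required value, weight lost when non-compliant).
# Weights are constructed; an agency would derive them from its own risk ranking.
BASELINE = {
    "patch_level_days": (30, 5),   # patches no older than 30 days
    "av_signature_days": (7, 3),   # AV signatures no older than 7 days
    "admin_mfa": (True, 4),        # admin logins must use MFA
    "telnet_enabled": (False, 4),  # cleartext remote admin must be off
    "log_forwarding": (True, 2),   # host must forward logs to the SIEM
}

Finding = namedtuple("Finding", "asset control expected measured weight")

def compare_asset(name, measured):
    """Return one Finding per control whose measured value misses the baseline.
    Numeric controls mean 'at most N days'; boolean controls must match exactly.
    A control that was never measured is itself a gap (measured=None)."""
    findings = []
    for control, (expected, weight) in BASELINE.items():
        value = measured.get(control)
        if value is None:
            ok = False
        elif isinstance(expected, bool):
            ok = value is expected
        else:
            ok = value <= expected
        if not ok:
            findings.append(Finding(name, control, expected, value, weight))
    return findings

def scorecard(inventory):
    """Weighted compliance percentage per asset plus a risk total for the whole
    inventory, so one number can be tracked over time and across organizations."""
    max_weight = sum(weight for _, weight in BASELINE.values())
    per_asset = {}
    total_risk = 0
    for name, measured in inventory.items():
        findings = compare_asset(name, measured)
        lost = sum(f.weight for f in findings)
        total_risk += lost
        per_asset[name] = {
            "score_pct": round(100 * (max_weight - lost) / max_weight),
            "findings": [f.control for f in findings],
        }
    return {"assets": per_asset, "total_risk": total_risk}

# Constructed measurements, in the shape a configuration scan export might take.
# legacy03 deliberately reports only two controls to show how gaps are scored.
INVENTORY = {
    "web01": {"patch_level_days": 12, "av_signature_days": 2, "admin_mfa": True,
              "telnet_enabled": False, "log_forwarding": True},
    "db02": {"patch_level_days": 95, "av_signature_days": 2, "admin_mfa": False,
             "telnet_enabled": False, "log_forwarding": True},
    "legacy03": {"patch_level_days": 400, "telnet_enabled": True},
}

print(scorecard(INVENTORY))
```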
I was asked at the GTRA conference how the public and private sectors differ. My view is that the government does more up-front analysis and planning, while the private sector sees a need and builds a solution. Between well-considered frameworks, like FISMA 2.0, and tools like QRadar and OpenPages, the federal government and industry have an opportunity to collaborate on a complete Security Intelligence solution incorporating continuous monitoring and meaningful security scorecards and dashboards.
Click here to learn how Security Intelligence can help Federal organizations address continuous monitoring requirements. Find out how QRadar Risk Manager addresses the need for configuration auditing, and assessing the risk of configuration changes, across multi-vendor network environments (switches, routers, firewalls and IDS/IPS).
This is the 6th and final entry in a series of posts that answer “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask.”
To understand how people are getting started with Security Intelligence, let’s go straight to an industry expert: Q1 Labs’ own Chris Poulin. Chris is not only Q1 Labs’ Chief Security Officer but also the head of our worldwide Professional Services practice, and drives our Customer Council. Chris has seen more Security Intelligence use cases and customer deployments than most security pros will ever dream (or have nightmares!) about.
I recently sat down with Chris to get the straight talk about how organizations begin their Security Intelligence (SI) journey. Much of what Chris shared with me has also been published in this SecurityWeek article. Here are my takeaways from our conversation:
1. Organizations know they need Security Intelligence, but often don’t know where to start.
We often speak with customers whose SI business cases start with regulatory compliance – PCI DSS, HIPAA, NERC CIP, FISMA, NIST 800-53, GPG 13, etc. – and that’s certainly important. But they know log management and reporting are just the tip of the iceberg in how SI can benefit them. As Chris noted, using Security Intelligence for compliance alone is like stamping a checkbox with a sledgehammer.
2. There are several use cases that apply to nearly all customers.
Although SIEM and other Security Intelligence solutions provide great value through company- and industry-specific use cases, they also address many generic use cases. Examples include botnet detection, traffic from darknets, excessive authentication failures, and IDS alerts indicating that an attack is targeting an asset the VA scanner reports as vulnerable to that exploit. SI vendors usually provide out-of-the-box rules (with alerts), reports, dashboard widgets, and saved searches that cover these scenarios.
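To make the last of those generic use cases concrete, here is an added example (written for this post, not QRadar’s or any vendor’s rule logic) that escalates an IDS alert to an offense only when the vulnerability scanner reports the targeted host as vulnerable to the weakness the signature exploits; the alert lines, hosts and CVE-0000-000x identifiers are all constructed placeholders.

```python
"""Added example (not from the original post): correlate IDS alerts with
vulnerability-scan results. An alert becomes an offense only when the target is
known to carry the exploited weakness; an unscanned target is flagged separately
because the scanner cannot rule it out. All records and identifiers (including
the CVE-0000-000x placeholders) are constructed for illustration."""
from collections import defaultdict

# Constructed vulnerability-scanner export: host -> set of open CVE identifiers.
SCAN_RESULTS = {
    "10.0.1.10": {"CVE-0000-0001", "CVE-0000-0002"},
    "10.0.1.11": {"CVE-0000-0003"},
}

# Constructed IDS alerts in a flattened key=value form. The 'cve' field is the
# weakness the signature targets; the IDS alone cannot tell if it applies.
IDS_ALERTS = [
    "ts=2012-04-02T10:01:05Z src=203.0.113.5 dst=10.0.1.10 sig=exploit-attempt cve=CVE-0000-0001",
    "ts=2012-04-02T10:01:06Z src=203.0.113.5 dst=10.0.1.10 sig=exploit-attempt cve=CVE-0000-0001",
    "ts=2012-04-02T10:01:09Z src=203.0.113.5 dst=10.0.1.11 sig=exploit-attempt cve=CVE-0000-0001",
    "ts=2012-04-02T10:02:40Z src=198.51.100.7 dst=10.0.1.11 sig=exploit-attempt cve=CVE-0000-0003",
    "ts=2012-04-02T10:03:00Z src=198.51.100.7 dst=10.0.1.99 sig=exploit-attempt cve=CVE-0000-0003",
]

def parse_alert(line):
    """Turn one key=value alert line into a dict; tokens without '=' are skipped."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def classify(alert, scan_results):
    """'offense' when the target is known-vulnerable to the exploited CVE,
    'unscanned' when the scanner has no record of the host,
    'not_vulnerable' when the scan shows the weakness is absent."""
    target = alert.get("dst")
    cve = alert.get("cve")
    if target not in scan_results:
        return "unscanned"
    if cve in scan_results[target]:
        return "offense"
    return "not_vulnerable"

def correlate(alert_lines, scan_results):
    """Group alerts by verdict and collapse offenses per (src, dst, cve) so the
    analyst sees one offense per attacker/victim/weakness, not one per alert."""
    by_verdict = defaultdict(list)
    offenses = defaultdict(int)
    for line in alert_lines:
        alert = parse_alert(line)
        verdict = classify(alert, scan_results)
        by_verdict[verdict].append(alert)
        if verdict == "offense":
            offenses[(alert["src"], alert["dst"], alert["cve"])] += 1
    return dict(by_verdict), dict(offenses)

if __name__ == "__main__":
    verdicts, offenses = correlate(IDS_ALERTS, SCAN_RESULTS)
    for key, count in offenses.items():
        print("OFFENSE", key, "alerts:", count)
    print({verdict: len(alerts) for verdict, alerts in verdicts.items()})
```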
3. Start with a set of core data sources.
Before you can monitor anything, you need to decide which data sources to start with. To avoid getting overwhelmed, Chris recommends beginning with a core set of log sources:
- Authentication events (from Active Directory and other identity management services)
- Windows, Linux/UNIX, and other OS administration logs
- Perimeter firewalls and VPN concentrators
- Anti-malware logs
- File and directory auditing on high-value servers (those that contain PII, ePHI, financial information, and sensitive company information or intellectual property)
In addition, bring in network activity flows (ideally Layer 7 flows) as soon as practical. If incorporated from day one, they can save you a ton of time by automatically discovering and profiling assets and tuning your solution. On an ongoing basis, flows then provide an entirely new dimension of information that leads to better identification of threats, elimination of false positives and faster forensic investigations – across a range of use cases.
4. Define targeted use cases by examining your key business problems.
Once you’re addressing the common use cases, step back and look at your business. What are you and your executives most concerned about detecting or preventing? If you’re an investment brokerage, it might be trader fraud. If you’re a retailer, you might want to protect customers’ PII, including credit card numbers. If you’re a utility or energy company, you might need to strengthen security around your SCADA systems. Re-examine the business case for your project, or take a close look at your CEO’s and CIO’s top priorities, to define your next use cases.
5. Spend time understanding your network and your SI solution’s capabilities.
Congratulations, your solution is in production and delivering new real-time intelligence! Take some time to digest what you’re seeing in its dashboards, reports and offenses (incidents). Move beyond the well-trodden road and push it to give you more. You can learn a lot more than just which users can’t enter their passwords correctly the first three times. Think about new insights you could gain from correlating previously disparate data sets, and new reports you can deliver now that all this data is in a single repository.
6. Phase in IDS/IPS data and other application/user/network telemetry.
IDS/IPS data is also important, but those systems are often improperly tuned, leading to a significant volume of alerts. Therefore, Chris recommends waiting until you’ve brought the number of offenses in your SIEM or SI solution down to about 25 per day before adding IDS/IPS telemetry.
Once you’re in business with IDS/IPS data and have tuned your solution sufficiently, think about layering in additional data sources – such as database (and database security) logs, application logs, physical security system logs, etc. – to improve the accuracy of your risk and threat management efforts.
7. Don’t overlook the value of training and community.
Lastly, remember there are others out there who can help you. Look into the training options for your products. Explore vendor and industry conferences that give you the opportunity to meet with peers face to face. Participate in online vendor communities and industry organizations. Everyone using SI or SIEM today – and there are tens of thousands of us worldwide – was once a beginner, and went through the same learning curve. Many will be happy to help, so don’t be shy.
In summary, I hope this blog series has clarified the concept and practice of Security Intelligence. SI is a powerful new enabler of security and compliance that delivers actionable information through real-time insight and deep forensics. It provides significant benefits by addressing customers’ needs for intelligence, integration and automation – areas that have historically been the Achilles heel of security solutions. And most importantly, SI solutions are reasonable to implement and manage for both small and large organizations, and deliver value quickly.
For the final word, I look to Jerry Walters of Ohio Health for the customer perspective:
“We’ve seen tremendous value using the QRadar product. In the past we were very reactive. My team would get a call to do an investigation, and things had already occurred and we had to piece together what happened. With QRadar we’re able to see things before they even occur and prevent them upfront before they become a real problem. [QRadar] helps us get in front of the things we need to be in front of as a security organization.”
Best wishes on your Security Intelligence journey!
We recently held a webcast with SANS, featuring a major Q1 Labs customer who is a well-known luxury brand in the retail space. They have been relying on the QRadar Security Intelligence Platform to help them tackle compliance regulations, gain visibility into network devices and system logs, display packet level detail, and provide powerful reporting capabilities.
Let’s rewind a bit and discover why they need a SIEM.
PCI compliance is a driving factor, since they are a publicly traded company and host payment information. Beyond that, the reason they need a SIEM is the diversity and size of their network. Their infrastructure comprises multiple flavors of UNIX (including HP-UX and IBM AIX), Red Hat Linux, and Windows servers, with network devices from Cisco, Check Point (firewalls), SolarWinds, and AirWave.
With over 500 stores, a corporate network, and a retail network, they faced a challenge of continuously monitoring for threats and suspicious activities. It was clear to them that simply reviewing logs on a periodic basis was not enough. They needed a SIEM solution to help uncover anomalies on their network in real time.
Of course, you don’t have to wait for each part of this series to be released: watch the full webcast now. In the next part of the series, we will see why selecting a SIEM vendor is not an easy process.
Ever wonder what the “big deal” is with QRadar Security Intelligence? Watch this short video featuring Chris Poulin to understand what sets QRadar apart from other security intelligence solutions, and why thousands of customers large and small have chosen the QRadar Security Intelligence platform to meet their IT security needs. Learn how QRadar helps customers:
- Detect threats others miss
- Consolidate data silos
- Detect insider threats
- Predict risks against your business, and
- Exceed regulation mandates.
This is part 4 of an ongoing series of posts that answer “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask.”
With a firm understanding of Security Intelligence (SI) in hand, let’s get down to brass tacks and review the benefits organizations are gaining from their SI deployments. Here are several real-world examples:
Like it or not, regulatory compliance – for PCI DSS, HIPAA, NERC CIP, SOX and many others – is a major driver of security initiatives. Although compliance doesn’t guarantee a secure environment, compliance will always get attention and budget because of the potential penalties for failure. Complying with relevant mandates is just the start of enhancing one’s security posture, but it’s an important first step. Security Intelligence aids both regulatory and internal policy compliance by logging and proactively monitoring diverse information across the enterprise in real time, providing accountability, transparency and measurability. It delivers practical value through automated reporting and easy searching of logs, flows and much more.
David Blackburn of California ISO, the electrical grid operator for 80 percent of California, notes, “Compliance was the chief driver in our purchasing a SIEM [solution]. We have many tools that monitor and analyze, but there was no centralized logging capability that [could] analyze those logs and give us good information quickly.” Hear more about how California ISO uses Security Intelligence for NERC CIP compliance in this video.
Faster Detection and Remediation of Threats
In the post-perimeter world, focusing solely on prevention is a noble but losing proposition. Boundaries are porous – think mobile computing, social media and cloud computing – and there’s a heightened risk of insider theft, leading to what Forrester calls a “zero-trust” environment. Security Intelligence solutions address this reality by helping businesses detect and remediate breaches faster. They have become adept at finding the needle in the haystack, by correlating massive data volumes in real time. This includes events from network & security devices, servers, applications, directory servers; network activity flows with Layer 7 visibility; asset information; configuration data; vulnerability information; and more. (If you think SIEM solutions have already been doing this for years, think again.) SI solutions also aid in remediation by identifying which assets and users were potentially affected by a compromise, and by capturing application content for forensic activities.
Adobe Systems senior network security manager Leon Fong discusses the benefits Adobe received from Security Intelligence in this video. He explains that QRadar detected threats other security products missed:
“Within 2 months [of deploying the solution], the Conficker worm started hitting our network. I noticed that we were getting a lot of heavy TCP port 445 traffic being denied by our firewalls. The next day, the traffic grew 10-fold. I had to notify our antivirus team that this needed to be looked into. Soon after, McAfee sent a note of this worm being prevalent. In this case, the SIEM solution [QRadar] found the problem before McAfee was able to.”
Reduction of Insider Fraud, Theft and Data Leakage
External attacks garner most of the headlines, but insider threats can be even more damaging – compromising invaluable intellectual property and even jeopardizing national security. We’re all familiar with WikiLeaks, but few organizations have come to grips with the true risk of insider threats. Would you know if an employee was sending key product plans to a competitor, anonymously publishing confidential information, or accessing financial information that could be used for insider trading? With Security Intelligence solutions, organizations can identify and mitigate those inside threats and many more, by detecting the following:
- Unauthorized application access or usage
- Data loss such as sensitive data being transmitted to unauthorized destinations
- VoIP toll fraud
- Application configuration issues such as privileged access exceptions
- Application performance issues such as loss of service or over-usage
A multi-billion-dollar branded consumer products firm recently used its SI solution to detect an attempted data exfiltration by a trusted employee for financial gain. The company’s executives suspected its intellectual property was being leaked but couldn’t identify the source. When they applied flow-based network activity monitoring to the situation, they were able to quickly track down the data leakage and stop the employee. With application content capture, they could even drill down and view the specific emails sent by the employee through his personal email account to the third party. This prevented the problem from snowballing and potentially causing millions of dollars in damage to the firm.
Pre-Exploit Risk Reduction
Sure, I just finished explaining how you can’t focus only on threat prevention in a post-perimeter, zero-trust world. But that doesn’t mean you have to give up on prevention either. No one is ripping out all their firewalls or IDS/IPS products. Likewise, you shouldn’t overlook some of the more cutting-edge approaches to pre-exploit risk reduction. Three ways SI solutions are helping customers prevent compromises today are by:
- Automatically monitoring device configurations (e.g., firewalls) and alerting on policy violations
- Prioritizing the multitude of vulnerabilities reported by vulnerability scanners
- Performing predictive threat modeling and simulation of network changes
These may sound familiar, but modern SI solutions surpass yesterday’s point products by applying greater intelligence to a broader set of inputs. Network activity flows, for example, provide a more complete view of the effectiveness of security device rules than configuration data by itself. As my colleague Brian Mehlman writes, “[Configuration data alone can] miss situations where a configuration is thought to be adequate but for some reason still allows potentially risky network traffic to propagate.” Similarly, knowledge of network topologies can “minimize false positives common among vulnerability scanners and … [prioritize vulnerabilities] that can be easily exposed because of the way the network is configured.”
A major electric energy transmission company uses QRadar Risk Manager to perform centralized device configuration monitoring and auditing, thus reducing the risk of security breaches. Because the solution monitors multiple vendors’ security products and uses flow analytics (QRadar QFlow) to paint a rich picture of exposures, the company believes it has significantly strengthened its security and risk posture. The fact that its risk management capability is part of a broader Security Intelligence solution also reduces training and staffing requirements.
Simplified Operations and Reduction of Effort
Lastly, SI solutions are applying intelligent automation to simplify security operations and reduce the burden on security and network professionals. IANS just published a study of the Return on Security (ROS) achieved by two large customers, and the findings were compelling. In addition to estimated risk reduction benefits of $13.5 million, the objective benefits (net of all solution costs) were estimated at $550,000. These stem from greater efficiencies and elimination of tedious manual tasks. Again, these were the benefits reported by the customers based on actual experience. The full report can be accessed here.
How do these benefits compare to what you’ve received from security solutions? We welcome comments about your own real-world experiences.