Category: Compliance

Monday, 22 August 2011 08:47

How Security Intelligence Helps Healthcare with Detecting Threats, Compliance and Social Media

At a recent customer meeting, I had the opportunity to speak with a Director of Information Security from a large hospital system in the Midwest. I asked him what Security Intelligence means to his organization. Three things in his reply stood out: compliance, detecting and preventing threats, and the exposure resulting from social media use. As a large healthcare organization, they are responsible for protecting the information of the patients who visit them as well as of all hospital associates. They are bound by HIPAA, and because they handle a lot of credit card transactions (pharmacies, gift shops, and doctor visit payments), they are bound by PCI DSS as well. These regulations and standards require them not simply to keep logs but also to know what is touching their networks and what is going on inside them, including at smaller sites into which they lack direct visibility.

They need to be able to correlate events to get the intelligence needed to track down possible breaches or anything going on in the network that could involve HIPAA or PCI. Security Intelligence allows them to find that needle in the pile of needles, and, importantly, to do so in real time: to determine what happened when, and to proactively prevent things that have the potential to become a big problem. In the past they were reactive and spent a lot of time building special scripts to dig through logs. With Security Intelligence, not only were they able to catch a zero-day attack during a demonstration prior to installation, but now they have the intelligence to see things before they occur, allowing them to easily show value to their executive team.

Compliance and threat detection are pretty common themes with many customers with whom I speak. What really piqued my interest was when we started talking about social media, as my expertise lies in leveraging online media for marketing. Over the past year this topic has kept growing in importance with many of our customers. Like many customers, they are still working through their policy for social media. What’s interesting is how the organization is using security intelligence to help build their strategy. Right now they allow their employees to use Facebook, and one of their biggest concerns was how much time and bandwidth is consumed. With Security Intelligence, they have the visibility they need to make better decisions about what they want to allow and how they want to configure devices to limit or prevent some of that traffic.

Chris Poulin, Q1 Labs’ Chief Security Officer, has recently gotten many requests to speak about this topic. Check out the latest video of Chris talking about “How to Balance the Risks of Social Media.”  This video is part of a series we will be publishing on social media risks, so stay tuned!


Monday, 15 August 2011 08:30

What is Security Intelligence and Why Does It Matter Today?

This is part 1 of an ongoing series of posts that answer “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask.”


In the introduction to this series, I asserted that people have many questions about Security Intelligence, then made the bold promise to answer six of the most pressing ones.  Let’s start by gaining a common understanding of Security Intelligence.

My colleague John Burnham recently proposed the following definition of Security Intelligence that encapsulates where the industry is headed:

“Security Intelligence is the real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization.”

That’s a lot to take in, so let’s break down the key elements:

  • “Real-time”:  Viewing time-lagged historical data or pouring over logs won’t cut it.  You need a view of what’s happening right now, across your entire network.
  • “Collection, normalization and analysis”: This is where context and intelligence rule. Gather data from every relevant device and system in your network.  Normalize it so you can compare activity across different devices and locations.  Correlate activity and rule out the false positives that are the bane of every security analyst’s world.  Then present the results, clearly and simply, and put every relevant piece of information at your fingertips or eyeballs.  Use every bit of data to enrich your view of security incidents, because context drives insight and discovery.  Look, you might have already been breached and the evidence could be right in front of you, but you’ll never see it if your solution can’t intelligently correlate, analyze and present information to you.
  • “The IT security and risk posture of an enterprise”: Your ability to secure your data, intellectual property, IT assets and more from malicious outsiders and insiders, while maintaining reliable and efficient business operations. A crucial element of protecting your brand and reputation, this can only be accomplished by collecting and analyzing the most comprehensive set of networking and security data.
  • “Actionable and comprehensive insight”: Collecting and analyzing all the relevant data in your network is a good start, but data (logs, query results, etc.) by themselves are worthless.  (How many times have you experienced alert overload?)  A Security Intelligence solution must make sense of your data and help you quickly research and remediate incidents.
  • “Reduces risk and operational effort”: (Enough said.)
  • “For any size organization”:  Security Intelligence isn’t just for those with big budgets, staff and lots of patience.  Today’s modern Security Intelligence solution has evolved from the dinosaurs known as first-gen SIEM offerings.  These products required major upfront implementation work and actually added to your ongoing headcount needs, rather than easing them.  Today it’s just the opposite – which means Security Intelligence is within the reach and budget of virtually any organization.  I’ll discuss this further in my next post in this series.
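The “collection, normalization and analysis” bullet above describes a pipeline rather than a product feature: gather events from different devices, map them onto one schema, then correlate across sources while suppressing the noise that would otherwise flood an analyst. The following Python example is added here to make that pipeline concrete; it is not code from the original post or from Q1 Labs. The two log formats, the host names, addresses and user names are all constructed for the example. It normalizes a VPN gateway log and a Windows security log into a common event shape, sorts them into one timeline, and raises an offense only when a burst of failed logons from one source address is followed by a successful logon from that same address within a window, so that failures alone (a locked-out service account, a single mistyped password) do not fire.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two sources with unrelated formats (not real logs).
VPN_LOG = [
    "2011-08-15T08:30:01Z vpn-gw1 AUTH user=jsmith src=203.0.113.7 result=FAIL",
    "2011-08-15T08:30:04Z vpn-gw1 AUTH user=jsmith src=203.0.113.7 result=FAIL",
    "2011-08-15T08:30:09Z vpn-gw1 AUTH user=jsmith src=203.0.113.7 result=FAIL",
    "2011-08-15T08:31:20Z vpn-gw1 AUTH user=jsmith src=203.0.113.7 result=OK",
    "2011-08-15T09:00:00Z vpn-gw1 AUTH user=mlee src=198.51.100.4 result=FAIL",
]
# Windows syslog-style lines; 4625 is a failed logon, 4624 a successful one.
WIN_LOG = [
    "Aug 15 08:30:02 dc01 Security: EventID=4625 Account=jsmith Source=203.0.113.7",
    "Aug 15 08:30:06 dc01 Security: EventID=4625 Account=jsmith Source=203.0.113.7",
    "Aug 15 08:45:00 dc01 Security: EventID=4625 Account=svc-backup Source=10.0.0.5",
    "Aug 15 08:45:01 dc01 Security: EventID=4625 Account=svc-backup Source=10.0.0.5",
    "Aug 15 08:45:02 dc01 Security: EventID=4625 Account=svc-backup Source=10.0.0.5",
    "Aug 15 08:45:03 dc01 Security: EventID=4625 Account=svc-backup Source=10.0.0.5",
]

VPN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) AUTH user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>\S+)$"
)
WIN_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) Security: "
    r"EventID=(?P<eid>\d+) Account=(?P<user>\S+) Source=(?P<src>\S+)$"
)


def parse_vpn(line):
    """Map one VPN gateway line onto the common event schema, or None if it does not match."""
    m = VPN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
            "outcome": "success" if m["res"] == "OK" else "failure", "source": "vpn"}


def parse_win(line, year=2011):
    """Map one Windows logon line onto the same schema. The syslog timestamp carries no
    year, so the year is supplied by the caller (assumed 2011 for the sample data)."""
    m = WIN_RE.match(line)
    if not m:
        return None
    outcome = {"4624": "success", "4625": "failure"}.get(m["eid"])
    if outcome is None:
        return None  # other event IDs are not logon outcomes; drop them here
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
            "outcome": outcome, "source": "windows"}


def normalize(vpn_lines, win_lines):
    """Collect both feeds, normalize them, and merge into a single time-ordered list."""
    events = [e for e in map(parse_vpn, vpn_lines) if e]
    events += [e for e in map(parse_win, win_lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Raise one offense per source address when at least `threshold` failed logons
    (from any device) are followed by a successful logon from the same address within
    `window`. Failures that never lead to a success are deliberately not reported."""
    pending = defaultdict(list)  # src address -> [(ts, source)] of recent failures
    offenses = []
    for e in events:
        key = e["src"]
        if e["outcome"] == "failure":
            pending[key].append((e["ts"], e["source"]))
            continue
        recent = [(t, s) for t, s in pending[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            offenses.append({
                "src": key,
                "user": e["user"],
                "failures": len(recent),
                "by_source": dict(Counter(s for _, s in recent)),
                "success_at": e["ts"],
            })
        pending[key].clear()  # a success resets the counter for this address
    return offenses


if __name__ == "__main__":
    for offense in correlate(normalize(VPN_LOG, WIN_LOG)):
        print(offense)
```

On the sample data the two noisy patterns (a single failure from `198.51.100.4` and four failures with no success from `10.0.0.5`) produce nothing, while the five failures against `jsmith` that span both the VPN gateway and the domain controller, followed by a successful VPN logon, produce one offense that neither device would have reported on its own.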

Security Intelligence solutions have evolved from a number of technologies you may be familiar with.  In short, Security Intelligence builds on the data collection capabilities and compliance benefits of log management, the correlation, normalization and analysis capabilities of SIEM (security information and event management), the network visibility and advanced threat detection of NBAD (network behavior anomaly detection), the ability to reduce breaches and ensure compliance provided by risk management, and the network traffic and application content insight afforded by network forensics.  Yet what distinguishes a modern Security Intelligence solution is that it’s not a gift basket of discrete technologies wrapped together with duct tape, or worse, PowerPoint.  It’s a truly integrated solution built on a common codebase, with a single data management architecture and a single user interface.

As for why it matters, I could discuss the increased prevalence and sophistication of advanced persistent threats.  But instead, I think David Ingall of BGL Group (a leading UK insurance broker) puts it best:

“The move to the QRadar Security Intelligence Platform has been a real eye opener for us and has helped us to concentrate our efforts on the most important issues. Even without significant tuning, it has improved how we deal with security intelligence and it will form a core part of our infrastructure as we move forward.”

Stay tuned for my next post in this series, where we’ll take a closer look at how modern Security Intelligence solutions differ from first-generation products.  And please share your thoughts in the comments below!


Thursday, 11 August 2011 12:08

It's more than just PCI for Retail

In an article on infosecurity.com this week, there’s news that as of Oct 1, 2012 Visa is waiving the requirement for US merchants to annually validate their compliance with the PCI Data Security Standard (PCI DSS) – *if* 75% of the merchant’s Visa transactions come from chip-enabled terminals that support both contact and contactless chips.

Part of Visa’s plan to accelerate migration to the new chip technology is to eliminate the need to annually validate PCI compliance, which I think is a bit short-sighted. Here’s some of the “small print” from Visa:

Qualifying merchants must continue to protect sensitive data in their care by ensuring their systems do not store track data, security codes or PINs, and that they continue to adhere to the PCI DSS standards as applicable.

OK, that’s great, but who is enforcing this? In most cases, validation drives compliance, which drives security (or at least budgets).  So what will happen when validation goes out the window? While achieving PCI compliance isn’t necessarily the “end-all” solution to security problems, it certainly pushes merchants in the right direction and adds structure to an already hectic environment (considering the frequency of card breaches popping up in the news). According to the 2011 Verizon Breach Report, 89% of organizations that suffered breaches were not validated PCI compliant.

With PCI compliance validation all but off the table, we have to trust that other security measures won’t fall short.  How do merchants “ensure” (as Visa states) that they are not storing track data, security codes, PINs and so on?  As Gartner’s John Pescatore recently pointed out, “There is a big difference between compliance and security.”

Even though Visa may not be requiring audits for qualifying merchants, it is important to consider the larger security picture beyond just collecting logs. Retailers and other third-party vendors have a responsibility to keep consumer data secure, and to do so they need a fully featured security intelligence solution that correlates log data, network flows, asset configurations, device and network vulnerabilities, and internal and external threat data into one consolidated view, with the goal of exceeding PCI control objectives.  Not just to meet Visa’s requirements, but to uphold their duty to protect consumer information.  After all, it’s good for business.



Thursday, 21 July 2011 09:26

How One Government Agency Shifted Priorities For Continuous Monitoring

Federal government agencies are no strangers to budget hassles. But with the cyber-security landscape becoming much more sophisticated and high-profile breaches making the news on an almost daily basis, government agencies need to continually raise the bar on how they predict risk and protect their data and their partners’ data. And in many cases, they have to do it with the same resources they currently have, or fewer.

In a recent conversation with a director of security at one of our Defense customers, we asked what processes they undertook when implementing a continuous monitoring strategy. The key takeaway was that it came down to shifting priorities and internal education. Attacks are now more specifically targeted, drawing on detailed knowledge of what does and doesn’t work and of who is being targeted, and increasingly leveraging social engineering techniques and trickery. Protecting the organization’s ecosystem therefore takes more education, more intelligence, and the perspective that “security is a process, not a destination.”

Here are some observations from the conversation:

With security, it’s important to continue to improve as you go along: the offense changes, so the defense must shift. This doesn’t come without challenges. Organizations need a certain amount of flexibility in order for people to do their jobs, and as mobility and work-from-home programs increase, it gets trickier to keep the “security bar” from getting in the way, because risk shifts from being something that can be completely controlled to something that has to be managed more openly and flexibly. This is where education comes into play. Maintaining good relations with staff on different security issues and keeping them informed of issues and of how attacks succeed is important, as they are often the first line of defense.  As social engineering attacks become more prevalent, it becomes increasingly important to be diligent in educating staff and making them more aware of risks.

Continuous Monitoring is now the top priority for this federal organization. As a matter of fact, they started implementing it before the term Continuous Monitoring (we call it FISMA 2.0) was even born, back when FISMA was primarily focused on annual audits. They also needed to figure out how to get the most value out of what they already had from a technology, resource and budgetary perspective. With techniques by attackers continuously changing, they needed to implement continuous monitoring so that they could better understand what’s known, what they are looking for, and proactively close down things as problems and vulnerabilities come up. Managing risk is a key driver.

For this organization, when it came down to implementing Continuous Monitoring, it was all about tradeoffs and shifting priorities. Without additional budget for more resources, they needed to reposition staff to make continuous monitoring the new top priority and other things became lower priority. Like many organizations, they had a lot of individual devices that did their own things and provided their own data. The effort to bring the data all together for correlation was required to provide greater security intelligence and situational awareness.

Since they made Continuous Monitoring their top priority, they have found a number of situations where they were able to prevent some incidents and compromises from occurring. One of the challenges of course is that it’s not always easy to sell to management, because making it a priority comes at the expense of something else. So, it’s important to prove value and show a rapid ROI so that tradeoffs are understood. Helping management better understand the “behind the scenes” is important so they can see the real value by knowing what was prevented, protected, etc.  Security Intelligence answers the four fundamental questions demanded by Continuous Monitoring:

1. What are the internal and external threats now being faced?
2. Are we properly configured to protect against these threats?
3. What is happening right now?
4. What was the impact?

Where does our defense customer see itself in 3-5 years? As stated earlier, security is a process and they hope to find the right balance. They want to increase the capabilities to better protect data and get to a stable configuration. The reality they understand is that security will continue to evolve and they hope that some of the legacy technologies and silos begin to evaporate.  Their mission is to protect their organization’s data while the methods continuously evolve.

Learn more about developing a comprehensive security strategy, which includes continuous monitoring, in this on-demand webinar, “No One is Immune to Being Hacked: Strategies for Managing Advanced Threats.”


Saturday, 19 March 2011 07:54

A Tale of Two Days, One Cloudy – One Clear

Day 1: we participated in a panel at the William Blair Technology Symposium, “The Future of Cloud Computing.” The panel was entitled, “How the Cloud Changes Security”. Great topic, great panel, staffed by security solutions suppliers. Major takeaway based on the questions asked of the panel, by the investment community, not end-users: confusion reigns supreme, and most likely due to the outrageous amount of hype surrounding “cloud”. Usually the questions were about virtualization, but using cloudy(ed?) language.

Day 2: Q1 Labs Customer Council. The topic of Cloud came up twice: once in the form of a customer’s presentation of one of his major use cases, SIEM as the security intelligence platform for his company’s cloud-based services offerings. He relies on QRadar for visibility/compliance and intelligence/threat management, both to ensure the integrity of his brand and to provide proactive threat management. And once from another customer in the form of a question, essentially: “What is the role of SIEM in the Cloud, in your opinion?” This generated a very grounded discussion of the various cloud types (private, public, hybrid, multitenant) and how SIEM, Log Management and Vulnerability Management play a role. Clarity prevailed: one size does not fit all use cases.

Prosodie (France), another customer, recently announced their adoption of our QRadar Security Intelligence Platform for visibility/compliance for their cloud-based services, and in addition uses QRadar SIEM from Q1 Labs for intelligence/threat management of their internal network, similar to the customer referenced above.

So, customers view cloud clearly (like how I did that?) as a potentially viable business proposition worthy of examination, versus a cool technology shift: if cloud adoption enables them to do their jobs better and grow their businesses, great. If not, it drops off the list of priorities.

And it would appear that while the market observers might be a bit confused about the exact utility and deployment model of the cloud, customers are not, and seem to have a pretty clear vision for SIEM’s role in securing it.

