Category: Risk Management
The worry to organizations however, is the number of these hackers who have never studied computer science but have an ambition to be a software developer and see it as a challenge to try to break into a businesses network undetected. Although this may seem an innocent personal challenge to them, this is ultimately aligned with greed and more often than not these people want to go for bigger and better.
Security teams need to be aware of methods to detect and instantly act upon this type of malicious hacking from so called “amateurs.” The IBM X-Force 2012 Mid-year Trend and Risk Report details the variety of attacks that a business could expect a hacker to use (read more here). A key point highlighted is the complexity of an organization’s network, moving from a traditional office only model to a world of interconnected devices and services. This has made it increasingly difficult to get a clear real-time snapshot of what is happening in the network, making it easier for amateur hackers to get in without raising any alarms.
In a recorded webcast with SCMagazine UK, Chris Poulin, IBM Security Systems Strategist details how to combat these young hackers, through QRadar’s anomaly detection capabilities and advanced forensic analysis, to quickly identify when a breach is occurring on your network. Click here to view.
With the release of QRadar Security Intelligence Platform 7.1, we’re excited to share with you a host of new advances to our family of Security Intelligence products – including QRadar SIEM, QRadar Log Manager and QRadar Risk Manager. These innovations are making it easier for users to leverage cloud investments, simplify management, collect and manage data more flexibly, and replicate or extend QRadar deployments. As a result, QRadar users will receive even greater insight and visibility, further reduce manual work and gain higher system performance. Let’s dive in!
Leverage Cloud Investments
We know many of you have built significant private and public cloud infrastructures and are looking for new virtual workloads to deploy in the cloud. With QRadar 7.1 you now have an additional type of appliance – the Event Collector – that you can deploy virtually, providing more ways to use your cloud environment to gain richer security intelligence.
Event collectors – which come in both virtual and hardware appliance form – provide continuous event logging capabilities, even when network connectivity is unreliable. They collect event logs and forward them to an event processor or all-in-one appliance for correlation, analysis and long-term storage. If network connectivity is lost, they can queue events in a storage buffer and then forward them upon re-connecting. (We call this “store and forward.”) In addition to serving locations with intermittent network connections (like naval vessels), event collectors are well-suited for collecting logs in distributed locations with low to moderate event volumes, such as retail stores and satellite offices. A large retailer, for example, might have hundreds of stores in which they want to collect event data, but the data generated in each location is modest enough that event processors (with terabytes of storage per appliance) aren’t required.
With this release, you now have access to a full complement of virtual appliances – console & all-in-one, event processor, flow processor, VFlow collector, and event collector – to best utilize your current and future cloud infrastructures. Even better, appliances can be mixed and matched among virtual appliance, hardware appliance and traditional software form factors, to meet your specific needs.
Simplify Management – Especially for Big Data
As we and others like Scott Crawford and Jon Oltsik have written, information security is truly a big data analytics challenge today. With its heritage in network flow collection and anomaly detection, QRadar has been collecting and correlating massive data sets in real-time since before big data became a white-hot phenomenon. Critical infrastructure and tier-one telecommunications providers, banks, and energy and utility companies are using QRadar to correlate as many as one million events per second (EPS) in real-time, thanks to QRadar’s purpose-built, embedded Ariel database. But with such massive data volumes come management challenges.
In response, we developed new Index Management capabilities in QRadar 7.1 that provide more refined data management and ultimately better performance. As the volume of stored data explodes, challenges inherent in querying big data become more pronounced – and so do the benefits of optimizing indexes for the queries most often run. QRadar’s default search indexes have always followed the 80/20 rule, providing out-of-the-box indexing for the most commonly used properties. Now we’re taking indexing a step further, enabling deep customization and tuning.
With QRadar 7.1, users have granular control over the creation of search indexes that enable speedy querying. While the fixed database indexing configuration that QRadar has historically provided works well for most scenarios, some clients would benefit from additional or different indexes. That’s why we added the ability to customize the indexing scheme for the event and flow database – so users can drop existing indexes to free up system resources or create new indexes to optimize the system for their specific needs.
QRadar also provides invaluable visibility into the use of indexes – with statistical reporting on the frequency of searches involving each property, how often each property’s index is used, and the size of each index – to help inform indexing decisions. This enables more efficient storage utilization and superior search performance.
Do you suspect one property is getting searched a lot? Get the data.
Do you wonder how big an index has grown? Find out.
Want to start indexing a custom property and see how often that index is used? No problem.
Another new capability that simplifies management is QRadar Risk Manager’s Enhanced Policy Monitoring. Risk Manager excels at monitoring network configurations and system vulnerabilities for potential security and compliance violations, and has always alerted when a policy is violated. Now it takes monitoring a step further with the ability to automatically notify when a policy is passed, providing positive evidence of compliance with external regulations and internal corporate policies. For example, you might want a positive notification when the percent of regulatory assets with Internet exposure vulnerabilities is within policy, or when the percent of regulatory assets with client side vulnerabilities that have communicated with the Internet is within policy. Now you can gain affirmative proof of such compliance.
Collect and Manage Data More Flexibly
QRadar 7.1 also offers new capabilities for collecting and managing data with greater flexibility. These include WinCollect – a versatile and scalable new QRadar capability for Windows event collection. WinCollect provides a superior and agentless means for collecting events from large numbers of systems. Installed on a Windows server of the customer’s choice, WinCollect can use the Windows Event Log API to pull events from target systems and then forward them to QRadar, or use Windows event forwarding and allow target systems to automatically push events to it and then forward them to QRadar. WinCollect complements existing collection mechanisms, including Q1 Labs’ own ALE solution, third-party approaches, and native Windows Server capabilities. In a subsequent blog post, we’ll explain the advantages of each approach and the value of having a broad set of choices.
Event collectors (described earlier) also help simplify data collection and management, in addition to leveraging cloud infrastructure and enabling event collection under unreliable connectivity. To begin with, their ability to “store and forward” data not only applies when a network connection is lost; it can also be used proactively for policy-based event forwarding. In some cases, a remote location might have reliable but limited network bandwidth, and you might want to limit the collector’s use of bandwidth to specific (less busy) times. With QRadar 7.1, you can limit forwarding by bandwidth utilization (e.g., never consume >1MB/second), and/or set an hourly, daily or weekly forwarding schedule. In addition, event collectors can filter event data before it is forwarded for correlation, reporting and long-term storage.
Additionally, we have released more than a dozen new product integrations (device support modules) that enable users to normalize and analyze even more types of security telemetry. These include IBM Security zSecure Audit, which allows sending z/OS, RACF, ACF2, Top Secret, DB2, and CICS events from the System Management Facilities (SMF) log to QRadar (in addition to the native z/OS logs that QRadar already collects). We have also completed integrations with many third-party products, such as Verdasys Digital Guardian, AppSecInc DbProtect and Trend Micro Deep Discovery.
Build Extended Solutions and Replicate Existing Deployments
Lastly, we are enabling clients to build extended security intelligence solutions and replicate existing deployments. With Security Intelligence Content Importing/Exporting, you can export correlation rules, building blocks, reference sets, report templates, dashboard widgets and more from a QRadar system to an external device, and subsequently import them into another QRadar system. This enables quick deployment of a new QRadar system based on an existing system or template, as well as sharing of security intelligence content across systems.
We see this being used in several ways:
- Enabling clients to copy custom-built security intelligence content from one deployment to another (across business units or geographies)
- Enabling clients to copy content from a development or test environment to a production system
- Enabling solution providers and system integrators to build unique Security Intelligence intellectual property that they can distribute to their customers.
While QRadar already delivers thousands of rules, report templates, dashboard widgets and saved searches out-of-the-box, many business partners have additional expertise to offer to clients, and have been eagerly awaiting this capability.
To Learn More
With this hefty release completed, we’re gearing up to bring some fantastic new innovations to market in 2013. In the meantime, please try QRadar 7.1 for yourself and let us know what you think. We also encourage you to learn about the other IBM Security product releases just announced, which include capabilities for securing big data environments (including IBM InfoSphere BigInsights and Cloudera), risk-based access control for mobile users in BYOD environments, and privileged identity management.
To read more about using SIEM for targeted attack detection (APT’s), you can also download this Gartner report. Or see how organizations are using network flow analytics for better threat detection and network visibility with this Q1 Labs paper. Best wishes in your security journey!
Allan Paller of the SANS Institute had a few interesting things to say at the ISSA-LA’s Security Summit IV, but two struck me as incredibly salient. The first is that CEOs actually do understand the importance of information security. I’ve heard security experts–smart and well-respected ones–utter that executive management doesn’t “grok” security. That’s true, but they don’t need to grok it; that’s the responsibility of us who inhabit the world of zero-days and hacktivists and APTs. CEOs need us to analyze and summarize our knowledge and present it to them in a business context. The problem isn’t just that we in security generally don’t speak the language of the boardroom, we simply aren’t wired the same. Security practitioners are a risk-averse group, by and large; CEOs are risk managers.
Which makes sense: CEOs are responsible for growing the business and there’s no reward without risk—hopefully well-calculated risk. We don’t want our executives pumping tokens into slot machines in Vegas hoping to hit it big. On the other hand, we don’t want them stuffing the cash from revenues into their mattresses. So when they decide to invest in new market opportunities or augment the current business model using technology, they want to be on the safe side of the risk threshold—but just barely.
But security folks’ impulse is to grab the business stakeholders by the shirt collars and drag them away from that scary precipice. We’re much like lawyers in that way. Their job is to minimize liability, a form of risk, optimally to eliminate it with the fabled iron-clad contract. Of course with lawyers it’s as much a negotiation tactic as dogma; each party stands on opposite sides of an issue with backs to their own walls, fully knowing they’ll both end up somewhere in the middle.
But security is not at odds with the business; it’s not a negotiation between the two parties. Our job is to determine appropriate responses and come to the table with the best, most informed decision possible with the given data. We need to find a happy middle between a purist security stance that discourages new initiatives (e.g., cloud, BYOD, partner portals, etc.), and a Wild West approach where the business does whatever it wants without addressing risk — and present that to executive management. They need to trust that we understand the business and are helping them to make the right risk management decision. Remember, “defend” is not the only response to a threat; other mitigating controls include transferring risk and accepting it.
Alan also said that CEOs want to know “how much is enough.” This is the heart of the matter. Finding the center of gravity that lets the business grow and thrive is the key to transforming the perception of information security from a cabal of naysayers to trusted risk analysts and business enablers.
What would you do if someone was repeatedly trying to break in your front door? Would you add an extra lock and hope that was enough? Would you completely ignore the back door? If you lived in a neighborhood where lots of homes had been broken into, would you do some research to see what the common entry points were and maybe take some precautions to better address those risks- even if your house had been safe so far?
I’d like to think you’d do just about anything in your power to protect your home, and definitely your business. But finger crossing and dead bolt- equivalents seem to be the approach a lot of organizations take when it comes to security, especially network security. Those organizations are resting on hope; hope that they won’t be targeted by a cyber attack, hope that no disgruntled insiders will take a shot, hope that their network security analysts won’t miss something in the piles of log data being generated every minute, and hope that their first generation solutions are working good enough to catch modern attackers.
Earlier this week I read an article in Network World about the failure of CSOs to properly evaluate risk in their security strategy. It asked the important question- “what happens if your security strategy doesn’t work?” I’m betting there’s a lot of organizations out there who don’t know the answer to that question, and if they did, they wouldn’t be happy.
To truly be secure, you need to know where your vulnerabilities are and then figure out how to fix them. Your team needs to be prepared to identify and respond quickly to attempted and successful breaches (because inevitably, some will get through). They also need to know how to minimize the damage that can be caused by an incident. They need to be able to find the who, the what, the when, the where and most importantly, the how- and they need this information in real time! This is the essence of Security Intelligence. Do you have it?
Building on the momentum of our latest QRadar SIEM and QRadar Log Manager release just two weeks ago, we are excited to announce a new release of QRadar Risk Manager that adds several highly anticipated enhancements. As a refresher, QRadar Risk Manager is the member of the QRadar Security Intelligence Platform that provides pre-exploit configuration monitoring and attack simulation. These proactive capabilities help identify security gaps and prevent security breaches and compliance violations before they occur, providing a perfect pairing to the advanced analytics, detection and reporting of QRadar SIEM.
The new configuration monitoring and management capabilities make it easier than ever to strengthen perimeter security and improve network visualization:
Normalized rule and security device comparison allows users to compare rules and object groups across the same security device type (historical comparisons, for example), as well as across differing device types. For example, users can compare the configuration of all of their Internet firewalls, regardless of brand, helping them ensure that all firewalls are configured consistently. QRadar Risk Manager provides views that quickly and easily identify which rules have been added and deleted, highlighting object group changes between devices.
Topology visualization enhancements improve the overall usability of the product by allowing users to hover over interfaces to quickly view connection and interface details. This saves time by removing the need to “drill down” to view this information. This release also provides the ability to quickly save and retrieve saved searches, plus comprehensive path filtering options that include the ability to filter on multiple criteria. The release further adds improved path visualization capabilities, including arrows that indicate path direction and hover options that display partially allowed path information (such as specific ports). Users can also drill down from a hover window to view firewall rules that enable a given path, with a single click.
Firewall rule counting and event association is a powerful feature that associates firewall “accept” and “deny” events with specific firewall rules. Users can now report on most, least and never used rules, aiding in firewall optimization by identifying and eliminating rules that are no longer needed. The ability to drill down from a rule to specific firewall events that triggered it aids with rule forensics, such as detecting what traffic has been allowed by a rule, and where the traffic originated. This helps diagnose traffic issues and assists in determining the impact of rule changes before those changes are made. Liberal rules, such as “any port” and “any destination,” can be easily restricted without the fear of blocking critical traffic.
Shadowed rule detection is a highly requested feature that allows detection of rules that are “over-shadowed” by previous rules that contradict or render them ineffective. This feature reduces excessive firewall overhead and unforeseen security exposures. QRadar Risk Manager now allows users to identify and report on shadowed rules, allowing them to be easily fixed. A hover-over interface also allows the user to instantly view shadowed rule information without the need to drill down.
Firewall rule searching enhancements now allow users to search on time intervals, include or exclude different rule types, and refine results based on rule usage. Results may be sorted by a variety of options, including device rule order.
We are very excited about this release and the many other capabilities planned for the next few months. For more information about QRadar Risk Manager and QRadar SIEM, we invite you to read the white paper “Five Practical Steps to Protecting Your Organization Against Breach.”
And if you are at IBM Pulse, be sure to stop by the Security and Compliance section of the Solution Expo to say hello and learn more!