Category: Security Intelligence
Posted by Melissa Stevens in Cybersecurity, Security Intelligence, SIEM
Have your security practices been guided by old wives’ tales and horror stories of installations past? In this article for Security Week, Chris Poulin explains why it’s time to revisit your security posture, especially when it comes to SIEM and Security Intelligence. Don’t let superstition influence your strategy!
“Another area where superstitious habits aren’t effectively influenced through SFP [self-fulfilling prophecy] is information security. And yet we continue to spend a good part of our security technology budget on the latest iteration of firewall technology–application firewalls, UTM gateways, data diodes–and anti-virus, the perennial favorite, even though conservative figures estimate that A/V protects endpoints from less than 50% of current malware. Granted, much of this spend is aimed at preventing data leakage, which is a positive shift from the perimeter defense strategy, designed primarily to keep out external threats.”
Read the full article to learn how a next generation SIEM, the cornerstone of Security Intelligence, can help keep your organization protected against today’s threats, and why Chris thinks trying to operate without Security Intelligence is equivalent to insanity!
Posted by Michael Applebaum in Cybersecurity, In the Industry, Security Intelligence
We’ve written extensively in this blog about what Security Intelligence means in concept and practice. As a new solution category, it benefits from wide discussion and exploration. My colleague Chris Poulin recently shared Security Intelligence insights from a client and partner panel he moderated at IBM Pulse 2012, where Security Intelligence was a pervasive theme. In this post, I’ll share a few more data points I picked up from clients at Pulse who discussed what Security Intelligence means and the business value they’re obtaining from it.
One panel discussion included the information security executive of a major media company, the global head of IT security at a global manufacturer, and IBM’s own Vice President of IT Risk, Kris Lovejoy.
The opening question – “What is Security Intelligence?” – elicited some interesting views:
- The ability to learn something germane and relevant at the time you need to make a decision. (Media co. exec)
- It’s less about the technology and more about the destination. Understanding the different threats, instrumenting our architecture in a way that is consumable and actionable. (Lovejoy)
And my personal favorite:
- Knowing what the hell is going on! (Manufacturing co. exec)
The last comment really speaks to the pain experienced by security, risk and IT executives who are wrestling with an explosion of threats, limited visibility and information silos that are tough to bridge. (Not to mention fixed/shrinking budgets.) Who doesn’t worry about what’s taking place out of sight in their organization?
Kris Lovejoy also shared a deeper insight about the impact of Security Intelligence:
Viewing Security Intelligence as a destination brings along a new way of thinking. Security Intelligence can be an effective marketing tool internally. You start to think about security differently and strategically.
This is powerful. Security Intelligence is not just a set of technologies, processes, or even the insights resulting from them. It’s also an approach – one focused on up-leveling the security and compliance conversation, focusing on end goals (especially stretch goals), and delivering greater value to both IT and the Line of Business.
An answer to the next question – “How do you justify security investments?” – also emphasized the need to tie security and risk initiatives back to business value:
Focus on business outcomes that are made possible through the investments. (Manufacturing co. exec)
In other words, what supply chain initiatives are you enabling through careful security controls? What cloud services are you making possible through policies, controls and monitoring? And ideally, are you leveraging your security investments to gain tangible insights that drive revenue opportunities?
One client who presented at Pulse is doing just that, leveraging his Security Intelligence solution to gain Business Intelligence. This security executive from a financial services firm is not only using Security Intelligence to detect fraud (as Chris Poulin describes), but also to pinpoint commercial customers whose business has started to decline. Because his Security Intelligence solution is easily customizable, he uses it to identify falling sales volumes as easily as fast-rising ones. The firm feeds this information to its Sales team in real time, and the team reaches out to those customers and can often reverse the negative trend, making a meaningful impact on the company’s bottom line.
In fact, the business insights produced by the Security Intelligence solution are so valuable that this company’s executive team specifically praised the IT Security organization’s work during one of the company’s recent earnings conference calls. Imagine becoming a hero to your CEO.
Last, I wanted to share the panelists’ perspectives on where the IT security and risk field is headed. In response to the question “What will be different about security in five years?”, they shared the following:
- We won’t need so much audit preparation effort. The information will just be there, accessible. (Media co. exec)
- The bulk of the organization will focus on risk management and business processes, not compliance. (Lovejoy)
Again, note the themes of information visibility and better connecting IT Security with the Line of Business.
To sum up what I heard from clients at Pulse: Security and risk executives are pursuing Security Intelligence initiatives to raise enterprise-wide visibility, gain actionable and tailored information, and transform security and risk management from a tactical pursuit to a strategic initiative driving bottom-line business value.
For help with your own Security Intelligence journey, be sure to check out this comprehensive Resource Center.
Posted by Chris Poulin in In the Industry, Security Intelligence, SIEM, Threat Management
Security Intelligence is about enriching events with context data and ending up with smart information that gives enterprises not only total visibility, but the ability to laser in on the incidents, such as fraud, that matter to business use cases.
That’s the conclusion of a panel of experts at IBM Pulse 2012, held in Las Vegas the week of 5 March. The panel consisted of security managers and consultants from finance, health care, and energy and utility companies, as well as a seasoned and respected consultant from one of Q1 Labs’ trusted partners. When asked to define what security intelligence means to each of them and the organizations they serve, the answer was unanimous: adding context to the data that’s traditionally considered under the purview of log management and SIEM to make correlation, prioritization of incidents, and forensics smarter.
The focus of the panel was to define security intelligence, a term defined broadly by analysts and vendors, and what it means from a practical standpoint. Most of the panelists have worked with multiple log management and SIEM solutions, and agreed that despite the differences across products, the goal of security intelligence is to create actionable results and reduce false-positives, while providing more data to accomplish advanced use cases.
In the finance industry, our panelist used security intelligence in QRadar to detect fraud in addition to traditional internet-borne and insider threats. By using anomaly detection to baseline normal activity on their credit-history web sites, his company was able to detect fraud by alerting on a significant increase in credit-history requests from an individual or from an organization as a whole, such as a car dealership.
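A worked version of that baseline-and-alert approach, written for this page as an added example and not taken from the panel or from QRadar. It assumes a constructed request log (timestamp, requester, subject on each line), hourly buckets, and a threshold of the requester's own mean plus three standard deviations with an absolute floor of ten requests; the bucket size, the multiplier and the floor are all tuning assumptions. Silent hours are zero-filled, which is what lets an individual who normally pulls one report register a jump to fourteen against an otherwise empty history.

```python
"""Baseline-and-deviate detection of credit-history request spikes.

Added example, not QRadar code. Input is a constructed CSV-style log with one
request per line: ISO-8601 timestamp, requester (an individual login or an
organization such as a dealership), subject identifier.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BUCKET = timedelta(hours=1)  # assumption: score volume per hour


def parse_line(line):
    ts, requester, subject = line.strip().split(",")
    return datetime.fromisoformat(ts), requester, subject


def hourly_counts(lines):
    """Return {requester: {hour_start: count}}.

    Every hour in the observed range is present for every requester, zero-filled,
    so a requester that was silent all day carries that silence in its baseline
    instead of having an empty history.
    """
    events = [parse_line(line) for line in lines if line.strip()]
    if not events:
        return {}

    def hour_of(t):
        return t.replace(minute=0, second=0, microsecond=0)

    first = hour_of(min(e[0] for e in events))
    last = hour_of(max(e[0] for e in events))
    hours, t = [], first
    while t <= last:
        hours.append(t)
        t += BUCKET
    counts = defaultdict(lambda: {h: 0 for h in hours})
    for ts, requester, _subject in events:
        counts[requester][hour_of(ts)] += 1
    return dict(counts)


def detect_spikes(lines, k=3.0, min_floor=10):
    """Flag any hour whose count exceeds the requester's own baseline.

    The baseline for an hour is the mean and population standard deviation of
    that requester's *other* hours, so a spike never inflates its own threshold.
    `k` and `min_floor` are tuning assumptions; the floor keeps a requester going
    from 0 to 2 requests an hour from alerting.
    """
    alerts = []
    for requester, buckets in hourly_counts(lines).items():
        for hour, count in sorted(buckets.items()):
            history = [c for h, c in buckets.items() if h != hour]
            if not history:
                continue  # a single observed hour has nothing to compare against
            threshold = max(mean(history) + k * pstdev(history), min_floor)
            if count > threshold:
                alerts.append({"requester": requester, "hour": hour.isoformat(),
                               "count": count, "threshold": round(threshold, 1)})
    return alerts


def build_sample():
    """Constructed 25-hour sample log (not real data)."""
    base = datetime(2012, 3, 5, 0, 0)
    lines = []
    for h in range(25):
        t = base + timedelta(hours=h)
        # A dealership pulling 4-6 reports an hour, then 40 in the final hour.
        for i in range(40 if h == 24 else 4 + h % 3):
            lines.append(f"{(t + timedelta(minutes=i)).isoformat()},dealer-acme,subj-a-{h}-{i}")
        # A bank branch with a flat 8 an hour: busy, but never anomalous.
        for i in range(8):
            lines.append(f"{(t + timedelta(minutes=i)).isoformat()},bank-branch-12,subj-b-{h}-{i}")
    # One loan officer who pulls a single report, then 14 in the final hour.
    lines.append(f"{(base + timedelta(hours=3, minutes=5)).isoformat()},jdoe,subj-c")
    for i in range(14):
        lines.append(f"{(base + timedelta(hours=24, minutes=i)).isoformat()},jdoe,subj-d-{i}")
    return lines


if __name__ == "__main__":
    for alert in detect_spikes(build_sample()):
        print(alert)
```

Running it against the constructed sample flags the dealership (40 in one hour against a baseline of 5) and the individual (14 against a baseline of almost nothing) while the steady bank branch never trips, which is the shape of the rule the panelist described: per-requester baselines rather than one global threshold.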
Fraud is also a huge concern in the health care field, and it’s critical to apply context to system events in the form of caregiver roles, for example. A log entry means one thing when applied to a cardiac surgeon, but has an entirely different meaning for a neonatal clinician. And with the controversy over the US health care law and recent debates over contraception mandates, health care organizations are concerned that they’ve become targets of choice for hacktivists and other outraged individuals, both external and internal. Detecting intrusion attempts early enough to arrest the exploit before it becomes a full compromise and having comprehensive forensics capability to quickly and accurately perform impact analysis is table stakes for security intelligence.
The panelist representing a major oil company pointed out that energy and utility (E&U) customers are largely focused on detecting advanced persistent threats (APTs). Critical infrastructure is an attractive target for hostile nation states, and there are many stories of nation-state infiltration of electric, water and sewer, and government organizations for espionage and sabotage. Stuxnet is the de rigueur poster child, but there are credible reports, and some urban legends, of mass infiltration of US critical infrastructure; the official report on the 2007 Brazilian power grid outage blamed dirty insulators, but many in the security community believe hackers were responsible. Geo-location of IP addresses, threat source databases, and current information on recent exploit activity are all key elements of APT detection, and add context to traditional log and network activity monitoring.
The consultant panelist, who has been deploying SIEM solutions for over five years to a wide variety of organizations across industries, has observed the evolution of SIEM from its initial incarnation as log management with correlation bolted on, through first generation integrated solutions, to today’s security intelligence. One of the litmus tests he applies is whether there is sufficient volume and variety in events: a solid base of events is important to create an accurate representation of activity over time, but without capturing a wide variety of event types, the view is skewed. Similarly, even with a wide variety of event types, if there isn’t sufficient volume to create a solid baseline, it’s impossible to gain context. Once you have volume and variety of events and network activity, he agreed that the next step, which elevates analytics to security intelligence, is to add context data to the mix.
The best quote of the day, in my opinion, came from our health care panelist, although in a separate presentation on the benefits of security intelligence as they were rolling out their QRadar deployment: “Context and correlation can drive deep insight”. She elaborated on the benefits as:
- [The ability to] Detect, notify and respond to threats missed by other security solutions with isolated visibility
- Contextual and actionable surveillance across an entire IT infrastructure
- Ability to detect and remediate threats such as: inappropriate use of applications, insider fraud, threats that could be lost in the noise of millions of events, and more.
- Identify what’s normal and not normal
- Human beings can’t know the whole environment given the size and complexity
- Important for emerging threats
- QRadar deployed in 30 days and in production in 60 using 37 professional services days and 2 weeks of training
So, how do you define security intelligence?
To hear more about what our customers are saying in the conversation about Security Intelligence, watch these videos.
Posted by Melissa Stevens in In the Industry, Log Management, Security Intelligence, SIEM
What answers lie buried in the mounds of unstructured data in our world? What value is there in standardizing data, as the World Health Organization is attempting to do with medical service codes?
In his latest contribution to Security Week, Chris Poulin asks these questions and delves into the value normalization could bring to data, especially in a security context. Imagine if event data followed a standard classification system, instead of being a mish-mash of vendor-specific formats made up by software developers. Could event data then be more easily used to your advantage?
“There are already taxonomies for classifying vulnerabilities in the form of the Common Vulnerability Enumeration (CVE) database and Open Source Vulnerability Database (OSVDB), but not so with events. Every vendor creates their own log formats and many vendors have many formats, perhaps from acquiring multiple software applications or simply not having a development standard. In many cases the software developers just make up their own events, following neither a prescribed format for the fields nor the text within the fields. This makes parsing and categorizing events from a wide range of vendors difficult, and yet it’s a critical undertaking: normalization is the foundation of cross-system data mining and correlation.
There are a couple of main strategies for dealing with the lack of event standardization:
• Store it, perhaps making a best effort to parse the data into common, or normalized, fields, and wrap a flexible search engine around it;
• Invest significant effort into parsing and normalizing the data
The first is the simpler of the two but is largely relegated to post-event analysis; the latter requires more effort but lends itself to real-time correlation and early threat detection. The difference is log management vs. SIEM.”
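The two strategies above in working form, as an added example that is not from Chris’s article or from any product. Three constructed log formats (a key=value firewall log, a BSD-syslog sshd line and a JSON application log) are parsed into one assumed common schema; any line no parser claims is kept raw and searchable, which is strategy one; and a cross-system rule that can only be written against normalized fields fires when one source address is denied at the firewall and then fails authentication on two different systems. The year attached to the syslog timestamp is an assumption, since BSD syslog carries none.

```python
"""Normalize three vendor log formats into one schema, then correlate across them.

Added example, not from the article or any SIEM. The formats and sample lines are
constructed: a key=value firewall log, a BSD-syslog sshd line, a JSON app log.
The normalized schema (time, host, category, src_ip, user, dst_port, raw) is assumed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SYSLOG_YEAR = 2012  # assumption: BSD syslog timestamps carry no year

KV_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>(?:\w+=\S+ ?)+)$")
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def iso_utc(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def parse_kv_firewall(line):
    m = KV_RE.match(line)
    if not m:
        return None
    kv = dict(pair.split("=", 1) for pair in m["kv"].split())
    return {"time": iso_utc(m["ts"]), "host": m["host"],
            "category": "network." + kv.get("action", "unknown"),
            "src_ip": kv.get("src"), "user": None,
            "dst_port": int(kv["dport"]) if "dport" in kv else None}

def parse_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year defaults to 1900
    return {"time": ts.replace(year=SYSLOG_YEAR, tzinfo=timezone.utc), "host": m["host"],
            "category": "auth.failure", "src_ip": m["ip"], "user": m["user"], "dst_port": 22}

def parse_json_app(line):
    try:
        rec = json.loads(line)
        category = "auth.failure" if rec["event"] == "login_failed" else "app." + rec["event"]
        return {"time": iso_utc(rec["time"]), "host": rec.get("app", "app"), "category": category,
                "src_ip": rec.get("client_ip"), "user": rec.get("user"), "dst_port": None}
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

PARSERS = (parse_kv_firewall, parse_sshd, parse_json_app)

def normalize(line):
    """Strategy two: parse into common fields. A line no parser claims is still
    stored (strategy one) under category 'unknown' so nothing is dropped."""
    for parser in PARSERS:
        event = parser(line)
        if event:
            event["raw"] = line
            return event
    return {"time": None, "host": None, "category": "unknown",
            "src_ip": None, "user": None, "dst_port": None, "raw": line}

def search_raw(lines, pattern):
    """Strategy one: flexible search over the stored raw text, after the fact."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]

def correlate(events, window=timedelta(minutes=5), min_failures=2):
    """A cross-system rule that only exists on normalized fields: one source IP
    denied at the firewall and failing authentication at least `min_failures`
    times on two or more different systems, all inside `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["src_ip"] and e["time"]:
            by_ip[e["src_ip"]].append(e)
    offenses = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        if evs[-1]["time"] - evs[0]["time"] > window:
            continue
        denies = [e for e in evs if e["category"] == "network.deny"]
        failures = [e for e in evs if e["category"] == "auth.failure"]
        if denies and len(failures) >= min_failures and len({e["host"] for e in failures}) >= 2:
            offenses.append({"src_ip": ip, "denies": len(denies), "auth_failures": len(failures),
                             "hosts": sorted({e["host"] for e in evs})})
    return offenses

SAMPLE_LINES = [  # constructed sample, one source format per line style
    "2012-03-05T10:00:01Z fw01 action=deny src=203.0.113.7 dst=198.51.100.20 dport=22 proto=tcp",
    "Mar  5 10:00:03 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 41522 ssh2",
    '{"time":"2012-03-05T10:00:05Z","app":"portal","event":"login_failed","user":"admin","client_ip":"203.0.113.7"}',
    '{"time":"2012-03-05T10:00:09Z","app":"portal","event":"login_failed","user":"root","client_ip":"203.0.113.7"}',
    "2012-03-05T10:01:30Z fw01 action=deny src=192.0.2.55 dst=198.51.100.20 dport=445 proto=tcp",
    "Mar  5 10:02:00 bastion kernel: eth0: link is up",  # no parser claims this one
]

if __name__ == "__main__":
    for offense in correlate([normalize(line) for line in SAMPLE_LINES]):
        print(offense)
```

The contrast is the point of the quote: `search_raw` works against text from any vendor and is fine for looking back at an incident, but the `correlate` rule has nothing to stand on until `src_ip`, `host` and `category` mean the same thing whether they came from the firewall, sshd or the application.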
Read the full article, “Working toward a Unified Security Model.” To learn more about the difference between log management and SIEM, and to gain an understanding of what a next generation security intelligence solution can bring to your organization, read this whitepaper, “The IT Executive Guide to Security Intelligence: Transitioning from SIEM to Total Security Intelligence.”
Posted by Heather Howland in Network Intelligence, Security Intelligence, Webinars
If you missed our February 22nd webinar with Dark Reading, or attended live but still have questions, this is for you. Of course, the recording of the full event is available on demand. During the event, we covered a fair amount of ground, talking through some of the larger attacks of 2011 while noting the varied attack types and motivations that powered them.
Questions started flying when we began talking about security intelligence use cases and strategies to prevent being hacked. We touched on the following use case topics: network activity, application detection and forensic evidence, data leakage, insider fraud, user behavior monitoring, and advanced persistent threats (APT). Network activity flows were the common thread running through all of these topics, and through the questions we received as well.
Since these questions were common amongst all of our attendees, we thought we would share some of the questions and answers with you.
QUESTION: Does network flow capability come with your SIEM? Or is it a separate add-on?
ANSWER: Processing flow records in standard formats such as NetFlow, J-Flow, and sFlow is supported by default. If you want to go deeper than the Layer 4 information those flow formats carry, to Layer 7 with content capture, QRadar’s QFlow technology provides that. It can be built into an appliance or, for larger deployments, added as an optional component.
QUESTION: I already monitor NetFlow traffic. How is what you do with flows different?
ANSWER: NetFlow provides useful information such as source and destination IP, source and destination ports, and packet and byte counts. QRadar QFlow’s deep packet inspection identifies traffic up to Layer 7 (the application layer) and also captures content. This means QRadar can identify applications regardless of port (many applications use dynamically allocated ports or tunnel over port 80). For example, QFlow can detect social applications like Facebook, Myspace, and Twitter, as well as port-independent applications like VoIP and BitTorrent, and traffic on non-standard ports (e.g. SSH over port 5000). QFlow also provides content capture: when a flow session is captured, the header information plus a user-specifiable amount of content following it is retained. This lets us see, for example, the name of a file transferred across the network (e.g. customerinfo.doc, creditcard.xls).
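The difference between classifying a flow by its port and classifying it by its content, as an added example that is not QFlow code. The flow records are constructed and include the first bytes of payload that a Layer 7 collector would capture; the protocol signatures are the well-known opening bytes of SSH, HTTP, the TLS ClientHello record and the BitTorrent handshake; and the port-to-application table is an assumed expectation for comparison, not a standard. The HTTP request line is also parsed to show what content capture yields: the name of the file being fetched.

```python
"""Port-based vs payload-based application identification for flow records.

Added example, not QFlow code. Each constructed flow record carries the 5-tuple
plus the first bytes of payload. The signatures are the standard opening bytes of
each protocol; PORT_APPS is an assumed 'expected application per port' map.
"""
import re

PORT_APPS = {22: "ssh", 80: "http", 443: "tls", 6881: "bittorrent"}  # assumption
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]+ (\S+) HTTP/1\.[01]\r?\n")


def identify_by_payload(payload):
    """Classify on content alone, ignoring the destination port."""
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-", b"SSH-1.5-")):
        return "ssh"
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS record: content type 0x16 (handshake), version 0x03 0x00-0x03,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x03 and payload[5] == 0x01):
        return "tls"
    # BitTorrent peer handshake: <pstrlen=19><pstr="BitTorrent protocol">
    if payload[:20] == b"\x13BitTorrent protocol":
        return "bittorrent"
    return "unknown"


def identify_by_port(flow):
    """What a port-only view (plain NetFlow) would call this flow."""
    return PORT_APPS.get(flow["dport"])


def http_target(payload):
    """Content capture: pull the requested path out of an HTTP request line."""
    m = HTTP_REQUEST_LINE.match(payload)
    return m.group(1).decode("ascii", "replace") if m else None


def analyze(flows):
    results = []
    for f in flows:
        by_payload = identify_by_payload(f["payload"])
        by_port = identify_by_port(f)
        results.append({
            "src": f"{f['src']}:{f['sport']}", "dst": f"{f['dst']}:{f['dport']}",
            "by_port": by_port, "by_payload": by_payload,
            # Only a confident content match is allowed to contradict the port.
            "port_mismatch": by_payload != "unknown" and by_payload != by_port,
            "http_target": http_target(f["payload"]) if by_payload == "http" else None,
        })
    return results


def flow(src, sport, dst, dport, payload, proto="tcp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto, "payload": payload}


SAMPLE_FLOWS = [  # constructed records
    flow("10.0.0.5", 41522, "198.51.100.20", 22, b"SSH-2.0-OpenSSH_5.9"),
    flow("10.0.0.5", 41600, "203.0.113.9", 5000, b"SSH-2.0-OpenSSH_5.9"),  # SSH on a non-standard port
    flow("10.0.0.7", 51000, "198.51.100.80", 80,
         b"GET /exports/customerinfo.doc HTTP/1.1\r\nHost: files.example.com\r\n\r\n"),
    flow("10.0.0.7", 51001, "203.0.113.44", 80, b"\x13BitTorrent protocol" + b"\x00" * 8),  # P2P over 80
    flow("10.0.0.9", 52000, "198.51.100.44", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    flow("10.0.0.9", 53000, "198.51.100.53", 53, b"", proto="udp"),  # nothing captured
]

if __name__ == "__main__":
    for r in analyze(SAMPLE_FLOWS):
        print(r)
```

Two of the six constructed flows come out differently depending on the method: SSH to port 5000 is invisible to the port table but obvious from its banner, and the BitTorrent handshake on port 80 would be logged as web traffic by NetFlow alone. The empty UDP flow stays "unknown" rather than being guessed, which is the right failure mode when no content was captured.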
QUESTION: Are there some sources that you can’t pull data from in a network? Do we have to manually add in some?
ANSWER: QRadar auto-identifies log sources from most major devices and normalizes their events automatically. If a device creates logs, QRadar can accept or collect them. If QRadar does not recognize a device’s logs, a straightforward built-in mechanism can be used to create custom parsers.
QUESTION: Do you have any pre-built templates and rules for meeting compliance regulations? Or is scripting required?
ANSWER: QRadar has pre-built compliance templates and reports. Scripting is not required.
If you’re interested in learning more about the value of flows and how to get more out of SIEM, you can watch our on-demand webcast “Getting More out of SIEM: How to Use Flows To Better Detect Threats and Simplify SIEM”. This webcast shows a live demo and talks more about the value of correlating flows.
Have more questions? Need further explanation? Feel free to email us at info@q1labs.com or just post them below.