Mining Big Data for Better Security Intelligence
Today, IBM Security Systems announced a “Breakthrough with Combination of Security Intelligence and Big Data – Data Analytics Helps Organizations Hunt for Cyber Attacks.” By combining the worlds of business and security intelligence, organizations can analyze data in new ways, detecting threats they would previously have missed and reacting faster with more accurate and timely results. Sandy Bird, CTO for IBM Security Systems, wrote an interesting blog post on this topic in which he explains how the security strategy of the future will be built on the underlying premise that every new source of data is a blessing and not a curse.
Excerpt from the IBM Smarter Planet Blog:
Over the years the game of cat and mouse between attackers and people tasked with defending networks against their advances has evolved to become increasingly more complex. Every new advance in defensive technologies has forced attackers to adopt new tactics, and every new attack technique has produced a new security start-up. The result of this game has been that some of the most diligent and advanced security organizations in the world have deployed over 60 different security products, products that infrequently communicate with one another. Unfortunately, this has not proven a sustainable long-term approach to the security challenge as attacks have become more complicated, difficult to detect and even far-reaching. Realistically, we can’t rely on any single product to be successful 100% of the time. The question is, if we understand the realities associated with perfection, why do we continue to embrace strategies that seem to rely on products being successful in isolation?
We need a different, foundational approach to the security challenges associated with sophisticated attackers… the security strategy of the future will be built on the underlying premise that every new source of data is a blessing and not a curse.
Read Sandy’s full post on the IBM Smarter Planet Blog for answers to questions like “How to identify and combine those subtle data indicators of an attack?” and “Does a security strategy need to change just because another piece was added to the puzzle?”
If you are interested in learning more about IBM Security Intelligence for Big Data be sure to check out:
VIDEO The Role Big Data Plays in Solving Complex Security Problems
INFOGRAPHIC on A Big Data Approach to Security Intelligence
IBM Security Systems website: For access to more product information, white papers and more
As I sat down to watch the new James Bond film with my usual supplies of fizzy drinks and sugary sweets, I was very surprised when he decided to take on the cyber terrorist at large and solve the problem single-handedly, physically and without a security product in sight!
Of course we don’t all have a secret agent in our organization, driving around eradicating danger. However, security teams can prepare and have clear, flexible strategies in place to reduce risk on their network.
The premise of the film (spoiler alert) is a cyber terrorist getting into the British Secret Service network undetected and causing harm to key personnel. The clever methods used to infiltrate the network highlight what is happening on a daily basis to security teams globally, and though a great film, probably made many security personnel squirm slightly in their chairs when seeing the consequences that could occur!
From internal constraints to the rise of Advanced Persistent Threats (an ESG research report highlighted that 59% of enterprise organizations think they have been a target of an APT attack), the role of the security team is becoming ever more complex. The requirement for a clear security strategy, which is able to adapt and be flexible to an organization’s evolving needs, is vital.
In an exclusive webcast with Dark Reading on 12/13/2012 at 1200 ET, Q1 Labs’ very own James Bond, Michael Applebaum, and Jon Oltsik, Senior Principal Analyst at ESG, will be presenting “Information Security in Transition: Top things to consider in 2013”. In this must-attend event there will be recommendations on how to improve your organization’s information security model and, importantly, the key issues that you are likely to face in 2013.
If you don’t want to wait for our webcast to get this information, please download Jon Oltsik’s report “Enterprise Information Security in Transition”.
As the news broke that the final trilogy of Star Wars was going to be made, I was excited and intrigued about the plot. However, one question I always ask myself is, “How different would the story have been if the Deathstar were more secure?”
Along with most Star Wars fans, I found the moment when the rebel alliance flew in en masse to destroy the Deathstar one of great intrigue. With a power so great and protection around the entire perimeter of the battlestation, how could it ever be penetrated?
Of course the hero, Luke Skywalker, comes to save the day by finding a small gap and, undetected, he flies through to the center of the Deathstar, destroying it and escaping without a single scratch.
When comparing this scenario to what we see every day in the news regarding cyber attacks, it is very similar, right down to the part where organizations react to the breach far too late. It is of utmost importance for organizations to make sure they are able to see and react instantly when a security breach is happening, no matter how small. As we see with the case of the Deathstar, it only takes one opening for an attacker to slip in and cause a tremendous amount of damage. We only have to look at the news, where an attacker describes how he stole a database of 150,000 contacts using a SQL injection (more details) without any reaction.
Having a thorough Security Intelligence strategy in place, with a next generation SIEM as the centerpiece, is vital for an organization. With the advantage of real-time normalization and correlation across your network, any abnormal behavior will be highlighted and your security team notified immediately, detailing the where, when, how, what and why of the attack.
It is just my opinion, but if the Deathstar had an anomaly detection system to highlight immediately when enemies were within its network, Darth Vader would have had a much easier life… “May the Force be with you”.
To learn more about securing your own “Deathstar,” watch this Dark Reading webcast featuring end user Richard Webster, Senior Manager of Security at Sanofi, and Michael Applebaum, Director of Product Marketing at Q1 Labs, an IBM Company. In it, they discuss real-world lessons about applying Security Intelligence and next-generation SIEM for threat protection.
The worry for organizations, however, is the number of these hackers who have never studied computer science but have an ambition to be a software developer and see it as a challenge to try to break into a business’s network undetected. Although this may seem an innocent personal challenge to them, it is ultimately aligned with greed, and more often than not these people want to go for bigger and better.
Security teams need to be aware of methods to detect and instantly act upon this type of malicious hacking from so called “amateurs.” The IBM X-Force 2012 Mid-year Trend and Risk Report details the variety of attacks that a business could expect a hacker to use (read more here). A key point highlighted is the complexity of an organization’s network, moving from a traditional office only model to a world of interconnected devices and services. This has made it increasingly difficult to get a clear real-time snapshot of what is happening in the network, making it easier for amateur hackers to get in without raising any alarms.
In a recorded webcast with SCMagazine UK, Chris Poulin, IBM Security Systems Strategist, details how to combat these young hackers through QRadar’s anomaly detection capabilities and advanced forensic analysis, to quickly identify when a breach is occurring on your network. Click here to view.
Do you ever feel like you’re playing the role of Goldilocks at work? You know the scenario – you’re trying to solve a problem and every solution feels too hot or too cold, too big or too small. You can’t get administrative privileges to implement it, it requires an agent and you can’t install one, the firewall blocks it, or it’s just too expensive.
Windows event collection for SIEM and log management fits right into this category. Windows is pervasive in IT environments, but collecting Windows events can pose challenges for any product that doesn’t run on Windows.
Fortunately, Q1 Labs has been addressing this for years, and with the release of QRadar 7.1, we are offering customers more flexibility than ever to use a wide range of collection APIs, agents, third-party tools and QRadar capabilities – seamlessly integrated and centrally controlled.
Because QRadar is deployed by thousands of customers running diverse IT environments, we’re constantly innovating in Windows event collection, to provide choices that meet your needs. As part of QRadar 7.1, we are pleased to introduce WinCollect, an additional, versatile and scalable QRadar capability for Windows event collection. WinCollect joins existing collection mechanisms, including Q1 Labs’ own ALE solution, third-party approaches (Snare, Adiscon EventReporter, syslog-ng), and native Windows Server capabilities (WMI and Windows event forwarding). With this release, QRadar offers the broadest Windows event collection techniques of any security intelligence product. Most importantly, regardless of which ones you use, the event information looks the same and triggers rules in exactly the same way, for seamless integration and consistent operation.
With more options, QRadar can better meet the needs of different areas of your environment – even if you want to combine collection mechanisms, and even when your requirements change over time.
QRadar now offers the following approaches to meet a variety of customer needs:
- Adaptive Log Exporter (ALE), a no-charge element of the QRadar platform, provides an excellent means to collect Windows events at any level of volume, when an agent can be installed on the target system. An agentless implementation is also popular using ALE on one Windows instance to collect events from other servers.
- Third-party agents such as Snare, Adiscon EventReporter and syslog-ng provide similar capabilities, and are often used by QRadar customers when those agents have previously been installed.
- Windows Management Instrumentation (WMI) is a Microsoft-created, agentless approach to event collection using Windows’ built-in interface to query event logs. This is often used by customers who have relatively unimpeded access to WMI on their Windows servers. WMI-based event collection can be administered through the QRadar user interface.
WinCollect provides a new, superior and agentless means for collecting events from large numbers of systems. Installed on a Windows server of the customer’s choice, WinCollect offers two highly scalable approaches:
- Using the Windows Event Log API, it can pull events from target systems and then forward them to QRadar.
- Using Windows event forwarding, it will allow target systems to automatically push events to it and then forward them to QRadar.
WinCollect administration is fully integrated into the QRadar user interface, enabling centralized and granular control of Windows event collection across a large estate of Windows servers. Even better, it can be used in combination with any of the other event collection mechanisms – for “mix and match” flexibility.
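The two agentless pull paths named above, WMI and the Windows Event Log API, can be exercised directly from PowerShell before a collector is rolled out, so that a collector account’s rights and the firewall path to each target are confirmed. This is an added example, not code from the original post or from QRadar/WinCollect; the target hostname and the collector credential are assumptions to replace with your own.

```powershell
# Added example (not from the original post or from QRadar/WinCollect): exercise the
# two agentless pull mechanisms the post names, WMI and the Windows Event Log API,
# against one target so the collector account can be validated before rollout.
# $Target is an assumed hostname; the credential prompt supplies the collector account.
param(
    [string]$Target = "winsrv01.example.local",   # assumption: replace with a real server
    [int]$Hours = 1                               # look-back window for the sanity check
)
$Cred  = Get-Credential -Message "Collector account for $Target"
$Since = (Get-Date).AddHours(-$Hours)

# 1. WMI path: query the Security log through Win32_NTLogEvent. This is DCOM/RPC, so
#    TCP 135 plus the dynamic RPC range must be open. WMI compares TimeGenerated in
#    DMTF format, so the cut-off is converted first.
$dmtf = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($Since)
try {
    $wmi = Get-WmiObject -Class Win32_NTLogEvent -ComputerName $Target -Credential $Cred `
        -Filter "Logfile='Security' AND TimeGenerated>='$dmtf'" -ErrorAction Stop
    "WMI: {0} Security events in the last {1}h" -f @($wmi).Count, $Hours
} catch {
    # Typical causes: the account is not in Event Log Readers / local admins, or DCOM blocked.
    "WMI failed on ${Target}: $($_.Exception.Message)"
}

# 2. Windows Event Log API path: Get-WinEvent uses the Event Log remoting service, the
#    same interface an Event-Log-API based collector pulls through. Unlike WMI it also
#    returns the structured event data of modern (Vista+) events.
try {
    $api = Get-WinEvent -ComputerName $Target -Credential $Cred -ErrorAction Stop `
        -FilterHashtable @{ LogName = 'Security'; StartTime = $Since }
    "API: {0} Security events in the last {1}h" -f @($api).Count, $Hours
    # Quick check that detection-relevant events arrive: top target accounts in failed
    # logons (4625); property index 5 is TargetUserName for that event.
    $api | Where-Object Id -eq 4625 | Group-Object { $_.Properties[5].Value } |
        Sort-Object Count -Descending | Select-Object -First 5 Name, Count
} catch {
    # Get-WinEvent also throws when the window contains no events; read the message.
    "Event Log API failed on ${Target}: $($_.Exception.Message)"
}
```

If both paths fail for a host while an interactive admin session succeeds, the difference is almost always the collector account’s group membership or a missing firewall rule on the target, which is worth resolving before deciding between the WMI, pull or forwarding modes the post describes.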
We understand Windows servers comprise a key component of our clients’ infrastructures and we’re designing QRadar to be the most flexible solution in the marketplace. When it comes to enterprise technology, it’s rare for one size to fit all, the porridge to be just right, and the bed to be comfy too.