Category: Threat Management

Wednesday, 22 February 2012 11:57

Bridging Silos, Sharpening Analytics: The Advance of Security Intelligence

Today, IBM announced the first major deliverable from the acquisition of Q1 Labs back in October – a new and dramatically enhanced QRadar Security Intelligence Platform. The new release combines deep analytic capabilities with real-time data feeds from hundreds of different sources to give organizations the ability to help proactively protect themselves from increasingly sophisticated and complex security threats and attacks.

This is exciting news for many reasons, including that QRadar continues to define the frontier of security intelligence, offering new capabilities for instant search, massive scalability and intelligent data policy management. In addition, QRadar will tap security analytics and threat intelligence from more than 400 sources. IBM X-Force, one of the world’s largest repositories of threat and vulnerability insights, provides an intelligence feed to QRadar based on the real-time monitoring of 13 billion security events per day. This insight can flag behavior that may be associated with new and emerging threats, all in real-time.  Whether it’s the newest strain of malware or an advanced exploit technique first being seen halfway around the world, QRadar will monitor this intelligence and correlate it with what’s happening in your own environment, large or small.

To provide one example of how we’re bridging silos, consider the following scenario:  An external attacker (or even an insider) compromises a number of user accounts, seeking access to a sensitive corporate database.  After failing to log in to the database with the first four accounts, he successfully logs in with the fifth account (a privileged user), downloads the organization’s customer list and emails it from the compromised account to a suspicious domain.  Most organizations would struggle to piece together these actions into a cohesive picture of the attack and its impact, and almost certainly would not see it in real-time.

But with the combination of QRadar, IBM Guardium Database Security and IBM X-Force threat intelligence, the attack is detected and impact identified immediately.  Guardium provides the continuous database monitoring and sends alerts to QRadar SIEM, which enriches the view of the incident with network flows and logs it has collected.  It then observes activity involving an IP address (the receiving domain) that IBM X-Force has identified as suspicious.  QRadar QFlow also provides insight into the content actually sent by the attacker, via deep packet inspection.  And if the organization wanted to apply automated remediation to prevent the data exfiltration, it could even use QRadar to have the perimeter security devices block the data transmission.  In sum, the incident is detected in real-time and the impact understood – or even prevented.
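The scenario above, as an added example (not Q1 Labs or IBM code): a small correlation routine over constructed database-audit and mail-gateway events that tracks the failed-logins, privileged login, bulk read and outbound mail chain per source IP. The event format, thresholds and the suspicious-domain list are assumptions standing in for the Guardium, QRadar and X-Force feeds the post describes.

```python
from collections import defaultdict

# Constructed sample events (not real Guardium/QRadar output): (timestamp, source, fields).
# "db" = database audit log, "mail" = outbound mail gateway log.
EVENTS = [
    (100, "db", {"src": "10.0.0.7", "user": "jsmith", "action": "login", "result": "fail"}),
    (101, "db", {"src": "10.0.0.7", "user": "mlee", "action": "login", "result": "fail"}),
    (102, "db", {"src": "10.0.0.7", "user": "rkhan", "action": "login", "result": "fail"}),
    (103, "db", {"src": "10.0.0.7", "user": "bchen", "action": "login", "result": "fail"}),
    (104, "db", {"src": "10.0.0.7", "user": "dbadmin", "action": "login", "result": "success"}),
    (110, "db", {"src": "10.0.0.7", "user": "dbadmin", "action": "select", "table": "customers", "rows": 250000}),
    (130, "mail", {"src": "10.0.0.7", "user": "dbadmin", "rcpt_domain": "drop.example.test", "bytes": 18000000}),
]
PRIVILEGED_USERS = {"dbadmin"}
# Hypothetical threat-intel list standing in for an X-Force lookup of suspicious domains.
SUSPICIOUS_DOMAINS = {"drop.example.test"}


def correlate(events, fail_threshold=3, window=600, min_rows=10000):
    """Track per-source-IP state through the failed-logins -> privileged login ->
    bulk read -> outbound mail chain and return one offense per completed chain."""
    fresh = lambda: {"fails": 0, "first": None, "priv_login": None, "export": None}
    state = defaultdict(fresh)
    offenses = []
    for ts, source, f in sorted(events, key=lambda e: e[0]):
        s = state[f["src"]]
        if s["first"] is not None and ts - s["first"] > window:
            s.update(fresh())  # chain went stale: forget the earlier stages
        if source == "db" and f.get("action") == "login":
            if f["result"] == "fail":
                s["first"] = ts if s["first"] is None else s["first"]
                s["fails"] += 1
            elif s["fails"] >= fail_threshold and f["user"] in PRIVILEGED_USERS:
                s["priv_login"] = f["user"]
        elif source == "db" and f.get("action") == "select":
            if s["priv_login"] and f.get("rows", 0) >= min_rows:
                s["export"] = (f["table"], f["rows"])
        elif source == "mail" and s["export"] and f["rcpt_domain"] in SUSPICIOUS_DOMAINS:
            offenses.append({
                "src_ip": f["src"], "failed_logins": s["fails"],
                "privileged_user": s["priv_login"], "table": s["export"][0],
                "rows": s["export"][1], "exfil_domain": f["rcpt_domain"],
                "bytes": f["bytes"], "window_start": s["first"], "end": ts,
            })
            s.update(fresh())  # offense raised; reset so it is not reported twice
    return offenses


if __name__ == "__main__":
    for o in correlate(EVENTS):
        print(o)
```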

We view this as an important step forward in bridging security silos and applying greater intelligence and automation.  What do you think?

For more information on today’s announcement, please see the press release here.


Friday, 9 December 2011 07:48

How information can spread: Feeding the middle man

This past weekend I watched a documentary on More4 that delved into the Wikileaks scandal.  “Wikileaks: Secrets & Lies” went into great detail explaining how Julian Assange served as a middleman in this scandal. Although Julian Assange is viewed as the face and spokesperson for Wikileaks, the documentary showed that Assange would not have had any global status if it weren’t for insiders who are willing to send sensitive information to the organization.

This programme was not broadcasting how a hacker could break into a network and steal information; it uncovered a deeper concern of how an insider can revolt, stealing privileged information from inside the network and causing havoc along the way.

This threat is a concern that should be top of mind for organizations.  In a report published by Verizon on Business Data Breaches, they found that 48% of total data breaches were caused by insiders and 48% of breaches involved a misuse of an insider’s privileges.

Although identifying the risk of an insider threat was highlighted, the documentary really drove home the need for better security measures, so these incidents can be prevented or halted as they occur and the people responsible can be identified and punished.

For companies without proper security technology, identifying the “rogue insider” is not an easy task. Wikileaks is an excellent example of why traditional perimeter security defenses, such as firewalls and anti-virus software, are no longer sufficient in the “post-perimeter” world. To prevent these types of incidents, organizations should deploy automated technologies that continuously monitor and correlate user activities across various sources (such as network devices, OS logs and applications). This Total Security Intelligence will allow rapid detection of unusual activities such as a large number of sensitive documents being downloaded from a SharePoint server during off-hours or from a remote access location.

To learn more about how Total Security Intelligence can help combat these insider threats and how organizations are using QRadar as the key component for their IT Security, click here.


Tuesday, 6 December 2011 10:00

What Practical Steps Can I Take to Get Started with Security Intelligence?

This is the 6th and final entry in a series of posts that answer “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask.”

To understand how people are getting started with Security Intelligence, let’s go straight to an industry expert: Q1 Labs’ own Chris Poulin.  Chris is not only Q1 Labs’ Chief Security Officer but also the head of our worldwide Professional Services practice, and drives our Customer Council.  Chris has seen more Security Intelligence use cases and customer deployments than most security pros will ever dream (or have nightmares!) about.

I recently sat down with Chris to get the straight talk about how organizations begin their Security Intelligence (SI) journey.  Much of what Chris shared with me has also been published in this SecurityWeek article.  Here are my takeaways from our conversation:

1. Organizations know they need Security Intelligence, but often don’t know where to start.

We often speak with customers whose SI business cases start with regulatory compliance – PCI DSS, HIPAA, NERC CIP, FISMA, NIST 800-53, GPG 13, etc. – and that’s certainly important.  But they know log management and reporting are just the tip of the iceberg in how SI can benefit them.  As Chris noted, using Security Intelligence for compliance alone is like stamping a checkbox with a sledgehammer.

2. There are several use cases that apply to nearly all customers.

[Figure: Security Intelligence Dashboard]

Although SIEM and other Security Intelligence solutions provide great value through company- and industry-specific use cases, they also address many generic use cases.  These include botnet detection, traffic from darknets, excessive authentication failures, and IDS alerts indicating that an attack is targeting an asset the VA scanner reports is vulnerable to that exploit, for example. SI vendors usually provide out-of-the-box rules (with alerts), reports, dashboard widgets, and saved searches that cover these scenarios.

3. Start with a set of core data sources.

Before you can monitor anything, you need to decide which data sources to start with.  To avoid getting overwhelmed, Chris recommends beginning with a core set of log sources:

  • Authentication events (from Active Directory and other identity management services)
  • Windows, Linux/UNIX, and other OS administration logs
  • Perimeter firewalls and VPN concentrators
  • Anti-malware logs
  • File and directory auditing on high-value servers (those that contain PII, ePHI, financial information, and sensitive company information or intellectual property)

[Figure: Automated Server Discovery]

In addition, bring in network activity flows (ideally Layer 7 flows) as soon as practical. If incorporated from day one, they can save you a ton of time by automatically discovering and profiling assets and tuning your solution. On an ongoing basis, flows then provide an entirely new dimension of information that leads to better identification of threats, elimination of false positives and faster forensic investigations – across a range of use cases.

4. Define targeted use cases by examining your key business problems.

Once you’re addressing the common use cases, step back and look at your business.  What are you and your executives most concerned about detecting or preventing?  If you’re an investment brokerage, it might be trader fraud.  If you’re a retailer, you might want to protect customers’ PII, including credit card numbers.  If you’re a utility or energy company, you might need to strengthen security around your SCADA systems.  Re-examine the business case for your project, or take a close look at your CEO’s and CIO’s top priorities, to define your next use cases.

5. Spend time understanding your network and your SI solution’s capabilities.

Congratulations, your solution is in production and delivering new real-time intelligence!  Take some time to digest what you’re seeing in its dashboards, reports and offenses (incidents).  Move beyond the well-trodden road and push it to give you more.  You can learn a lot more than just which users can’t enter their passwords correctly the first three times.  Think about new insights you could gain from correlating previously disparate data sets, and new reports you can deliver now that all this data is in a single repository.

6. Phase in IDS/IPS data and other application/user/network telemetry.

IDS/IPS data is also important, but those systems are often improperly tuned, leading to a significant volume of alerts.  Therefore Chris recommends waiting until you’ve brought the number of offenses in your SIEM or SI solution down to about 25 per day before adding IDS/IPS telemetry.

Once you’re in business with IDS/IPS data and have tuned your solution sufficiently, think about layering in additional data sources – such as database (and database security) logs, application logs, physical security system logs, etc. – to improve the accuracy of your risk and threat management efforts.

7. Don’t overlook the value of training and community.

Lastly, remember there are others out there who can help you.  Look into the training options for your products.  Explore vendor and industry conferences that give you the opportunity to meet with peers face to face.  Participate in online vendor communities and industry organizations.  Everyone using SI or SIEM today – and there are tens of thousands of us worldwide – was once a beginner, and went through the same learning curve.  Many will be happy to help, so don’t be shy.
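Takeaway 2’s use case of an IDS alert against an asset the VA scanner reports as vulnerable, together with takeaway 6’s point that untuned IDS/IPS data floods a SIEM with offenses, as an added example (not QRadar’s rule engine): the code scores constructed IDS alerts against constructed VA scan results, collapses repeats into offenses and separates an analyst queue from tuning candidates. The signature-to-CVE map, the placeholder CVE ids, the sample IPs and the severity scale are all assumptions.

```python
# Constructed sample data (not real QRadar rules, IDS signatures or scanner output).
# VA scanner inventory: asset IP -> CVE ids the scanner reported (placeholder ids).
VA_RESULTS = {
    "10.1.1.20": {"CVE-0000-0001", "CVE-0000-0002"},
    "10.1.1.21": set(),
}
# IDS signature id -> CVE whose exploitation the signature detects (placeholder ids).
SIG_TO_CVE = {"sig-1001": "CVE-0000-0001", "sig-1002": "CVE-0000-0003", "sig-1003": None}
# IDS alerts as (signature id, destination IP).
IDS_ALERTS = [
    ("sig-1001", "10.1.1.20"), ("sig-1002", "10.1.1.20"), ("sig-1001", "10.1.1.21"),
    ("sig-1001", "10.1.1.20"), ("sig-1003", "10.1.1.21"), ("sig-1001", "10.9.9.9"),
]


def score_alert(sig, dst):
    """Return (severity 1-10, reason) for one IDS alert using VA scan context."""
    cve = SIG_TO_CVE.get(sig)
    vulns = VA_RESULTS.get(dst)
    if vulns is None:
        return 5, "asset not in VA inventory"  # unknown asset: keep visible at medium
    if cve is None:
        return 3, "signature not mapped to a vulnerability"
    if cve in vulns:
        return 10, f"target reported vulnerable to {cve}"
    return 1, f"target not vulnerable to {cve}"  # candidate for tuning out


def triage(alerts):
    """Collapse repeated alerts into offenses keyed by (signature, target)."""
    offenses = {}
    for sig, dst in alerts:
        sev, why = score_alert(sig, dst)
        o = offenses.setdefault((sig, dst), {"count": 0, "severity": sev, "reason": why})
        o["count"] += 1
    return offenses


def split_queue(offenses, min_severity=8):
    """Return (analyst queue, tuning candidates), each sorted by severity then count."""
    ranked = sorted(offenses.items(), key=lambda kv: (-kv[1]["severity"], -kv[1]["count"]))
    show = [k for k, v in ranked if v["severity"] >= min_severity]
    tune = [k for k, v in ranked if v["severity"] < min_severity]
    return show, tune


if __name__ == "__main__":
    queue, noise = split_queue(triage(IDS_ALERTS))
    print("analyst queue:", queue)
    print("tuning candidates:", noise)
```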

In summary, I hope this blog series has clarified the concept and practice of Security Intelligence.  SI is a powerful new enabler of security and compliance that delivers actionable information through real-time insight and deep forensics.  It provides significant benefits by addressing customers’ needs for intelligence, integration and automation – areas that have historically been the Achilles heel of security solutions.  And most importantly, SI solutions are reasonable to implement and manage for both small and large organizations, and deliver value quickly.

For the final word, I look to Jerry Walters of Ohio Health for the customer perspective:

“We’ve seen tremendous value using the QRadar product.  In the past we were very reactive.  My team would get a call to do an investigation, and things had already occurred and we had to piece together what happened.  With QRadar we’re able to see things before they even occur and prevent them upfront before they become a real problem.  [QRadar] helps us get in front of the things we need to be in front of as a security organization.”

Best wishes on your Security Intelligence journey!


Thursday, 1 December 2011 11:30

Can intelligence sharing be a two-way street?

In a post published earlier this week, I invited you to read the latest article written by Chris Poulin for SecurityWeek. In this article, Chris presented his belief that full breach disclosure and better collaboration among security professionals is key to thwarting today’s cyber threats.

In line with this belief, proposed breach legislation is also attempting to make disclosure and collaboration a center point of the nation’s cyber security strategy.  According to an article on CNN’s Security Clearance blog, such legislation would “enable the intelligence community to share classified information with the private sector while at the same time addressing the concerns private companies have with providing information about attacks on their systems to the government.”

This addresses weaknesses outlined in an INSA study published this past summer, in which the authors suggested both private industry and public agencies have a responsibility to defend the country against cyber attack.  In this proposed law, not only would businesses be required to share information about attacks with the government, the government would also share intelligence with security-cleared organizations.  This would open up communication channels in the cyber-intelligence community immensely, creating the type of collaborative environment Poulin describes in his article.

What do you think?  Can collaboration between the federal government and private industry help defend the country from a major cyber attack?  Does it seem too idealistic to imagine that these sectors can work together?  Share your thoughts below!


Wednesday, 30 November 2011 11:28

Security Week Excerpt: Compromise Full Disclosure: Collective Knowledge Brings Stronger Defenses

Chris Poulin, CSO, Q1 Labs:

“… there are other ways to move from a position of constant and reactive defense to a state of preparedness: sharing our individual experiences. The bad guys are already organized and collaborating effectively on how to compromise our systems; we need to start sharing, and sharing openly.”

How do we beat the bad guys at their game?  That’s the question Chris Poulin is asking in a new article, part of his ongoing series at SecurityWeek.  The answer?  Thinking like your adversary.  Well, at least that’s part of it.

In his latest article, “Compromise Full Disclosure: Collective Knowledge Brings Stronger Defense,” Poulin explains how, in order to fight organized cyber attacks, security professionals need to be more organized themselves.  This means more collaboration, knowledge sharing and, of course, the adoption of security intelligence.  The end goal is to create an environment where breaches and the details of the attack (and not the vulnerability) are shared among professionals so that others can learn from these attack strategies and prevent their own breaches.

Click here to read the full article and share your thoughts about Poulin’s call for more full disclosure.

