Category: Threat Management
Posted by Michael Applebaum in Risk Management, Security Intelligence, Threat Management
Building on the momentum of our latest QRadar SIEM and QRadar Log Manager release just two weeks ago, we are excited to announce a new release of QRadar Risk Manager that adds several highly anticipated enhancements. As a refresher, QRadar Risk Manager is the member of the QRadar Security Intelligence Platform that provides pre-exploit configuration monitoring and attack simulation. These proactive capabilities help identify security gaps and prevent security breaches and compliance violations before they occur, providing a perfect pairing to the advanced analytics, detection and reporting of QRadar SIEM.
The new configuration monitoring and management capabilities make it easier than ever to strengthen perimeter security and improve network visualization:
Normalized rule and security device comparison allows users to compare rules and object groups across the same security device type (historical comparisons, for example), as well as across differing device types. For example, users can compare the configuration of all of their Internet firewalls, regardless of brand, helping them ensure that all firewalls are configured consistently. QRadar Risk Manager provides views that quickly and easily identify which rules have been added and deleted, highlighting object group changes between devices.
Topology visualization enhancements improve the overall usability of the product by allowing users to hover over interfaces to quickly view connection and interface details. This saves time by removing the need to “drill down” to view this information. This release also provides the ability to quickly save and retrieve saved searches, plus comprehensive path filtering options that include the ability to filter on multiple criteria. The release further adds improved path visualization capabilities, including arrows that indicate path direction and hover options that display partially allowed path information (such as specific ports). Users can also drill down from a hover window to view firewall rules that enable a given path, with a single click.
Firewall rule counting and event association is a powerful feature that associates firewall “accept” and “deny” events with specific firewall rules. Users can now report on most, least and never used rules, aiding in firewall optimization by identifying and eliminating rules that are no longer needed. The ability to drill down from a rule to specific firewall events that triggered it aids with rule forensics, such as detecting what traffic has been allowed by a rule, and where the traffic originated. This helps diagnose traffic issues and assists in determining the impact of rule changes before those changes are made. Liberal rules, such as “any port” and “any destination,” can be easily restricted without the fear of blocking critical traffic.
Shadowed rule detection is a highly requested feature that allows detection of rules that are “over-shadowed” by previous rules that contradict or render them ineffective. This feature reduces excessive firewall overhead and unforeseen security exposures. QRadar Risk Manager now allows users to identify and report on shadowed rules, allowing them to be easily fixed. A hover-over interface also allows the user to instantly view shadowed rule information without the need to drill down.
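The two capabilities above, rule usage counting with drill-down to the events a rule decided, and shadowed rule detection, can be shown on a small normalized ruleset. The block below is an added example written for this page, not QRadar Risk Manager code; the rule model, the first-match evaluation, and the sample policy and accept/deny events are all constructed assumptions. It covers the simplest shadowing case, in which a single earlier rule fully contains a later one, and labels the finding as redundant (same action) or contradicted (the earlier rule reverses the later one's action).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical normalized rule model; field names are this example's own.
@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "accept" or "deny"
    proto: Optional[str]               # "tcp", "udp", or None for any
    src: Optional[ipaddress.IPv4Network]   # None means any source
    dst: Optional[ipaddress.IPv4Network]   # None means any destination
    ports: Optional[Tuple[int, int]]       # inclusive dport range, None means any

def rule(name, action, proto, src, dst, ports):
    """Build a Rule from firewall-style text fields ("any" means unrestricted)."""
    to_net = lambda s: None if s == "any" else ipaddress.ip_network(s, strict=False)
    if ports == "any":
        prange = None
    else:
        lo, _, hi = ports.partition("-")
        prange = (int(lo), int(hi or lo))
    return Rule(name, action, None if proto == "any" else proto, to_net(src), to_net(dst), prange)

def matches(r: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    """Does one event match this rule?"""
    if r.proto is not None and r.proto != proto:
        return False
    if r.src is not None and ipaddress.ip_address(src) not in r.src:
        return False
    if r.dst is not None and ipaddress.ip_address(dst) not in r.dst:
        return False
    if r.ports is not None and not (r.ports[0] <= dport <= r.ports[1]):
        return False
    return True

def first_match(rules, src, dst, proto, dport) -> Optional[Rule]:
    """First-match semantics: the first rule in order that matches decides the event."""
    return next((r for r in rules if matches(r, src, dst, proto, dport)), None)

def rule_usage(rules, events) -> Dict[str, int]:
    """Count how many events each rule decided (most/least/never used)."""
    counts = {r.name: 0 for r in rules}
    for src, dst, proto, dport in events:
        r = first_match(rules, src, dst, proto, dport)
        if r is not None:
            counts[r.name] += 1
    return counts

def never_used(rules, events) -> List[str]:
    return [name for name, n in rule_usage(rules, events).items() if n == 0]

def events_for_rule(rules, events, name):
    """Drill-down for rule forensics: the events this rule actually decided."""
    out = []
    for ev in events:
        m = first_match(rules, *ev)
        if m is not None and m.name == name:
            out.append(ev)
    return out

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matching b would also match a (a's match space contains b's)."""
    def net_covers(x, y):
        return x is None or (y is not None and y.subnet_of(x))
    def ports_covers(x, y):
        return x is None or (y is not None and x[0] <= y[0] and y[1] <= x[1])
    return (net_covers(a.src, b.src) and net_covers(a.dst, b.dst)
            and (a.proto is None or a.proto == b.proto)
            and ports_covers(a.ports, b.ports))

def shadowed_rules(rules) -> List[Tuple[str, str, str]]:
    """(shadowed, shadowing, kind) for rules fully covered by a single earlier rule."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "contradicted"
                out.append((later.name, earlier.name, kind))
                break
    return out

# Constructed sample policy (first-match order) and constructed accept/deny events.
RULES = [
    rule("R1", "deny",   "tcp", "any",             "10.0.0.0/8",   "23"),
    rule("R2", "accept", "tcp", "192.168.1.0/24",  "10.0.5.10/32", "443"),
    rule("R3", "accept", "tcp", "192.168.1.50/32", "10.0.5.10/32", "443"),   # redundant with R2
    rule("R4", "accept", "tcp", "any",             "10.0.0.0/8",   "23"),    # contradicted by R1
    rule("R5", "accept", "tcp", "192.168.1.0/24",  "10.0.5.0/24",  "any"),   # liberal "any port" rule
    rule("R6", "accept", "udp", "any",             "10.0.9.53/32", "53"),
    rule("R7", "deny",   "any", "any",             "any",          "any"),   # cleanup rule
]
EVENTS = [  # (src, dst, proto, dport)
    ("192.168.1.50", "10.0.5.10", "tcp", 443),
    ("192.168.1.51", "10.0.5.10", "tcp", 443),
    ("172.16.0.9",   "10.0.1.1",  "tcp", 23),
    ("192.168.1.50", "10.0.5.20", "tcp", 8443),
    ("172.16.0.9",   "10.0.9.53", "udp", 53),
    ("203.0.113.5",  "10.0.5.10", "tcp", 22),
]

if __name__ == "__main__":
    print("usage:", rule_usage(RULES, EVENTS))
    print("never used:", never_used(RULES, EVENTS))
    print("shadowed:", shadowed_rules(RULES))
    print("traffic decided by R5:", events_for_rule(RULES, EVENTS, "R5"))
```

Running the sample shows R3 and R4 as never used for the reason shadowing predicts: no event can reach them. The drill-down on R5 shows the one flow an "any port" rule actually carried, which is the evidence needed before tightening it.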
Firewall rule searching enhancements now allow users to search on time intervals, include or exclude different rule types, and refine results based on rule usage. Results may be sorted by a variety of options, including device rule order.
We are very excited about this release and the many other capabilities planned for the next few months. For more information about QRadar Risk Manager and QRadar SIEM, we invite you to read the white paper “Five Practical Steps to Protecting Your Organization Against Breach.”
And if you are at IBM Pulse, be sure to stop by the Security and Compliance section of the Solution Expo to say hello and learn more!
Posted by Michael Applebaum in Cybersecurity, Q1 Labs, Security Intelligence, SIEM, Threat Management
Today, IBM announced the first major deliverable from the acquisition of Q1 Labs back in October – a new and dramatically enhanced QRadar Security Intelligence Platform. The new release combines deep analytic capabilities with real-time data feeds from hundreds of different sources to give organizations the ability to help proactively protect themselves from increasingly sophisticated and complex security threats and attacks.
This is exciting news for many reasons, including that QRadar continues to define the frontier of security intelligence, offering new capabilities for instant search, massive scalability and intelligent data policy management. In addition, QRadar will tap security analytics and threat intelligence from more than 400 sources. IBM X-Force, one of the world’s largest repositories of threat and vulnerability insights, provides an intelligence feed to QRadar based on the real-time monitoring of 13 billion security events per day. This insight can flag behavior that may be associated with new and emerging threats, all in real-time. Whether it’s the newest strain of malware or an advanced exploit technique first being seen halfway around the world, QRadar will monitor this intelligence and correlate it with what’s happening in your own environment, large or small.
To provide one example of how we’re bridging silos, consider the following scenario: An external attacker (or even an insider) compromises a number of user accounts, seeking access to a sensitive corporate database. After failing to log in to the database with the first four accounts, he successfully logs in with the fifth account (a privileged user), downloads the organization’s customer list and emails it from the compromised account to a suspicious domain. Most organizations would struggle to piece together these actions into a cohesive picture of the attack and its impact, and almost certainly would not see it in real-time.
But with the combination of QRadar, IBM Guardium Database Security and IBM X-Force threat intelligence, the attack is detected and its impact identified immediately. Guardium provides the continuous database monitoring and sends alerts to QRadar SIEM, which enriches the view of the incident with the network flows and logs it has collected. It then observes activity involving an IP address (the receiving domain) that IBM X-Force has identified as suspicious. QRadar QFlow also provides insight into the content actually sent by the attacker, via deep packet inspection. And if the organization wanted to apply automated remediation to prevent the data exfiltration, it could even use QRadar to have the perimeter security devices block the data transmission. In sum, the incident is detected in real-time and its impact understood – or even prevented.
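The scenario can be written as a two-stage correlation over normalized events: a run of failed database logins from one source followed by a success, then mail from that same source to a domain on a threat-intelligence list. The block below is an added example, not code from QRadar, Guardium or X-Force; the event format, field names, thresholds, correlation window and the suspicious-domain list are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for an external threat-intelligence feed (placeholder domain).
SUSPICIOUS_DOMAINS = {"drop.example.net"}
FAILURE_THRESHOLD = 4              # failed logins before a following success is suspicious
WINDOW = timedelta(minutes=10)     # correlation window for the failure/success sequence

def parse_event(line: str) -> dict:
    """Parse a normalized 'timestamp kind key=value ...' line (this example's own format)."""
    ts, kind, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts)
    ev["kind"] = kind
    return ev

def correlate(lines):
    """Chain database-monitor and mail events into two offense stages.

    Stage 1: at least FAILURE_THRESHOLD failed database logins from one source
             inside WINDOW, followed by a successful login from that source.
    Stage 2: that source later mails a recipient whose domain is on the list.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    failures = defaultdict(list)   # src -> timestamps of recent failed db logins
    suspect = {}                   # src -> stage-1 evidence
    offenses = []
    for e in events:
        src = e["src"]
        if e["kind"] == "db_login":
            # forget failures that have fallen out of the window
            failures[src] = [t for t in failures[src] if e["ts"] - t <= WINDOW]
            if e["result"] == "fail":
                failures[src].append(e["ts"])
            elif e["result"] == "success" and len(failures[src]) >= FAILURE_THRESHOLD:
                suspect[src] = {"user": e["user"]}
                offenses.append({"stage": "suspicious_db_access", "src": src,
                                 "user": e["user"], "failed_attempts": len(failures[src]),
                                 "ts": e["ts"].isoformat()})
                failures[src] = []
        elif e["kind"] == "smtp" and src in suspect:
            domain = e["rcpt"].rsplit("@", 1)[-1].lower()
            if domain in SUSPICIOUS_DOMAINS:
                offenses.append({"stage": "possible_exfiltration", "src": src,
                                 "db_user": suspect[src]["user"], "rcpt_domain": domain,
                                 "ts": e["ts"].isoformat()})
    return offenses

# Constructed sample events (normalized by hand; not real Guardium or mail-gateway output).
SAMPLE_LOG = [
    "2012-02-14T09:00:05 db_login src=10.1.2.3 user=jsmith result=fail",
    "2012-02-14T09:00:21 db_login src=10.1.2.3 user=mjones result=fail",
    "2012-02-14T09:00:40 db_login src=10.1.7.9 user=reports result=success",   # unrelated, benign
    "2012-02-14T09:01:02 db_login src=10.1.2.3 user=akhan result=fail",
    "2012-02-14T09:01:30 db_login src=10.1.2.3 user=lwu result=fail",
    "2012-02-14T09:02:11 db_login src=10.1.2.3 user=dbadmin result=success",
    "2012-02-14T09:05:48 smtp src=10.1.2.3 sender=dbadmin@corp.example rcpt=it-helpdesk@corp.example",
    "2012-02-14T09:06:10 smtp src=10.1.2.3 sender=dbadmin@corp.example rcpt=inbox@drop.example.net",
]

if __name__ == "__main__":
    for offense in correlate(SAMPLE_LOG):
        print(offense)
```

Keying stage 1 on the source address rather than the account is what lets the five different usernames in the scenario collapse into one sequence; the stage-2 offense then carries the privileged account name forward so the analyst sees the whole chain in one record. The internal mail to the helpdesk in the sample is ignored, showing that the second stage fires only on the threat-intelligence match, not on any mail from the suspect host.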
We view this as an important step forward in bridging security silos and applying greater intelligence and automation. What do you think?
For more information on today’s announcement, please see the press release here.
Posted by Tom Kendall in Cybersecurity, Network Intelligence, Risk Management, Security Intelligence, Threat Management
This past weekend I watched a documentary on More4 that delved into the Wikileaks scandal. “Wikileaks: Secrets & Lies” went into great detail explaining how Julian Assange served as a middleman in this scandal. Although Julian Assange is viewed as the face and spokesperson for Wikileaks, the documentary showed that Assange would not have had any global status if it weren’t for insiders who were willing to send sensitive information to the organization.
This programme was not broadcasting how a hacker could break into a network and steal information; it uncovered a deeper concern of how an insider can revolt, stealing privileged information from inside the network and causing havoc along the way.
This threat is a concern that should be top of mind for organizations. In a Verizon Business report on data breaches, Verizon found that 48% of total data breaches were caused by insiders and 48% of breaches involved a misuse of an insider’s privileges.
Although identifying the risk of an insider threat was highlighted, the documentary really drove home the need for better security measures, so these incidents can be prevented or halted as they occur and the people responsible can be identified and punished.
For companies without proper security technology, identifying the “rogue insider” is not an easy task. Wikileaks is an excellent example of why traditional perimeter security defenses, such as firewalls and anti-virus software, are no longer sufficient in the “post-perimeter” world. To prevent these types of incidents, organizations should deploy automated technologies that continuously monitor and correlate user activities across various sources (such as network devices, OS logs and applications). This Total Security Intelligence will allow rapid detection of unusual activities such as a large number of sensitive documents being downloaded from a SharePoint server during off-hours or from a remote access location.
To learn more about how Total Security Intelligence can help combat these insider threats and how organizations are using QRadar as the key component for their IT Security, click here.
Posted by Michael Applebaum in Compliance, Security Intelligence, SIEM, Threat Management
This is the 6th and final entry in a series of posts that answer “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask.”
To understand how people are getting started with Security Intelligence, let’s go straight to an industry expert: Q1 Labs’ own Chris Poulin. Chris is not only Q1 Labs’ Chief Security Officer but also the head of our worldwide Professional Services practice, and drives our Customer Council. Chris has seen more Security Intelligence use cases and customer deployments than most security pros will ever dream (or have nightmares!) about.
I recently sat down with Chris to get the straight talk about how organizations begin their Security Intelligence (SI) journey. Much of what Chris shared with me has also been published in this SecurityWeek article. Here are my takeaways from our conversation:
1. Organizations know they need Security Intelligence, but often don’t know where to start.
We often speak with customers whose SI business cases start with regulatory compliance – PCI DSS, HIPAA, NERC CIP, FISMA, NIST 800-53, GPG 13, etc. – and that’s certainly important. But they know log management and reporting are just the tip of the iceberg in how SI can benefit them. As Chris noted, using Security Intelligence for compliance alone is like stamping a checkbox with a sledgehammer.
2. There are several use cases that apply to nearly all customers.
Although SIEM and other Security Intelligence solutions provide great value through company- and industry-specific use cases, they also address many generic use cases. These include botnet detection, traffic from darknets, excessive authentication failures, and IDS alerts indicating that an attack is targeting an asset the VA scanner reports is vulnerable to that exploit, for example. SI vendors usually provide out-of-the-box rules (with alerts), reports, dashboard widgets, and saved searches that cover these scenarios.
3. Start with a set of core data sources.
Before you can monitor anything, you need to decide which data sources to start with. To avoid getting overwhelmed, Chris recommends beginning with a core set of log sources:
- Authentication events (from Active Directory and other identity management services)
- Windows, Linux/UNIX, and other OS administration logs
- Perimeter firewalls and VPN concentrators
- Anti-malware logs
- File and directory auditing on high-value servers (those that contain PII, ePHI, financial information, and sensitive company information or intellectual property)
In addition, bring in network activity flows (ideally Layer 7 flows) as soon as practical. If incorporated from day one, they can save you a ton of time by automatically discovering and profiling assets and tuning your solution. On an ongoing basis, flows then provide an entirely new dimension of information that leads to better identification of threats, elimination of false positives and faster forensic investigations – across a range of use cases.
4. Define targeted use cases by examining your key business problems.
Once you’re addressing the common use cases, step back and look at your business. What are you and your executives most concerned about detecting or preventing? If you’re an investment brokerage, it might be trader fraud. If you’re a retailer, you might want to protect customers’ PII, including credit card numbers. If you’re a utility or energy company, you might need to strengthen security around your SCADA systems. Re-examine the business case for your project, or take a close look at your CEO’s and CIO’s top priorities, to define your next use cases.
5. Spend time understanding your network and your SI solution’s capabilities.
Congratulations, your solution is in production and delivering new real-time intelligence! Take some time to digest what you’re seeing in its dashboards, reports and offenses (incidents). Move beyond the well-trodden road and push it to give you more. You can learn a lot more than just which users can’t enter their passwords correctly the first three times. Think about new insights you could gain from correlating previously disparate data sets, and new reports you can deliver now that all this data is in a single repository.
6. Phase in IDS/IPS data and other application/user/network telemetry.
IDS/IPS data is also important, but those systems are often improperly tuned, leading to a significant volume of alerts. Therefore Chris recommends waiting until you’ve brought the number of offenses in your SIEM or SI solution down to about 25 per day before adding IDS/IPS telemetry.
Once you’re in business with IDS/IPS data and have tuned your solution sufficiently, think about layering in additional data sources – such as database (and database security) logs, application logs, physical security system logs, etc. – to improve the accuracy of your risk and threat management efforts.
7. Don’t overlook the value of training and community.
Lastly, remember there are others out there who can help you. Look into the training options for your products. Explore vendor and industry conferences that give you the opportunity to meet with peers face to face. Participate in online vendor communities and industry organizations. Everyone using SI or SIEM today – and there are tens of thousands of us worldwide – was once a beginner, and went through the same learning curve. Many will be happy to help, so don’t be shy.
In summary, I hope this blog series has clarified the concept and practice of Security Intelligence. SI is a powerful new enabler of security and compliance that delivers actionable information through real-time insight and deep forensics. It provides significant benefits by addressing customers’ needs for intelligence, integration and automation – areas that have historically been the Achilles’ heel of security solutions. And most importantly, SI solutions are reasonable to implement and manage for both small and large organizations, and deliver value quickly.
For the final word, I look to Jerry Walters of Ohio Health for the customer perspective:
“We’ve seen tremendous value using the QRadar product. In the past we were very reactive. My team would get a call to do an investigation, and things had already occurred and we had to piece together what happened. With QRadar we’re able to see things before they even occur and prevent them upfront before they become a real problem. [QRadar] helps us get in front of the things we need to be in front of as a security organization.”
Best wishes on your Security Intelligence journey!