Posts Tagged ‘advanced persistent threats’
Posted by Tom Turner in Cybersecurity, Security Intelligence, Threat Management
I think we can laugh because it was foiled, but we should be chastened that it even exists as a potential threat. What a topical parallel to draw with the daily fight waged by information security professionals. What an analogy to illustrate the need for sophisticated intelligence gathering and analysis — and the reason why traditional signature detection technologies alone are no longer sufficient to address new attacks such as zero-day threats (like this one).
OK, I realize that last sentence is hard to swallow when your eye keeps being drawn to the large blue image to the right, so allow me to borrow from an article in today’s Wall Street Journal to inject the correct tone. Its description of how the underwear bomb has evolved (the latest version had dual detonators to compensate for the design flaw thankfully discovered over Detroit) is a very relevant comparison to how cyber threats evolve from one version to the next.
The article then went on to describe what aviation security authorities are trying to learn from the most recent generation of this threat. Change a few of the words and it sounds just like the challenge faced by their information security peers who manufacture today’s important perimeter security controls.
“Investigators are closely scrutinizing the construction of the bomb for clues that would lead to its makers and would also help aviation security experts improve and adjust airport detection systems. Investigators say the bomb contained no metal, meaning it would have likely evaded detection by airport screeners.”
Most importantly, the threat was averted not by traditional detection mechanisms (though these will continue to be important) but by the gathering and analysis of intelligence. One can only imagine the sheer amount of intel that is pored over by analysts in connection with suspected terrorist activity, not unlike the huge volumes of security-relevant telemetry that exist within an enterprise network.
The last parallel only just occurred to me, but it is extremely relevant to the conversations we have with security clients today. An important reason this threat was averted appears to have been information sharing between different groups, in this case different countries. A more global perspective on the information security landscape is becoming increasingly important to information security pros, as shown by the importance of groups like FS-ISAC and research from experts like the X-Force.
So there are many analogies that can be drawn from this most recent terrorist threat to the cyber threats facing our networks. Intelligence and information sharing are the keys to success in both cases.
Posted by Heather Howland in Network Intelligence, Security Intelligence, Webinars
If you missed our February 22nd webinar with Dark Reading, or attended live but still have questions, this is for you. Of course, you can watch the whole event in its entirety here. During the event, we covered a fair amount of ground, talking through some of the larger attacks of 2011 while noting the varied attack types and motivations that powered them.
Questions started flying when we began talking about security intelligence use cases and strategies to prevent being hacked. We touched on the following use case topics: network activity, application detection and forensic evidence, data leakage, insider fraud, user behavior monitoring, and advanced persistent threats (APT). Network activity flow data was the common thread not only across all of these topics but also across the questions we received.
Since these questions were common amongst all of our attendees, we thought we would share some of the questions and answers with you.
QUESTION: Does network flow capability come with your SIEM? Or is it a separate add-on?
ANSWER: The ability to process flow records in standard formats such as NetFlow, J-Flow, and sFlow is supported by default. If you want to go deeper than the Layer 4 information these flow technologies provide, up to Layer 7 with content capture, QRadar’s QFlow technology provides this functionality. It can be built into an appliance or, for larger deployments, provided as an optional add-on.
QUESTION: I already monitor NetFlow traffic. How is what you do with flows different?
ANSWER: NetFlow provides useful information such as source and destination IP, source and destination ports, and packet and byte counts. QRadar QFlow’s deep packet inspection identifies traffic up to Layer 7 (the application layer) and also provides content capture. This means QRadar can identify applications regardless of port (many applications use dynamically allocated ports or tunnel over port 80). For example, QFlow can detect social applications like Facebook, Myspace, and Twitter, as well as port-independent applications like VoIP and BitTorrent, and it can detect standard protocols running over non-standard ports (e.g. SSH over port 5000). With content capture, when a flow session is recorded the header information and a user-specifiable amount of content after it are kept, so we can, for example, see the name of a file transferred across the network (e.g. customerinfo.doc, creditcard.xls).
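The answer above rests on one idea: name the application from the first bytes of the session rather than from the destination port, and keep enough of that content to see things like file names. The following is an added example, not QRadar, QFlow or any Q1 Labs code. A Layer 4 flow record is extended with a constructed payload prefix; a small signature table (the prefixes are real protocol banners and record headers, but the table is illustrative and not a product's) names the application; and a port-based guess is compared with the content result so that SSH on port 5000 or BitTorrent on port 443 stand out. All flows, addresses, the service-port table and the file-name pattern are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A Layer 4 flow record plus the first bytes of session payload, which a
    content-capturing flow source keeps and plain NetFlow/sFlow does not."""
    src: str
    dst: str
    sport: int
    dport: int
    octets: int
    payload: bytes


# What a port-only flow consumer would conclude (assumed service-port table).
PORT_GUESS = {22: "ssh", 53: "dns", 80: "http", 443: "tls", 5060: "sip"}

# Content signatures: real protocol prefixes, illustrative and far from exhaustive.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),  # TLS record layer, handshake type
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("sip", re.compile(rb"^(INVITE|REGISTER|OPTIONS) sip:", re.IGNORECASE)),
]

# File names worth noting when they appear in captured content (constructed list).
FILE_RE = re.compile(rb"[\w-]+\.(?:docx?|xlsx?|pdf|zip)\b", re.IGNORECASE)


def identify_by_content(payload: bytes) -> str:
    """Name the application from payload bytes, independent of port."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return "unknown"


def classify(flow: Flow):
    """Return (application, verdict); the verdict relates the content
    identification to what the destination port alone suggested."""
    guess = PORT_GUESS.get(flow.dport)
    app = identify_by_content(flow.payload)
    if app == "unknown":
        verdict = "unclassified"
    elif guess is None:
        verdict = "non-standard port"
    elif app != guess:
        verdict = "port/content mismatch"
    else:
        verdict = "as expected"
    return app, verdict


def captured_files(payload: bytes):
    """File names seen in the captured content (e.g. in an HTTP request line)."""
    return [m.group(0).decode("ascii", "replace") for m in FILE_RE.finditer(payload)]


# Constructed sample flows.
FLOWS = [
    Flow("10.1.1.5", "10.1.1.20", 51000, 22, 4200, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.1.1.5", "203.0.113.7", 51001, 5000, 9800, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.1.1.9", "203.0.113.9", 51002, 80, 700,
         b"GET /exports/creditcard.xls HTTP/1.1\r\nHost: files.example\r\n\r\n"),
    Flow("10.1.1.9", "198.51.100.3", 51003, 443, 120000,
         b"\x13BitTorrent protocol\x00\x00\x00\x00\x00\x00\x00\x00"),
    Flow("10.1.1.12", "203.0.113.20", 51004, 443, 5000, b"\x16\x03\x01\x00\xf4\x01\x00"),
]


def report(flows):
    """One summary tuple per flow: (dst, dport, app, verdict, files seen)."""
    lines = []
    for f in flows:
        app, verdict = classify(f)
        lines.append((f.dst, f.dport, app, verdict, captured_files(f.payload)))
    return lines


if __name__ == "__main__":
    for dst, dport, app, verdict, files in report(FLOWS):
        print(f"{dst}:{dport:<5} {app:<10} {verdict:<21} {files}")
```

The second and fourth flows are the ones a port-based view misses: the same SSH banner on port 5000 is reported as "non-standard port", and a BitTorrent handshake on 443 as a "port/content mismatch". The HTTP request line is also where the file name comes from, which is why the captured prefix has to be long enough to cover the request, not just the first packet header.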
QUESTION: Are there some sources that you can’t pull data from in a network? Do we have to manually add in some?
ANSWER: QRadar has the best auto-identification of log sources in the industry and can normalize logs from most major devices automatically. If a device creates logs, QRadar can accept or collect them. If QRadar does not recognize a device’s logs, a straightforward built-in mechanism can be used to create a custom parser.
QUESTION: Do you have any pre-built templates and rules for meeting compliance regulations? Or is scripting required?
ANSWER: QRadar has pre-built compliance templates and reports. Scripting is not required.
If you’re interested in learning more about the value of flows and how to get more out of SIEM, you can watch our on-demand webcast “Getting More out of SIEM: How to Use Flows To Better Detect Threats and Simplify SIEM”. This webcast shows a live demo and talks more about the value of correlating flows.
Have more questions? Need further explanation? Feel free to email us at info@q1labs.com or just post them below.
Posted by John Burnham in In the Industry, Security Intelligence
I recently returned from the Gartner Security Summit in London, an annual affair. While it was moved back to the stodgy Hotel Lancaster (it was in a shiny new hotel on the Thames last year), it was highly attended and very, very active. Since last year, the news has been all about prominently disclosed attacks, internal and external, so the over-arching theme was sophisticated attacks. That awareness of risk and threat is solidly at the BoD level with Gartner clients, and the edict from on high: get our house in order, as it is only a matter of time and in fact we probably have already been breached to some extent.
Enterprise Security Intelligence is a pervasive theme with Gartner Security and Risk Management teams, and so it was at the event as well. But similar to the Washington DC event this past summer, there were far more sessions on “how to…” define your needs relative to your unique environment. And compliance has become table stakes, checklist tactics rather than an end in itself. And of course this prioritization is spot on: compliance does not equal a measurable, defensible security and risk posture.
One of the best sessions was on risks associated with cloud-sourced services. The content was pragmatic, focused on specifics, such as:
–Diverse tenancy is a new world, versus a controlled environment. Your competitors could be using the same cloud platform, for example.
–Public access: where are the controls?
–Economic Denial of Service: a newly coined term for a targeted attack designed to spin up gobs of storage, which means gobs of cost, billed to you!
Some bits of note (can you spot my Brit vernacular?):
–Security monitoring is essential for any use cases within cloud services, be they hosted, on-prem, or MSSP-driven
–Cloud was primarily Public Cloud, versus virtual datacenter in the sessions I attended
–In one session on Security Monitoring, a definition of Security Intelligence was put forth:
- data is gathered: more is better
- reasoning is applied, in the form of analytics
- actionable information drives a decision
Pretty high level in my view, but maybe less is more.
Posted by Heather Howland in Security Intelligence, SIEM
SIEM has come a long way over the years, evolving from a relatively simple point solution, to a more intelligent, integrated and automated enterprise IT security solution. We thought it would be interesting – and fun – to put together an infographic to try and make sense of it all.
Why bother creating an infographic on SIEM? It has an interesting history. SIEM was originally plagued by a somewhat painful implementation process, difficult-to-integrate data sources, limited scalability, and an intensely manual reporting process that required analysts to do the heavy lifting. Reporting and analytics have greatly improved, along with scalability, collection, and integration of third-party data sources. Not only does this evolution make day-to-day life easier for IT security professionals, but it decreases breach response time, remediation time, and the total cost of a breach.
In fact, this infographic is about more than just SIEM. It’s about the evolution of SIEM, expanding into adjacent solutions, to add essential contextual data and achieve total security intelligence. Considering recent announcements by other vendors, security intelligence has become more than just a popular term. As one of my colleagues explained in his post last month, security intelligence is “a holistic approach to viewing and managing the security and risk posture of an organization.”
How did we do? Let us know in the comments below if we left anything out. Of course, as the industry progresses, so will this Infographic. We are excited to see how SIEM, and security intelligence, further evolves.
Posted by John Burnham in Critical Infrastructure, Q1 Labs, Security Intelligence, SIEM
Recently, Gartner published a new report titled “Strategies for Dealing With Advanced Targeted Threats”. The message in this report is how to strategically deal with ATTs (Advanced Targeted Threats), which is Gartner’s expanded definition of APTs (Advanced Persistent Threats) in order to emphasize the focused nature of these high-magnitude attacks. A lot of emphasis is placed on the need for network activity monitoring, to the extent of even calling out “flows”, as we also saw in this year’s SIEM Magic Quadrant report.
Below is a breakdown of the report, beginning with The Problem definition:
- The term “advanced persistent threat” (APT) has been overhyped in the press and is distracting organizations from a very real problem. Targeted attacks are penetrating standard levels of security controls and causing significant business damage to enterprises that do not evolve their security controls. Gartner estimates that, for the average enterprise, 4% to 8% of executables that pass through antivirus and other defenses are malicious. Enterprises need to focus on reducing vulnerabilities and increasing monitoring capabilities to deter or more quickly react to evolving threats, and not focus on what country the attacks are coming from.
A major point that supports SIEM in general, and flows/behavior anomaly detection in particular, is the analyst’s portrayal of “lean-forward” planning. This approach is especially needed in Critical Infrastructure: the recent Ponemon survey pointed out the discrepancy in spending between physical and IT security, a balance that is now shifting because of the potential for APT/ATTs.
Here are some more highlights from the Gartner report:
- Advanced attacks (often called “advanced persistent threats”) are using techniques that demand an evolution of existing defenses, and an introduction of new security controls and processes. Enterprises need to focus on the effectiveness and efficiency of their infrastructure protection approaches.
- Simply adding more layers of defense does not necessarily increase security against targeted threats — security controls need to evolve.
- Gartner estimates that, for the average enterprise, 4% to 8% of executables that pass through antivirus and other defenses are malicious.
- Enterprises need to focus on reducing vulnerabilities and increasing monitoring capabilities to deter or more quickly react to evolving threats, and not focus on what country the attacks are coming from.
- All the innovative techniques used in these attacks are detectable. One key to preventing their success is to focus on avoiding, minimizing or shielding the vulnerabilities they are exploiting.
- Security information and event management (SIEM) products, or other approaches that correlate information across defense “silos”, should be used to gain better exception monitoring capabilities.
- A lean-forward, continuous monitoring process includes the following steps:
1. Establish a baseline.
2. Update threat information.
3. Monitor and inspect network traffic and host logs.
4. Investigate possible threat activity.
5. Activate an incident response process, or update defenses or work-arounds.
6. Go to Step 1.
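The six steps above, carried through as an added example in Python. This is neither Gartner’s text nor any product’s code: a baseline of per-host destination ports and hourly egress volume is built from a training day (step 1), an indicator feed is taken as refreshed (step 2), one hour of flows and host log lines is inspected against both (step 3), hosts with several independent signal kinds are triaged high (step 4), the response isolates them and feeds the destinations that triggered their findings back into the indicator set (step 5), and only windows without findings are folded into the next baseline before the loop repeats (step 6). Every host name, address, flow summary, log line, the three-sigma volume threshold and the “Office application spawned PowerShell” rule are constructed assumptions for the example.

```python
import statistics
from collections import defaultdict

# Step 1 input: hourly egress summaries from a quiet training day, one tuple per
# (host, hour, destination, dst_port, bytes_out). Constructed for the example.
HISTORY = (
    [("ws-07", h, "203.0.113.10", 443, 400_000 + 10_000 * (h % 3)) for h in range(24)]
    + [("ws-07", h, "198.51.100.5", 53, 2_000) for h in range(24)]
    + [("db-01", h, "10.0.0.15", 1433, 9_000_000 + 50_000 * (h % 5)) for h in range(24)]
    + [("ws-12", h, "203.0.113.10", 443, 300_000 + 5_000 * (h % 4)) for h in range(24)]
)
# Step 2 input: external indicator feed, refreshed every cycle. Constructed.
THREAT_FEED = {"192.0.2.77"}
# Step 3 input for the hour under review: flows and host log lines. Constructed.
WINDOW_FLOWS = [
    ("ws-07", 24, "203.0.113.10", 443, 410_000),
    ("ws-07", 24, "192.0.2.77", 4444, 120_000),        # new port, listed destination
    ("db-01", 24, "10.0.0.15", 1433, 9_100_000),
    ("db-01", 24, "198.51.100.200", 443, 38_000_000),  # bulk egress to a new destination
    ("ws-12", 24, "203.0.113.10", 443, 305_000),
]
WINDOW_LOGS = [
    "ws-07 process_start parent=winword.exe child=powershell.exe",
    "db-01 logon user=svc_backup result=success",
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}  # assumed rule input


def build_baseline(history):
    """Step 1: known destination ports and hourly egress mean/stdev per host."""
    ports = defaultdict(set)
    hourly = defaultdict(lambda: defaultdict(int))
    for host, hour, _dst, dport, octets in history:
        ports[host].add(dport)
        hourly[host][hour] += octets
    volume = {host: (statistics.mean(list(v.values())), statistics.pstdev(list(v.values())))
              for host, v in hourly.items()}
    return {"ports": ports, "volume": volume}


def inspect_window(baseline, feed, flows, logs, sigma=3.0):
    """Step 3: compare one window against the baseline, the indicator feed and a
    host-log rule. Returns per-host finding kinds and, per host, the destinations
    that triggered a flow finding."""
    findings, suspects = defaultdict(set), defaultdict(set)
    egress = defaultdict(int)
    for host, _hour, dst, dport, octets in flows:
        egress[host] += octets
        if dport not in baseline["ports"].get(host, set()):
            findings[host].add("new-port")
            suspects[host].add(dst)
        if dst in feed:
            findings[host].add("indicator-hit")
            suspects[host].add(dst)
    for host, total in egress.items():
        mean, sd = baseline["volume"].get(host, (0.0, 0.0))
        if total > mean + sigma * sd:
            findings[host].add("volume-anomaly")
    for line in logs:
        host, _event, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        if fields.get("parent") in OFFICE_PARENTS and fields.get("child") == "powershell.exe":
            findings[host].add("office-spawned-shell")
    return findings, suspects


def triage(findings):
    """Step 4: two or more independent signal kinds on one host rates it high."""
    return {host: ("high" if len(kinds) >= 2 else "medium")
            for host, kinds in findings.items()}


def respond(severity, suspects, feed):
    """Step 5: isolate high-severity hosts and push only the destinations that
    triggered their findings into the indicator feed (not every peer they talked to)."""
    actions, new_feed = [], set(feed)
    for host, level in severity.items():
        if level == "high":
            actions.append(f"isolate {host}")
            new_feed |= suspects[host]
    return actions, new_feed


def cycle(history, feed, flows, logs):
    """Steps 1 to 6 for one window; returns the actions taken plus the feed and
    history the next cycle starts from."""
    baseline = build_baseline(history)
    findings, suspects = inspect_window(baseline, feed, flows, logs)
    severity = triage(findings)
    actions, new_feed = respond(severity, suspects, feed)
    # Step 6: only windows from hosts with no findings are folded into the
    # baseline, so a noisy attacker cannot train the baseline to accept them.
    clean = [f for f in flows if f[0] not in findings]
    return actions, new_feed, history + clean


if __name__ == "__main__":
    acts, feed, hist = cycle(HISTORY, THREAT_FEED, WINDOW_FLOWS, WINDOW_LOGS)
    print(acts, sorted(feed), len(hist) - len(HISTORY), "clean records folded in")
```

Two design points are worth carrying over to a real deployment: the response adds only the destinations that triggered a finding to the feed, so an internal database server or a CDN the infected host also spoke to is not blocklisted; and the baseline is updated only from windows that produced no findings, which is what keeps the loop from drifting toward whatever the attacker does most often.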
- Some SIEM and next-generation firewall products have added some of the flow analysis features of network behavior analysis.
- You must be prepared to invest in and staff lean-forward processes.
Bottom line: Advanced Targeted Threats are front and center in our minds, and this report emphasizes important elements of a responsive strategy for dealing with these threats. It is a must read for all information security professionals concerned with staying ahead of these threats, especially in Critical Infrastructure.
Read more about how Q1 Labs’ Security Intelligence has been protecting Critical Infrastructure customers in our recent release, “A Year on from Stuxnet, More than 100 Critical Infrastructure Customers Rely on Q1 Labs for Security Intelligence.”