Posts Tagged ‘best practices’

Wednesday, 15 February 2012 08:30

Recent hacks remind experts that the weakest link in any security policy is… us

It’s not news to security experts; they’ve been saying it for ages. But for the rest of us (and by us, I mean people like me, who work in marketing, accounting, and so forth, and have little understanding of how our online behavior can compromise network security) one of the more recent Anonymous breaches is a strong reminder that people are the weakest link in any security policy.

This might come across as a “duh” moment, but organizations that make it a practice to continually train ALL employees on online security practices are going to have a huge advantage when it comes to staying safe. As a marketeer, I am online all the time. I do my best to keep things locked down:

– bolt my laptop to my desk

– follow prompts and reminders to keep my passwords varied and secure

– remember to send passwords in separate emails if I need to share login information with new users

– encrypt and password-protect attachments

– check with security when I’m not sure about a link I’ve been sent

You get the gist.  I work for a security company, so of course, we have people out there looking to make sure we follow the rules. And knowing that someone is watching me makes me all the more vigilant (you can call me a brown-noser, but I hate getting in trouble!).

It always amazes me when I read these articles and am reminded that not all organizations operate this way, even though we all should. In today’s hacker-fueled “targets of choice” environment, it’s really important that security professionals take their job to the next level. That means not only relying on technology and policies to keep their networks safe; it means investing time and energy to make sure that everyone with network access has been trained, retrained, and possibly certified. Some people might see that as overkill, but I just see it as being prepared.

What are you doing to make sure your employees are taking necessary precautions to keep your network safe?  Please share your insights below.


Tuesday, 31 January 2012 11:32

You can’t predict every breach, but you can plan your response…

This morning I read an article on Computing.co.uk that asked,  “How can organizations be prepared for cyber security incidents they can’t predict?”

I think this is a question a lot of CISOs ask themselves, and certainly they should. In the Data Protection & Breach Readiness Guide published this January by the Online Trust Alliance (OTA), a key takeaway is “If a business collects data it will experience a data loss incident at some point.” So while you can’t predict how you will be breached, it’s reasonable to assume that you will, and accepting that is the first step in a comprehensive network security strategy.

There are plenty of tools out there that can help analyze network configurations and identify the vulnerabilities that are creating entry points.  You can run simulations and tests, hire white-hat hackers to break into your systems, and monitor network activity until you’re blue in the face.  There are some breaches you can prevent, and there are some that you will never see coming.

The key is to have capabilities that will help you respond to the breach and limit your organization’s exposure as quickly as possible. How many horror stories have we heard over the past year of high profile breaches that lasted for months before they were spotted? How long did it take to find out what really happened? When breached, you immediately want to know who, what, when, and how, so you can brief your constituents (customers, executives, board members, etc.) on what has occurred and on your remediation plan. This is where Security Intelligence comes in.

A Security Intelligence solution like QRadar can help keep you safe. It can be part of your walled fortress, collecting information from across your entire infrastructure and alerting you when anomalies occur or improper configurations create new vulnerabilities. But more importantly, it can act as a stopgap, the tool you use to help stop the ship from sinking. Knowing immediately that you have been breached and what has been compromised; knowing how the breach occurred and where it originated; seeing where the information has been distributed, in real time: all of this knowledge helps you respond and stop the threat from spreading further. And since it’s only a matter of time before a breach occurs, better response preparation could be the competitive advantage you’re looking for.

For more information about breach response best practices,  please read Five Ways to Prepare for Your Data Breach.  As always, share your comments and questions below!


Tuesday, 20 December 2011 13:30

Webinar Wrap-up: Security Best Practices for Healthcare in 2012

Truism: it’s always informative to have customers join us on webinars. Last Thursday’s webinar was no exception, as we had two of our healthcare customers accompany us for an interactive discussion about healthcare security and compliance concerns as we approach 2012. A hearty thanks to both Youssef Jad from McGill University Health Centre and Jerry Walters from OhioHealth for taking time away from their busy days to participate in this discussion.

We covered a lot of ground in an hour, but here are a few of the major takeaways:
  • Tuning your security intelligence solution is extremely important to establish a baseline and avoid being overwhelmed with data early on.
  • Visibility into network flows is a huge factor when tracking down application-related traffic, especially when fully correlated with other events.
  • In the healthcare space, securing the mobile infrastructure is extremely important.
  • Security intelligence solutions like QRadar go way beyond reporting and log management.

During their QRadar proof-of-concept (POC), OhioHealth was able to quickly identify the infection sources of a malware outbreak stemming from a zero-day event. They leveraged QRadar’s unique QFlow capability to analyze network traffic for specific patterns, and they now use QFlow extensively to look for abnormal network activity. QRadar replaced a previous SIEM and log management solution that simply ran out of gas: it could not scale to support the high volume of security events that OhioHealth needed to monitor.

At McGill University Health Centre, QRadar was deployed in just a few days using the system’s pre-built templates. Tuning and creating custom rules required an additional month, but that is an important step in effectively isolating incidents. The solution has already been used to identify malware attacks, and it is a key element of their change control process because it identifies unauthorized or erroneous configuration changes that affect the availability of critical applications. McGill chose QRadar after an evaluation process that also included testing ArcSight, which they found too complex.

Some of the questions answered in the webcast:
  • Why did you need a security intelligence solution?
  • What were your criteria?
  • What other solutions did you look at?
  • Did you have any challenges getting the solution in place?
  • How large of a staff do you maintain that works directly with QRadar?
  • How many systems and devices were included in your deployment?
  • Once an incident is discovered, how is it handled?

If you missed the live webinar, the recorded version is posted here for your viewing. Have questions while watching? Send them to info@q1labs.com and we’ll get back to you quickly.

Related: Five Ways to Use Security Intelligence to Pass Your HIPAA Audit (eBook)


Friday, 9 September 2011 12:07

SIEM and Cloud might be cousins

While I only have one first cousin, we have bizarre similarities and notable differences. First off, she’s 12 and about ten times smarter than I am (yes, I set myself up with that one). We share some slightly similar facial features, personality traits, and food tastes that favor northern Italian cuisine. She is an accomplished violinist already. I hack at my guitar every once in a blue moon. Anyway… enough kicking myself in the teeth.

What does this have to do with SIEM and cloud computing? As in my previous “cloud security” themed post, I will again reference the best practices paper by Q1 Labs’ CSO Chris Poulin. In it, he suggests that SIEM itself provides a cloud-type capability and is structurally similar. I find this a very interesting comparison and pretty darn accurate in many ways. Let’s get into it.

A classic SIEM is fed data from all around an organization by different groups with varying requirements and responsibilities. These groups cross organizational divides and often have very different interests, data types, and use cases. A SIEM has clearly defined consumers and providers, just as a cloud service does. For example, the systems management group may feed Microsoft Windows Active Directory events into the SIEM to be alerted on repeated user login failures, which can signal a brute-force password attack or a privilege escalation attempt.

Cloud providers are fed data by different customers, who expect their data to be protected, segmented from other customers’ data, controlled, secured, and monitored. A cloud provider is also expected not to access customer data for its own use or benefit unless the customer allows it. While this may not correlate 100% with a SIEM environment, there are contractual obligations between the operational management function and SIEM consumers to ensure processes are in place to handle potential incidents, empowering the data owners and defining a clear escalation process.

Related: What’s in a cloud security plan?

This points to one of the differences between cloud and SIEM, and why they might be cousins, yet only distant ones. The SIEM provider generally has total context and an overarching security responsibility, otherwise known as security intelligence, that spans data from all groups: for example, correlating vulnerability scanner results with firewall logs and network activity to detect an active threat. In the case of cloud services, there is a clear dividing line between roles and responsibilities, especially where customer data is involved. The data belongs to the customer and has to be treated differently. An example is GMail. Most likely, it wouldn’t be accepted if Google started reading our email or forwarding it to other GMail users. Okay, they are reading it, but hopefully not forwarding.
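The two correlations this post mentions, worked through as an added example (this is not Q1 Labs or QRadar code): a sliding-window rule over constructed Windows Security events for the Active Directory login-failure case, a rule joining constructed scanner findings with firewall accepts for the “vulnerability scanner plus firewall logs” case, and a third rule that only the party holding context across both feeds could write. Event layouts, addresses, thresholds and the notion of “internal” address space are all assumptions made for the example.

```python
"""Toy SIEM correlation over constructed log events (added example, not
QRadar or Q1 Labs code). Field layouts and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events after collector normalisation:
# (timestamp, event_id, target_user, source_ip). 4625 = failed logon, 4624 = success.
AD_EVENTS = [
    ("2012-01-31T09:00:01", 4625, "jsmith", "10.0.5.23"),
    ("2012-01-31T09:00:03", 4625, "jsmith", "10.0.5.23"),
    ("2012-01-31T09:00:04", 4625, "admin",  "10.0.5.23"),
    ("2012-01-31T09:00:05", 4625, "admin",  "10.0.5.23"),
    ("2012-01-31T09:00:06", 4625, "admin",  "10.0.5.23"),
    ("2012-01-31T09:00:07", 4624, "admin",  "10.0.5.23"),  # success right after the burst
    ("2012-01-31T09:15:00", 4625, "mlee",   "10.0.7.9"),   # two typos 30 min apart:
    ("2012-01-31T09:45:00", 4625, "mlee",   "10.0.7.9"),   # must not alert
]

# Constructed scanner output: host -> ports the scanner flagged as vulnerable.
SCAN_FINDINGS = {"192.0.2.10": {445, 3389}, "192.0.2.20": {80}}

# Constructed firewall log: (timestamp, action, src_ip, dst_ip, dst_port).
FW_EVENTS = [
    ("2012-01-31T09:02:10", "ACCEPT", "198.51.100.7", "192.0.2.10", 3389),
    ("2012-01-31T09:02:11", "DENY",   "198.51.100.7", "192.0.2.10", 445),
    ("2012-01-31T09:03:00", "ACCEPT", "198.51.100.7", "192.0.2.20", 443),
    ("2012-01-31T09:04:00", "ACCEPT", "10.0.5.23",    "192.0.2.20", 80),
]

INTERNAL_PREFIXES = ("10.", "192.0.2.")  # assumption: address space treated as "inside"


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Rule 1 (the AD use case): at least `threshold` failed logons from one
    source IP inside a sliding `window`; slow, isolated failures never add up.
    Each alert also records whether a successful logon from the same source
    followed the burst within the window, the case a responder cares about."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, event_id, user, src in events:
        if event_id == 4625:
            failures[src].append((_ts(ts), user))
        elif event_id == 4624:
            successes[src].append(_ts(ts))

    alerts = []
    for src, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the left edge
                start += 1
            if end - start + 1 >= threshold:
                last = fails[end][0]
                alerts.append({
                    "src": src,
                    "count": end - start + 1,
                    "users": sorted({u for _, u in fails[start:end + 1]}),
                    "followed_by_success": any(last <= t <= last + window
                                               for t in successes[src]),
                })
                break  # one alert per source per pass is enough here
    return alerts


def correlate_exposure(fw_events, findings, internal_prefixes=INTERNAL_PREFIXES):
    """Rule 2: a firewall-ACCEPTed connection from an external source to a
    host/port the scanner flagged. DENYs and internal sources are skipped:
    a blocked probe is noise, and internal traffic is handled by rule 3."""
    return [
        {"time": _ts(ts), "src": src, "dst": dst, "port": port}
        for ts, action, src, dst, port in fw_events
        if action == "ACCEPT"
        and not src.startswith(internal_prefixes)
        and port in findings.get(dst, ())
    ]


def run_correlation(ad_events=AD_EVENTS, fw_events=FW_EVENTS, findings=SCAN_FINDINGS):
    """Rule 3 is where cross-group context pays off: a source that just
    brute-forced AD and then reached a scanner-flagged service is escalated,
    even though it is internal and rule 2 on its own would have ignored it."""
    bruteforce = detect_bruteforce(ad_events)
    exposure = correlate_exposure(fw_events, findings)
    bf_sources = {a["src"] for a in bruteforce}
    escalated = [
        {"time": _ts(ts), "src": src, "dst": dst, "port": port}
        for ts, action, src, dst, port in fw_events
        if action == "ACCEPT" and src in bf_sources and port in findings.get(dst, ())
    ]
    return {"bruteforce": bruteforce, "exposure": exposure, "escalated": escalated}


if __name__ == "__main__":
    for name, hits in run_correlation().items():
        print(name, hits)
```

On the sample data, rule 1 fires once for 10.0.5.23 (five failures in six seconds across two accounts, followed by a success), rule 2 fires once for the external accept to 192.0.2.10:3389, and rule 3 escalates the internal 10.0.5.23 connection to the flagged port 80 on 192.0.2.20, which neither feed would have surfaced alone. The threshold and window are deliberately parameters: the tuning the healthcare customers above described is exactly the work of setting them against a real baseline.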

What do you think, are there other similarities between cloud and SIEM? Besides SIEM being a lot smarter than cloud, that is.

Learn more about IT Security best practices in cloud environments.