Posts Tagged ‘critical infrastructure’
Rich Mogull of Securosis recently wrote a blog entry called “Can You Stop a Targeted Attack?” that nicely complements a Dark Reading article and accompanying report by his colleague, Adrian Lane, entitled “15 Ways to Get More Value from Security Log and Event Data.”
After (justifiably) lamenting that many “vendors have been APT-washing their stuff trying to convince anyone who would sit still that their run-of-the-mill IPS or endpoint protection product” could stop APT attacks “with fairy dust and assorted other black magic,” Rich goes on to ask some interesting questions.
- How many of the adversaries facing organizations today are advanced or persistent? Probably very few, since most of them are “today’s version of script kiddies trying to smash and grab their way out of the despondency of their existence” by stealing your organization’s customer details and payment card information. (I would add that it’s not just script kiddies but also organized gangs of cyber-criminals, operating out of eastern Europe and other exotic locations, preying on both large and small businesses who don’t have even the most basic security controls.)
- Are existing controls such as perimeter defenses sufficient? Answer: No (but existing controls still have a role to play).
- Do targeted attacks exist? Absolutely (the Aurora attack on Google being just one example).
- Are new technologies emerging to help prevent targeted attacks? Yes — Rich writes that “lots of vendors are learning and evolving their offerings to factor in this new class of attacker.”
- How can next-generation SIEM and security intelligence help? Rich doesn’t use these specific terms in his blog but writes that “Regardless of what happens on the prevention side, you still need to monitor the hell out of your stuff … it’s career-limiting to plan on stopping [targeted attacks]” so you should still invest in “monitoring, forensics, and response – even in the presence of new and innovative protections.” He mentions Global Payments as an example of an organization that discovered they had been breached by monitoring their egress traffic and “seeing stuff they didn’t like leaving their network” (one of the capabilities provided by QRadar); and yes, they didn’t stop the breach “but it’s a hell of a lot better to catch it yourself than to hear from your payment processor or the FBI that you have a ‘problem’”. Gartner analyst Mark Nicolett made a similar observation in “Using SIEM for Targeted Attack Detection” [complimentary download] when he wrote that “Organizations are failing at early breach detection, with more than 85% of breaches undetected by the breached organization.”
In Adrian’s Dark Reading article, he writes that “we are drowning in [security] data but are thirsty for actionable information.” And in the full report from Dark Reading’s Security Monitoring Tech Center, he writes that by deploying SIEM with “automation and resources, along with a healthy dose of human intervention and insight, organizations can make their data work for them, instead of the other way around.”
Adrian also writes that SIEM “technologies are being used not just to analyze data after the fact, but also to perform real-time detection quickly followed by meaningful forensic examination of events.”
By the way — does this sound like Big Data? Of course it does — but we’re talking about purpose-built Big Data analytics that were designed specifically for security — not just a generic Big Data repository with a bunch of scripting tools. QRadar has always been built on a Big Data architecture — distributed, parallel, elastic and indexed — but it’s the applications built on top of this architecture that help you find the proverbial needle in the haystack via automated intelligence.
One of the ways that the QRadar Security Intelligence Platform helps you increase the signal-to-noise ratio is via its embedded expert security knowledge, based on nearly 10 years of real-world experience, including: hundreds of pre-configured correlation rules; 1,500+ security/compliance reports; built-in support for 400+ data sources, including parsing and normalization; and native support for the collection of network flow traffic (via deep packet inspection), which can then be used for behavioral analysis and anomaly detection in combination with information from log sources.
As Adrian Lane writes in the Dark Reading report, “Enterprises are swimming in the sea of data generated by networks, servers, personal computing devices and applications … Just as the bad guys adjust their attacks to take advantage of new vulnerabilities or to tune malware to evade detection, security professionals must continue to adapt. Sitting still means failure. Ultimately, these log files are your view into what’s going on, and it’s your job to figure out what’s important and how to get that information with as little work as possible.”
And hopefully we can help make your job easier – unlike first-generation SIEMs that are complex and require armies of people (in-house staff and/or contractors) to deploy and operate. Gartner says that QRadar “is relatively straightforward to deploy and maintain across a wide range of deployment scales” while Jerry Walters, Director of Information Security at Ohio Health, says in his YouTube interview that “QRadar gives us the visibility to find the virtual needle in the haystack when it comes to discovering what happened and when, and to proactively prevent things that are potentially going to be problems.”
 Critical Capabilities for Security Information and Event Management, Gartner, 21 May 2012
Following their widespread adoption, SIEM and log management solutions have become a staple of many organizations’ security and compliance practices. They are relied on to protect against countless security and compliance risks. But there’s a big difference between monitoring the network of a midsize business and those of Fortune 500 organizations. Q1 Labs not only delivers economical solutions for the former, but also scalable and resilient solutions for the latter.
This is no small feat when you’re talking about a magnitude of well over 100,000 events per second, all correlated in real-time – a volume many Q1 Labs customers are achieving with the QRadar Security Intelligence Platform. Run out the math and you find this is billions of events per day. How exactly does QRadar enable success at scale?
Let’s scratch the surface of QRadar’s keys to success:
- Scalability. QRadar’s distributed, federated database architecture allows it to monitor, correlate and store the highest data volumes in real time, without filtering out data or skipping correlation, as some other products do.
- Search Performance. High-performance indexing and search provides incredibly fast access to enterprise networking and security data. Applying Internet search engine technology, QRadar tames big data.
- Customization Ability. Although QRadar ships with thousands of out-of-the-box rules, report templates and dashboards, it is also highly customizable, meeting the needs of multi-divisional and multi-national organizations.
- Expansion and Upgrade Ability. The distributed appliance approach allows an organization to start with a small, mid-sized or large deployment, and add new processing capacity or functional capabilities on the fly. The architecture and size of a QRadar deployment can grow organically and don’t face major constraints.
- High Availability. Q1 Labs provides a turnkey solution for high availability, taking the guesswork, risk and complexity out of HA, so customers can focus on their security operations, not IT infrastructure.
These capabilities are further explained and a series of customer case studies are presented in a new Q1 Labs brochure on “Success at Scale.” As a sneak preview, consider the following portrait of a Fortune 5 energy company:
Business Challenge: This company needed to ensure compliance with PCI-DSS, NERC and numerous regulations in other countries. At the same time, it needed to monitor and analyze an average of 2 billion logs daily to protect itself from numerous security threats.
Q1 Labs Solution: The business addressed its regulatory compliance and security needs by deploying QRadar SIEM and QRadar QFlow using 30 appliances globally. By correlating events, network activity (flows), asset information and configuration data, the solution intelligently identifies 25-50 high priority offenses out of 2 billion daily events, utilizing 40 TB of aggregate storage. It serves 100 security users across four groups, while protecting 10,000 network devices, 10,000 servers and 80,000 user endpoints. Major technologies protected by QRadar include products by Oracle, SAP, Cisco and Juniper. The customer also uses QRadar to monitor 6 million card swipes per day for PCI compliance and ensures the security of SCADA systems for NERC compliance.
While some have claimed the warnings about SCADA system vulnerabilities are merely exaggerations and vendor FUD, this talk should be put to rest with the news that a US utility has suffered real physical damage from a cyber attack.
As widely reported, a water pump at a utility in Springfield, Illinois was burned out by a remote attacker repeatedly turning it on and off over a period of months. Certainly not as dramatic as Stuxnet, but effective nonetheless.
How did it happen? The attacker allegedly infiltrated the network of the vendor whose software controlled the SCADA systems, including the water pump. Through this access, the attacker is believed to have gained customer user names and passwords, including those for the Springfield utility, which enabled remote access to the systems.
Reactions to the news range from indifference (it’s just a water pump; there was no disruption of service due to redundant systems; wake me when I should care) to alarm sounding (the vulnerabilities are real; the potential impact significant; the urgency high). At Q1 Labs, our view (and that of our customers!) is that critical infrastructure providers, their vendors and government authorities need to take these risks seriously.
What can we learn from this attack? Here are five lessons:
1. Information security is just as important as physical security. It is obvious now that cyber vulnerabilities exist, can be exploited, and can cause physical damage. But too often information security best practices are ignored. For example, why are SCADA systems even connected to the public Internet in the first place? ICS-CERT has reportedly “received a number of reports from multiple independent security researchers who have employed the SHODAN search engine to discover internet-facing SCADA systems ‘using potentially insecure mechanisms for authentication and authorization.’” This should never occur, but it happens through ignorance of security best practices, limited budgets and good old-fashioned manual error.
Defense in depth approaches should be adopted, and best practices understood and applied. For example, many organizations assume they’re secure because they’ve deployed traditional defenses such as firewalls, antivirus, and identity and access management solutions. This attack shows that these traditional approaches are no longer sufficient; you also need continuous monitoring in order to quickly spot unusual or suspicious activities, because cyber criminals might be using legitimate credentials to access your critical systems.
Utilities and other critical infrastructure providers have no excuses, and there is no “A for effort.” This is not only a national security issue, but also a business continuity and viability issue. If you fail your customers catastrophically, you will find yourself out of business.
2. Rapid detection matters. The breach is suspected to have occurred in September, but was not discovered until November 8. During that time, security researcher Joe Weiss reports, “minor glitches were observed in remote access to the SCADA system for 2-3 months before it was identified as a cyber attack.”
The reason operators typically let “glitches” go by for months is they don’t have an easy way to mine network data. If the utility had centralized logging, data normalization, and simplified searching and data pivoting, its operators would have been able to analyze the data faster, and identify and stop the attack. Instead of wondering how to find the root cause, they could have used a Security Intelligence solution to troubleshoot and explore the forensic data with a single, easy-to-use console.
There were also obvious clues that should have tipped off operators to a potential breach, such as the systems being accessed by Russian IP addresses. A modern SIEM solution would have automatically alerted on anomalous network activity, such as access from outside the US.
3. Assume you are already breached. Although rapid detection is vital for responding to new attacks, you should also assume you have already been breached and are now under covert surveillance or attack. Operation Shady Rat showed that US federal agencies, energy providers and other large sophisticated organizations – let alone smaller businesses – can remain unaware of attacks over a period of years.
Would you know if you were already compromised? Stop wondering, and get to work finding the breaches that likely already took place.
4. Aggressive information sharing must become the norm. Besides highlighting weaknesses in security defenses and monitoring practices, this story also demonstrates the industry’s opportunity for improvement in how it responds to a cyber attack. Although the Illinois Statewide Terrorism and Intelligence Center identified the incident, Weiss points out that “the incident has not been disclosed by the Water Information Sharing and Analysis Center, the Department of Homeland Security’s Daily unclassified report, by the DHS Industrial Control System-Cyber Emergency Response Team or other government and industry security groups.” Thus other water utilities remained unaware of the attack, according to Weiss.
5. The full impact of this breach is unknown. Without falling into hyperbole, one has to consider that the known damage may be just the tip of the iceberg with this exploit. Since “many industrial control systems rely on passwords that are hard-coded, making it difficult to change stolen passcodes without causing serious problems,” are other water utilities – or even nuclear power utilities – exposed to this compromise? Weiss notes that “If this is a [big software vendor], this could be so ugly, because a biggie would have not only systems in water utilities but a biggie could even be [used] in nukes.”
Regardless of whether this incident proves to be a minor blip or the start of a series of attacks on the SCADA vendor’s customers, the lessons it presents are clear. Aggressively protect your critical infrastructure. Focus on both parts of the Security Intelligence timeline: pre-exploit (vulnerability and configuration management) and post-exploit (threat detection, investigation and remediation). Learn from the best practices of California ISO and other critical infrastructure providers that have adopted Security Intelligence.
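The two alerts that lessons 1 and 2 call for, a login with valid credentials from an unexpected country and a device being switched on and off repeatedly, can be expressed in a few lines once logs are centralized and normalized. This is an added example, not Q1 Labs or QRadar code; the log format, account and device names, thresholds and GeoIP table are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed GeoIP table built on documentation prefixes (RFC 5737).
# A real deployment would query a maintained GeoIP database instead.
GEO = {"192.0.2.0/24": "US", "198.51.100.0/24": "US", "203.0.113.0/24": "RU"}
ALLOWED_COUNTRIES = {"US"}     # assumed policy: operators connect from the US only
MAX_COMMANDS = 4               # assumed tolerance for START/STOP per device per window
WINDOW = timedelta(hours=1)

# Constructed, already-normalized records: time, account, source IP, action, target.
SAMPLE_LOG = """\
2011-10-03T08:02:11 operator1 192.0.2.15 LOGIN hmi-01
2011-10-03T08:05:40 operator1 192.0.2.15 START pump-3
2011-10-03T16:30:02 operator1 192.0.2.15 STOP pump-3
2011-10-04T02:14:09 vendor_support 203.0.113.77 LOGIN hmi-01
2011-10-04T02:15:00 vendor_support 203.0.113.77 START pump-3
2011-10-04T02:16:30 vendor_support 203.0.113.77 STOP pump-3
2011-10-04T02:18:00 vendor_support 203.0.113.77 START pump-3
2011-10-04T02:19:30 vendor_support 203.0.113.77 STOP pump-3
2011-10-04T02:21:00 vendor_support 203.0.113.77 START pump-3
2011-10-04T09:00:00 operator2 198.51.100.8 LOGIN hmi-01
"""


def country_of(ip):
    """Return the country code for ip, or UNKNOWN when no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for prefix, code in GEO.items():
        if addr in ipaddress.ip_network(prefix):
            return code
    return "UNKNOWN"


def detect(log_text):
    """Return alerts as (rule, subject, source_ip, timestamp) tuples."""
    alerts = []
    recent = defaultdict(list)  # device -> timestamps of recent START/STOP commands
    for line in log_text.strip().splitlines():
        ts_raw, user, ip, action, target = line.split()
        ts = datetime.fromisoformat(ts_raw)
        if action == "LOGIN":
            # Valid credentials from an unexpected country still raise an alert;
            # UNKNOWN counts as unexpected, so gaps in the table fail closed.
            if country_of(ip) not in ALLOWED_COUNTRIES:
                alerts.append(("GEO", user, ip, ts_raw))
        elif action in ("START", "STOP"):
            times = recent[target]
            times.append(ts)
            # Keep only commands inside the sliding window ending at ts.
            times[:] = [t for t in times if ts - t <= WINDOW]
            if len(times) > MAX_COMMANDS:
                alerts.append(("CYCLING", target, ip, ts_raw))
                times.clear()  # restart the count so one burst alerts once
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Normal daytime operation (one start and one stop hours apart) stays below the threshold, so only the out-of-country login and the rapid command burst are reported.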
According to reports here, here, here and elsewhere, the Department of Homeland Security and FBI have announced that the destruction of the Springfield, Illinois water pump was not due to cyber hacking. The DHS announcement reads in part, “After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois. There is no evidence to support claims made in the initial Fusion Center report — which was based on raw, unconfirmed data and subsequently leaked to the media — that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported.”
Questions remain about why the Illinois terrorism center reported this as an attack. But either way, the lessons shared here hold true. SCADA system vulnerabilities do exist, can be exploited, and can cause physical damage. The time to strengthen your pre-exploit and post-exploit security capabilities is now.
This story continues to play out in the headlines, with the FBI’s Cyber Division acknowledging that hackers recently accessed the infrastructure of three cities through SCADA systems. As this post notes, the good news is that the FBI’s budget for cyber defense will likely rise over the coming year. The bad news is that although the Cyber Division’s deputy assistant director “expects” the division to double in size within 12 to 18 months, the FBI’s budget request for cyber defense was only 12% higher for the 2012 fiscal year. How much impact will a 12% increase have? Your guess is as good as mine.
What is clear is that the vulnerabilities surrounding SCADA systems are real, and this issue will only become more significant over time. Consider that my first security prediction for 2012.
Last week we held a webcast with our partner Accuvant and talked a bit about the state of critical infrastructure security and how security intelligence can help build a comprehensive security program – specifically in the energy and utilities industry.
Chris Poulin, Q1 Labs’ CSO, kicked it off with a creative view of the smart grid, electricity transmission and distribution systems to set the tone with a few interesting takeaways. While smart meters may not necessarily be prevalent yet, those that are deployed need to be logged and properly monitored. The advancements related to smart grid highlight the vulnerabilities and security concerns looming over our entire critical infrastructure, as the energy supply chain becomes more exposed and interconnected.
David Swift from Accuvant brought up some of the top concerns IT security professionals in the energy and utilities sector have when approaching APTs, zero day attacks, and overall compliance mandates. While sometimes we get caught up in the complexities of discovering attacks, David reinforced that for starters we need to keep a close eye on logs. Track firewall denies, IDS/IPS events, Geo IP data, etc. Patterns discovered from AV alerts or repeated, large, IM file downloads can be the key to discovering slow moving, but significant threats to an enterprise.
If you missed the live webcast, watch the highlight clip above and download the full on-demand webcast. Attending RSA Europe? Chris will be presenting live – When Refrigerators Attack! Securing the Critical Infrastructure – on 10/12 at 4:40 pm in the Windsor Suite (East Wing).
With the advent of the “Smart Grid”, the electric and power industry has been progressing through their version of the Renaissance. Historically, the biggest concern for this industry was physical security, e.g. how do we keep our physical grids secure from being tampered with? Now, they seem to be focused on service, moving towards the Smart Grid in order to help smooth the delivery of electricity to an increasing number of customers, provide new monitoring services, and reduce the frequency of blackouts. This effort has been led by states like California working closely with NIST’s Smart Grid Interoperability Panel. But have they left cyber-security out of the big picture?
Similar to SCADA systems, most smart meters are delivered and implemented with little to no security measures in place. As a result, a rapidly growing number of energy providers and critical infrastructure suppliers are implementing security intelligence solutions to help them collect, normalize, and analyze network event and device data generated by their smart grids. They are recognizing that as smart meters become more intelligent, the risk profile increases accordingly, exposing the nation’s energy grid to more advanced attacks (what Gartner calls Advanced Targeted Threats).
In June 2011, the Obama administration released a report titled “A Policy Framework for the 21st Century Grid”, which has a task of defining the future of our nation’s energy policy. One of the goals in the report is focused directly on establishing policies and best practices for cyber-security, specifically standards and a knowledge-based culture.
The Administration is moving in the right direction by working with states and private companies to develop standards and guidelines to drive a more secure power grid, but we still have a ways to go before our critical infrastructure is adequately protected. For now, states like California are making noticeable progress on smart grid adoption, and private companies like Portland General Electric are making similar progress securing their infrastructure with security intelligence solutions. However, the vast majority of the industry is still operating in the dark, as revealed in a recent study by the Ponemon Institute, “State of IT Security: Study of Utilities and Energy Companies.” This study found that nearly half of global energy organizations did not view IT Security as a strategic initiative.
You’ve heard this before – but a cyber-terrorism attack would have a catastrophic impact on the nation’s electric grid, shutting down critical businesses, slowing our ability to respond locally with law enforcement, disabling cell phones and other communication devices, and more. U.S. Defense Secretary Leon Panetta recently warned that “The next Pearl Harbor we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems”.
Clearly our power grid (smart grid or not) is vulnerable to attack. Hopefully, as we move closer towards broader smart grid adoption, the industry will make progress adopting security intelligence solutions to help protect our critical infrastructure assets. Do you think the electric and power industry is prepared to adequately protect itself from attacks?