Posts Tagged ‘data breach’
Posted by Tom Kendall in Cybersecurity, Security Intelligence, SIEM
As we have lately read and seen, the style and sophistication of cyber attacks on organizations’ networks have become ever more complex. One type of attack that has had a lot of media coverage in the UK are DDoS attacks, with hacktivists using multiple IP addresses to attack one IP address within an organization, resulting in critical business services and infrastructure being made unavailable. Although this type of attack may not be new news to people, in the UK there has been a lot of fresh exposure, bringing DDoS top of mind.
When reading through these cases it is not the seriousness of the cyber-attack that is the problem, but the late reaction to the attack. These can occur at any time and in many cases the technology is not in place to detect and highlight these immediately. The consequence? A DDoS attack that happens after people have “finished” work are not being acted upon by the Security team until the next morning when the attack has been successful in its mission. This raises the need for organizations to have an effective threat detection system, highlighting an attack to the security team, regardless the time of the day or a DDoS could be used opportunistically to mask other harmful activities.
Real time correlation and effective rule settings allow this to be combated successfully. With the right technology in place, automated alerts can be sent to the security team immediately when there is a suspicious incident, such as a DDoS attack. This allows an instant reaction to occur and enables the security team to be on top of the problem instead of chasing the issue– when it’s already too late to stop or prevent more damage.
For more information on how a next generation SIEM and Log Management solution like QRadar can bring you total security intelligence, changing your security posture from reactive to proactive, as well as responding to “dumber” brute force attacks such as DDoS, download this white paper “The Business Case for a Next Generation SIEM.”
Posted by Michael Applebaum in Risk Management, Security Intelligence, Threat Management
Building on the momentum of our latest QRadar SIEM and QRadar Log Manager release just two weeks ago, we are excited to announce a new release of QRadar Risk Manager that adds several highly anticipated enhancements. As a refresher, QRadar Risk Manager is the member of the QRadar Security Intelligence Platform that provides pre-exploit configuration monitoring and attack simulation. These proactive capabilities help identify security gaps and prevent security breaches and compliance violations before they occur, providing a perfect pairing to the advanced analytics, detection and reporting of QRadar SIEM.
The new configuration monitoring and management capabilities make it easier than ever to strengthen perimeter security and improve network visualization:
Normalized rule and security device comparison allows users to compare rules and object groups across the same security device type (historical comparisons, for example), as well as across differing device types. For example, users can compare the configuration of all of their Internet firewalls, regardless of brand, helping them ensure that all firewalls are configured consistently. QRadar Risk Manager provides views that quickly and easily identify which rules have been added and deleted, highlighting object group changes between devices.
Topology visualization enhancements improve the overall usability of the product by allowing users to hover over interfaces to quickly view connection and interface details. This saves time by removing the need to “drill down” to view this information. This release also provides the ability to quickly save and retrieve saved searches, plus comprehensive path filtering options that include the ability to filter on multiple criteria. The release further adds improved path visualization capabilities, including arrows that indicate path direction and hover options that display partially allowed path information (such as specific ports). Users can also drill down from a hover window to view firewall rules that enable a given path, with a single click.
Firewall rule counting and event association is a powerful feature that associates firewall “accept” and “deny” events with specific firewall rules. Users can now report on most, least and never used rules, aiding in firewall optimization by identifying and eliminating rules that are no longer needed. The ability to drill down from a rule to specific firewall events that triggered it aids with rule forensics, such as detecting what traffic has been allowed by a rule, and where the traffic originated. This helps diagnose traffic issues and assists in determining the impact of rule changes before those changes are made. Liberal rules, such as “any port” and “any destination,” can be easily restricted without the fear of blocking critical traffic.
Shadowed rule detection is a highly requested feature that allows detection of rules that are “over-shadowed” by previous rules that contradict or render them ineffective. This feature reduces excessive firewall overhead and unforeseen security exposures. QRadar Risk Manager now allows users to identify and report on shadowed rules, allowing them to be easily fixed. A hover-over interface also allows the user to instantly view shadowed rule information without the need to drill down.
Firewall rule searching enhancements now allow users to search on time intervals, include or exclude different rule types, and refine results based on rule usage. Results may be sorted by a variety of options, including device rule order.
We are very excited about this release and the many other capabilities planned for the next few months. For more information about QRadar Risk Manager and QRadar SIEM, we invite you to read the white paper “Five Practical Steps to Protecting Your Organization Against Breach.”
And if you are at IBM Pulse, be sure to stop by the Security and Compliance section of the Solution Expo to say hello and learn more!
Posted by Melissa Stevens in Cybersecurity
It’s not news to security experts; they’ve been saying it for ages. But for the rest of us (and by us, I mean people like me, who work in marketing, accounting, and so forth, and have little understanding of how our behaviors online could be compromising network security) one of the more recent Anonymous breaches is a strong reminder that it’s people who are the weakest link in any security policy.
This might come across as a “duh” moment, but organizations who make it a practice to constantly train ALL employees on online security practices are going to have a huge advantage when it comes to staying safe. As a marketeer, I am online all the time. I do my best to keep things locked down:
– bolt my lap top to my desk
– follow prompts and reminders to keep my passwords varied and secure
– remember to send passwords in separate emails if I need to share log in information with new users
–Encrypt and password protect attachments
–Check with security when I’m not sure about a link I’ve been sent
You get the gist. I work for a security company, so of course, we have people out there looking to make sure we follow the rules. And knowing that someone is watching me makes me all the more vigilant (you can call me a brown-noser, but I hate getting in trouble!).
It always amazes me when I see these articles and am reminded that not all organizations operate this way, even though really, we all should be. In today’s hacker-fueled “targets of choice” environment, it’s really important that security professionals take their job to the next level. That means not only relying on technology and policies to keep their networks safe; it means investing time and energy to make sure that everyone with network access has been trained and retrained and possibly certified. Some people might see that as over kill, but I just see it as being prepared.
What are you doing to make sure your employees are taking necessary precautions to keep your network safe? Please share your insights below.
Posted by Heather Howland in Healthcare, Security Intelligence, Webinars
Truism: it’s always informative to have customers join us on webinars. Last Thursday’s webinar was no exception, as we had two of our healthcare customers accompany us for an interactive discussion about healthcare security and compliance concerns as we approach 2012. A hearty thanks to both Youssef Jad from McGill University Health Centre and Jerry Walters from OhioHealth for taking time away from their busy days to participate in this discussion.
Here’s a brief clip:
- Tuning your security intelligence solution is extremely important to establish a baseline and avoid being overwhelmed with data early on.
- Visibility into network flows is a huge factor when attempting to track down application related traffic, especially when fully correlated with other events.
- In the healthcare space, securing the mobile infrastructure is extremely important.
- Security intelligence solutions like QRadar go way beyond reporting and log management.
During their QRadar proof-of-concept (POC), OhioHealth was able to quickly identify infection sources from a malware outbreak stemming from a zero-day event. They leveraged QRadar’s unique QFlow capability to analyze network traffic by looking for specific patterns in the traffic, and they now use QFlow extensively to look for abnormal network activity. QRadar was a replacement for a previous SIEM and log management solution that simply ran out of gas – it could not scale to support the high volume of security events that OhioHealth needed to monitor.
At McGill University Health Centre, QRadar was deployed in a just a few days using the system’s pre-built templates. Tuning and creating custom rules required an additional month, but is an important step to effectively isolate incidents. The solution has already been used to identify malware attacks, and it is a key element of their change control process because it is used to identify unauthorized or erroneous configuration changes that affect the availability of critical applications. McGill chose QRadar after an evaluation process that also included testing ArcSight, which they found to be too complex
- Why did you need a security intelligence solution?
- What were your criteria?
- What other solutions did you look at?
- Did you have any challenges getting the solution in place?
- How large of a staff do you maintain that works directly with QRadar?
- How many systems and devices were included in your deployment?
- Once an incident is discovered, how is it handled?
If you missed the live webinar, the recorded version is posted here for your viewing. Have questions while watching? Send them to info@q1labs.com and we’ll get back to you quickly.
Related: Five Ways to Use Security Intelligence to Pass Your HIPAA Audit (eBook)









