Posts Tagged ‘data breach’
The worry to organizations, however, is the number of these hackers who have never studied computer science but have an ambition to be a software developer and see it as a challenge to try to break into a business's network undetected. Although this may seem an innocent personal challenge to them, it is ultimately aligned with greed, and more often than not these people want to go for bigger and better targets.
Security teams need to be aware of methods to detect and instantly act upon this type of malicious hacking from so-called “amateurs.” The IBM X-Force 2012 Mid-year Trend and Risk Report details the variety of attacks that a business could expect a hacker to use. A key point highlighted is the growing complexity of an organization’s network, moving from a traditional office-only model to a world of interconnected devices and services. This has made it increasingly difficult to get a clear real-time snapshot of what is happening in the network, making it easier for amateur hackers to get in without raising any alarms.
In a recorded webcast with SCMagazine UK, Chris Poulin, IBM Security Systems Strategist, details how to combat these young hackers through QRadar’s anomaly detection capabilities and advanced forensic analysis, quickly identifying when a breach is occurring on your network.
What would you do if someone was repeatedly trying to break in through your front door? Would you add an extra lock and hope that was enough? Would you completely ignore the back door? If you lived in a neighborhood where lots of homes had been broken into, would you do some research to see what the common entry points were and maybe take some precautions to better address those risks, even if your house had been safe so far?
I’d like to think you’d do just about anything in your power to protect your home, and definitely your business. But finger-crossing and deadbolt equivalents seem to be the approach a lot of organizations take when it comes to security, especially network security. Those organizations are resting on hope: hope that they won’t be targeted by a cyber attack, hope that no disgruntled insiders will take a shot, hope that their network security analysts won’t miss something in the piles of log data being generated every minute, and hope that their first-generation solutions are working well enough to catch modern attackers.
Earlier this week I read an article in Network World about the failure of CSOs to properly evaluate risk in their security strategy. It asked the important question: “what happens if your security strategy doesn’t work?” I’m betting there are a lot of organizations out there who don’t know the answer to that question, and if they did, they wouldn’t be happy.
To truly be secure, you need to know where your vulnerabilities are and then figure out how to fix them. Your team needs to be prepared to identify and respond quickly to attempted and successful breaches (because inevitably, some will get through). They also need to know how to minimize the damage that can be caused by an incident. They need to be able to find the who, the what, the when, the where and, most importantly, the how, and they need this information in real time! This is the essence of Security Intelligence. Do you have it?
As we have lately read and seen, the style and sophistication of cyber attacks on organizations’ networks have become ever more complex. One type of attack that has had a lot of media coverage in the UK is the DDoS attack, with hacktivists using multiple IP addresses to attack one IP address within an organization, resulting in critical business services and infrastructure being made unavailable. Although this type of attack may not be news to people, in the UK there has been a lot of fresh exposure, bringing DDoS top of mind.
When reading through these cases, it is not the seriousness of the cyber attack that is the problem, but the late reaction to the attack. These can occur at any time, and in many cases the technology is not in place to detect and highlight them immediately. The consequence? A DDoS attack that happens after people have “finished” work is not acted upon by the security team until the next morning, by which time the attack has succeeded in its mission. This raises the need for organizations to have an effective threat detection system that highlights an attack to the security team regardless of the time of day; otherwise a DDoS could be used opportunistically to mask other harmful activities.
Real-time correlation and effective rule settings allow this to be combated successfully. With the right technology in place, automated alerts can be sent to the security team immediately when there is a suspicious incident, such as a DDoS attack. This allows an instant reaction to occur and enables the security team to be on top of the problem instead of chasing the issue when it’s already too late to stop or prevent more damage.
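To make the correlation idea concrete, here is an added example (written for this post, not QRadar's own rule engine) of a rule that counts distinct source IPs hitting one destination inside a sliding window and raises an alert the moment the threshold is crossed, whatever the hour. The flow records, threshold and window are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (timestamp, src_ip, dst_ip, dst_port); not real traffic.
SAMPLE_FLOWS = [
    ("2012-09-14T23:50:00", "192.0.2.7",    "203.0.113.20", 80),  # earlier, outside window
    ("2012-09-14T23:58:01", "198.51.100.1", "203.0.113.10", 80),
    ("2012-09-14T23:58:02", "198.51.100.2", "203.0.113.10", 80),
    ("2012-09-14T23:58:02", "198.51.100.1", "203.0.113.10", 80),  # repeat source, counted once
    ("2012-09-14T23:58:03", "198.51.100.3", "203.0.113.10", 80),
    ("2012-09-14T23:58:04", "198.51.100.4", "203.0.113.10", 80),
    ("2012-09-14T23:58:05", "192.0.2.9",    "203.0.113.20", 80),  # normal traffic
    ("2012-09-14T23:58:06", "198.51.100.5", "203.0.113.10", 80),  # fifth distinct source
    ("2012-09-14T23:58:07", "198.51.100.6", "203.0.113.10", 80),
]

DISTINCT_SOURCE_THRESHOLD = 5       # assumed tuning value
WINDOW = timedelta(seconds=60)      # assumed sliding window


def detect_ddos(flows, threshold=DISTINCT_SOURCE_THRESHOLD, window=WINDOW):
    """Return {dst_ip: alert} for destinations hit by >= threshold distinct
    sources within `window`. Fires once per destination, at the first
    record that crosses the threshold; no business-hours condition."""
    per_dst = defaultdict(list)     # dst -> [(timestamp, src), ...] inside the window
    alerts = {}
    for ts_str, src, dst, _port in sorted(flows, key=lambda f: f[0]):
        ts = datetime.fromisoformat(ts_str)
        bucket = per_dst[dst]
        bucket.append((ts, src))
        while bucket and ts - bucket[0][0] > window:   # expire old records
            bucket.pop(0)
        distinct = {s for _, s in bucket}
        if len(distinct) >= threshold and dst not in alerts:
            alerts[dst] = {
                "first_seen": bucket[0][0].isoformat(),
                "triggered_at": ts.isoformat(),
                "distinct_sources": len(distinct),
                # annotation only: the alert is raised either way
                "after_hours": ts.hour >= 18 or ts.hour < 8,
            }
    return alerts


if __name__ == "__main__":
    for dst, alert in detect_ddos(SAMPLE_FLOWS).items():
        print(dst, alert)
```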
For more information on how a next generation SIEM and Log Management solution like QRadar can bring you total security intelligence, changing your security posture from reactive to proactive, as well as responding to “dumber” brute force attacks such as DDoS, download this white paper “The Business Case for a Next Generation SIEM.”
Building on the momentum of our latest QRadar SIEM and QRadar Log Manager release just two weeks ago, we are excited to announce a new release of QRadar Risk Manager that adds several highly anticipated enhancements. As a refresher, QRadar Risk Manager is the member of the QRadar Security Intelligence Platform that provides pre-exploit configuration monitoring and attack simulation. These proactive capabilities help identify security gaps and prevent security breaches and compliance violations before they occur, providing a perfect pairing to the advanced analytics, detection and reporting of QRadar SIEM.
The new configuration monitoring and management capabilities make it easier than ever to strengthen perimeter security and improve network visualization:
Normalized rule and security device comparison allows users to compare rules and object groups across the same security device type (historical comparisons, for example), as well as across differing device types. For example, users can compare the configuration of all of their Internet firewalls, regardless of brand, helping them ensure that all firewalls are configured consistently. QRadar Risk Manager provides views that quickly and easily identify which rules have been added and deleted, highlighting object group changes between devices.
Topology visualization enhancements improve the overall usability of the product by allowing users to hover over interfaces to quickly view connection and interface details. This saves time by removing the need to “drill down” to view this information. This release also provides the ability to quickly save and retrieve saved searches, plus comprehensive path filtering options that include the ability to filter on multiple criteria. The release further adds improved path visualization capabilities, including arrows that indicate path direction and hover options that display partially allowed path information (such as specific ports). Users can also drill down from a hover window to view firewall rules that enable a given path, with a single click.
Firewall rule counting and event association is a powerful feature that associates firewall “accept” and “deny” events with specific firewall rules. Users can now report on most, least and never used rules, aiding in firewall optimization by identifying and eliminating rules that are no longer needed. The ability to drill down from a rule to specific firewall events that triggered it aids with rule forensics, such as detecting what traffic has been allowed by a rule, and where the traffic originated. This helps diagnose traffic issues and assists in determining the impact of rule changes before those changes are made. Liberal rules, such as “any port” and “any destination,” can be easily restricted without the fear of blocking critical traffic.
Shadowed rule detection is a highly requested feature that allows detection of rules that are “over-shadowed” by previous rules that contradict or render them ineffective. This feature reduces excessive firewall overhead and unforeseen security exposures. QRadar Risk Manager now allows users to identify and report on shadowed rules, allowing them to be easily fixed. A hover-over interface also allows the user to instantly view shadowed rule information without the need to drill down.
Firewall rule searching enhancements now allow users to search on time intervals, include or exclude different rule types, and refine results based on rule usage. Results may be sorted by a variety of options, including device rule order.
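As an added illustration of the shadowed rule detection described above (example code written for this post, not QRadar Risk Manager's own logic), here is a minimal check over a constructed, ordered rule set: a later rule is flagged when a single earlier rule already matches every packet it would match, and the finding records whether the earlier rule contradicts it or merely makes it redundant. Rules covered only by the union of several earlier rules are not detected by this simplified check.

```python
from ipaddress import ip_network

# Constructed rule set, in the order the firewall evaluates it; not from any real device.
# "ports" is an inclusive (low, high) destination-port range; 0.0.0.0/0 means "any".
RULES = [
    {"id": 1, "src": "10.0.0.0/8",       "dst": "0.0.0.0/0",      "ports": (22, 22),    "action": "deny"},
    {"id": 2, "src": "0.0.0.0/0",        "dst": "192.0.2.0/24",   "ports": (80, 443),   "action": "accept"},
    {"id": 3, "src": "10.1.0.0/16",      "dst": "203.0.113.5/32", "ports": (22, 22),    "action": "accept"},
    {"id": 4, "src": "198.51.100.0/24",  "dst": "192.0.2.10/32",  "ports": (443, 443),  "action": "accept"},
    {"id": 5, "src": "0.0.0.0/0",        "dst": "0.0.0.0/0",      "ports": (1, 65535),  "action": "deny"},
]


def covers(earlier, later):
    """True if every packet matching `later` also matches `earlier`
    (source and destination networks contain, port range contains)."""
    return (ip_network(earlier["src"]).supernet_of(ip_network(later["src"]))
            and ip_network(earlier["dst"]).supernet_of(ip_network(later["dst"]))
            and earlier["ports"][0] <= later["ports"][0]
            and earlier["ports"][1] >= later["ports"][1])


def find_shadowed(rules):
    """Return {shadowed_rule_id: (covering_rule_id, kind)} where kind is
    'contradicted' (actions differ) or 'redundant' (same action).
    Only the first covering rule is reported, since that is the one
    the firewall will actually hit."""
    findings = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier["action"] == later["action"] else "contradicted"
                findings[later["id"]] = (earlier["id"], kind)
                break
    return findings


if __name__ == "__main__":
    for rule_id, (by, kind) in find_shadowed(RULES).items():
        print(f"rule {rule_id} is {kind} by rule {by}")
```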
We are very excited about this release and the many other capabilities planned for the next few months. For more information about QRadar Risk Manager and QRadar SIEM, we invite you to read the white paper “Five Practical Steps to Protecting Your Organization Against Breach.”
And if you are at IBM Pulse, be sure to stop by the Security and Compliance section of the Solution Expo to say hello and learn more!