Posts Tagged ‘Risk Management’
As I sat down to watch the new James Bond film with my usual supplies of fizzy drinks and sugary sweets, I was very surprised when he decided to take on the cyber terrorist at large and solve the problem single-handedly, physically and without the need for a Security product in sight!
Of course we don’t all have a secret agent in our organization, driving around eradicating danger. However, security teams can prepare and have clear, flexible strategies in place to reduce risk on their networks.
The premise of the film (spoiler alert) is a cyber terrorist getting into the British Secret Service network undetected and causing harm to key personnel. The clever methods used to infiltrate the network highlight what is happening on a daily basis to security teams globally, and though a great film, probably made many security personnel squirm slightly in their chairs when seeing the consequences that could occur!
From internal constraints to the rise of Advanced Persistent Threats (an ESG research report highlighted that 59% of enterprise organizations think they have been the target of an APT attack), the role of the security team is becoming ever more complex. The requirement for a clear security strategy, which is able to adapt and be flexible to an organization’s evolving needs, is vital.
In an exclusive webcast with Dark Reading on 12/13/2012 at 1200 ET, Q1 Labs’ very own James Bond, Michael Applebaum, and Jon Oltsik, Senior Principal Analyst at ESG, will be presenting “Information Security in Transition: Top things to consider in 2013”. In this must-attend event there will be recommendations on how to improve your organization’s information security model and, importantly, the key issues that you are likely to face in 2013.
If you don’t want to wait for our webcast to get this information, please download Jon Oltsik’s report “Enterprise Information Security in Transition”.
With the release of QRadar Security Intelligence Platform 7.1, we’re excited to share with you a host of new advances to our family of Security Intelligence products – including QRadar SIEM, QRadar Log Manager and QRadar Risk Manager. These innovations are making it easier for users to leverage cloud investments, simplify management, collect and manage data more flexibly, and replicate or extend QRadar deployments. As a result, QRadar users will receive even greater insight and visibility, further reduce manual work and gain higher system performance. Let’s dive in!
Leverage Cloud Investments
We know many of you have built significant private and public cloud infrastructures and are looking for new virtual workloads to deploy in the cloud. With QRadar 7.1 you now have an additional type of appliance – the Event Collector – that you can deploy virtually, providing more ways to use your cloud environment to gain richer security intelligence.
Event collectors – which come in both virtual and hardware appliance form – provide continuous event logging capabilities, even when network connectivity is unreliable. They collect event logs and forward them to an event processor or all-in-one appliance for correlation, analysis and long-term storage. If network connectivity is lost, they can queue events in a storage buffer and then forward them upon re-connecting. (We call this “store and forward.”) In addition to serving locations with intermittent network connections (like naval vessels), event collectors are well-suited for collecting logs in distributed locations with low to moderate event volumes, such as retail stores and satellite offices. A large retailer, for example, might have hundreds of stores in which they want to collect event data, but the data generated in each location is modest enough that event processors (with terabytes of storage per appliance) aren’t required.
With this release, you now have access to a full complement of virtual appliances – console & all-in-one, event processor, flow processor, VFlow collector, and event collector – to best utilize your current and future cloud infrastructures. Even better, appliances can be mixed and matched among virtual appliance, hardware appliance and traditional software form factors, to meet your specific needs.
Simplify Management – Especially for Big Data
As we and others like Scott Crawford and Jon Oltsik have written, information security is truly a big data analytics challenge today. With its heritage in network flow collection and anomaly detection, QRadar has been collecting and correlating massive data sets in real-time since before big data became a white-hot phenomenon. Critical infrastructure and tier-one telecommunications providers, banks, and energy and utility companies are using QRadar to correlate as many as one million events per second (EPS) in real-time, thanks to QRadar’s purpose-built, embedded Ariel database. But with such massive data volumes come management challenges.
In response, we developed new Index Management capabilities in QRadar 7.1 that provide more refined data management and ultimately better performance. As the volume of stored data explodes, challenges inherent in querying big data become more pronounced – and so do the benefits of optimizing indexes for the queries most often run. QRadar’s default search indexes have always followed the 80/20 rule, providing out-of-the-box indexing for the most commonly used properties. Now we’re taking indexing a step further, enabling deep customization and tuning.
With QRadar 7.1, users have granular control over the creation of search indexes that enable speedy querying. While the fixed database indexing configuration that QRadar has historically provided works well for most scenarios, some clients would benefit from additional or different indexes. That’s why we added the ability to customize the indexing scheme for the event and flow database – so users can drop existing indexes to free up system resources or create new indexes to optimize the system for their specific needs.
QRadar also provides invaluable visibility into the use of indexes – with statistical reporting on the frequency of searches involving each property, how often each property’s index is used, and the size of each index – to help inform indexing decisions. This enables more efficient storage utilization and superior search performance.
Do you suspect one property is getting searched a lot? Get the data.
Do you wonder how big an index has grown? Find out.
Want to start indexing a custom property and see how often that index is used? No problem.
Another new capability that simplifies management is QRadar Risk Manager’s Enhanced Policy Monitoring. Risk Manager excels at monitoring network configurations and system vulnerabilities for potential security and compliance violations, and has always alerted when a policy is violated. Now it takes monitoring a step further with the ability to automatically notify when a policy is passed, providing positive evidence of compliance with external regulations and internal corporate policies. For example, you might want a positive notification when the percent of regulatory assets with Internet exposure vulnerabilities is within policy, or when the percent of regulatory assets with client side vulnerabilities that have communicated with the Internet is within policy. Now you can gain affirmative proof of such compliance.
Collect and Manage Data More Flexibly
QRadar 7.1 also offers new capabilities for collecting and managing data with greater flexibility. These include WinCollect – a versatile and scalable new QRadar capability for Windows event collection. WinCollect provides a superior and agentless means for collecting events from large numbers of systems. Installed on a Windows server of the customer’s choice, WinCollect can use the Windows Event Log API to pull events from target systems and then forward them to QRadar, or use Windows event forwarding and allow target systems to automatically push events to it and then forward them to QRadar. WinCollect complements existing collection mechanisms, including Q1 Labs’ own ALE solution, third-party approaches, and native Windows Server capabilities. In a subsequent blog post, we’ll explain the advantages of each approach and the value of having a broad set of choices.
Event collectors (described earlier) also help simplify data collection and management, in addition to leveraging cloud infrastructure and enabling event collection under unreliable connectivity. To begin with, their ability to “store and forward” data not only applies when a network connection is lost; it can also be used proactively for policy-based event forwarding. In some cases, a remote location might have reliable but limited network bandwidth, and you might want to limit the collector’s use of bandwidth to specific (less busy) times. With QRadar 7.1, you can limit forwarding by bandwidth utilization (e.g., never consume >1MB/second), and/or set an hourly, daily or weekly forwarding schedule. In addition, event collectors can filter event data before it is forwarded for correlation, reporting and long-term storage.
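The store-and-forward behaviour described above (queue on outage, forward on reconnect, bandwidth cap, forwarding window, pre-forward filtering) as a constructed Python model. This is an added illustration, not QRadar code: the `ForwardingPolicy` fields, the `EventCollector` class and the simulated outage are assumptions chosen to show that events collected while the link is down are neither lost nor reordered.

```python
# Constructed model of a store-and-forward collector with policy-based forwarding
# (bandwidth cap, forwarding window, pre-forward severity filter). Not QRadar code.
from collections import deque
from dataclasses import dataclass


@dataclass
class Event:
    ts: int            # collection time, seconds since epoch (constructed)
    severity: int
    payload: bytes


@dataclass
class ForwardingPolicy:
    max_bytes_per_sec: int   # bandwidth cap (the page's example is 1 MB/s)
    allowed_hours: set       # hours of the day in which forwarding is permitted
    min_severity: int = 0    # events below this are filtered before forwarding


class EventCollector:
    def __init__(self, policy, link):
        self.policy = policy
        self.link = link          # link(now, batch) -> True if delivered, False if down
        self.buffer = deque()     # the "store" in store-and-forward
        self.forwarded = []
        self.dropped = 0

    def collect(self, event):
        if event.severity < self.policy.min_severity:
            self.dropped += 1     # filtered locally; never consumes bandwidth
            return
        self.buffer.append(event)

    def tick(self, now):
        """One second of wall clock: forward whatever the policy allows."""
        if (now // 3600) % 24 not in self.policy.allowed_hours:
            return 0
        budget, batch = self.policy.max_bytes_per_sec, []
        while self.buffer:
            size = len(self.buffer[0].payload)
            if batch and size > budget:
                break             # an oversized event is still sent, but alone
            batch.append(self.buffer.popleft())
            budget -= size
        if not batch:
            return 0
        if self.link(now, batch):
            self.forwarded.extend(batch)
            return len(batch)
        self.buffer.extendleft(reversed(batch))   # link down: requeue in order
        return 0


def run_simulation():
    """Outage during the forwarding window: nothing is lost, order is kept."""
    down = {3600, 3601}                     # link unavailable in these seconds
    collector = EventCollector(
        ForwardingPolicy(max_bytes_per_sec=100, allowed_hours={1}, min_severity=3),
        link=lambda now, batch: now not in down,
    )
    for sev in (1, 5, 2, 7, 4, 9):          # constructed events collected at 00:00
        collector.collect(Event(ts=0, severity=sev, payload=b"x" * 40))
    per_tick = [collector.tick(t) for t in range(3598, 3605)]
    return {"dropped": collector.dropped,
            "forwarded": [e.severity for e in collector.forwarded],
            "still_queued": len(collector.buffer),
            "per_tick": per_tick}


if __name__ == "__main__":
    print(run_simulation())
```

Nothing is forwarded before the 01:00 window opens, the two seconds of outage inside the window requeue the batch unchanged, and the cap of 100 bytes/second limits each batch to two 40-byte events.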
Additionally, we have released more than a dozen new product integrations (device support modules) that enable users to normalize and analyze even more types of security telemetry. These include IBM Security zSecure Audit, which allows sending z/OS, RACF, ACF2, Top Secret, DB2, and CICS events from the System Management Facilities (SMF) log to QRadar (in addition to the native z/OS logs that QRadar already collects). We have also completed integrations with many third-party products, such as Verdasys Digital Guardian, AppSecInc DbProtect and Trend Micro Deep Discovery.
Build Extended Solutions and Replicate Existing Deployments
Lastly, we are enabling clients to build extended security intelligence solutions and replicate existing deployments. With Security Intelligence Content Importing/Exporting, you can export correlation rules, building blocks, reference sets, report templates, dashboard widgets and more from a QRadar system to an external device, and subsequently import them into another QRadar system. This enables quick deployment of a new QRadar system based on an existing system or template, as well as sharing of security intelligence content across systems.
We see this being used in several ways:
- Enabling clients to copy custom-built security intelligence content from one deployment to another (across business units or geographies)
- Enabling clients to copy content from a development or test environment to a production system
- Enabling solution providers and system integrators to build unique Security Intelligence intellectual property that they can distribute to their customers.
While QRadar already delivers thousands of rules, report templates, dashboard widgets and saved searches out-of-the-box, many business partners have additional expertise to offer to clients, and have been eagerly awaiting this capability.
To Learn More
With this hefty release completed, we’re gearing up to bring some fantastic new innovations to market in 2013. In the meantime, please try QRadar 7.1 for yourself and let us know what you think. We also encourage you to learn about the other IBM Security product releases just announced, which include capabilities for securing big data environments (including IBM InfoSphere BigInsights and Cloudera), risk-based access control for mobile users in BYOD environments, and privileged identity management.
To read more about using SIEM for targeted attack detection (APTs), you can also download this Gartner report. Or see how organizations are using network flow analytics for better threat detection and network visibility with this Q1 Labs paper. Best wishes in your security journey!
Rich Mogull of Securosis recently wrote a blog entry called “Can You Stop a Targeted Attack?” that nicely complements a Dark Reading article and accompanying report by his colleague, Adrian Lane, entitled “15 Ways to Get More Value from Security Log and Event Data.”
After (justifiably) lamenting that many “vendors have been APT-washing their stuff trying to convince anyone who would sit still that their run-of-the-mill IPS or endpoint protection product” could stop APT attacks “with fairy dust and assorted other black magic,” Rich goes on to ask some interesting questions.
- How many of the adversaries facing organizations today are advanced or persistent? Probably very few, since most of them are “today’s version of script kiddies trying to smash and grab their way out of the despondency of their existence” by stealing your organization’s customer details and payment card information. (I would add that it’s not just script kiddies but also organized gangs of cyber-criminals, operating out of eastern Europe and other exotic locations, preying on both large and small businesses who don’t have even the most basic security controls.)
- Are existing controls such as perimeter defenses sufficient? Answer: No (but existing controls still have a role to play).
- Do targeted attacks exist? Absolutely (the Aurora attack on Google being just one example).
- Are new technologies emerging to help prevent targeted attacks? Yes — Rich writes that “lots of vendors are learning and evolving their offerings to factor in this new class of attacker.”
- How can next-generation SIEM and security intelligence help? Rich doesn’t use these specific terms in his blog but writes that “Regardless of what happens on the prevention side, you still need to monitor the hell out of your stuff … it’s career-limiting to plan on stopping [targeted attacks]” so you should still invest in “monitoring, forensics, and response – even in the presence of new and innovative protections.” He mentions Global Payments as an example of an organization that discovered they had been breached by monitoring their egress traffic and “seeing stuff they didn’t like leaving their network” (one of the capabilities provided by QRadar); and yes, they didn’t stop the breach, “but it’s a hell of a lot better to catch it yourself than to hear from your payment processor or the FBI that you have a ‘problem’”. Gartner analyst Mark Nicolett made a similar observation in “Using SIEM for Targeted Attack Detection” [complimentary download] when he wrote that “Organizations are failing at early breach detection, with more than 85% of breaches undetected by the breached organization.”
In Adrian’s Dark Reading article, he writes that “we are drowning in [security] data but are thirsty for actionable information.” And in the full report from Dark Reading’s Security Monitoring Tech Center, he writes that by deploying SIEM with “automation and resources, along with a healthy dose of human intervention and insight, organizations can make their data work for them, instead of the other way around.”
Adrian also writes that SIEM “technologies are being used not just to analyze data after the fact, but also to perform real-time detection quickly followed by meaningful forensic examination of events.”
By the way — does this sound like Big Data? Of course it does — but we’re talking about purpose-built Big Data analytics that were designed specifically for security — not just a generic Big Data repository with a bunch of scripting tools. QRadar has always been built on a Big Data architecture — distributed, parallel, elastic and indexed — but it’s the applications built on top of this architecture that help you find the proverbial needle in the haystack via automated intelligence.
One of the ways that the QRadar Security Intelligence Platform helps you increase the signal-to-noise ratio is via its embedded expert security knowledge, based on nearly 10 years of real-world experience, including: hundreds of pre-configured correlation rules; 1,500+ security/compliance reports; built-in support for 400+ data sources, including parsing and normalization; and native support for the collection of network flow traffic (via deep packet inspection), which can then be used for behavioral analysis and anomaly detection in combination with information from log sources.
As Adrian Lane writes in the Dark Reading report, “Enterprises are swimming in the sea of data generated by networks, servers, personal computing devices and applications … Just as the bad guys adjust their attacks to take advantage of new vulnerabilities or to tune malware to evade detection, security professionals must continue to adapt. Sitting still means failure. Ultimately, these log files are your view into what’s going on, and it’s your job to figure out what’s important and how to get that information with as little work as possible.”
And hopefully we can help make your job easier – unlike first-generation SIEMs that are complex and require armies of people (in-house staff and/or contractors) to deploy and operate. Gartner says that QRadar “is relatively straightforward to deploy and maintain across a wide range of deployment scales,” while Jerry Walters, Director of Information Security at Ohio Health, says in his YouTube interview that “QRadar gives us the visibility to find the virtual needle in the haystack when it comes to discovering what happened and when, and to proactively prevent things that are potentially going to be problems.”
Critical Capabilities for Security Information and Event Management, Gartner, 21 May 2012
Gartner held its annual Security and Risk Management Summit, in Washington DC last week. This is always an excellent event to gauge the IT security market in general: attendance was up from last year according to Gartner, more sponsors, more attendees, and far more focus on targeted attacks. The headlines of the last twelve months confirm what we call the Year of the Breach.
More relevant to our patch, however: for the first time ever at this event, Security Intelligence and SIEM were called out during the opening keynote as "no longer nice to have but fundamental." SIEM and Security Intelligence have now been recognized across Gartner security for what we (and our customers) have known for years. More than three years ago, IBM developed the IBM Security Framework, and we positioned it to Gartner as the foundation of our go-to-market and development strategy. It is great to see this message corroborated at the analyst firm's top security event, which I learned is their second-largest event behind Symposium. This fact is further evidence of the elevation of IT security challenges and their prioritization in the marketplace.
Some highlights from the Summit:
- "Gartner predicts the global spend on security services to exceed $49B by 2015."
- During a SWOT on our major competitor the analyst listed this among that vendor's Threats: "IBM is becoming a security powerhouse."
- What IT event would be complete without discussions of Big Data? Security Intelligence's relevance to Big Data was prominent at the event:
Gartner definition: "Big Data is a class of information processing problem that, due to the volume, velocity, variety and complexity of the data, requires different approaches to support analytics to derive cost-effective, timely, business-relevant insight. However, Big Data in and of itself, is not our goal. Delivering risk-prioritized actionable insight is. To support the growing need for security analytics, changes in information security, people, technologies, integration methods and processes will be required, including security data warehousing and analytics capabilities, and an emerging role for security data analysts within leading edge enterprise information security organizations."
- Gartner also believes that a key driver of Security Intelligence is "the shift to context-aware security": "To enable faster and more-accurate assessments of whether a given action should be allowed or denied, we must incorporate more real-time context information at the time a security decision is made." Gartner elaborates that context should be obtained from a range of sources, mirroring our announcement earlier this year about integrating various sources from the IBM security portfolio such as network security (IBM Network IPS), endpoint security (IBM EM/BigFix), IAM (IBM Identity Manager), mobile application security (IBM Mobile AppScan), and content/data security (IBM Guardium), in addition to threat intelligence (IBM X-Force).
- Gartner also mentions the need to incorporate flow data: "Vendors ... such as IBM/Q1 Labs ... collect large amounts of network packets and/or flows to support the analysis for anomalous activities."
- And finally, collecting all that context doesn't help unless you can also create actionable intelligence via analytics: "Some, such as IBM's Q1 Labs with its QRadar, provide a form of security analytics on top of its SIEM repository, which is a good example of how we believe the vendors will evolve to deliver Security Intelligence."
We couldn't have said it any better.
Alan Paller of the SANS Institute had a few interesting things to say at the ISSA-LA’s Security Summit IV, but two struck me as incredibly salient. The first is that CEOs actually do understand the importance of information security. I’ve heard security experts – smart and well-respected ones – utter that executive management doesn’t “grok” security. That’s true, but they don’t need to grok it; that’s the responsibility of us who inhabit the world of zero-days and hacktivists and APTs. CEOs need us to analyze and summarize our knowledge and present it to them in a business context. The problem isn’t just that we in security generally don’t speak the language of the boardroom; we simply aren’t wired the same. Security practitioners are a risk-averse group, by and large; CEOs are risk managers.
Which makes sense: CEOs are responsible for growing the business and there’s no reward without risk—hopefully well-calculated risk. We don’t want our executives pumping tokens into slot machines in Vegas hoping to hit it big. On the other hand, we don’t want them stuffing the cash from revenues into their mattresses. So when they decide to invest in new market opportunities or augment the current business model using technology, they want to be on the safe side of the risk threshold—but just barely.
But security folks’ impulse is to grab the business stakeholders by the shirt collars and drag them away from that scary precipice. We’re much like lawyers in that way. Their job is to minimize liability, a form of risk, optimally to eliminate it with the fabled iron-clad contract. Of course with lawyers it’s as much a negotiation tactic as dogma; each party stands on opposite sides of an issue with backs to their own walls, fully knowing they’ll both end up somewhere in the middle.
But security is not at odds with the business; it’s not a negotiation between the two parties. Our job is to determine appropriate responses and come to the table with the best, most informed decision possible with the given data. We need to find a happy middle between a purist security stance that discourages new initiatives (e.g., cloud, BYOD, partner portals, etc.), and a Wild West approach where the business does whatever it wants without addressing risk — and present that to executive management. They need to trust that we understand the business and are helping them to make the right risk management decision. Remember, “defend” is not the only response to a threat; other mitigating controls include transferring risk and accepting it.
Alan also said that CEOs want to know “how much is enough.” This is the heart of the matter. Finding the center of gravity that lets the business grow and thrive is the key to transforming the perception of information security from a cabal of naysayers to trusted risk analysts and business enablers.