INFORMATION SECURITY
Essential Guide, May 2013

THREAT PREVENTION TECHNIQUES: BEST PRACTICES FOR THREAT MANAGEMENT

UNLOCKING THE OPPORTUNITY OF SIEM TECHNOLOGY

THE EVOLUTION OF THREAT DETECTION AND MANAGEMENT: Learn about the latest threat detection options.


EDITOR’S DESK

The Evolving Threat Management Landscape
Developing defense strategies for a world increasingly susceptible to new dynamic attacks.

ANTIVIRUS AND INTRUSION prevention aren’t the threat detection stalwarts they used to be. The threat landscape is changing as mobile endpoints and new attack dynamics evolve, and enterprises must develop their defense strategies to keep attackers at bay. This change in terms of scale and sophistication is highlighted by recent attacks on The New York Times and the subsequent findings of Mandiant Corp.’s APT1 report, which traced attacks on U.S. companies to the Chinese military.

In this Essential Guide, we’ll look at how some of the major security vendors are responding to these new and more sophisticated threats, and outline which technologies enterprises should consider to help manage and prevent them. In particular, this guide will help you understand the latest in threat detection options, from whitelisting and sandboxing to technologies that analyze and correlate security events, such as network monitoring, SIM and log management. You’ll learn about threat prevention and best practices for threat management, and how SIEM technology can be a powerful technique in the fight against cybercrime.

Kara Gattine, senior managing editor
Rachel Shuster, associate managing editor


THREAT DETECTION OPTIONS

THE EVOLUTION OF THREAT DETECTION AND MANAGEMENT
Learn about the latest threat detection options, from whitelisting and sandboxing to technologies that analyze and correlate security events, such as network monitoring, SIM and log management.

By Michael Cobb

CYBERCRIMINALS OF ALL persuasions now easily and routinely bypass existing enterprise security defenses by blending into the background noise of an organization’s operations. These advanced attacks now take place over months and years, subverting traditional malware-detection products that only scan for known malware at a given point in time.

For example, a newly discovered Trojan called APT.BaneChant uses multiple detection-evasion techniques, including masquerading as a legitimate process, monitoring mouse clicks to avoid sandbox analysis and performing multibyte XOR encryption to evade network-level binary extraction technology. It also uses fileless malicious code loaded directly into memory and escapes automated domain blacklisting by using redirection via URL shortening and dynamic DNS services.

Such attacks are testing the limitations of existing security analytics tools, and the recent Mandiant Corp. APT1 report shows just how long-running and sophisticated cyberespionage campaigns have become. According to the 2013 Cyber Threat Readiness survey conducted by LogRhythm, an alarming 75% of respondents lack confidence in their ability to recognize key indicators of a breach.

Many reported breaches have originally gone undetected, with most discovered not by the in-house security team, but by a third party.

Enterprises can no longer rely solely on endpoints to stop this type of malware infection. Additional dynamic before-the-fact defenses must be implemented to effectively combat advanced attacks at all layers and identify behaviors not seen before. Thankfully, many security vendors are starting to upgrade their intelligence-driven security products to counter the problem of today’s advanced threats.

One common approach is the incorporation of security big data analytics to aid the discovery of malicious activity hidden deep in the masses of an organization’s network traffic. Big data is defined as any type of data, structured or unstructured, that can provide insight into network activity. Enterprises create colossal amounts of data: emails, documents, social media data, audio, click streams, network traffic, log files (both historical and real-time) of files being accessed, registry changes made, and processes starting and stopping. Other system information, such as processor or memory utilization, can highlight unexpected changes in the status of a system, while external threat intelligence feeds can further clarify what’s normal or acceptable by not limiting analysis to just the data created by one organization. While this data has for years been stored in siloed repositories or disparately throughout an enterprise, the dire realities of today’s attack landscape have fostered new demand for technology that can aggregate this data, analyze it quickly and develop clues pointing to advanced attacks that would otherwise go undetected.

Although security information and event management (SIEM) products offer a central point of collection and monitoring for enterprise activity data, they have been mainly deployed in order to meet compliance reporting requirements, particularly with the merchant-focused Payment Card Industry Data Security Standard (PCI DSS). Few organizations actually use the technology’s event-correlation capabilities, and most products don’t provide enough in-depth visibility to facilitate today’s analytic needs. Vendors are seeking to address this with next-generation SIEM products that widen the scope and scale of data collection and real-time analysis so that diverse events can be put into context to find unusual activity. (It should be noted that network behavioral anomaly detection (NBAD) products do provide this capability, but only at the network layer.)

Real-time analysis using adaptive intelligence of this big data—understanding what’s normal in order to recognize what’s abnormal—can greatly improve the chances of recognizing the indicators of an advanced threat or breach from numerous attack vectors such as advanced persistent threats, fraud and malicious insiders. This pre-attack focus aims to keep a network ahead of attackers and pinpoint potential attack patterns, even if they are spread out over a period of time.

There are plenty of new innovative products coming onto the market. The LogRhythm SIEM 2.0 platform now integrates with Rapid7’s Nexpose vulnerability management product to deliver data security analytics and unified risk assessment capabilities from within the LogRhythm console. IBM is combining security intelligence with big data using the IBM QRadar Security Intelligence and IBM Big Data Platforms to provide a comprehensive, integrated approach to real-time analytics across massive structured and unstructured data. The RSA Security Analytics product uses threat intelligence from the global security community and RSA FirstWatch to leverage what others have already uncovered and improve detection of malicious activity within an organization’s big data.

Scalability, powerful analytical tools, and support for heterogeneous event sources are the most important capabilities when assessing next-generation SIEM products, particularly when it comes to time-sensitive processes such as fraud detection, to ensure that they can process the vast amounts of diverse data. Certainly check that any shortlisted solution creates actionable intelligence based on business context so threats which pose the greatest risk are prioritized. Tools for visualizing and exploring big data are another key feature, as they can quickly highlight infected devices and other hot spots.

SIEM and big data are not the only options when it comes to mitigating today’s threats. Sandboxing and whitelisting are other technologies worth considering. Bit9’s whitelist security software is a trust-based solution using endpoint agents that allows administrators to specify software that can execute on desktops and laptops. A new feature is the ability to leverage the on-demand cloud-based Bit9 Software Reputation Service for highly accurate detection of suspicious malware and associated files.

Sandboxing keeps applications separate so malicious code cannot transfer from one process to another. Any application or content that is unknown can be treated as untrusted and isolated in its own sandbox. McAfee, like other security vendors, has been acquiring relevant technologies to add to its product range. It plans to offer sandboxing technology in its ePolicy Orchestrator suite in the second half of 2013. By running suspected malware in a sandbox, it can learn what effect it will have on an endpoint and automatically block future occurrences and remediate any already infected endpoints. Fortinet’s FortiCloud cloud-based sandboxing service provides an online sandboxing portal to execute suspicious code in a virtual environment.

Of course, security teams need to extend threat detection and protection to the mobile devices connecting to their networks, particularly as mobile device users are at least three times more likely to become victims of phishing attacks than desktop users. The Mobile Threat Network from Lookout Mobile Security delivers over-the-air protection to mobile users. Lookout is another product that uses a big data analysis approach to spotting malware and predicting where it will crop up next. Enterprises running their own app stores can also use the Lookout API to ensure that the apps offered are safe. The RSA FraudAction Anti Rogue App Service also detects any malicious or unauthorized mobile apps that infiltrate online app stores.

Whichever advanced threat detection technology an organization deploys, its effectiveness will depend on those configuring and monitoring it. People are always going to be a big part of any threat management program. Administrators must learn how to use emerging technology effectively so that it actually provides additional protection. Training such as Symantec’s Cyber Threat Detection and Incident Response Training, as well as the many in-depth training courses provided by SANS and others, will help staff understand how to identify threats and respond to and recover from malicious events.

As with any new IT technology, it’s important not to get caught up in vendors’ marketing hype. Concentrating more on detection and response doesn’t mean that point-defense technologies like firewalls and antivirus are no longer relevant. Securing any network will still require documented policies and procedures as a foundation for success. Classification of assets and data is essential, and remember that although threat management begins with threat identification, remediation is also an essential part of a successful threat management process.

MICHAEL COBB, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification. He is a noted security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance.


THREAT PREVENTION TECHNIQUES

BEST PRACTICES FOR THREAT MANAGEMENT
Learn about threat prevention and best practices for threat management. A successful program for threat prevention requires effective processes, layered technology and user education.

By Diana Kelley

STAYING SAFE ON the road involves a number of controls, rules and responses. The car itself is equipped with safety features like anti-lock brakes, blind-spot warnings, seatbelts and airbags. Rules of the road include speed limits and seatbelt laws, and drivers themselves must pass tests to prove they are able to operate their cars properly. No one would dream of suggesting that just because a car has airbags it could be operated safely by a driver with no license going at 100 mph.

But what appears ludicrous in the realm of safe driving can be tempting in the hectic world of IT. Can’t a company just buy a single unified threat management (UTM) product with the best, most advanced threat detection technology and guarantee the organization is protected? Unfortunately, the answer is “no.” Just like driving a car requires multiple parts working together, “driving” a corporate IT network safely requires a blend of the traditional triumvirate: people, process and technology.

So what goes into creating a successful threat management program? Read on to hear what security professionals have to say about best practices for enterprise threat prevention.

ENTERPRISE THREAT PREVENTION: BUILDING A FOUNDATION

In 2012, threat prevention evolved into an integral part of the corporate IT risk and security management program. Most companies have moved beyond stand-alone monthly malware updates and quarterly device scans to an integrated set of technologies that are fully incorporated with the security or network operations center.

Security pros have various ways of defining threat management at their organizations. Waqas Akkawi, director of information security at global moving and relocation services provider SIRVA, defines threat management at a high level as the “real-time monitoring and reporting of user activities—and having the ability to effectively query the environment, report on capabilities and send timely alerts” when someone or something accesses protected data. Leo Walsh, IT risk compliance subject matter expert for Memphis, Tenn.-based bank holding company First Horizon National Corporation, notes that a formal definition is less important to threat prevention and management than having an IT risk operations team of people who are entirely focused on IT risk operations and strict change control processes. However, he and other security pros agree on this: The core purpose of threat management is to protect business data and assets from internal and external attacks.

Though the specific answers to what a threat is and how to manage it will vary from organization to organization, there are some high-level definitions that apply to all (or almost all) threat management programs. Taking a moment to review these is worthwhile because it helps a company to level set the business needs for the threat management program and ensure the right systems are selected. Since threats can come from multiple sources and at many points in the IT architecture, understanding where and how the attacks originate will enable a company to create a more robust plan for mitigating and preventing those attacks.

Threat management begins with threat identification. In SP800-30, NIST defines a threat as “the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” A threat source can be human, such as a hacker or disgruntled internal employee; natural, such as tsunamis or tornadoes; or environmental, such as a power outage or water damage from leaky pipes. So a comprehensive threat management program must take into account all the sources. NIST also recommends defining the threat motivations of each threat source and the potential actions of these sources. For example:

Threat source: Disgruntled employee
Motivation: Damage company reputation
Action: Logic bomb that defaces website in publicly embarrassing manner

But formal threat definitions aren’t for everyone. The First Horizon IT Risk Operations Team focuses on trying to keep the company safe, Walsh said. “There are so many ways unauthorized access can happen—an effective approach is to look at what needs to be protected, assess whether or not it has been protected and then monitor the asset continuously to see whether or not it has been accessed,” he added.

As Philip Keibler, director of information security at athletic shoe and apparel retailer The Finish Line, puts it, successful threat management starts with a “need to understand the infrastructure and data, the ability to be proactive and to leverage protection components before the attacker does.” Components of a robust threat management and prevention program are not restricted to technical controls like anti-malware, firewalls and IDSes, he added. While these technologies play an important and active role in threat management, they need to be part of a traditional process-technology-people triumvirate, and part of the bigger enterprise risk management picture.

THREAT MANAGEMENT PROCESS

How formal the threat prevention and management process is will vary by enterprise. Some companies have adopted formal standards like ISO 27001 and ISO 27005 guidelines that call for certain activities and artifacts to be completed as part of the security management process, and extend this approach into the threat management program. Keep in mind that although there are many excellent guidelines for risk management frameworks and processes, including OCTAVE, NIST Risk Management Framework, the FFIEC Examiner’s Handbook on information security risk assessment, and ISO 27005, none of these are specific to threat management. And for smaller organizations, a process-heavy approach may not be feasible.

However, even in very informal environments, it’s important to create and maintain at least high-level written policy and procedure documents because these will be required during most audit cycles. Without proper documentation, even the best threat management program on the planet could fail an audit simply because the written proof of the process wasn’t available. “Any good security program will have policies as a foundation” and the ability to monitor conformance to those policies with proper tools and reporting, The Finish Line’s Keibler said.

Keeping the process proactive or “pre-attack” focused keeps a company ahead of the attacker. Keibler doesn’t like playing catch-up and stays prepared using a process that includes scanning so vulnerabilities can be remediated before they’re exploited. The Finish Line process also leverages data classification and network segmentation for “before-the-fact” protection, and continuous deep-packet inspection monitoring is performed on all traffic going into and out of the segments. Policies and rules are set according to the sensitivity and classification of the asset or data, so data that requires tighter controls is placed in a higher trust zone than data at a lower sensitivity level.

Cloud and Managed Services

A LOT OF threat management activity is still happening on-premise for larger companies, with a few notable exceptions where they’re comfortable using cloud services, such as message hygiene and vulnerability scanning.

“Today, most customers have a combination of on-premise and cloud,” said Sadik Al-Abdulla, CDW security practice senior manager, explaining how customers are adopting cloud services for threat management. “Email security, for example, has been a highly effective cloud offering for many years and holds a disproportionate amount of the market compared to on-premise solutions. Web security, on the other hand, is almost exclusively on-premise.”

He said the most common managed security service provider (MSSP) offering is usually a combination of firewalling and intrusion prevention, but that still has minimal market penetration, and even where used, there are other unmanaged threat prevention solutions in play. According to Al-Abdulla, the most frequently observed threat management architectures today are, in order of occurrence:

1. Mostly on-premise with cloud email security;
2. Fully on-premise;
3. MSSP firewall, other on-premise, and cloud email security; and
4. MSSP firewall, other on-premise.

At SIRVA, Akkawi said he’s integrated threat management into the company’s risk management program so IT security can “decrease the risk while ensuring the company continues to operate in a profitable manner.” Akkawi’s team uses data maps to follow where the data is going; threat and risk management questions are addressed during pre-deployment assessments of new applications. In collaboration with the business, IT answers questions such as, “What kind of data will the application handle?” “How will that data be protected?” and “Who will have access to that data?” IT then uses the answers to put proper controls in place, build alert and remediation procedures in the event of unauthorized access, and train technicians on response plans.

Weaving threat prevention management into change management is part of the process at First Horizon. Scans and penetration tests can be conducted before implementing a change in production. If a vulnerability in a particular device is discovered, the IT risk operations team contacts the business owner about it and is able to block the change until the vulnerability is fixed, Walsh said.

Though integration with other processes and systems, including change management, helps to ensure the threat management program runs in concert with the business, there is one area where it makes sense to have separation of duties: audit and compliance. Some change requests may come in as highly time sensitive for the business without giving the operations team enough time to evaluate the threat impacts. Having a separate team review and validate changes can prevent or limit unintended threat exposures because the separate audit or compliance team has more time to spend on threat impact analysis. If the compliance, audit or risk team determines the business need can be met with a more restrictive granular rule, then updates are implemented accordingly.

Remediation is an essential part of a successful threat management process, but one that organizations can neglect, according to Sadik Al-Abdulla, CDW security practice senior manager. “Many organizations have a blind spot, and until a serious breach occurs, the necessity of a response plan is rarely recognized,” he said.

Key components of a remediation plan should include executive ownership, a communications plan, an escalation strategy and a law-enforcement contact strategy. “You don’t want people that are under severe stress making decisions about what and how to communicate to customers,” he said. The communication plan is often overlooked in IT, but as breaches and exposure scenarios continue to increase, there will be increasing pressure for companies to go on record when attacks occur. Having media-trained technologists who can convey difficult technical concepts in a calm and understandable manner will go a long way towards preventing compounding data breach damage with a major PR gaffe.

A LAYERED APPROACH

Finding the right threat management technology fit is not as simple as buying a high-powered UTM and putting it between the organization’s internal network and the Internet. There are no one-size-fits-all answers, or as SIRVA’s Akkawi puts it, “there is no magic solution.” The most effective threat management solutions use layered technology approaches, both architecturally and technically, to detect, alert and respond. “Bluntly, it’s ‘defense in depth.’ This is the same drum that the security industry has been banging since inception, but the evolution of more and more sophisticated threats is reproving that it is absolutely essential,” said CDW’s Al-Abdulla.

Technologies in use at companies as part of their threat management program include (but are not limited to):

- Firewalls/next-generation firewalls;
- Intrusion prevention/detection systems (IPS/IDS);
- UTMs (firewall, IPS, anti-malware, Web filtering, etc.);
- Endpoint protection suites (anti-malware, host firewalling, filtering);
- Message hygiene filters;
- Web hygiene filters;
- Network access control (NAC);
- Data loss prevention;
- Security information and event management (SIEM)/log aggregation;
- Network vulnerability scanners/Web app scanners;
- Policy and configuration management;
- Patching and software delivery;
- Web application firewalls/database monitors;
- Penetration testing tools; and
- Strong authentication.

Not every threat management program needs all of the technologies listed above, and some use other technologies. The goal isn’t to check off the most “product” boxes, it is to reduce the threat surface and prevent attacks. So assess each technology for how well it will accomplish the business goal of threat detection and prevention.

For example, at SIRVA Akkawi has found the IPS component of the company’s NAC system from ForeScout to be extremely helpful with threat management. The NAC product allows them to see who is connected and what their patch level is, and passes all the information into the LogRhythm SIEM so it can be reviewed and correlated, he said. SIRVA is also using the endpoint protection to detect issues like patch levels that are not up to date and devices that do not have antivirus installed. When the NAC detects noncompliant devices, it triggers alarms, and the devices are taken off the network and put into a quarantined network segment until they can be remediated.

Finish Line, meanwhile, is exploring handling Web application threats using a combination of load balancing from F5 Networks and Web application scanning from WhiteHat. If the Web application scanner detects a vulnerability in an application, a virtual patch can be applied to the Web application firewall to mitigate exposure. Finish Line also uses endpoint security from Sophos as part of its threat management program.

Keibler notes the importance of bringing alerting and reporting information from tools like an endpoint suite to a single console like a SIEM (his company uses Envision’s) so administrators can have visibility into potential
threat activity across the network. Some of the things to look for in the SIEM that may indicate threat activity in-clude number of failed logins, multiple login attempts from the same ID but different IP addresses, and creation of new, privileged accounts on servers or databases.
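As an added illustration of the three indicators just listed (not code from the guide or from any vendor it names), the following Python runs simple correlation rules over constructed authentication events; the event format, thresholds, window sizes and privileged-role list are all assumptions.

```python
"""Toy SIEM correlation rules for the three indicators named in the article.
Added example, not from the guide or any vendor it mentions; the event format,
thresholds and privileged-role list are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events; assumed format: timestamp host event user src_ip [k=v ...]
SAMPLE_LOG = """\
2013-05-06T08:00:01 web01 LOGIN_FAIL alice 10.0.0.5
2013-05-06T08:00:03 web01 LOGIN_FAIL alice 10.0.0.5
2013-05-06T08:00:06 web01 LOGIN_FAIL alice 10.0.0.5
2013-05-06T08:00:09 web01 LOGIN_FAIL alice 10.0.0.5
2013-05-06T08:01:00 web01 LOGIN_OK bob 10.0.0.7
2013-05-06T08:02:10 vpn01 LOGIN_OK bob 203.0.113.9
2013-05-06T08:03:30 db01 LOGIN_OK bob 198.51.100.4
2013-05-06T08:05:00 db01 ACCOUNT_CREATED svc_backup 10.0.0.9 role=dba
2013-05-06T08:05:30 web01 ACCOUNT_CREATED intern1 10.0.0.9 role=user
2013-05-06T09:30:00 web01 LOGIN_OK carol 10.0.0.11
2013-05-06T14:00:00 vpn01 LOGIN_OK carol 203.0.113.40
"""
PRIVILEGED_ROLES = {"root", "admin", "dba", "sysadmin"}  # assumed role names


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    user: str
    src_ip: str
    extra: dict

def parse_events(text):
    """Parse the constructed whitespace-separated format into Event objects."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or malformed line
        ts, host, kind, user, src_ip = parts[:5]
        extra = dict(kv.split("=", 1) for kv in parts[5:] if "=" in kv)
        events.append(Event(datetime.fromisoformat(ts), host, kind, user, src_ip, extra))
    return events

def _windows(entries, window):
    """Yield (start, end) so that entries[start:end+1] spans at most `window`.
    `entries` is sorted and each item carries its timestamp at index 0."""
    start = 0
    for end in range(len(entries)):
        while entries[end][0] - entries[start][0] > window:
            start += 1
        yield start, end

def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Indicator 1: more than `threshold` failed logins for one account inside
    `window`. Returns {user: highest count seen in any single window}."""
    fails = defaultdict(list)
    for e in events:
        if e.kind == "LOGIN_FAIL":
            fails[e.user].append((e.ts,))
    hits = {}
    for user, entries in fails.items():
        entries.sort()
        for start, end in _windows(entries, window):
            if end - start + 1 > threshold:
                hits[user] = max(hits.get(user, 0), end - start + 1)
    return hits

def multi_ip_logins(events, min_ips=2, window=timedelta(minutes=10)):
    """Indicator 2: the same account ID logging in from several source IPs
    inside `window`. Returns {user: sorted distinct IPs}. The window is what
    keeps a user who logs in again from home hours later out of the alert."""
    logins = defaultdict(list)
    for e in events:
        if e.kind == "LOGIN_OK":
            logins[e.user].append((e.ts, e.src_ip))
    hits = {}
    for user, entries in logins.items():
        entries.sort()
        for start, end in _windows(entries, window):
            ips = {ip for _, ip in entries[start:end + 1]}
            if len(ips) >= min_ips and len(ips) > len(hits.get(user, ())):
                hits[user] = sorted(ips)
    return hits

def privileged_account_creations(events, roles=PRIVILEGED_ROLES):
    """Indicator 3: new accounts created with a privileged role, per host."""
    return [(e.host, e.user, e.extra["role"]) for e in events
            if e.kind == "ACCOUNT_CREATED" and e.extra.get("role") in roles]

def rule_hit_report(events):
    """Hits per rule: the per-rule count that shows whether a correlation is
    producing signal or mostly noise."""
    return {"failed_login_burst": len(failed_login_bursts(events)),
            "multi_ip_login": len(multi_ip_logins(events)),
            "privileged_account_created": len(privileged_account_creations(events))}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(failed_login_bursts(evs), multi_ip_logins(evs),
          privileged_account_creations(evs), rule_hit_report(evs), sep="\n")
```

On the sample data, alice's four rapid failures, bob's three logins from three addresses within a few minutes and the new `dba` account each fire exactly once, while carol's two logins hours apart stay below the window and do not.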

First Horizon’s Walsh said a high noise ratio of “false positive correlations may be as much of a problem as no correlation at all.” To keep focus on activities with a strong signal, the bank runs a variety of reports from its log aggregation tool that show the number of hits on a specific rule (e.g., access of DMZ via HTTPS) and uses a firewall policy management tool in order to find and assess issues. An anomaly like a huge spike in traffic is “relevant and throws an alert that really stands out” and is of high value to the security operations team, he said.

Another threat prevention technique in use at the bank is segmentation with VLANs. Rather than having to reprovision a switch, blades that are attached to the switches are tagged with the VLAN ID and separated from other servers on the VM switch. Inter-policy zone checks are completed by the firewalls when data crosses from one VLAN to another, providing a way to block unauthorized access and to prevent leaks of sensitive data out of protected zones.

“Because there are some social engineering components in 70 to 80 percent of attacks, every employee has to be part of the program,” he added. At Finish Line, this extends to the help desk, where reps are trained to identify hallmarks of suspicious activity, like a substantial slowdown in device performance that may indicate presence of a bot, and flag this for investigation by the security team.

At First Horizon, data protection is a key driver for all of the IT risk staff. Walsh said he has a seasoned IT risk operations team that’s “internally driven and knows the value to the business of keeping out of the Verizon DBIR.” He added, “If your employees are not motivated to keep corporate data safe, no framework or formula will do the trick.”

The bank also engages people on the business side through regular communication with executives about risk, especially when there are real-world examples in the news with direct impact to the financial services industry. The bank also has a change advisory board that engages business owners in the threat management discussions when new services are brought on and changes are made, Walsh said. It also provides a corporate-wide information security awareness program that includes an annual test that all users must take.

Good user education can go a long way in helping your threat management program succeed. At SIRVA, employees are educated on data security and threat

THE HUMAN ELEMENTAs is almost always the case, the effectiveness of a tech-nology tool is, in large part, directly related to the capa-bility of the human interacting with that tool. For threat management, people skills come into play in a few main areas: The people running the threat management tools (admins and engineers), the people interacting with the systems that are under attack (users) and the customer service reps interacting with the users. Don’t underes-timate the importance of educating each one of these groups. Although it may be tempting to look for a tool that’s so easy a child could use it, or to write off users as too “non techie” to help prevent attacks, resist the urge. People really are a full one third of the overall solution.

“If you are relying on the endpoint to stop all the mal-ware, then it’s too late. If the malware gets in, then some-thing failed along the way,” said Finish Line’s Keibler. “A more effective approach is to start with employee aware-ness, partner with employees and help them to be an-other arm of the security program.”

Page 15: MAY 2013 INFORMATION SECURITY - Bitpipedocs.media.bitpipe.com/io_10x/io_109391/item_675299...whitelisting and sandboxing, to technologies that analyze and correlate security events,

15 INFORMATION SECURITY ESSENTIAL GUIDE n MAY 2013

EDITOR’S DESK

THREAT DETECTION

OPTIONS

THREAT PREVENTION TECHNIQUES

SIEM TECHNOLOGY

THREAT PREVENTION TECHNIQUES

setting down policy and procedures in writing.Most companies find success using a layered set of

solutions to identify and prevent attacks and maintain visibility into reporting from all of those solutions by rolling them up into a central stem console like a SIEM. And most importantly, don’t forget about the people part of the program. Train engineers on data maps and flows and train users to know what’s fishy or suspect and how to report suspicious activity to the correct parties. n

DIANA KELLEY is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors. Send comments on this article to [email protected].

prevention—work that certainly paid off when an em-ployee received a well-crafted spear phishing email that pretended to be a $1,000 reward gift card from corpo-rate HR. Rather than clicking on the gift link to collect the reward, the employee immediately reported the email to IT and Akkawi’s team proceeded to investigate. A re-view of the log files and interviews with the employee showed that the spear phish had used social network data from outside the company and had not breached internal systems.

Though successful threat management programs have a number of moving parts and layers, they do not need to be overly complex or process-heavy. Advice from the trenches is to focus on what needs to be protected for the business. Know where the data and assets are and who (or what) has approved access to them. Use network segmentation to cordon off sensitive assets and prevent “panic” moments and audit documentation failures by
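The NAC workflow described for SIRVA (check the connecting device, quarantine it if it fails policy, and forward the result to the SIEM) as an added example in Python. This is not ForeScout or LogRhythm code: the policy values, the device records and the key=value event layout are assumptions made for this example.

```python
"""NAC-style compliance check that quarantines a device and feeds the SIEM.

Added example modelled on the SIRVA workflow described above. It is not
ForeScout or LogRhythm code: the policy values, device records and the
key=value event layout are all assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed policy: minimum OS patch level per OS family, and antivirus required.
MIN_PATCH_LEVEL = {"windows": 7, "linux": 12}
AV_REQUIRED = True

# Timestamp used for the inventory snapshot below (fixed so output is repeatable).
SNAPSHOT_TIME = datetime(2013, 5, 1, 9, 0, tzinfo=timezone.utc)


@dataclass
class Device:
    mac: str
    ip: str
    os_family: str
    patch_level: int
    av_installed: bool
    vlan: str = "prod"          # VLAN the switch port is currently assigned to


def check_compliance(dev: Device) -> list:
    """Return the policy violations for a device; an empty list means compliant."""
    violations = []
    required = MIN_PATCH_LEVEL.get(dev.os_family)
    if required is None:
        violations.append("unknown-os")          # no policy for it, so fail closed
    elif dev.patch_level < required:
        violations.append(f"patch-level {dev.patch_level} < {required}")
    if AV_REQUIRED and not dev.av_installed:
        violations.append("antivirus-missing")
    return violations


def enforce(dev: Device, now: datetime) -> dict:
    """Quarantine a non-compliant device and build the event sent to the SIEM."""
    violations = check_compliance(dev)
    if violations:
        dev.vlan = "quarantine"   # move the port to the remediation segment
    return {
        "ts": now.isoformat(),
        "src_mac": dev.mac,
        "src_ip": dev.ip,
        "action": "quarantine" if violations else "allow",
        "violations": ";".join(violations) or "none",
        "severity": 6 if violations else 2,
    }


def to_syslog(event: dict) -> str:
    """Serialise one event as a key=value syslog line for the collector."""
    return "nac " + " ".join(f"{k}={v}" for k, v in event.items())


def run(devices: list, now: datetime) -> list:
    """Process an inventory snapshot; returns the lines forwarded to the SIEM."""
    return [to_syslog(enforce(d, now)) for d in devices]


# Constructed inventory snapshot used for the demonstration.
INVENTORY = [
    Device("00:11:22:33:44:01", "10.0.5.11", "windows", 7, True),
    Device("00:11:22:33:44:02", "10.0.5.12", "windows", 5, True),   # old patches
    Device("00:11:22:33:44:03", "10.0.5.13", "linux", 12, False),   # no antivirus
    Device("00:11:22:33:44:04", "10.0.5.14", "bsd", 1, True),       # OS not in policy
]

if __name__ == "__main__":
    for line in run(INVENTORY, SNAPSHOT_TIME):
        print(line)
```

Two design choices are worth noting. A device whose OS family has no policy entry is treated as non-compliant rather than waved through, so a new platform cannot slip onto the production VLAN unnoticed; and compliant devices still produce an "allow" event, because the SIEM needs the normal case recorded to build the baseline the article discusses later.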

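The reporting approach First Horizon's Walsh describes (count hits per rule, rank the noisy ones, and let a genuine spike stand out) as an added example in Python. It is not the bank's tooling: the line format, the rule names and the thresholds are assumptions for this example, and the log lines are constructed.

```python
"""Per-rule hit counts and spike alerting over aggregated log lines.

Added example modelled on the First Horizon reporting described above (hits per
rule, and a spike that 'really stands out'). It is not the bank's tooling: the
line format 'date rule src dst', the rule names and the thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev


def _day(date, rule, n):
    """Build n constructed hit lines for one rule on one day."""
    return [f"{date} {rule} 198.51.100.{i} 10.1.1.10" for i in range(1, n + 1)]


# Constructed sample: DMZ-HTTPS is quiet for three days, then spikes on May 1;
# SSH-ADMIN fires once a day throughout; one malformed line is included.
SAMPLE_LOG = (
    _day("2013-04-28", "DMZ-HTTPS", 2) + _day("2013-04-28", "SSH-ADMIN", 1)
    + _day("2013-04-29", "DMZ-HTTPS", 3) + _day("2013-04-29", "SSH-ADMIN", 1)
    + _day("2013-04-30", "DMZ-HTTPS", 2) + _day("2013-04-30", "SSH-ADMIN", 1)
    + _day("2013-05-01", "DMZ-HTTPS", 12) + _day("2013-05-01", "SSH-ADMIN", 1)
    + ["2013-05-01 truncated"]
)


def count_hits(lines):
    """Return {rule: {date: hits}}; malformed lines are skipped, not guessed at."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        date, rule = parts[0], parts[1]
        counts[rule][date] += 1
    return counts


def noisiest_rules(counts):
    """Rank rules by total hits, so the noisiest correlations get tuned first."""
    return sorted(counts, key=lambda r: -sum(counts[r].values()))


def spike_report(counts, today, k=3.0, min_hits=5):
    """Compare today's hits per rule with mean + k*stdev of the prior days.

    Returns {rule: (today_hits, baseline_mean, is_spike)}. min_hits keeps a rule
    that normally fires once a day from alerting on two hits, where the standard
    deviation is too small to be meaningful.
    """
    report = {}
    for rule, by_day in counts.items():
        history = [n for d, n in by_day.items() if d < today]   # ISO dates sort as strings
        today_hits = by_day.get(today, 0)
        if not history:
            report[rule] = (today_hits, 0.0, today_hits >= min_hits)
            continue
        mu = mean(history)
        threshold = max(mu + k * pstdev(history), float(min_hits))
        report[rule] = (today_hits, mu, today_hits > threshold)
    return report


if __name__ == "__main__":
    hits = count_hits(SAMPLE_LOG)
    print("noisiest rules:", noisiest_rules(hits))
    for rule, (n, mu, spike) in spike_report(hits, "2013-05-01").items():
        print(f"{rule}: today={n} baseline={mu:.1f} {'SPIKE' if spike else 'ok'}")
```

The absolute floor (`min_hits`) matters in practice: with only a few days of history the standard deviation of a rule that fires once a day is zero, and without the floor a second hit would be reported as a spike, which is exactly the kind of false positive Walsh warns about.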

UNLOCKING THE OPPORTUNITY OF SIEM TECHNOLOGY
Learn how SIEM technology works and how to make it a powerful technique in the fight against cybercrime.

By Andrew Hutchison

ENSURING THE ONGOING integrity of an enterprise information technology environment is a formidable task, and one that requires every advantage a delivery management team can harness. Security information and event management, or SIEM, can provide a significant advantage by giving enterprises a comprehensive, coordinated view of the security status of their environment. The challenge in security is always to remain one step ahead of those who may try to compromise that integrity. Implemented properly, SIEM technology can be a powerful technique for gaining an advantage over individuals or technologies with malicious intent.

The opportunity of SIEM is to establish a centralized, coordinated view of security-related information and events. The underlying principle is that such inputs are produced in multiple locations, but without "the big picture" it may not be obvious that trends or patterns are occurring. By establishing a collector network, the security-related events from end-user devices, servers, network equipment, and even specialized security equipment like firewalls, antivirus or intrusion prevention systems, can be gathered and inspected.

In this article, we examine how a SIEM system works and what types of events can be integrated, including new data sources such as fraud detection systems and network access control technologies that haven't always been in scope for a SIEM deployment. We also look at the process for detecting actual security threats or incidents and the steps organizations can take to develop a SIEM capability.

SIEM COMPONENTS
As indicated, the opportunity of SIEM is that information from diverse sources and systems can be collected. Often the volumes are very high, and the SIEM system needs to be capable of handling the events without becoming overwhelmed. SIEM systems are typically constructed in a hierarchical manner so collection can be done at multiple levels. Some sort of agent is often deployed in multiple locations, communicating back to a central SIEM management node where detailed analysis takes place.

In some systems, pre-processing may happen at edge collectors, with only certain events being passed through to the centralized management node. In this way, the volume of information communicated and stored can be reduced. The danger, of course, is that relevant events may be filtered out too soon, so a balance is required, and striking it is the challenge for SIEM designers and implementers. A practical safeguard is to retain the unfiltered raw logs at the collector for a period, so that events filtered out of the central feed can still be pulled during an investigation. At the central node, analysis techniques are applied to interrogate, aggregate and correlate the incoming information. The better the analysis techniques, the more value can be derived from the SIEM environment.

FEEDING THE SIEM
Depending on the level at which security-related information and events are collected, a SIEM can be quite versatile. Traditionally, it is infrastructure-related events that are collected. The operating systems running on end-user devices and servers can forward information such as logins (successful or not, user information, administrator logins, Kerberos events, etc.), antivirus alerts (successful/unsuccessful updates, repairs, infection details, etc.), and communication subsystem information (port connection attempts, blocked connections, IP address information, etc.). Information from network devices such as routers, firewalls and intrusion prevention systems can also be forwarded to the SIEM to cover those parts of the infrastructure.

To be able to identify anomalous events, it's important that the SIEM can also build a profile of the system under normal conditions. For this reason, items such as successful system logins are also typically recorded, to establish a norm against which abnormal logins can be detected. Rich events relating to network access can also be integrated in environments where network access control (NAC) is enabled. It may be possible to pick up patterns of denied access, or patterns of network access generally, by virtue of the NAC mechanisms that check credentials, device addresses and so on to prevent unauthorized devices from connecting to an enterprise LAN.

Sometimes it is also useful to have other system information, such as processor or memory utilization, to determine whether there is an unexpected change in the status of a system. For this reason, it is useful to have such contextual information available to the SIEM management team. While we are suggesting that SIEM has a special focus and separateness, it's often this kind of system information that exhibits the effect of an incident. So SIEM should also be viewed as part of an overall, comprehensive systems management approach.

When talking about the business impact of security incidents and where the real damage occurs, corporations often say the transactional level is the most dangerous. Fraudulent transactions result in direct costs for organizations, and these can come at a very high price. An opportunity for SIEM systems is to collect information above the infrastructure level, derived from application and business systems. Being able to intercept a transaction where the approver is the same person as the requester, or where other separation-of-duty requirements are compromised, could be of high relevance to an organization. The difficulty with application-generated events is that they tend to be non-standard, whereas a whole population of operating system devices generates events of similar format and semantics. Although application events may require some work to integrate and interpret, this is effort well spent in terms of taking the SIEM from the engine room to a system that also incorporates business process information.

As a final word on the types of events a SIEM should aim to incorporate, it's also necessary to interpret system or application events in the context of external events. Unusual behavior patterns may be detected by security staff, based on SIEM alerts, but these could relate to system modifications in change control windows (with, for example, more privileged logins than usual), the time of day, or seasonal variations such as increased trading volumes from a Black Friday or pre-Christmas rush.
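The login baseline the section above describes (record successful logins to establish a norm, then detect logins that fall outside it, reading them against change-control windows) as an added example in Python. This is not the author's code or any product's profiling logic; the event format, the accounts and hosts, the hour tolerance and the change window are constructed for this example.

```python
"""Per-account login baseline with change-window context.

Added example for the 'Feeding the SIEM' discussion above: successful logins
build a profile of normal hours and source hosts per account, later logins are
checked against it, and an unusual privileged login that falls inside an approved
change window is reported as expected rather than as an alert. Event format,
accounts, hosts and the change window are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline: successful logins "timestamp user host" over a few days.
BASELINE = [
    "2013-04-15T08:55:00 alice ws-01", "2013-04-16T09:02:00 alice ws-01",
    "2013-04-17T08:47:00 alice ws-01", "2013-04-18T17:30:00 alice ws-01",
    "2013-04-15T22:10:00 svc-backup db-01", "2013-04-16T22:11:00 svc-backup db-01",
    "2013-04-17T22:09:00 svc-backup db-01",
]

# Approved change window (assumed): privileged activity is expected inside it.
CHANGE_WINDOWS = [(datetime(2013, 5, 4, 22, 0), datetime(2013, 5, 5, 2, 0))]
PRIVILEGED = {"root", "administrator", "svc-backup"}


def parse(line):
    ts, user, host = line.split()
    return datetime.fromisoformat(ts), user, host


def build_profile(lines):
    """Return {user: {'hours': set of hours seen, 'hosts': set of hosts seen}}."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for line in lines:
        ts, user, host = parse(line)
        profile[user]["hours"].add(ts.hour)
        profile[user]["hosts"].add(host)
    return profile


def hour_distance(a, b):
    """Distance between two hours on a 24h clock, so 23 and 0 are one hour apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def in_change_window(ts, windows=CHANGE_WINDOWS):
    return any(start <= ts <= end for start, end in windows)


def assess(line, profile, tolerance=1):
    """Return findings for one login; an empty list means it matches the profile."""
    ts, user, host = parse(line)
    findings = []
    if user not in profile:
        findings.append("first-seen-account")
    else:
        if all(hour_distance(ts.hour, h) > tolerance for h in profile[user]["hours"]):
            findings.append(f"unusual-hour:{ts.hour:02d}")
        if host not in profile[user]["hosts"]:
            findings.append(f"new-host:{host}")
    if findings and user in PRIVILEGED and in_change_window(ts):
        # Unusual, but an approved change window explains it: downgrade, don't drop.
        return ["expected-in-change-window:" + ",".join(findings)]
    return findings


PROFILE = build_profile(BASELINE)

# Constructed logins to assess against the profile.
NEW_LOGINS = [
    "2013-05-02T09:05:00 alice ws-01",        # normal
    "2013-05-02T03:12:00 alice ws-07",        # odd hour, unknown host
    "2013-05-04T23:30:00 svc-backup app-02",  # new host, but inside the change window
    "2013-05-06T23:30:00 svc-backup app-02",  # same thing outside the window
    "2013-05-02T10:00:00 mallory ws-01",      # account never seen before
]

if __name__ == "__main__":
    for line in NEW_LOGINS:
        print(line, "->", assess(line, PROFILE) or "normal")
```

The change-window case is deliberately downgraded rather than discarded: the login is still recorded with its findings, so an analyst can later ask whether the "expected" activity during the window actually matched the change that was approved.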

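The separation-of-duty case the section above uses (a transaction whose approver is also its requester), together with the point that application events arrive in non-standard formats, as an added example in Python. The two applications, their log layouts, the amounts and the self-approval limit are all constructed for this example; it is not any product's parser or rule.

```python
"""Separation-of-duty check on application-level transaction events.

Added example for the discussion above of taking the SIEM above the infrastructure
level. Two hypothetical applications log approvals in different shapes (JSON and
key=value); both are normalised to one schema, and a transaction whose approver is
also its requester is flagged. Applications, field names, amounts and the
self-approval limit are all constructed for this example.
"""
import json

# Constructed events from a payments application (JSON per line).
PAYMENTS_EVENTS = [
    '{"txn": "P-1001", "amount": 950.00, "requested_by": "bob", "approved_by": "carol"}',
    '{"txn": "P-1002", "amount": 48000.00, "requested_by": "dave", "approved_by": "dave"}',
    '{"txn": "P-1003", "amount": "oops"}',   # malformed on purpose
]
# Constructed events from a procurement application (key=value per line).
PROCUREMENT_EVENTS = [
    "po=PO-77 value=1200 requester=erin approver=frank",
    "po=PO-78 value=31000 requester=gina approver=GINA",
    "po=PO-79 value=400 requester=hal approver=hal",
]

# Assumed policy: self-approval is tolerated only below this amount.
SELF_APPROVAL_LIMIT = 1000.0


def normalise_payments(line):
    rec = json.loads(line)
    return {"id": rec["txn"], "amount": float(rec["amount"]), "source": "payments",
            "requester": rec["requested_by"].lower(), "approver": rec["approved_by"].lower()}


def normalise_procurement(line):
    kv = dict(part.split("=", 1) for part in line.split())
    return {"id": kv["po"], "amount": float(kv["value"]), "source": "procurement",
            "requester": kv["requester"].lower(), "approver": kv["approver"].lower()}


def normalise_all(sources):
    """Apply each source's parser; return (events, rejected_line_count).

    Identities are lower-cased because the two applications do not agree on case,
    and a SoD check that misses 'GINA' == 'gina' is not much of a check.
    """
    events, rejected = [], 0
    for lines, parser in sources:
        for line in lines:
            try:
                events.append(parser(line))
            except (ValueError, KeyError):
                rejected += 1          # count it; a silent drop would hide parser drift
    return events, rejected


def sod_violations(events, limit=SELF_APPROVAL_LIMIT):
    """Transactions approved by their own requester at or above the limit."""
    return [e for e in events if e["requester"] == e["approver"] and e["amount"] >= limit]


def run():
    events, rejected = normalise_all([(PAYMENTS_EVENTS, normalise_payments),
                                      (PROCUREMENT_EVENTS, normalise_procurement)])
    return [v["id"] for v in sod_violations(events)], rejected


if __name__ == "__main__":
    violations, rejected = run()
    print("self-approved above limit:", violations, "| rejected lines:", rejected)
```

The rejected-line count is the operationally important extra: when an application team changes its log format, the SoD rule does not start failing, it simply stops seeing events, and the only visible symptom is that counter climbing.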

DETECTING THREATS WITH SIEM SYSTEMS
From the multitude of security information presented, SIEM systems have to make sense of the feeds received and determine whether alarms need to be raised, operators need to intervene or warnings should be provided. The task is a bit like finding a needle in a haystack. Overall, though, the accuracy goal of a SIEM should be to reduce false positives (patterns that don't relate to an attack or malicious behavior but are reported as such) without suppressing the true positives hidden among them.

At the most basic level, static rules can be configured in SIEM systems; based on the evaluation of logical expressions, these either fire or do not. A similar approach is to configure thresholds, whereby identification of a certain number of events (or some combination of event types) within a window results in that occurrence being flagged.

Much of the focus of future SIEM work is on moving from static detection techniques to dynamic ones capable of identifying behaviors not seen before. The latter type of system uses techniques such as anomaly detection based on artificial intelligence. By finding anomalous points or anomalous series, depending on the type of data, statistical or time series analysis can be performed to find deviations from a norm. Experimental systems based on such techniques are showing promise, and such learning systems will increasingly be incorporated into commercial products too.

In addition to techniques that detect anomalies and outliers, security vendors, managed service providers, researchers and universities are working to enhance prediction of attack situations. Through various attack modeling techniques, systems can compare incoming events with known patterns and determine whether an attack pattern is being observed. This is seen as particularly valuable for zero-day type attacks: there is no signature for the exploit itself, but the attacker's subsequent behavior may still match a known pattern. Responses to incidents can be characterized as reactive or proactive, but identifying attacks in advance can be challenging. Where attack patterns have been seen before, these can be incorporated into rule bases or correlation engines; in this way, rules can be changed to add or adapt a static or threshold response. Post-event analysis can help to prevent future occurrences.

As a final word on detection, it is important to recognize that the SIEM system needs to form part of an overall security process. It is arguably just as important to have appropriate interfaces, channels, alerts and inspection capabilities available to SIEM operators as it is to have the relevant security source information and events collected by the SIEM.

DEVELOPING A SIEM CAPABILITY
In terms of establishing a SIEM capability, an organization may either do this directly through its IT function or retain a service provider to perform the service along with other systems or security services. Various products are available from major vendors, and there are also open source options such as AlienVault's OSSIM.

A project to establish SIEM functionality requires the incorporation of many heterogeneous devices. In some cases SNMP information feeds may exist; in other cases syslog information is derived and fed to the analysis engine. Overall, though, a careful mapping of events, incorporating all operating systems and devices, needs to take place. This should be done by a dedicated team, separate from the people running day-to-day security. In one large SIEM deployment studied, there were significant delays because the same team running day-to-day security also tried to build the SIEM capability.

When collecting and scrutinizing events via a SIEM deployment, other problems in the IT environment may surface. For example, inconsistent configuration can lead to one device generating huge volumes of event information while other devices emit very little (or none). An anomaly-based system will flag this difference immediately. To counter this, servers and domain controllers can be configured for how "verbose" they are with their logging information, so that comparable systems log comparable events. The establishment of a SIEM environment has the additional benefit of creating a real bottom-up view of an environment, and of giving security operations center teams a feel for the norms that should be seen. Documentation and mapping of security events are other useful by-products of a SIEM deployment.

LOOKING AHEAD: FUTURE OF SIEM
The future of SIEM systems is promising, especially with additional detection techniques being developed and incorporated into SIEM analysis engines.

The evolution to an "Internet of things" means many more devices will be IP-enabled, and it will become increasingly difficult to manage and ensure the operation of all these components without SIEM techniques. Trends in cyber-physical systems make the stakes even higher, in that connected vehicles, energy grids, health systems or manufacturing environments create the potential for life-threatening impact from security attacks. For this reason, another avenue of exploration for SIEM systems is to couple them more tightly with the architectures of the environments they support. For example, various smart grid and smart car architectures make use of a system bus for intercommunication and connection of supporting modules. Building SIEM-type capabilities into these environments directly could be a promising (and reassuring) way to complement the technology advances in these environments with strong supporting security monitoring modules. As systems evolve and attack scenarios are considered, misuse cases can be developed. We also need to understand misuse cases better, to assist designers of future SIEM-supporting technologies in making analysis approaches as effective as possible.

Other emerging trends include experimentation with cloud-based delivery of SIEM services. While there is debate on the security of cloud services in general, cloud-based SIEM systems may still have some concerns to alleviate before becoming widely accepted.

The security of the SIEM system itself also needs to be considered. An attacker may have reason to modify or block messages within the SIEM. The integrity of the SIEM system itself is critical: if the security monitoring system can be undermined, then system management can be compromised. Researchers are trying to develop resilient collector agents (with smart routing) that could prevent parts of a SIEM from becoming partitioned. At a minimum, the path from each collector to the central node should be authenticated and integrity-protected, and the central node should notice when a source goes quiet, since a silenced collector looks exactly like a healthy network with nothing to report.

Overall, SIEM is a technology and approach that can provide powerful insights by separating out and focusing on security information and events. Organizations should work toward developing a SIEM service that is distinct from the normal management and monitoring activities that track availability, performance, capacity and so on within an IT environment. In combination with a security operations center type approach, the SIEM will help an organization consider patterns that may suggest or reflect a security incident. Advances in the analysis and correlation techniques provided in SIEM tools will help operational staff interpret large volumes of information even better, and SIEM will increasingly play an important role in retaining the advantage of safe, secure systems of integrity, despite those who may try to undermine their intended operation.

ANDREW HUTCHISON is an information security practitioner with a combination of technical and business experience obtained over the last 20 years. He has experience in the deployment and operation of SIEM systems in a managed service provider environment. He currently participates in several international security projects aimed at improving security attack detection through advanced techniques. Send comments on this article to [email protected].
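The two basic detection mechanisms described in "Detecting threats with SIEM systems" (a static rule as a logical expression over one event, and a threshold rule that counts events inside a window), plus the simple correlation of a later event with an earlier alert, as an added example in Python. This is not the author's code or any SIEM product's rule language; the event tuples, rule names, counts and windows are constructed for this example.

```python
"""Static rules and sliding-window threshold rules over an event stream.

Added example for the 'Detecting threats with SIEM systems' section above. A
static rule is a predicate on one event; a threshold rule counts matching events
per key inside a time window; a third step correlates a later success with an
earlier threshold alert. Event tuples, rule names and limits are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: (timestamp, type, src_ip, user, outcome).
EVENTS = [
    ("2013-05-01T10:00:01", "auth", "198.51.100.7", "admin", "fail"),
    ("2013-05-01T10:00:03", "auth", "198.51.100.7", "admin", "fail"),
    ("2013-05-01T10:00:05", "auth", "198.51.100.7", "admin", "fail"),
    ("2013-05-01T10:00:06", "auth", "198.51.100.7", "admin", "fail"),
    ("2013-05-01T10:00:08", "auth", "198.51.100.7", "admin", "fail"),
    ("2013-05-01T10:00:09", "auth", "198.51.100.7", "admin", "success"),
    ("2013-05-01T10:20:00", "auth", "10.0.0.5", "alice", "fail"),
    ("2013-05-01T10:30:00",  "firewall", "10.0.0.5", "-", "blocked:23"),
    ("2013-05-01T11:00:00", "auth", "10.0.0.9", "root", "success"),
]

# Static rules: a boolean expression over a single event.
STATIC_RULES = {
    "root-interactive-login": lambda e: e["type"] == "auth" and e["user"] == "root"
                                         and e["outcome"] == "success",
    "telnet-blocked": lambda e: e["type"] == "firewall" and e["outcome"] == "blocked:23",
}


class ThresholdRule:
    """Fire once when `count` matching events share a key inside `window`."""

    def __init__(self, name, match, key, count, window):
        self.name, self.match, self.key, self.count, self.window = name, match, key, count, window
        self.seen = defaultdict(deque)   # key -> timestamps of recent matches

    def feed(self, e):
        if not self.match(e):
            return None
        k = self.key(e)
        q = self.seen[k]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > self.window:   # drop matches outside the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()                                # one alert per burst, not per event
            return f"{self.name} key={k} n={self.count}"
        return None


def parse_event(raw):
    ts, typ, src, user, outcome = raw
    return {"ts": datetime.fromisoformat(ts), "type": typ, "src": src,
            "user": user, "outcome": outcome}


def run_rules(raw_events):
    """Return the alerts raised, in event order."""
    brute = ThresholdRule("brute-force",
                          lambda e: e["type"] == "auth" and e["outcome"] == "fail",
                          lambda e: e["src"], count=5, window=timedelta(seconds=60))
    last_brute = {}          # src -> time of the last brute-force alert for it
    alerts = []
    for raw in sorted(raw_events):          # ISO timestamps sort correctly as strings
        e = parse_event(raw)
        for name, rule in STATIC_RULES.items():
            if rule(e):
                alerts.append(f"{name} src={e['src']}")
        hit = brute.feed(e)
        if hit:
            alerts.append(hit)
            last_brute[e["src"]] = e["ts"]
        if e["type"] == "auth" and e["outcome"] == "success":
            since = last_brute.get(e["src"])
            if since is not None and e["ts"] - since <= timedelta(minutes=5):
                alerts.append(f"success-after-brute-force src={e['src']} user={e['user']}")
    return alerts


if __name__ == "__main__":
    for a in run_rules(EVENTS):
        print(a)
```

The sliding window is the part that separates a threshold rule from a simple counter: five failures spread over a working day never fire, five in a minute do, and clearing the queue after the alert keeps a long attack from producing one alert per extra attempt. The single failed login from alice is the "needle in a haystack" the article mentions, and it is correctly left alone.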

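The integrity concern raised above (an attacker who modifies or blocks messages inside the SIEM) as an added example in Python: a collector numbers and HMAC-chains every record it forwards, and the central node detects a modified record, a dropped record and a replayed one. The shared key, the record layout and the attack scenario are constructed for this example; it is not the author's design or any product's wire protocol.

```python
"""Tamper- and gap-evident event forwarding from a collector to the central node.

Added example for the point above that an attacker may modify or block messages
inside the SIEM. Each record carries a sequence number and an HMAC over
(seq, previous MAC, payload), so the central node can tell a modified record, a
dropped record and a replayed record apart. The shared key, record layout and the
attack scenario are constructed for this example; it is not any product's wire format.
"""
import hashlib
import hmac
import json

KEY = b"collector-01-shared-secret"   # assumption: provisioned out of band, per collector
GENESIS = "0" * 64                     # 'previous MAC' for the first record


def record_mac(key, seq, prev_mac, payload):
    msg = f"{seq}|{prev_mac}|{payload}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Collector:
    """Edge collector: numbers and chains every record it forwards."""

    def __init__(self, key):
        self.key, self.seq, self.prev = key, 0, GENESIS

    def emit(self, payload):
        self.seq += 1
        m = record_mac(self.key, self.seq, self.prev, payload)
        rec = {"seq": self.seq, "prev": self.prev, "payload": payload, "mac": m}
        self.prev = m
        return json.dumps(rec)


class Verifier:
    """Central node: accepts only records that continue the chain it has seen."""

    def __init__(self, key):
        self.key, self.expected_seq, self.prev = key, 1, GENESIS
        self.accepted, self.problems = [], []

    def receive(self, line):
        rec = json.loads(line)
        expected = record_mac(self.key, rec["seq"], rec["prev"], rec["payload"])
        if not hmac.compare_digest(expected, rec["mac"]):
            self.problems.append(f"bad-mac seq={rec['seq']}")   # modified or forged
            return False
        if rec["seq"] < self.expected_seq:
            self.problems.append(f"replay seq={rec['seq']}")     # genuine but old
            return False
        if rec["seq"] > self.expected_seq:
            self.problems.append(f"gap missing={self.expected_seq}..{rec['seq'] - 1}")
        elif rec["prev"] != self.prev:
            self.problems.append(f"chain-break seq={rec['seq']}")
        self.prev, self.expected_seq = rec["mac"], rec["seq"] + 1
        self.accepted.append(rec["payload"])
        return True


def demo():
    """Forward four records through an attacker who rewrites, drops and replays."""
    collector, verifier = Collector(KEY), Verifier(KEY)
    wire = [collector.emit(p) for p in ["login alice ws-01", "login root db-01",
                                        "fw blocked 10.0.0.5", "login bob ws-02"]]
    # Attacker rewrites the root login without the key, drops the firewall
    # event, and replays the first record.
    tampered = json.loads(wire[1])
    tampered["payload"] = "login alice db-01"
    wire[1] = json.dumps(tampered)
    del wire[2]
    wire.append(wire[0])
    for line in wire:
        verifier.receive(line)
    return verifier.problems, verifier.accepted


if __name__ == "__main__":
    problems, accepted = demo()
    print("problems:", problems)
    print("accepted:", accepted)
```

Note what this does and does not give you. It makes tampering, dropping and replay detectable at the central node, which is the property the article asks for; it does not stop an attacker who controls the collector host itself and therefore holds the key, which is why the key should be per collector and why a collector that simply goes silent still needs a separate heartbeat check.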

TechTarget Security Media Group

TechTarget, 275 Grove Street, Newton, MA 02466
www.techtarget.com

EDITORIAL DIRECTOR Robert Richardson

FEATURES EDITOR Kathleen Richards

SENIOR SITE EDITOR Eric Parizo

SENIOR MANAGING EDITOR Kara Gattine

ASSOCIATE MANAGING EDITOR Rachel Shuster

DIRECTOR OF ONLINE DESIGN Linda Koury

COLUMNISTS Marcus Ranum, Gary McGraw, Doug Jacobson, Julie A. Rursch, Matthew Todd

CONTRIBUTING EDITORS Michael Cobb, Scott Crawford, Peter Giannoulis, Ernest N. Hayden, Jennifer Jabbusch Minella, David Jacobs, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Anand Sastry, Dave Shackleford, Joel Snyder, Lenny Zeltser

USER ADVISORY BOARD

Phil Agcaoili, Cox Communications
Richard Bejtlich, Mandiant
Seth Bromberger, Energy Sector Consortium
Mike Chapple, Notre Dame
Brian Engle, Health and Human Services Commission, Texas
Mike Hamilton, City of Seattle
Chris Ipsen, State of Nevada
Nick Lewis, Saint Louis University
Rich Mogull, Securosis
Tony Spinelli, Equifax
Matthew Todd, Financial Engines

VICE PRESIDENT/GROUP PUBLISHER Doug [email protected]

© 2013 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or byany means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

COVER IMAGE AND PAGE 3: LOLLOJ/FOTOLIA