Affordable Risk-Based Security by Automating Analysis of Threat Intelligence

Transcription

1 Affordable Risk-Based Security by Automating Analysis of Threat Intelligence FAST FACTS: Problem: Federal IT systems are handling more traffic and types of activity on their networks than ever before with exponentially rising volumes complicating compliance efforts, which are already under pressure from sophisticated cyber attacks. Strategy: IBM QRadar empowers IT departments to implement key elements of continuous monitoring that provide comprehensive security intelligence and contextual insight into network activity. Benefit: QRadar allows IT security practitioners to focus on material threats, as well as any traces left by their perpetrators. It collects data from numerous network devices and performs automatic correlation to distinguish between real dangers and false positives. Armed with high-quality intelligence, security teams can devote themselves to addressing real vulnerabilities. By fulfilling a growing need to provide open access to information resources, federal government agencies have reached a key juncture in cybersecurity. Agency IT systems are increasingly sophisticated, with more traffic and types of activity affecting their networks than ever before. While much of this activity may be routine or innocuous, its exponentially rising volume complicates compliance efforts, which are already under pressure from sophisticated cyber attacks. To combat these continuous and complex threats, organizations need efficient solutions that address the new risk environment and compliance frameworks. The current risk and compliance environment A deluge of security technologies has washed over federal agencies in recent years. Organizations have implemented arrays of security tools such as VPNs, intrusion detection systems, endpoint management suites and anti-malware software. While these solutions have facilitated more secure IT, each one of them generates its own set of logs and alerts, and all of this data is decentralized, requiring managers to access it from multiple interfaces. Accordingly, drawing correlations from one device to the next is an uphill struggle. Agencies have turned to Security Information and Event Management (SIEM) solutions that aggregate and analyze data from multiple sources, producing a more complete picture of threats to the network. While IT systems are quickly becoming more data-intensive, this threat environment is evolving in lockstep. It has expanded to encompass a daunting range of risks, including malicious code execution and insider breaches. With record troves of information to comb through, agencies are now in the unenviable position of addressing advanced security issues such as advanced persistent threats (APTs), which are well organized and often state-sponsored, while staying on top of data management and meeting regulatory obligations. Enterprises have spent more than $13 billion on security solutions in 2013, yet the threat from APTs and high-level malware persists, making that case that agencies still need better solutions for collating data from different apparatuses. Certainly, tools such as firewalls and VPNs will remain key components of IT security, but organizations will require proactive technologies that help them make sense of what is occurring with their networks, endpoints and payloads. Organizations already have access to large amounts of data generated by security solutions, and the MERLIN-INTL.COM 1

2 To effectively address the challenges of data deluge, volatile threat environments and evolving regulatory landscape, IT departments need modern continuous monitoring solutions that synthesize a wide range of data sets into actionable intelligence. next step is finding the right solutions to leverage it for better detection and mitigation of threats, through processes such as setting accurate baselines for normal network behavior. Against this backdrop of an evolving threat landscape and increasingly complex IT architectures, the U.S. government updated FISMA with guidance about continuous monitoring. Designed to replace the check-box compliance model of FISMA 1.0, FISMA 2.0 required agencies to set up risk-based management processes that provide superior long-term visibility and assessment of threats compared to the discrete paper-based exercises of the past. As agencies adjust to these new processes, they are also under pressure from both budgetary constraints and their ongoing obligations to comply with NIST Since NIST compliance is required as part of the compulsory Federal Information Processing Standards 200 under FISMA, agencies have the tall order of keeping systems confidential, secure and available even as risks multiply and funding levels stay flat or even decrease. To effectively address the challenges of data deluge, volatile threat environments and evolving regulatory landscape, IT departments need modern continuous monitoring solutions that synthesize a wide range of data sets into actionable intelligence. Furthermore, these solutions must provide a foundation for developing agency-specific risk models so security teams can better manage threats and intelligently deploy limited security resources where they will have the greatest effect. An industry-leading solution that has helped many federal agencies address similar challenges is IBM s QRadar. This offering gives agencies the power they need to identify and manage risks through comprehensive security intelligence. As a centralized solution, QRadar combines multiple functionalities into a single console, including: Security information and event management Log management Risk analysis Network analytics By uniting these previously siloed functionalities, QRadar puts organizations in prime position to automate more workflows and reduce the growing complexity of their networks. Additionally, QRadar lets IT and security professionals proactively address the escalating risk environment by providing better realtime visibility into data based on analysis of historical trends, which helps unearth threats that would once have flown under the radar. This is an essential capability to effectively counter APTs, as they are designed with security defenses in mind and are engineered to evade basic detection mechanisms. As an experienced provider of government IT solutions and an official IBM partner, Merlin International is uniquely positioned to help agencies implement QRadar at the center of risk management strategies that emphasize continuous monitoring rather than patchwork security. Merlin s expertise in areas such as network management, data center consolidation and cybersecurity solutions gives it a breadth of relevant insight into methodologies for ensuring that clients align operations with FISMA 2.0 and NIST , 2 MERLIN-INTL.COM

3 ward-off threats and gain access to intelligence that improves security over the long run. Assessing risk management strategies for the current threat landscape The threats facing federal government agencies are unique in their scope and sophistication. They are not garden variety attacks perpetrated by lone wolves, but sustained campaigns often sponsored by nationstates, organized hacker groups and other hostile organizations. In his 2013 State of the Union address, President Obama highlighted the growing threat to the country s critical infrastructure in cyberspace, framing the situation as a national security struggle. Indeed, APTs are essentially a form of cyberwar, and the particular dangers that they pose strike at the heart of why agencies need robust solutions like QRadar that weed out threats even in increasingly convoluted IT environments. APTs are low and slow attacks that harvest information from specific organizations and individuals. Targets may span the public and private sectors, as demonstrated by the APTs that have targeted Japanese government agencies and think tanks since at least Similar APTs have affected governments in Georgia, Estonia and South Korea, and an Iranian attack on state-run Saudi Aramco resulted in 30,000 computers being compromised. In the U.S., the cybersecurity community has been wary of possible APTs supported by governments in other countries. Whereas attacks from individual cybercriminals are often opportunistic and aim to simply scrape weakly secured data, APTs are intent on obtaining specific types of sensitive data such as intelligence, as was the case in an incident that may have involved intelligence agencies from the People s Republic of China keeping tabs on U.S. weapons systems designs. Civilian agencies face similar threats, particularly those securing sensitive information related to critical infrastructure: energy, finance, transportation, and healthcare to name just a few. Even as IT departments wrestle with APTs and other top-level concerns, they are also under pressure from a range of other issues that have sprouted up in the wake of surging network activity and rising data volumes. In this context, insider threats have escaped the attention of many agencies, becoming a silent yet deadly phenomenon. A Fortune 1000 survey of IT professionals in government, education and the private sector revealed that cloud computing had greatly complicated organizations efforts to detect insider threats, making it harder to spot anomalies amid changing baseline behavior. Few federal agencies have invested in data analytics technologies to help manage the surge in information volume. Moreover, APTs and growth in network events illustrate the imperative of continuous monitoring. Older frameworks and the solutions that addressed them were ill-suited to detect and eliminate persistent attacks that could be overlooked. Accordingly, the NIST SP draft defined continuous monitoring as a risk management approach to cybersecurity that maintains an accurate picture of an organization s security risk posture, provides visibility into assets, and leverages use of automated data feeds to quantify risk, ensure effectiveness of security controls, and implement prioritized remedies. However, achieving this level of visibility requires technological solutions that are scalable to enormous architectures, data volumes and risk landscapes. The consolidated nature of QRadar and Merlin International s broad security expertise building and managing comprehensive government security operations centers make integration a straightforward matter. A QRadar implementation from Merlin International empowers IT departments to adjust to this new reality and implement key elements of continuous monitoring that provide comprehensive security intelligence and contextual insight into network activity. Agencies may handle up to billions of network events each day, MERLIN-INTL.COM 3

4 and the ongoing adoption of cloud and advanced sensor technologies will continue to add new layers of complexity to IT infrastructure. By going above and beyond traditional SIEM solutions, QRadar produces granular insight into network flow data so that agencies can distill a sea of information into an actionable set of priorities tailored to the risk profile of a specific agency. Given the complexity of many IT organizations, QRadar is well suited to providing insight into threats across all infrastructure, using advanced techniques like deep packet inspection to root-out threats that other solutions typically miss. Agencies can keep tabs on every asset, from routers to workstations, and use the resulting security intelligence to improve their practices and compliance efforts. At the same time, they can do so without having to procure a variety of different solutions that may require extensive customization. QRadar as the center of a continuous monitoring and risk management strategy QRadar is built upon a database that is scalable even for large operations and optimized to detect sophisticated attacks such as APTs and insider threats. It intelligently draws upon log source data from a wide range of assets, including network events affecting switches and routers, logs from ERP and other applications, operating system details and Layer 7 payloads. By eliminating the noise that typically accompanies mass collection and collation of data, QRadar allows IT security practitioners to focus on material threats, as well as any traces left by their perpetrators. It collects data from numerous network devices and performs automatic correlation to distinguish between real dangers and false positives. Accompanying the underlying database is a unified dashboard for all QRadar components that IT departments can use to prioritize and organize these threats. Armed with the high-quality intelligence that QRadar produces, security teams can devote themselves to addressing real vulnerabilities, rather than losing time and resources in an increasingly complex and unforgiving environment More broadly, QRadar gives security teams the answers they need to common questions, such as: Who is behind the attack? - QRadar compiles rich information, such as location-based data, and creates attacker profiles What are the attackers targeting? - IT professionals can gain insight into targeted assets and their respective vulnerability states and values What must the organization do to better monitor, address and document the incident? - Advanced forensics put IT departments in excellent position to assess data breaches and ultimately shore-up the vulnerabilities that allowed them to happen Unlike less evolved SIEM tools, QRadar is easier to install and operate, producing immediate value for agencies. Its advanced detection and reporting capabilities often make a clear difference within a matter of days. Out-of-the-box, QRadar includes numerous advanced capabilities, such as pre-built dashboards for compliance frameworks like PCI DSS and the Health Insurance Portability and Accountability Act. As a result, it does not require heavy customization and can be integrated easily into pre-existing IT infrastructure. The broader impact of risk-based security on operations The benefits of a QRadar solution from Merlin International extend beyond better monitoring and risk management. Ultimately, continuous monitoring leads to better allocation of IT resources. Implementing risk-based security produces superior insight into the value of assets, the costs if they were to be breached and what would constitute a sensible strategy for protecting them. Risk-based security enables agencies to truly benefit 4 MERLIN-INTL.COM

5 secure, the new framework pushes for environments in which they have an accurate sense of where they stand. Creating a sound risk-based strategy does not have to be difficult, despite the increasing pressure on agencies to reduce costs and improve productivity. On the IT side, QRadar can be implemented easily with Merlin International s guidance. Additionally, because QRadar centralizes security intelligence, it puts managers in both the IT and business departments in better position to make key decisions. They can then make concerted efforts to improve their agencies scores under the FISMA 2.0 system, which has made it much easier for all parts of a given organization to understand security context. Merlin provides a straightforward, efficient QRadar solution for the current landscape Federal government agencies face a unique challenge in reconciling budgetary constraints with IT infrastructure that is increasingly prone to sophisticated risks and record numbers of events. While FISMA has evolved and provided guidance about the continuous monitoring strategies needed to address the new environment, agencies still need the right technological solutions to ensure compliance, improve operations and fend off threats. With help from Merlin International, agencies can quickly implement QRadar at the center of their continuous monitoring risk management strategies. Merlin International offers end-to-end solutions that address the growing complexity of IT, and as an experienced systems integrator, it has been at the forefront of assisting clients with cutting-edge implementations. Such expertise will be vital to navigating the unique challenges that the federal sector faces from rising data volumes, APTs and insider threats. QRadar and Merlin International empower organizations to stay on top of busy networks and persistent threats, ensuring compliance even in challenging environments. About Merlin International Merlin International is one of the country s leading IT solutions providers to the U.S. Federal Government. Our dedication to government customers provides us unparalleled insight into mission requirements and agency challenges. As a company, we are committed to developing truly innovative solutions that better meet mission objectives. A veteran-owned, privately held company, Merlin offers Cyber Security, Network Performance Management, Data Center and Storage, and Enterprise Application solutions for Healthcare, Civilian, and Defense agencies. The company is headquartered in Englewood, CO, with federal operations in Vienna, VA. Merlin International and the Merlin logo are registered trademarks of Merlin International, Inc. Other company, product, or service names may be trademarks or service marks of others. Copyright 2013 Merlin International. SALES sales@merlin-intl.com T MERLIN GOVERNMENT CONTRACTS SEWP# NNG07DA23B GSA# GS35F0783M CORPORATE OFFICE 4B Inverness Court East Suite 100 Englewood, CO FEDERAL OPERATIONS Old Courthouse Rd Suite 200 Vienna, VA MERLIN-INTL.COM