How to realize better protection, response efficiency and increased granularity in your security program.


White Paper
Contextual Security Provides Actionable Intelligence
How to realize better protection, response efficiency and increased granularity in your security program.

Contents

Introduction
Background
Achieving Security Context
  Requirements
  Available Information
  An Integration Platform
  Accessible Knowledge
  Redistribution of Efforts
  Expected Results
Security Monitoring Implications
Finding Context
  The Internal Environment
    Asset Inventory
    System Vulnerabilities
    User and Privileged Users
    Application and Information Intelligence
  From External Sources
    GeoIP Data
    White / Black lists
    Known Malicious Hosts
    Threat Intelligence
  Sensor Data
Putting It All Together
Real-life Examples
  Improving security effectiveness and protection with contextual security: a retail example
  Making security technology and resources more efficient: saving time and money
  Achieving flexibility: examples of applying security where/when it's needed most
The Solutionary Answer

Introduction

Just as context is key to understanding a concept, security data can be enriched with contextual data to provide better understanding and actionable intelligence. Learn how a security foundation built on organizational, infrastructure and external context can elevate the information provided by both next-generation and legacy security devices into actionable intelligence: the ability to quickly and efficiently make fully informed security decisions.

Background

Don't be fooled. Contextual security is more of a recent buzz term than a new concept. Organizations that are managing and reducing IT risk successfully already know that effective information security is all about building good context. The more that's known about the environment, the systems being protected and the data residing on those systems, the better the ability to protect them. Context also bears on compliance strategy. Context around regulatory requirements and the data they affect is critical to achieving and maintaining compliance in a cost- and resource-effective manner. Think of context as the key ingredient for making better and faster decisions about protecting the enterprise from escalating risks. This paper examines scenarios from real organizations to help illustrate how context around security has delivered measurable improvements. What's actually new and different about contextual security today is the ability to achieve it, harness it and benefit from it, based on advances in technology. The top three benefits contextual security provides are:

1. Increased effectiveness of information security decisions
2. Greater efficiency of information security technology and human resources
3. More flexibility to apply security where and when it's needed most

An easy example to communicate the benefits of context is used thousands of times a day by thousands of institutions around the world. Financial institutions have to make decisions about financial transactions in real time as consumers attempt to use their debit and credit cards, and access their online banking applications. To provide an idea of scale, global card transactions totaled billion in 2011 (PYMNTS.com, 2012). Take the simple scenario of one of the bank's customers attempting to transfer funds from one of their accounts to an account at a third-party bank. Everything about the transaction appears correct: the user authenticated properly to the application, they are accessing an account that has been authorized to perform transfers and the third-party bank account appears to be valid. To put this in perspective from a security monitoring standpoint, we have a source IP, a destination IP and the firewall has allowed the packet through. No IDS or IPS signatures have been tripped. The bank knows that it needs additional context in order to make the right decision about this transaction. Has this user ever connected to the online banking application from this particular device before? Does it seem reasonable that the user is coming from an IP address in Bulgaria? Has the user ever done a transfer of any size to a third-party bank before? Does it seem reasonable that the user would be transferring the entire contents of the account? Is the third-party bank account owned by someone the Federal Reserve has specially designated? Without the additional context, the bank is unable to determine whether this activity is fraudulent. Practitioners are advised to make friends with the fraud department in their organization, if the organization has one. Fraud departments have been doing this sort of analysis for a long time. This paper examines other scenarios from real organizations to help illustrate how context around security has delivered measurable improvements. From protecting against the most advanced threats, to reducing mountains of false positives, to answering executives' questions about how IT security can really contribute to the business, context is key.

Achieving Security Context

Requirements

Context-based security applies intelligence about company environments to the systems and data being protected. Proper context helps identify appropriate levels of security, improves the precision of security controls and makes security reporting more meaningful for the business. The question, however, remains: how to achieve context with existing security and information technology? Three basic requirements must be met to achieve security context in a monitoring program:

1. The contextual information needs to be available
2. There needs to be a platform that can efficiently perform the integration in real time
3. The integrated contextual information needs to be easily accessible to the user in a way that is relevant to them

Available Information

In practice, a typical major obstacle to incorporating context into a security monitoring program is the availability of the contextual information in a format that supports integration with log and alert data. Mergers, acquisitions and general business activities cause both the IT and organizational environments to constantly change and adjust. If the information does exist, often it is not in a format or mechanism that enables integration to occur. The information must be keyed or be searchable by the contents of the log and alert data. The key might be IP address or range, port, hostname, FQDN, username, database or file name, application or transaction name. Additionally, the contextual information needs to be validated to ensure that it is accurate and has integrity. Most people have experienced attempts by organizations to market to them based on a database the organization acquired from a third party. Mismatches in these databases are common and often result in individuals being incorrectly associated with a relative or even a stranger with a similar name. In these cases the old adage "garbage in, garbage out" is quite true. The challenge for organizations is to ensure they aren't decisively making bad decisions!

Organizations typically have to execute a specific project to obtain and maintain the contextual information in a form that can be integrated into the security monitoring program. Automation is the key to ensuring the information remains updated over time.

An Integration Platform

Once the contextual information is available in an accurate, up-to-date and validated format that can be integrated based on key values, a platform is needed that enables the log and alert data to be linked together with the contextual information. The ideal platform integrates the data and information in real or near real time to allow not just the linkage of the data and information efficiently and effectively, but also enables rules and complex event processing to occur using the contextual information. Seeing the contextual information is nice, but without the ability to drive processing rules, the organization really hasn't made much progress from an actionable intelligence standpoint. A platform is needed that allows correlation to be extended beyond the normal dimensions of IP addresses and time into contextual dimensions like vulnerability, user, asset and reputational information, reference lists, GeoIP, applications and information sources. Without this advanced correlation capability and the underlying customized rules to reduce false positives, reduce false negatives and provide the situational awareness required to decisively respond to incidents, actionable intelligence can't be realized.

Accessible Knowledge

Finally, the platform must have the capability to make the integrated information quickly and easily available to security analysts in order to present a scenario (as discussed in the earlier banking example) that provides all of the information required to validate, respond to and mitigate incidents. Making the information relevant to the security analyst is a key deliverable. This may include referencing the user impacted by the incident, the criticality and regulatory scope of the assets impacted and the incorporation of threat, application and information intelligence.

Ideally, the security analyst doesn't have to perform additional manual research, doesn't need to access another repository to look up information and doesn't have to manually correlate information in their head. The correlation, progression and impact are laid out in an easily understood, clear and relevant manner. At that point, actionable intelligence from the security monitoring program is achieved.

Redistribution of Efforts

One result of adding context into a security monitoring program is the redirection of the effort expended in the execution of security monitoring. Adding context requires more research, investigative, creative and development work up front than performing security monitoring without context. To be as effective as possible, it requires the security organization to build working relationships with the organization's IT and development groups. Solutionary firmly believes, based on its experience with thousands of managed security services (MSS) clients, that this increased effort up front pays handsomely in the ongoing execution of the security monitoring program by reducing the time and effort required to validate, investigate and mitigate security incidents. In turn, this increased efficiency brings reduced risk to organizations by discovering security incidents as early as possible and reducing the scope and impact of those incidents. Figure 1 illustrates this belief and contrasts it with security monitoring programs that have been implemented using off-the-shelf security information and event management (SIEM) platforms with no additional context integration, including the lack of context-driven signatures, rules and thresholds.

Figure 1

Solutionary clients have had great success communicating this information to their organization's management to demonstrate the need to make upfront investments in the monitoring program in order to enjoy much lower total cost of ownership.

Expected Results

The ability to make intelligent, informed security decisions faster has major payoffs for incident mitigation and impact analysis. For example, with a contextual security and compliance management platform, organizations can immediately identify assets under attack in order to focus mitigation efforts in those areas. Contextual security collects real-time information from all security logs in one central location, extracting the maximum security value and context from the log sources. Then, incidents can be analyzed and correlated with contextual information such as source, destination, user, asset, vulnerability interaction and more. Context goes further to help security analysts decide which security events to prioritize and escalate based on individual business and privacy concerns. It also aids investigation efforts, providing incident details in context with processing and analysis trails all the way down to the raw log lines. In this way, a contextual security and compliance management platform creates an auditable record of response from incident identification through closure, and provides useful intelligence for post-breach investigations. As this whitepaper demonstrates, Solutionary believes that by building a security monitoring program with context and maximizing the use of that context, organizations will enjoy a number of benefits as a return on the investment.
These include:

- Detect things that would not be detected otherwise
- Increase the capability to match analytics to IT, applications and information
- Develop explicit mapping of security information to the organization
- Increase efficiency in responding to potential security threats, compliance exceptions and privacy violations
- Reduce false positives and false negatives
- Obtain actionable intelligence

Security Monitoring Implications

Security technologies are rapidly evolving. There is always some new, better and faster device that promises to protect organizations better than before. Security vendors continuously evolve device models, features and (hopefully) benefits. Change is constant. However, having a security monitoring capability that focuses on collecting, integrating and processing security context ensures that the overall security program is independent of any given technology or device. The monitoring portion of the security program itself should be continuously improved regardless of the devices used to gather log and alert data. Having capable, effective, well-managed devices is no less important, but focusing on the overall security program as opposed to the devices themselves allows the appropriate level of importance to be assigned to each device. Tracking and managing the evolution of the monitoring portion of the security program should focus on the following metrics:

1. Has the number of false positives coming out of the security monitoring platform been reduced?
2. Has the number of false negatives coming out of the security monitoring platform been reduced?
3. Has the effort / time expended on validating security incidents been reduced?

The following qualitative factors should also be taken into account:

- Are more context sources being integrated, or is deeper integration using context occurring than was done previously?
- Has the modeling of security incidents to the business improved? Applications? Information?
- Has communication about the status of security to the business improved?

Context allows organizations to think about, communicate and execute security monitoring in a way that maps to the IT, security and business environments by design. Context also provides additional indicators that, when taken in totality, can identify a security incident. Individually, the pieces of context and the indicators may not tell much of a story or appear to be particularly impactful. When successfully linked together, however, the results can be quite effective at weeding out false positives or finding incidents that would have otherwise escaped notice. Context should not be viewed as being black and white. It's much more about different shades of gray that can be combined to provide a cumulative effect. The combination increases the confidence level until a threshold is reached to be dispositive one way or another.

Finding Context

So far, this paper has discussed context in a mostly generic sense. To get more specific, the focus will now shift to the different sources of context for incorporation into the security monitoring program. At a high level, there are three major sources from which to find context:

1. The IT, user and business environment
2. External sources
3. Internal devices and sensors

The Internal Environment

Asset Inventory

Ideally, organizations should have an asset inventory that exhibits three major characteristics:

1. Identification: network addresses, FQDNs, relationships
2. Attributes: device type, criticality, regulatory impact
3. Tagging: geography, business unit, functional group

The asset inventory enables context to be built into the correlation and processing rules. It also provides a mechanism to present information about an incident or set of incidents in a manner that reflects the IT or organizational structure. Tagging particularly allows security analysts to organize the security information in a way that is relevant to them and promotes efficiency. Attributes drive rule processing by matching the risk presented by compromise of an asset with the correlation and processing rules to align priority and assist regulatory compliance. The impact of IPv6 implementations on the organization and the security monitoring program can be greatly mitigated through the use of a flexible asset addressing scheme that allows an end-to-end correlation of related security logs and alerts across addressing schemes between IPv4, tunneling and translation layers and IPv6.

System Vulnerabilities

Vulnerability scan results can be utilized in three ways:

1. Use the attributes gleaned from the systems during the scanning process to automate the maintenance of asset attributes.
2. If properly integrated with CVE or other linkage, identify when a particular threat or exploit may be on target or off target, providing an additional technical indicator that can be used to influence the priority of the incident and aid in validation.
3. If managed as part of a vulnerability lifecycle management process, the disposition of the vulnerability can be incorporated into the security analyst's decision-making process. A vulnerability that was closed with a disposition of "client-accepted risk", for instance, can be treated differently than a vulnerability with a disposition of "false positive".

User and Privileged Users

User and privileged user information can be utilized in two ways:

1. Monitor access and identity infrastructure to be able to match network addresses and systems to users, giving the security analyst the incident information in a way that matches the infrastructure assets as well as the users on the network. When time is of the essence, knowing who the impacted user is can make a direct response much faster.
2. Privileged user monitoring is typically implemented by identifying certain activity (typically administrative commands) as privileged user activity. However, this fails to provide a complete picture of what privileged user accounts are doing. By maintaining a reference list of privileged user accounts, all activity performed by a privileged user can be identified. For example, if a privileged user is accessing a system from China, and the user is US based, then the seemingly innocuous activity can quickly be identified as malicious.

Application and Information Intelligence

Application and information intelligence has a huge impact on both the granularity with which processing rules can be applied and the ability to model the discovery of security incidents to the actual application and information environment. The additional granularity enables not just a negative security model (identifying activity that is "known bad") but a positive security model (identifying that which is "not good"). This can include identifying exceptional application activity, including access, activity and volume exceptions. However, this is only possible if there is an understanding of the normal use cases of the application (what is "good" activity). As previously stated, the security group, the application group and the business group need a working relationship in order to realize the maximum impact. Security personnel need to communicate to the application and business groups the types of processing and correlation rules that can be implemented to leverage those application and business resources effectively.

Just as reference lists can be used to identify privileged users, they can also be used to identify privileged or critical files and database tables. Combining these different sources of information can drive fairly sophisticated processing (for example: non-privileged users accessing privileged information).

From External Sources

GeoIP Data

Understanding the countries in which organizations normally do business, in conjunction with geographic asset tagging (where in the world things are coming from and going to), can provide a quick way to identify potentially malicious activity.

White / Black lists

Reference lists can also be used to create whitelist and blacklist entries that can be used to identify issues with trusted partners and to know when prohibited activity is occurring. Whitelists are a perfect example of the type of indicator-based incident identification that isn't possible without context. While allowing potentially critical business communication to occur (instead of blocking it), context allows potential exceptions to be validated.

Known Malicious Hosts

Third-party and internal, proprietary malicious host lists can help identify activity that otherwise would not be deemed malicious so that it is treated as potentially malicious. While not a guarantee, reputational information is another indicator that can help move log and alert data from the category of authorized activity to that of potentially malicious activity.

Threat Intelligence

Much has been made of threat intelligence in recent years, but if that threat intelligence does not translate quickly and consistently into security device or processing rules, its maximum value cannot be realized. Just like any other contextual information, the threat intelligence must be actionable.
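The enrichment and "shades of gray" scoring described across the Internal Environment and External Sources sections above, as an added example (not Solutionary code or any product's API). Every context source is a constructed in-memory table standing in for the asset inventory, vulnerability scan results, privileged-user reference list, GeoIP database and reputation lists; the CVE id is a placeholder and the indicator weights and thresholds are assumptions chosen for illustration:

```python
"""Context enrichment and cumulative confidence scoring for a parsed alert.

Added example: all context tables, weights and thresholds below are constructed
assumptions, not data from any real environment or from the paper's author.
"""
import ipaddress

# Constructed asset inventory keyed by network address (identification),
# with attributes (criticality, regulatory scope), tags and scan findings.
ASSETS = {
    "10.20.30.7": {"hostname": "corp007", "criticality": "high",
                   "regulatory": {"PCI"},
                   "tags": {"geo": "Princeton", "bu": "payments"},
                   "vulns": {"CVE-XXXX-0001"}},        # placeholder CVE id
    "10.20.31.5": {"hostname": "inv-db-01", "criticality": "low",
                   "regulatory": set(),
                   "tags": {"geo": "Atlanta", "bu": "inventory"},
                   "vulns": set()},
}
PRIVILEGED_USERS = {"dba_admin", "root"}          # reference list
BUSINESS_COUNTRIES = {"US", "CA"}                 # where the company normally operates
GEOIP = {ipaddress.ip_network("198.51.100.0/24"): "BG",   # constructed GeoIP data
         ipaddress.ip_network("203.0.113.0/24"): "US"}
MALICIOUS_HOSTS = {"198.51.100.23"}               # reputation list (constructed)
PARTNER_WHITELIST = {"203.0.113.10"}              # trusted partner address

# Assumed indicator weights: no single indicator is dispositive; they accumulate.
WEIGHTS = {"critical_asset": 2, "regulated_asset": 2, "vuln_on_target": 3,
           "vuln_off_target": -2, "privileged_user": 2, "foreign_source": 2,
           "malicious_source": 3, "whitelisted_partner": -4}
THRESHOLDS = (("escalate", 6), ("investigate", 3))   # assumed cut-offs


def geoip_country(ip):
    """Return the country code for an address, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP.items():
        if addr in net:
            return country
    return None


def disposition(score):
    """Map a cumulative score to an analyst-facing disposition."""
    for name, floor in THRESHOLDS:
        if score >= floor:
            return name
    return "informational"


def enrich(alert):
    """Attach context, the list of matched indicators and a score to a parsed alert.

    alert keys: src_ip, dst_ip, optional user, optional cve (the CVE the
    triggering signature is associated with, if any).
    """
    out = dict(alert)
    indicators = []
    asset = ASSETS.get(alert["dst_ip"])
    if asset:
        out["asset"] = asset
        if asset["criticality"] == "high":
            indicators.append("critical_asset")
        if asset["regulatory"]:
            indicators.append("regulated_asset")
        cve = alert.get("cve")
        if cve:  # on-target / off-target check against scan results
            indicators.append("vuln_on_target" if cve in asset["vulns"]
                              else "vuln_off_target")
    if alert.get("user") in PRIVILEGED_USERS:
        indicators.append("privileged_user")
    country = geoip_country(alert["src_ip"])
    out["src_country"] = country
    if country and country not in BUSINESS_COUNTRIES:
        indicators.append("foreign_source")
    if alert["src_ip"] in MALICIOUS_HOSTS:
        indicators.append("malicious_source")
    if alert["src_ip"] in PARTNER_WHITELIST:
        indicators.append("whitelisted_partner")
    out["indicators"] = indicators
    out["score"] = sum(WEIGHTS[i] for i in indicators)
    out["disposition"] = disposition(out["score"])
    return out


if __name__ == "__main__":
    # Constructed alerts: a privileged login from a listed host against the PCI
    # server, and routine partner traffic to the inventory database.
    for sample in ({"src_ip": "198.51.100.23", "dst_ip": "10.20.30.7",
                    "user": "dba_admin", "cve": "CVE-XXXX-0001"},
                   {"src_ip": "203.0.113.10", "dst_ip": "10.20.31.5"}):
        e = enrich(sample)
        print(e["disposition"], e["score"], e["indicators"])
```

Because the whitelist entry carries a negative weight rather than suppressing the event outright, partner traffic is still recorded and can still escalate if enough other indicators (a known-vulnerable target, a privileged account) stack on top of it, which is the validation-instead-of-blocking behaviour the White / Black lists section describes.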

Global emerging and trending threats can be useful in understanding the tools and methods used by the individual hackers, hacking organizations and hacktivists that organizations may face. Hackers tend to be like most computer professionals: the tools and methods evolve over time, and the desire to use the latest and greatest is universal. In addition to the visibility provided by threat intelligence, organizations that leverage security vendors with a view across thousands of clients will have additional protection from attacks that the organization hasn't faced or even been made aware of. While global intelligence is a foundational contextual security component, many organizations overlook the importance of local context in their security program. Large national and international events that occur in the vicinity of an organization or that are related to the organization's industry can pose a serious threat to the organization. The ability to react to these local events with increased security scrutiny, including of privileged information and client data, can be the difference between being breached and remaining unscathed.

Sensor Data

Solutionary believes there are five distinct log and alert processing steps that must occur to build a context-aware security monitoring program:

1. Parsing: the first and last opportunity to extract the maximum amount of security value from a log line / alert. Parsing should not only extract common header-based information like IP addresses, ports, host names and log messages, but also extract data from specialty sources like database access monitoring, web application firewalls, application monitoring, data loss prevention, web gateways, proxies, mainframes and midrange systems. The goal should be to extract any useful information that can be integrated with contextual information during the enrichment phase. Often the security context present in these information sources is ignored and an opportunity to elevate the security monitoring program is lost.

2. Enrichment: defined as the gathering of external and intrinsic facts and circumstances that correspond to a log line / alert and relating them to that data. This step is where the hard work of defining, creating and maintaining the contextual information starts to pay off, and the capability of the context-aware platform starts to become evident. The ability to enrich millions of log lines as they are processed in real time will reveal any scalability weaknesses, and the ability to do lookups and searches on contextual data will uncover any capability weaknesses.

3. Classification: relating the security meaning of a device-specific log line / alert to a non-device-specific security meaning. Being able to abstract device-specific security meaning to a common security meaning allows the processing in steps 4 and 5 to be applied in a one-to-many fashion, which acts as a processing force-multiplier. In this way, the sheer number of analytics and correlation rules can be kept to a minimum while the granularity and effectiveness can be at a maximum.

4. Analytics: specialized processing engines that look for particular anomalies, behaviors, patterns or thresholds in the log and alert data. An example of a simple analytic engine is an invalid login analyzer. In order to be alerted when an actual brute-force login attack is being executed, but not be overwhelmed every time someone mistypes their login information, it's necessary to maintain state to not only identify when an invalid login occurs, but also when the state is reset by a subsequent valid login. The capability to maintain state within the analytic engines is key to applying the contextual information in the most effective way possible. This stateful contextual concept can be particularly effective when combined with industry-specific business operations.

5. Correlation: finding commonality and relationships among the results derived from the first four steps to identify the severity and extent of a security threat, compliance exception or privacy violation. The ability to perform cross-device correlation can allow context to be inherited across devices and raise the inherent contextual information across all devices involved in an incident. Complex event processing, combined with the analytics output, allows behavioral and situational correlation to occur across disparate log lines and alerts using the enriched contextual information, including threat, application and information intelligence.
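The five processing steps above, carried through end to end as an added example (not Solutionary code or any product's pipeline). The log lines are constructed, in two made-up device formats (an sshd-style line and a Windows-logon-style line) so that classification can map both to one common "auth_failure" / "auth_success" meaning; the invalid login analyzer keeps per-(user, source) state that a subsequent valid login resets, and the correlation step groups the analyzer's alerts by source across devices. The failure threshold and incident labels are assumptions:

```python
"""Parse -> classify -> stateful analytic -> cross-device correlation.

Added example; the log formats, threshold and incident labels are constructed
assumptions, not a description of any real product.
"""
import re
from collections import defaultdict

# Constructed log lines: two failed alice logins then a success (state reset),
# four failed bob logins on a Windows host, three failed carol logins over ssh,
# and one unrelated line the parser does not understand.
LOG_LINES = [
    "sshd[1]: Failed password for alice from 198.51.100.23 port 4410",
    "sshd[1]: Failed password for alice from 198.51.100.23 port 4411",
    "sshd[1]: Accepted password for alice from 198.51.100.23 port 4412",
    "WinLogon EventID=4625 TargetUserName=bob IpAddress=198.51.100.23",
    "WinLogon EventID=4625 TargetUserName=bob IpAddress=198.51.100.23",
    "WinLogon EventID=4625 TargetUserName=bob IpAddress=198.51.100.23",
    "WinLogon EventID=4625 TargetUserName=bob IpAddress=198.51.100.23",
    "kernel: eth0 link up",
    "sshd[1]: Failed password for carol from 198.51.100.23 port 4420",
    "sshd[1]: Failed password for carol from 198.51.100.23 port 4421",
    "sshd[1]: Failed password for carol from 198.51.100.23 port 4422",
]

# Step 1, parsing: device-specific extraction of user, source and raw outcome.
SSHD_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
WIN_RE = re.compile(r"WinLogon EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)")


def parse(line):
    """Return a normalised event dict, or None for lines we have no parser for."""
    m = SSHD_RE.search(line)
    if m:
        return {"device": "sshd", "raw": m.group(1), "user": m.group(2), "src": m.group(3)}
    m = WIN_RE.search(line)
    if m:
        return {"device": "windows", "raw": m.group(1), "user": m.group(2), "src": m.group(3)}
    return None


# Step 3, classification: device-specific outcome -> common security meaning,
# so one analytic below serves every device (one-to-many).
CLASSES = {("sshd", "Failed"): "auth_failure", ("sshd", "Accepted"): "auth_success",
           ("windows", "4625"): "auth_failure", ("windows", "4624"): "auth_success"}


def classify(event):
    event["class"] = CLASSES.get((event["device"], event["raw"]), "unknown")
    return event


# Step 4, analytics: a stateful invalid login analyzer.
class InvalidLoginAnalyzer:
    def __init__(self, threshold=3):        # threshold is an assumed value
        self.threshold = threshold
        self.failures = defaultdict(int)    # state keyed by (user, source)

    def feed(self, event):
        """Consume one classified event; return an alert when the threshold is hit."""
        key = (event["user"], event["src"])
        if event["class"] == "auth_success":
            self.failures.pop(key, None)    # a valid login resets the state
            return None
        if event["class"] != "auth_failure":
            return None
        self.failures[key] += 1
        if self.failures[key] == self.threshold:   # fire once, at the threshold
            return {"analytic": "invalid_login", "user": event["user"],
                    "src": event["src"], "device": event["device"],
                    "count": self.threshold}
        return None


# Step 5, correlation: relate analytic output across devices by source address.
def correlate(alerts):
    by_src = defaultdict(lambda: {"users": set(), "devices": set()})
    for a in alerts:
        by_src[a["src"]]["users"].add(a["user"])
        by_src[a["src"]]["devices"].add(a["device"])
    incidents = {}
    for src, rec in by_src.items():
        kind = "multi_target_brute_force" if len(rec["devices"]) > 1 else "brute_force"
        incidents[src] = {"kind": kind, "users": sorted(rec["users"]),
                          "devices": sorted(rec["devices"])}
    return incidents


def run_pipeline(lines):
    """Run all steps over raw lines; return (analytic alerts, correlated incidents)."""
    analyzer = InvalidLoginAnalyzer()
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        alert = analyzer.feed(classify(event))
        if alert:
            alerts.append(alert)
    return alerts, correlate(alerts)


if __name__ == "__main__":
    found, incidents = run_pipeline(LOG_LINES)
    for a in found:
        print("alert:", a)
    print("incidents:", incidents)
```

The enrichment step (step 2) is where the asset, user and GeoIP lookups from the earlier sections would be attached to each event before the analytic runs; it is left as a pass-through here so the example stays focused on the state handling and the one-to-many effect of classification. Note that alice's two mistyped passwords never produce an alert, while bob's and carol's failures from the same source, seen on different device types, are tied together by correlation into one incident.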

Putting It All Together

As discussed, a context-aware security platform is key to realizing actionable intelligence. When the solution used to manage security technology is automatically enriched with context about the IT environment, security effectiveness, efficiency and flexibility can be improved. A context-aware security and compliance platform is able to collect and correlate vast amounts of data from virtually any device or application capable of producing a log file, including non-security contextual elements like routers, mail servers and desktops. The contextual clues present in the platform help security analysts understand and validate security events in order to make better decisions about escalation and/or mitigation. The following graphics illustrate how all of the components of a context-aware security monitoring program can be brought to realization:

Figure 2

Figure 2 demonstrates that certain security devices can provide context from a micro perspective within the scope of their own operation. The amount of context varies from the next-generation devices on the higher end to relatively dumb devices like routers and switches at the lower end of the scale. Other charts will show that by using cross-device correlation, context can be leveraged across all of an organization's devices.

Figure 3

Figure 3 shows the impact that incorporating both environmental and external context has on a context-aware security monitoring program. The rising tide of the macro context has lifted the micro context inherent to the various devices in the infrastructure. As more devices are added, the amount of context increases.

Figure 4

Figure 4 illustrates the cross-device correlation discussed previously. By correlating across devices, the logs and alerts from lower-context devices can inherit the context from the higher intrinsic-context devices.

Figure 5

Figure 5 depicts the combination of threat, application and information intelligence and the processing rules built using these contextual sources to increase the effectiveness of the context-aware security monitoring program.

Real-life Examples

Improving Security Effectiveness and Protection with Contextual Security: a Retail Example

Proper context enables more effective protection for data and the IT environment. Consider a large retailer as an example. The company has security controls in place for its inventory system, supply chain and payment processing systems, as well as the network infrastructure to support internal communications and an external customer portal. All of these systems are critical, so how should the business prioritize and maximize security across its environment with a limited budget and resources? Context provides the answer. For example, the environment subject to Payment Card Industry Data Security Standard (PCI DSS or PCI) compliance should receive more advanced security controls than the inventory system. Both systems are important, but stronger controls in the area containing PCI data will streamline auditing and protect credit card data more effectively. Concerns about inventory data privacy are likely not as strong. Contextual awareness in a security management platform also keeps organizations better prepared to respond to security issues. With visibility into what servers are hosting what data and the level of privacy associated with that data, the security team can make the most effective decisions when facing a combined threat. Many attacks today employ diversionary tactics to hide their attempts to steal data. This can leave a security team scrambling to prioritize protection and mitigation. For example, a Distributed Denial of Service (DDoS) attack or defacement of a public-facing Web site may be used to distract the security team from a more sinister information theft or breach. The diversion may also be used to slow down the security response. Contextual awareness combats this problem, giving the security analysts the intelligence and visibility to make the right decisions. If a public-facing Web site is defaced, the security team may not need to react as urgently to that issue as to an attack on the customer portal, which houses private credit card data. Without security context, an organization might know that it's being attacked. With good context, however, the organization will know that 12 of the 15 servers in the PCI environment are being attacked from an internal IP address in the Atlanta office. Good context may even provide enough visibility to know that one of the systems being attacked is corp007, a Windows server that houses the cardholder database, located in the Princeton, N.J. data center, row 3, rack A12. That level of detail can make the difference between the theft of thousands of customer credit card numbers and a successful mitigation that protects critical data.

Making Security Technology and Resources More Efficient: Saving Time and Money

With attack surfaces expanding and vulnerabilities a permanent part of every IT environment, security efficiency is paramount. In most organizations, security resources and budgets are already stretched thin, and each issue can seem like an emergency. This is not a sustainable model for enterprise security. Insightful organizations are using contextual awareness to work smarter, not harder. They are relying on context in their security management platform to do more with the same amount of resources.

Context also plays an integral part in winnowing millions of potential security events down to just a few actionable, auditable security tickets. For many enterprises, this can produce significant cost and resource savings. Consider a core banking system that processes daily transactions and posts updates to accounts and other financial records. Many banks will dedicate one or more internal security resources to monitor these systems for privileged-user access, insider and external threats.

A contextual security and compliance management platform can provide the same or a higher level of security by collecting and correlating the following information:

- Monitoring for technologies/devices, including mid-range and mainframe systems, applications, databases, network and security devices, servers and endpoints
- Privileged-user monitoring, tracking and audit reporting
- Identity, vulnerability and asset information integration
- Content-aware data loss prevention
- Malicious host identification and detection

With this information housed centrally and augmented with underlying context about the type, location, business unit and importance of assets, the bank can rely on the security management portal and 24/7 dedicated monitoring from a Managed Security Service Provider (MSSP) to protect its core systems for the same, or even a reduced, cost. Subsequently, the internal security resources can be redirected to more mission-critical and revenue-supporting initiatives.

Achieving Flexibility: Examples of Applying Security Where and When it's Needed Most

The more that an organization knows about its environment, the more appropriate and precise it can make the security controls used to protect that environment on an ongoing basis. Contextual security also encompasses both a top-down business perspective and a bottom-up operational perspective, giving organizations greater flexibility to meet a variety of demands. Security flexibility can enable business executives to analyze the company's security profile and comply with regulations like the Health Insurance Portability and Accountability Act (HIPAA), frameworks like HITRUST, and other industry or internal standards. At the same time, it can help operational resources with real-time monitoring and management, and 24/7 proactive security for the entire network.

For a healthcare organization, security context helps apply protection efficiently and effectively across all enterprise assets. Healthcare systems and applications tend to be specific to the user base, numerous and of widely varying technology and security capabilities. Without context, the organization attempts to blanket security across these varying assets, protecting the entire attack surface as much as possible given limited budgets and resources. By adding context to the security management platform, the same healthcare organization is able to apply intelligent, proactive security in a flexible and cost-effective manner. Context enables granular access and use monitoring to enforce security and compliance policies within a specific set of leading healthcare applications. Healthcare application security monitoring can be extended with identity information logged from resource directories or other outside data sources.

Context enables a healthcare organization to identify the most critical servers for 15-minute security incident service level agreements (SLAs) with its MSSP. Assets deemed to be a second-level security priority still receive protection, but at a lower SLA (typically with a lower cost for monitoring). This provides protection for critical and non-critical assets, while maximizing budget and resources.
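The retail scenario (12 of 15 PCI servers attacked from an internal address in the Atlanta office, with corp007 identified down to its rack), the bank's winnowing of raw events into a few tickets, and the healthcare SLA tiers all rest on the same mechanism: an alert from a low-context device inherits what the asset inventory knows about its target and what the site map knows about its source, and that enriched record drives priority, response SLA and grouping. The Python below is an added example written for this page, not Solutionary or ActiveGuard code. The asset inventory, site ranges, criticality and data weights, SLA tiers and raw alert lines are all constructed; host names, addresses and rack positions are illustrative assumptions.

```python
"""Context-aware alert enrichment and ticketing.

Added example, not Solutionary or ActiveGuard code. The asset inventory,
site map, weighting tables, SLA tiers and raw alerts are all constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed asset inventory (the internal context): 15 servers in the PCI
# environment, an inventory server and a public web server.
ASSETS = {}
for i in range(1, 16):
    ASSETS[f"10.20.1.{i}"] = {
        "host": f"corp{i:03d}", "pci": True, "crit": "critical",
        "site": "Princeton DC", "rack": f"row 3, rack A{i:02d}",
        "data": "cardholder database" if i == 7 else "payment processing"}
ASSETS["10.30.5.21"] = {"host": "inv021", "pci": False, "crit": "high",
                        "site": "Princeton DC", "rack": "row 5, rack B02",
                        "data": "inventory"}
ASSETS["203.0.113.10"] = {"host": "www01", "pci": False, "crit": "medium",
                          "site": "Princeton DC", "rack": "row 1, rack C01",
                          "data": "public web site"}

# Constructed site map (internal stand-in for GeoIP) and weighting tables.
SITES = [(ipaddress.ip_network("10.20.0.0/16"), "Princeton DC"),
         (ipaddress.ip_network("10.30.0.0/16"), "Princeton DC"),
         (ipaddress.ip_network("10.77.0.0/16"), "Atlanta office")]
CRIT_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
DATA_WEIGHT = {"cardholder database": 3, "payment processing": 2}  # else 1
SLA_MINUTES = {"critical": 15, "high": 60, "medium": 240, "low": 1440}
UNKNOWN = {"host": "unknown", "pci": False, "crit": "low", "site": "unknown",
           "rack": "", "data": "unclassified"}


def locate(ip):
    """Return the office an address belongs to, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for net, name in SITES:
        if addr in net:
            return name
    return "external"


def enrich(alert):
    """Let a low-context device alert inherit asset and location context.

    The raw alert carries only a signature, source, destination and the
    device's own severity (1-5). The score multiplies that severity by the
    target's criticality and data sensitivity, doubles it inside PCI scope,
    and adds a bump when the source is internal (compromised host or insider).
    """
    asset = ASSETS.get(alert["dst"], UNKNOWN)
    src_site = locate(alert["src"])
    score = (alert["severity"] * CRIT_WEIGHT[asset["crit"]]
             * DATA_WEIGHT.get(asset["data"], 1))
    if asset["pci"]:
        score *= 2
    if src_site != "external":
        score += 5
    return {**alert, **asset, "src_site": src_site, "score": score,
            "sla_minutes": SLA_MINUTES[asset["crit"]]}


def to_tickets(alerts):
    """Winnow many alerts into one ticket per (source, PCI scope), highest first."""
    groups = defaultdict(list)
    for a in map(enrich, alerts):
        groups[(a["src"], a["pci"])].append(a)
    tickets = []
    for (src, pci), evs in groups.items():
        top = max(evs, key=lambda e: e["score"])
        targets = sorted({e["host"] for e in evs})
        in_scope = sum(1 for a in ASSETS.values() if a["pci"] == pci)
        tickets.append({
            "src": src, "src_site": top["src_site"], "pci": pci,
            "targets": targets, "scope_hit": f"{len(targets)} of {in_scope}",
            "score": top["score"],
            "sla_minutes": min(e["sla_minutes"] for e in evs),
            "summary": f"{top['host']} ({top['data']}, {top['site']}, "
                       f"{top['rack']})"})
    return sorted(tickets, key=lambda t: -t["score"])


# Constructed raw alerts: a noisy defacement campaign against the web server
# plus a quieter internal scan that touches 12 of the 15 PCI servers.
RAW_ALERTS = [{"sig": "HTTP defacement attempt", "src": "198.51.100.9",
               "dst": "203.0.113.10", "severity": 5}] * 40
RAW_ALERTS += [{"sig": "SMB share enumeration", "src": "10.77.3.4",
                "dst": f"10.20.1.{i}", "severity": 2} for i in range(1, 13)]

if __name__ == "__main__":
    for t in to_tickets(RAW_ALERTS):
        print(f"score={t['score']:>3} sla={t['sla_minutes']:>4}m "
              f"src={t['src']} ({t['src_site']}) pci={t['pci']} "
              f"hit {t['scope_hit']} -> {t['summary']}")
```

Run as a script, the 52 raw alerts collapse into two tickets, and the PCI ticket prints first with a 15-minute SLA even though its device severity (2) is lower than the defacement alerts (5): the context, not the sensor, decides the order, which is exactly what defeats the diversion described above. The scoring is only as good as the inventory behind it. An unknown destination falls back to the low-criticality default here, so a stale or incomplete asset list silently deprioritizes the hosts that were never tagged; keeping the inventory current is part of the control, not an afterthought.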

The Solutionary Answer

Log Monitoring and Management services powered by the ActiveGuard service platform provide 24/7 context-aware security monitoring for organizations of all sizes. The patented, cloud-based ActiveGuard platform is the context-aware technology behind Solutionary services. ActiveGuard is able to accurately collect and correlate vast amounts of contextual data from virtually any application or device capable of producing a log file, including applications, databases, endpoints, firewalls, IDS/IPS, UTMs, WAFs, FIMs and network devices. ActiveGuard enriches collected security data with a variety of contextual information, such as vulnerabilities, assets, GeoIP, malicious hosts, and privileged and non-privileged users, to detect threats and increase accuracy. The contextual awareness in ActiveGuard acts as a force multiplier, enabling Solutionary to improve security while making it more efficient.

With ActiveGuard, clients can tag assets according to a variety of classification factors, including geography, business unit, technology, criticality and more. ActiveGuard also captures information about users and their roles. Even non-contextual information can inherit context in ActiveGuard. This provides internal security staff and analysts in the Solutionary Security Operation Centers (SOCs) with an asset- and user/role-based understanding of the client infrastructure, which enhances security decision-making.

Figure 6

ActiveGuard uses multiple detection methods, including signatures, anomaly detection, statistical analysis, heuristics and global threat intelligence from the Solutionary Security Engineering Research Team (SERT), to detect threats. Security experts in the Solutionary SOCs provide additional analysis, validation and response management for security threats. The advanced analytics in ActiveGuard, in combination with threat intelligence from SERT, help to recognize Advanced Persistent Threats (APTs) and zero-day attacks. With a large, diverse client base, Solutionary is able to leverage intelligence across thousands of clients to detect and respond to advanced and emerging threats faster than clients' internal teams are otherwise capable.

Solutionary delivers context-aware security monitoring as a managed service that complements and optimizes the existing security infrastructure. Expert, certified analysts in the Solutionary SOCs work as an extension of client teams as a trusted partner, allowing clients to focus efforts on more strategic initiatives.

Learn More

To learn more about contextual security and find ways to implement it in your security plan, contact Solutionary, the leading pure-play MSSP.

About Solutionary

Solutionary is the leading pure-play managed security services provider. Solutionary reduces the information security and compliance burden, delivering flexible managed security services that align with client goals, enhancing organizations' existing security program, infrastructure and personnel. The company's services are based on experienced security professionals, global threat intelligence from the Solutionary Security Engineering Research Team (SERT) and the patented ActiveGuard service platform. Solutionary works as an extension of clients' internal teams, providing industry-leading customer service, patented technology, thought leadership, years of innovation and proprietary certifications that exceed industry standards. This client focus and dedication to customer service has enabled Solutionary to boast a client retention rate of over 98%. Solutionary provides 24/7 services to mid-market and global enterprise clients through multiple security operations centers (SOCs) in North America.

Contact Solutionary at: info@solutionary.com

ActiveGuard US Patent Numbers: 7,168,093; 7,424,743; 6,988,208; 7,370,359; 7,673,049; 7,954,159. Solutionary, the Solutionary logo, ActiveGuard and the ActiveGuard logo are registered trademarks or service marks of Solutionary, Inc. or its subsidiaries in the United States. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2012 Solutionary, Inc. Solutionary.com. Solutionary, Inc., Underwood Ave., 3rd Floor, Omaha, NE. WP 09/12


More information

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan WHITE PAPER Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan Introduction to Data Privacy Today, organizations face a heightened threat landscape with data

More information

Breaking down silos of protection: An integrated approach to managing application security

Breaking down silos of protection: An integrated approach to managing application security IBM Software Thought Leadership White Paper October 2013 Breaking down silos of protection: An integrated approach to managing application security Protect your enterprise from the growing volume and velocity

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

SIEM Implementation Approach Discussion. April 2012

SIEM Implementation Approach Discussion. April 2012 SIEM Implementation Approach Discussion April 2012 Agenda What are we trying to solve? Summary Observations from the Security Assessments related to Logging & Monitoring Problem Statement Solution Conceptual

More information

The PCI Dilemma. COPYRIGHT 2009. TecForte

The PCI Dilemma. COPYRIGHT 2009. TecForte The PCI Dilemma Today, all service providers and retailers that process, store or transmit cardholder data have a legislated responsibility to protect that data. As such, they must comply with a diverse

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

How to Secure Your SharePoint Deployment

How to Secure Your SharePoint Deployment WHITE PAPER How to Secure Your SharePoint Deployment Some of the sites in your enterprise probably contain content that should not be available to all users [some] information should be accessible only

More information

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:

More information

Attack Intelligence: Why It Matters

Attack Intelligence: Why It Matters Attack Intelligence: Why It Matters WHITE PAPER Core Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com A Proactive Strategy Attacks against your organization are more prevalent than ever,

More information

PCI DSS READINESS AND RESPONSE

PCI DSS READINESS AND RESPONSE PCI DSS READINESS AND RESPONSE EMC Consulting Services offers a lifecycle approach to holistic, proactive PCI program management ESSENTIALS Partner with EMC Consulting for your PCI program management and

More information

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture

More information

The Hillstone and Trend Micro Joint Solution

The Hillstone and Trend Micro Joint Solution The Hillstone and Trend Micro Joint Solution Advanced Threat Defense Platform Overview Hillstone and Trend Micro offer a joint solution the Advanced Threat Defense Platform by integrating the industry

More information

Securing Internet Payments across Europe. Guidelines for Detecting and Preventing Fraud

Securing Internet Payments across Europe. Guidelines for Detecting and Preventing Fraud Securing Internet Payments across Europe Guidelines for Detecting and Preventing Fraud Table of Contents Executive Summary Protecting Internet Payments: A Top Priority for All Stakeholders European Central

More information

Feature. Log Management: A Pragmatic Approach to PCI DSS

Feature. Log Management: A Pragmatic Approach to PCI DSS Feature Prakhar Srivastava is a senior consultant with Infosys Technologies Ltd. and is part of the Infrastructure Transformation Services Group. Srivastava is a solutions-oriented IT professional who

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

Cisco SAFE: A Security Reference Architecture

Cisco SAFE: A Security Reference Architecture Cisco SAFE: A Security Reference Architecture The Changing Network and Security Landscape The past several years have seen tremendous changes in the network, both in the kinds of devices being deployed

More information

Automated Firewall Change Management. Ensure continuous compliance and reduce risk with secure change management workflows

Automated Firewall Change Management. Ensure continuous compliance and reduce risk with secure change management workflows Automated Firewall Change Management Ensure continuous compliance and reduce risk with secure change management workflows JANUARY 2015 Executive Summary Firewall management has become a hot topic among

More information

Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events

Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events Abstract Effective Security Operations throughout both DoD and industry are requiring and consuming unprecedented

More information

SP Monitor. nfx One gives MSPs the agility and power they need to confidently grow their security services business. NFX FOR MSP SOLUTION BRIEF

SP Monitor. nfx One gives MSPs the agility and power they need to confidently grow their security services business. NFX FOR MSP SOLUTION BRIEF NFX FOR MSP SOLUTION BRIEF SP Monitor Jump Start Security-as-a-Service Designed to give you everything you need to get started immediately providing security-as-a service, SP Monitor is a real-time event

More information

Extreme Networks Security Analytics G2 Vulnerability Manager

Extreme Networks Security Analytics G2 Vulnerability Manager DATA SHEET Extreme Networks Security Analytics G2 Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution HIGHLIGHTS Help prevent security breaches by discovering

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

GLOBAL THREAT INTELLIGENCE REPORT EXECUTIVE SUMMARY

GLOBAL THREAT INTELLIGENCE REPORT EXECUTIVE SUMMARY GLOBAL THREAT INTELLIGENCE REPORT EXECUTIVE SUMMARY Executive Summary ii Caption: Attacks b % of events 6% 8% 2% 10% 12% 4% THE CHANGING NATURE OF SECURITY Digital businesses are difficult to launch and

More information

DEMONSTRATING THE ROI FOR SIEM

DEMONSTRATING THE ROI FOR SIEM DEMONSTRATING THE ROI FOR SIEM Tales from the Trenches HP Enterprise Security Business Whitepaper Introduction Security professionals sometimes struggle to demonstrate the return on investment for new

More information

Enabling Security Operations with RSA envision. August, 2009

Enabling Security Operations with RSA envision. August, 2009 Enabling Security Operations with RSA envision August, 2009 Agenda What is security operations? How does RSA envision help with security operations? How does RSA envision fit with other EMC products? If

More information

IBM Security Intrusion Prevention Solutions

IBM Security Intrusion Prevention Solutions IBM Security Intrusion Prevention Solutions Sarah Cucuz sarah.cucuz@spyders.ca IBM Software Solution Brief IBM Security intrusion prevention solutions In-depth protection for networks, servers, endpoints

More information

End-to-End Application Security from the Cloud

End-to-End Application Security from the Cloud Datasheet Website Security End-to-End Application Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-of-breed

More information

How To Create An Insight Analysis For Cyber Security

How To Create An Insight Analysis For Cyber Security IBM i2 Enterprise Insight Analysis for Cyber Analysis Protect your organization with cyber intelligence Highlights Quickly identify threats, threat actors and hidden connections with multidimensional analytics

More information

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst ESG Brief Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: Large organizations have spent millions of dollars on security

More information

SYMANTEC MANAGED SECURITY SERVICES. Superior information security delivered with exceptional value.

SYMANTEC MANAGED SECURITY SERVICES. Superior information security delivered with exceptional value. SYMANTEC MANAGED SECURITY SERVICES Superior information security delivered with exceptional value. A strong security posture starts with a smart business decision. In today s complex enterprise environments,

More information

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Automating policy enforcement to prevent endpoint data loss IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Highlights Facilitate policy-based expertise and

More information