White Paper. Key considerations for security intelligence in big data. what a CISO needs to know


White Paper: Key considerations for security intelligence in big data
A White Paper by Bloor Research
Author: Fran Howarth
Publish date: February 2013

"The onus is on every CISO to go on the offensive to ensure that security is intelligence-led, holistic across the enterprise and part of the overall risk management process." Fran Howarth

Executive summary

Today, all organisations face threats from targeted, sophisticated attacks by well-resourced and motivated criminals who are looking to conduct industrial espionage for the purpose of stealing trade secrets or intellectual property, to disrupt operations or to cause damage to vital infrastructure. The exploits that they use are much harder to defend against than those of yesteryear, and many are specifically designed to defeat traditional, reactive security controls that are only useful in guarding against known threats.

In the light of factors such as these, a new approach to security is needed: one that takes an integrated, systemic approach to security as part of an organisation's overall risk management efforts. This needs to be driven by intelligence garnered from data sources throughout the organisation, combined with that from external sources. The ability to harness actionable data from such sources will allow organisations to better predict, uncover and defend against attacks using exploits not previously seen. In this way, they can reduce the overall risks that they face and the overall security of their operations will be boosted.

However, organisations are generating huge and ever-growing volumes of information from their networks, including that related to security, and the ability to collect, analyse and correlate vast volumes of data from disparate sources in various formats poses a real challenge that requires the use of specialised tools.

This document discusses the need for an intelligence-driven security approach and aims to provide pointers for security executives regarding what the components of a security intelligence programme should be, and other considerations to bear in mind during the selection or upgrade process.

Fast facts

A security intelligence platform requires big data capabilities to allow organisations to harness and make sense of massive volumes of data. The system must be capable of continuous real-time monitoring and automated historical correlation so that threats are discovered in a timely manner, and should also store all data for forensic and compliance purposes. The platform must integrate and interface with multiple information sources as well as other security and IT controls in use in the organisation.

The bottom line

Automated, intelligence-driven tools will enable an organisation to turn massive and varied information sources into actionable intelligence that will improve its ability not only to defend against advanced threats and illicit activity in real time, but also to perform forensic analysis to ascertain how an attacker gained a foothold on the network. Such intelligence will boost its ability to determine which threats and vulnerabilities are the most relevant and severe, allowing it to better prioritise its defences and fine-tune its security policies. Its ability to perform internal and external investigations will also be enhanced, as will its ability to meet corporate governance and regulatory compliance objectives. This will put the organisation in a position not only to improve IT security, but also to manage the overall risk that it faces in a holistic manner.

A Bloor White Paper Bloor Research

New security model required for today's threat landscape

The threat landscape that organisations face today is characterised by increasingly complex, sophisticated attacks that combine a range of techniques in an effort to make their payloads more effective. Rather than being launched en masse, as was the case with malware attacks just a decade ago, they are now increasingly targeted at individual organisations, with those targets painstakingly researched and the attacks customised for them. This has given rise to the term zero-day threat, signifying a threat that is seen for the first time and for which security controls, such as signatures, have not yet been developed.

Security incidents are so common today that, according to research undertaken by PricewaterhouseCoopers and Infosecurity Europe in 2012, 93% of large organisations surveyed had suffered at least one security breach in the previous year [1]. As attacks grow ever more sophisticated, they are also increasingly aimed at the most valuable information possessed by organisations: their intellectual property and trade secrets. Recent research from the Ponemon Institute shows that the theft of information assets was the most serious consequence of a cyber attack, cited by 59% of respondents [2].

Figure 1: Most serious consequences of cyber attacks

"An APT is a game changing use of custom malware and cyber attacks to defeat multiple layers of defence, achieve a specific desired objective and evolve over time to remain undetected." AT&T

The term advanced persistent threat (APT) has been coined to describe the latest highly sophisticated attacks being seen. APT refers to attacks that use multiple techniques and methods, aiming to obfuscate their presence to avoid detection. According to the SANS Institute, more than half of Fortune 500 organisations have been compromised by APTs, although organisations of any size can be a target: for example, those that supply to larger organisations may provide a route into those organisations that is attractive to criminals.

The fact that such attacks are harder to defend against can be seen in data from the most recent Data Breach Investigations Report from Verizon Business, which found that breaches are taking longer to discover, with 85% taking weeks or more in 2011, up 6% over the previous year [3]. The same report also shows that 92% of security breaches were discovered not by the organisation that was the victim of the attack, but by third parties, whereas only 4% were discovered by active internal methods that include intrusion detection and prevention systems, log monitoring and antivirus controls. Just 1% of organisations found breaches by reviewing and analysing log records, despite the fact that 84% had log evidence available for forensic investigation. Verizon Business states that log analysis is more effective for breach detection than nearly all other methods available.

As well as attacks becoming more insidious, the number and range of threat vectors available to criminals is increasing. Where once an organisation was like a fortress, with clearly defendable perimeters and a limited number of systems attached to networks that were almost always under the control of the IT department, those perimeters have all but been eroded. Almost every organisation now enables users to access the network via mobile devices, including those that are owned by the users themselves and that are outside the direct control of IT, and many more services are provided in the cloud or via web-enabled applications from external parties. Other vectors of attack that are being opened up include equipment that was traditionally accessed only over closed, proprietary networks and is now being internet-enabled, such as SCADA industrial automation control systems, and devices that were previously analogue, such as electricity meters, being digitally enabled and accessed over open networks.

The increasing sophistication of attackers, often motivated by factors beyond mere financial gain, and the proliferation of threat vectors that are often outside the direct control of an organisation, require that organisations adopt new security models based on proactive defences. A model based on static security controls that defend only against those threats previously identified, and based solely within the perimeters of networks, is not up to the task of defending against today's threats.

Security executives need to focus on intelligence-driven security

The complexity of today's threat landscape requires that a more proactive defensive stance be taken. Rather than focusing on crisis response and compliance, security executives need to take an integrated, systemic approach to security that engenders holistic, enterprise-wide risk management. This requires that security executives, who today generally have the title of Chief Information Security Officer (CISO), assume a business, rather than technical, leadership role that better aligns security needs with business goals, risk appetite, liability concerns, and legal and compliance needs. According to research from the Ponemon Institute, organisations that give responsibility for data protection to the CISO are able to reduce the average cost of a data breach per compromised record by slightly more than two-fifths [4].

A more holistic, proactive stance on security requires moving from one based on fire-fighting incidents to one based on risk mitigation and breach avoidance. This involves the identification, assessment and prioritisation of the risks that the organisation faces, as well as efforts to reduce the impact of those risks. In order to achieve this, organisations need to adopt an intelligence-driven security model that is based on information regarding not only the threats that they face, but how those threats impact their security posture, in order to prevent, detect and predict attacks, make better risk decisions based on context and develop better defensive strategies. In order to obtain the actionable intelligence that organisations need, whether for early threat detection or for historical analysis to track advanced threats over time, they need to better collect and analyse the reams of security-related information that is generated within their networks and correlate that with external intelligence feeds, including real-time threat intelligence.
The more information that is collected, the greater the chance of finding malicious signals that point to security incidents that are occurring or that have occurred, improving an organisation's ability to reduce its overall risk throughout its network. By collecting, analysing and correlating information from multiple sources in varied formats, organisations will be able to detect patterns that would not be possible to discover if they were looking at each source in isolation. For example, an event log indicating that a password has been reset does not by itself necessarily indicate that security has been breached. But when that reset is correlated with help desk tickets and it can be seen that no ticket has been raised for that event, it could indicate that someone has made that change without authorisation. Similarly, correlating employee network login events with physical access records could flag suspicious behaviour: a user logged in to the network from an office location for which there is no entry record could indicate that another user is impersonating them. Correlating and analysing log and event data from multiple sources provides the overall picture of the entire landscape so that gaps in security can be weeded out.

However, making sense of that information is a daunting task given the vast and ever-growing volumes of information. This includes information not just from traditional sources within the network, such as log and event data from internal systems, but also from an expanding range of peripheral sources as more and more systems and devices, from mobile devices to industrial control systems such as sensors, are attached to networks. Every device that connects to the network produces valuable security information that can provide insights that will help the organisation to manage and reduce the overall risks that it faces and will boost the overall security of operations.
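The two correlations described above, implemented over constructed sample records as an added example (this is not code from the Bloor paper or from any product it discusses). The record field names, the matching time windows and the sample users are all assumptions made for the illustration; a real deployment would map them onto whatever the directory, help desk and badge systems actually emit.

```python
"""Cross-source correlation over constructed sample records (added example;
not code from the Bloor paper).  It implements the two scenarios the paper
describes: a password reset with no supporting help-desk ticket, and a
network login from an office where the user has no badge entry.
All field names and records below are constructed assumptions."""
from datetime import datetime, timedelta

# Constructed sample: password-reset events from a directory server log.
PASSWORD_RESETS = [
    {"ts": "2013-02-11T09:02:00", "user": "alice"},
    {"ts": "2013-02-11T13:45:00", "user": "bob"},
    {"ts": "2013-02-11T22:10:00", "user": "carol"},
]
# Constructed sample: help-desk tickets (the authorisation trail for resets).
HELPDESK_TICKETS = [
    {"opened": "2013-02-11T08:50:00", "user": "alice", "type": "password_reset"},
    {"opened": "2013-02-11T13:40:00", "user": "bob", "type": "unlock_account"},
]
# Constructed sample: interactive network logins tagged with the office site.
NETWORK_LOGINS = [
    {"ts": "2013-02-11T08:55:00", "user": "alice", "site": "london"},
    {"ts": "2013-02-11T09:30:00", "user": "dave", "site": "london"},
    {"ts": "2013-02-11T10:00:00", "user": "erin", "site": "paris"},
]
# Constructed sample: physical access (badge) entries per site.
BADGE_ENTRIES = [
    {"ts": "2013-02-11T08:40:00", "user": "alice", "site": "london"},
    {"ts": "2013-02-11T09:50:00", "user": "erin", "site": "paris"},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def _has_match(event_time, candidates, time_key, window, **fields):
    """True if some candidate carries the given field values and a timestamp
    in the window immediately before (or at) event_time."""
    for c in candidates:
        if all(c.get(k) == v for k, v in fields.items()):
            if event_time - window <= _t(c[time_key]) <= event_time:
                return True
    return False


def unticketed_resets(resets, tickets, window=timedelta(hours=2)):
    """Password resets with no password_reset ticket for that user opened
    within `window` before the reset.  Returns the affected user names."""
    return [r["user"] for r in resets
            if not _has_match(_t(r["ts"]), tickets, "opened", window,
                              user=r["user"], type="password_reset")]


def logins_without_entry(logins, entries, window=timedelta(hours=1)):
    """Office logins with no badge entry by the same user at the same site
    within `window` before the login.  Returns (user, site) pairs."""
    return [(lg["user"], lg["site"]) for lg in logins
            if not _has_match(_t(lg["ts"]), entries, "ts", window,
                              user=lg["user"], site=lg["site"])]


def correlate():
    """Run both correlations and return the findings in one dict, ready to
    hand to an alerting step rather than only being printed."""
    return {
        "unauthorised_reset": unticketed_resets(PASSWORD_RESETS, HELPDESK_TICKETS),
        "login_without_badge": logins_without_entry(NETWORK_LOGINS, BADGE_ENTRIES),
    }


if __name__ == "__main__":
    for finding, hits in correlate().items():
        print(finding, hits)
```

The matching windows are the important design decision: too narrow and a legitimately ticketed reset is flagged because the ticket was raised an hour earlier; too wide and a genuine unauthorised change hides behind an old, unrelated ticket. In the sample data, bob's reset is flagged because his only ticket is for an account unlock, not a reset, and dave's London login is flagged because no badge entry exists for him at that site.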
As volumes of data grow, the term big data has been coined to describe just how big the volumes of data that need to be analysed have become. According to the Cloud Security Alliance, 2.5 quintillion (10^18) bytes of data are created every day, and data volumes are growing so fast that 90% of the data in the world was created in the last two years alone [5]. Forrester Research estimates that volumes of corporate data are growing at 94% on a year-on-year basis.

The need for better security intelligence and the sheer volumes of big data require better performance in terms of information management and analysis. Traditional approaches to business intelligence analysis were largely suited to small-scale data sets of relatively homogeneous, structured data. Today, vast amounts of information are in unstructured form, such as the body of messages and intelligence related to new threat variants. This is particularly true of security-related information, which requires dynamic collection and analysis of data feeds or behaviours observed from events recorded in real time, or as near to that as possible.

Figure 2: Example of big data produced by a customer with 100,000 employees

Event data collected: over 6 billion records loaded per day, amounting to nearly 2 terabytes of data collected per day, made up of over 600 million proxy records, 4 billion DNS records, 30 million DHCP records and 1.6 billion Windows event log records.

Event data correlated and stored: 2 trillion records scanned per day, with query results delivered in minutes.

The requirements of big data security analytics

The dynamic, streaming nature of security-related information and the sheer volume and variety of big data feeds require a security intelligence capability that provides robust big data analytics. The primary functions that such a platform must support are:

- The collection, normalisation and analysis of data generated throughout the network.
- The ability to monitor all actions taken by users, applications and systems that are connected to the network in real time, placing those actions in the context of expected behaviour and sifting out suspicious or unexpected behaviour that could indicate a security threat or vulnerability. Such monitoring, correlation and analysis must be performed on a continuous basis so that all suspicious events are flagged.
- Alerting on incidents that require further investigation so that remediation can be taken in a timely and efficient manner.
- Support for forensic investigations to piece together trends over time and show how incidents occurred, and for legal and e-discovery requests.
- Reports and audit trails to aid in achieving corporate governance and regulatory compliance objectives.
- Advanced analytic capabilities that are able to harness and make sense of massive volumes of data from an ever-growing range of disparate sources.
- Effective visualisation capabilities that can present the analysis to organisations in a clear, integrated format that aids their decision making.
- Integration with a range of security tools and product segments that include security information and event management, log management, network monitoring, user authentication and authorisation, identity management, endpoint management, database activity monitoring, threat mitigation, fraud detection, and governance, risk and compliance.
- Integration with external information sources, including real-time threat management feeds.
- The ability to leverage information from across the organisation to ascertain, for example, where policies are effective and where they are not, and to use such insight to fine-tune processes and policies for continuous security improvement.

The benefits of big data analytics for security intelligence

The use of automated tools to turn such information into actionable intelligence provides organisations with the situational awareness to improve their overall security posture, enabling them to reduce risk by spotting breaches earlier and by being able to respond more quickly to breaches through rapid investigation of information collected centrally. By collecting, analysing and correlating data feeds from systems throughout the network and from external information sources, an organisation's ability to determine which threats and vulnerabilities are the most relevant and severe will be greatly improved, enabling it to assess risks more accurately in order to defend against illicit activity and advanced cyber security threats. Given the volumes of data involved, from sources both within and outside the organisation, this requires that the security intelligence platform implemented to achieve these goals incorporates big data analytics so that visibility is greatly enhanced across the entire IT environment.

Through continuous monitoring and analysis, security can be constantly evaluated so that remediation for incidents that do occur can be achieved much more rapidly than with traditional analytic tools, allowing for much faster and more efficient incident response. This can mean reducing the time that remediation takes from days or more to mere minutes. Such tools can also be used to define a baseline of behaviours that are considered to be normal, against which all event records are checked to distinguish behaviour considered to be suspicious or inappropriate from normal activities. As new risks are encountered or changes are made to business processes, those baselines can be adjusted to ensure that protections are up to date and effective.

Organisations will not only find that they are better able to defend against advanced cyber threats and illicit activity in real time, but will also be able to perform forensic analysis on the records collected to ascertain how a security incident occurred: how it got onto the network and the activities that took place once the exploit had gained a foothold. Such analysis of historical data will also allow organisations to spot anomalies from established baseline behaviour that could point to security issues, such as abnormally high levels of employee logins or downloads. The central repository of information gathered over time will enhance the organisation's ability to perform internal investigations, as well as to answer challenges from external parties, such as e-discovery requests. Those data stores, held in a highly secure, tamperproof manner, will also aid in complying with the data retention requirements of the industry standards and regulations that the organisation faces.
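A baseline-and-deviation check of the kind the passage above describes, written here as an added example rather than taken from the paper: per-user daily login counts are learned from a constructed history, today's counts are tested against the mean plus a multiple of the standard deviation, and the baseline is then rolled forward with the observations that were not flagged, so that it follows legitimate changes in behaviour as the paper says it should. The user names, the counts, the k-sigma rule and the absolute floor are all assumptions made for the illustration.

```python
"""Baseline-and-deviation check over constructed login counts (added example;
not code from the Bloor paper).  A per-user baseline of normal daily login
volume is built from historical counts, today's counts are compared against
it, and the baseline is rolled forward with the unflagged observations so
that it adapts as behaviour legitimately changes.
User names and counts are constructed; the k*sigma rule and the absolute
floor are design choices, not something the paper prescribes."""
import statistics

# Constructed sample: successful logins per user per day over a 10-day window.
HISTORY = {
    "alice": [4, 5, 4, 6, 5, 4, 5, 5, 4, 6],
    "bob":   [2, 3, 2, 2, 3, 2, 3, 2, 2, 3],
}
# Constructed sample: today's counts, including an account with no history.
TODAY = {"alice": 6, "bob": 14, "mallory": 9}


def build_baseline(history):
    """Return {user: (mean, population stdev)} from the historical counts."""
    return {u: (statistics.mean(c), statistics.pstdev(c)) for u, c in history.items()}


def detect_anomalies(baseline, today, k=3.0, floor=2.0):
    """Flag users whose count exceeds mean + max(k*stdev, floor).

    The floor stops a very steady history (stdev near zero) from turning a
    one-login difference into an alert.  Accounts with no baseline are
    flagged separately: an unknown account suddenly logging in is itself
    worth a look."""
    flagged = {}
    for user, count in today.items():
        if user not in baseline:
            flagged[user] = "no baseline for this account"
            continue
        mean, sd = baseline[user]
        threshold = mean + max(k * sd, floor)
        if count > threshold:
            flagged[user] = f"{count} logins exceeds threshold {threshold:.1f}"
    return flagged


def roll_baseline(history, today, flagged, window=10):
    """Append today's unflagged counts so the baseline tracks normal drift,
    keeping only the most recent `window` days per user."""
    updated = {u: list(c) for u, c in history.items()}
    for user, count in today.items():
        if user in flagged:
            continue  # never learn from an observation judged anomalous
        updated.setdefault(user, []).append(count)
        updated[user] = updated[user][-window:]
    return updated


def run():
    """Evaluate today against the baseline; return (flags, rolled baseline)."""
    baseline = build_baseline(HISTORY)
    flagged = detect_anomalies(baseline, TODAY)
    return flagged, roll_baseline(HISTORY, TODAY, flagged)


if __name__ == "__main__":
    hits, _ = run()
    for user, reason in hits.items():
        print(user, "-", reason)
```

With the sample data, alice's six logins sit inside her normal range and feed back into her baseline, bob's fourteen against a history of two or three a day are flagged, and mallory is flagged for having no history at all. Excluding flagged observations from the roll-forward matters: if an anomalous day were learned as normal, a slow escalation could train the baseline to accept it.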

Considerations for the CISO in selecting a platform

Any security intelligence platform needs to be a central point where data from all log and event sources in the organisation are collected, analysed and correlated so that patterns related to security incidents and overall posture can be identified. This provides one central management point where processes can be defined and policies set and managed. It will also allow all activity to be monitored from a central point so that comprehensive reports of activity can be generated that will both attest to the effectiveness of the policies set and form the audit trail that is required for governance and compliance purposes. Such platforms must provide analytics capabilities that scale to handle the big data sets seen across organisations today, helping to make sense of the massive volumes and variety of data generated.

To provide the full range of analytics capabilities needed, the security intelligence platform should also integrate a number of security and IT controls, including security information and event management and log management tools, endpoint management tools, threat mitigation techniques, database activity monitoring, identity and access management systems, application vulnerability scanning services and file integrity monitoring tools. For defence against zero-day exploits and APTs, the platform should also provide access to real-time threat intelligence and reputation feeds from external sources. The intelligence available from harnessing big data can provide organisations not only with operational improvements, but can improve their ability to detect and respond to increasingly sophisticated security threats and vulnerabilities. Increasingly, such platforms are expanding to take in an ever-growing variety of feeds, such as those derived from machine-to-machine communications, including sensors built into devices such as mobile phones, smart energy meters and industrial equipment. These feeds provide a higher level of situational awareness to improve not only security, but operational decision making across the organisation.

Include all data sources

Security information comes from a variety of sources throughout the organisation, so all data sources need to be logged: not just security controls, but every device and system connected to the network. This is important not just for ensuring that threats can be discovered enterprise-wide, but also for meeting internal corporate governance and external compliance requirements. As with all business intelligence initiatives, as complete a data set as possible is a key priority. For security, any gaps in data can mean gaps in protection.

Maintain integrity

Data needs to be maintained in its original form for purposes of integrity and to ensure that it remains useful for forensic analysis. For this, a combination of a data warehouse and big data analytics is required, but the traditional data warehousing method of copying, cleansing and normalising data is not suited to security information, where the ability to analyse at speed and scale is of the utmost importance for uncovering real-time threats. This requires that data is held in as close to its native format as possible, which makes an event data warehouse much better suited to the task.

Monitor constantly and review often

Periodic reviews will only provide a snapshot of the situation at the time when the review was conducted. For capturing sophisticated, real-time threats, constant monitoring is required, with alerts generated and sent to designated personnel when problems are uncovered, based on the risk priorities that have been set. For diagnosing longer-term problems such as APTs, which aim to penetrate a network and maintain a long-term presence on it, reviews of the reports generated should be conducted on at least a weekly basis to look for patterns that may indicate a subversive attack is underway. Regular reviews will also help an organisation to assess the effectiveness of its policies and make changes to improve its overall security posture.
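One way to keep retained records in their native form while making any later alteration detectable, added here to illustrate the "Maintain integrity" consideration above and the tamperproof store mentioned under the benefits of analytics; it is not code from the paper, and the paper does not prescribe a particular mechanism. Each raw record is stored unchanged and linked to its predecessor with a SHA-256 chain hash. The log lines are constructed samples.

```python
"""Tamper-evident retention of raw event records (added example; not code
from the Bloor paper).  Each record is stored byte-for-byte as received,
which is the paper's 'native format' point, and is linked to its predecessor
with a SHA-256 chain hash, so an edit, deletion or reordering of any stored
record before the tail is detected on verification.  The log lines are
constructed samples; hash chaining is one common approach, not one the
paper specifies."""
import hashlib

GENESIS = "0" * 64  # chain anchor for the first record

# Constructed sample records, kept exactly as the source emitted them.
SAMPLE_LOG = [
    "2013-02-11T09:02:00 dirsrv PASSWORD_RESET user=alice by=helpdesk",
    "2013-02-11T09:30:11 vpn LOGIN FAILED user=dave src=198.51.100.7",
    "2013-02-11T09:30:40 vpn LOGIN SUCCESS user=dave src=198.51.100.7",
]


def chain_hash(prev_hash, raw_record):
    """SHA-256 over the previous chain hash and this record's raw bytes."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(b"\n")
    h.update(raw_record.encode("utf-8"))
    return h.hexdigest()


class EventStore:
    """Append-only list of (raw_record, chain_hash) pairs."""

    def __init__(self):
        self.entries = []

    def head(self):
        """Hash of the newest record; record this somewhere the store
        itself cannot modify if tail truncation must also be caught."""
        return self.entries[-1][1] if self.entries else GENESIS

    def append(self, raw_record):
        self.entries.append((raw_record, chain_hash(self.head(), raw_record)))

    def verify(self):
        """Recompute the chain; return the index of the first record whose
        stored hash no longer matches, or None if the store is intact."""
        prev = GENESIS
        for i, (raw, stored) in enumerate(self.entries):
            if chain_hash(prev, raw) != stored:
                return i
            prev = stored
        return None


def build_store(records):
    store = EventStore()
    for r in records:
        store.append(r)
    return store


def tampered_index(records, index, replacement):
    """Build a store, overwrite one raw record in place (simulating an edit
    made directly to the storage layer) and report what verification finds."""
    store = build_store(records)
    _, stored = store.entries[index]
    store.entries[index] = (replacement, stored)
    return store.verify()


if __name__ == "__main__":
    print("intact store verifies:", build_store(SAMPLE_LOG).verify() is None)
    print("first bad record after edit:",
          tampered_index(SAMPLE_LOG, 1, SAMPLE_LOG[1].replace("FAILED", "SUCCESS")))
```

Verification catches edits, deletions and reordering anywhere before the current tail, but a store truncated at its end, or rewritten wholesale with a freshly computed chain, still verifies. The head hash therefore has to be recorded outside the event store (a separate system, a signed timestamp, a write-once medium) and compared with the stored head at each periodic review, which ties this control to the "monitor constantly and review often" consideration.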

Ensure security reviews are made available to executive management

According to recent research from Core Security, just one-third of CEOs receive security updates from their CISOs and only about one-quarter receive security communications on a somewhat regular basis [6]. After some of the most publicised security breaches uncovered over the past couple of years, it has come to light that some of the organisations concerned did not have a senior enough executive in charge of the overall security programme. According to the CIO of Pacific Northwest National Laboratory in the US, which suffered a security breach in July 2011, internal investigations showed that the breach was directly related to the failure of executive management, including the board, to demand regular security updates. As a result, executives had failed to recognise cyber security as a significant risk to the organisation, and consequently the cyber security programme had been allowed to degrade significantly.

Historical data is extremely valuable

There are many reasons why historical data needs to be retained, including to fulfil the demands of industry standards and government regulations, as well as for internal corporate governance purposes. Historical data also has a part to play in improving security by providing reference points for developing baselines of expected normal behaviour, against which abnormal behaviour, such as that associated with malware, can be gauged.

Elicit support from throughout the organisation

Any enterprise-wide security programme needs not only executive support (in the case of security and risk management this will often fall to the CISO) but should also engage multiple stakeholders from throughout the organisation. This will aid in ensuring that all data sources are fed into the security intelligence platform and will allow new data sources to be identified and included as they are added to the network. Those stakeholders may also be able to shed light on relationships or interdependencies among data sources.

Summary

Today's organisational networks are complex and sophisticated, embracing an ever-wider range of devices, services and users, many of which are peripheral or external to the organisation itself, such as cloud-based services provided by third parties. Placing defences to guard the perimeters of the organisation is no longer sufficient, as those perimeters have been eroded. The threats that we face are also increasingly complex and sophisticated, often constantly morphing to avoid detection. It is also no longer sufficient to guard against only known threats through the use of traditional controls such as signature-based anti-malware and intrusion prevention controls.

These factors require that organisations move from a reactive security stance to a proactive one based on the intelligence that can be gleaned from log and event data generated by every device and system connected to the network. Turning that data into actionable intelligence allows organisations to detect and pre-empt threats in real time to improve their overall security posture. However, this requires that any security intelligence platform chosen can handle massive volumes of disparate data from throughout the organisation, both monitoring that data in real time and maintaining it in secure event data warehouses for forensic analysis to spot security trends. Such a platform must combine data analytics capabilities that can handle the volume and variety of security-related information generated throughout the network with a variety of other security and IT controls, to increase the likelihood that threats can be countered proactively.

The onus is on every CISO to go on the offensive to ensure that security is intelligence-led, holistic across the enterprise and part of the overall risk management process.

References

ponemon-perceptions-network-security.pdf
3. rp_data-breach-investigations-report-2012_en_xg.pdf
Big_Data_Top_Ten_v1.pdf
6. on%20ceo-ciso%20divide% %20final.pdf

Further information

Further information about this subject is available from Bloor Research.

Bloor Research overview

Bloor Research is one of Europe's leading IT research, analysis and consultancy organisations. We explain how to bring greater Agility to corporate IT systems through the effective governance, management and leverage of Information. We have built a reputation for telling the right story with independent, intelligent, well-articulated communications content and publications on all aspects of the ICT industry. We believe the objective of telling the right story is to:

- Describe the technology in context to its business value and the other systems and processes it interacts with.
- Understand how new and innovative technologies fit in with existing ICT investments.
- Look at the whole market and explain all the solutions available and how they can be more effectively evaluated.
- Filter noise and make it easier to find the additional information or news that supports both investment and implementation.
- Ensure all our content is available through the most appropriate channel.

Founded in 1989, we have spent over two decades distributing research and analysis to IT user and vendor organisations throughout the world via online subscriptions, tailored research services, events and consultancy projects. We are committed to turning our knowledge into business value for you.

About the author

Fran Howarth, Senior Analyst - Security

Fran Howarth specialises in the field of security, primarily information security, but with a keen interest in physical security and how the two are converging. Fran's other main areas of interest are new delivery models, such as cloud computing, information governance, web, network and application security, identity and access management, and encryption. Fran focuses on the business needs for security technologies, looking at the benefits organisations gain from their use and how organisations can defend themselves against the threats that they face in an ever-changing landscape. For more than 20 years, Fran has worked in an advisory capacity as an analyst, consultant and writer. She writes regularly for a number of publications, including Silicon, Computer Weekly, Computer Reseller News, IT-Analysis and Computing Magazine. Fran is also a regular contributor to Security Management Practices of the Faulkner Information Services division of InfoToday.

Copyright & disclaimer

This document is copyright 2013 Bloor Research. No part of this publication may be reproduced by any method whatsoever without the prior consent of Bloor Research. Due to the nature of this material, numerous hardware and software products have been mentioned by name. In the majority, if not all, of the cases, these product names are claimed as trademarks by the companies that manufacture the products. It is not Bloor Research's intent to claim these names or trademarks as our own. Likewise, company logos, graphics or screen shots have been reproduced with the consent of the owner and are subject to that owner's copyright. Whilst every care has been taken in the preparation of this document to ensure that the information is correct, the publishers cannot accept responsibility for any errors or omissions.

2nd Floor, St John Street, LONDON, EC1V 4PY, United Kingdom
Tel: +44 (0) Fax: +44 (0) Web:


More information

Caretower s SIEM Managed Security Services

Caretower s SIEM Managed Security Services Caretower s SIEM Managed Security Services Enterprise Security Manager MSS -TRUE 24/7 Service I.T. Security Specialists Caretower s SIEM Managed Security Services 1 Challenges & Solution Challenges During

More information

I D C A N A L Y S T C O N N E C T I O N

I D C A N A L Y S T C O N N E C T I O N I D C A N A L Y S T C O N N E C T I O N Robert Westervelt Research Manager, Security Products T h e R o l e a nd Value of Continuous Security M o nitoring August 2015 Continuous security monitoring (CSM)

More information

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE Solution Brief SUMMARY New security threats demand a new approach to security management. Security teams need a security analytics architecture that can handle

More information

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave

More information

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

GETTING REAL ABOUT SECURITY MANAGEMENT AND BIG DATA GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA" A Roadmap for "Big Data" in Security Analytics ESSENTIALS This paper examines: Escalating complexity of the security management environment, from threats

More information

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES Leonard Levy PricewaterhouseCoopers LLP Session ID: SEC-W03 Session Classification: Intermediate Agenda The opportunity Assuming

More information

CyberArk Privileged Threat Analytics. Solution Brief

CyberArk Privileged Threat Analytics. Solution Brief CyberArk Privileged Threat Analytics Solution Brief Table of Contents The New Security Battleground: Inside Your Network...3 Privileged Account Security...3 CyberArk Privileged Threat Analytics : Detect

More information

InDetail. SolarWinds Log & Event Manager. a full-functioned, yet affordable, SIEM

InDetail. SolarWinds Log & Event Manager. a full-functioned, yet affordable, SIEM InDetail SolarWinds Log & Event Manager An InDetail Paper by Bloor Research Author : Fran Howarth Publish date : January 2014 SolarWinds LEM provides all of the essential features required of a SIEM, but

More information

A BUSINESS CASE FOR BEHAVIORAL ANALYTICS. White Paper

A BUSINESS CASE FOR BEHAVIORAL ANALYTICS. White Paper A BUSINESS CASE FOR BEHAVIORAL ANALYTICS White Paper Introduction What is Behavioral 1 In a world in which web applications and websites are becoming ever more diverse and complicated, running them effectively

More information

Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Landscape

Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Landscape WHITE PAPER: SYMANTEC GLOBAL INTELLIGENCE NETWORK 2.0.... ARCHITECTURE.................................... Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Who

More information

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team Symantec Cyber Threat Analysis Program Symantec Cyber Threat Analysis Program Team White Paper: Symantec Security Intelligence Services Symantec Cyber Threat Analysis Program Contents Overview...............................................................................................

More information

RETHINKING CYBER SECURITY

RETHINKING CYBER SECURITY RETHINKING CYBER SECURITY Introduction Advanced Persistent Threats (APTs) and advanced malware have been plaguing IT professionals for over a decade. During that time, the traditional cyber security vendor

More information

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE

More information

www.pwc.co.uk Cyber security Building confidence in your digital future

www.pwc.co.uk Cyber security Building confidence in your digital future www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in

More information

Getting Ahead of Malware

Getting Ahead of Malware IT@Intel White Paper Intel Information Technology Security December 2009 Getting Ahead of Malware Executive Overview Since implementing our security event monitor and detection processes two years ago,

More information

How To Create An Insight Analysis For Cyber Security

How To Create An Insight Analysis For Cyber Security IBM i2 Enterprise Insight Analysis for Cyber Analysis Protect your organization with cyber intelligence Highlights Quickly identify threats, threat actors and hidden connections with multidimensional analytics

More information

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Stéphane Hurtaud Partner Governance Risk & Compliance Deloitte Laurent De La Vaissière Director Governance Risk & Compliance

More information

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

More information

Increase insight. Reduce risk. Feel confident.

Increase insight. Reduce risk. Feel confident. Increase insight. Reduce risk. Feel confident. Define critical goals with enhanced visibility then enable security and compliance across your complex IT infrastructure. VIRTUALIZATION + CLOUD NETWORKING

More information

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape White Paper Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape Financial services organizations have a unique relationship with technology: electronic data and transactions

More information

Fighting Advanced Threats

Fighting Advanced Threats Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.

More information

RETHINKING CYBER SECURITY

RETHINKING CYBER SECURITY RETHINKING CYBER SECURITY CHANGING THE BUSINESS CONVERSATION INTRODUCTION Advanced Persistent Threats (APTs) and advanced malware have been plaguing IT professionals for over a decade. During that time,

More information

Addressing Cyber Risk Building robust cyber governance

Addressing Cyber Risk Building robust cyber governance Addressing Cyber Risk Building robust cyber governance Mike Maddison Partner Head of Cyber Risk Services The future of security The business environment is changing The IT environment is changing The cyber

More information

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center Combating a new generation of cybercriminal with in-depth security monitoring 1 st Advanced Data Analysis Security Operation Center The Challenge Don t leave your systems unmonitored. It takes an average

More information

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target

More information

Securing business data. CNS White Paper. Cloud for Enterprise. Effective Management of Data Security

Securing business data. CNS White Paper. Cloud for Enterprise. Effective Management of Data Security Securing business data CNS White Paper Cloud for Enterprise Effective Management of Data Security Jeff Finch, Head of Business Development, CNS Mosaic 2nd July 2015 Contents 1 Non-Disclosure Statement...

More information

Combating a new generation of cybercriminal with in-depth security monitoring

Combating a new generation of cybercriminal with in-depth security monitoring Cybersecurity Services Combating a new generation of cybercriminal with in-depth security monitoring 1 st Advanced Data Analysis Security Operation Center The Challenge Don t leave your systems unmonitored.

More information

Strengthen security with intelligent identity and access management

Strengthen security with intelligent identity and access management Strengthen security with intelligent identity and access management IBM Security solutions help safeguard user access, boost compliance and mitigate insider threats Highlights Enable business managers

More information

Malware isn t The only Threat on Your Endpoints

Malware isn t The only Threat on Your Endpoints Malware isn t The only Threat on Your Endpoints Key Themes The cyber-threat landscape has Overview Cybersecurity has gained a much higher profile over the changed, and so have the past few years, thanks

More information

Stay ahead of insiderthreats with predictive,intelligent security

Stay ahead of insiderthreats with predictive,intelligent security Stay ahead of insiderthreats with predictive,intelligent security Sarah Cucuz sarah.cucuz@spyders.ca IBM Security White Paper Executive Summary Stay ahead of insider threats with predictive, intelligent

More information

SIEM is only as good as the data it consumes

SIEM is only as good as the data it consumes SIEM is only as good as the data it consumes Key Themes The traditional Kill Chain model needs to be updated due to the new cyber landscape A new Kill Chain for detection of The Insider Threat needs to

More information

Cybersecurity and internal audit. August 15, 2014

Cybersecurity and internal audit. August 15, 2014 Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

More information

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

defending against advanced persistent threats: strategies for a new era of attacks agility made possible defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been

More information

How To Buy Nitro Security

How To Buy Nitro Security McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security

More information

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management INTRODUCTION Traditional perimeter defense solutions fail against sophisticated adversaries who target their

More information

CYBER SECURITY INFORMATION SHARING & COLLABORATION

CYBER SECURITY INFORMATION SHARING & COLLABORATION Corporate Information Security CYBER SECURITY INFORMATION SHARING & COLLABORATION David N. Saul Senior Vice President & Chief Scientist 28 June 2013 Discussion Flow The Evolving Threat Environment Drivers

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

Overcoming Five Critical Cybersecurity Gaps

Overcoming Five Critical Cybersecurity Gaps Overcoming Five Critical Cybersecurity Gaps How Active Threat Protection Addresses the Problems that Security Technology Doesn t Solve An esentire White Paper Copyright 2015 esentire, Inc. All rights reserved.

More information

A NEW APPROACH TO CYBER SECURITY

A NEW APPROACH TO CYBER SECURITY A NEW APPROACH TO CYBER SECURITY We believe cyber security should be about what you can do not what you can t. DRIVEN BY BUSINESS ASPIRATIONS We work with you to move your business forward. Positively

More information

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales The Cost of Cybercrime Sony $171m PlayStation 3 data breach (April 2011) $3 trillion

More information

IBM QRadar Security Intelligence April 2013

IBM QRadar Security Intelligence April 2013 IBM QRadar Security Intelligence April 2013 1 2012 IBM Corporation Today s Challenges 2 Organizations Need an Intelligent View into Their Security Posture 3 What is Security Intelligence? Security Intelligence

More information

Advanced Threat Protection with Dell SecureWorks Security Services

Advanced Threat Protection with Dell SecureWorks Security Services Advanced Threat Protection with Dell SecureWorks Security Services Table of Contents Summary... 2 What are Advanced Threats?... 3 How do advanced threat actors operate?... 3 Addressing the Threat... 5

More information

Solutions Brochure. Security that. Security Connected for Financial Services

Solutions Brochure. Security that. Security Connected for Financial Services Solutions Brochure Security that Builds Equity Security Connected for Financial Services Safeguard Your Assets Security should provide leverage for your business, fending off attacks while reducing risk

More information

Using LYNXeon with NetFlow to Complete Your Cyber Security Picture

Using LYNXeon with NetFlow to Complete Your Cyber Security Picture Using LYNXeon with NetFlow to Complete Your Cyber Security Picture 21CT.COM Combine NetFlow traffic with other data sources and see more of your network, over a longer period of time. Introduction Many

More information

PATCH MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region

PATCH MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region PATCH MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program Cyber: The Catalyst to Transform the Security Program Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA A Common Language? Hyper Connected World Rapid IT Evolution Agile Targeted Threat

More information

INTRUSION PREVENTION SYSTEMS: FIVE BENEFITS OF SECUREDATA S MANAGED SERVICE APPROACH

INTRUSION PREVENTION SYSTEMS: FIVE BENEFITS OF SECUREDATA S MANAGED SERVICE APPROACH INTRUSION PREVENTION SYSTEMS: FIVE BENEFITS OF SECUREDATA S MANAGED SERVICE APPROACH INTRODUCTION: WHO S IN YOUR NETWORK? The days when cyber security could focus on protecting your organisation s perimeter

More information

Integrating MSS, SEP and NGFW to catch targeted APTs

Integrating MSS, SEP and NGFW to catch targeted APTs #SymVisionEmea #SymVisionEmea Integrating MSS, SEP and NGFW to catch targeted APTs Tom Davison Information Security Practice Manager, UK&I Antonio Forzieri EMEA Solution Lead, Cyber Security 2 Information

More information

The Symantec Approach to Defeating Advanced Threats

The Symantec Approach to Defeating Advanced Threats WHITE PAPER: THE SYMANTEC APPROACH TO DEFEATING ADVANCED........... THREATS............................. The Symantec Approach to Defeating Advanced Threats Who should read this paper For security practioners

More information

24/7 Visibility into Advanced Malware on Networks and Endpoints

24/7 Visibility into Advanced Malware on Networks and Endpoints WHITEPAPER DATA SHEET 24/7 Visibility into Advanced Malware on Networks and Endpoints Leveraging threat intelligence to detect malware and exploitable vulnerabilities Oct. 24, 2014 Table of Contents Introduction

More information

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection White Paper: Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection Prepared by: Northrop Grumman Corporation Information Systems Sector Cyber Solutions Division

More information

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges Accenture Intelligent Security for the Digital Enterprise Archer s important role in solving today's pressing security challenges The opportunity to improve cyber security has never been greater 229 2,287

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

KASPERSKY PRIVATE SECURITY NETWORK: REAL-TIME THREAT INTELLIGENCE INSIDE THE CORPORATE INFRASTRUCTURE

KASPERSKY PRIVATE SECURITY NETWORK: REAL-TIME THREAT INTELLIGENCE INSIDE THE CORPORATE INFRASTRUCTURE KASPERSKY PRIVATE SECURITY NETWORK: REAL-TIME THREAT INTELLIGENCE INSIDE THE CORPORATE INFRASTRUCTURE Global threat intelligence for local implementation www.kaspersky.com 2 A CLOUD-BASED THREAT LABORATORY

More information

How To Manage Log Management

How To Manage Log Management : Leveraging the Best in Database Security, Security Event Management and Change Management to Achieve Transparency LogLogic, Inc 110 Rose Orchard Way, Ste. 200 San Jose, CA 95134 United States US Toll

More information

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary

More information

IBM Security X-Force Threat Intelligence

IBM Security X-Force Threat Intelligence IBM Security X-Force Threat Intelligence Use dynamic IBM X-Force data with IBM Security QRadar to detect the latest Internet threats Highlights Automatically feed IBM X-Force data into IBM QRadar Security

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS PREPARING FOR ADVANCED CYBER THREATS Cyber attacks are evolving faster than organizations

More information

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Solution Brief Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Finding

More information

Cyber threat intelligence and the lessons from law enforcement. kpmg.com.au

Cyber threat intelligence and the lessons from law enforcement. kpmg.com.au Cyber threat intelligence and the lessons from law enforcement kpmg.com.au Introduction Cyber security breaches are rarely out of the media s eye. As adversary sophistication increases, many organisations

More information

Report. Needle in a Datastack Report

Report. Needle in a Datastack Report Needle in a Datastack Report Table of Contents Inability to Identify Security Breaches...4 Best Practices for the Age of Big Data Security...6 Methodology...7 Needle in a Datastack Report 2 Big Data is

More information

Spear Phishing Attacks Why They are Successful and How to Stop Them

Spear Phishing Attacks Why They are Successful and How to Stop Them White Paper Spear Phishing Attacks Why They are Successful and How to Stop Them Combating the Attack of Choice for Cybercriminals White Paper Contents Executive Summary 3 Introduction: The Rise of Spear

More information

How to Develop a Log Management Strategy

How to Develop a Log Management Strategy Information Security Services Log Management: How to develop the right strategy for business and compliance The purpose of this whitepaper is to provide the reader with guidance on developing a strategic

More information

The Business Case for Security Information Management

The Business Case for Security Information Management The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un

More information

Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen. 14th Annual Risk Management Convention

Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen. 14th Annual Risk Management Convention Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen 14th Annual Risk Management Convention New York, New York March 13, 2013 Today s Presentation 1)

More information

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst ESG Lab Review RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst Abstract: This ESG Lab review documents

More information

Into the cybersecurity breach

Into the cybersecurity breach Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing

More information

Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events

Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events Abstract Effective Security Operations throughout both DoD and industry are requiring and consuming unprecedented

More information

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal WHITE PAPER SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM Why Automated Analysis Tools are not Created Equal SECURITY REIMAGINED CONTENTS Executive Summary...3 Introduction: The Rise

More information

Beyond the Hype: Advanced Persistent Threats

Beyond the Hype: Advanced Persistent Threats Advanced Persistent Threats and Real-Time Threat Management The Essentials Series Beyond the Hype: Advanced Persistent Threats sponsored by Dan Sullivan Introduction to Realtime Publishers by Don Jones,

More information

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense By: Daniel Harkness, Chris Strasburg, and Scott Pinkerton The Challenge The Internet is an integral part of daily

More information

Compliance Guide: ASD ISM OVERVIEW

Compliance Guide: ASD ISM OVERVIEW Compliance Guide: ASD ISM OVERVIEW Australian Information Security Manual Mapping to the Principles using Huntsman INTRODUCTION In June 2010, The Australian Government Protective Security Policy Framework

More information

The Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst

The Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst ESG Brief The Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: ESG data indicates that many enterprise organizations

More information

Detect & Investigate Threats. OVERVIEW
