A Forrester Consulting Thought Leadership Paper Commissioned By RSA. December 2015
Security Analytics Is The Cornerstone Of Modern Detection And Response
Organizations Must Evolve Beyond SIEM To Address The Rapidly Changing Threat Landscape
Table Of Contents
Executive Summary
Current Threat Landscape
SIEM Is Insufficient For Today's Threats
Build A Strong Foundation For Breach Detection And Response
Key Recommendations
Appendix A: Methodology
Appendix B: Supplemental Material
Appendix C: Endnotes

ABOUT FORRESTER CONSULTING
Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester's Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit forrester.com/consulting.

© 2015, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to [1-V7FXNI]
Executive Summary

Keeping your company secure is as much about detecting and responding to attacks as they occur as it is about preventing attacks before they happen. Given the proliferation and sophistication of malicious entities, organizations must assume that they will be infiltrated and have an effective detection and response strategy. For years, security information and event management/security information management (SIEM) solutions have been the primary tool that security and risk (S&R) professionals have relied on to aggregate information from their enterprise to help identify abnormal behavior that could be evidence of an intrusion. Yet SIEM hasn't kept pace with the security needs of modern enterprises: it is adequate for compliance but inadequate for incident detection and response. It's time for S&R professionals to implement a purpose-built technology for incident detection and response: security analytics (SA).

In July 2015, RSA commissioned Forrester Consulting to evaluate how the capabilities of SIEM and security analytics solutions stack up against the current threat landscape. To do this, Forrester conducted a survey of 180 security and risk professionals from countries around the world, as well as interviewed security professionals responsible for security monitoring at their organizations.

KEY FINDINGS

Forrester's study yielded three key findings:

S&R pros must evolve their tool set and capabilities to keep up with the mutating threat landscape. Malicious entities have more tools and techniques in their arsenal than ever before, and the consequences of a breach are often dire. Respondents to Forrester's survey cited a litany of greatest threats to their organization, including malware, phishing, and network intrusion. To keep up, organizations must make the right technology and personnel investments, guided by a fully formed detection and response strategy.

SIEM is a start, but it is insufficient. SIEM implementation is widespread, but does it provide the security information your organization needs to effectively support its detection and response strategies? In a word, no. SIEM's ability to detect and investigate unknown threats, exfiltration, and threats that are already inside the enterprise is insufficient.

Mature organizations are moving to security analytics. When Forrester compares high-maturity organizations (those that have implemented and are reaping benefits from specific technologies and have more effective security monitoring processes) with those with lower maturity, it is clear that security analytics systems are replacing SIEM solutions as the primary system for detection and response. For example, 67% of high-maturity organizations regularly use an SA system to improve their understanding of the impact of threats, compared with only 30% of lower-maturity organizations.
Current Threat Landscape

Security and risk professionals are stuck between a rock and a hard place. They must help the business meet customer demands for innovative, personalized digital experiences as well as support internal initiatives such as cloud storage and bring-your-own-device. These initiatives are imperative to remain competitive in the modern marketplace, but they also increase your organization's exposure to risk. As for the attackers themselves, they have a slew of new, advanced tools and techniques in their arsenal to bypass preventive and traditional detective security measures and exfiltrate precious data. It is a dilemma that only stands to grow more daunting: organizations will continue to extend their digital footprint to compete, making them even more vulnerable to increasingly crafty adversaries. Our study found that:

Organizations feel the pressure from multiple threat vectors. In this mutating threat landscape, where attackers are constantly changing and evolving their methods in order to evade detection, security organizations must be on guard for multiple threats. The IT security pros we surveyed reported that many attacker techniques and tools pose a serious threat to their organizations, including malware, phishing, operating system attacks, mobile application intrusions, and many others (see Figure 1).

Your organization's security will be compromised. If you're among the optimistic few, thinking "It can't happen to me," you're making a big mistake. According to Forrester's survey, nearly four out of five respondents (79%) reported experiencing one or more business-impacting attacks or breaches in the past 12 months, suffering an average of 10 attacks over the past year. And the ways in which those attacks affect the business extend far past attention-grabbing headlines, including compromised customer records, diverted resources, and network/application downtime, all poison to your organization's operations and brand (see Figure 2).
FIGURE 1: Organizations Face Many Threats
Which types of attacker techniques and tools pose the greatest threat to your organization going forward? (Select the top three)
Response options: Malware (i.e., viruses, worms, botnets); Database/content/data management system compromise; Operating system vulnerabilities attacked; Mobile applications intrusion; Web/software applications exploited; Trafficking in illicit materials/illegal data; Drive-by downloads (13%); Website vandalized or site content manipulated; Theft of computers or storage devices; Phishing (34%); Theft of mobile devices (21%); Denial of service attacks (21%). (The remaining bar values are not recoverable from the transcription.)
Base: 180 IT security decision-makers at US, UK, German, and Brazilian-based companies that have implemented or evaluated SIEM or security analytics technology
Source: A commissioned study conducted by Forrester Consulting on behalf of RSA, September 2015

Good prevention is necessary but not sufficient. While, indeed, there is no such thing as an impregnable security defense, the claims that prevention is completely ineffective are exaggerated. In reality, prevention is not dead.[1] It remains a component of your security strategy, along with detection and response. Not every attack on your infrastructure is going to be advanced: if you can stop attacks before they enter your organization, you can then dedicate your limited security monitoring resources to detecting and responding to the remaining, more advanced attacks that evade frontline defenses. There is also a natural positive feedback loop between prevention and detection/response.
FIGURE 2: Business Impacts Of A Breach
What happened as a result of the discovery that your organization had been compromised? (Select all that apply)
Response options: Diverted internal resources to respond to the attacks; Network/business applications unavailable; Customer records compromised; Minor financial losses (27%); Physical damage to computer systems; Violated government regulations regarding data security; Intellectual property theft/compromised; Other internal records lost or damaged; Fraud (21%); Legal liability (16%); Identity theft (13%); Alienated customers (13%); Significant financial losses (13%); None (3%). (The remaining bar values are not recoverable from the transcription.)
Base: 135 IT security decision-makers at companies that have implemented or evaluated SIEM or security analytics technology and have experienced a business-impacting attack in the past year
Source: A commissioned study conducted by Forrester Consulting on behalf of RSA, September 2015

SIEM Is Insufficient For Today's Threats

An effective security strategy employs robust prevention tactics but also takes into account that determined, well-armed adversaries can work around even the latest and greatest preventive controls. It is at this point that detection, investigation, and response must swing into action, and for that, your organization needs the right technology. There is no silver bullet technology for detection and response. The security professionals surveyed for this study turn to many technologies to combat threats to their organizations, and while SIEM is currently one of the most commonly used technologies, it provides an incomplete picture of security-relevant activity in a typical enterprise and must be augmented with tools that provide additional visibility and analytics.

HISTORY OF SIEM

A quick look at the history of SIEM reveals why it is still viewed as a primary detection tool, in spite of its shortcomings. When SIEM hit its stride as a security monitoring solution in the early 2000s, collecting security data logs, aggregating them in a central repository, and conducting trend and correlative analysis was sufficient. However, as threats became more sophisticated and businesses stored higher-sensitivity data on more systems, thus requiring increased monitoring, the amount and type of data and analytics needed to keep SIEM solutions useful has overwhelmed them. Few enterprises have the resources to dedicate to the upkeep of SIEM for security detection and investigative purposes, but before SIEM became marginalized as a threat management technology, mandated log collection for compliance reporting increased demand for the technology. Today, many SIEM deployments are primarily driven by compliance reporting purposes, thanks to PCI and other regulatory regimes driving log collection requirements (see Figure 3). Survey respondents corroborate this: a top reason for adopting SIEM is compliance/reporting. Ultimately, however, SIEM has shown itself to be increasingly limited as an incident detection and response system because of its heavy dependence on log and security event data sources and its lack of more sophisticated analytics.

FIGURE 3: The Evolution Of SIEM
Threat management → Compliance reporting → Security analytics (transitioning to security analytics)
Source: Forrester Research, Inc.
FIGURE 4: SIEM Fails To Live Up To Pre-Purchase Expectations
What were the original reasons for adopting or using SIEM technologies at your organization? Which of these capabilities were actually used or realized once you adopted the SIEM technology? (Select all that apply)
Capabilities compared, original reasons for adopting SIEM versus capabilities used/realized upon adoption: Incident detection; Compliance and reporting; Incident investigation; To demonstrate the effectiveness of our security program; Log management; Event correlation. (Individual bar values are not recoverable from the transcription.)
Base: 107 IT security decision-makers at US, UK, German, and Brazilian-based companies that have implemented SIEM technology
Source: A commissioned study conducted by Forrester Consulting on behalf of RSA, September 2015

SIEM'S LIMITATIONS

The ugly truth is that even for organizations that do have the requisite resources and feed it the right logs and security events, SIEM has hit a ceiling for its effectiveness as a detection and investigative tool. Worse yet, most organizations aren't operating their SIEM at a high level of proficiency and might be misled into believing they can detect advanced threats, when they can't. Regardless of how well it is deployed, SIEM is ill-equipped to detect some of the most damaging malicious activity. SIEM is unable to:

Detect unknown threats. Modern SIEM solutions were designed to look for known actions that are indicators of compromise, but they are much less effective at detecting the unknown. This is in part because SIEM solutions are adept at handling traditional log data, but not other data types such as network packet, threat intelligence, asset context, and endpoint data, which often provide greater detective visibility.[2] Survey respondents reported that bringing in new data sources is one of their top SIEM management challenges, second only to ongoing management costs.

Detect and understand data exfiltration. There is an important distinction between an intrusion, when unauthorized entities gain access to the network, and exfiltration, in which data actually leaves the network (in other words, a breach is occurring). SIEM is neither equipped to conduct the analytics necessary to identify an exfiltration as it is occurring, nor able to determine post facto what data may have been exfiltrated.

Detect threats that are already inside the enterprise. SIEM tools are typically deployed to look at the perimeter of the network, yet this mentality can expose organizations to great risk. Outsiders that have already infiltrated the network, whether by stealing hardware or taking over an insider's account, can roam freely in a perimeter-centric security system. And it's not just the outsiders: disgruntled employees or other insiders that have gone rogue pose a great risk, and they are already inside your network.

If you look beyond the overall effectiveness of SIEM and investigate its performance in certain key areas, more cracks begin to show. Survey respondents were asked to indicate the original reasons for investing in SIEM, as well as those capabilities that were actually used upon implementation. Across all six factors, the reality failed to meet expectations (see Figure 4). Throw ongoing costs into the mix, reported by respondents as their top challenge in maintaining a SIEM solution, and the picture gets even more concerning. Issues with cost should come as no surprise, as SIEM is often mis-sold as a black box that will provide all the necessary information to support an effective detection and response strategy. Organizations are often blindsided by the cost of the full-time employees who are needed to derive actionable insights.
"[SIEM] hasn't provided a lot of value... We have a lot of technology but don't really have the mature processes and people to tune [it]." (Chief information security officer at a North American medical school)
Build A Strong Foundation For Breach Detection And Response

Given today's threat environment, S&R pros have to take on a new mindset: assume you are breached and continually hunt for indicators of those breaches. SIEM is not reliable or effective for this purpose. Forrester interviewed a SIEM architect at a global financial institution who put it bluntly: "[SIEM] provides comfort, but it's becoming obvious that organizations need analytics on top of it." Security and risk professionals must enact a breach detection and response strategy that leverages comprehensive visibility beyond logs, offers actionable threat intelligence to identify potential threats, prioritizes remediation of vulnerabilities and architectural adjustments, and helps identify and understand attacks already in progress.

SECURITY ANALYTICS PROVIDES A COMPREHENSIVE VIEW OF ACTIVITY ON YOUR NETWORK

Security analytics is the new technical foundation of an informed, reliable detection and response strategy. An SA system takes multiple types of IT telemetry from across the enterprise, as well as the correlating and reporting functions of SIEM, the detection capabilities of malware analysis, data leak protection, network analysis and visibility (NAV), and endpoint visibility, behavioral analysis, and investigative tools from the forensics world.[3] It combines and integrates them to provide security analysts a platform with both enterprise-scale detection and investigative capabilities. SA will not only help identify events that are happening now, but will also assess the state of security within the enterprise in order to predict what may occur in the future and enable more proactive security decisions. Forrester uses the acronym INTEL to describe the situational awareness, advanced reporting, and predictive capabilities SA delivers (see Figure 5).[4] This is the intelligence that security and risk professionals need to help make better risk management decisions for the organization.
MATURE ORGANIZATIONS HAVE MADE THE LEAP TO SECURITY ANALYTICS

In our survey, we included a series of breach detection and response maturity indicators that we then used to separate out the advanced or high-maturity organizations from the laggards. Mature organizations were defined as those with dedicated threat detection and response teams that are reaping benefits from threat intelligence and have implemented certain security policies and processes, such as the regular usage of security performance metrics.[5] Our analysis showed that mature organizations are ahead of the game in evolving their strategy beyond SIEM to include technologies that support a comprehensive breach detection and response strategy, namely, security analytics.

Mature organizations are blazing the trail: two-thirds (67%) are currently using SA, compared with 44% of less-mature organizations. While these numbers may seem high, adoption of the technology alone is not sufficient to reap the fullest rewards. The survey also shows that mature organizations are further along the path toward benefitting from their SA deployment compared with their lower-maturity peers, as demonstrated by:

Monitoring assets under attack. The most relevant evidence of attacks evolves over time. The source of the attack, existence of vulnerabilities, and vulnerabilities exploited were the solid places to look in the SIEM-dominated world. Nowadays, it is critical to expand beyond this myopic approach to include identification of assets under attack. Nearly half (48%) of mature organizations reported that they routinely use their SA system to identify assets under attack, while only 35% of low-maturity peers do.

FIGURE 5: Firms Gain INTEL From Security Analytics
Information: NAV tools feed information into a SIM, which correlates this data with syslog information to maximize visibility.
Notification: The SA system notifies responders in the event of information gathered via the intersection of SIM and NAV tools.
Threats: The data analytics engine of the SA identifies likely threats based on the information feed from the NAV tools.
Evaluation: Enterprise IT security reviews, configures, and operationalizes SA in addition to evaluating reported metrics.
Leadership: Information and data analytics will enable leaders to make better security and IT decisions for the organization.
Source: Forrester Research, Inc.
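The "Information" step of Figure 5 (NAV flow data correlated with syslog) and the earlier point that a log-only view cannot tie an exfiltration to the intrusion that preceded it can both be shown concretely. The following is an added example, not code from the Forrester paper or from any RSA product. It parses constructed sshd syslog lines, joins them with constructed flow records of the kind a NAV tool exports, flags a host where a login from outside the enterprise was followed within an hour by a large outbound transfer to an outside address, and ranks assets under attack. The host names, addresses, the 500 MB threshold, the one-hour window and the scoring weights are all assumptions made for the example.

```python
"""Correlate sshd syslog events with network flow records (added example).

Not code from the Forrester/RSA paper. Every log line, flow record, address and
threshold below is constructed for illustration; no real host or incident is shown.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SYSLOG_YEAR = 2015  # RFC 3164 syslog timestamps carry no year; assumed here

# Constructed syslog lines: a service account logs in to db01 from outside,
# an engineer logs in to web02 from inside, and root fails on web02 from outside.
SYSLOG = """\
Sep 14 02:11:05 db01 sshd[2231]: Accepted password for svc_backup from 203.0.113.9 port 50122 ssh2
Sep 14 02:11:06 db01 sshd[2231]: pam_unix(sshd:session): session opened for user svc_backup by (uid=0)
Sep 14 09:02:44 web02 sshd[4010]: Accepted publickey for deploy from 10.0.5.20 port 41000 ssh2
Sep 14 09:15:10 web02 sshd[4010]: Failed password for root from 198.51.100.7 port 33211 ssh2
"""

# Constructed flow records (what a NAV tool would export): start, src, dst, dst port, bytes out.
FLOWS = [
    ("Sep 14 02:14:30", "10.0.1.12", "203.0.113.9", 443, 1_850_000_000),  # db01 -> outside, 1.85 GB
    ("Sep 14 02:20:00", "10.0.1.12", "10.0.1.50", 5432, 9_000_000),       # db01 -> internal replica
    ("Sep 14 09:05:00", "10.0.2.7", "10.0.5.20", 22, 120_000),            # web02 -> internal
    ("Sep 14 11:00:00", "10.0.2.7", "198.51.100.7", 443, 4_000_000),      # web02 -> outside, small
]

# Asset context (assumed): which enterprise address is which host, and which ranges are "inside".
HOST_BY_IP = {"10.0.1.12": "db01", "10.0.2.7": "web02"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOGIN_WINDOW = timedelta(hours=1)  # a flow this soon after a login is attributed to it (assumed)
BYTES_THRESHOLD = 500_000_000      # outbound bytes in one flow that count as "large" (assumed)

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    host: str
    result: str  # "Accepted" or "Failed"
    user: str
    src: str


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_syslog(raw: str) -> list[AuthEvent]:
    """Keep only sshd accept/fail lines; session bookkeeping lines are dropped."""
    events = []
    for line in raw.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append(AuthEvent(parse_ts(m["ts"]), m["host"], m["result"], m["user"], m["src"]))
    return events


def parse_flows(records) -> list[Flow]:
    return [Flow(parse_ts(ts), src, dst, dport, nbytes) for ts, src, dst, dport, nbytes in records]


def log_only_alerts(events: list[AuthEvent]) -> list[str]:
    """The log-centric view: only explicit failures stand out, so the accepted
    login on db01 looks like routine service-account activity."""
    return sorted({e.host for e in events if e.result == "Failed"})


def correlated_alerts(events: list[AuthEvent], flows: list[Flow]) -> list[dict]:
    """Join logins from outside with large outbound flows from the same host inside the window."""
    external_logins = [e for e in events if e.result == "Accepted" and is_external(e.src)]
    alerts = []
    for f in flows:
        if not is_external(f.dst) or f.bytes_out < BYTES_THRESHOLD:
            continue
        host = HOST_BY_IP.get(f.src, f.src)
        for e in external_logins:
            if e.host == host and timedelta(0) <= f.ts - e.ts <= LOGIN_WINDOW:
                alerts.append({"host": host, "user": e.user, "login_src": e.src, "dst": f.dst,
                               "bytes_out": f.bytes_out,
                               "minutes_after_login": (f.ts - e.ts).total_seconds() / 60})
    return alerts


def assets_under_attack(events: list[AuthEvent], flows: list[Flow]) -> list[tuple[str, int]]:
    """Rank hosts: 1 point per failed login, 5 per correlated exfiltration signal (assumed weights)."""
    score = defaultdict(int)
    for e in events:
        if e.result == "Failed":
            score[e.host] += 1
    for a in correlated_alerts(events, flows):
        score[a["host"]] += 5
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    ev, fl = parse_syslog(SYSLOG), parse_flows(FLOWS)
    print("log-only alerts:", log_only_alerts(ev))               # ['web02']
    for a in correlated_alerts(ev, fl):                           # db01: svc_backup, 1.85 GB out
        print("exfiltration suspected:", a)
    print("assets under attack:", assets_under_attack(ev, fl))   # [('db01', 5), ('web02', 1)]
```

Run as written, the log-only rule points at web02 (a failed root login from outside) and says nothing about db01, whose accepted login is indistinguishable from routine use; the join with flow data is what surfaces the 1.85 GB leaving db01 minutes after that login and puts db01 at the top of the asset list. The thresholds and weights are placeholders; in practice they would be tuned per host class using the asset context the paper lists among the data SIEM handles poorly.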
More reliable risk assessments. Sixty-seven percent of high-maturity organizations regularly use SA-generated data to improve estimates of the likelihood and impact of threats during risk assessments, compared with only 30% of low-maturity organizations.

Greater application support. High-maturity organizations are more likely than their less-mature counterparts to support their applications with security analytics across the board, but in some areas the contrast is particularly sharp. Fifty percent of mature organizations use SA to support operational visibility/intelligence, compared with only 30% of low-maturity organizations, a 20-point gap. Similarly, threat correlation (+20 points) and event correlation (+17 points) are supported by SA far more often in mature organizations.

An effective detection and response strategy must be informed by a comprehensive understanding of all activity on the network. SIEM alone provides only part of the picture but leaves wide gaps that malicious entities will exploit to infiltrate your organization. It's time to evolve past SIEM to security analytics.
Key Recommendations

Given today's threat environment, the value of SIEM is limited. A solid foundation for modern breach detection and response is built using security analytics. Mature security organizations recognize this and are leading with building their security analytics capabilities today. And they are not the only ones: their peers who operate less-mature security organizations also increasingly recognize the need, with 40% planning to implement security analytics within the next year. Regardless of your organization's current security maturity, you can take steps to improve. Assess where you are with your breach detection and response foundation today with the following considerations:

How. How are you using security analytics? Do you understand the limitations of SIEM in detection, investigation, and response? How will you close the visibility, detection, and investigative gaps that SIEM has left behind?

Where. Where do you use security analytics, and why? Where else would you want to use security analytics, and how would you prioritize expanding your coverage? How can you expand this to provide enterprise-scale coverage?

What. What types of data are you collecting and trying to analyze, versus what you need to be more effective and efficient with your incident detection, prioritization, investigation, and response? If you are primarily or exclusively focusing on log data, you're missing critical sources of visibility and intelligence. Assess what is currently going into your analysis to determine your existing blind spots, and craft a plan to expand your visibility through added data sources and improved analytics.

Who. Do you have FTEs dedicated to threat detection and response, and how would a security analytics system help them? Identify the expected or current benefits of using security analytics. Learn what your FTEs in this area require to help them do their jobs more efficiently, and identify which FTEs you require that you don't currently have. Assess whether you should work with a specialized security monitoring MSSP and how an MSSP could augment your own team or take on threat detection and response tasks, so as to free up your security resources for other tasks.
Appendix A: Methodology

In this study, Forrester conducted a survey of 180 security and risk professionals at US, UK, German, and Brazilian organizations, as well as interviewed two security professionals responsible for SIEM management at their organizations, to evaluate their use of SIEM and security analytics. Survey participants included decision-makers in risk, compliance, and IT security roles. Respondents were offered an honorarium as a thank you for time spent on the survey and interviews. The study began in August 2015 and was completed in September 2015.

Appendix B: Supplemental Material

RELATED FORRESTER RESEARCH
"Forrester's Targeted-Attack Hierarchy Of Needs: Assess Your Core Capabilities," Forrester Research, Inc., January 7, 2015
"Forrester's Targeted-Attack Hierarchy Of Needs: Assess Your Advanced Capabilities," Forrester Research, Inc., July 24, 2014
"Dissect Data To Gain Actionable INTEL," Forrester Research, Inc., August 9, 2012

Appendix C: Endnotes

[1] Source: "Forrester's Targeted-Attack Hierarchy Of Needs: Assess Your Advanced Capabilities," Forrester Research, Inc., July 24, 2014.
[2] Source: "Dissect Data To Gain Actionable INTEL," Forrester Research, Inc., August 9, 2012.
[3] Source: "Transform Your Security Architecture And Operations For The Zero Trust Ecosystem," Forrester Research, Inc., December 11.
[4] Source: "Dissect Data To Gain Actionable INTEL," Forrester Research, Inc., August 9, 2012.
[5] Forrester assigned point values to response options of specific survey questions (more points for responses indicating higher maturity), and then totaled the points for each respondent. Forrester marked those equal to or greater than the median score as high maturity, and those less than the median score as low maturity. The following questions were used as a basis for the maturity assessment: Does threat intelligence play a role in your IT security strategy? Has your organization realized the benefits of analyzing internally generated threat intelligence? Does your organization have a centralized team within the security organization responsible for threat detection and response? Approximately what percent of your organization's full-time IT employees are dedicated to information security? Does your organization do any of the following? [various responses around security processes] How would you rate your organization's security maturity? What are the desired outcomes from increasing your organization's security?
ENABLING FAST RESPONSES THREAT MONITORING
ENABLING FAST RESPONSES TO Security INCIDENTS WITH THREAT MONITORING Executive Summary As threats evolve and the effectiveness of signaturebased web security declines, IT departments need to play a bigger,
Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: Large organizations have spent millions of dollars on security
Application Performance Management Is Critical To Business Success
A Custom Technology February 2014 Adoption Profile Commissioned By IBM Application Performance Management Is Critical To Business Success 1 Introduction We have entered the age of the customer, an era
The Risks Of Do It Yourself Disaster Recovery
A Custom Technology Adoption Profile Commissioned by IBM The Risks Of Do It Yourself Disaster Recovery Firms Bringing Disaster Recovery Back In-House Face Significant Challenges In Resources, Funding,
IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE
IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE Solution Brief SUMMARY New security threats demand a new approach to security management. Security teams need a security analytics architecture that can handle
Cisco Security Optimization Service
Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless
Overcoming Five Critical Cybersecurity Gaps
Overcoming Five Critical Cybersecurity Gaps How Active Threat Protection Addresses the Problems that Security Technology Doesn t Solve An esentire White Paper Copyright 2015 esentire, Inc. All rights reserved.
Defending Against Cyber Attacks with SessionLevel Network Security
Defending Against Cyber Attacks with SessionLevel Network Security May 2010 PAGE 1 PAGE 1 Executive Summary Threat actors are determinedly focused on the theft / exfiltration of protected or sensitive
IBM Security Intelligence Strategy
IBM Security Intelligence Strategy Delivering Insight with Agility October 17, 2014 Victor Margina Security Solutions Accent Electronic 12013 IBM Corporation We are in an era of continuous breaches Operational
Utilizing Security Ratings for Enterprise IT Risk Mitigation Date: June 2014 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Utilizing Security Ratings for Enterprise IT Risk Mitigation Date: June 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: What do large enterprises need in order to address increasingly
IBM Security QRadar Vulnerability Manager
IBM Security QRadar Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution Highlights Help prevent security breaches by discovering and highlighting high-risk
Seven Things To Consider When Evaluating Privileged Account Security Solutions
Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?
I D C A N A L Y S T C O N N E C T I O N
I D C A N A L Y S T C O N N E C T I O N Robert Westervelt Research Manager, Security Products T h e R o l e a nd Value of Continuous Security M o nitoring August 2015 Continuous security monitoring (CSM)
How Organizations Are Improving Business Resiliency With Continuous IT Availability
A Custom Technology Adoption Profile Commissioned By EMC Corporation How Organizations Are Improving Business Resiliency With Continuous IT Availability February 2013 Introduction: Business Stakeholders
The Value of Vulnerability Management*
The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda
CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT
CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT How advancements in automated security testing software empower organizations to continuously measure information
The State Of Public Cloud Security Part One Of A Three-Part Series On Public Cloud Security
A Forrester Consulting Thought Leadership Paper Commissioned By Trend Micro September 2014 The State Of Public Cloud Security Part One Of A Three-Part Series On Public Cloud Security Table Of Contents
White. Paper. Rethinking Endpoint Security. February 2015
White Paper Rethinking Endpoint Security By Jon OItsik, Senior Principal Analyst With Kyle Prigmore, Associate Analyst February 2015 This ESG White Paper was commissioned by RSA Security and is distributed
Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council
Rethinking Information Security for Advanced Threats CEB Information Risk Leadership Council Advanced threats differ from conventional security threats along many dimensions, making them much more difficult
A Forrester Consulting Thought Leadership Paper Commissioned By Brother. December 2014
A Forrester Consulting Thought Leadership Paper Commissioned By Brother December 2014 Strategies And Solutions For Secure Webconferencing Choose Deployment Models And Products To Suit Security And Performance
Managed Mobility Cloud Services Gain Momentum With European Midmarket Organizations
A Custom Technology Adoption Profile Commissioned By VeliQ & SAP January 2014 Managed Mobility Cloud Services Gain Momentum With European Midmarket Organizations 1 Introduction The mobile mind shift resulted
File Integrity Monitoring: A Critical Piece in the Security Puzzle. Challenges and Solutions
File Integrity Monitoring Challenges and Solutions Introduction (TOC page) A key component to any information security program is awareness of data breaches, and yet every day, hackers are using malware
Stop advanced targeted attacks, identify high risk users and control Insider Threats
TRITON AP-EMAIL Stop advanced targeted attacks, identify high risk users and control Insider Threats From socially engineered lures to targeted phishing, most large cyberattacks begin with email. As these
Protecting Your Data, Intellectual Property, and Brand from Cyber Attacks
White Paper Protecting Your Data, Intellectual Property, and Brand from Cyber Attacks A Guide for CIOs, CFOs, and CISOs White Paper Contents The Problem 3 Why You Should Care 4 What You Can Do About It
Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions
Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions CORE Security +1 617.399-6980 [email protected] www.coresecurity.com blog.coresecurity.com Preempting
Using LYNXeon with NetFlow to Complete Your Cyber Security Picture
Using LYNXeon with NetFlow to Complete Your Cyber Security Picture 21CT.COM Combine NetFlow traffic with other data sources and see more of your network, over a longer period of time. Introduction Many
Advanced SOC Design. Next Generation Security Operations. Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA
Advanced SOC Design Next Generation Security Operations Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA 1 ! Why/How security investments need to shift! Key functions of a Security Operations
Improving Network Security Change Management Using RedSeal
SOLUTION BRIEF Mapping the Impact of Change on Today s Network Security Infrastructure Improving Network Security Change Management Using RedSeal november 2011 WHITE PAPER RedSeal Networks, Inc. 3965 Freedom
A NEW APPROACH TO CYBER SECURITY
A NEW APPROACH TO CYBER SECURITY We believe cyber security should be about what you can do not what you can t. DRIVEN BY BUSINESS ASPIRATIONS We work with you to move your business forward. Positively
Managing IT Security with Penetration Testing
Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to
The Cloud App Visibility Blindspot
The Cloud App Visibility Blindspot Understanding the Risks of Sanctioned and Unsanctioned Cloud Apps and How to Take Back Control Introduction Today, enterprise assets are more at risk than ever before
The Cloud Manager s Balancing Act Balancing Security And Cost Without Sacrificing Time-To-Value
A Forrester Consulting Thought Leadership Paper Commissioned By Trend Micro November 2014 The Cloud Manager s Balancing Act Balancing Security And Cost Without Sacrificing Time-To-Value Part Two Of A Three
Cloud Change Agents Drive Business Transformation
A Forrester Consulting Thought Leadership Paper Commissioned By Microsoft The Status Of Cloud Computing As A Business Transformation Tool In The UK December 2012 Table Of Contents Executive Summary...
Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management
Prevent cyber attacks. SEE what you are missing. See Your Network MAPS. Prevent cyber attacks. [RedSeal] is meeting our expectations and is playing an integral role as it feeds right into our overall risk
Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness
Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness Wayne A. Wheeler The Aerospace Corporation GSAW 2015, Los Angeles, CA, March 2015 Agenda Emerging cyber
Breach Found. Did It Hurt?
ANALYST BRIEF Breach Found. Did It Hurt? INCIDENT RESPONSE PART 2: A PROCESS FOR ASSESSING LOSS Authors Christopher Morales, Jason Pappalexis Overview Malware infections impact every organization. Many
Information & Asset Protection with SIEM and DLP
Information & Asset Protection with SIEM and DLP Keeping the Good Stuff in and the Bad Stuff Out Professional Services: Doug Crich Practice Leader Infrastructure Protection Solutions What s driving the
Leverage Cloud-Based Contact Center Technologies To Provide Differentiated Customer Experiences
A Custom Technology Adoption Profile Commissioned By Genesys Telecommunications Laboratories Leverage Cloud-Based Contact Center Technologies To Provide Differentiated Customer Experiences March 2013 Introduction
INTRODUCING isheriff CLOUD SECURITY
INTRODUCING isheriff CLOUD SECURITY isheriff s cloud-based, multi-layered, threat protection service is the simplest and most cost effective way to protect your organization s data and devices from cyber-threats.
Achieving Control: The Four Critical Success Factors of Change Management. Technology Concepts & Business Considerations
Achieving Control: The Four Critical Success Factors of Change Management Technology Concepts & Business Considerations T e c h n i c a l W H I T E P A P E R Table of Contents Executive Summary...........................................................
Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.
Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Danny Allan, strategic research analyst, IBM Software Group Contents 2 Introduction
Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model
Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Stéphane Hurtaud Partner Governance Risk & Compliance Deloitte Laurent De La Vaissière Director Governance Risk & Compliance
Why a Network-based Security Solution is Better than Using Point Solutions Architectures
Why a Network-based Security Solution is Better than Using Point Solutions Architectures In This Paper Many threats today rely on newly discovered vulnerabilities or exploits CPE-based solutions alone
Solution Path: Threats and Vulnerabilities
Solution Path: Threats and Vulnerabilities Published: 24 January 2012 Burton IT1 Research G00226331 Analyst(s): Dan Blum This solution path helps Gartner clients develop a strategy and program for managing
Are SMBs Taking Disaster Recovery Seriously Enough?
A Custom Technology Adoption Profile Commissioned By Colt September 2014 Are SMBs Taking Disaster Recovery Seriously Enough? Introduction Small and medium-size businesses (SMBs) have the same challenges
with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief
RSA Solution Brief Streamlining Security Operations with Managing RSA the Lifecycle of Data Loss Prevention and Encryption RSA envision Keys with Solutions RSA Key Manager RSA Solution Brief 1 Who is asking
Records Management And Hybrid Cloud Computing: Transforming Information Governance
A Custom Technology Adoption Profile Commissioned By April 2014 Records Management And Hybrid Cloud Computing: Transforming Information Governance 1 Introduction Organizations are under extreme pressure
Statement for the Record. Martin Casado, Senior Vice President. Networking and Security Business Unit. VMware, Inc. Before the
Testimony Statement for the Record Martin Casado, Senior Vice President Networking and Security Business Unit VMware, Inc. Before the U.S. House of Representatives Committee on Science, Space, and Technology
SIEM and DLP Together: A More Intelligent Information Risk Management Strategy
SIEM and DLP Together: A More Intelligent Information Risk Management Strategy An ENTERPRISE MANAGEMENT ASSOCIATES (EMA ) White Paper Prepared for RSA, The Security Division of EMC December 2009 IT MANAGEMENT
Addressing the Full Attack Continuum: Before, During, and After an Attack. It s Time for a New Security Model
White Paper Addressing the Full Attack Continuum: Before, During, and After an Attack It s Time for a New Security Model Today s threat landscape is nothing like that of just 10 years ago. Simple attacks
SIEM Implementation Approach Discussion. April 2012
SIEM Implementation Approach Discussion April 2012 Agenda What are we trying to solve? Summary Observations from the Security Assessments related to Logging & Monitoring Problem Statement Solution Conceptual
An Executive Primer To Customer Success Management
A Forrester Consulting Thought Leadership Paper Commissioned By Gainsight April 2014 An Executive Primer To Customer Success Management Table Of Contents We Live In A Subscription Economy Learn To Manage
DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER
DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target
Cloud Without Limits: How To Deliver Hybrid Cloud With Agility, Governance, And Choice
A Custom Technology Adoption Profile Commissioned By Dell November 2014 Cloud Without Limits: How To Deliver Hybrid Cloud With Agility, Governance, And Choice Introduction With more and more business applications
Continuous Network Monitoring
Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment
Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective
Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective Reaching the Cloud era in the EU Riga 16 June 2015 Jonathan Sage Government and Regulatory Affairs Cyber Security
Feature. Log Management: A Pragmatic Approach to PCI DSS
Feature Prakhar Srivastava is a senior consultant with Infosys Technologies Ltd. and is part of the Infrastructure Transformation Services Group. Srivastava is a solutions-oriented IT professional who
Cisco Advanced Malware Protection
Solution Overview Cisco Advanced Malware Protection Breach Prevention, Detection, Response, and Remediation for the Real World BENEFITS Gain unmatched global threat intelligence to strengthen front-line
