The Emergence of Security Business Intelligence: Risk

Transcription

1 The Emergence of Security Business Intelligence: Risk Management through Deep Analytics & Automation Mike Curtis Vice President of Technology Strategy December, 2011

2 Introduction As an industry we are rich in data, but poor in information and even further away from true intelligence. We continue to chase the advanced persistent threat that inevitably evolves as we adopt new technology. Protection technologies advance to address new threats and slowly but surely, more mature solutions will begin to reach their end of productivity. As they ride the point solution conveyor belt, most enterprises today have amassed a vast, disparate and complex cadre of solutions deployed throughout their security architecture. These solutions sit at various points of the information stack to perform their specific functions inside of the layered security model. The problem is, each solution is specialized for its job and it presents risk, state, event, compliance fill in the blank data that is specific to its purpose. The result is that we are quite proficient at generating data and a lot of it, but that data is siloed, fragmented even owned and used by different constituents in the organization. This leads to inefficient and incomplete security processes. Security practitioners are forced to act in the absence of good information. So the question is How do we synthesize our understanding of risks across all the layers of the stack and then enable a unified, coordinated response? How often are we able to transform that data into real insight that enables action? How do we create true intelligence that helps us better understand the threat environment as well as leverage our security architecture in new and powerful ways to protect ourselves? This is the challenge we are confronted with.simply how do we reach the next plane of operational effectiveness in security? As the threat vector morphs along with new technology shifts like virtualization, consumerization of IT, mobile computing and cloud this only gets more difficult. The security industry is roughly 30 years old since the dawn of the first firewalls and anti-virus solutions. We ve spent those 30 years amassing point solution after point solution to

3 chase new threats. SIEM and ITGC solutions have come along in recent years to begin to help enterprises make sense of it all. But we must still push forward beyond correlating and providing visibility and coordination with key controls. We must achieve a better understanding of security risk and provide new ways to articulate security and compliance requirements inside of the critical business services that are fundamental to an organization. Fuse these elements with big data analytics and automation and you can deliver Security Business Intelligence. Current State of the Industry While the security and compliance world is fast maturing, the promise of completely solving security through technology remains very far out on the horizon. This means the fundamental process of assessing risk and compliance against policies will not go away anytime soon. Even today, with the creation of standards like Open Vulnerability and Assessment Language (OVAL) and Security Content Automation Protocol (SCAP), the vulnerability management process is a challenging one, often involving manual efforts with less than perfect information on which to prioritize effort. Vulnerability assessment still largely revolves around a scan-and-patch paradigm, but there are numerous operational and business obstacles that make it difficult to simply patch or otherwise directly mitigate every discovered issue. It s very difficult to drive a consistent, complete risk assessment process spanning network, application and web layers from pre-production software development through to standard operating systems, off-the-shelf software and network devices. This is because these tools operate in different worlds and involve differing mitigation strategies. The effectiveness and level of integration between risk assessment and protection solutions is limited.

4 Interoperability among solutions is mostly centered on standard ways to express vulnerabilities, software and weakness, events and configuration state. Interoperability to drive smarter more automated remediation is just beginning. Although some converged security solutions are emerging, most enterprises have numerous security products deployed that address varying types of risks and threats operating at a specific layer throughout their defense in depth model. As a result, we have layer specific data resulting in siloed processes and information. Security and operations functions are still in the process of converging. Those responsible for performing a remediation task and those in the security organization have information needs that differ. This causes challenges when trying to facilitate a security process across functional areas. It s very difficult to compare an already complex and challenging risk assessment process with both the existing security countermeasures that are in place as well as new applicable countermeasures, so that the optimal mitigation strategy is deployed. Of course, all of this must also be carried out under the umbrella of corporate security & compliance policy. This gap creates exposure, duplication of effort, non-compliance and overall inefficiency and higher costs to secure the environment and comply with regulations. The Next Chapter: Security Business Intelligence As an industry, we are at the point where the ability to generate massive amounts of layer specific data is in place. We are even beginning to turn data into intelligence in some situations based on smart vendors and practitioners solving problems. The next step will be to create true knowledge out of data, in the process making enterprise wide security intelligence immediately actionable to mitigate risk. In parallel with this, we must of course always keep pace with the evolving threat vector and changing computing environment. When we combine advanced security intelligence with new models of expressing risk inside of key business services we can better understand how security and compliance both impact and enable business. We can

5 begin to view security as something that can be visualized, optimized and fine-tuned, instead of always playing from behind. Big data analytics combined with the evolution of standards and next level automation are the tools to deliver on security business intelligence. Big data analytics will be applied to security to enable a smarter, more agile approach to risk management. More and more security processes will become automated using policy based workflows First generation solutions such as stateful firewall and signature based antivirus already becoming increasingly ineffective in the face of new threat vectors will become obsolete. Risk data will be assimilated and unified throughout the different risk inputs including vulnerabilities, software weaknesses, configuration state data and malware data. Next generation remediation decision frameworks will identify how discovered risks are already being mitigated by presently installed countermeasures. Interoperability will become more prevalent with more evolved, useful applications. A common platform to facilitate seamless processes across security, compliance and operations must emerge New ways to express risk and compliance requirements inside of a business service context will emerge. Next generation intelligence platforms will show risks and threats with added situational context (identity, time of day, business application) to enable better security processes. What chief information security officers really need is a solution that unifies the elements of risks, articulates the attributes of those risks and intelligently maps them to the most effective countermeasures based on those attributes to enable action. The Role of Standards Going Forward Beginning with common vulnerabilities and exposures (CVE) and now with OVAL and SCAP, the standards community has created the framework to automate the assessment of risk and the

6 validation of configuration compliance. By creating standard ways to define software flaws/vulnerabilities, misconfigurations, software weaknesses and system names, a foundation for interoperability is put in place. OVAL acts as the chassis to enable a standardized approach to performing vulnerability or system characteristic assessment Extensible Configuration Checklist Description Format (XCCDF) acts as a meta policy language to formalize security policy guidance into sets of OVAL checks SCAP is the fundamental protocol or set of specifications that connects all these components Newer efforts are building on the pieces described above to apply the same approach to create standard ways to articulate emerging attack patterns and facilitate interoperability among risk sources and threat protection solutions. It s this next frontier that presents an opportunity to automate not just assessment and compliance validation, but also the rest of the incident lifecycle through to remediation. The connective tissue the standards represent provides opportunities for vendors to build new and powerful linkages to create the next generation of security management solutions. Critical Watch ACI will be at the forefront of this effort.

7 ACI Platform (Active Countermeasure Intelligence) Critical Watch has built the first and only Active Countermeasure Intelligence technology to respond to these challenges. It enfuses security solutions with the deep analytics and intelligent automation needed to address the modern risk management challenge. It is a flexible software framework designed for rapid deployment and integration across a wide range of disparate devices and risk input sources with a central intelligence engine built on Big Data technology. Risk Collection Agents collect risk data and normalize it through appropriate risk input API s into to the ACI Recommendation Engine which holds a set of core taxonomies of Recommendation Analytics that link risks to the most effective countermeasures. Countermeasure Control Agents gather state and configuration data from countermeasures as well as perform remediation tasks orchestrated through Countermeasure Policy Workflows. - Taxonomy - Collection & Control - Policy - Rapid Deployment - Flexible / Agnostic - Built on Big Data