Protecting Your Business with a More Mature IT Security Strategy

Transcription

1 Protecting Your Business with a More Mature IT Security Strategy In this issue: Data Security: Are Hackers Winning the Battle The Rise of Security Operations Centers Is Your Security Technology Out-Dated?

2 Contents Protecting Your Business with Contributors: Michael Stevens 2 2 Data Security: Are Hackers Winning the Battle? 4 Connecting the Dots: The Rise of Security Operations Centers Is Your Security Technology Out-Dated?

3 Data Security: Are Hackers Winning the Battle? By Michael Stevens T he chances are good that, within the previous week, the successful hack of a major brand was in the news and that s going to be true no matter when you happen to be reading this. In fact, these exploits are so common that they hardly qualify as news anymore. But in spite of the high level of awareness that now exists, and the fact that successful defenses are available, data breaches have become a fact of life for organizations of all sizes across all industries. Security managers can often be lulled into a false sense of security about the likelihood of an attack. Whether it s because of the size of their organization, because their business isn t a household name, or because they do not have credit card information for millions of consumers in their possession, they believe that the stringent security measures that prevent attacks do not apply to them. This is a mistake. The truth is cybercriminals will attack any vulnerable target. In fact, 18 percent of the security incidents with confirmed data loss that were recorded in a major 2013 Verizon study happened to small companies (defined as having fewer than 1,000 employees). While enterprisescale companies that make headlines when there s a data breach can often weather the consequences, smaller companies often cannot. According to the National Cyber Security Alliance, 60 percent of the small businesses who sustain a cyber attack will be forced to close their doors permanently within six months. HP has been deeply involved in the documentation and elimination of IT security threats for more than a decade, having formalized its Security Intelligence and Operations Consulting (SIOC) practice in HP has conducted formal security assessments for dozens of enterprises, and the insights derived from these assessments can serve as invaluable guidance for companies seeking to prepare themselves for the attacks that are bound to continue. Perhaps the most interesting data point from SIOC s 2014 report, Capabilities and Maturity of Cyber Defense Organizations, is that 24 percent of the companies assessed do not meet minimum requirements to provide consistent security monitoring. Many companies only move in the direction of a more mature security posture after they have suffered a direct financial loss. The areas where they were found lacking can point companies to areas where they can improve security, often at a very low cost. The Basics. Fundamental security practices are commonly overlooked. These include: User ID administration (passwords and access control) Asset management 2 Back to Contents Protecting Your Business with 2014, IT Business Edge, a division of QuinStreet, Inc.

4 Information classification Vulnerability management (i.e., patching) Some of these activities admittedly introduce friction into processes, as when employees forget their passwords or when a patch creates problems of its own, but enforcement of best practices can literally be a matter of life and death for companies. Prioritization. It is difficult and costly to protect everything. The risk and particularly the financial risk associated with the loss of any class of data should be analyzed, and protection should be commensurate with risk. Focus on Compliance. Quite simply, compliance-based security objectives set the bar too low. Collecting information to comply with internal audit requirements or even external regulations like PCI will not in itself result in effective threat detection. Reliance on ITIL. Performance, capacity and availabilitybased frameworks are also insufficient as a basis for maintaining security, because security operations require more process tools. While remaining diligent about these basics, companies must guard against another tendency that works against optimal threat detection: the tendency for companies to focus too much on technology, and too little on people and processes. Clearly, technology is extremely important. Tasks need to be automated wherever possible. There aren t enough hours in the day for humans to carefully review logs for anomalies, to cite one example where automation is critical. But people and processes deserve more attention. First and foremost, companies must understand that human thinking is required to detect and respond to many modern threats. Beyond that, there are many simple best practices that need to be instilled in the company culture. Employees need to be taught to create strong passwords, to not click on links in messages from an unknown source and avoid other obvious risks. Patch management processes have to be rigorous and timely. Software code written in-house needs to be written, from the beginning, with security in mind. Another broad security issue companies now face stems from the sheer number of technology-based security solutions that are now deployed. There s a reason why so many systems are running in parallel. The security problems that companies face malware from , advanced persistent threats, application-based exploits and so on arose over time, and companies of all sizes typically addressed them one by one, via point solutions. The unfortunate result of this approach is that these solutions require a lot of time and energy, and, worse, can t provide security managers with a complete picture of what s happening at any given time. As a result, managers can t always connect the dots and see, for example, the relationship between a suspicious pattern of inbound and anomalous behavior by a business-critical application. The bottom line here is that businesses need to become more proactive if they are to avoid a security disaster. Currently, 60 percent of enterprises globally spend more time and money on reactive measures than on proactive risk management. Put bluntly, this means that organizations are spending far too much energy on fire drills, and not enough on preventing the fires in the first place. The bright spot in this picture is that new approaches to security and risk management are emerging that can consolidate information to prepare for exploits, and neutralize them more effectively when the time comes. Centralization of resources, both technological and human, is becoming one of the most powerful concepts in IT security. 3 Back to Contents Protecting Your Business with 2014, IT Business Edge, a division of QuinStreet, Inc.

5 Connecting the Dots: The Rise of Security Operations Centers By Michael Stevens T he multiplicity of incompatible systems that today s businesses have deployed over time to defend against different types of threats makes seeing the big picture difficult, but this state of affairs is also a fact of life. One of the most promising approaches to dealing with the complex and fragmented nature of today s security sprawl is the creation of security operations centers (SOCs). SOCs, now often being re-branded as cyber defense centers, are focused on data collection and analysis. By centralizing and integrating input from all of a company s IT security systems, SOCs provide information and insights that can lead to a more comprehensive and effective response to attacks. Not every business suffers security issues on the same scale as global enterprises, but they do have the same problems. For this reason, the implementation of SOC philosophy and functionality makes good sense for any organization, particularly the main concept of the SOC approach: security data centralization. HP s Security Intelligence and Operations Consulting (SIOC) unit has adapted Carnegie Mellon University s widely accepted Capability Maturation Model for Integration as a framework for its ongoing program of assessments for enterprise SOCs. The resulting Security Operations Maturity Model defines five levels of SOC maturity: Level 1: Minimal security monitoring exists, but there is no documentation and actions are taken on a catchas-catch-can basis. Level 2: Compliance requirements are met. Tasks are documented, repeatable, and can be performed by any staff member. Level 3: Operations are well-defined, qualitatively evaluated and flexible. Processes come under review and are defined or modified proactively. Level 4: Quantitative evaluation is added to Level 3. Level 5: Formal, proactive improvement programs are in place. Processes are rigid, and program maintenance involves significant overhead. HP s SIOC unit can make very price precise assessments using this model. For example, Corporation A might achieve a 3.2 maturity score while Corporation B might score 2.7, based on a detailed assessment of dozens 4 Back to Contents Protecting Your Business with 2014, IT Business Edge, a division of QuinStreet, Inc.

6 of functions. For large enterprises, HP has determined that a score of 3.0 is ideal for an internal IT security organization. This level of precision is not necessary for every business. While respecting the principles of the maturity model centralization, compliance, defined processes, repeatability, documentation and regular evaluation some businesses can be quite successful in achieving their security aims with a less formalized, thee-step approach to creating an SOC that meets their needs. Compliance. The first step is ensuring regulatory compliance as well as compliance with any internal audit requirements that may exist. While regulatory compliance in itself does not ensure adequate threat protection, it is certainly an important step in the right direction. Furthermore, compliance is an objective, highly visible measure of success for an IT security group, and failure in this area can have very negative career consequences for IT managers. The ideal technology to support a compliance-oriented SOC in its early stages of development is a security information and event management (SIEM) solution such as the HP ArcSight Security Intelligence platform. The ArcSight platform provides complete visibility into activity across the entire IT infrastructure. This includes external threats such as malware and hacker exploits, as well as internal threats such as data breaches and fraud. Equally important, ArcSight has capabilities that extend far beyond minimal compliance requirements, so that SOCs can grow in sophistication over time. Alignment with Business Goals. The third stage involves aligning security efforts with business goals. No company of any size has enough money to protect every bit of data it controls. Choices must be made, but many decisions are relatively easy. For every company, there are types of data where compromise would be catastrophic, such as data in the financial systems. Conversely, there are types of data that are trivial, in terms of company survival, such as employee vacation schedules. For gray areas, attempting to quantify the impact of compromised data can be helpful. For example, if the theft of intellectual property would mean loss of a competitive advantage in a particular market, the value of that loss can be estimated, based on market size, the percentage of deals that would be lost instead of won, profit margins and so on. Admittedly, such calculations have a significant subjective component. Nonetheless, they are an excellent starting point for making decisions about security budgets. Even a modest SOC can substantially reduce the risk of a damaging attack, but hacker organizations are becoming more and more sophisticated, and there is no defense strategy that can absolutely guarantee that a breach will never occur. For this reason, companies must also prepare for the worst-case scenario and implement an appropriate backup and recovery system, including a regular test program to ensure that it works as intended. With an SOC and a strong backup system in place, companies are in a strong position to deal with any cyber threat that may arise. Application-Level Security. The second stage for SOCs is to look beyond anti-virus and firewall security and include application security. Today, 84 percent of data breaches result from application-level exploits. This makes the ability to look for unusual behavior more important than ever as a step towards comprehensive security protection. 5 Back to Contents Protecting Your Business with 2014, IT Business Edge, a division of QuinStreet, Inc.

7 Is Your Security Technology Out-Dated? By Michael Stevens S ecurity technology in organizations can be fragmented, consisting of a firewall that is separate from the anti-virus system, which is in turn separate from the user identity management system, and so on. As a result, it is difficult to identify patterns that signal a threat when those patterns involve behaviors on more than one system. Enterprise-scale companies have attacked this problem through security operations centers (SOCs) that centralize security log data in one place. The same approach seems more and more appropriate for organizations of every size, as they come to realize that they are just as likely to be attacked as the retail and finance giants that have been so frequently in the news. One of major barriers to adopting the SOC approach has been the cost of implementation, both in dollars and resources. Although mid-sized businesses face the same enemies as enterprise scale companies, for example, they don t have the same deep pockets. There is, however, good news. The technology that lies at the foundation of enterprise security is available to midsized businesses as well: HP s ArcSight Express security and information management (SIEM) solution, which has achieved industry-leader status in the highly respect Gartner Magic Quadrant for 11 years in a row, including A Three-Pronged Solution A solution that can quickly identify and neutralize exploits must have three broad capabilities. The first is data collection. Precisely speaking, however, simply collecting the data is not enough. The various security systems working in a business typically produce logs in formats that are incompatible with one another, which makes event correlation and pattern recognition impossible for all practical purposes. HP s SIEM technology remedies this situation. Specifically, ArcSight Logger normalizes and categorizes security events from multiple systems into a common event format, so that every security event looks the same no matter what its source. This is extremely important, because it enables the next capability: analysis. Certain events that by themselves seem unimportant may point to a potential exploit when correlated with other events detected by another system. For example, increased network activity associated with a particular application might go unnoticed, but when correlated with access to that application by a de-provisioned contractor, that same activity could indicate a potential data breach. The heuristic analysis approach taken by ArcSight ThreatDetector can identify malicious event patterns such as these, as well as those displayed by zero-day exploits and advanced persistent threats designed to thwart conventional detection strategies. Furthermore, ThreatDetector can 6 Back to Contents Protecting Your Business with 2014, IT Business Edge, a division of QuinStreet, Inc.

8 identify patterns that are benign, thereby reducing false positives. When an exploit occurs, ThreatDetector can alert security technicians so they can take immediate action. It can also be used to generate business rules that will evoke instant, automated responses. ThreatDetector s capabilities are complemented by HP NetFlow Analysis, which looks at network traffic to identify anomalies. In any security strategy the activities of insiders both employees and contractors deserve special attention. (In a recent study conducted by Forester, 25 percent of respondents said that abuse by a malicious insider was the most common breach to occur in the past 12 months.) ArcSight IdentityView provides comprehensive tracking of insiders, including log-ins by privileged users and attempts to log in by de-provisioned users such as terminated employees who may still have direct access to applications. IdentityView can also map IP addresses to specific users and attribute the use of a shared account to an individual user. When a threat is detected, it s important to act fast, and ArcSight Threat Response Manager (TRM) enables an instant response. ArcSight TRM communicates directly with network infrastructure devices (routers, switches, etc.) to build a detailed model the network s topology. Triggered by ArcSight Express (or other security solutions from HP), it can immediately take action to quarantine a node, disable a node s switch port or filter node traffic. These actions can be automated based on business rules, or executed manually based on alerts. Payment Card Industry Data Security Standards (PCI-DSS). Often, they must also meet internal audit requirements. To simplify the burdensome task of preparing these reports, HP offers a suite of Compliance Insight Packages that provides log review and security monitoring specifically tailored to meet regulatory requirements. The HP Compliance Insight Packages seamlessly install and immediately leverage HP ArcSight Express and Logger. Gaining Momentum The idea of a centralized, integrated approach to cyber threats led by a SOC is gaining momentum, and HP provides all the technology to support this approach technology that is both effective and affordable. Companies that have not yet taken this step should at minimum evaluate their current systems. Again, HP can help, with a broad network of value-added resellers and channel partners who are experts in analyzing and finding solutions for the security needs of different organizations. For more information on how you can mature your security program, please visit hp.com/go/arcsight. Beyond Threat Protection In today s business environment, IT groups must not only implement the security process in place to protect themselves. They must also document these processes in order to satisfy government or industry regulatory requirements such as Sarbanes-Oxley (SOX) and the i html 7 Back to Contents Protecting Your Business with 2014, IT Business Edge, a division of QuinStreet, Inc.