The Importance of. Reputation. Proactive enterprise security involves turning data into actionable information that s where reputation comes in.

Transcription

1 The Importance of Reputation Proactive enterprise security involves turning data into actionable information that s where reputation comes in. 1 Information Security Media Group 2013

2 THE IMPORTANCE OF REPUTATION Proactive enterprise security involves turning data into actionable information that s where reputation comes in. In the past, security meant tall, strong walls as in forts, citadels, castles, etc. (think Great Wall of China). Eventually, warring parties figured ways around those vertically oriented defenses. The same dynamic is at play today in the electronic realm. In the hyper-dynamic environment of the Internet, the fortress mentality of IT security is a throwback. With evolving online models such as mobile computing and the cloud, and sophisticated malware such as botnets and advanced persistent threats, an information security defense strategy oriented around securing an enterprise s perimeter is misguided and inadequate. What is needed is a way to leverage IT s most valuable asset: data. As is true in every area of IT, security technology generates a plethora of data which can be something of a mixed blessing. What companies are wrestling with is the fact that security has a lot of data associated with it, says industry analyst Steve Hunt, author of the Security Dreamer blog. But only when that data is organized, contextualized, does it become security information, he adds. Turning security data into actionable information is key. In the context of today s constantly shifting security environment, adequate defense demands not only reactive data collected from internal networks, but active, up-to-the-minute reputation data reconnoitered from the wilds of the Internet, combined in the most effective manner to generate meaningful recommendations and remediations. Such reputation data can make the difference between passive resistance and proactive security. The Threat Landscape It is important to understand the hothouse environment that surrounds IT security these days. Public outrage over increasing reports of data compromises, along with political reaction in the form of widespread public disclosure laws, has made finding breaches and minimizing data loss a corporate priority. Malicious motivations have changed over the years, as have their means to an end. Sophisticated criminal gangs, along with spies sponsored by nation-states and agenda-oriented hacktivists, have replaced teenage tinkerers as the most menacing digital marauders. Alongside brute-force virus attacks have come stealth tactics that emphasize the long, slow, multi-stage exfiltration of data and resources, such as the widespread surreptitious implementation of robot networks and the personalized targeted incursions known as spear phishing. It is also important to understand where security threats come from. While much handwringing goes on over the threat represented by internal 2 Information Security Media Group 2013

3 Given the stealth nature of many of these outsider attacks, it is not surprising that many organizations have security problems and do not know it. In a recent analysis of security trends, Forrester Research called out this blindness to vulnerability as a major concern: Most organizations don t have the visibility or awareness to know if their networks are breached. 3 Security = Data personnel, the fact is that most security breaches come from the outside. More than three quarters (86%) of the breaches examined by Verizon security researchers for the company s most recent data-breach report had no internal element. 1 Given the stealth nature of many of these outsider attacks, it is not surprising that many organizations have security problems and do not know it. Two-thirds of the breaches examined by Verizon s researchers took months, even years, to discover. 2 Information security has always been about data. Intrusion detection systems were intended to monitor networks and detect and report anomalies, while intrusion prevention systems checked for malware against lists of known signatures. Unfortunately, early versions of both tended to suffer from a surfeit of data, frustrating effective remediation with an overload of false positives. With its sensors and dashboards, data collection and interpretation is the point of security 3 Information Security Media Group 2013

4 Up-to-date reputation data can serve as a watchlist for organizations to guard their own Internet status and reputations. information and event management technology (SIEM). SIEM found its foothold in the enterprise as a tool to document compliance with industry and governmental regulations. Still, the ability to collect and correlate massive amounts of data and make recommendations based on defined rules has made SIEM an important security tool for mid-size and large organizations. As the malware landscape evolved, signature data became an important element in the fight against the rising tide of malicious code. Viruses, worms and Trojan horses were captured and catalogued, their identifiable characteristics added into the lists used by anti-virus applications. Also, software vendors tracked vulnerabilities inadvertently incorporated into their applications and systems and began publishing regular patches to address those potential problems. In the online world, just as important as the what of malicious code is the where, who and how. Toward that end, some third-party organizations took it upon themselves to monitor the Internet for emerging threat areas. For instance, the SANS Institute, a computer security-training firm, provides an online public service known as the Internet Storm Center, which collates data on infrastructure events from sensors covering over 500,000 IP addresses in more than 50 countries, and adds analysis in the form of a daily blog. 4 It is a valuable public resource for monitoring and evaluating emerging Internet attack trends. The Necessary Element Security technology providers have realized the significance of such online reputation services to their customers overall defense postures and to the effectiveness of their products. Being able to provide data about the most recent Internet threat areas means customers can use networkmonitoring technology to detect even extremely subtle intrusions. Perhaps more importantly, users can check outgoing network traffic for communication with known bad actors, such as botnet command-and-control servers, to spot security threats already implanted within the enterprise. Being made aware of just how riddled with vulnerabilities your network is can be traumatic, says George Daglas, chief operations officer of Obrela Security Industries, a managed security services provider. One customer compared it to, Daglas says, living in a dark room, and suddenly someone turned on the lights, and all around us were dragons and snakes (see sidebar Case Study: Obrela Security Industries, pg. 7). Up-to-date reputation data can serve as a watchlist for organizations to guard their own Internet status and reputations whether your Web assets (and those of customers and partners) are harboring malignant entities. This is a more efficient and effective (and less embarrassing) way to uncover internal security vulnerabilities than by being 4 Information Security Media Group 2013

5 made aware by some third-party source, which is how most organizations find out. According to the Verizon report, 69% of the breaches they studied were spotted by external parties 9% by customers. 5 Reputation data has a performance aspect to it as well. By helping to block unknown and unwanted communication from inside the organization to outside sources, reputation data can help increase network performance for mission-critical applications. Benefiting From Benchmarks It is worth noting that not all reputation security services are created equal. Some security technology providers rely on reputation research from publicly available sources, such as SANS, as well as that from major vendors, versus expending the resources to generate research of their own. Not that public data has no value, but it does not necessarily furnish security technology providers or their potential customers with a competitive advantage. That is why it is important that organizations look closely at where reputation data comes from and how the security technology provider makes use of that data. One of the criteria for evaluating a security vendor is to look at their threat intelligence research organization what their linkage is to services and products, says security analyst Chris Christiansen, program vice president for IDC s Security Products and Services group. 5 Information Security Media Group 2013

6 When evaluating a security technology provider, especially in terms of threat research and reputation service, potential customers should pay close attention to these benchmarks: The extent and currency of the reputation data how much, from where, and how often is it updated? Commitment is the key to currency, and currency is the key to actionable reputation data. A viable scoring mechanism for reputation data. Practical scoring provides potential customers with the ability to determine the granular level at which they want to filter potential threats. The integration of reputation data with existing technology. Reputation data can be a very powerful add-on to an IPS, ensuring filters are kept valid and purposeful. Similarly, reputation data can be used in connection with a SIEM system to bolster the effectiveness of the correlation engine and policy-based recommendations. Extensive, proactive research regarding reputation data as well as tight integration with existing products will not happen by accident. It must be a part of a provider s dynamic effort to keep security technology and services as close to the cutting-edge as possible. Potential customers will benefit from close scrutiny of such practices before committing. A Proactive Strategy If there is one thing the last few tumultuous years have taught us, it is that information technology is not static it is a dynamic process that companies must leverage or risk being left behind. In the same way, enterprise security can no longer be a static, defensive stance but must take the form of a dynamic, proactive strategy or organizations continue to risk being victims. Due to its currency and relevance, data is the most dynamic aspect of IT. The catch-phrase big data points to its potential, through analytics and data mining, for providing actionable insights. That same potential applies to security. More data points related to the evolving threat landscape as it mutates and multiplies on the Internet can mean more effective security technology better adapted to address current and future security vulnerabilities. But such reputation data is only as effective as it is made to be. Potential customers must examine closely how such data is employed by security service providers where it comes from, how current it is, and how it is leveraged in existing technology. When used correctly, reputation data, and the services and technologies related to it, represent the next most effective weapon in the war on information security. Footnotes 1. Verizon 2013 Data Breach Investigations Report 2. Ibid. (62% of breaches took months to discover; 4% took years) 3. Forrester Research, Inc.: Top 15 Trends S&R Pros Should Watch: Q2 2013; April 9, Verizon 2013 Data Breach Investigations Report 6 Information Security Media Group 2013

7 Case Study: Obrela Security Industries Headquarters: Athens, Greece. Mission: Provide managed services in the areas of risk management and information security for complex enterprise environments. Obrela is a beta class startup, three years into the startup scene and expanding rapidly, says Kimon Skarlatos, chief commercial officer. Customers: Financial services, payment processors, public sector, telecommunications. Problem: Find flexible, extendable, interoperable, scalable, multi-platform, multi-tenant SIEM system with sophisticated correlation engine on which to base growing security-as-a-service business. Solution: HP ArcSight Enterprise Security Manager plus HP RepSM service. Reason for using HP ArcSight: We were looking for something open enough to allow us to build our own content, our own rules, (along with) multiple levels of correlation not be the limiting factor of what we wanted to do, says George Daglas, co-founder and chief operations officer. Reason for using HP RepSM: With RepSM being constantly updated, we are able to correlate normal internal behavior with what is happening on the outside, says Daglas. We have identified threats in financial organizations that had been there for years, that information was being transmitted and collected by malicious third- parties for years we were able to identify this very quickly with the RepSM environment, he says. HP Reputation Services Among the reputation solutions offered by HP: HP DVLabs Research organization focused on vulnerability discovery and analysis Maintains a database of 1-million-plus IPv4 and IPv6 addresses and 1-million-plus DNS names Receives reputation data from three sources: public providers, such as SANS; open source providers, including various malware/phishing/botnet communities; generates own threat data from honeypot network, ThreatlinQ network, and community of TippingPoint customers Aggregates and normalizes these data sources into one coherent database Scores database entries (0 to 100) based on threat potential HP Reputation Digital Vaccine (RepDV) An add-on service to HP s TippingPoint NGIPS (next generation intrusion prevention system) Based on data feeds from HP DVLabs Automatically updates every two hours HP Reputation Security Monitor (RepSM) An add-on service to HP s ArcSight SIEM (security information and event management) Enterprise Security Manager system Based on data feeds from HP DVLabs Automatically updates every six hours HP ArcSight Security Intelligence Platform HP s SIEM (security information and event management) solution, which offers visibility into security and compliancerelated data across the IT infrastructure Enables organizations to identify and respond quickly to security threats, transform Big Data into security intelligence, and automate compliance Collects, stores, and analyzes data from any device, any source, and in any format from 350+ connectors Closely integrated with HP RepSM for a complete view of security-related data 7 Information Security Media Group 2013

8 About ISMG Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries. Contact (800) [email protected] This information is used by ISMG s subscribers in a variety of ways researching for a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape. 902 Carnegie Center Princeton, NJ Information Security Media Group 2013