Cyber Situational Awareness for Enterprise Security

Transcription

1 Cyber Situational Awareness for Enterprise Security Tzvi Kasten AVP, Business Development Biju Varghese Director, Engineering Sudhir Garg Technical Architect The security world is changing as the nature of cyber threats evolve. Although stopping attacks at the network boundary used to be an effective approach to enterprise security, many attacks today originate within the enterprise itself. This white paper highlights the importance of an enterprise s situational awareness in regards to advanced security measures and provides information on how to build such an awareness, from high-level processes to state-of-the-art tools.

2 Table of Contents Executive Summary... Current Security Threats Landscape Moving Towards a Unified Security Management Approach... 4 Developing Cyber Situational Awareness... 5 The Process... 5 Data Collection... 5 Data Processing... 5 Data Interpretation... 5 The Tools... 6 Network Profiling... 6 Asset Profiling... 6 Network Activity Awareness... 7 Conclusion... 7 GlobalLogic s Security Practice... 8 About the Authors... 8 GlobalLogic Inc. 2

3 Executive Summary Cyber threats to information security are evolving at an intimidating rate. Today s attackers are focused, patient, and extremely determined. If your network is under attack and most networks are it would be a grave mistake to assume that your ten-year-old security solution will continue to keep your organization safe. In the past, there have been generally two main lines of defense: network gateway solutions (e.g., firewalls, proxies) and client protection solutions (e.g., antivirus software). Although both solutions still deliver value, they do not provide enterprises with a comprehensive security system since most attacks today are executed from within an organization. Furthermore, cyber attackers may gain access to what are called zero-day vulnerabilities, or previously unknown vulnerabilities that cannot be identified by the known file signature (i.e., the way antivirus solutions typically work). And with the growing need for connectivity (e.g., mobile, cloud, internet-of-things, etc.), it s nearly impossible to eliminate attacks altogether. However, like the old adage says, the best defense is a good offense. Attacks take weeks or even months to execute, giving organizations who are truly focused an opportunity to detect the attack early on, identify who the attacker is, and understand what they are after. In this white paper, we will discuss a security philosophy called cyber situational awareness that enables enterprises to identify cyber attacks early on and take the appropriate measures to address them. We will also propose a high-level process for building cyber situational awareness within an organization and outline the specific tools to enable this process. Current Security Threats Landscape Enterprises have traditionally adopted a reactive approach to security attacks and focused primarily on threats outside the enterprise network boundary. It was considered sufficient to secure an enterprise s network border through threat intelligence information and security devices such as firewalls, VPN gateways, intrusion detection systems (IDS), and intrusion prevention systems (IPS). Over time, enterprises realized that they were far more vulnerable to internal threats, especially with the bring-your-own-device (BYOD) trend introducing an increasing number of uncontrolled network devices into the organization. In fact, some of the highest-profile information loss scandals in recent history have resulted from internal employees or contractors breaching their company s trust. IT personnel in particular have the potential to wreak havoc since the very nature of their work gives them access to a wide range of data resources. As enterprises began to realize the escalating consequences of internal threats, they also began looking for solutions that could address internal threat mitigation. In addition to educating employees on security measures that can prevent unintentional incidents, enterprises have taken various security measures such as endpoint security, internal network activity monitoring, access restrictions, etc. But even with these measures, sophisticated cyber attackers can exploit zero-day vulnerabilities that enable the attackers to access internal resources and thereby make the attack seem as if it s coming from inside the network. Since these threats are impossible to predict, it is essential for organizations to have a strong plan and set of tools for detecting and stopping the attacks once they have breached the network. GlobalLogic Inc. 3

4 Moving Towards a Unified Security Management Approach In order to achieve cyber situational awareness, enterprises need to be aware of the current activities both within and across their networks. By understanding a network s vulnerabilities and potential threats within a wider context (i.e., both internal and external realms), enterprises can identify security attacks early on and take decisive actions against them. To gain a comprehensive view of a network s activity, it is recommended to conduct both internal and external profiling (i.e., leveraging algorithms to identify patterns and other correlations across large amounts of data). While external profiling examines connectivity patterns such as those between internal resources and external servers and proxies, internal profiling reviews a network s assets, applications, endpoints, data access points, etc. Although many enterprises do currently conduct both types of profiling, they are treated as isolated solutions for two separate challenges. As shown in the figure below, this approach leaves a large swath of the threat landscape unattended. In order to minimize vulnerabilities, enterprises need to take a unified approach to threat management. By examining internal and external data through a single security platform, enterprises are more likely to notice incidents that could be advanced persistent threats (APTs). Unattended Threat Area Internal Profiling Identified Threats External Profiling Figure 1. Threat landscape gaps GlobalLogic Inc. 4

5 Developing Cyber Situational Awareness We ve already confirmed that the best way to manage the threat landscape is through cyber situational awareness, or taking into account all of an enterprise s data and network activities to proactively identify and manage threats. However, this is often a daunting task. Managing such a huge repository of data often requires building an expensive infrastructure and implementing methodical processes. Below we will outline various tools and processes to help enterprises develop cyber situational awareness within a realistic budget and timeline. The Process Developing cyber situational awareness within an enterprise requires three basic steps: data collection, data processing, and data interpretation. Data Collection Data collection is conducted through internal and external profiling, which we described earlier. This step of the process requires the cooperation of every single device that exists both within the network and on the network perimeter, including firewall logs, IDP/IPS logs, database event logs, system logs, authentication/access logs (e.g., directory logs, AAA server logs, etc.), endpoint activity events, and more. The goal is to capture every single activity occurring within and across an enterprise s network. Data Processing After collecting data from all the network resources and devices, the next step is to process it by extracting metadata, filtering events, and aggregating the relevant data. Empirical research suggests that effective data processing should reduce the collected data to 10% or less of its original volume. Data Interpretation Inspecting, cleaning, transforming, and modeling the relevant data can be done either in real-time or through advanced analytics via a batch processing mode. This step helps correlate events over both short and long periods of time in order to generate situational alerts and to build further intelligence on security threats. Internal Profiling Event Aggregation + } Event Filteration Cyber Situational Awareness Real Time & Advanced Analytics External Profiling Threat Intelligence Event Correlation Figure 2. The process of cyber situational awareness GlobalLogic Inc. 5

6 The Tools Developing cyber situational awareness requires an exhaustive coordination of activities across and within a network. No single tool can provide a comprehensive view of an enterprise s network; it requires support from all network elements. Various components such as endpoint monitoring tools, database log collectors, firewall log collectors, IDP/IPS log collectors, and network activity monitoring tools must all work in unison to create an accurate snapshot of a network s total sum activity. That being said, we suggest leveraging a network probe for network activity monitoring. A network probe is a device that is capable of understanding a rich set of networking protocols and applications in order to capture data at the highest levels possible. In addition to collecting information from multiple sources, it contains security components that can extract data at various levels. A network probe can also seamlessly process network events from both internal and external devices, which is crucial for internal and external profiling. By delivering a comprehensive snapshot of all activities occurring within an enterprise, a network probe provides a central platform for security management. As we have stated before, this complete situational awareness is key to identifying and reacting to APTs. Next we will explore the various components and functionalities of a network probe in greater detail. Network Profiling The network profiling function is an important element of the network probe. It enables better threat management by analyzing an enterprise s current security posture and identifying possible vulnerable paths within the network. Manually tracking all the various components and devices within a network is very difficult especially with policies like BYOD gaining popularity and such efforts usually require many resources and are prone to error. However, a network probe s profiling function automatically identifies new devices in real-time and therefore provides a continuously updated snapshot of the network. Asset Profiling Enterprises must take proactive measures to prevent internal or external attackers from taking advantage of compromised or vulnerable assets within the network itself. As with network profiling, it s simply not effective (nor cost-effective) to manually monitor a network s assets. A network probe helps identify active services running on each network endpoint. Armed with a full arsenal of information about each network endpoint, enterprises can detect anomalies automatically via configured policies. This asset profiling function also helps identify endpoint security requirements as a preventative measure. GlobalLogic Inc. 6

7 Network Activity Awareness As mentioned before, detailed analysis of the data flowing both within a network and between a network and the outside world can reveal existing and impending attacks, as well as identify APTs. A network probe can mine this network data at various levels and even serve as an ETL tool in the security space. This particular function works by: (1) Extracting data at the network, transport, and application layer; (2) Transforming the data to create metadata at the flow, session, and application level; and (3) Loading the data to the security and surveillance analytics systems after attaching syntax and semantics to the metadata for faster consumption. A network probe can be viewed as a security data mining tool that delivers detailed information from the network layer to the application layer. The data that is provided at each level can then be leveraged to take specific security measures, as shown in the figure below. Conclusion As the security threat landscape becomes more challenging and as the implications of these threats become more significant it is important for an enterprise to re-evaluate how it delivers security. Taking a more unified approach to security management by collecting and analyzing all forms of network data both internal and external is crucial for developing cyber situational awareness within an organization. It will also become increasingly important to leverage state-of-the-art technologies like a network probe to gain an edge over potential attackers, whether that attacker is a professional hacker or an opportunistic employee. As network vulnerabilities become more complex and APTs grow more sophisticated, an enterprise s security plan must adapt and leverage every tool and data point available. Network Level Security Measures Application - Application scouting - Security policies - Appsecure - Application profiling - Application anomaly - Bandwidth management Protocol - Security policies - Bandwidth management - Protocol anomaly Network - Network profiling - Asset profiling - Security policies - Network anomaly - Bandwidth management Transport - Asset profiling - Security policies - Connection identification - Network anomaly - Bandwidth management Figure 3. A layered view of security data mining GlobalLogic Inc. 7

8 GlobalLogic s Security Practice Because Information Security is such an important aspect across multiple markets, we have leveraged our global team of security experts to take a leadership role in this area. We collaborate with our customers to develop security-oriented products and services that excel across all standards. For more information about our services and areas of expertise, please visit About the Authors Sudhir Garg is a Technical Architect at GlobalLogic, specializing in cyber security solutions. Biju Varghese is a Director of Engineering at GlobalLogic whose expertise includes big data, telecommunications, and networking. Tzvi Kasten is GlobalLogic s Associate Vice President of Business Development and leads the company s Security Practice Organization. GlobalLogic Inc. 8

9 About GlobalLogic Inc. GlobalLogic is a full-lifecycle product development services leader that combines deep domain expertise and cross-industry experience to connect makers with markets worldwide.using insight gained from working on innovative products and disruptive technologies, we collaborate with customers to show them how strategic research and development can become a tool for managing their future. We build partnerships with market-defining business and technology leaders who want to make amazing products, discover new revenue opportunities, and accelerate time to market. For more information, visit Contact Emily Gunn emily.gunn@globallogic.com