Risk-based security buyer's guide: Addressing enterprise-class threats on an SME-class budget


Executive Summary

Every day we read about new breaches. They are so frequent, and the volume of records breached so large, that people are becoming desensitized. This is both good and bad for information security professionals. On the positive side, there is no longer any difficulty convincing management that malware, hacking and breaches are serious issues. On the negative side, desensitization can lead IT security budget holders to wonder whether continually adding more technology, and the people and resources to run it, is a failed strategy.

Organizations are in a cyber arms race they cannot win: bolting on increasingly sophisticated products to defend against increasingly sophisticated threats. This approach has diminishing returns, and that is particularly true for small- to medium-sized enterprise (SME) organizations. SMEs increasingly face the same threats as large enterprises without the resources needed to defend against them. The question every organization, and SMEs in particular, must ask is which option is right and how to get the maximum return on it.

To succeed, we must change the rules of the game. This requires fundamental shifts in the way cyber defense is developed, deployed and operated. The shift begins by refocusing from a stop-intruders-at-the-border strategy to an incident response strategy. It requires combining multiple functions into integrated platforms to reduce CapEx, and reducing OpEx by shifting from a threat-based model to a risk-based model. This is the only way out of the cyber arms race, and the only way SMEs have a fighting chance of reducing costs to affordable and sustainable levels.

November 2014 page 1

All organizations are under attack

Unlike large enterprises, SMEs typically follow a check-box security approach driven by compliance with industry, regulatory and legislative mandates. Vendors, too, approach SMEs differently, delivering lower-powered, stripped-down versions of their enterprise-class solutions: essentially, basic security matched to SME budgets and perceived needs. This logic had some validity a few years ago, but today it is wrong: 61% of targeted attacks in 2013 were against companies with 2,500 or fewer employees. [i] To underscore the point, the 2013 breach of a major retailer did not start with a direct assault on the retailer's IT infrastructure. It started at an HVAC contractor working for the retailer. [ii] As described by numerous sources, the attackers took advantage of weak security controls at the HVAC contractor combined with that contractor's direct access to the retailer's network.

Technology plays a critical role in detection and incident response

Today, standard operating procedure for security organizations facing increasing threats is to bolt on increasingly sophisticated technologies: anti-virus, router ACLs, firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), web reputation services, web application firewalls (WAF), Security Information and Event Management (SIEM), anti-malware gateways, endpoint virtualization, and so on. Table 1 summarizes the current state of these technologies. Unfortunately, despite the billions of dollars spent buying these technologies (CapEx) and the hundreds of billions spent implementing and operating them (OpEx), cyber defense is getting worse, not better. In 2013, the time between infection and breach was typically days or less. Fewer than a quarter of affected organizations discovered the breach in the same timeframe; most took weeks, months or longer. And the trend lines are moving in opposite directions: time-to-breach is decreasing while time-to-discover is increasing. [iii]

Organizations of all sizes must find ways to reverse these trends without spending the entire IT budget on information security. Though it sounds absurd, in 2013 a United States Department of Commerce sub-agency spent more than half its annual IT budget responding unnecessarily to a suspected malware infection, including destroying $170,000 worth of IT equipment. [iv] According to a recent study, 77% of IT staff incorrectly reported the cause of security incidents to their executives. [v]

Table 1 - Cyber Defense Technologies

Firewall (FW)
  Network location: Internet ingress/egress and network segmentation points (physical and virtual)
  Intended purpose: Block network access by unauthorized users, systems and applications
  Key characteristics: In-line, high-performance stateful filtering and inspection; proxy
  Key concerns: Increasingly porous; onerous rule management; significant overlap between FW, WAF and next-generation FW

Intrusion Detection System (IDS)
  Network location: Network segment level (NIDS) in physical and virtual infrastructure; host resident (HIDS)
  Intended purpose: Detect suspicious network activity that may be malicious
  Key characteristics: Anomaly detection; signature-based; heuristics
  Key concerns: High false positive rates lead to defense erosion; detection only

Intrusion Prevention System (IPS)
  Network location: In-line at network segment level (NIPS) in physical and virtual infrastructure; host resident (HIPS)
  Intended purpose: Detect and block malicious activity
  Key characteristics: Signature-, anomaly- and heuristic-based detection; protocol aware and can offer virtual patching
  Key concerns: Expensive to implement at speed; same false positive issues as IDS; high availability and throughput requirements; significant overlap between IDS and IPS

Web Reputation Services
  Network location: At Internet ingress/egress and/or cloud services
  Intended purpose: Detect and block malicious web traffic
  Key characteristics: Signatures, blacklists and anomaly detection
  Key concerns: Often overlap with FW

Security Information and Event Management (SIEM)
  Network location: Centralized (SOC or NOC)
  Intended purpose: Collect and correlate events and alerts from security, application and network functions
  Key characteristics: Data analytics to isolate security events; more often used for audit and compliance purposes only, because root-cause analysis is difficult
  Key concerns: Can be expensive (proprietary) or open source; requires significant human capital investment to build and tune custom rules on an ongoing basis

Antivirus (AV)
  Network location: Endpoint, host and network deployments; supports virtual and physical infrastructure
  Intended purpose: Detect malware on endpoints and hosts
  Key characteristics: Signature-, anomaly- and heuristic-based detection and analysis
  Key concerns: Can be resource intensive and expensive to implement and manage correctly; increasingly ineffective at malware detection

Anti-Malware Gateway (AMG)
  Network location: Typically network-based virtual execution sandboxes; sometimes integrated with FW, AV and IPS
  Intended purpose: Provides a safe environment in which to watch malicious code as it executes
  Key characteristics: Anomaly-, signature- and heuristic-based analysis; can detect complex malware
  Key concerns: Determining a file's malware likelihood requires evaluating the entire file; susceptible to underlying kernel exploits and code obfuscation

Back to basics: incidents and incident response

Industry research is clear that networks are, or will be, compromised; it is only a matter of time. The days of stopping the intruders at the gate are over. A successful cyber defense must identify incidents and respond in time to prevent a breach or unsustainable damage. The first step is proper instrumentation, which has historically required three core technologies from Table 1: a firewall, an Intrusion Detection System (IDS) and Security Information and Event Management (SIEM). For this discussion, we assume all organizations have already deployed a firewall.

The challenge for organizations of all sizes, and SMEs in particular, is that the cost to procure, operate and leverage these technologies can easily exceed the information security budget. As an example, IDS and SIEM CapEx ranges from free (open source) to $100,000 or more. The loaded cost of operating these products and successfully interpreting and acting on their output can easily range from $100,000 to $1,000,000 per year. Clearly, OpEx is the greater challenge.

Getting the most from CapEx while minimizing OpEx requires two key steps:

1) Separating form from function
2) Shifting from threat-based security to risk-based security

Separating form from function

As discussed above, implementing an incident response capability requires IDS and SIEM functionality. Each delivers a specific function: the IDS detects possible intrusions and the SIEM correlates security events. The differences between one vendor's products and another's lie in ease of implementation, performance, accuracy and, of course, cost. To reduce product cost, vendors are starting to combine IDS and SIEM functionality. The good news is that this reduces CapEx. The bad news is that it does nothing to reduce OpEx, because current IDS and SIEM products (separate or combined) are built on a threat-based security model. As discussed below, this model is outdated, increasingly ineffective and OpEx-intensive. Achieving affordable and sustainable IDS and SIEM costs (CapEx and OpEx) requires both combining the two functions into one product and shifting to a risk-based security model.

Threat-based security

The fundamental goal of threat-based security is to find the proverbial needle in the haystack in time to protect the organization from a likely attack. Unfortunately, the haystack is usually a daily onslaught of millions of events and alerts. As a real-world example, a Fortune 500 insurance company's Intrusion Detection System (IDS) alone generates over 830 million alerts a month. A threat-based approach consolidates and correlates all of these alerts to identify the threats (malware, exploits and so on) and then takes action to mitigate and remediate them. This is an OpEx-intensive process, and it is often conducted offline rather than in real time.

Threat-based security, by definition, looks for threats, relying heavily on alerts triggered by signature- and anomaly-based detection; sandbox approaches are also gaining momentum. The advantage of this approach is that threats are eventually discovered, though often long after the exploit has run its course and the damage is done. The downside is that this approach feeds the arms race:

- Threat-based systems generate a high percentage of false positives, wasting significant staff time tracking down nonexistent threats.
- This drives the need for ever-faster and more sophisticated technologies (those shown in Table 1), in the hope of keeping up with the increasing volume of alerts and the sophistication of attacks while lowering the incidence of false positives.

[Figure 1 - Threat-based approach]

Taking a risk-based approach

In contrast, a risk-based approach builds contextual relevance over time to identify the systems showing the greatest evidence of compromise. It does not start with technology, but with a risk management framework such as those developed by NIST, ISACA, OCTAVE and ISO. Discussing these frameworks is beyond the scope of this paper, but they typically describe the mechanics of evaluating and assigning risk to the organization's IT assets. Reference links can be found at the end of the paper.

[Figure 2 - A New Approach]

Once the organization has defined its risks, it must consider potential exploits in the context of those risks. But beyond context alone, organizations must also evaluate behavioral relevance over time. For example, on the 15th and 30th of the month, a payroll application connecting to ADP is a normal event. Or is it? What if an attempted escalation of privileges occurred on the payroll application server on the 14th? And what if, on the 1st of the month, new registry entries appeared on a user's computer in the HR department? This is the point where technology comes in: a tremendous amount of intelligence and processing is needed to visualize, in real time, the potential targets against each IT asset's value from a risk perspective.

[Figure 3 - Contextual Risk-based Analysis]

If it walks like a duck and talks like a duck...

There is a fundamental difference between a threat-based approach and a risk-based approach: rather than looking for specific threats, a risk-based approach looks for the behaviors that precede and accompany an attack, even without knowing what the specific threat is. Though this sounds counterintuitive, it is possible to reduce risk without knowing the exact threat underway. Malware almost always follows a recognizable sequence of behaviors. By closely tracking those key steps (see our advanced infection lifecycle model) and mapping them against each system's relative risk over time, it is possible to discern a likely attack without ever seeing the attack itself. In effect, suspicious behavior can be grouped into a profile independent of any confirmed exploit or malware sample. Rather than spending days sifting through individual alerts and events, a risk-based approach lets IT personnel focus on what matters most: the assets they protect.

Returning to the Fortune 500 insurance company: it deployed an integrated appliance providing IDS and SIEM functions built on a risk-based security model. The 830 million monthly alerts were automatically distilled into 67,000 behavior profiles. Each profile was monitored and mapped against the risk determination for its system. The end result was that 16 systems (out of 37,000 in total) were identified as potentially at risk. Perhaps most importantly, there were zero false positives, and staff did not waste time on forensic evidence collection and investigation of non-incidents. The company did not need to identify specific malware binaries to recognize high-risk behaviors or to generate the evidence needed for early intervention, and in the process it significantly reduced the OpEx associated with incident response.

Changing the rules of the game

To increase effectiveness, reduce OpEx and reverse the breach detection and response trends, companies must move quickly from an alert- and threat-based security model to an evidence- and risk-based model. A risk-based approach still processes the same volume of events, but it provides contextual, real-time risk and exploit visualization: showing risk over the entire duration of an incident; analyzing events and alerts in the context of the advanced infection lifecycle; and prioritizing risk according to the organization's risk appetite, based on both historical and current network state.

[Figure 4 - Real Time Risk Dashboard]

A new approach for SMEs

As discussed above, SMEs are already under attack and often lack the resources (staff and technology) to mount a successful threat-based cyber defense. A risk-based cyber defense provides the following benefits:

1. It breaks the habit of throwing new technology at the problem. SMEs can significantly improve cyber defense without dedicating half of their IT budget to information security.
2. It presents defense in the behavioral context of risk, giving IT security professionals the tools to prioritize defense and response to exploits in relation to real-time risk.
3. It separates form from function and takes the argument of anomaly-based detection versus signatures versus sandboxing off the table, because it is not necessary to know the exact exploit in order to protect corporate assets.
4. It provides a means to visualize the risk to corporate assets and to prioritize incident response.

Shifting to a risk-based cyber defense strategy is the only way SMEs will successfully address enterprise-class threats on an SME-class budget. This paper began with the assertion that SMEs are in a no-win situation, facing ever-increasing attack sophistication along with the associated rising cost of defense (primarily OpEx). Technology plays a key role in cyber defense, but a risk-based approach with the right exploit and asset visualization limits the OpEx those technologies require.
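The contextual analysis described above (the payroll/ADP scenario and the insurance company's reduction of alerts to behavior profiles to a short list of systems), as an added worked example that is not part of the original guide and is not any vendor's product code. It assumes a hypothetical four-stage infection lifecycle with made-up weights, a hand-written asset register, a baseline of known-normal destinations and a 30-day relevance window; the host names, dates, thresholds and log lines are all constructed for illustration.

```python
"""Contextual, risk-based scoring over a constructed event stream.

Added illustration, not code from the buyer's guide or any vendor product.
Raw alerts are collapsed into per-host behavior profiles, each profile is
mapped onto an assumed four-stage infection lifecycle, activity that matches a
known baseline is discounted, and the remaining evidence inside a time window
is weighted by asset value. The output is a short ranked list of systems.
Hostnames, stage names, weights, dates and log lines are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed lifecycle stages and their evidentiary weight (hypothetical values).
STAGE_WEIGHT = {
    "persistence": 1.0,           # e.g. a new autorun registry key
    "privilege_escalation": 2.0,
    "lateral_movement": 2.0,
    "command_and_control": 3.0,
}

# Raw event type -> lifecycle stage. Generic signature hits carry no stage on
# their own; chasing each of them individually is the threat-based workload.
EVENT_STAGE = {
    "registry_new_run_key": "persistence",
    "privesc_attempt": "privilege_escalation",
    "remote_logon": "lateral_movement",
    "outbound_conn": "command_and_control",
    "ids_alert": None,
}

# Asset register from the risk framework step: value 1 (low) .. 10 (critical).
ASSET_VALUE = {"payroll-app-01": 9, "hr-ws-07": 3, "web-dmz-03": 5}

# Known-normal outbound destinations per host ("payroll talks to ADP").
BASELINE_DST = {"payroll-app-01": {"adp.example"}}

# Constructed event stream: "<iso-timestamp> <host> <event_type> k=v ...".
SAMPLE_LOG = (
    ["2014-09-20T11:00:00 web-dmz-03 privesc_attempt target=root",   # stale, outside the window
     "2014-11-01T08:02:11 hr-ws-07 registry_new_run_key key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"]
    + [f"2014-11-10T10:{m:02d}:00 web-dmz-03 ids_alert sig=portscan src=198.51.100.{m}" for m in range(60)]
    + ["2014-11-12T14:20:00 web-dmz-03 outbound_conn dst=203.0.113.9",
       "2014-11-14T22:41:05 payroll-app-01 remote_logon src=hr-ws-07",
       "2014-11-14T22:43:19 payroll-app-01 privesc_attempt target=SYSTEM"]
    + ["2014-11-15T06:00:00 payroll-app-01 outbound_conn dst=adp.example"] * 20   # baseline traffic
    + ["2014-11-16T03:15:00 payroll-app-01 outbound_conn dst=203.0.113.45"] * 5
)
NOW = datetime(2014, 11, 17)   # constructed "as of" time for the window calculation


def parse_event(line):
    """Parse one log line into a dict with a datetime 'ts' and the k=v fields."""
    ts, host, etype, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "type": etype, **fields}


def stage_of(ev):
    """Map an event to a lifecycle stage; None means baseline traffic or stage-less noise."""
    stage = EVENT_STAGE.get(ev["type"])
    if stage == "command_and_control" and ev.get("dst") in BASELINE_DST.get(ev["host"], set()):
        return None   # expected destination, so it is not evidence
    return stage


def build_profiles(events):
    """Collapse repeated alerts into (host, stage, detail) behavior profiles."""
    profiles = {}
    for ev in events:
        stage = stage_of(ev)
        if stage is None:
            continue
        detail = ev.get("dst") or ev.get("src") or ev.get("key") or ev.get("target") or ""
        p = profiles.setdefault((ev["host"], stage, detail),
                                {"count": 0, "first": ev["ts"], "last": ev["ts"]})
        p["count"] += 1
        p["first"] = min(p["first"], ev["ts"])
        p["last"] = max(p["last"], ev["ts"])
    return profiles


def score_hosts(profiles, now=NOW, window=timedelta(days=30)):
    """Risk per host = asset value x summed stage weights x number of distinct stages.

    Only profiles active inside the window count, so old evidence ages out, and
    several distinct stages on one host (what the lifecycle model predicts for a
    real intrusion) multiplies the score instead of merely adding to it.
    """
    stages_seen = defaultdict(set)
    for (host, stage, _), p in profiles.items():
        if now - p["last"] <= window:
            stages_seen[host].add(stage)
    return {host: ASSET_VALUE.get(host, 1) * sum(STAGE_WEIGHT[s] for s in stages) * len(stages)
            for host, stages in stages_seen.items()}


def analyze(lines, now=NOW, threshold=50.0):
    """Run the pipeline; return counts, per-host scores and the ranked at-risk list."""
    events = [parse_event(line) for line in lines]
    profiles = build_profiles(events)
    scores = score_hosts(profiles, now)
    at_risk = sorted(((h, s) for h, s in scores.items() if s >= threshold), key=lambda x: -x[1])
    return {"events": len(events), "profiles": len(profiles), "scores": scores, "at_risk": at_risk}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{result['events']} raw events -> {result['profiles']} behavior profiles")
    for host, score in sorted(result["scores"].items(), key=lambda x: -x[1]):
        flag = "AT RISK" if score >= 50.0 else "       "
        print(f"{flag} {host:16} {score:6.1f}")
```

Run as written, the 90 raw events collapse to six behavior profiles, and only payroll-app-01 crosses the threshold: three distinct lifecycle stages (lateral movement from the HR workstation, a privilege escalation attempt, then outbound traffic to a non-baseline address) appear within the window on a high-value asset. The 60 port-scan signature hits on web-dmz-03 produce no finding at all, and its privilege escalation attempt from September has aged out of the window, so the host scores low on a single stage. The weights, window and threshold are the tuning surface; set them from the organization's own risk appetite and asset register rather than accepting vendor defaults.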

Top 5 questions to ask your vendors

To work out how to minimize OpEx while instrumenting for incident response and a risk-based security model, ask any current or potential technology vendor the following questions:

1) By how much can you demonstrably reduce response time, i.e. the time between exploit, detection and the associated response?
2) How do you quantify the incremental benefit of adding your security technology to my information security architecture?
3) How does your solution augment or replace any of my current security technology?
4) How does your solution map to a threat-based or a risk-based approach?
5) What are the projected CapEx and OpEx for your technology in Year 1, Year 2 and Year 3?

Risk management framework links:

NIST - http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-53r4.pdf
ISACA - http://www.isaca.org/knowledge-center/risk-it-it-risk-Management/Pages/default.aspx
OCTAVE - http://www.cert.org/resilience/products-services/octave/
ISO - http://www.iso.org/iso/home/standards/management-standards/iso27001.htm

References

[i] Symantec Internet Security Threat Report 2014, 2013 Trends, Volume 19, April 2014.
[ii] http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
[iii] Verizon 2014 Data Breach Investigations Report.
[iv] Agencies Need to Improve Cyber Response Practices, GAO-14-354, April 2014.
[v] Emulex 2014 Visibility Survey, July 15, 2014.