Risk-based Security Buyer's Guide: Addressing Enterprise-class Threats on an SME-class Budget

Executive Summary

Every day we read about new breaches. They are so frequent, and the volume of records breached so astronomical, that people are starting to get desensitized. This is good and bad for information security professionals. On the positive side, there is no longer any issue convincing management that malware, hacking and breaches are serious issues. On the negative side, desensitization can lead IT security budget holders to wonder if continually adding more technology - and the people and resources to run it - is a failed strategy.

Organizations are in a cyber arms race they cannot win: bolting on increasingly sophisticated products to defend against increasingly sophisticated threats. There are diminishing returns with this approach, and this is particularly true for Small- to Medium-sized Enterprise (SME) organizations. SMEs are increasingly facing the same threats as large enterprises, without the resources necessary to defend against these threats. The question every organization, particularly SMEs, must ask is what the right option is and how to get the maximum ROI from it.

To succeed, we must change the rules of the game. This requires fundamental shifts in the way cyber defense is developed, deployed and operated. The shift begins by refocusing from a stopping-intruders-at-the-border strategy to an incident response strategy. It requires combining multiple functions into advanced platforms to reduce CapEx, and reducing OpEx by shifting from a threat-based model to a risk-based model. This is the only way to get out of the cyber arms race and the only way SMEs have a fighting chance of reducing costs to affordable and sustainable levels.

November 2014 page 1
All organizations are under attack

Unlike large enterprises, SMEs typically follow a check-box security approach, driven by compliance with industry, regulatory and legislative mandates. Vendors, too, approach SMEs differently, delivering lower-powered, stripped-down versions of their enterprise-class solutions, essentially offering basic security matching SME budgets and needs. This logic had some validity a few years back, but today it is totally wrong: 61% of targeted attacks in 2013 were against companies with 2,500 or fewer employees. [i]

To underscore this point, the 2013 breach of a major retailer did not start with a direct assault on its IT infrastructure. It started at an HVAC contractor that was working for the retailer. [ii] As described by numerous sources, hackers took advantage of weak security controls at the HVAC contractor combined with the contractor's direct access to the retailer's network.

Technology plays a critical role in detection and incident response

Today, standard operating procedure for security organizations dealing with increasing threats is bolting on increasingly sophisticated technologies: anti-virus, router ACLs, firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), web reputation services, web application firewalls, Security Information and Event Management (SIEM), anti-malware gateways, endpoint virtualization, etc. Table 1 summarizes the current state of these technologies.

Unfortunately, despite the billions of dollars spent buying these technologies (CapEx) and the hundreds of billions of dollars spent implementing and operating them (OpEx), cyber defense is getting worse, not better. In 2013, the average time between infection and breach was days or less. Less than 1/4 of affected organizations discovered these breaches in the same timeframe: most organizations took weeks, months or longer. And the trend lines are going in opposite directions: time-to-breach is decreasing, while time-to-discover is increasing. [iii]

Organizations of all sizes must find ways to reverse these trends without spending the entire IT budget on information security. Though this sounds crazy, in 2013 a United States Department of Commerce sub-agency actually spent more than half its annual IT budget on unnecessarily responding to a breach infection, including destroying $170,000 worth of IT equipment. [iv] According to a recent study, 77% of IT staff incorrectly reported the cause of security incidents to their executives. [v]

Table 1 - Cyber Defense Technologies

Firewall (FW)
  Network location: Internet ingress/egress and network segmentation points (physical and virtual)
  Intended purpose: Block network access by unauthorized users, systems and applications
  Key characteristics: In-line, high-performance stateful filtering and inspection; proxy
  Key concerns: Increasingly porous; onerous rule management; significant overlap between FW, WAF and NextGen FW

Intrusion Detection System (IDS)
  Network location: Network segment level (NIDS) in physical and virtual infrastructure; host resident (HIDS)
  Intended purpose: Detect suspicious network activity that may be malicious
  Key characteristics: Anomaly detection; signature-based detection; heuristics
  Key concerns: High false positive rates lead to defense erosion; detection only

Intrusion Prevention System (IPS)
  Network location: Inline network segment level (NIPS) in physical and virtual infrastructure; host resident (HIPS)
  Intended purpose: Detect and block malicious activity
  Key characteristics: Signature-, anomaly- and heuristic-based detection; protocol aware and can offer virtual patching
  Key concerns: Expensive to implement at speed; similar false positive issues as IDS; must sustain high availability and throughput; significant overlap between IDS and IPS

Web Reputation Services
  Network location: At Internet ingress/egress and/or cloud
  Intended purpose: Detect and block malicious web traffic
  Key characteristics: Signature, black lists and anomaly detection
  Key concerns: Often overlap with FW services

Security Information and Event Management (SIEM)
  Network location: Centralized location (SOC or NOC)
  Intended purpose: Collect and correlate events and alerts from security, application and network functions
  Key characteristics: Data analytics to isolate security events; more often used for audit and compliance purposes only, due to the difficulty of root-cause analysis
  Key concerns: Can be expensive (proprietary) or open source; requires significant human capital investment to build and tune custom rules on an ongoing basis

Antivirus (AV)
  Network location: Endpoint, host and network deployments; supports virtual and physical infrastructure
  Intended purpose: Detect malware on endpoints and hosts
  Key characteristics: Signature-, anomaly- and heuristic-based detection and analysis
  Key concerns: Can be resource intensive and expensive to implement and manage correctly; increasingly ineffective in malware detection

Anti-Malware Gateway (AMG)
  Network location: Typically network-based virtual execution sandboxes; sometimes integrated with FW, AV and IPS
  Intended purpose: Provides a safe environment to watch malicious code as it executes
  Key characteristics: Anomaly-, signature- and heuristics-based analysis; can detect complex malware
  Key concerns: Determining a file's malware likelihood requires evaluation of the entire file; susceptible to underlying kernel exploits and code obfuscation

Back to basics: incidents and incident response

Industry research is clear that networks are, or will be, compromised; it is only a matter of time. The days of stopping the intruders at the gate are over. A successful cyber defense must identify incidents and respond in time to prevent a breach or unsustainable damage. The first step to accomplishing this is proper instrumentation, historically requiring three core technologies from Table 1: Firewall, Intrusion Detection System (IDS) and Security Information and Event Management (SIEM). For this discussion, we assume all organizations have already deployed a firewall.
The challenge for organizations of all sizes - and SMEs in particular - is that the cost to procure, operate and leverage these technologies may easily exceed information security budgets. As an example, IDS and SIEM CapEx ranges from free to $100,000+. The loaded costs of operating these products and successfully interpreting and leveraging their outputs can easily range from $100,000 to $1,000,000 per year! Clearly, OpEx is the greater challenge. Maximizing CapEx while minimizing OpEx requires two key steps:

1) Separating form from function
2) Shifting from threat-based security to risk-based security

Separating form from function

As discussed above, implementing an incident response system requires IDS and SIEM functionality. Each one delivers a specific function: IDS detects possible intrusions and SIEM correlates security events. The differences between one vendor's products and another vendor's products include ease of implementation, performance, accuracy and, of course, cost. To reduce product cost, vendors are starting to combine IDS and SIEM functionality. The good news is this reduces CapEx. The bad news is it does nothing to reduce OpEx. This is because current IDS and SIEM products (separate or combined) are built on a threat-based security model. As discussed below, this model is outdated, increasingly ineffective and OpEx intensive. Achieving affordable and sustainable IDS and SIEM costs (CapEx and OpEx) requires combining both functions into one product and shifting to a risk-based security model.
Threat-based security

The fundamental goal of threat-based security is finding the proverbial needle in the haystack in time to protect the organization from a likely attack. Unfortunately, the haystack is usually a daily onslaught of millions of events and alerts! As a real-world example, a Fortune 500 insurance company's Intrusion Detection System (IDS) alone generates over 830 million alerts a month. A threat-based approach consolidates and correlates all of these alerts to identify the threats (malware, exploits, etc.) and take action to mitigate and remediate the threat. This is an OpEx-intensive process, and is often conducted offline rather than in real time.

Threat-based security by definition looks for threats by relying heavily on alerts triggered by signature- and anomaly-based detection, though sandbox approaches are also gaining momentum. The advantage of this approach is that threats are eventually discovered, though often it is long after the exploit has run its course and the damage is done. The downside is that this approach feeds the arms race:

- Threat-based systems generate a high percentage of false positives, wasting significant staff time tracking down nonexistent threats
- This drives the need for ever-faster and more sophisticated technologies (shown in Table 1) with the hope of keeping up with the increasing volume of alerts and sophistication of attacks while lowering the incidence of false positives

[Figure 1 - Threat-based approach]
Taking a risk-based approach

In contrast, a risk-based approach builds contextual relevance over time to identify the systems having the greatest evidence of compromise. It doesn't start with technology, but rather with a risk management framework such as those developed by NIST, ISACA, OCTAVE and ISO. Discussing these frameworks is beyond the scope of this paper, but they typically describe the mechanics of evaluating and assigning risk to the organization's IT assets. Reference links can be found at the end of the paper.

[Figure 2 - A New Approach]

Once the organization defines its risks, it must consider potential exploits in the context of these risks. But more than context alone, organizations must also evaluate behavioral relevance over time. For example, on the 15th and 30th of the month, a payroll application connecting to ADP is a normal event. Or is it? What if an attempted escalation of privileges occurred on the payroll application server on the 14th? And maybe on the 1st of the month there were new registry entries on a user's computer in the HR department? This is the point where we bring in technology. A tremendous amount of intelligence and processing is needed to visualize, in real time, the potential targets against the IT asset's value (from a risk perspective).

[Figure 3 - Contextual Risk-based Analysis]

If it walks like a duck and talks like a duck...

There is a fundamental difference between a threat-based approach and a risk-based approach: rather than looking for specific threats, a risk-based approach looks for behaviors that may lead to threats, even without knowing what the threat is. Though this sounds counter-intuitive, it is possible to minimize risk without knowing the exact threat underway. For example, malware almost always follows a set of behaviors. By closely tracking these key steps (see our advanced infection lifecycle model) mapped against the relative system risk over time, it is possible to discern a potential attack without ever seeing the actual attack itself. Essentially, it is possible to categorize suspicious behavior into a profile independent of a confirmed exploit or malware sample. Rather than spending days sifting through individual alerts and events, a risk-based approach allows IT personnel to focus on what's most important: the assets they protect.

Going back to the Fortune 500 insurance company example, the company was using an integrated appliance with IDS and SIEM functions built upon a risk-based security model. The 830 million alerts were automatically distilled down to 67,000 behavior profiles. Each profile was automatically monitored and mapped against the risk determination of each system. The end result was that 16 systems (out of 37,000 in total) were identified as potentially at risk. Perhaps most importantly, there were zero false positives, and staff did not waste time on forensic evidence collection and investigation. The company did not need to identify specific malware binaries to identify high-risk behaviors or to generate the evidence needed for early intervention. In the process, the company significantly reduced its OpEx associated with incident response.

Changing the rules of the game

To increase effectiveness, reduce OpEx and reverse the breach detection and response trends, companies must move quickly from a cyber-alert- and threat-based security model to an evidence- and risk-based model. Though a risk-based approach still processes the same number of events, it provides contextual, real-time risk and exploit visualization: visualizing risk over the entire duration; analyzing events and alerts in the context of the malware advanced infection life cycle; and prioritizing risk according to an organization's risk appetite based on both historical and current network state.

[Figure 4 - Real Time Risk Dashboard]

A new approach for SMEs

As discussed above, SMEs are already under attack and often do not have the resources (staff and technology) to launch a successful threat-based cyber defense. A risk-based cyber defense provides the following benefits:

1. Breaks the habitual act of throwing new technology at the problem. SMEs have the opportunity to significantly improve cyber defense without dedicating half of their IT budget to information security
2. Presents defense in the behavioral context of risk. It gives IT security professionals the tools to prioritize their defense and response to exploits in relation to real-time risk
3. Separates form from function and takes the argument of anomaly-based detection versus signature versus sandboxing off the table, because it is not necessary to know the exact exploit to protect the corporate assets
4. Presents a means to visualize corporate assets' risk and prioritize incident response

Shifting to a risk-based cyber defense strategy is the only way SMEs will successfully address enterprise-class threats on an SME-class budget. This paper began with the assertion that SMEs are in a no-win situation, facing ever-increasing attack sophistication along with the associated increasing cost of defense (primarily OpEx). Technology plays a key role in cyber defense, though a risk-based approach with the right exploit and asset visualization limits the necessary OpEx associated with these technologies.
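The contrast drawn above between ranking by alert volume and ranking by behavior profile weighted against asset risk, as an added illustration that is not the paper's product or code: a constructed alert stream (the payroll server with privilege escalation on the 14th and an unexpected outbound connection on the 15th, an HR workstation with new registry entries on the 1st, and a noisy low-value kiosk) is ranked both ways. Host names, the lifecycle stage weights and the asset risk values are assumptions.

```python
from collections import defaultdict

# Constructed asset register: risk value (1-10) assigned by the organization's
# risk framework; the framework itself is out of scope here, as in the paper.
ASSET_RISK = {"payroll-srv": 9, "hr-ws-07": 6, "kiosk-03": 1}
# Assumed infection-lifecycle stages, weighted so later stages count more.
STAGES = {"recon": 1, "persistence": 2, "priv_escalation": 3, "c2_beacon": 4}
# Known-good behavior for a given host (the payroll run on the 15th/30th).
BASELINE = {("payroll-srv", "scheduled_transfer")}
# Constructed alert stream: (timestamp, host, behavior, detail).
ALERTS = [
    ("2014-11-01T09:12", "hr-ws-07", "persistence", "new registry Run key"),
    ("2014-11-14T22:40", "payroll-srv", "priv_escalation", "admin rights granted"),
    ("2014-11-15T02:10", "payroll-srv", "c2_beacon", "outbound to unknown host"),
    ("2014-11-15T08:00", "payroll-srv", "scheduled_transfer", "connection to ADP"),
] + [("2014-11-%02dT12:00" % d, "kiosk-03", "recon", "IDS port-scan signature")
     for d in range(1, 16)]  # a noisy low-value host: 15 repeated IDS hits

def behaviour_profiles(alerts):
    """Collapse raw alerts into one profile per host: the distinct lifecycle
    stages in the order first seen, with baseline (expected) activity removed."""
    profiles = defaultdict(list)
    for _, host, behaviour, _ in sorted(alerts):
        if (host, behaviour) in BASELINE or behaviour not in STAGES:
            continue  # expected activity or unmapped noise adds no evidence
        if behaviour not in profiles[host]:
            profiles[host].append(behaviour)
    return dict(profiles)

def risk_score(host, stages):
    """Asset risk value x lifecycle evidence x progression: a host that has
    moved through several stages scores super-linearly, a single stage does not."""
    evidence = sum(STAGES[s] for s in stages)
    return ASSET_RISK.get(host, 1) * evidence * len(stages)

def rank_threat_based(alerts):
    """Threat-based view: whichever host generates the most alerts tops the queue."""
    counts = defaultdict(int)
    for _, host, _, _ in alerts:
        counts[host] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])

def rank_risk_based(alerts):
    """Risk-based view: behavior profiles weighted by what the asset is worth."""
    scored = {h: risk_score(h, s) for h, s in behaviour_profiles(alerts).items()}
    return sorted(scored.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    print("threat-based:", rank_threat_based(ALERTS))  # kiosk-03 first (15 alerts)
    print("risk-based:  ", rank_risk_based(ALERTS))    # payroll-srv first (126)
```

The kiosk tops the threat-based queue on volume alone, while the risk-based ranking surfaces the payroll server, whose two-stage progression on a high-value asset is the evidence an analyst would want first.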
Top 5 Questions to ask your vendors

To figure out how to minimize OpEx while instrumenting for incident response and a risk-based security model, ask any current and potential technology vendor the following questions:

1) By how much can you demonstrably reduce the response time, i.e. the time between exploit, detection and the associated response?
2) How do you quantify the incremental benefit of adding your security technology to my information security architecture?
3) How does your solution augment or replace any of my current security technology?
4) How does your solution map into a threat-based or risk-based approach?
5) What are the projected CapEx and OpEx for your technology? In Year 1, Year 2, Year 3?

Risk management framework links:

NIST - http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-53r4.pdf
ISACA - http://www.isaca.org/knowledge-center/risk-it-it-risk-management/Pages/default.aspx
OCTAVE - http://www.cert.org/resilience/products-services/octave/
ISO - http://www.iso.org/iso/home/standards/management-standards/iso27001.htm

References

[i] Symantec Internet Security Threat Report 2014. 2013 Trends, Volume 19. April 2014.
[ii] http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
[iii] Verizon 2014 Data Breach Investigations Report
[iv] Agencies Need to Improve Cyber Response Practices, GAO-14-354, April 2014
[v] Emulex 2014 Visibility Survey. July 15, 2014