Realize That Big Security Data Is Not Big Security Nor Big Intelligence



G00245789

Published: 19 April 2013
Analyst(s): Joseph Feiman

Security intelligence's ultimate objective, enterprise protection, is mainly fulfilled by security policy enforcement and scanner technologies, not by big security data repositories. Security leaders should prioritize their security strategies and investments based on that fact.

Key Challenges

- Security repositories, even when filled with "big" amounts of security data, possess an inherent, fundamental weakness: they cannot protect enterprise assets.
- Enterprises often mistakenly equate "big" amounts of security data (such as SIEM) with security intelligence.
- Enterprises often mistakenly believe that only big security data repositories are intelligent, while policy enforcers and scanners are not.

Recommendations

- Prioritize investments in policy enforcers and scanners, because they often yield better returns than big security repositories.
- Invest in having policy enforcement and scanning technologies interact and share their platform-specific intelligence directly.
- Architect big security data repositories to support the security intelligence protection and detection capabilities fulfilled by policy enforcers and scanners.

Strategic Planning Assumption

Through 2016, 80% of organizations will fail to make big security data useful.

Introduction

There are two fundamental flaws in the common assumptions about security intelligence (SI):

1. SI is analogous to business intelligence (BI).
2. A "big" collection of security data, for example security information and event management (SIEM), is SI or a mandatory component of SI, and is the key to enterprise security.

In this research, we will challenge both assumptions.

There is an unfortunate tendency to draw a direct analogy between BI and SI. Yet there is a fundamental difference between them: BI enables business analytics and advice, while SI must above all enable enterprise asset protection: blocking attacks, filtering malicious input, raising real-time alerts and detecting vulnerabilities with high precision.

Policy enforcement is the class of technologies that fulfills the main security objective, protection. These technologies include network firewalls, intrusion prevention systems (IPSs), Web application firewalls (WAFs), database audit and protection (DAP), data loss prevention (DLP) and authorization management systems. Another class of security technologies plays a critical role: security scanners, such as application, network and database vulnerability scanners. These technologies conduct security analysis, offer remediation advice and can provide input directly to policy enforcement technologies (such as a WAF or IPS) in order to increase the efficiency of the latter.

Repositories stocked with security data, such as SIEM, are unable to achieve the ultimate security objective, which is protection of assets. Therefore, they are not SI. They can be part of an SI architecture, but they are not the incarnation of SI. Postfactum analytics (typically fulfilled by SIEM and other big security data repositories) is an important component of SI, but its role is to support SI protection and detection capabilities by making them more accurate, cross-siloed and multilayered. It helps to create a unified view of security events across the enterprise, which enables rapid detection of targeted attacks that bypass protection technologies.

We argue that the key to security resides in the interaction of numerous detection and protection technologies: network and application firewalls; intrusion prevention systems; authentication managers; database monitors; and application, data and network security scanners of all kinds. They are intelligent technologies capable of detection, analysis and, unlike repositories, protection against attacks (such as termination or blocking of malicious sessions), rather than just notification after the fact, which is the essence of repositories. When practical, they should feed their input into big security data repositories and get back the results of the analysis conducted on this big security data.

Policy enforcers, monitors and scanners on the one hand, and big security data repositories on the other, are all intelligent, but their intelligence is achieved and expressed differently. Both types of intelligence have advantages and weaknesses, and should be utilized differently. Policy enforcers and scanners have built-in intelligence, enabling them to act fast, detect vulnerabilities, raise alerts and deter attacks in real time. Big security data repositories have to learn their intelligence: they collect and normalize data, correlate it with contextual data, and then conduct contextual analysis. This enables them to conduct cross-siloed analysis, but does not allow for real-time detection and protection.

Page 2 of 7 Gartner, Inc. G00245789
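The cross-siloed analysis that the note says repositories must "learn" (collect, normalize, correlate with context), as an added example that is not part of the original research note and not any vendor's code: a small SIEM-style correlation in Python over constructed WAF, DAST and database activity monitoring (DAM) records. The log layouts, field names, the shop.example.test host, the application-to-database-account mapping, the 30-second window and the severity scheme are all assumptions made for the illustration. It also shows the feedback path the note describes, turning the postfactum result into a list of endpoints the WAF should move from alert to block.

```python
"""SIEM-style cross-silo correlation over constructed WAF, DAST and DAM data.

Added example; not code from the research note or from any vendor. The log
layouts, field names and hosts below are assumptions for the illustration."""
import re
from datetime import datetime, timedelta

# Constructed WAF log (assumed "TIMESTAMP key=value ..." layout).
# action=alert means the WAF only reported the request; action=block means
# it was stopped, so nothing bypassed the enforcer.
WAF_LOG = """\
2013-04-19T10:01:05Z src=203.0.113.7 host=shop.example.test uri=/account/orders param=id attack=sqli action=alert
2013-04-19T10:01:09Z src=203.0.113.7 host=shop.example.test uri=/account/orders param=id attack=sqli action=alert
2013-04-19T10:02:30Z src=198.51.100.4 host=shop.example.test uri=/search param=q attack=xss action=block
2013-04-19T11:15:00Z src=203.0.113.9 host=shop.example.test uri=/help param=topic attack=sqli action=alert
"""

# Constructed DAST findings (assumed "host,uri,param,vuln" CSV layout).
DAST_FINDINGS = """\
shop.example.test,/account/orders,id,sqli
shop.example.test,/search,q,xss
"""

# Constructed database activity monitor (DAM) log, same key=value layout.
DAM_LOG = """\
2013-04-19T10:01:06Z user=shop_app db=orders event=syntax_error stmt="SELECT * FROM orders WHERE id=1 OR 1=1--"
2013-04-19T10:01:10Z user=shop_app db=orders event=bulk_read rows=48213
2013-04-19T11:15:01Z user=shop_app db=orders event=login client=app01
"""

# Context data the repository correlates with: which database account each
# web application uses (assumed mapping).
APP_DB_ACCOUNTS = {"shop.example.test": "shop_app"}

DB_SIGNALS = {"syntax_error", "bulk_read"}  # DAM events suggesting an injection got through
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv_line(line):
    """Normalize 'TIMESTAMP key=value key="quoted value"' into a dict with a datetime."""
    ts_str, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_kv_log(text):
    return [parse_kv_line(l) for l in text.splitlines() if l.strip()]


def parse_dast(text):
    """Scanner findings as a set of (host, uri, param, vuln) tuples."""
    return {tuple(l.split(",")) for l in text.splitlines() if l.strip()}


def correlate(waf_events, dast_findings, dam_events, window=timedelta(seconds=30)):
    """Join WAF alerts (not blocks) with scanner findings and DAM events.

    A WAF alert is corroborated when the scanner already reported the same
    vulnerability class on the same host/uri/param; a DB signal is a suspicious
    DAM event from that application's database account inside the window after
    the request. Returns incidents, highest severity first."""
    incidents = {}
    for ev in waf_events:
        if ev.get("action") == "block":
            continue  # the enforcer handled it; nothing to hunt for
        key = (ev["src"], ev["host"], ev["uri"], ev["param"])
        corroborated = (ev["host"], ev["uri"], ev["param"], ev["attack"]) in dast_findings
        db_account = APP_DB_ACCOUNTS.get(ev["host"])
        db_signal = any(
            d["user"] == db_account and d["event"] in DB_SIGNALS
            and ev["ts"] <= d["ts"] <= ev["ts"] + window
            for d in dam_events)
        severity = ("critical" if corroborated and db_signal else
                    "high" if corroborated else
                    "medium" if db_signal else "low")
        inc = incidents.setdefault(key, {
            "src": ev["src"], "host": ev["host"], "uri": ev["uri"],
            "param": ev["param"], "attack": ev["attack"], "count": 0, "severity": "low"})
        inc["count"] += 1
        if RANK[severity] > RANK[inc["severity"]]:
            inc["severity"] = severity
    return sorted(incidents.values(), key=lambda i: -RANK[i["severity"]])


def enforcement_feedback(incidents, min_severity="high"):
    """What the repository hands back to the enforcer: endpoints whose alerts were
    corroborated, so the WAF can be moved from alert to block for them."""
    return sorted({(i["host"], i["uri"], i["param"])
                   for i in incidents if RANK[i["severity"]] >= RANK[min_severity]})


def run():
    incidents = correlate(parse_kv_log(WAF_LOG), parse_dast(DAST_FINDINGS), parse_kv_log(DAM_LOG))
    return incidents, enforcement_feedback(incidents)


if __name__ == "__main__":
    incidents, feedback = run()
    for inc in incidents:
        print(inc["severity"], inc["src"], inc["uri"], inc["param"], "x", inc["count"])
    print("switch to block:", feedback)
```

Two of the four WAF lines are alerts on an endpoint the scanner had already flagged, and the database monitor saw a syntax error and a bulk read from the application's account seconds later, so the repository rates them critical and tells the WAF to block that parameter; the alert on /help has neither corroboration nor a database signal and stays low. None of this happened in real time, which is the note's point: the repository adds accuracy and breadth, the enforcer does the protecting.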

Analysis

Understand the Intelligence of Policy Enforcers, Monitors and Scanners

Policy enforcers, monitors and scanners do not need to transform security and context data into information, and information into knowledge, at runtime: those transformations have already been done, because scanners and policy enforcers have direct access to a built-in knowledge repository and can therefore conduct their detection and protection intelligently while they run. For example, an application security testing technology such as static application security testing (SAST) uses knowledge of hundreds of secure programming best practices to check the tested application's code for compliance with these practices, which results in the intelligent detection of potential vulnerabilities in the code. Technologies such as dynamic application security testing (DAST) use knowledge of hundreds of attack scenarios to verify whether or not these attacks can harm an application. Technologies such as a WAF use their knowledge of attack patterns to see whether these patterns are present in the data stream approaching an application, and can therefore react intelligently to a detected attack (for example, raise an alarm or block the session).

Direct access to the knowledge repository enables detection actions, followed by reporting and recommendations on how to remediate and protect after the fact of detection. It also enables mostly automated real-time protection actions and real-time responses to threats (for example, dynamic masking of sensitive data, or blocking SQL injection sessions).

One challenge that policy enforcers, monitors and scanners face is that their knowledge repositories are usually siloed (for example, they contain knowledge of only data security, application security or network security), so they have an incomplete view of the attack and defense surface. Another challenge is that enforcers, scanners and monitors often produce only reports of their discoveries and actions, instead of, or in addition to, storing their results in a repository for postfactum analysis that might serve the enterprise's risk management and its resource and budget planning. We recommend having these results stored and shared among the various enforcers, monitors and scanners; in other words, cross-siloing them, as SIEM does.

Utilize the Intelligence of Big Security Data Repositories When Appropriate

Big security data repositories such as SIEM, as intelligence enablers, offer the advantage of integrating and correlating data across multiple security silos. They can also collect context and enable correlation of security data with that context. Analyzed security and contextual information becomes knowledge, engendering intelligent (that is, optimal) risk and business decisions, strategic planning, and resource, budget and skill management. It also enables analytics that can be fed into scanners, monitors and policy enforcers to add to the intelligence of the latter. It helps with early breach detection, as well as early detection of targeted attacks and of employee misuse of privileges that bypass policy enforcers.

SIEM also has challenges. Intelligent actions are based on analysis, often conducted manually by security personnel, that does not take place at the moment the event (such as an attack) occurs. Some analyses are automated and fast enough for SIEM use cases, but not for real-time protection. SIEM has been expanding its capabilities toward quasi-real-time actions, such

as alerts and session blocking. It is beginning to profile applications and other assets and events for anomaly detection, which can be used to call an API to block a transaction in real time.

Architect Policy Enforcers, Monitors and Scanners to Interact and Share Their "Not Big" Security Data

Most organizations have already invested (and will keep investing) in firewalls, IPSs, WAFs, DLP and DAP, as well as in network, database and application security scanners. We have demonstrated in this research that policy enforcers, monitors and scanners are intelligent technologies. Many (if not most) scanners, monitors and policy enforcers have their own scaled-down repositories that enable platform-specific analytics. These repositories contain such security data as application security vulnerabilities detected by application scanners, or suspicious IP addresses detected by network firewalls. This data can be, and often is, analyzed in search of better remediation, detection or protection patterns and practices.

There is an evolving trend of having scanners, monitors and policy enforcers interact with one another and share their accumulated knowledge. One of the fundamental principles of SI is to make different technologies work together (see "Prepare for the Emergence of Enterprise Security Intelligence"). The essence of this principle is straightforward: when several technologies collaborate, they achieve two critical advantages: (1) the accuracy of detection and the effectiveness of protection rise, because discoveries made by one technology can be confirmed or disproved by another, different technology; and (2) the breadth of coverage expands, because several technologies working together typically cover a broader spectrum of phases and processes than each technology can in isolation.

For example, a DAST scanner can share its knowledge with a WAF, making the WAF more accurate in attack prevention.[1] In turn, a WAF monitor can share its knowledge with DAST, making DAST more accurate in its vulnerability detection (see "Application Security Detection and Protection Must Interact and Share Knowledge"). Today, many policy enforcers are used in monitoring mode because of a fear of their inaccuracy, but their interaction and knowledge sharing with other technologies, such as DAST, make organizations more willing to turn a WAF from monitoring to enforcing mode because of the increased accuracy. A static data masking (SDM) technology can share its knowledge of discovered (scanned) sensitive data with a dynamic data masking (DDM) monitor, thus making the latter more intelligent (for example, more accurate) for real-time data protection (see "Securing Production Data With Dynamic Data Masking"). SAST and DAST scanners share their knowledge to improve the overall accuracy of vulnerability detection. An interactive application security testing (IAST) technology enhances the accuracy of vulnerability detection by making the static and dynamic components of its technology interact in real time (see "Evolution of Application Security Testing: From Silos to Correlation and Interaction").

This interaction of scanners and monitors does not require big security data repositories like SIEM. Their interaction among themselves is cost-effective and technologically effective, and yields strong detection, prevention and protection capabilities. We believe that the next wave of market consolidation will be fulfilled by policy enforcer or monitor vendors acquiring scanner vendors (and

vice versa) to enable a higher degree of security intelligence through the interaction of those technologies.

However, big security data repositories offer important analytical capabilities. Their immediate value is apparent when an exploit has taken place and preventive controls have proven ineffective. Repositories can help to identify the combination of events that could lead to an exploit, and help to enable early detection of breaches. Such analysis can advance the accuracy of detection and prevention systems, and the postfactum analytics of big repositories can feed security policy enforcers and scanners with additional knowledge, enabling them to act with higher accuracy. This is what distinguishes enforcers and scanners from repositories: security policy enforcers and scanners enable attack protection and prevention, while security data repositories increase the potential to enhance the accuracy and breadth of enforcers and scanners.

Recommendations

Security leaders seeking to increase their enterprises' SI should:

- Invest in having the already owned policy enforcement, monitor and scanning technologies interact with one another.
- Evolve the "not big" platform-specific data repositories collected by monitors, policy enforcers and scanners, and make them share knowledge with one another.
- When possible or necessary, invest in the acquisition and operation of SIEM or other big security data repositories.

Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

"Prepare for the Emergence of Enterprise Security Intelligence"
"Application Security Detection and Protection Must Interact and Share Knowledge"
"Evolution of Application Security Testing: From Silos to Correlation and Interaction"
"Enterprise Content-Aware DLP Architecture and Operational Practices"
"Best Practices for Managing Identity Data and Log Models to Optimize Identity Data Quality"

Evidence

[1] Sample vendors enabling DAST-to-WAF knowledge sharing:

DAST vendor WhiteHat Security offers native integration with F5 and Imperva WAFs, as well as Sourcefire's Snort IPS engine. Other vendors' WAFs or IPSs can be supported via an XML API.

DAST vendor Cenzic offers a feature that exposes generic XML-based vulnerability protection information produced by its DAST analysis for Barracuda Networks, Citrix, F5, Imperva and Trustwave WAFs.

DAST vendor NT OBJECTives introduced technology that generates rules for WAFs and IPSs, with out-of-the-box support for ModSecurity, Sourcefire Snort, Nitro Snort, Imperva and DenyAll.
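The DAST-to-WAF rule generation that the Evidence entries describe, together with the monitoring-versus-enforcing choice discussed in the Analysis section, as an added example that is neither the note's nor any listed vendor's code: a Python generator that turns constructed DAST findings into ModSecurity virtual-patch rules. The finding layout, the 900000 rule-id base, the path-only @streq match and the monitor/enforce switch are assumptions. Where the scanner knows a parameter's legal format the generator emits a positive (allow-list) check rather than a signature, since that is the more accurate patch; where it does not, it falls back to libinjection's @detectSQLi and @detectXSS operators, which require ModSecurity 2.8 or later. Finding fields are validated before being interpolated, because scanner output trusted verbatim becomes a way to inject configuration into the WAF.

```python
"""Turn DAST findings into ModSecurity virtual-patch rules.

Added example of DAST-to-WAF knowledge sharing; not code from the research
note or from any of the vendors it names. The finding layout, rule numbering
and the monitor/enforce switch are assumptions for the illustration."""
import re

# Only interpolate finding fields that look like a path and a parameter name:
# scanner output is data, and a crafted finding must not be able to inject
# extra rule text into the WAF configuration.
SAFE_URI = re.compile(r"^/[A-Za-z0-9_./-]*$")
SAFE_PARAM = re.compile(r"^[A-Za-z0-9_.\[\]-]+$")

# Negative check per vulnerability class, used only when the scanner could not
# establish the parameter's legal format. @detectSQLi and @detectXSS are the
# libinjection operators shipped with ModSecurity 2.8 and later.
OPERATORS = {
    "sqli": "@detectSQLi",
    "xss": "@detectXSS",
    "traversal": r"@rx \.\./",
}

# Constructed DAST findings (assumed layout). "expected" is the value format
# the scanner observed for the parameter, or None if it has none.
FINDINGS = [
    {"id": "F-1", "uri": "/account/orders", "param": "id", "vuln": "sqli", "expected": "^[0-9]{1,10}$"},
    {"id": "F-2", "uri": "/search", "param": "q", "vuln": "xss", "expected": None},
    {"id": "F-3", "uri": "/download", "param": "file", "vuln": "traversal", "expected": None},
]


def is_safe_finding(finding):
    """True when the finding's uri and param can be placed in a rule verbatim."""
    return bool(SAFE_URI.match(finding["uri"]) and SAFE_PARAM.match(finding["param"])
                and finding["vuln"] in OPERATORS)


def virtual_patch(finding, rule_id, mode="monitor"):
    """One chained ModSecurity rule for a finding.

    mode="monitor" logs matches but lets them through (the WAF stays in
    detection); mode="enforce" returns 403 once the rule has proven accurate."""
    if not is_safe_finding(finding):
        raise ValueError(f"refusing to build a rule from finding {finding['id']!r}")
    uri, param, vuln = finding["uri"], finding["param"], finding["vuln"]
    disruptive = "deny,status:403" if mode == "enforce" else "pass"
    msg = f"Virtual patch for DAST finding {finding['id']}: {vuln} on {param}"
    head = (f'SecRule REQUEST_FILENAME "@streq {uri}" '
            f'"id:{rule_id},phase:2,{disruptive},log,msg:\'{msg}\',tag:\'virtual-patch\',chain"')
    # Decode once and test the raw value; t:normalizePath would fold "../" out
    # of a traversal payload before the check could see it.
    if finding.get("expected"):
        # Positive check: the scanner knows the legal format, so anything else fails.
        check = f'SecRule ARGS:{param} "!@rx {finding["expected"]}" "t:none,t:urlDecodeUni"'
    else:
        check = f'SecRule ARGS:{param} "{OPERATORS[vuln]}" "t:none,t:urlDecodeUni"'
    return head + "\n    " + check


def generate_ruleset(findings, base_id=900000, mode="monitor"):
    """Rules for all safe findings with unique ids, plus the ids of findings
    that were refused and need a human look."""
    rules, skipped = [], []
    for offset, finding in enumerate(findings, start=1):
        if is_safe_finding(finding):
            rules.append(virtual_patch(finding, base_id + offset, mode))
        else:
            skipped.append(finding["id"])
    return "\n\n".join(rules), skipped


if __name__ == "__main__":
    ruleset, skipped = generate_ruleset(FINDINGS, mode="enforce")
    print(ruleset)
    print("# refused findings:", skipped)
```

Start with mode="monitor", compare what the rule logs against the scanner's finding, then regenerate with mode="enforce": that is the monitoring-to-enforcing transition the note argues the extra accuracy makes organizations comfortable with. A refused finding is reported rather than silently patched, so a scanner that emits an odd parameter name does not quietly leave a hole.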

GARTNER HEADQUARTERS

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
USA
+1 203 964 0096

Regional Headquarters
AUSTRALIA
BRAZIL
JAPAN
UNITED KINGDOM

For a complete list of worldwide locations, visit http://www.gartner.com/technology/about.jsp

© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity.