IDC ANALYST CONNECTION
Robert Westervelt
Research Manager, Security Products

The Role and Value of Continuous Security Monitoring

August 2015

Continuous security monitoring (CSM) provides a window into an organization's risk posture and allows that risk position to be monitored and improved. Organizations are looking for ways of optimizing their security infrastructure to cost-effectively deal with real threats. Continuous security monitoring tools and processes provide the knowledge and intelligence that enable IT professionals to coordinate cyberdefense. CSM products can be considered the "brains" of an organization's security efforts.

The following questions were posed by Tenable to Robert Westervelt, research manager for IDC's Security Products group, on behalf of Tenable's customers.

Q. Enterprises spend a considerable amount of money on security products, but serious breaches continue to plague those same organizations. Is there something else people can do to improve their security investments?

A. The latest spate of high-profile breaches has prompted organizations to reassess their approach to securing their critical assets. One of the best ways to do that is by bolstering visibility through continuous security monitoring. The best approach is to use tools that pull in contextual data over network, user, and application activity within both the corporate confines and the extended network. Continuous security monitoring provides the context required to gain situational awareness and, in turn, accelerates response when security incidents are identified, which is sorely needed if enterprises are ever going to break this persistent litany of breaches. Having continuous security monitoring tools also bolsters the security program by supporting risk-based decisions over the shotgun approaches to security decisions we see so often when critical incidents occur.

That kind of security decision making when organizations are already in crisis is costly and doesn't necessarily result in protecting the most critical assets. Building in threat information with the contextual data collected about changes to the network, user habits, and application use provides the salient information required to make sound impact assessments. This kind of decision making helps security teams focus on mitigating risks to the data that keeps the blood flowing in the organization.

Q. Could you explain what is meant by "continuous security monitoring"?

A. Continuous monitoring is the ability to gain situational awareness of all devices and applications on the network; proactively identify, prioritize, and remediate vulnerabilities and configuration weaknesses; and gain a clear understanding that all the deployed security controls supporting the security program are performing effectively. Continuous security monitoring enables organizations to ensure adequate protection of sensitive corporate and customer data. It involves correlating data from endpoint and network devices, security appliances, and software to identify internal threats and signs of attackers already present on the network. The result of an ongoing monitoring program is gaining a clear understanding at all times of the organization's true security posture.

A program uses a mixture of automation and manual processes to achieve this complete situational awareness. Organizations typically pull in log data from the network, endpoints, and applications, analyzing and correlating events to identify potential problems that require further investigation. Forward-leaning organizations interviewed by IDC also use a mixture of passive and active vulnerability scanning to identify vulnerabilities and configuration errors in systems and applications and also identify evidence of malware and botnet activity. Those scans probe systems regularly and examine network traffic for anomalous activity that could signal a serious threat or a growing performance issue before it disrupts business operations, as well as for evidence of cloud services use, the presence of virtual systems, and mobile devices attempting to connect to corporate resources. It also involves regularly assessing system status across the corporate environment and its extended environments to verify the resiliency of the infrastructure as part of a proactive risk mitigation program. The data gleaned from vulnerability scanning and log management can be combined with information pulled from support systems that manage help desk requests, asset and configuration management, and incident response activities to gain additional insight.

Some organizations are also adding external threat intelligence feeds, both static and customized, to rapidly deploy protective measures when new attacks are detected and investigate whether system activity shows any known indicators of compromise associated with those attacks. Organizations that have been successful at this also gain buy-in from senior leadership and pull in lines-of-business leaders with the most knowledge of the company's core assets and business mission. They combine their knowledge with that of IT operations and security practitioners who understand the infrastructure and security controls in place to enforce data governance policies. Having these individuals involved can help everyone gain a clear understanding of the organization's risk tolerance.

Q. It's generally difficult to quantify the value of security. Given that, what are the benefits an organization should expect from continuous security monitoring?

A. Organizations that maintain continuous network monitoring programs improve their agility, creating a proactive security program rather than one that is consistently reacting to security incidents. Continuous monitoring enables the IT team to identify newly introduced security weaknesses before they are targeted by an attacker. The increased visibility also enables chief information security officers (CISOs) to allocate resources based on the relative impact an identified weakness has on valuable assets. If an organization is conducting passive vulnerability scanning and network traffic analysis, the data gleaned can be correlated with log data from workstations, servers, and network security gear to identify malware and other threats. This approach has also been proven to identify advanced threats, including new zero-day malware often used in targeted attacks. The data collected pulls together suspicious log-in activity, changes in network traffic that indicate botnet communication, or running processes that could be evidence of the presence of malware or criminal lateral movement within the organization.

Data breach investigations consistently identify that the common point of failure for victim organizations is the lack of proactive monitoring, including oversight of remote access connections, which are frequent targets of criminals. Changes in outbound communication could also signal malware communication to remote servers or data exfiltration already in progress. Attackers often cloak their malicious activity using encryption, but abnormal traffic can trigger immediate action and further investigation. The key is to have a strong correlation engine that can identify issues and also provide the context required behind the identified issues to support rapid incident response. It is easier said than done, and most organizations have not assessed their incident response procedures, an essential component that makes continuous monitoring truly effective.

Once all the continuous monitoring components are in place, maintained, and consistently used by the IT team, the enriched security program could give a company a competitive advantage. Senior executives will have the metrics in place to demonstrate to potential business partners and customers evidence of a strong security posture. The enhancements also support risk-based decision making or a data-driven approach to risk mitigation. The data gleaned from continuous monitoring can be used to measure the effectiveness of existing security investments and establish the foundation for a security-minded culture among employees. Compliance initiatives are also bolstered by having a clear validation of regulatory compliance status at all times. But more importantly, the IT security team gains a continuous knowledge of all the assets within the organization and prioritizes efforts to reduce the attack surface. The CISO can corroborate budget requests for future technology investments with data that can be easily understood by senior leadership within the organization.

Q. What are the components of a continuous security monitoring solution, and which features should an enterprise concentrate on when evaluating such a solution?

A. Before an organization begins evaluating continuous security monitoring solutions, an assessment should identify existing security infrastructure, the location of sensitive assets, and data flow. A clear understanding of the operational processes in place and the goals for the program is also necessary to develop requirements for evaluating solutions. A continuous security monitoring solution should have a flexible deployment model with components that support on-premises, cloud-based, or hybrid approaches. It must have the ability to pull in data from a variety of sources, including existing third-party log management, data loss prevention, and file integrity monitoring products. It must be able to assess and gauge the effectiveness of intrusion prevention systems, firewalls, and other network defenses. The solution should be scalable and have the flexibility to adapt to infrastructure changes. It must be capable of proactive auditing to maintain a constant snapshot of system statuses and alert when configuration weaknesses or vulnerabilities are detected. The solution should be agile enough to support rapid response and have the ability to measure the effectiveness of mitigation efforts, including modified security controls and the addition of new security technologies.

Look for reporting capabilities that are intuitive and customizable and that provide mitigation guidance and workflows for rapid response when issues are identified. More robust solutions can prioritize risks based on system configurations, the organization's risk posture, and the sensitivity of the assets at risk. Ease of use is important, and report templates should support a variety of use cases. The analytics engine should support incorporating threat intelligence feeds and be agile enough to process data about new threats. It should be capable of correlating activity from endpoint agents, logs, and data generated by emerging advanced threat detection products.

Dashboards must be configurable, display high-level information, allow drilldown for more granular data, and give the organization the ability to tailor the display to individual use cases. Management controls should support customization based on the organization's risk posture and the ability to tune alerts to eliminate false positives. Any generated alerts must have the context behind them to help investigators identify, scope, and contain a threat quickly.

Q. Many talk about the IT security ecosystem as consisting of people, process, and technology, yet it seems technology gets the lion's share of attention. Should organizations be looking at security more holistically?

A. Absolutely. In recent years, we have seen what happens when organizations fail to calculate the full impact of adopting new security technology. Despite the adoption and deployment of modern security systems capable of detecting advanced threats, there have been countless data breaches that stem from the failure to prioritize and investigate alerts, process breakdowns, inadequate or nonexistent training, and a lack of planning. Failing to thoroughly vet the impact of a new technology results in not getting the full value out of the investment or, worse, it can cause a false sense of security. A thorough evaluation includes understanding the immediate and long-term impact of the new solution, including the need for potential changes to the incident response workflow and ongoing maintenance and optimization requirements when changes take place. Reports detailing data breaches consistently find attackers targeting mainly known vulnerabilities and using configuration weaknesses to their advantage. Criminals bypass poorly configured and maintained network security appliances and steal account credentials to spoof a valid user and avoid being detected.

Organizations can greatly reduce the potential for these lapses by achieving and maintaining a proficient security program and using proactive monitoring to make it more costly for criminals to carry out attacks against their network. The essential technology ingredients at the heart of any continuous network monitoring program are vulnerability scanning tools to probe systems and monitor network traffic for threats and an analytics engine capable of correlating and analyzing an extensive amount of log data, network, and endpoint activity. This involves bridging silos of data, addressing weak or inadequate processes, assessing and updating policies, and communicating those policies effectively. Modern security technologies must be flexible enough to integrate with diverse security infrastructure to enable organizations to create agile security systems. Rather than layering or bolting on security technology, forward-leaning organizations are linking detached systems to interoperate when a security incident occurs. If done the right way, these systems can share threat data to become situationally aware. These intelligent security systems can respond when a threat is detected and apply protections to the rest of the network if they are needed.

ABOUT THIS ANALYST

Robert Westervelt is a research manager within IDC's Security Products group. He provides insight and thought leadership in the areas of cloud security, mobile security, and security related to the Internet of Things (IoT). Westervelt is also responsible for research and analysis around a wide range of evolving security markets, including endpoint security, security and vulnerability management (SVM), and identity and access management (IAM).
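The answers above describe the core of a continuous monitoring program as a correlation engine that joins remote-access logs, scan findings, and network traffic per host, attaches asset context, and ranks findings by the sensitivity of the asset at risk. The following is an added illustration of that idea, not code from IDC or Tenable: the asset inventory, event records, baselines, scores, and the CVE placeholder are all constructed for the example.

```python
"""Toy continuous-monitoring correlator (added example, not the page's own code):
joins events from several sources per host, attaches asset context, and ranks
findings by asset sensitivity so responders see the riskiest host first."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed asset inventory; sensitivity runs 1 (low) to 5 (crown jewels).
ASSETS = {
    "db-01":  {"owner": "finance",   "sensitivity": 5, "remote_access_expected": False},
    "web-03": {"owner": "marketing", "sensitivity": 2, "remote_access_expected": True},
}

# Constructed events from three sources: VPN logs, scanner output, flow records.
EVENTS = [
    {"src": "vpn",  "host": "db-01",  "user": "jsmith", "result": "fail"},
    {"src": "vpn",  "host": "db-01",  "user": "jsmith", "result": "fail"},
    {"src": "vpn",  "host": "db-01",  "user": "jsmith", "result": "success"},
    {"src": "scan", "host": "db-01",  "cve": "CVE-PLACEHOLDER-0001", "cvss": 9.8},
    {"src": "flow", "host": "db-01",  "out_mb": 4200},
    {"src": "vpn",  "host": "web-03", "user": "admin",  "result": "success"},
    {"src": "flow", "host": "web-03", "out_mb": 60},
]

# Constructed per-host daily outbound volumes (MB) from prior days, used as a baseline.
BASELINES = {"db-01": [40, 55, 38, 62, 47, 51, 44], "web-03": [50, 70, 65, 58, 62, 55, 71]}


def outbound_zscore(host, out_mb):
    """How many standard deviations today's outbound volume sits above the host's baseline."""
    hist = BASELINES[host]
    sd = pstdev(hist) or 1.0          # guard against a flat baseline
    return (out_mb - mean(hist)) / sd


def correlate(events, assets=ASSETS):
    """Group events by host, derive reasons with context, and rank by score x sensitivity."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        # Unknown hosts get a middling sensitivity rather than being silently ignored.
        asset = assets.get(host, {"owner": "unknown", "sensitivity": 3, "remote_access_expected": True})
        reasons, score = [], 0
        fails = sum(1 for e in evs if e["src"] == "vpn" and e["result"] == "fail")
        logins = [e for e in evs if e["src"] == "vpn" and e["result"] == "success"]
        if logins and not asset["remote_access_expected"]:
            reasons.append("remote login to a host with no expected remote access"); score += 3
        if fails >= 2 and logins:
            reasons.append(f"{fails} failed VPN auths then success for {logins[-1]['user']}"); score += 2
        for e in (e for e in evs if e["src"] == "flow"):
            z = outbound_zscore(host, e["out_mb"])
            if z > 3:   # outbound volume far above this host's own baseline
                reasons.append(f"outbound {e['out_mb']} MB is {z:.0f} sd above baseline"); score += 3
        crit = [e for e in evs if e["src"] == "scan" and e["cvss"] >= 9.0]
        if crit:
            reasons.append(f"{len(crit)} critical unpatched finding(s)"); score += 1
        if reasons:
            findings.append({"host": host, "owner": asset["owner"],
                             "priority": score * asset["sensitivity"], "reasons": reasons})
    return sorted(findings, key=lambda f: f["priority"], reverse=True)


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["priority"], f["host"], f["owner"], "; ".join(f["reasons"]))
```

With the constructed data, the finance database surfaces as a single prioritized finding carrying all four pieces of context, while the marketing web host (expected remote access, normal outbound volume) produces no alert.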

ABOUT THIS PUBLICATION

This publication was produced by IDC Custom Solutions. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Custom Solutions makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.

COPYRIGHT AND RESTRICTIONS

Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For permission requests, contact the IDC Custom Solutions information line at 508-988-7610 or gms@idc.com. Translation and/or localization of this document require an additional license from IDC.

For more information on IDC, visit www.idc.com. For more information on IDC Custom Solutions, visit http://www.idc.com/prodserv/custom_solutions/index.jsp.

Global Headquarters: 5 Speen Street, Framingham, MA 01701 USA. P. 508.872.8200 F. 508.935.4015 www.idc.com

Copyright 2015 IDC