Advanced cyber-security intelligence





Real time defence of business data and IT users through the use of next generation SIEM
July 2012

Traditional IT security defences have been built using point security products. These are good for protecting against specific threats; for example, firewalls limit access to networks, anti-virus software detects malware on given devices and encryption protects stored data. However, cyber security threats have now emerged that can only be detected by correlating information from a wide range of sources, including the point security products themselves. Most organisations already have much of the required data to achieve this but not the tools needed to process it. This has led to the emergence of next generation SIEM (security information and event management) tools. These enable the real time correlation of IT intelligence data, allowing many advanced threats that would previously have been undetectable to be foiled or pre-empted. This paper presents a value proposition for investing in next generation SIEM tools. It should be of interest to any business, security or IT manager that wants to get ahead in the security stakes and make their organisation less likely to be a victim than the next one.

Bob Tarzey, Quocirca Ltd, Tel: +44 7900 275517, Email: bob.tarzey@quocirca.com
Clive Longbottom, Quocirca Ltd, Tel: +44 771 1719 505, Email: clive.longbottom@quocirca.com

Copyright Quocirca 2012

Advanced cyber-security intelligence
Real time defence of business data and IT users through the use of next generation SIEM

Cyber security threats are becoming increasingly complex and can often only be detected by looking at data from multiple sources. This includes the logs from point security products, information about IT systems, the data that is used to store knowledge of users and their rights, and other contextual information. A correlated view of all this data enables unforeseen attacks to be thwarted as they happen, as well as providing IT security teams with the insight to do their jobs more effectively and improve base security.

- Many security threats cannot be detected with point products. Point IT security products, such as firewalls, anti-virus software and intrusion prevention systems, aim to stop individual threats as and where they occur but do not provide the advanced correlation needed to prevent many advanced cyber security threats. For example, a user request to attach to the network with a known device may look normal, but would not be valid if the device had been reported stolen the day before.

- IT security has become a big data problem. Detecting complex threats in real time requires the cross correlation of large volumes of data in real time. Those charged with ensuring the security of their organisation's assets face a big data problem, similar to the broader business intelligence problem that comes with extracting value from the rapidly increasing volumes of electronically stored information.

- Analysing large volumes of IT intelligence data requires new tools. The use of log management and security information and event management (SIEM) tools has become commonplace in larger businesses over the last decade for reviewing events that have already occurred. Now the next generation of SIEM tools has emerged. By processing and correlating data in real time, enforcing pre-programmed rules and observing suspicious activity, these tools enable the mitigation of cyber security threats that may otherwise go unnoticed.

- Next generation SIEM tools need to make finely balanced decisions. If the tools are too sensitive then a valid, but unusual, action by a bona fide user may be blocked, causing frustration and damaging productivity. Next generation SIEM tools not only detect advanced threats but also enable quick decisions to be made about when to block access, when to allow it and when to alert security staff. They also provide IT security teams with the insight needed to know when human intervention is required.

- IT intelligence data can also be used to improve base security. It is not just about stopping individual events; the data gathered by such tools can provide a continuous feed to enable any organisation to improve its security posture and to adjust policy to allow users to work more effectively and reliably. IT intelligence data can also provide insight beyond IT security itself, enabling better management of IT systems and applications to improve the efficiency of business processes and user productivity.

- To justify required investments it is necessary to look at added value as well as reduced risk. Advanced cyber security intelligence is obviously about reducing risk, but that alone may not be enough to win the backing for the required investment in next generation SIEM tools. There are also cost savings that come from avoiding the clean-up after cyber security failures and avoiding potential fines if an event leads to a leak of regulated data. Value must also be added to the equation; greater overall confidence in IT systems means business processes can be pushed harder, increasing productivity and freeing IT staff to spend time focused on innovation rather than fire fighting.

Conclusions: So much criminal activity and political activism has now been displaced from the physical world to cyber space, or at least extended to cover both, that IT security employees are now in the front line when it comes to ensuring that the businesses they serve have the ability to function and that their continued good reputation is ensured. To this end they must be enabled with the tools that give them a broad insight into IT infrastructure, applications and user activity to protect their business from attacks tomorrow that no one can envisage today.

Introduction: beyond point security products

Nation states have known for centuries that putting point security measures in place, such as border controls and passports, to protect their territory, citizens and other assets is not enough. The best levels of protection are only achieved through proactively monitoring potential enemies and foiling their actions in real time or, better still, pre-empting them. There will still be security breaches, but the constant gathering and effective use of intelligence ensures the number is minimised and that those with responsibility for security are able to make better informed decisions.

Security failures have occurred in the past due to poor correlation of security intelligence. Some analysts consider that the failure of the FBI and CIA to share intelligence meant the planning for the September 11th 2001 terrorist attacks in the USA went undetected [1]. Even if good intelligence exists, not correlating it well with other information can lead to poor decision making with consequent serious results.

Businesses have always had to focus on security too. For example, banks have always worried about armed robbers walking through the doors of branches; to counter this threat point security products, such as bullet proof glass screens and video surveillance cameras, were installed. However, the effect was to displace the crime elsewhere; when bank branches had become too hard to raid, criminals started to target the vans that moved cash to and from them.

The past decade has seen a massive displacement of threats for both governments and businesses from the physical to the virtual world. The savvy bank robber no longer covers their face with a stocking but hides behind an anonymising internet proxy or passes themselves off as an insider on IT systems using a stolen identity. The opening up of the online world is a reality that businesses have not been able to ignore, not least because they need to exploit the opportunities that abound.

Businesses must also recognise that protection online requires going beyond the use of traditional point IT security tools. That is not to say they are no longer necessary, but that they do not offer the level of defence required. For example:

- Anti-virus software may not detect a zero day attack on a given server. Correlating server access logs to identify that the same server is being used to contact many other servers and user end-points on the same private network, and is sending messages home to an unusual IP address, would give an early warning that something is amiss (Figure 1). The recently identified Flame malware worked in a similar way to this.

- An intrusion prevention system (IPS) may prevent multiple failed attempts to access a server from a particular IP address, but may not see that data is already being copied from that server due to a single successful penetration from the same IP address (Figure 2). Correlating log and event files could identify that the two events are related and lead to the prevention of a data theft. A so-called advanced persistent threat (APT) could have this sort of profile.
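The two correlations sketched in Figures 1 and 2 written out as detection rules over a constructed connection and authentication log. This is an added example, not code from the Quocirca paper or from any SIEM product; the private address range, the allow-list of expected external endpoints, the thresholds and the time window are assumptions chosen for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this example: the private range, an allow-list of external
# endpoints the servers are expected to talk to, and the alerting thresholds.
INTERNAL_NET = ip_network("10.0.0.0/8")
EXPECTED_EXTERNAL = {"203.0.113.10"}   # e.g. an update server (documentation-range address)
FANOUT_THRESHOLD = 5                   # distinct internal peers contacted within WINDOW
FAILED_LOGON_THRESHOLD = 3             # failed logons from one source before a success
BULK_BYTES = 50_000_000                # outbound volume that counts as a bulk copy
WINDOW = timedelta(minutes=15)

# Constructed sample events (not real logs): "time src type dst [bytes]".
SAMPLE_LOG = """\
2012-07-01T09:00:05 10.0.1.5 conn 10.0.2.11
2012-07-01T09:00:40 10.0.1.5 conn 10.0.2.12
2012-07-01T09:01:10 10.0.1.5 conn 10.0.2.13
2012-07-01T09:01:50 10.0.1.5 conn 10.0.2.14
2012-07-01T09:02:30 10.0.1.5 conn 10.0.2.15
2012-07-01T09:03:00 10.0.1.5 conn 198.51.100.7
2012-07-01T09:05:00 10.0.1.9 conn 203.0.113.10
2012-07-01T10:00:00 192.0.2.44 auth_fail 10.0.3.2
2012-07-01T10:00:03 192.0.2.44 auth_fail 10.0.3.2
2012-07-01T10:00:07 192.0.2.44 auth_fail 10.0.3.2
2012-07-01T10:00:12 192.0.2.44 auth_ok 10.0.3.2
2012-07-01T10:04:00 10.0.3.2 transfer 192.0.2.44 120000000
"""


def parse(text):
    """Turn the sample format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        events.append({"time": datetime.fromisoformat(parts[0]), "src": parts[1],
                       "type": parts[2], "dst": parts[3],
                       "bytes": int(parts[4]) if len(parts) > 4 else 0})
    return sorted(events, key=lambda e: e["time"])


def is_internal(ip):
    return ip_address(ip) in INTERNAL_NET


def detect_lateral_beacon(events):
    """Figure 1: a host reaches many internal peers inside the window and also
    contacts an external address that is not on the allow-list."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "conn":
            by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        for i, anchor in enumerate(evs):
            window = [e for e in evs[i:] if e["time"] - anchor["time"] <= WINDOW]
            peers = {e["dst"] for e in window if is_internal(e["dst"])}
            unexpected = {e["dst"] for e in window
                          if not is_internal(e["dst"]) and e["dst"] not in EXPECTED_EXTERNAL}
            if len(peers) >= FANOUT_THRESHOLD and unexpected:
                alerts.append({"rule": "lateral_fanout_with_beacon", "host": src,
                               "peers": len(peers), "beacon_to": sorted(unexpected)})
                break  # one alert per host is enough
    return alerts


def detect_bruteforce_then_bulk_copy(events):
    """Figure 2: repeated failed logons from one address, then a success, then a
    bulk outbound transfer from the targeted server inside the window."""
    alerts = []
    fails = defaultdict(list)  # (src, dst) -> times of failed logons
    for e in events:
        key = (e["src"], e["dst"])
        if e["type"] == "auth_fail":
            fails[key].append(e["time"])
        elif e["type"] == "auth_ok":
            recent = [t for t in fails[key] if e["time"] - t <= WINDOW]
            if len(recent) < FAILED_LOGON_THRESHOLD:
                continue
            server = e["dst"]
            bulk = [x for x in events if x["type"] == "transfer" and x["src"] == server
                    and not is_internal(x["dst"]) and x["bytes"] >= BULK_BYTES
                    and timedelta(0) <= x["time"] - e["time"] <= WINDOW]
            if bulk:
                alerts.append({"rule": "bruteforce_success_then_bulk_copy", "server": server,
                               "source": e["src"], "failed_logons": len(recent),
                               "bytes_out": sum(x["bytes"] for x in bulk)})
    return alerts


def run(text=SAMPLE_LOG):
    events = parse(text)
    return detect_lateral_beacon(events) + detect_bruteforce_then_bulk_copy(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Neither rule fires on the individual events; the IPS would only see three failed logons and the firewall only permitted connections, which is the point of correlating across sources.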

Recent research conducted by OnePoll [2] amongst IT decision makers at UK-based organisations suggests some already understand these deficiencies; around half the respondents believed that it is doubtful breaches can be prevented or are, indeed, inevitable regardless of the security measures in place (Figure 3). Proactive real time intelligence gathering and correlation is needed to foil and pre-empt the wide array of increasingly sophisticated threats. However, many businesses lack the necessary tools and visibility to achieve this; 47% admitted that data is only analysed after an event has occurred (Figure 4).

Good cyber security intelligence is fundamental to preventing advanced security threats and enabling security staff to do their jobs effectively. The real time use of correlated security intelligence can identify activities that may otherwise go unnoticed and prevent them from happening in the first place. Such intelligence also enables good decision making; IT staff need to react to fast moving events and be confident to raise the alarm and know how loud it should be; however, they do not want to be accused of crying wolf.

This paper presents a value proposition for investing in next generation SIEM tools that enable a business to make use of a wide range of information sources to achieve these goals. It explains how proactive use of IT intelligence can counter threats as they happen rather than uncovering them after the event. It should be of interest to any business, security or IT manager that wants to get ahead in the security stakes and make their organisation less likely to be a victim than the next one.

Sources of IT intelligence data

Businesses have a problem with data; they are increasingly overwhelmed by it and are often unable to extract the expected value. This applies to both the business data that IT systems are there to gather, manage and provide access to in the first place, and also the data gathered about the use of business data itself and the IT systems that process and store it. This includes log data and audit trails; the gathering and analysing of all this IT intelligence data is essential to protecting against advanced security threats.

IT intelligence data is the key to providing the insight that enables proactive threat mitigation and protection of business data from theft and misuse. By understanding how IT systems are being used and the threats that surround these systems and their users, the core security and value of IT can be better ensured.

The struggle to get to grips with, and extract value from, overwhelming volumes of business data has been dubbed the big data issue in recent years. A similar struggle exists with IT intelligence data, which is also generated in large volumes. For example, the latest high performance network routers and switches may have gigabytes of solid state storage to hold log information about the millions of packets of data they process per second. Security products are constantly generating log files too, whilst file servers and databases maintain logs of who has accessed what and when. All this can only be made sense of in the context of access rights extracted from identity and access management systems and other contextual information.

Another complication is introduced by the increasing use of on-demand (cloud-based) services. Information needs to be gathered from the providers of such services about the traffic flowing to and from them. Furthermore, to provide pervasive security coverage, security staff also need to be aware of the use of these services directly by lines of business and employees, something which is increasingly done without the upfront endorsement of the IT department.

The growing diversity and mobility of devices used to access IT applications and data add more complexity (this includes the growing use of employee-owned devices). User devices can be both a cause of data leaks and a source of security threats. Point security products, including data loss prevention (DLP), end-point security tools and encryption, can help, but recognising that a known device is being used in an unusual way requires reviewing it in the context of broader network, geographic and temporal information.

Table 1 lists the range of sources for IT intelligence data. The need to gather, store and process so much IT intelligence data from so many sources is the reason IT security has become a big data issue. Addressing the problem requires new tools with the capability to process this data in real time. Some of the vendors of SIEM tools are now adapting their products to address the problem; so-called next generation SIEM.

Table 1: Sources of IT intelligence data

IT infrastructure
- Network devices: logs from routers and switches, information from network access control (NAC) tools, NetFlow data
- Security devices: logs from firewalls, IPS and other security appliances
- Servers: log files from servers in data centres and branch offices; physical, virtual and public cloud based
- User end-points: device information, network context, access history, records of ownership and records of losses
- SCADA (supervisory control and data acquisition) infrastructure: data about the operation of and access to industrial control systems, their network mapping and access history

Access data
- Databases: access logs
- Other data access information: monitoring the use of content, data from data loss prevention systems and content filtering systems
- Business applications: access logs for both on-premise and on-demand applications
- Web access data: includes information about what is being downloaded to and from web sites; feeds from DLP tools and web filtering systems
- Email records: who has been sending what to whom?

Vulnerability information
- 3rd party feeds: from other IT vulnerability assessment and mitigation systems, e.g. Rapid 7, Qualys and FireEye
- Software integrity information: patch state of operating systems, firmware, databases and applications; list of known flaws
- Known malware: list of known malware that may be used as part of more complex attacks

User information
- User records: data from directories that defines who the authorised users are and what groups they are assigned to; this includes information about current and past job roles
- Access rights: current access rights for a given user or group of users
- Privileged access rights: records of the temporary or permanent assignment of privileges to named users
- Guest access rights: information from network access control systems about areas of networks enabled for guest access
- Third party access rights: records of outside organisations and users that have been authorised to access infrastructure and applications
- Machine access rights: not all access is by people; software applications and devices are also regularly assigned access rights, for example to carry out automated sys-admin tasks

Other data
- Change control systems: list approved sys-admin activities
- Locational data: IP and cellular geolocation of where access requests are coming from
- Regulatory/standard information: for example ISO 27001, which many organisations have adopted as an IT security baseline
- Industry bodies: provide advice to members on known complex attack types and how to coordinate defence against them
- Social media feeds: may identify that a given organisation is likely to be subject to attack, pressure group campaigns etc.
- Weather: unusual weather conditions in a certain area may account for observed large scale changes in user activity
- Time: accurate coordination is not possible without good timekeeping; an accurate source of time is needed across different systems and often needs to be added to records to make them useful

Next generation SIEM defined

The capability to collect and analyse IT intelligence data has been available for a number of years, enabled by tools for log file management, security event management (SEM), security information management (SIM) and file integrity monitoring. One of the reasons that log management tools, in particular, emerged was that, due to the growing volumes of log data being generated, log files were being overwritten, especially on old devices with limited storage; maintaining a central database is the only way to ensure log data is available in the long term for compliance purposes.

In 2005, Gartner coined the term SIEM (security information and event management) to characterise products that brought many of these capabilities together into an integrated product set. SIEM tools were mainly about taking a retrospective view of what had happened for compliance and governance purposes. Pulling together information from disparate sources could show auditors who had been accessing what and when. However, this was all after the event; more timely use of IT intelligence data could prevent unwanted events happening in the first place.

This required an upgrade of existing SIEM tools to enable the real time processing of big data. This has led to the emergence of next generation SIEM tools that can do just this: analyse and correlate IT intelligence in real time. This includes data currently being generated and the huge volumes of existing log and event data. By doing this it is possible to recognise and stop advanced threats as they happen. Of course, more than fast processing is required; the tools must have the intelligence to evaluate irregularities and decide whether they represent true threats or not. This is important, as over sensitivity will lead to annoying disruptions in the day-to-day use of IT and damage productivity. Table 2 lists the capabilities to be expected in next generation SIEM tools.

Table 2: Features of next generation SIEM tools
- The ability to process and analyse large volumes of IT intelligence data in real time
- Advanced correlation engine to process information from disparate sources
- The ability to enforce advanced rules that link disparate events and prescribe what should happen if there is an anomaly
- The intelligence and insight to act and prevent security breaches as they happen
- The ability to adapt and improve future responses
- The use of data from external sources to provide information on the new types of threat that have been observed elsewhere
- The capacity for the long term storage of IT intelligence data in a central repository
- Intuitive interface to give IT security staff insight into historic data and what is happening now

Applying next generation SIEM through advanced correlation

The key to understanding the value proposition for investing in next generation SIEM is to understand the insight provided by correlating IT intelligence data. This includes finding links between seemingly disparate events and the ability to apply policy in real time by linking existing logs, records of past events and other data with current activities. The ability to do this provides a new level of security that no individual security device or measure can offer stand-alone. This is best illustrated through a series of examples of advanced cyber security threats and how they can be countered through such correlations using next generation SIEM.

- Impossible access requests: it may be normal for a known user to access a given application remotely and out of office hours, but not if the request is coming from a location where they cannot physically be (Figure 5). Correlating each access request against the previous successful access request and checking the geographic location of the devices used can identify a physically impossible event, such as a user having moved from London to Paris in the space of a few minutes or hours, even if the bona fide user's job role could see them legitimately in both locations. Mobile network service providers use similar techniques for detecting fraud in their networks.

- Non-compliant movement of data: it might be usual for an employee to access customer information; it may also be usual for them to download it to a file for reporting reasons. However, for them to copy the data to a non-compliant location, for example a cloud storage resource in a certain country, should raise an alarm (Figure 6). There may be no malicious intent here; perhaps this is an example of a line-of-business commissioning its own cloud resources (an increasingly common practice). This requires rules that understand user access rights and compliance rules, and the ability to correlate these in real time with attempts to copy data and the location of the target storage service.

- Absence of an event: SCADA systems are often controlled using human machine interfaces (HMI); this requires someone to be present, which, with a physical security measure in place, should be preceded by a record of the employee involved having used an ID badge to enter the premises in question. So, if an action is logged on an HMI system at a remote location that is not preceded by a valid record of physical entry, then either someone has gained unauthorised access or the HMI has been hacked remotely. An advanced correlation rule that looks for the presence of the badge reader log within a specified time prior to an HMI access request enables such a breach to be detected (Figure 7).

- Anomalous sys-admin activity: if a system administrator account has been compromised there may be an attempt to create a new account for future use. Correlating this activity with a change control system will identify that the creation of such accounts has not been authorised (Figure 8).

- Unexpected access routes: some databases are only normally accessed via certain applications; for example, credit card data is written by an e-commerce application and only read by the accounts application. Access attempts via other routes should raise an alarm if the tools are in place to correlate such events and observe that a rule about the normal access route is being broken (Figure 9).

- Sys-admin failures: next generation SIEM is not just about preventing security breaches; it can also help ensure sys-admin tasks are complete. For example, a backup process is started, but no log for backup completed is generated (Figure 10). Searching logs and correlating them to check that the various events in the backup process have all happened ensures that the task has been successfully completed.
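The impossible-travel rule (Figure 5), the two absence-of-event rules (badge entry before an HMI action, Figure 7; backup completion after backup start, Figure 10) and the change-control check (Figure 8) described above, run over a constructed event log. This is an added example rather than the paper's or any vendor's code; the site coordinates, the speed limit, the time windows and the approved-change list are assumptions, and the absence-of-event check is written once as a generic "expected counterpart" rule that serves both Figure 7 and Figure 10.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed geolocation lookup for the sites in the sample (approximate coordinates).
SITE_COORDS = {"London": (51.51, -0.13), "Paris": (48.86, 2.35), "Manchester": (53.48, -2.24)}
MAX_SPEED_KMH = 900                 # assumed: faster than this between logons is impossible
BADGE_WINDOW = timedelta(minutes=30)  # badge-in must precede an HMI action by at most this
BACKUP_WINDOW = timedelta(hours=2)    # backup completion must follow the start within this

# Constructed change-control records: approved (admin, new account) pairs.
APPROVED_CHANGES = {("alice.admin", "svc_reporting")}

# Constructed sample events (not real logs): "time actor type location detail".
SAMPLE_LOG = """\
2012-07-02T08:00:00 bob logon London vpn
2012-07-02T08:20:00 bob logon Paris vpn
2012-07-02T08:05:00 carol logon London vpn
2012-07-02T12:05:00 carol logon Manchester vpn
2012-07-02T09:00:00 dave badge_in Site-A door3
2012-07-02T09:10:00 dave hmi_action Site-A setpoint_change
2012-07-02T23:40:00 dave hmi_action Site-A setpoint_change
2012-07-02T10:00:00 alice.admin create_account DC1 svc_reporting
2012-07-02T10:02:00 alice.admin create_account DC1 svc_temp2
2012-07-02T22:00:00 backup_job backup_started FS1 nightly
2012-07-02T22:45:00 backup_job backup_completed FS1 nightly
2012-07-02T23:00:00 backup_job backup_started FS2 nightly
"""


def parse(text):
    """Turn the sample format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, actor, kind, loc, detail = line.split(maxsplit=4)
        events.append({"time": datetime.fromisoformat(t), "actor": actor,
                       "type": kind, "loc": loc, "detail": detail})
    return sorted(events, key=lambda e: e["time"])


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def impossible_travel(events):
    """Figure 5: compare each logon with the same user's previous logon and flag
    the pair if the implied travel speed exceeds MAX_SPEED_KMH."""
    alerts, last = [], {}
    for e in (x for x in events if x["type"] == "logon"):
        prev = last.get(e["actor"])
        if prev and prev["loc"] != e["loc"]:
            km = haversine_km(SITE_COORDS[prev["loc"]], SITE_COORDS[e["loc"]])
            hours = (e["time"] - prev["time"]).total_seconds() / 3600
            if hours == 0 or km / hours > MAX_SPEED_KMH:
                alerts.append({"rule": "impossible_travel", "user": e["actor"],
                               "from": prev["loc"], "to": e["loc"],
                               "km": round(km), "minutes": round(hours * 60)})
        last[e["actor"]] = e
    return alerts


def missing_counterpart(events, trigger, required, window, before):
    """Absence-of-event rule. before=True: the required event must precede the
    trigger within the window (Figure 7). before=False: it must follow it
    (Figure 10). Events are matched on actor and location."""
    alerts = []
    for e in (x for x in events if x["type"] == trigger):
        def matches(x):
            if x["type"] != required or x["actor"] != e["actor"] or x["loc"] != e["loc"]:
                return False
            delta = e["time"] - x["time"] if before else x["time"] - e["time"]
            return timedelta(0) <= delta <= window
        if not any(matches(x) for x in events):
            alerts.append({"rule": f"{trigger}_without_{required}", "actor": e["actor"],
                           "loc": e["loc"], "time": e["time"].isoformat()})
    return alerts


def unapproved_account_creation(events):
    """Figure 8: an account creation with no matching approved change record."""
    return [{"rule": "unapproved_account_creation", "admin": e["actor"],
             "account": e["detail"], "host": e["loc"]}
            for e in events if e["type"] == "create_account"
            and (e["actor"], e["detail"]) not in APPROVED_CHANGES]


def run(text=SAMPLE_LOG):
    ev = parse(text)
    return (impossible_travel(ev)
            + missing_counterpart(ev, "hmi_action", "badge_in", BADGE_WINDOW, before=True)
            + missing_counterpart(ev, "backup_started", "backup_completed", BACKUP_WINDOW, before=False)
            + unapproved_account_creation(ev))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Note that carol's London to Manchester move four hours apart passes the speed check, and dave's daytime HMI action passes because his badge-in sits inside the window; the rules only fire on the cases the paper describes.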

Taking action

Detecting a threat in real time or in advance is all well and good, but what action should be taken? In some cases an immediate and drastic action to block access to an individual or stop an application or process may be justified, but this is not always the case. If security settings are over sensitive then this can lead to annoying disruptions to the valid use of IT. Poor intelligence may lead security staff to hit the panic button too soon or too late. There may also be good reasons for taking another course on certain occasions; for example, letting a criminal action continue long enough to gather forensic evidence for a prosecution.

Furthermore, it may not be possible to stop complex attacks, such as those that form part of an APT, by taking any one single action; this may require putting the whole organisation on alert, including taking proactive PR measures to limit reputational damage. If an attack is part of a broader campaign against an organisation then countermeasures may be required at all sorts of levels beyond IT systems, including in the news rooms and law courts, and there must be a team armed with the necessary intelligence to coordinate this. Sony's slow and awkward response to an attack by the hacking organisation Anonymous in 2011 is an example of an organisation failing to achieve these goals.

What should be done in all cases is that an alarm is raised to security staff, so that even if automated actions are not taken they are in a position to intervene and make executive decisions as quickly as possible. They can also be better informed when making those decisions. Over time, next generation SIEM tools can provide even greater insight as they can adapt: recognising if anything similar has been seen before, what happened on the last occasion, the action that was taken and what the outcome was.

Businesses know they cannot fend off every attack; 28% of respondents were so gloomy in the OnePoll research that they said it is doubtful that breaches can be prevented (see Figure 3). Thankfully, many more are less pessimistic, but even they must plan for falling foul of an advanced cyber security attack at some point. Planning for this means ensuring there is immediate access to the information required to provide forensic support for the clean-up. However, one of the main aims of having advanced cyber security tools in place should be to stop attacks in real time or pre-empt them by improving an organisation's overall security posture. To this end many IT security managers will need to make the case for investment in new or upgraded technology.

Conclusion: a total value proposition for next generation SIEM

Quocirca's total value proposition (TVP) analysis looks at the expected return from any given investment in terms of risk reduction, cost saving and value creation. There are a number of factors in all three areas that can be put into a proposition for the investment in next generation SIEM.

The case certainly needs to be made. 52% of respondents to the OnePoll research stated that the proportion of IT budget spent on security had not gone up in the last five years (Figure 11). However, respondents felt that the emergence of new regulations is one of the best ways of engaging with senior level management involved in the IT security decision making process (Figure 12). Financial risk is also a good way to get the ear of those who control the purse strings; 77% stated that the growing threat of data breach penalties could help motivate and increase spending (Figure 13). But once the discussion is underway, a more positive case can and should be made for the investment in proactive cyber security intelligence. This discussion should focus on the reduction of business risk, the control of business cost and the creation of business value.

Risk reduction

From the evidence presented in this report it should be clear where next generation SIEM tools could help reduce risk. These include:
- Insight into risks that cannot be seen using point security tools
- IT security teams empowered with the information to act (or take no action) with confidence
- Improved base security
- Rapid response to limit reputational damage

Cost saving

Security failures can be an expensive business; investing upfront to avoid them is far better than unbudgeted spending to clear up the mess after the event:
- Avoidance of penalties for data breaches
- Automation of time-consuming data analysis
- Less money and time spent cleaning up incidents after they have happened

Value creation

The more confidence a business has in the use of IT, the better positioned it is to exploit the huge business value that it provides:
- Better protection of IT assets means higher availability
- More IT staff time is freed up to focus on core value
- There is more confidence to innovate with IT in the knowledge that its use is more secure
- Confidence to fully exploit business processes
- An open communications environment for employees, partners and customers where the business is protected from the potentially harmful actions of users, be they intentional or accidental

So much criminal activity and political activism has now been displaced from the physical world to cyber space, or at least extended to cover both, that IT security staff are now in the front line when it comes to ensuring that their businesses can continue to function and keep their good reputation. To this end they must be enabled with the tools that give them a broad insight into IT infrastructure, applications and user activity, to protect their business from attacks tomorrow that no one can envisage today.

References

1 Wedge: From Pearl Harbor to 9/11, The Secret War Between the FBI and CIA, Mark Riebling, 1994 (updated 2002)
2 OnePoll research commissioned by LogRhythm, into 200 UK-based at businesses with more than 1,000 employees (Spring 2012)

About LogRhythm

LogRhythm is the leader in cyber threat defence, detection and response. The company's SIEM 2.0 security intelligence platform delivers the visibility, insight and remediation required to detect the previously undetectable and address the mutating cyber threat landscape. LogRhythm also provides unparalleled compliance automation and assurance as well as operational intelligence to Global 2000 organisations, government agencies and mid-sized businesses worldwide. For more information on LogRhythm please visit http://www.logrhythm.com, follow on Twitter: @LogRhythm or read the LogRhythm blog.

LogRhythm Inc.
4780 Pearl East Circle, Boulder CO., 80301
info@logrhythm.com
Phone: (303) 413-8745
Fax: (303) 413-8791

LogRhythm Ltd.
Siena Court, The Broadway, Maidenhead, Berkshire SL6 1NJ, United Kingdom
info@logrhythm.com
Phone: +44 (0)1628 509 070
Fax: +44 (0)1628 509 100

LogRhythm Asia Pacific Ltd
8/F Exchange Square II, 8 Connaught Place, Central, Hong Kong
info@logrhythm.com
Phone: +852 2297 2812
Fax: +852 2297 2289

LogRhythm France SARL
171 bis, Boulevard Charles de Gaulle, 92200 Neuilly sur Seine
info@logrhythm.com
Phone +33 1 40 88 11 80

LogRhythm Germany GmbH
Landsberger Strasse 302, D - 80687 München
info@logrhythm.com
Phone +49 89 90405 245

REPORT NOTE: This report has been written independently by Quocirca Ltd to provide an overview of the issues facing organisations seeking to maximise the effectiveness of today's dynamic workforce. The report draws on Quocirca's extensive knowledge of the technology and business arenas, and provides advice on the approach that organisations should take to create a more effective and efficient environment for future growth.

About Quocirca

Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption: the personal and political aspects of an organisation's environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to provide advice on the realities of technology adoption, not the promises. Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca's mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time. Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies.
Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community. Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca's clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP, Xerox, EMC, Symantec and Cisco, along with other large and medium-sized vendors, service providers and more specialist firms. Details of Quocirca's work and the services it offers can be found at http://www.quocirca.com

Disclaimer: This report has been written independently by Quocirca Ltd. During the preparation of this report, Quocirca has used a number of sources for the information and views provided. Although Quocirca has attempted wherever possible to validate the information received from each vendor, Quocirca cannot be held responsible for any errors in information received in this manner. Although Quocirca has taken what steps it can to ensure that the information provided in this report is true and reflects real market conditions, Quocirca cannot take any responsibility for the ultimate reliability of the details presented. Therefore, Quocirca expressly disclaims all warranties and claims as to the validity of the data presented here, including any and all consequential losses incurred by any organisation or individual taking any action based on such data and advice. All brand and product names are recognised and acknowledged as trademarks or service marks of their respective holders.