The Importance of Reputation. Proactive enterprise security involves turning data into actionable information; that's where reputation comes in.




Information Security Media Group, 2013

THE IMPORTANCE OF REPUTATION

In the past, security meant tall, strong walls, as in forts, citadels and castles (think of the Great Wall of China). Eventually, warring parties found ways around those vertically oriented defenses. The same dynamic is at play today in the electronic realm. In the hyper-dynamic environment of the Internet, the fortress mentality of IT security is a throwback. With evolving online models such as mobile computing and the cloud, and sophisticated malware such as botnets and advanced persistent threats, an information security defense strategy oriented around securing an enterprise's perimeter is misguided and inadequate.

What is needed is a way to leverage IT's most valuable asset: data. As is true in every area of IT, security technology generates a plethora of data, which can be something of a mixed blessing. "What companies are wrestling with is the fact that security has a lot of data associated with it," says industry analyst Steve Hunt, author of the Security Dreamer blog. "But only when that data is organized, contextualized, does it become security information," he adds.

Turning security data into actionable information is key. In today's constantly shifting security environment, adequate defense demands not only reactive data collected from internal networks but also active, up-to-the-minute reputation data gathered from the wider Internet, with the two combined to generate meaningful recommendations and remediations. Such reputation data can make the difference between passive resistance and proactive security.

The Threat Landscape

It is important to understand the hothouse environment that surrounds IT security these days. Public outrage over increasing reports of data compromises, along with political reaction in the form of widespread public disclosure laws, has made finding breaches and minimizing data loss a corporate priority.

Malicious motivations have changed over the years, as have the means to those ends. Sophisticated criminal gangs, along with spies sponsored by nation-states and agenda-driven hacktivists, have replaced teenage tinkerers as the most menacing digital marauders. Alongside brute-force virus attacks have come stealth tactics that emphasize the long, slow, multi-stage exfiltration of data and resources, such as the widespread surreptitious deployment of robot networks (botnets) and the personalized, targeted incursions known as spear phishing.

It is also important to understand where security threats come from. While much handwringing goes on over the threat represented by internal personnel, the fact is that most security breaches come from the outside. The large majority (86%) of the breaches examined by Verizon security researchers for the company's most recent data-breach report had no internal element.[1]

Given the stealthy nature of many of these outsider attacks, it is not surprising that many organizations have security problems and do not know it. Two-thirds of the breaches examined by Verizon's researchers took months, even years, to discover.[2] In a recent analysis of security trends, Forrester Research called out this blindness as a major concern: "Most organizations don't have the visibility or awareness to know if their networks are breached."[3]

Security = Data

Information security has always been about data. Intrusion detection systems were intended to monitor networks and detect and report anomalies, while intrusion prevention systems checked for malware against lists of known signatures. Unfortunately, early versions of both tended to suffer from a surfeit of data, frustrating effective remediation with an overload of false positives.

With its sensors and dashboards, data collection and interpretation is the whole point of security information and event management (SIEM) technology. SIEM found its foothold in the enterprise as a tool to document compliance with industry and governmental regulations. Still, the ability to collect and correlate massive amounts of data and make recommendations based on defined rules has made SIEM an important security tool for mid-size and large organizations.

As the malware landscape evolved, signature data became an important element in the fight against the rising tide of malicious code. Viruses, worms and Trojan horses were captured and catalogued, and their identifying characteristics were added to the lists used by anti-virus applications. Software vendors also tracked vulnerabilities inadvertently incorporated into their applications and systems and began publishing regular patches to address those problems.

In the online world, the where, who and how of malicious code matter just as much as the what. Toward that end, some third-party organizations took it upon themselves to monitor the Internet for emerging threat areas. For instance, the SANS Institute, a computer security training firm, provides an online public service known as the Internet Storm Center, which collates data on infrastructure events from sensors covering over 500,000 IP addresses in more than 50 countries and adds analysis in the form of a daily blog.[4] It is a valuable public resource for monitoring and evaluating emerging Internet attack trends.

The Necessary Element

Security technology providers have recognized the significance of such online reputation services to their customers' overall defense postures and to the effectiveness of their own products. Being able to provide data about the most recent Internet threat areas means customers can use network-monitoring technology to detect even extremely subtle intrusions. Perhaps more importantly, users can check outgoing network traffic for communication with known bad actors, such as botnet command-and-control servers, to spot security threats already implanted within the enterprise.

"Being made aware of just how riddled with vulnerabilities your network is can be traumatic," says George Daglas, chief operations officer of Obrela Security Industries, a managed security services provider. One customer compared it to, Daglas says, "living in a dark room, and suddenly someone turned on the lights, and all around us were dragons and snakes" (see the sidebar Case Study: Obrela Security Industries, below).

Up-to-date reputation data can also serve as a watchlist with which organizations guard their own Internet status and reputations: if your Web assets (or those of customers and partners) appear on it, they are harboring malicious content. This is a more efficient and effective (and less embarrassing) way to uncover internal security vulnerabilities than being made aware of them by some third party, which is how most organizations find out. According to the Verizon report, 69% of the breaches it studied were spotted by external parties (9% by customers).[5]

Reputation data has a performance aspect as well. By helping to block unknown and unwanted communication from inside the organization to outside sources, it can free network capacity for mission-critical applications.

Benefiting From Benchmarks

It is worth noting that not all reputation security services are created equal. Some security technology providers rely on reputation research from publicly available sources, such as SANS, and from major vendors, rather than expending the resources to generate research of their own. That is not to say public data has no value, but it does not necessarily furnish security technology providers or their potential customers with a competitive advantage. That is why it is important that organizations look closely at where reputation data comes from and how the security technology provider makes use of it. "One of the criteria for evaluating a security vendor is to look at their threat intelligence research organization, what their linkage is to services and products," says security analyst Chris Christiansen, program vice president for IDC's Security Products and Services group.

When evaluating a security technology provider, especially in terms of threat research and reputation services, potential customers should pay close attention to these benchmarks:

- The extent and currency of the reputation data: how much is there, where does it come from, and how often is it updated? Commitment is the key to currency, and currency is the key to actionable reputation data.
- A viable scoring mechanism for reputation data. Practical scoring lets customers choose the granular level at which they want to filter potential threats.
- The integration of reputation data with existing technology. Reputation data can be a very powerful add-on to an IPS, ensuring filters are kept valid and purposeful. Similarly, reputation data can be used with a SIEM system to bolster the effectiveness of the correlation engine and its policy-based recommendations.

Extensive, proactive research regarding reputation data, as well as tight integration with existing products, will not happen by accident. It must be part of a provider's ongoing effort to keep its security technology and services as close to the cutting edge as possible. Potential customers will benefit from close scrutiny of such practices before committing.

A Proactive Strategy

If there is one thing the last few tumultuous years have taught us, it is that information technology is not static: it is a dynamic process that companies must leverage or risk being left behind. In the same way, enterprise security can no longer be a static, defensive stance; it must take the form of a dynamic, proactive strategy, or organizations will continue to risk being victims.

Owing to its currency and relevance, data is the most dynamic aspect of IT. The catch-phrase "big data" points to its potential, through analytics and data mining, for providing actionable insights. That same potential applies to security. More data points about the evolving threat landscape as it mutates and multiplies on the Internet can mean more effective security technology, better adapted to address current and future vulnerabilities.

But such reputation data is only as effective as it is made to be. Potential customers must examine closely how the data is employed by security service providers: where it comes from, how current it is, and how it is leveraged in existing technology. When used correctly, reputation data, and the services and technologies related to it, represent the next most effective weapon in the fight to secure information.

Footnotes

1. Verizon, 2013 Data Breach Investigations Report.
2. Ibid. (62% of breaches took months to discover; 4% took years.)
3. Forrester Research, Inc., "Top 15 Trends S&R Pros Should Watch: Q2 2013," April 9, 2013.
4. SANS Internet Storm Center, https://isc.sans.edu/
5. Verizon, 2013 Data Breach Investigations Report.
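The outbound command-and-control check described under The Necessary Element, together with the scoring threshold and feed-currency benchmarks listed under Benefiting From Benchmarks, can be shown as one small correlation routine of the kind a SIEM rule implements. The following is an added example written for this page; it is not HP RepSM, RepDV or ArcSight code. The feed record format (indicator, 0-100 score, category, last-seen timestamp), the flow record format, the internal address ranges and every sample record are constructed for illustration.

```python
"""Added example: correlate outbound flow records against a scored reputation feed.

Hypothetical formats (constructed for this example, not a real vendor feed):
  feed record : <indicator>,<score 0-100>,<category>,<last_seen ISO-8601 UTC>
  flow record : <ts> <src_ip>:<port> -> <dst_ip>:<port> proto=<tcp|udp> [dns=<name>]
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample feed. Scores express threat potential on a 0-100 scale.
FEED_LINES = [
    "203.0.113.7,95,botnet-c2,2013-09-01T11:00:00Z",
    "198.51.100.23,40,scanner,2013-09-01T10:30:00Z",
    "bad-update.example,90,malware-dist,2013-09-01T09:00:00Z",
    "192.0.2.99,99,botnet-c2,2013-06-01T00:00:00Z",  # last seen months ago: stale
]

# Constructed sample flow records of the kind a SIEM collects from firewalls.
FLOW_LINES = [
    "2013-09-01T12:00:01Z 10.1.4.22:51234 -> 203.0.113.7:443 proto=tcp",
    "2013-09-01T12:00:05Z 10.1.4.22:51240 -> 203.0.113.50:80 proto=tcp dns=www.example.com",
    "2013-09-01T12:01:00Z 10.1.7.9:40001 -> 203.0.113.7:443 proto=tcp",
    "2013-09-01T12:01:30Z 10.1.9.3:40002 -> 198.51.100.23:22 proto=tcp",
    "2013-09-01T12:02:00Z 10.1.4.22:53000 -> 198.51.100.5:80 proto=tcp dns=bad-update.example",
    "2013-09-01T12:03:00Z 10.1.2.2:60000 -> 192.0.2.99:8080 proto=tcp",
    "2013-09-01T12:03:10Z 10.1.2.2:60001 -> 10.1.2.3:445 proto=tcp",  # internal, ignored
]

NOW = datetime(2013, 9, 1, 12, 5, tzinfo=timezone.utc)  # fixed clock for reproducibility
# Assumed internal ranges (RFC 1918); adjust to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r" proto=(?P<proto>\w+)(?: dns=(?P<dns>\S+))?$"
)


@dataclass(frozen=True)
class RepEntry:
    indicator: str
    score: int
    category: str
    last_seen: datetime


def load_feed(lines, now=NOW, max_age=timedelta(days=7)):
    """Parse feed records and drop entries not seen within max_age: stale reputation is noise."""
    feed = {}
    for line in lines:
        indicator, score, category, seen = line.strip().split(",")
        last_seen = datetime.fromisoformat(seen.replace("Z", "+00:00"))
        if now - last_seen <= max_age:
            feed[indicator] = RepEntry(indicator, int(score), category, last_seen)
    return feed


def parse_flow(line):
    """Split one flow record into its fields; raise on anything that does not match."""
    match = FLOW_RE.match(line.strip())
    if not match:
        raise ValueError(f"unparseable flow record: {line!r}")
    return match.groupdict()


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate(flow_lines, feed, threshold=80):
    """Alert on internal -> external flows whose destination IP or resolved name scores >= threshold.

    The threshold is the filtering knob: lower it to also see lower-confidence hits such as scanners.
    """
    alerts = []
    for line in flow_lines:
        flow = parse_flow(line)
        if not (is_internal(flow["src"]) and not is_internal(flow["dst"])):
            continue  # only outbound traffic can reveal an implanted C2 channel
        for indicator in (flow["dst"], flow["dns"]):
            entry = feed.get(indicator) if indicator else None
            if entry and entry.score >= threshold:
                alerts.append({"ts": flow["ts"], "src": flow["src"], "indicator": indicator,
                               "score": entry.score, "category": entry.category})
                break  # one alert per flow; an IP match takes precedence over a name match
    return alerts


def hosts_per_indicator(alerts):
    """Group alerting internal hosts by indicator: several hosts beaconing to one C2 is a stronger signal."""
    groups = {}
    for alert in alerts:
        groups.setdefault(alert["indicator"], set()).add(alert["src"])
    return {indicator: sorted(hosts) for indicator, hosts in groups.items()}


if __name__ == "__main__":
    hits = correlate(FLOW_LINES, load_feed(FEED_LINES))
    for hit in hits:
        print(f"{hit['ts']} {hit['src']} -> {hit['indicator']} score={hit['score']} {hit['category']}")
    print(hosts_per_indicator(hits))
```

At the default threshold of 80 the routine raises three alerts: two internal hosts talking to the same command-and-control address, and one host fetching from a domain the feed flags even though its IP is not listed. Lowering the threshold to 40 also surfaces the scanner hit, which is the granular filtering the benchmarks list calls for; the months-old 192.0.2.99 entry is dropped by the currency check, so a flow to it produces nothing, which is the practical consequence of a feed that is not kept up to date.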

Case Study: Obrela Security Industries

Headquarters: Athens, Greece.

Mission: Provide managed services in the areas of risk management and information security for complex enterprise environments. "Obrela is a beta class startup, three years into the startup scene and expanding rapidly," says Kimon Skarlatos, chief commercial officer.

Customers: Financial services, payment processors, public sector, telecommunications.

Problem: Find a flexible, extendable, interoperable, scalable, multi-platform, multi-tenant SIEM system with a sophisticated correlation engine on which to base a growing security-as-a-service business.

Solution: HP ArcSight Enterprise Security Manager plus the HP RepSM service.

Reason for using HP ArcSight: "We were looking for something open enough to allow us to build our own content, our own rules, (along with) multiple levels of correlation, not be the limiting factor of what we wanted to do," says George Daglas, co-founder and chief operations officer.

Reason for using HP RepSM: "With RepSM being constantly updated, we are able to correlate normal internal behavior with what is happening on the outside," says Daglas. "We have identified threats in financial organizations that had been there for years, that information was being transmitted and collected by malicious third parties for years; we were able to identify this very quickly with the RepSM environment," he says.
HP Reputation Services

Among the reputation solutions offered by HP:

HP DVLabs
- Research organization focused on vulnerability discovery and analysis
- Maintains a database of 1-million-plus IPv4 and IPv6 addresses and 1-million-plus DNS names
- Receives reputation data from three sources: public providers, such as SANS; open source providers, including various malware, phishing and botnet communities; and its own threat data, generated from a honeypot network, the ThreatlinQ network and the community of TippingPoint customers
- Aggregates and normalizes these data sources into one coherent database
- Scores database entries (0 to 100) based on threat potential

HP Reputation Digital Vaccine (RepDV)
- An add-on service to HP's TippingPoint NGIPS (next-generation intrusion prevention system)
- Based on data feeds from HP DVLabs
- Automatically updates every two hours

HP Reputation Security Monitor (RepSM)
- An add-on service to HP's ArcSight Enterprise Security Manager SIEM (security information and event management) system
- Based on data feeds from HP DVLabs
- Automatically updates every six hours

HP ArcSight Security Intelligence Platform
- HP's SIEM solution, which offers visibility into security- and compliance-related data across the IT infrastructure
- Enables organizations to identify and respond quickly to security threats, transform big data into security intelligence, and automate compliance
- Collects, stores and analyzes data from any device, any source and in any format, through 350+ connectors
- Closely integrated with HP RepSM for a complete view of security-related data

About ISMG

Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries. This information is used by ISMG's subscribers in a variety of ways: researching a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance-related regulatory guidance, and simply keeping up with the Information Technology Risk Management landscape.

Contact: (800) 944-0401, info@ismgcorp.com
902 Carnegie Center, Princeton, NJ 08540
www.ismgcorp.com