Business white paper
Mission-critical defense: Creating a coordinated response to application security attacks
Table of contents
Your business is under persistent attack
Respond to those attacks seamlessly
Run-time application monitoring
Real-time event correlation
Next-generation intrusion prevention
See risk before it sees you
The intelligent approach
HP Services
Your business is under persistent attack

Attackers don't work in silos. And, if you want to defend against them, your defenses can't be siloed, either. The teams, tools, and solutions you use in the response must be quick, decisive, and adaptive. Disparate teams must come together; information must be shared; and it all must happen in near real time. It is our belief that a solution should be greater than the sum of its parts, so we crafted solutions that can be combined to deliver threat intelligence, software security, network security, encryption, and real-time security information and event management that bridge functional and technological divides.

Picture this scenario:

1. A malicious user attempts a SQL injection attack against an online application.
2. Run-time application monitoring detects the malicious behavior and alerts a security information and event management (SIEM) solution.
3. The SIEM's real-time correlation engine prioritizes the event based upon multiple data points and initiates the incident response workflow.
4. A command is sent to an IPS to block the attack, a help desk ticket is opened, and the situational awareness dashboard is updated.
5. The IPS notifies the SIEM when complete; the SIEM closes the ticket and updates the dashboard.
6. Security activity is rolled up into executive-level, business-focused risk and compliance reports and dashboards.

Figure 1: Cyber security risks (attack counts by year, 2009 to 2011, for PHP file include, SQL injection, and cross-site scripting)

It is, therefore, completely logical to conclude that web applications must be monitored in real time for malicious behavior, but the devil is in the details. Most applications only log events that are focused on application performance, availability, and debugging. Considering how dependent businesses are on their ability to serve customers quickly and frustration-free, that makes sense.
But how can you tell when the bad guys are trying to misuse your application? Are there development cycles to build in security logging? Does R&D understand what the information security team finds of value? What if you could get the logging functionality from outside the application, without changing the application code?

Response to any cyber-attack needs to be seamless and immediately effective. Today's mission-critical web apps demand it. Web applications provide the greatest attack surface and are the favorite point of entry in most breaches, and that shouldn't be surprising. Development life cycles have dropped from years to months as businesses strive to outperform their competition. Unfortunately, this means that secure code within applications tends to be a nice-to-have rather than a must-have. When an application is released to production, all too often known vulnerabilities are granted exceptions to meet a rigorous release schedule rather than delaying the release to remedy them. This means that tried and true attack vectors remain open to the bad guys. For example, HP DVLabs reported a more than 300% increase in SQL injection attacks between 2010 and 2011 in its 2011 Cyber Security Risks Report, as shown in Figure 1.
Figure 2: HP Enterprise Security Products (network security, information security, application security, cloud security; SOC/NOC collaboration, IT risk and compliance, regulatory compliance, adaptive threat defense, fraud monitoring, real-time application security, real-time threat intelligence, IPS reporting engine)

Respond to those attacks seamlessly

Mitigating risks in today's hybrid environments requires security and compliance solutions that can defend against advanced threats, even threats you don't yet realize are out there. By combining market-leading products from ArcSight, Fortify, and TippingPoint, you get advanced correlation, application protection, and network defense technology to protect today's applications and IT infrastructures from sophisticated cyber threats.

Run-time application monitoring

Detecting irregular application user behavior

HP Fortify technology provides real-time web application monitoring and response with no need to modify your applications, because application event logs are not required: we provide the logging. By monitoring API calls, we record application authentication events, watch for malicious user activity, and so on, for both real-time monitoring and historical analysis. We also check that the data supplied matches the type of data the application expects. When a user submits a database query in a name field, for example, it is obvious that a SQL injection attack is being attempted. An event is sent to the SIEM and the incident response flow is initiated.

Powerful in and of itself, application monitoring combined with real-time SIEM event correlation adds vital context to behavior throughout the network.

Real-time event correlation

Security information and event management (SIEM) correlation is about much more than linking event A to event B. It must add contextual elements such as geography, user rights and roles, historical context, business context, threat intelligence feeds, and so on to realize its true value.
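The run-time monitoring check described above (a database query arriving in a field that expects a name), as an added example. This is illustration code written for this page, not HP Fortify's implementation: the field type table, the `Example|AppMonitor` vendor and product strings, and the sample requests are constructed. The output is formatted as CEF, the Common Event Format that ArcSight accepts, so the event can go straight to the SIEM.

```python
import re

# Expected data type of each monitored parameter. Constructed for this
# example; a real run-time monitor would derive it from the API calls the
# application makes (which parameter ends up in which query, and so on).
FIELD_TYPES = {"name": "name", "zip": "digits", "email": "email"}

# What well-formed input looks like for each type. A name may legitimately
# contain an apostrophe (O'Brien), so a quote by itself is not an attack.
WELL_FORMED = {
    "name": re.compile(r"^[A-Za-z][A-Za-z .'\-]{0,63}$"),
    "digits": re.compile(r"^\d{5}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}

# SQL syntax that has no business appearing in a name or a ZIP code.
SQL_TOKENS = re.compile(
    r"(--|;|/\*|\bunion\b|\bselect\b|\bdrop\b|\bor\b\s+\S+\s*=\s*\S+|'\s*(or|and)\b)",
    re.IGNORECASE,
)


def classify(field, value):
    """Return None for expected input, otherwise the kind of anomaly seen."""
    expected = FIELD_TYPES.get(field)
    if expected is None:
        return None  # parameter not monitored
    if WELL_FORMED[expected].match(value):
        return None
    if SQL_TOKENS.search(value):
        return "sql_injection_attempt"
    return "unexpected_input"


def _hdr(s):
    """CEF header fields escape backslash and pipe."""
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _ext(s):
    """CEF extension values escape backslash and equals; newlines are flattened."""
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\r", " ").replace("\n", " ")


def to_cef(signature, name, severity, extension):
    """Build one CEF:0 line (ArcSight's Common Event Format). Vendor/product are made up."""
    ext = " ".join("%s=%s" % (k, _ext(str(v))) for k, v in extension.items())
    return "CEF:0|Example|AppMonitor|1.0|%s|%s|%d|%s" % (
        _hdr(signature), _hdr(name), severity, ext)


def monitor(request):
    """Inspect one request and return the CEF events it should raise (possibly none)."""
    events = []
    for field, value in request["params"].items():
        verdict = classify(field, value)
        if verdict is None:
            continue
        severity = 9 if verdict == "sql_injection_attempt" else 4
        events.append(to_cef(verdict, verdict.replace("_", " "), severity, {
            "src": request["src"],
            "suser": request.get("user", "anonymous"),
            "request": request["path"],
            "cs1Label": "field", "cs1": field,
            "cs2Label": "value", "cs2": value,
        }))
    return events


# Constructed sample traffic (TEST-NET addresses), not captured data.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.8", "path": "/account/update", "user": "obrien",
     "params": {"name": "Alice O'Brien", "zip": "02139"}},
    {"src": "203.0.113.7", "path": "/account/update", "user": "guest",
     "params": {"name": "x' OR 1=1--",
                "zip": "1' UNION SELECT password FROM users--"}},
    {"src": "198.51.100.9", "path": "/account/update", "user": "pat",
     "params": {"zip": "12A45"}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for line in monitor(req):
            print(line)
```

A lone apostrophe in a name is accepted; only input that is both malformed for its declared type and carries SQL syntax raises the severity-9 event. Malformed input without SQL syntax is still reported, at low severity, so the SIEM sees the typo noise separately from the attack signal.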
For instance, a VPN login and a badge swipe at a data center may seem like innocuous occurrences. But what if the user account for the VPN session and the badge number used to get into the data center belong to the same person? He can't be in two places at once. Would you know if a disabled user was still accessing your sensitive data? Would you know if your vital business systems were slowly leaking information to remote command and control servers? Your SIEM should give you the answers to these questions and so much more.
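The three questions above, answered in code as an added example that is not ArcSight's rule language or correlation engine: a small rule set that joins events from a VPN concentrator, badge readers, a file server, and flow records against identity and business context. The directory, the badge-to-user mapping, the sensitivity list, the thresholds, and the events themselves are all constructed for this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# Constructed identity context. A SIEM pulls this from the directory and the
# badge system; it is what turns "a VPN login and a badge swipe" into
# "the same person in two places at once".
DIRECTORY = {
    "jdoe":   {"badge": "B1001", "status": "active"},
    "msmith": {"badge": "B1002", "status": "disabled"},
    "rlee":   {"badge": "B1003", "status": "active"},
}
BADGE_TO_USER = {v["badge"]: user for user, v in DIRECTORY.items()}
SENSITIVE = {"finance-share", "hr-db"}  # business context: what counts as sensitive


def when(event):
    return datetime.fromisoformat(event["ts"])


def rule_impossible_presence(events, window=timedelta(minutes=30)):
    """A remote VPN session and a data-center badge swipe by one person inside `window`."""
    alerts = []
    swipes = [e for e in events if e["type"] == "badge_swipe"]
    for v in (e for e in events if e["type"] == "vpn_login"):
        for b in swipes:
            same_person = BADGE_TO_USER.get(b["badge"]) == v["user"]
            if same_person and abs(when(v) - when(b)) <= window:
                alerts.append({"rule": "impossible_presence", "user": v["user"],
                               "vpn_src": v["src"], "door": b["door"]})
    return alerts


def rule_disabled_account_access(events):
    """A disabled account touching sensitive data: nobody should be using it at all."""
    return [{"rule": "disabled_account_access", "user": e["user"], "resource": e["resource"]}
            for e in events
            if e["type"] == "file_access" and e["resource"] in SENSITIVE
            and DIRECTORY.get(e["user"], {}).get("status") == "disabled"]


def rule_beaconing(events, min_connections=6, max_jitter_s=30.0):
    """One host talking to one external destination at near-regular intervals."""
    by_pair = defaultdict(list)
    for e in events:
        if e["type"] == "netflow":
            by_pair[(e["src"], e["dst"])].append(when(e))
    alerts = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:  # regular cadence is the tell, not volume
            alerts.append({"rule": "beaconing", "src": src, "dst": dst,
                           "period_s": round(sum(gaps) / len(gaps))})
    return alerts


def correlate(events):
    """Run every rule over one batch of events from all sources."""
    return (rule_impossible_presence(events)
            + rule_disabled_account_access(events)
            + rule_beaconing(events))


# Constructed events from four sources: VPN concentrator, badge readers,
# file server, and flow records (TEST-NET addresses). Not captured data.
_BEACON_START = datetime(2012, 10, 3, 10, 0, 0)
SAMPLE_EVENTS = [
    {"type": "vpn_login", "ts": "2012-10-03T09:02:00", "user": "jdoe", "src": "198.51.100.23"},
    {"type": "badge_swipe", "ts": "2012-10-03T09:10:00", "badge": "B1001", "door": "DC1-cage-4"},
    {"type": "vpn_login", "ts": "2012-10-03T07:15:00", "user": "rlee", "src": "198.51.100.40"},
    {"type": "badge_swipe", "ts": "2012-10-03T13:45:00", "badge": "B1003", "door": "DC1-cage-4"},
    {"type": "file_access", "ts": "2012-10-03T09:30:00", "user": "msmith", "resource": "finance-share"},
    {"type": "file_access", "ts": "2012-10-03T09:31:00", "user": "jdoe", "resource": "finance-share"},
] + [
    # eight small connections roughly every ten minutes, a few seconds of jitter
    {"type": "netflow", "src": "10.0.5.17", "dst": "192.0.2.44", "bytes": 412,
     "ts": (_BEACON_START + timedelta(minutes=10 * i, seconds=jitter)).isoformat()}
    for i, jitter in enumerate([3, 7, 2, 8, 5, 6, 1, 3])
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

None of the three sources is suspicious on its own; the alerts come entirely from the context joined in (who owns which badge, which accounts are disabled, which shares matter) and from timing. The beacon rule keys on the regularity of the interval rather than on byte counts, which is what makes a slow leak visible.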
HP ArcSight consumes event data from hundreds of off-the-shelf and custom network devices, operating systems, databases, identity management solutions, anti-virus and vulnerability scanners, malware detection solutions, and the list goes on. The sea of event data generated by all of those sources is passed through the real-time correlation engine, pinpointing anomalous behavior, malicious insiders, advanced persistent threats, and myriad other threats to your organization. From disparate data sources, seemingly unrelated data points coalesce into a clear image of your security landscape. Now add web application monitoring during run time and you have visibility into your web application users' behavior, in context with your overall security posture.

Situational awareness

Once the SQL injection attack attempt event is received, the power of the SIEM is brought to bear. Automated responses, workflow, and notifications are initiated. Situational awareness dashboards are updated, giving the security operations center a real-time view of the most pressing security events.

Response

The SIEM may take actions via third-party systems, such as an IPS, as automated responses to a triggered correlated event, and/or an action may be initiated manually through a simple right-click menu in the operator console. These third-party actions may be initiated by direct integration, APIs, or even a custom script. The SIEM dynamically passes vital event data points such as source IP address, port information, user data, and similar information that the third-party system requires to execute the action.

Workflow

Response teams are alerted via text, email, and/or screen pop-ups, and automated escalation timers are engaged so a missed text doesn't fall through the cracks. Cases are opened and assigned to the appropriate owners while service level agreements are tracked in real time. Tickets may be automatically created in a help desk system and tracked within the SIEM workflow.
If an investigation is particularly sensitive, the case may be opened and kept solely within the SIEM. Key data points about the event, such as the attacker's IP address, user name, and other event data, are dynamically added to watch lists in order to correlate events from other network and application sources and detect whether the same attacker may be trying a different tack. These lists are also used to detect future events from known-bad users, devices, IP spaces, countries of concern, and so on. Dynamic priority escalation and reduction ensure event priorities are current and relevant.

Figure 3: HP ArcSight real-time dashboard
Figure 4: Workflow case management dashboard

Next-generation intrusion prevention

The most secure network is one that is powered off and disconnected, but that approach isn't particularly conducive to your business. The question then becomes: "How do I protect my network from malicious users without interfering with legitimate business?" Network response must be intelligent, coordinated, and flexible. HP TippingPoint delivers network security through centrally managed intrusion prevention systems (IPS), firewalls, and a world-class threat research lab, HP DVLabs.

The IPS in action

The HP TippingPoint intrusion prevention system intelligently analyzes event data to determine an appropriate response, including:

1. Quarantine
2. Redirection to a remediation page or a secure VLAN
3. Forced removal from a network switch
4. IP/MAC correlation for Layer 2 and Layer 3 monitoring and response
5. Generation of a syslog, SNMP, and/or email event for real-time correlation, response team notification, and to initiate remediation through a network management system

Explicit responses may also be called from the HP ArcSight SIEM in order to direct a specific action in response to a specific correlation event. Malicious behavior must be stopped, and stopped quickly, so the SIEM sends a command to trigger an IPS quarantine of the offending source. A network-wide quarantine command is sent to all of the IPS devices so that every entry point is covered should the attacker try another avenue. While the device is capable of taking direct action, the option is available to integrate with a network management system to channel remediation actions through that system and for change management tracking. The IPS will notify the SIEM of the actions it has taken so that the workflow and situational dashboards may be updated accordingly in real time.
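The situational awareness, response, workflow, and watch-list behavior described in the preceding sections, together with the network-wide quarantine and the IPS acknowledgment, modeled as an added example that is not ArcSight or TippingPoint code: a toy SIEM that opens a case, puts the source on a watch list, dispatches quarantine commands carrying the fields the IPS needs, escalates when the same source shows up from another sensor, lowers the priority of idle cases, and closes out only when every IPS has acknowledged. The device names, thresholds, watch-list TTL, and events are assumptions made for this page.

```python
import itertools
from datetime import datetime, timedelta

IPS_DEVICES = ["ips-dmz-1", "ips-core-1"]  # constructed device names


class Siem:
    """Toy SIEM workflow: watch list, dynamic priority, response dispatch, case closure."""

    def __init__(self, watch_ttl=timedelta(hours=24), auto_block_at=8):
        self.watch_ttl = watch_ttl
        self.auto_block_at = auto_block_at  # priority at which response is automatic
        self.watchlist = {}   # source ip -> (expiry, case id)
        self.cases = {}       # case id -> case record
        self.outbox = []      # commands sent to third-party systems (IPS, help desk)
        self.dashboard = []   # state changes in order, newest last
        self._ids = itertools.count(1)

    @staticmethod
    def _when(event):
        return datetime.fromisoformat(event["ts"])

    def _expire(self, now):
        stale = [ip for ip, (expiry, _) in self.watchlist.items() if expiry <= now]
        for ip in stale:
            del self.watchlist[ip]

    def priority(self, event):
        """Device severity, escalated by three when the source is already on the watch list."""
        self._expire(self._when(event))
        p = event["severity"] + (3 if event["src"] in self.watchlist else 0)
        return max(0, min(10, p))

    def ingest(self, event):
        """Correlate one event; returns the case it belongs to, or None if it is log-only."""
        now, src, prio = self._when(event), event["src"], self.priority(event)
        if src in self.watchlist:
            # known-bad source trying a different tack: attach to the open case and escalate
            case = self.cases[self.watchlist[src][1]]
            case["events"].append(event)
            case["priority"] = max(case["priority"], prio)
            case["last_seen"] = now
            self.dashboard.append(("case_updated", case["id"], case["priority"]))
            return case
        if prio < self.auto_block_at:
            return None
        case = {"id": next(self._ids), "src": src, "priority": prio, "status": "open",
                "events": [event], "last_seen": now, "pending": set(IPS_DEVICES)}
        self.cases[case["id"]] = case
        self.watchlist[src] = (now + self.watch_ttl, case["id"])
        for device in IPS_DEVICES:  # network-wide quarantine, every entry point
            self.outbox.append({"system": "ips", "device": device, "action": "quarantine",
                                "src": src, "case": case["id"], "reason": event["sig"]})
        self.outbox.append({"system": "helpdesk", "action": "open", "case": case["id"],
                            "summary": "%s from %s" % (event["sig"], src)})
        self.dashboard.append(("case_opened", case["id"], prio))
        return case

    def ips_ack(self, device, case_id, ts):
        """An IPS reports completion; once every device has answered, close the case out."""
        case = self.cases[case_id]
        case["pending"].discard(device)
        if not case["pending"] and case["status"] == "open":
            case["status"], case["closed_at"] = "closed", ts
            self.outbox.append({"system": "helpdesk", "action": "close", "case": case_id})
            self.dashboard.append(("case_closed", case_id, case["priority"]))
        return case["status"]

    def decay(self, ts, idle=timedelta(hours=4)):
        """Priority reduction: an open case with no new events for `idle` drops one point."""
        now = datetime.fromisoformat(ts)
        for case in self.cases.values():
            if case["status"] == "open" and now - case["last_seen"] >= idle:
                case["priority"] = max(0, case["priority"] - 1)


# Constructed events: the SQL injection alert from the application monitor, then
# a firewall event from the same source, then an unrelated low-severity event.
SAMPLE_EVENTS = [
    {"ts": "2012-10-03T09:02:10", "source": "app-monitor", "sig": "sql_injection_attempt",
     "severity": 9, "src": "203.0.113.7"},
    {"ts": "2012-10-03T09:02:40", "source": "firewall", "sig": "port_scan",
     "severity": 3, "src": "203.0.113.7"},
    {"ts": "2012-10-03T09:03:00", "source": "firewall", "sig": "port_scan",
     "severity": 3, "src": "198.51.100.5"},
]

if __name__ == "__main__":
    siem = Siem()
    for event in SAMPLE_EVENTS:
        siem.ingest(event)
    for device in IPS_DEVICES:
        siem.ips_ack(device, 1, "2012-10-03T09:02:15")
    for command in siem.outbox:
        print(command)
    print(siem.dashboard)
```

Two details matter operationally. The quarantine command carries the source address, the case number, and the reason, which is the minimum an IPS or a network management system needs to act and to reconcile the change later. And the watch-list entry outlives the case: a source that returns tomorrow from a different sensor still arrives pre-escalated, which is the "different tack" detection the text describes.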
See risk before it sees you

IT security seen in the context of the business provides you the intelligence to allocate budget and resources to mitigate risks as efficiently and as effectively as possible. HP EnterpriseView maps IT devices to the business services those devices support and then aggregates metrics from risk modeling, regulatory and policy compliance state, SIEM event statistics, system and application vulnerability scans, and security configuration management systems to calculate risk scores from the very top of the organization down through every level to the individual systems. Risk calculations also factor in the business criticality of your different services to help you focus your efforts where they are most impactful.

Figure 5: Risk management dashboard

Is my online shopping application vulnerable to this type of attack? Are the online shopping servers configured per best practices? What are the potential impacts to areas such as revenue, reputation, safety, regulatory compliance, and so on if this type of attack is successful? Knowing the answers to these questions will help you decide how best to improve your defenses. For example, it may be more impactful to invest in additional network security now while working to update the application development process over time. Key performance indicators and trending keep you informed of how effective your risk mitigation and compliance efforts are over the near and long term.

Security in context

Event statistics from the SIEM are pulled, by default, every hour and are mapped to the devices in the risk management database. SIEM event priority scores are also pulled with the event statistics; the default scores may be used as-is or weighted in a way that makes the most sense in your environment. SIEM event statistics are included in the risk calculations in order to add a security element to the overall risk picture.
If there is a sudden uptick in security events targeting your online shopping infrastructure, the overall risk score increases.
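The hourly roll-up described in this section, as an added example that is not EnterpriseView's scoring model: a device score built from vulnerability counts, configuration compliance, and priority-weighted SIEM event counts, rolled up through business services (scaled by criticality) into a single organization score. The service map, the metric weights, the squashing function, and the two hourly snapshots are all constructed for this page so that the uptick case can be checked.

```python
# Constructed business-service model: what a device-to-service mapping holds
# for one online shop and one low-value internal service.
SERVICES = {
    "online-shopping": {"criticality": 1.0, "devices": ["web-01", "web-02", "db-01"]},
    "intranet-wiki":   {"criticality": 0.3, "devices": ["wiki-01"]},
}

# Relative weight of each metric family in a device score (assumed; tune per site).
WEIGHTS = {"vulns": 0.35, "config": 0.25, "events": 0.40}

# Default weighting of SIEM priorities 0..10; override to match your environment.
DEFAULT_PRIORITY_WEIGHT = {p: p / 10.0 for p in range(11)}


def bounded(x, half):
    """Squash a count onto 0..1 with diminishing returns; `half` maps to 0.5."""
    return x / (x + half)


def device_score(m, priority_weight=DEFAULT_PRIORITY_WEIGHT):
    """0..100 risk for one device from vulnerabilities, configuration and hourly SIEM stats."""
    vulns = bounded(3 * m["critical_vulns"] + m["high_vulns"], 4.0)
    config = 1.0 - m["config_compliance"]  # 0.9 compliant -> 0.1 risk
    weighted_events = sum(count * priority_weight[p]
                          for p, count in m["events_last_hour"].items())
    events = bounded(weighted_events, 20.0)
    return 100 * (WEIGHTS["vulns"] * vulns
                  + WEIGHTS["config"] * config
                  + WEIGHTS["events"] * events)


def service_score(name, metrics):
    """Worst device dominates, the others still count; then scaled by business criticality."""
    svc = SERVICES[name]
    scores = [device_score(metrics[d]) for d in svc["devices"]]
    return svc["criticality"] * (0.7 * max(scores) + 0.3 * sum(scores) / len(scores))


def organization_score(metrics):
    """Top of the tree: criticality-weighted mean of the service scores."""
    total = sum(s["criticality"] for s in SERVICES.values())
    return sum(service_score(n, metrics) for n in SERVICES) / total


# Constructed hourly snapshot, then the same hour with a burst of priority-8 events
# (for instance, SQL injection attempts) against web-01.
BASELINE = {
    "web-01":  {"critical_vulns": 0, "high_vulns": 2, "config_compliance": 0.90, "events_last_hour": {5: 3}},
    "web-02":  {"critical_vulns": 0, "high_vulns": 2, "config_compliance": 0.95, "events_last_hour": {}},
    "db-01":   {"critical_vulns": 1, "high_vulns": 0, "config_compliance": 0.80, "events_last_hour": {}},
    "wiki-01": {"critical_vulns": 0, "high_vulns": 5, "config_compliance": 0.60, "events_last_hour": {2: 4}},
}
UPTICK = dict(BASELINE)
UPTICK["web-01"] = dict(BASELINE["web-01"], events_last_hour={8: 40, 5: 3})

if __name__ == "__main__":
    for label, snapshot in (("baseline", BASELINE), ("uptick", UPTICK)):
        print(label, round(organization_score(snapshot), 1),
              {n: round(service_score(n, snapshot), 1) for n in SERVICES})
```

The wiki host is in worse shape than any shop server on vulnerabilities and configuration alone, but its low criticality keeps it from dominating the organization score; the burst of high-priority events against web-01 moves the online-shopping service, and with it the top-level number, which is the behavior the text describes.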
The intelligent approach

The threats that you face are complex, and your defenses must be adaptive, integrated, and up to date with the latest threat intelligence. You also must know what all of this means to your business as a whole. HP ESP gives you a top-to-bottom view of the activity occurring in your organization right now, and for historical analysis, through coordinated monitoring and response at the user, application, system, and network layers. Rolling all of this information into a business-focused view gives you the decision intelligence you need to help you move from responding in the here and now to preparing for the future.

Figure 6: HP Enterprise Security solution

About HP Enterprise Security

HP is a leading provider of security and compliance solutions for the modern enterprise that wants to mitigate risk in its hybrid environment and defend against advanced threats. Based on market-leading products from HP ArcSight, HP Fortify, and HP TippingPoint, the HP Security Intelligence Platform uniquely delivers the advanced correlation, application protection, and network defenses to protect today's hybrid IT infrastructure from sophisticated cyber threats.

HP Services

HP ESP Global Services take a holistic approach to building and operating cyber security and response solutions and capabilities that support the cyber threat management and regulatory compliance needs of the world's largest enterprises. We use a combination of operational expertise, yours and ours, and proven methodologies to deliver fast, effective results and demonstrate ROI. Our proven, use-case-driven solutions combine market-leading technology with sustainable business and technical processes executed by trained and organized people. Learn more about HP ESP Global Services at hpenterprisesecurity.com.

For more information

To read more about HP Enterprise Security Products, go to hpenterprisesecurity.com.
Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. 4AA4-3918ENW, Created October 2012