RSA’s First UK Data Security Summit – part 3: Defend with confidence against advanced threats

This talk covered three agenda items, with an obvious focus on RSA Security Analytics.

1. Why / how security investments need to shift

2. Building a SoC

3. Demo of the tool

Obviously I wont be capturing the Demo here, but below are my notes from this presentation;

Advanced threats are different…  Often following a similar set of steps;

– System intrusion – Attack begins – Cover-up discovery leap frog attacks – cover up complete, with the following characteristics;

  • Targeted
  • Stealthy
  • Interactive

How to defend;

  • decrease dwell time (time from successful breach until discovery)
  • speed response time (speed with which attacks are detected, and then remediated once discovered)

Relatively new attack discovered / named last year – ‘Waterholing’ – sit by the waterhole knowing prey will come to them – malicious users take over a site, knowing their targets are likely to visit it and trust it – then wait for them to arrive – malware etc. then delivered to users of the site.

Massive % of security spend currently on prevention, not detection..

71% of organisations have some sort of SoC (wider survey 66%)  most have plans to have one.  The question did cover from just some analysts who do investigations right through full on SoC capabilities.

SoC – level 1 adds, moves and changes, device health etc.

CIRC – manage security incidents, investigate suspicious behaviours, vulnerability analysis, threat management etc.

CIRC – even the specialists need to specialise!!

CIRCs can / should comprise the below 4 areas of responsibility.  Note, a person can have multiple roles, doesn’t need to be 4 people or more for smaller organisation1 – 4 suggested Tiers / areas of responsibility

  1. Front line – initial investigations, containment, triage, 24*7 etc
  2. Advanced tools, tactics and analysis – reverse engineering, host and network forensics, Cause and origin determination
  3. Analysis and tools support – Optimising the CIRC tools and processes; Integration, Content development, Reporting, Alert and Rule creation
  4. Cyber Threat Intelligence – understand the wider environment, analyse threat feeds, awareness of criminal / activist organisations etc.

EMC example – 1046 employees received a clear phishing email about fake wire transfers, 17 clicked on the link, 2 even clicked on the are you sure warning from the EMC gateway!  This sort of investigation should take minutes..  Does it for your organisation?

The maturity Journey – Control – Compliance – IT Risk – Business Risk

  • Your business needs to be moving from at least compliance to IT risk for levels 3 and 4 of the SoC to make sense.
  • Business, then IT risk SHOULD drive your security program and strategy.  Compliance is a byproduct of good security.
  • MSSP (Managed Security Service Provider)  – Make CIRC function more complete and affordable
    • What does it make sense to outsource from the CIRC functions?
      • Start with Tier 1, second most likely threat intelligence (as this can be somewhat stand alone, and an MSSP likely already has good contacts and threat intelligence they can share)
      • Tiers 3 and 4 can be, but these are harder and likely require in depth expertise and knowledge about the internal operation of the organisation.

To assist this organisations need;

  • Comprehensive visibility
    • view, collect and analyse everything
  • Agile analytics
    • efficient analysis and instigation of potential issues
  • Actionable intelligence
    • understand ‘normal’ aid identification and investigation of anomalies.  Make data machine readable
  • Optimised incident management

RSA Security Analytics is designed to meet these needs.  Well there had to be some product focus as it’s an RSA presentation..

My questions;

  • However, where does this fit into the overall business?
    • Can it be used by the wider business in order to offer a business wide solution to log management and analytics?

RSA response – Data is stored in Hadoop style storage so you can write tools to query it. But no there are no plans for them to provide any ops style dashboards and functionality that could be used by the wider IT team and the business.  For me this is a massive gap given the current market for log correlation and analysis type tools.  There is no way a business should want two of these solutions in place with logs shipped to both and all the associated licensing and management that goes with it.  Having two tools also leads to a potential situation where all logs may not get to the security tool and therefore you’ll miss potential threats.

So back to the talk;

RSA Security Analytics provides both a combination of both real time and longer term analytical abilities;

  • real time example – analysing data on the wire for attacks and suspicious behaviour
  • longer term – log on from two different locations – analyse distance between locations and time between logons 

Threat intelligence from feeds and incorporating business context. 

  • Look at all the data, use intelligence to narrow it down to provide a low number of real and useful alerts.

Security analytics demo;

  • Has full data set, can drill down to specific IP addresses, and the behaviour between it and others, identifies hacker tools etc.
  • Integrates with RSA threat feed etc.
  • Identifies high risk file types, windows cli commands etc.
  • Keeps suspicious IP address list from top suspicious IP list.
  • Can make network data back into the real data – e.g. can view emails as the email with cc etc, can view text files and images this looks a bit like man in the middle stuff – recompiles the actual conversation / traffic.
  • Currently a detective / investigative system.

5 take aways things you could do;

  1. Analyse current / goal security spend by prevention, detection and response.
  2. Honestly assess your organisations security maturity.
  3. Expand / build-out SoC/CIRC via on-premise or MSSP (or on premise MSSP).
  4. Invest in breach readiness processes.
  5. Evaluate your security tooling – is it too perimeter / signature based? Does it align with your security strategy and desired posture?

Overall this was a useful talk with quite a few good points and outside of the demo relatively little product and marketing talk.

I am however very disappointed that RSA are intent on keeping Security Analytics 100% focussed on security only.  It’s undoubtedly a good product in this space, but there are other products now that appear to offer similar levels of functionality in this space while also being genuinely good products across ops / application support / business users etc. and also being potentially more flexible and extensible.  Take a look at both Splunk and LogRythm.

K

RSA’s First UK Data Security Summit – part 2: Verizon Data Breach Report 2013

The Verizon Data Breach Report 2013 was publicly released on Tuesday (23rd April).  We were given a world preview and initial review, with the headline of critical findings for business, as one of the key talks during the RSA UK Data Security Summit.

The report can be downloaded from here;

http://www.verizonenterprise.com/DBIR/2013/

How as an organisation can we better understand our threat landscape?

Who gets attacked?Everyone – no one is immune;

  • Finance companies account for 34% of attacks
  • Attacks occur across all verticals and all business sizes
  • We are subject to continuous, non stop attacks
  • 19% of all attacks investigated appear to be state sponsored espionage – this also impacts companies of all sizes!

Who are the attackers?

  • Activists – maximise disruption / cause embarrassment etc.
    • basic, opportunistic, sheer numbers
  • Criminals – financial gain – PII, card details, proprietary business data
    • More calculated and complex, but still often opportunistic, trade information for cash
  • Spies – get exactly what they want – will stick at it until they get what they want much more than the first two.
    • most sophisticated tools (often), most targeted attacks, relentless

What to worry about (what are the trends)?

  • Same as last years
  • 75% breaches – financial motives
  • 95% of espionage used phishing!
  • Don’t ignore well established threats

What do they target (assets)?

  • Desktops 25%, file servers 22%, laptops 22%
  • Unapproved hardware accounts for 43% of misuse cases
  • BYOD / consumerisation has had little impact on the figures so far (maybe due to report being US centric?)

Many data breaches have unintentional element – many attacks focus on perhaps less trained / savvy staff – 46% originated through call centre staff

 69% of breaches spotted by third party (9% were customers)

  • most breaches still not spotted by breached company despite all the log data etc in the company.

Minimal time to attack – 84% of cases attack to compromised data took hours or less.  ~20% took minutes or less!

  • How quickly can you react, how quickly can you find the breach?
  • 66% of cases breaches took months or even years to be discovered!  How much data could be stolen in this time, what could they find out, what would the repetitional damage be?

Most organisations are a target because of what they do;

  • What do you do, and who wants you data?
  • Investigate profiling threat actors.

Recommendations

  • Make security company wide
  • Create better, faster detection – people, process, technology
  • Don’t underestimate tenacity
  • Understand threat landscape

 Security awareness training is still key!

So overall despite the evolving threat landscape, in many ways little has changed..  However. this report is definitely worth a read, and the inclusion of state actors in addition to criminals and activists / hactivists keeps it relevant and an line with reality.

K

RSA’s First UK Data Security Summit – part 1

On Monday I attended RSA’s first UK Data Security Summit at the Barbican.  Unsurprisingly this event had two main focuses;

– ‘Big Data’ – What it is, what it means to businesses and security, and how security can leverage it to look for anomalies and advanced threats.

– Security analytics – The relatively new RSA log correlation and analysis product.

The agenda from RSA was listed as;

  • Big data and the hype
  • The changing threat landscape
    • Cyber criminals, nation states, activists and terrorists
  • Balancing risk of attack and prevention against ability to perform key tasks

As with my recent Splunk Live! post, the below will be relatively unformatted, but hopefully still of use.

The day started with some keynote talks from Art Coviello, Eddie Schwartz and Andrew Rose;

Art Coviello – Intelligence driven security: A new model using big data

Arts’ talk focused on the rapid changes to the IT environment over the last few years, with predictions for the future as well, then moved into the historic and current security  model and what this needs to look like in the future.

70’s – terminals – 1000s users

90’s – PCs – millions users

2010 – Mobile Devices – billions users

Digital content;

2007 – 1/4 Zettabyte

2013 – 2 Zettabytes

2020 – 100 Zettabytes

5* more unstructured than structured data, and growing 3* faster.

Apps;

2007 – web front end apps

2013 – Theres an app for that

2020 – big data apps everywhere..

Devices;

2007 – Smart phones

2013 – dawn of really smart phones and smart phone / tablet ubiquity

2020 – Internet of things (everything from fridges to coke machines as well as all the usual phone / pc / tablet etc devices)

Social media

2007 – MySpace

2013 – Focus on monetizing

2020 – Total consumerisation of social media: absence of privacy..

Perimeter;

2007 – holes

2013 – is there a perimeter?

2020 – no direct control over physical infrastructure..

Threats;

2007 – Complex intrusion attacks

2013 – Disruptive attacks – can’t launch physical attacks over internet yet, but can be very disruptive

2020 – Destructive attacks? with no physical / user interaction required?

Historic security model;

  • Reactive
    • Perimeter based
    • Static / signature based
    • Siloed
      • Firewall, IDS, AV etc – all reactive, don’t play together or support each other

New model;

  • Intelligence driven
    • Risk based
    • Dynamic / agile
    • leveragable / contextual
      • Look for anomolys, be more heuristic / intelligent, work together – correlate events across the enterprise

Impediments to change;

  • Budget inertia: reactive model
    • 70% on prevention (likely more like 80 % in many firms)
    • 20% Detection and monitoring
    • 10% Response
    • Skilled Personel shortage
    • Information sharing at scale – industry groups, sharing data of attacks and breaches etc at ‘wire speed’
    • Technology maturity
      • Some commentary about archer, silver tail etc. RSA has bought or invested in

Look at security maturity model;

  • Stage 1 – Unaware (wish security would go away, install a box to fix it all)
  • Stage 2 – Fragmented (compliance gathering – focus on box ticking to get compliance rather than doing security right)
  • Stage 3 – Top Down (security understood but driven from management down, not yet pervasive)
  • Stage 4 – Pervasive (good security team, work with c-level on budgets etc)
  • Stage 5 – Networked  (working across the business and integrated with the business)

Big data transforms security;

  • Security management
    • Scalable to analyse all data
    • generates a mosaic of information
    • accelerates responsiveness
  • Controls
    • task specific
    • behaviour orientated
    • self learning
  • enables view of attacks in real time

Need this detailed analysis in order to prevent / see sophisticated attacks such as man in the middle and man in the browser

Intelligence driven security needs to be resilient, feed into controls and in and out of GRC stack (grc feeds into and educates controls.  controls feed into GRC to confirm compliance)

 

Eddie Schwartz – Embracing the uncertainty of advanced attacks with big data

Pecota forcasts – analytics platform used by bookies to work out odds one sports / sports players – baseball – movie – money ball.

– ‘big data analytics’ changed the way baseball players were assessed and consequently paid..

Facebook data mines images as well as text on your page to drive targeted advertising

Amazon etc. – preference engine – you bought this, you want these..

* They are information rich and using high quality analytics.  Why are we not using data like this in security?

Why? – too much time having to say yes we are ok, yes we pass xx audit..

Attackers do not have these checklists – they will work hard to breach any opening regardless of whether you are complaint with whatever regulation..

  • Read ‘the signal and the noise‘ – Nate Silver – why so many predictions fail and some don’t.
    • The signal is truth, the noise is what distracts us from the truth.

How much do we really know about our adversaries?

  • Are we researching the tools, techniques and processes of our adversaries
  • Do we know who they are?
  • Insiders, hackers, hactivists, criminal organisations, nation states etc.
  • Do we know what they look like?
    • Old world (SIEM) – finite, rule sets, wait for rule to be breached
    • New world – infinite – unknown unknowns, uncertainty, hackers may look like legitimate users – what signs can we look for to identify them?
  • Do we understand the ‘Kill Chain’ – Prepare, Infect, Interact, Exploit
    • Cost to remediate goes up dramatically as you move along the chain
    • detection sweet spot – when they first exploit / attempt to exploit – they have to reveal themselves, so fast detection here will catch / print before data exfilitration.

Need to move to more spend and more intelligence on ‘internal’ protection / detection / capture – away from the traditional perimeter.

What are your drivers for IT security investment?

34% compliance, 16% audit

ONLY 6% strategy!

Big data transforms security – 4 areas for shift..

  1. Security management
  • Comprehensive visibility – not just event logs – what are my critical processes, what information do I need to see to understand if they are at risk.
  • Actionable intelligence – must be available in a timely manner
  • Agile analytcs – security environment must be able to change as the environment changes – your environment is at least somewhat unique, also threat landscape changes
  • Centralised incident management – can security teams follow an incident from end to end? – many point solutions.. Do logs all go to one place, can they be effectively analysed?

2. Intelligence driven security

    • Ah-hoc – Bystander – End User – Creator; Crawl – Walk – Run – Advanced – World Class
    • Monitoring and detection, incident response, threat intelligence, systems and analytics; Where should we be – risk based – do you need to be world class in everything? Where do we need to focus, what are our risks?
    • Critical Incident Response Centre (CIRC) – Cyber threat intelligence, Advanced tools, tactics and analysis; Critical Incident response team, Advanced specialists

3. Live intelligence

 

  • Threat intelligence, rules, parsers, alerts, feeds, apps, directory services, reports and custom action.
  • Need long term technology, process and architecture plans
  • Visibility, control, governance, intelligence are all interrelated and must be considered as parts of a whole.

4. Risk based authentication

 

  • Active input – username, password, one time password, certificate, out of band, security questions, biometrics
  • access time, access location, geo location by IP, location by access point,
  • What does ‘good behaviours’ look like vas. ‘bad behaviour’; profile behaviour
  • Criminals cannot replicate your unique use profile.
    • Velocity, page sequence, origin, contextual information; velocity, behaviour, parameter injection, man in the middle, man in the browser.

Shift discussion in GRC from meeting compliance regulations to focusing IT and security staff on the key work

  • right assets and processes based on criticality and importance
  • assest intelligence, threat intelligence, event focus, investigations – Analyst prioritisation
    • requires accurate, timely and complete data.
  • read – Big data fuels intelligence driven security – RSA white paper

US – Data sharing bill – both businesses and liberal groups have objected.

  • how to share without compromising privacy.
    • criminals already violating our privacy every day
    • who should protect our privacy – benign government, corporations, criminals?
    • laws protecting customer privacy can make it hard not to breach laws protecting employee privacy in the EU?

 

Andrew Rose – principle analyst – security and risk management – Forester – ‘An external perspective’

Information classification – how mature

  • 26% have a policy that’s widely ignored, 28% have a policy for some data or systems..

The world we live in (largely as previous presentations)

  • Increasingly capable attackers (threat is real – activists, china etc..)
  • Budgets relatively static or slow growth, enough for triage of known issues, not whole treatment and improving security posture.
  • ROI – hard to define / prove – if not breached are we good or just lucky.  No good model seems to exist yet.
  • Yes rather than no security culture – have to work with business and enable – increase risk and complexity to deal with, but not necessarily staff and budget..
  • Competitive recruitment environment
  • Even the best firms have flawed security – e.g. RSA breach – have to prepare to fail!

Forester and IBM reports has IT at the top of the list of most important reasons for business success.

However business and IT (business especially) do not rate the success / competency of IT very highly – not agile, can’t accommodate change, can’t deliver projects on time etc.

 

RSA yearly IT security challenges included;

  • Third highest issue (76%) – changing business priorities
  • Forth (74%) – day to day tasks taking too much time
  • 8th (55%) lack of visibility of security – fixing this one will likely improve other issues at lot.
  • adoption of ISO / cubit etc not helping these keep getting higher up the issues scale

 Business innovation does not slow down because of security threats…

Complexity vs. manual ability – can better analytics help?

Vendors – vendor space is buzzing..

  • security commercialisation is in full swing
    • But what are the differentiators – everyone users the same buzzwords to sell products (e.g. big data, threat intelligence etc.)
  • Disruptors needed
    • need innovation, not re-hash or updates
    • services, not more hardware
  • solutions fragmented
    • how many products required to ‘solve’ security
    • what do I need now
    • what order should I buy them
    • what is the value / roi?
    • how much resource does it take to manage?
    • too many niche products – e.g. IAM, remove admin rights etc.  Need a ‘BIG’ tool / solution, to solve many / most issues and integrate existing products / solutions.

SIEM

5% get great value, 30% have not implemented, 65% get little or limited value

So is Big data the solution?

  • Big data just means lots of high velocity, structured and unstructured data – it is there to be used – so it is what you do that counts with it, not it in its self (my comment, not speakers)
  • supply chain complexity
  • technical complexity
  • internet of things

 

For me same conclusion as before – need something to aggregate and bring all the data together from apps, security tools, systems and then analyse it.  intelligent, fast correlation – look for real connections and real relationships – be mindful of coincidences in the noise.

 

2 books – anti fragile, signal to noise.

Common pitfalls –

  • starting with the data – need context and understanding as well.
  • overlooking the value of metadata.  data tagging increases value of data
  • believing more data is better
    • think simplicity and actionability

 Take away points;

  • Understand and identify your data
    • information classification is key – get this accepted and rolled out across the business
  • Be ‘hypothesis-led’ – think of what you cold do, not just what you know – then see if you can find the data to achieve it
  • Look for business partners for any big data initiative – again – one engines / dwh etc.

I’ll complete my write up of the day shortly, I hope you’re finding it useful.

K

Splunk Live!

I attended the Splunk Live! London event last Thursday.  I am currently in the process of assessing Splunk and it’s suitability as a security SIEM (Security Information and Event Management) tool in addition to general data collection and correlation tool.  During the day I made various notes that I thought I would share, I’ll warn you up front that these are relatively unformatted as they were just taken during the talks on the day.

Before I cover off the day, I should highlight that I use the term SIEM to relate to the process of Security Information and Event Management, NOT SIEM ‘tools’.  Most traditional tools labelled as SIEM as inflexible, do not scale in this world of ‘big data’ and are only usable by the security team.  This for me is a huge issue and waste of resources.  SIEM as a process is performed by security teams every day and will continue to be performed even when using whatever big data tool of choice.

The background to my investigating Splunk is that I believe a business should have a single log and data collection and correlation system that gets literally everything from applications to servers to networking equipement to security tools logs / events etc.  This then means that everyone from Ops to application support, to the business to security can use the same tool and be ensured a view encompassing the entire environment.  Each set of users would have different access rights and custom dashboards in order for them to perform their roles.

From a security perspective this is the only way to ensure the complete view that is required to look for anomalies and detect intelligent APT (Advanced Persistent Threat) type attacks.

Having a single tool also has obvious efficiency, management and economies of scale benefits over trying to run multiple largely overlapping tools.

Onto the notes from the day;

Volume – Velocity – Variety – Variability = Big Data

Machine generated data is one of the fastest growing, most complex and most valuable segments of big data..

 

Real time business insights

Operational visibility

Proactive monitoring

Search and investigation

Enables move from ‘break fix’ to real time operations insight (including security operations). 

GUI to create dashboards – write quires and select how to have them displayed (list, graph, pie chart etc.) can move things around on dashboard with drag and drop.

Dev tools – REST API, SDKs in multiple languages.

More data in = more value.

My key goal for the organisation – One log management / correlation solution – ALL data.  Ops (apps, inf, networks etc.) and Security (inc PCI) all use same tool with different dashboards / screens and where required different underlying permissions.

Many screens and dashboards available free (some like PCI and Security cost)  dashboards look and feel helps users feel at home and get started quickly – e.g. VM dashboards look and feel similar to VMware interface.

another example – windows dashboard – created by windows admins, not splunk – all the details they think you need.

Exchange dashboard – includes many exchange details around message rates and volumes etc, also includes things like outbound email reputation

VMware – can go down to specific guests and resource use, as well as host details. (file use, CPU use, men use etc.)

Can pivot between data from VMware and email etc. to troubleshoot the cause of issues.

These are free – download from spunkbase

Can all be edited if not exactly what you need, but are at least a great start..

Developers – from tool to platform – can both support development environments and be used to help teach developers how to create more useful log file data.

Security and Compliance – threat levels growing exponentially – cloud, big data, mobile etc. – the unknown is what is dangerous – move from known threats to unknown threats..

Wired – the internet of things has arrived, and so have massive security threats

Security operations centre, Security analytics, security managers and execs

  • Enterprise Security App – security posture, incident review, access, endpoint, network, identity, audit, resources..

Look for anomalies -things someone / something has not done before

  • can do things like create tasks, take ownership of tasks, report progress etc.
  • When drilling down on issues has contextual pivot points – e.g right click on a host name and asset search, google search, drill down into more details etc.
  • Even though costs, like all dashboards is completely configurable.

Splunk App for PCI compliance – Continuous real time monitoring of PCI compliance posture, Support for all PCI requirements (12 areas), State of PCI compliance over time, Instant visibility on compliance status – traffic lights for each area – click to drill down to details.

  • Security prioritisation of in scoop assets
  • Removes much of the manual work from PCI audits / reporting

Application management dashboard

  • spunk can do math – what is average stock price / how many users on web site in last 15 minutes etc.
  • Real time reporting on impact of marketing emails / product launches and changes etc.
  • for WP – reporting on transaction times, points of latency etc – enable focus on slow or resource intensive processes!
  • hours / days / weeks to create whole new dashboards, not months.

Links with Google earth – can show all customer locations on a map – are we getting connections from locations we don’t support, where / what are our busiest connections / regions.

Industrial data and the internet of things; airlines, medical informatics (electronic health records – mobile, wireless, digital, available anywhere to the right people – were used to putting pads down, so didn’t get charged – spunk identified this).

Small data, big data problem (e.g. not all big data is a actually a massive data volume, but may be complex, rapidly changing, difficult to understand and correlate between multiple disparate systems).

Scale examples;

Barclays – 10TB security data year.

HPC – 10TB day

Trading 10TB day

VM – >10TB year

All via splunk..

DataShift – Social networking ‘ETL’ with spunk. ~10TB new data today

Afternoon sessions – Advanced(isn) spunk..

– Can create lookup / conversion tables so log data can be turned into readable data (e.g. HTTP error codes read as page not found etc. rather than a number)  This can either be automatic, or as a reference table you pipe logs through when searching.

– As well as GUI for editing dashboards, you can also directly edit the underlying XML

– Can have lots of saved searches, should organise them into headings or dashboards by use / application or similar for ease of use.

– Simple and advanced XML – simple has menus, drop downs, drag and drop etc.  Advanced required you to write XML, but is more powerful.  Advice is to start in simple XML, get layout, pictures etc sorted, then convert to advanced XML if any more advanced features are require.

– Doughnut chart – like a pie chart with inside and outside layers – good if you have a high level grouping, and a lower level grouping – can have both on one chart.

– Can do a rolling, constantly updating dashboard – built in real time option to refresh / show figures for every xx minutes.

High Availability

  • replicate indexes
    • gives HA, gives fidelity, may speed up searches

Advanced admin course;

http://www.splunk.com/view/SPCAAAGNF

Report acceleration

  • can accelerate a qualifying report – more efficiently run large reports covering wide date ranges
  • must be in smart or fast mode

Lots of free and up to date training is available via the Splunk website.

Splunk for security

Investigation / forensics – Correlation, fast to root cause, look for APTs, investigate and understand false positives

Splunk can have all original data – use as your SIEM – rather than just sending a subset of data to your SIEM

Unknown threats – APT / malicious insider

  • “normal” user and machine data – includes “unknown” threats
  • “security” data or alerts from security products etc.  “known” security issues..   Misses many issues

Add context  – increases value and chance of detecting threats.  Business understanding and context are key to increasing value.

Get both host and network based data to have best chance of detecting attacks

Identify threat activity

  • what is the modus operandi
  • who / what are most critical people and data assets
  • what patterns and correlations of ‘weak’ signals in normal IT activities would represent abnormal activity?
  • what in my environment is different / new / changed
  • what deviations are there from the norm

Sample fingerprints of an Advanced Threat.

Remediate and Automate

  • Where else do I see the indicators of compromise
  • Remediate infected systems
  • Fix weaknesses, including employee education
  • Turn the Indicators of Compromise into real time search to detect future threats

– Splunk Enterprise Security (2.4 released next week – 20 something april)

– Predefined normalisation and correlation, extensible and customisable

– F5, Juniper, Cisco, Fireeye etc all partners and integrated well into Splunk.

Move away from talking about security events to all events – especially with advanced threats, any event can be a security event..

I have a further meeting with some of the Splunk security specialists tomorrow so will provide a further update later.

Overall Splunk seems to tick a lot of boxes and looks certainly taps into the explosion of data we must correlate and understand in order to maintain our environment and spot subtle, intelligent security threats.

K

 

Requirements of a good Security Operations Centre

I have recently been thinking about and reading up on how to improve Security Operations Centres (SOC) to meet the constantly evolving environment and threat landscape in which we operate.  There are obviously many tools that are required from Network Monitoring to IPS (Intrusion Prevention System) to Log Collection and Correlation systems to Auditing and File Integrity Monitoring.

This post will however briefly cover the ‘soft’ side of the SOC and three key skills / processes that there seems to be agreement are required for a SOC to be effective and forward looking.

The first of these is understanding the business and business systems in detail and being able to put any event in the context of the business.  Which systems are affected?  Which business processes does this impact?  What is the relative priority?  This means the team needs to understand more than just vulnerability x and y and their generic severity rating.  They must understand your business context and be able to effectively relate events to this.  Tools can also help here in terms of event correlation and scale of the issue, this is where the new breed of ‘big data’ real time analysis and correlation tools such as Splunk, Palantir, or Security Analytics.

The second key skill / process is that of effective incident handling. This must again focus on your specific business and the priorities in case of an event, such as evidence gathering, escalation, keeping services running, regulatory requirements.  The event must be related to these factors with an understanding of it’s impacts to your business.  The more effective and streamlined this process can be, the lower the impact will be when the inevitable issues from virus infections to ful scale breaches occur.

The third key area is around business processes.  Any process that involves users of the companies system will likely be key attack vectors.  Technology can’t ever stop all attacks – this is why social engineering is still the number 1 way any attackers gain a foothold in most environments.  The security team must work with the business to perform threat assessment and modelling sessions to understand the attack vectors and work with the users to minimise or mitigate them.  Solid user training, awareness and engagement will also help here.

Attackers who want to get into your system for whatever reason from financial gain to hacktivism are constantly changing and improving their game.  We need to work hard to keep up and keep them out or at least contained.  A well formed and smoothly functioning SOC that is closely aligned to the business is a key part of any organisations defence.

K

Using passwords for authentication

Recently when researching form my Masters project I came across some studies about users and password use.  I think we now know that passwords should be dead and replaced / augmented by something better such as two factor authentication using token or biometrics.  However many systems still rely on usernames and passwords.

In terms of business, in order to improve security many companies now add two-factor authentication when logging in remotely so the user enters their username, some sort of pin or password and a value from a hardware or software token.  This helps with the issues around passwords when remotely logging into systems such as when working from home, it does nothing to improve the security of logging in with just a username / password in the office.

The traditional assumption has been that it is OK to use just username / password when logging in from a more secure location such as the office when you are already connected to the trusted network.  Assuming your business uses modern operating systems that employ salted hashes for any password storage or transmission the issue it not with someone malicious managing to ‘sniff’ the password while it is in transit, or getting hold of the password store.  However what of the users who use the same password for multiple systems?  If your users log into insecure web sites using the same or very similar passwords to those they use to log into the secure business systems?

Studies have shown that nearly all users re-use passwords.

In addition users will tend to use the least complex, easiest to remember password possible – so while your businesses chosen level of complexity may have a password space of xxxxx passwords, the users passwords may actually tend to occupy a much smaller space, or be easy to guess despite meeting the password complexity requirements.

People will also tend to write down passwords that are too difficult to remember easily.

So I’d strongly recommend moving away from just relying on passwords and utilize some form of multi-factor authentication even within the office environment.  This is not as difficult as it may sound – most (all?) modern operating systems support multi-factor authentication out of the box.

If you cannot move away from just relying on passwords then a use education program is a must.  A good password is not just a complex one, it must combine complexity and being difficult to crack with also being easy to remember for the user.  If users can understand both the password policy and the rational for that, along with ways to come up with strong passwords that are easy for them to remember this will lead to a more secure environment.

Interestingly, we again come around to user education and training being a key component of a defense in depth security strategy.

K