It’s not about adding another data source…
…it’s what you do with it that counts!
The New York Times Bits blog devoted 700 words to IBM’s announcement earlier this week that it has now managed to connect its newly acquired QRadar SIEM platform to its X-Force database. While this is news for IBM and QRadar customers it is, perhaps, less relevant for organizations that aren’t exclusively ‘Big Blue’.
The same piece states, “Businesses spend billions of dollars each year on firewalls, applications and antivirus software in a desperate attempt to ward off hackers and yet, even the companies, like Symantec and RSA, that sell “security solutions” can’t keep themselves hacker-free”. This is, I believe, far more newsworthy – and an issue that I hope the industry will explore as it convenes in San Francisco next week for the annual RSA conference.
The article’s author claims that ‘the crux of the problem is that businesses have taken a piecemeal approach to security’. I disagree. There is no denying that you need these purpose-built products as part of an overall security strategy. The crux is that organizations do not have the capability to collect, monitor, analyze and correlate ALL relevant security data from each of the different devices/products to make sense of what is actually happening in their network. The majority of products, including SIEM tools like IBM’s QRadar, collect just log and event data. This may enable security analysts to understand that something has happened, but not answer the most important questions: how, where and what, exactly, has happened? Because they can’t answer these questions they can’t figure out what needs to be done to repel an attack, identify the likely target, and take timely action to stop it. You need to collect, analyze and correlate not only log data with Threat Intelligence data like X-Force, but also other critical data like asset configuration state, vulnerability state, asset criticality, connectivity state, etc. for effective threat detection and mitigation.
For the majority of organizations, information security is more post mortem than critical care… and regardless of how many billions of dollars you spend on security tools, until you fix this inherent problem in traditional SIEM tools, large organizations will continue to be breached at will.
Situational Awareness in one sentence
In the technology industry we’re often guilty of using 100 words where three would suffice… or overcomplicating things to the point that only a handful of people are able to figure out what we’re saying. So, when I heard a summary of the value of situational awareness that even your grandmother would understand, I wanted to share it.
The explanation, provided by a pilot, describes the role situational awareness plays in flying safely, and why it enables pilots to deal with unforeseen events quickly and effectively.
“…We [pilots] need situational awareness… you have to realize how you got into a situation to figure your way out of it…”
It occurred to me that this one sentence explains why situational awareness is set to play such a huge role in the future of information security. Unless you have data, from which you can deduce how an attack took place [and in many cases will still be taking place] you will have no way of figuring out how to repel it, mitigate it, and protect the intended target of the attack. Without situational awareness you’re faced with the proverbial needle in a haystack!
Quis custodiet ipsos custodes? [Answers on a postcard, please!]
Reading the news that Verisign, the company responsible for delivering people safely to more than half the world’s websites, suffered a series of breaches back in 2010 comes as no surprise. Why? Because I think that we have entered a new era of cybersecurity; one where Read more…
The first casualties of cyber war.
In his latest post for AOL Government, eIQnetworks’ John Linkous explores how, in our increasingly networked society, it is only a matter of time before we see the first casualties from advanced persistent cyber attacks. He also asks what can be done to mitigate the risk of virtual attacks affecting the physical world.
You can read John’s post in full at http://ow.ly/8H5uB
Everything you ever wanted to know about Situational Awareness… [but were afraid to ask!]
Most security professionals will, by now, be aware of the term Situational Awareness – but how many understand what it actually is? How many understand how to deliver it within their organization? Situational Awareness has become one of the big buzzwords of the security industry in the last 12 months and, as the company that coined the term within our industry AND the first to offer a working platform, we thought it was time to clarify much of the confusion that exists around the term.
“Proactive Threat Discovery and Risk Mitigation Demands Situational Awareness,” is an eIQnetworks webinar, featuring Gartner analyst John Pescatore, which aims to answer many of the questions we’ve been asked by security professionals in recent months. The webinar also explains how situational awareness delivers key competencies that cannot be achieved using existing SIEM and SIEM Plus tools, and how it gives security analysts the ability to protect large distributed networks effectively and efficiently in a way they cannot with traditional point tools.
You can view the video here
If you have a question that is not included in our webinar then please let us know and we’ll be happy to answer it for you.
Cybersecurity: what’s the point?
Last week the FBI claimed that cybersecurity posed an “existential” threat to American corporations, “meaning it could eliminate whole companies”. Despite this, it said, many consumers and commercial organizations are “still not taking the threat seriously,” claiming, “either they don’t recognize it, they don’t understand it or they don’t care”. I wonder what Sartre or Camus would have to say on the matter?
I have no doubt they would have Read more…
Less Turtle, More Awareness
Catching up on some reading this week, I came across this piece in Security Week, written by Chris Poulin, Chief Security Officer at Q1 Labs, talking about how a childhood experience can help the modern information security professional. Chris makes some good points, such as the need for continuous monitoring, and using all available tools to capture multiple data points in order to enable you to pinpoint the vector of advanced persistent threats (and slow moving box turtles).
This is certainly all good advice – although we contend that the average cyber or insider attack moves slightly quicker than the average box turtle. There are, however, some major problems with Chris’ piece. Read more…
Situational Awareness: It’s not a Technology; it’s a Way of Life
Recently, CSO Magazine published a story on the efforts to secure the new Freedom Tower and other buildings that are being built at the site of the new World Trade Center in New York. Throughout the article, Louis Barani – the former U.S. Naval Officer who is developing the security technologies for the new facility – frequently uses the term “situational awareness” to describe his team’s efforts to ensure the security of the Freedom Tower and other buildings.
What’s most interesting is how Mr. Barani talks about situational awareness not as a product, but as a capability. While much of his interest is in physical security — as opposed to information security, which is where eIQnetworks and SecureVue reside — he identifies all the different types of security-related information that are required to achieve situational awareness: physical access control and logs; CCTV feeds and data; HVAC systems; elevator controls; and many, many more. His team will be using a platform designed to bring together the physical security data from all these different sources into a single platform that facilitates situational awareness.
So what’s the point? First, that situational awareness isn’t just a tool or a technology — it’s a way of life that requires continuous, real-time evaluation of the environment (whether the goal is system operations, physical security, information security, or otherwise), correlation of different types of events and other data together, and the ability to act on abnormalities right away. Second, to make all of these things happen, you need the right tools to facilitate — not automate – situational awareness. In the information security world, that means collecting all security-related data, whether that data is encapsulated in events, asset state, network traffic, system performance, or any other piece of information. Once you have the data, the other critical capability is correlation: are unusual network traffic, an abnormal performance metric, and an unauthorized change on a server related? If so, how?
Just like in physical security systems, in the world of information security there are plenty of assets generating security data: events from host OS’s, devices, applications and databases; point security tools like IDS/IPS and anti-malware; performance data; network traffic; the current operating state of systems; and so much more.
Like the architects of physical security at Freedom Tower, delivering situational awareness for information security requires the ability to bring all of this data together into a single location, and correlate this data to find abnormalities — the hallmark of situational awareness. Unfortunately, there aren’t many solutions available today that really do this for information security: SIEMs have limited data collection capabilities, and treat everything like an event (which is decidedly not situational awareness); configuration management tools have no visibility into events or what’s happening at the network layer; and NBA and network monitoring tools lack visibility into system state. So, like a CCTV system, or an HVAC controller, or an elevator system, each of these information security tools provides visibility into a limited — but critical – wedge of data. You still need something to bring all the data together, and facilitate true situational awareness. Fortunately, we know exactly where you can find a product that does this.
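The correlation described in the preceding posts (joining event data with asset configuration state, vulnerability state, criticality and connectivity, then asking whether an IDS alert, an unauthorized change and unusual traffic on the same server are related) can be sketched in a few dozen lines. The block below is an added illustration written for this page; it is not SecureVue or any eIQnetworks code. The assets, events, time window and scoring weights are all constructed for the example, and the vulnerability identifiers are placeholders rather than real advisories.

```python
"""Multi-source correlation for situational awareness (added example, not vendor code).

Joins event/log data with asset context that a log-only SIEM does not hold
(criticality, vulnerability state, internet exposure, change authorization)
and scores each asset's activity inside a time window, so the highest-scoring
incident also carries a plain-language 'how / where / what' explanation.
All data below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed asset state: the non-event data the posts say SIEMs lack.
# "vulns" holds placeholder identifiers, not real CVEs.
ASSETS = {
    "web-01": {"criticality": 5, "exposed": True, "vulns": {"example-vuln-A"}},
    "hr-db-02": {"criticality": 4, "exposed": False, "vulns": set()},
    "kiosk-07": {"criticality": 1, "exposed": False, "vulns": {"example-vuln-B"}},
}

# Constructed events from several sources (IDS, config monitor, flow data, auth).
T0 = datetime(2012, 2, 20, 10, 0)
EVENTS = [
    {"ts": T0, "asset": "web-01", "source": "ids", "severity": 3,
     "type": "exploit attempt", "vuln": "example-vuln-A"},
    {"ts": T0 + timedelta(minutes=2), "asset": "kiosk-07", "source": "ids",
     "severity": 3, "type": "exploit attempt", "vuln": "example-vuln-A"},
    {"ts": T0 + timedelta(minutes=4), "asset": "web-01", "source": "config",
     "severity": 2, "type": "service binary modified", "ticket": None},
    {"ts": T0 + timedelta(minutes=7), "asset": "web-01", "source": "netflow",
     "severity": 2, "type": "unusual outbound volume"},
    {"ts": T0 + timedelta(minutes=90), "asset": "hr-db-02", "source": "auth",
     "severity": 1, "type": "failed login"},
]


@dataclass
class Incident:
    asset: str
    start: datetime
    end: datetime
    score: int
    findings: list = field(default_factory=list)
    events: list = field(default_factory=list)


def cluster_by_asset(events, window):
    """Group events per asset; a cluster spans at most `window` from its first event."""
    by_asset = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_asset[ev["asset"]].append(ev)
    clusters = []
    for asset, evs in by_asset.items():
        current = [evs[0]]
        for ev in evs[1:]:
            if ev["ts"] - current[0]["ts"] <= window:
                current.append(ev)
            else:
                clusters.append((asset, current))
                current = [ev]
        clusters.append((asset, current))
    return clusters


def score_cluster(asset, evs, assets):
    """Weight raw event severity by asset context; weights are arbitrary example values."""
    ctx = assets.get(asset, {"criticality": 1, "exposed": False, "vulns": set()})
    findings = [f"{len(evs)} event(s) from {sorted({e['source'] for e in evs})}, "
                f"asset criticality {ctx['criticality']}"]
    score = sum(ev["severity"] for ev in evs) * ctx["criticality"]
    saw_ids = False
    for ev in evs:
        if ev["source"] == "ids":
            saw_ids = True
            # An exploit signature matters far more when the target is actually vulnerable.
            if ev.get("vuln") in ctx["vulns"]:
                score += 10
                findings.append(f"IDS signature targets {ev['vuln']}, which this asset is known to have")
        elif ev["source"] == "config" and ev.get("ticket") is None:
            # Unauthorized change is suspicious on its own, and much more so after an alert.
            score += 8 if saw_ids else 3
            findings.append("unauthorized configuration change" + (" after IDS alert" if saw_ids else ""))
        elif ev["source"] == "netflow" and saw_ids:
            score += 5
            findings.append("unusual outbound traffic after IDS alert")
    if ctx["exposed"]:
        score += 2
        findings.append("asset is internet-exposed")
    return Incident(asset, evs[0]["ts"], evs[-1]["ts"], score, findings, evs)


def correlate(events, assets, window=timedelta(minutes=15)):
    """Return incidents ranked by context-weighted score, highest first."""
    incidents = [score_cluster(a, evs, assets) for a, evs in cluster_by_asset(events, window)]
    return sorted(incidents, key=lambda i: i.score, reverse=True)


if __name__ == "__main__":
    for inc in correlate(EVENTS, ASSETS):
        print(f"{inc.asset:10} score={inc.score:3} {inc.start:%H:%M}-{inc.end:%H:%M}")
        for finding in inc.findings:
            print(f"    - {finding}")
```

With the constructed data, the two IDS alerts carry identical severity, yet web-01 ranks far above kiosk-07 because the signature matches a vulnerability web-01 actually has, an unticketed change and unusual outbound traffic follow within the window, and the asset is both critical and exposed. The `findings` list is the point: it answers how, where and what, which a count of raw events cannot.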
Forget End-of-Year Predictions… We Have End-of-the-World Predictions!
As we officially kick off “prediction week” – where virtually every security vendor, journalist and pundit gazes into their crystal ball and prognosticates about the next twelve months – we at eIQ have decided to up the proverbial ante. Our predictions aren’t just about the next year… they’re about the end of the world.
How’s that, you might ask? Well, it all starts – or rather, ends – with our favorite pre-Columbian civilization, the Mayans. Ah, the Maya… ask anyone on the street today about them, and the first thing you’re likely to hear about is the Mayan calendar. Like other Mesoamerican civilizations such as the Aztecs and Inca, the Maya very much believed that time operated in cycles. The Maya “long count” calendar – the longest individual cycle – is currently scheduled to complete on December 21, 2012.
The Mayans themselves would simply start a new cycle (called b’ak’tun) on December 22; but in our clever world, that’s not good enough for many. Unfortunately, the end of the “long count” cycle this year has been misinterpreted by some as “the end of the world” – often by people who are looking to make a quick buck. Rest assured that just as Y2K, the IRS tax deadline of April 15th, and other critical dates have been the focus of phishing and other scam activity in the past, so too will December 21, 2012.
It’s only a matter of time before we start seeing it: “Click here to download the PDF [which is infected] / program [which is trojaned] / website link [which is XSS’d to malware] that shows you why the Mayans were right about the end of the world!” Like any other scam, these emails and web ads will play to people’s worst fears, and doubtless some of them will succeed in facilitating identity theft, illegal transfer of funds, or even worse. People are fascinated by doom, and the idea that someone might have “secret knowledge” will cause many unsuspecting people to be drawn into these scams. We saw this happen endlessly during Y2K, over ten years ago when the term phishing hadn’t even been coined yet. With the advent of new methods to reach people – no longer just e-mail, but text messages, social media sites, embedded links in documents, and so many more – the amount of fraud that will be perpetrated from end-of-the-world scare tactics will be extreme.
So remember, you heard it here first… and if we’re all still around on December 22, 2012, we’ll see if we at eIQ were right.
If Containment is the New Prevention…
A couple of weeks ago, Websense published its cybersecurity predictions for 2012. One prediction in particular caught our eye: that containment will become the new prevention. We’re assuming that Websense’s prediction is that the focus for many organizations will shift from preventing external and insider attacks, data breaches, and other incidents, to containment (rather than prevention being something that many aspire to, but very few have yet attained, by the way…)
We’ve been saying the same thing for a number of years. 2011 has demonstrated that, Read more…
