The New York Times Bits blog devoted 700 words to IBM’s announcement earlier this week that it has now managed to connect its newly acquired QRadar SIEM platform to its X-Force database. While this is news for IBM and QRadar customers it is, perhaps, less relevant for organizations that aren’t exclusively ‘Big Blue’.

The same piece states, “Businesses spend billions of dollars each year on firewalls, applications and antivirus software in a desperate attempt to ward off hackers and yet, even the companies, like Symantec and RSA, that sell “security solutions” can’t keep themselves hacker-free“.  This is, I believe, far more newsworthy – and an issue that I hope the industry will explore as it convenes in San Francisco next week for the annual RSA conference.

The article’s author claims that, ‘the crux of the problem is that businesses have taken a piecemeal approach to security’.  I disagree. There is no denying that you need these purpose built products as part of overall security strategy. The crux is that organizations do not have the capability to collect, monitor, analyze and correlate ALL relevant security data from each of the different devices/products, to make sense of what is actually happening in their network.  The majority products, including SIEM tools like IBM’s QRadar, collect just log and event data.  This may enables security analysts to understand that something has happened, but not answer the most important question: How, Where and What, exactly, has happened?  Because they can’t answer this question they can’t figure out what needs to be done to repel an attack, identify the likely target, and take timely action to stop it. .  You need to collect, analyze and correlate not only log data with Threat Intelligence data like X-Force, but need other critical data like asset configuration state, vulnerability state, asset criticality, connectivity state, etc. for effective threat detection and mitigation.

For the majority of organizations information security is more post mortem than critical care… and regardless of how many billions of dollars you spend on security tools until you fix this inherent problem in traditional SIEM tools large organizations will continue to be breached at will.

The explanation, provided by a pilot, explains the role situational awareness plays in doing what they do safely, and why it enables them to deal with unforeseen events quickly and effectively.

“  …We [pilots] need situational awareness… you have to realize how you got into a situation to figure your way out of it…”

It occurred to me that this one sentence explains why situational awareness is set to play such a huge role in the future of information security.  Unless you have data, from which you can deduce how an attack took place [and in many cases will still be taking place] you will have no way of figuring out how to repel it, mitigate it, and protect the intended target of the attack.  Without situational awareness you’re faced with the proverbial needle in a haystack!

The fact that the breaches have only been made public because a Reuters journalist, Joseph Menn, found the company’s disclosure in a quarterly US Securities and Exchange Commission [SEC] filing should worry anybody that has a .com, .net or .gov domain.  It proves that the new guidance from the SEC works – but the fact that the breach was not immediately disclosed means that critical data MAY have been compromised, without its owners realizing that the risk had increased significantly.  To their credit, it appears Verisign acted quickly once it became aware – but reports indicate that staff waited a year before alerting senior management.

Perhaps the most worrying aspect of the story is that senior executives still don’t know exactly what happened, and what data was stolen.  While it is likely that Verisign has all of the right tools in place – end-point security tools, a traditional SIEM, a netflow analyzer, etc. – it appears unable to make sense of the data.  As a CISO, I once had to face my board to explain why my organization had been hit by the SQL slammer worm back in 2003 (long before situational awareness tools were available); I can only presume that attempts to do get answers were the reason for the 12 month delay.

Verisign aside, the story raises a much more important question.  It is one that I wrote about more than three years ago in a piece authored for Risk magazine entitled, ‘Quis custodiet ipsos custodes?’ [Who will watch the watchers?].  If we can’t trust the guardians of the data at the heart of our new network-dependent economy, who can we trust?

Answers on a postcard please… [alternatively, you can add yours in the comments section below]

You can read John’s post in full at http://ow.ly/8H5uB

“Proactive Threat Discovery and Risk Mitigation Demands Situational Awareness,” is an eIQnetworks webinar, featuring Gartner analyst John Pescatore, which aims to answer many of the questions we’ve been asked by security professionals in recent months.  The webinar also explains how situational awareness delivers key competencies that cannot be achieved using existing SIEM and SIEM Plus tools and how it provides security analysts with the ability to effectively protect large distributed networks effectively and efficiently in a way they cannot do with traditional point tools.

You can view the video here

If you have a question that is not included in our webinar then please let us know and we’ll be happy to answer it for you.

I’m have no doubt they would have thought long and hard on the philosophical questions facing CISOs in many commercial organizations and Government departments. Questions like: Do advanced persistent threats really exist? How can we minimize our risk of attack? And, ‘If we are attacked, how do we detect and deal with it?’.  Hopefully you won’t conclude that that the struggle is futile or absurd!

The battle against cyberattacks can often feel a little like Sisyphus, pushing a rock up a mountain only to have it roll to the bottom again. We can only hope that the majority of security professionals, regardless of how absurd or futile the struggle can appear, take steps to protect themselves and their organizations from the threats that undoubtedly threaten their existence.

This is certainly all good advice – although we contend that the average cyber or insider attack moves slightly quicker than the average box turtle.  There are, however, some major problems with Chris’ piece.

• First, the assumption is made that SIEM tools – of which Q1 Labs makes a very good one – can capture all of the information required to find our good friend, the turtle.  Unfortunately, that simply isn’t the case.  SIEM tools are highly focused on events.  Even in cases where a SIEM can look outside of the world of events at one or two other pieces of data (say, at network traffic, which is something that Q1 Labs’ SIEM does), that’s still woefully inadequate: if we’re going to find an errant turtle, we certainly need events and network traffic data, but we also need system asset and configuration state (from both hosts and devices, not just one or the other), system performance metrics, visibility into file integrity, and much, much more.  A SIEM is great if our Turtle friend has left behind a trail of breadcrumbs (or whatever it is that turtles leave behind them when they travel), but otherwise, the SIEM is going to likely lead us to a cold trail due to lack of data.
• Second, even if your SIEM can collect different types of data in search of our elusive turtle friend, it probably uses multiple, separate products to do so.  Q1 Labs has a great SIEM product – Qradar – but requires separate appliances to collect flow data and Q1’s proprietary pseudo-DPI information, as well as another, completely separate appliance to collect system asset data and configuration state (and even then, this data is limited to a small subset of network devices, and completely excludes hosts… which means we’re stuck in the world of limited data again).  Of course, Q1 Labs is not the only SIEM vendor who runs into this issue: Tripwire, Nitro Security, NetIQ, Arcsight, and others all rely on multiple tools to try and collect more than just event-based data.  Unfortunately, all this approach does is result in taking a bunch of smaller silos (from individual systems and point security tools), and turn them into a smaller number of bigger silos – certainly not useful as the clock ticks on finding our buddy, the turtle!
• Finally, even if you can collect a multitude of data points from various point security tools, and your security analysts have fed them into a traditional SIEM, you still have a problem: the SIEM views everything as an event: a piece of system state data becomes an “event” (which it isn’t), performance metrics become “events” (which they aren’t), and so on.  Much of the richness of the data is lost, and the only thing that most organizations are left with is a general idea that “’something’ has certainly happened…”, but they lose the critical context of exactly what that ‘something’ is.  A manual hunt for the turtle then begins in earnest.

So yes, what Chris describes is absolutely valid — we call it Unified Situational Awareness – but the fact is, traditional SIEM and “SIEM-plus” tools simply can’t deliver it.

What’s most interesting is how Mr. Barani talks about situational awareness not as a product, but as a capability.  While much of his interest is in physical security — as opposed to information security, which is where eIQnetworks and SecureVue reside — he identifies all the different types of security-related information that are required to achieve situational awareness: physical access control and logs; CCTV feeds and data; HVAC systems; elevator controls; and many, many more.  His team will be using a platform designed to bring together the physical security data from all these different sources into a single platform that facilitates situational awareness.

So what’s the point?  First, that situational awareness isn’t just a tool or a technology — it’s a way of life that requires continuous, real-time evaluation of the environment (whether the goal is system operations, physical security, information security, or otherwise), correlation of different types of events and other data together, and the ability to act on abnormalities right away.  Second, to make all of these things happen, you need the right tools to facilitate — not automate – situational awareness. In the information security world, that means collecting all security-related data, whether that data is encapsulated in events, asset state, network traffic, system performance, or any other piece of information.  Once you have the data, the other critical capability is correlation: are unusual network traffic, an abnormal performance metric, and an unauthorized change on a server related?  If so, how?

Just like in physical security systems, in the world of information security there are plenty of assets generating security data: events from host OS’s, devices, applications and databases; point security tools like IDS/IPS and anti-malware; performance data; network traffic; the current operating state of systems; and so much more.

Like the architects of physical security at Freedom Tower, delivering situational awareness for information security requires the ability to bring all of this data together into a single location, and correlate this data to find abnormalities — the hallmark of situational awareness.  Unfortunately, there aren’t many solutions available today that really do this for information security: SIEMs have limited data collection capabilities, and treat everything like an event (which is decidedly not situational awareness); configuration management tools have no visibility into events or what’s happening at the network layer; and NBA and network monitoring tools lack visibility into system state.  So, like a CCTV system, or an HVAC controller, or an elevator system, each of these information security tools provides visibility into a limited — but critical – wedge of data.  You still need something to bring all the data together, and facilitate true situational awareness.  Fortunately, we know exactly where you can find a product that does this.

How’s that, you might ask?  Well, it all starts – or rather, ends – with our favorite pre-Columbian civilization, the Mayans.  Ah, the Maya… ask anyone on the street today about them, and the first thing you’re likely to hear about is the Mayan calendar.  Like other Mesoamerican civilizations such as the Aztecs and Inca, the Maya very much believed that time operated in cycles.  The Maya “long count” calendar – the longest individual cycle – is currently scheduled to complete on December 21, 2012.

The Mayans themselves would simply start a new cycle (called b’ak’tun) on December 22; but in our clever world, that’s not good enough for many.  Unfortunately, the end of the “long count” cycle this year has been misinterpreted by some as “the end of the world” – often by people who are looking to make a quick buck.  Rest assured that just as Y2K, the IRS tax deadline of April 15th, and other critical dates have been the focus of phishing and other scam activity in the past, so too will December 21, 2012.

It’s only a matter of time before we start seeing it: “Click here to download the PDF [which is infected] / program [which is trojaned] / website link [which is XSS’d to malware] that shows you why the Mayans were right about the end of the world!”  Like any other scam, these emails and web ads will play to people’s worst fears, and doubtless some of them will succeed in facilitating identity theft, illegal transfer of funds, or even worse.  People are fascinated by doom, and the idea that someone might have “secret knowledge” will cause many unsuspecting people to be drawn into these scams.  We saw this happen endlessly during Y2K, over ten years ago when the term phishing hadn’t even been coined yet.  With the advent of new methods to reach people – no longer just e-mail, but text messages, social media sites, embedded links in documents, and so many more – the amount of fraud that will be perpetrated from end-of-the-world scare tactics will be extreme.

So remember, you heard it here first… and if we’re all still around on December 22, 2012, we’ll see if we at eIQ were right.  

We’ve been saying the same thing for a number of years.  2011 has demonstrated that, even when an organization knows that an attack is imminent, many remain unable to do anything to prevent it.  On this basis, it’s inconceivable that using the point SIEM tools that exist in many large organizations most will be able to contain it.  This is supported by Ponemon Institute research that suggests that the current average response time to a security incident is 18 days.

If Websense’ prediction is going to become reality then there needs to be a fundamental shift towards tools that can correlate large amounts of security data, in all of its native formats to provide analysts with a real-time, contextual view of their security posture.  And, in order for this to happen, SIEM must be dead.