You can read John’s post in full at http://ow.ly/8H5uB

“Proactive Threat Discovery and Risk Mitigation Demands Situational Awareness,” is an eIQnetworks webinar, featuring Gartner analyst John Pescatore, which aims to answer many of the questions we’ve been asked by security professionals in recent months.  The webinar also explains how situational awareness delivers key competencies that cannot be achieved using existing SIEM and SIEM Plus tools and how it provides security analysts with the ability to effectively protect large distributed networks effectively and efficiently in a way they cannot do with traditional point tools.

You can view the video here

If you have a question that is not included in our webinar then please let us know and we’ll be happy to answer it for you.

I’m have no doubt they would have thought long and hard on the philosophical questions facing CISOs in many commercial organizations and Government departments. Questions like: Do advanced persistent threats really exist? How can we minimize our risk of attack? And, ‘If we are attacked, how do we detect and deal with it?’.  Hopefully you won’t conclude that that the struggle is futile or absurd!

The battle against cyberattacks can often feel a little like Sisyphus, pushing a rock up a mountain only to have it roll to the bottom again. We can only hope that the majority of security professionals, regardless of how absurd or futile the struggle can appear, take steps to protect themselves and their organizations from the threats that undoubtedly threaten their existence.

This is certainly all good advice – although we contend that the average cyber or insider attack moves slightly quicker than the average box turtle.  There are, however, some major problems with Chris’ piece.

• First, the assumption is made that SIEM tools – of which Q1 Labs makes a very good one – can capture all of the information required to find our good friend, the turtle.  Unfortunately, that simply isn’t the case.  SIEM tools are highly focused on events.  Even in cases where a SIEM can look outside of the world of events at one or two other pieces of data (say, at network traffic, which is something that Q1 Labs’ SIEM does), that’s still woefully inadequate: if we’re going to find an errant turtle, we certainly need events and network traffic data, but we also need system asset and configuration state (from both hosts and devices, not just one or the other), system performance metrics, visibility into file integrity, and much, much more.  A SIEM is great if our Turtle friend has left behind a trail of breadcrumbs (or whatever it is that turtles leave behind them when they travel), but otherwise, the SIEM is going to likely lead us to a cold trail due to lack of data.
• Second, even if your SIEM can collect different types of data in search of our elusive turtle friend, it probably uses multiple, separate products to do so.  Q1 Labs has a great SIEM product – Qradar – but requires separate appliances to collect flow data and Q1’s proprietary pseudo-DPI information, as well as another, completely separate appliance to collect system asset data and configuration state (and even then, this data is limited to a small subset of network devices, and completely excludes hosts… which means we’re stuck in the world of limited data again).  Of course, Q1 Labs is not the only SIEM vendor who runs into this issue: Tripwire, Nitro Security, NetIQ, Arcsight, and others all rely on multiple tools to try and collect more than just event-based data.  Unfortunately, all this approach does is result in taking a bunch of smaller silos (from individual systems and point security tools), and turn them into a smaller number of bigger silos – certainly not useful as the clock ticks on finding our buddy, the turtle!
• Finally, even if you can collect a multitude of data points from various point security tools, and your security analysts have fed them into a traditional SIEM, you still have a problem: the SIEM views everything as an event: a piece of system state data becomes an “event” (which it isn’t), performance metrics become “events” (which they aren’t), and so on.  Much of the richness of the data is lost, and the only thing that most organizations are left with is a general idea that “’something’ has certainly happened…”, but they lose the critical context of exactly what that ‘something’ is.  A manual hunt for the turtle then begins in earnest.

So yes, what Chris describes is absolutely valid — we call it Unified Situational Awareness – but the fact is, traditional SIEM and “SIEM-plus” tools simply can’t deliver it.

What’s most interesting is how Mr. Barani talks about situational awareness not as a product, but as a capability.  While much of his interest is in physical security — as opposed to information security, which is where eIQnetworks and SecureVue reside — he identifies all the different types of security-related information that are required to achieve situational awareness: physical access control and logs; CCTV feeds and data; HVAC systems; elevator controls; and many, many more.  His team will be using a platform designed to bring together the physical security data from all these different sources into a single platform that facilitates situational awareness.

So what’s the point?  First, that situational awareness isn’t just a tool or a technology — it’s a way of life that requires continuous, real-time evaluation of the environment (whether the goal is system operations, physical security, information security, or otherwise), correlation of different types of events and other data together, and the ability to act on abnormalities right away.  Second, to make all of these things happen, you need the right tools to facilitate — not automate – situational awareness. In the information security world, that means collecting all security-related data, whether that data is encapsulated in events, asset state, network traffic, system performance, or any other piece of information.  Once you have the data, the other critical capability is correlation: are unusual network traffic, an abnormal performance metric, and an unauthorized change on a server related?  If so, how?

Just like in physical security systems, in the world of information security there are plenty of assets generating security data: events from host OS’s, devices, applications and databases; point security tools like IDS/IPS and anti-malware; performance data; network traffic; the current operating state of systems; and so much more.

Like the architects of physical security at Freedom Tower, delivering situational awareness for information security requires the ability to bring all of this data together into a single location, and correlate this data to find abnormalities — the hallmark of situational awareness.  Unfortunately, there aren’t many solutions available today that really do this for information security: SIEMs have limited data collection capabilities, and treat everything like an event (which is decidedly not situational awareness); configuration management tools have no visibility into events or what’s happening at the network layer; and NBA and network monitoring tools lack visibility into system state.  So, like a CCTV system, or an HVAC controller, or an elevator system, each of these information security tools provides visibility into a limited — but critical – wedge of data.  You still need something to bring all the data together, and facilitate true situational awareness.  Fortunately, we know exactly where you can find a product that does this.

How’s that, you might ask?  Well, it all starts – or rather, ends – with our favorite pre-Columbian civilization, the Mayans.  Ah, the Maya… ask anyone on the street today about them, and the first thing you’re likely to hear about is the Mayan calendar.  Like other Mesoamerican civilizations such as the Aztecs and Inca, the Maya very much believed that time operated in cycles.  The Maya “long count” calendar – the longest individual cycle – is currently scheduled to complete on December 21, 2012.

The Mayans themselves would simply start a new cycle (called b’ak’tun) on December 22; but in our clever world, that’s not good enough for many.  Unfortunately, the end of the “long count” cycle this year has been misinterpreted by some as “the end of the world” – often by people who are looking to make a quick buck.  Rest assured that just as Y2K, the IRS tax deadline of April 15th, and other critical dates have been the focus of phishing and other scam activity in the past, so too will December 21, 2012.

It’s only a matter of time before we start seeing it: “Click here to download the PDF [which is infected] / program [which is trojaned] / website link [which is XSS’d to malware] that shows you why the Mayans were right about the end of the world!”  Like any other scam, these emails and web ads will play to people’s worst fears, and doubtless some of them will succeed in facilitating identity theft, illegal transfer of funds, or even worse.  People are fascinated by doom, and the idea that someone might have “secret knowledge” will cause many unsuspecting people to be drawn into these scams.  We saw this happen endlessly during Y2K, over ten years ago when the term phishing hadn’t even been coined yet.  With the advent of new methods to reach people – no longer just e-mail, but text messages, social media sites, embedded links in documents, and so many more – the amount of fraud that will be perpetrated from end-of-the-world scare tactics will be extreme.

So remember, you heard it here first… and if we’re all still around on December 22, 2012, we’ll see if we at eIQ were right.  

We’ve been saying the same thing for a number of years.  2011 has demonstrated that, even when an organization knows that an attack is imminent, many remain unable to do anything to prevent it.  On this basis, it’s inconceivable that using the point SIEM tools that exist in many large organizations most will be able to contain it.  This is supported by Ponemon Institute research that suggests that the current average response time to a security incident is 18 days.

If Websense’ prediction is going to become reality then there needs to be a fundamental shift towards tools that can correlate large amounts of security data, in all of its native formats to provide analysts with a real-time, contextual view of their security posture.  And, in order for this to happen, SIEM must be dead.

We’ll let you judge for your selves… here’s video from an event organized by the National Cable & Telecommunications Association [NCTA] last week, entitled Protecting American Innovation in Cyberspace, at which Rep Ruppersberger states that he, and many of the countries most senior officials, believe there will be a catastrophic attack on a US target.

You can watch the video here; it gets interesting at about 30 minutes in…

Protecting American Innovation in Cyberspace

*Copyright NCTA 2011

Currently in Beta, SecureVue Express offers a glimpse of the future for security analysts, and has a brand-new user interface that simplifies enterprise security management.

To download your copy of SecureVue Express, click here.  We’d also welcome feedback via email, via Twitter or by commenting below.

If we’re honest, there is no consensus on what did, or did not, happen in Illinois – not whether the attack (if indeed an attack took place) was based in Russia, or any other country.  The purpose of this post is not to speculate one way or another.  The confusion is, however, something that we in the security industry should be very, VERY, concerned about.  It’s an all too familiar story; something doesn’t feel right, but confirming whether indeed something has happened, if it is something you should be concerned about, what the vector of the potential attack might be, and what you can do to mitigate the damage it could do is very difficult to pinpoint.  It’s not that, the majority of, organizations don’t have the tools they need to answer these questions, it’s simply that they don’t have the means to make sense of the multitude reports in order to differentiate the positives from the false positives and the double negatives – and do it quickly.

This problem is only going to get more complex as the role that information networks play in everyday business life.  Protecting sensitive corporate and customer data from those that wish to do harm, or use it for their own competitive advantage is increasingly going to be a key battle ground.  If it takes you three weeks to determine whether or not you’ve been breached you’ll have lost the battle without ever knowing you were under attack.

This is why we firmly believe that a new approach to information security is required.  We proclaimed the death of SIEM as an effective way to protect large corporate information networks a few months ago, and everything we see strengthens our position.  SIEM is still a valuable tool for collecting log and event based data, but situational awareness gives you the ability to collect ALL network data in it’s native format, correlate it in real time (20 seconds, rather than 20 days) and provides a clear picture of what has happened via a single pane of glass.

Situational Awareness means you can take immediate action to repel or take action to minimize the impact of an attack.