
From Russia with Malice

November 28, 2011

Three weeks ago a pump at a water treatment facility in Illinois was reported damaged by a malicious attack launched from a computer based in Russia. Or maybe it wasn’t. Perhaps the pump was destroyed, but the attacker wasn’t based in Russia. Maybe nothing happened at all; in fact, the DHS is now denying that a hack even occurred, yet the FBI has, according to reports, launched an investigation.

If we’re honest, there is no consensus on what did or did not happen in Illinois, let alone whether the attack (if an attack took place at all) originated in Russia or any other country. The purpose of this post is not to speculate one way or the other. The confusion itself, however, is something that we in the security industry should be very, VERY concerned about. It’s an all too familiar story: something doesn’t feel right, but confirming whether anything has actually happened, whether it is something you should be concerned about, what the vector of the potential attack might be, and what you can do to mitigate the damage is very difficult. It’s not that most organizations lack the tools they need to answer these questions; it’s that they lack the means to make sense of the multitude of reports, to separate the true positives from the false positives and the false negatives, and to do it quickly.

This problem is only going to get more complex as the role that information networks play in everyday business life grows. Protecting sensitive corporate and customer data from those who wish to do harm, or to use it for their own competitive advantage, is increasingly going to be a key battleground. If it takes you three weeks to determine whether or not you’ve been breached, you’ll have lost the battle without ever knowing you were under attack.

This is why we firmly believe that a new approach to information security is required. We proclaimed the death of SIEM as an effective way to protect large corporate information networks a few months ago, and everything we see strengthens our position. SIEM is still a valuable tool for collecting log and event data, but situational awareness gives you the ability to collect ALL network data in its native format, correlate it in real time (20 seconds rather than 20 days) and see a clear picture of what has happened through a single pane of glass.

Situational awareness means you can take immediate action to repel an attack, or at least to minimize its impact.
