
A situational problem requires a situational solution!

March 3, 2012

A quote posted to Twitter about one of the presentations at the Security BSides conference earlier in the week in San Francisco struck a chord and I wanted to comment on it.  It went something like this: ‘Information Security is situational – and as a result it is very difficult to generalize about the best way to protect an organization against it.’

This quote encapsulates the challenge faced by security professionals every day – and provides an insight into the best way for large organizations to address it.  There is no one – or even fifty – cookie-cutter cyber or insider attack; each one is deliberately designed by the perpetrator to use an infrastructure against its owner and to enable the attacker to get as quickly as possible to the intended target and get out again undetected.  The days of signature-based attacks are over.

So, if the problem is situational then it figures that the solution needs to be situational also.  Rather than looking in all of the ‘usual’ places for the signs of an attack, the key is to collect data from all parts of the network, correlate it in real time and identify any anomalous activity.  This approach is called Situational Awareness.

Situational Awareness is already being used in a range of industries, from EMS to air traffic control and on the battlefield.  Its time has come for information security professionals.


Making Sense of Big Security Data

February 29, 2012

Big data is an important theme in San Francisco this week – as networks become increasingly large and complex they create increasing volumes of data.  An average Fortune 100 company is likely to generate around 100 TB of data every year.

This data is valuable – it can be used to improve the performance of just about every area of IT operations… but only if the organization has the technology to collect, collate, correlate and report it.  For security analysts, analysis of the millions of pieces of security data within their environment could help them to repel, or mitigate the impact of, a breach by enabling them to obtain actionable intelligence – information that allows them to take the right actions quickly.

While traditional SIEM and SIEM Plus tools may be able to collect security data, they do not allow it to be collected in its native format.  They are also unable to correlate the millions of records in a timescale that enables them to be used effectively.  Existing point SIEM tools leave the majority of the data analysis to security analysts.

To find out how eIQnetworks SecureVue can help you make the most of Big Security Data, email us at info@eiQnetworks.com or reach us on Twitter at @eIQnetworks.

Security ≠ Compliance

February 28, 2012

There has been a lot of talk in San Francisco this week about Security and Compliance… and whether if you have one you also have the other.

The fact is that security does not equal compliance; nor does compliance ensure that your network is protected against attack.  We believe that it’s not a question of ‘either or’, but understanding that relying solely on traditional SIEM tools makes it incredibly difficult to effectively deliver both.  The problem is that SIEM tools are focused on log and event data – and even so-called ‘SIEM Plus’ tools that do collect other security data points still process and present this distinctly different type of data as “just another event”.

The future – which clearly is a world of increasingly virulent cyber and insider attacks – will require security analysts to report against both corporate security policies and relevant industry compliance mandates, as well as demonstrating that they have the systems and processes necessary to report both quickly and accurately.

We believe that the only way to do this is through true, unified Situational Awareness.  If you want to see how situational awareness can help your organization demonstrate both security and compliance, you can contact us via email at info@eiQnetworks.com, or send us a DM on Twitter at @eIQnetworks.

Hot topics in San Francisco.

February 27, 2012

This week we’re blogging from San Francisco for what is one of the most eagerly awaited weeks in a security professional’s calendar.  While we’re not exhibiting at the RSA or Security BSides shows, we are in town meeting clients and prospects, so we wanted to take a moment to talk, briefly, about some of the topics we expect to be top of the agenda in the coming days.

  • APTs, or Advanced Persistent Threats, have been around for a while.  There’s been a lot of discussion over what does and what doesn’t constitute an advanced persistent cyber threat but with cyber attackers able to strike almost at will we expect there to be many discussions about how large organizations can protect themselves from APTs.
  • Situational Awareness is something that eIQ has been talking about for years.  It’s the next evolutionary approach to information security that uses tried and tested principles to collect, correlate and make sense of all security data, regardless of where it’s contained: in logs, system state data, network traffic, performance metrics, file integrity or other data – but most importantly, both in event-based and non-event data, which differentiates it from event-focused solutions like SIEM.  This enables security analysts to quickly identify a breach and take steps to repel or mitigate it and minimize the damage it does.
  • Big Data is a challenge that all IT professionals must address in the coming years, but it is perhaps most relevant for security analysts.  As the complexity of information technology systems increases so the potential for understanding what is going on within a network increases.  The challenge of how security professionals can take advantage of big data to protect their networks will, I believe, be a hot topic of discussion in San Francisco this week.

If you want to see how situational awareness can help your organization demonstrate security and compliance contact us via email at info@eIQnetworks.com or via Twitter on @eIQnetworks while you’re in town to set up a demonstration of our SecureVue platform.

It’s not about adding another data source…

February 24, 2012

…it’s what you do with it that counts!

The New York Times Bits blog devoted 700 words to IBM’s announcement earlier this week that it has now managed to connect its newly acquired QRadar SIEM platform to its X-Force database. While this is news for IBM and QRadar customers it is, perhaps, less relevant for organizations that aren’t exclusively ‘Big Blue’.

The same piece states, “Businesses spend billions of dollars each year on firewalls, applications and antivirus software in a desperate attempt to ward off hackers and yet, even the companies, like Symantec and RSA, that sell ‘security solutions’ can’t keep themselves hacker-free”.  This is, I believe, far more newsworthy – and an issue that I hope the industry will explore as it convenes in San Francisco next week for the annual RSA conference.

The article’s author claims that ‘the crux of the problem is that businesses have taken a piecemeal approach to security’.  I disagree.  There is no denying that you need these purpose-built products as part of an overall security strategy.  The crux is that organizations do not have the capability to collect, monitor, analyze and correlate ALL relevant security data from each of the different devices/products, to make sense of what is actually happening in their network.  The majority of products, including SIEM tools like IBM’s QRadar, collect just log and event data.  This may enable security analysts to understand that something has happened, but not answer the most important questions: How, Where and What, exactly, has happened?  Because they can’t answer these questions they can’t figure out what needs to be done to repel an attack, identify the likely target, and take timely action to stop it.  You need to collect, analyze and correlate not only log data with Threat Intelligence data like X-Force, but also other critical data like asset configuration state, vulnerability state, asset criticality, connectivity state, etc. for effective threat detection and mitigation.
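The correlation this paragraph describes (and the mix of event and non-event data listed in the ‘Situational Awareness’ bullet of the February 27 post: logs, system state, file integrity), as an added Python illustration.  It is not eIQnetworks or SecureVue code.  The firewall log format, the threat-intelligence feed, the asset inventory, the scoring weights and the file-integrity records are all constructed for the example; the point is that the same ALLOW line scores very differently once asset criticality, vulnerability state, connectivity expectations and integrity changes are joined to it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Firewall log format assumed for this example (constructed, not a SecureVue format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


@dataclass
class Asset:
    """Non-event context about a host (constructed inventory record)."""
    name: str
    criticality: int             # 1 = low, 2 = medium, 3 = high (constructed scale)
    vulnerable_ports: List[int]  # services with an open, unpatched vulnerability
    internet_facing: bool        # connectivity state: are external peers expected?


@dataclass
class Finding:
    line: str
    src: str
    dst: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


# --- Constructed sample data (assumptions for the example) -------------------
THREAT_INTEL: Dict[str, str] = {
    "203.0.113.45": "listed as a scanning host in a constructed intel feed",
}
ASSETS: Dict[str, Asset] = {
    "10.0.0.20": Asset("web-01", criticality=2, vulnerable_ports=[], internet_facing=True),
    "10.0.0.5": Asset("db-01", criticality=3, vulnerable_ports=[3306], internet_facing=False),
}
# File-integrity state: hosts with files changed since the last baseline.
FILE_INTEGRITY: Dict[str, List[str]] = {"db-01": ["/etc/ssh/sshd_config"]}
FIREWALL_LOGS = [
    "2012-02-24T10:00:01Z fw ALLOW src=203.0.113.45 dst=10.0.0.20 dport=443",
    "2012-02-24T10:00:05Z fw ALLOW src=198.51.100.7 dst=10.0.0.5 dport=3306",
    "2012-02-24T10:00:09Z fw ALLOW src=203.0.113.45 dst=10.0.0.5 dport=3306",
]


def is_external(ip: str) -> bool:
    """Constructed simplification: the example's internal network is 10.0.0.0/8."""
    return not ip.startswith("10.")


def correlate(line: str, intel=THREAT_INTEL, assets=ASSETS,
              integrity=FILE_INTEGRITY) -> Optional[Finding]:
    """Enrich one log line with intel and asset context; None for unparsable input."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    src, dst, dport = m["src"], m["dst"], int(m["dport"])
    f = Finding(line=line, src=src, dst=dst)

    # 1. Threat intelligence: is the source a known-bad address?
    if src in intel:
        f.score += 2
        f.reasons.append(f"source {src}: {intel[src]}")

    # 2. Asset context: what was hit, and how much does it matter?
    asset = assets.get(dst)
    if asset is None:
        f.reasons.append(f"destination {dst} not in asset inventory")
        return f
    f.score += asset.criticality - 1
    f.reasons.append(f"target {asset.name} has criticality {asset.criticality}")

    # 3. Vulnerability state: was a service with an open vulnerability contacted?
    if dport in asset.vulnerable_ports:
        f.score += 3
        f.reasons.append(f"port {dport} on {asset.name} has an unpatched vulnerability")

    # 4. Connectivity state: external traffic to a host that should never see any?
    if is_external(src) and not asset.internet_facing:
        f.score += 2
        f.reasons.append(f"{asset.name} is not internet-facing but received external traffic")

    # 5. File-integrity state (non-event data): has the target already been changed?
    if asset.name in integrity:
        f.score += 2
        f.reasons.append(f"files changed on {asset.name}: {', '.join(integrity[asset.name])}")
    return f


def prioritize(lines: List[str]) -> List[Finding]:
    """Correlate every line and return the findings, highest score first."""
    findings = [f for f in map(correlate, lines) if f is not None]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in prioritize(FIREWALL_LOGS):
        print(f"score={f.score:2d} {f.src} -> {f.dst}")
        for r in f.reasons:
            print("   ", r)
```

Run stand-alone, the script ranks the connection to the non-internet-facing, already-modified database host on its vulnerable port above the same intel-listed source hitting the public web server: log-only analysis would show three allowed connections from two addresses, while the enriched view answers the How, Where and What the paragraph asks for.  The weights are deliberately simple; in practice they would come from the organization's own policy.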

For the majority of organizations, information security is more post mortem than critical care… and regardless of how many billions of dollars you spend on security tools, until you fix this inherent problem in traditional SIEM tools large organizations will continue to be breached at will.

Situational Awareness in one sentence

February 22, 2012

In the technology industry we’re often guilty of using 100 words where three would suffice… or overcomplicating things to the point that only a handful of people are able to figure out what we’re saying.  So, when I heard a summary of the value of situational awareness that even your grandmother would understand, I wanted to share it.

The explanation, provided by a pilot, explains the role situational awareness plays in doing what they do safely, and why it enables them to deal with unforeseen events quickly and effectively.

“…We [pilots] need situational awareness… you have to realize how you got into a situation to figure your way out of it…”

It occurred to me that this one sentence explains why situational awareness is set to play such a huge role in the future of information security.  Unless you have data, from which you can deduce how an attack took place [and in many cases will still be taking place] you will have no way of figuring out how to repel it, mitigate it, and protect the intended target of the attack.  Without situational awareness you’re faced with the proverbial needle in a haystack!

Quis custodiet ipsos custodes? [Answers on a postcard, please!]

February 5, 2012

Reading the news that Verisign, the company responsible for delivering people safely to more than half the world’s websites, suffered a series of breaches back in 2010 comes as no surprise.  Why?  Because I think that we have entered a new era of cybersecurity; one where Read more…