June EventSource Newsletter
By Mike Rothman
Creating lasting change from security management
Over the past year, I’ve dealt with how to implement a Pragmatic approach to security management and then dug deeper into the specifics of how to successfully implement a security management environment successfully. Think of those previous tips as your high school level education in security management.
Now it’s time to kiss the parents, hug the dog, and head off to the great unknown that represents college, university or some other secondary education. The tools are in place and you have a quick win to celebrate, but the reality is these are still just band-aids. The next level of your education is about creating lasting change that results constant improvement of your security posture. Creating this kind of change means that your security management platform needs to:
- Make you better – If there isn’t a noticeable difference in your ability to do your job, then the security management platform wasn’t worth the time or the effort to set it up. Everybody loses in that situation. You should be able to pinpoint issues faster and figure out what to investigate more accurately. These may sound like no-brainers, but many organizations spend big money to implement technology that doesn’t show any operational value.
- Save you time – The reality is, as interesting as reports are for compliance, if using your platform doesn’t help you do your job faster, then you won’t use it. No one has discretionary time to waste doing things less efficiently. Thus, you need to be able to utilize your dashboard daily to investigate issues quickly and ensure you can isolate problems without having to gather data from a variety of places. Those penalties in time can make the difference between nipping a problem in the bud or cleaning up a major data breach.
I know those two objectives may seem a long way off when you are just starting the process, but let’s take a structured approach to refining our environment and before you know it, your security management environment will be a well-oiled machine, and dare I say it, you will be the closest thing to a hero on the security team.
Step 1: Revisit the metrics
Keep in mind that in the initial implementation (and while searching for the quick win), you gathered some data and started pulling reports on it to identify the low-hanging fruit that needed to be fixed right now.This is a good time to make sure you are gathering enough data to draw broader conclusions. Remember that we are looking mostly for anomalies. Since we defined normal for your environment during the initial implementation, now we need to focus on what is “not normal.” Here are a couple of areas to focus on:
- Networks – This is the easiest of the data to gather because you are probably already monitoring much of it. Yes, that data coming out of your firewalls, IPS devices, and content gateways (web filtering and anti-spam), should already be pumped into the system.Data center – Many of the attacks now are targeted towards databases and servers because that’s where the “money” is. Thus pulling log feed from databases and server operating systems is another set of data sources that should be leveraged. Again, once you gather the baseline – you are in good shape to start to focus on behavior that is not “normal.”Endpoints – Depending on the size of your organization, this may not be feasible, but another area of frequent compromise are end user devices. Maybe they are copying data to a USB thumb drive or installing unauthorized applications. Periodically gathering system log information and analyzing it can also yield a treasure of information.
- Applications – Finally, you can also gather data directly from the application logs. Who is accessing the application and what transactions are the performing. You can look for patterns, which in many cases could indicate a situation that needs to be investigated.
Step 2: Refine the Thresholds
Remember the REACT FASTER doctrine? That’s all about making sure you learn about an issue as quickly as possible and act decisively to head off any real damage. Since you are gathering a very comprehensive set of data now (from Step 1), the key to being able to wade through all that data and make sense of it are thresholds.To be clear, initially your thresholds will be wrong and the system will tend to be a bit noisy. You’ll get notified about too much stuff because you are better off setting loose thresholds initially, then missing the iceberg (yes, it’s a Titanic reference). But over time (and time can be measured in weeks, not months), you can and should be tightening those thresholds to really narrow in on the “right” time to be alerted to an issue.The point is all about automation. You’d rather not have your nose buried in log data all day or watching the packets fly by, so you need to learn to trust your thresholds. Once you have them in a comfortable place (like the Three Bears) not too many false positives, but not too few either. Then you can start to spot check some of the devices, just to make sure.Constant improvement is all about finding the right mix of data sources and monitoring thresholds to make an impact. And don’t think you are done tuning the system – EVER. What’s right today is probably wrong tomorrow, given the dynamic nature of IT infrastructure and the attack space.
Step 3: Document thyself
Finally, once your system is operating well, it’s time to revisit all of those reports you generate. Look from a number of different perspectives:
- Operational reporting – You probably want to be getting daily (weekly at a minimum) reports, which pinpoint things like attacks dropped at the perimeter, login failures, and other operational data. Make sure by looking at the ops reports you get a great feel for what is going on within your networks, data centers and applications. Remember that security professionals hate surprises. These reports help to eliminate surprises.
- Compliance reporting – The reports that help you run your security operation are not necessarily what an auditor is going to want to see. Many of the security platforms have pre-built reports for regulations like PCI and HIPAA. Use these templates as a starting point and work with your auditor or assessor and make sure your reports are tuned to what they both expect and need. The less time you spend generating compliance reports, the more time you are spending fixing issues and building a security strategy.
Congratulations, you are ready for your diploma. If you generally follow some of the tips and utilize many of the resources built into your security management platform, you can make a huge impact in how you run your security environment. I won’t be so bold as to say you can “get ahead of the threat,” because you can’t. But you can certainly REACT FASTER and more effectively.
Good luck on your journey, and you can always find me at http://blog.securityincite.com.
The widely used Adobe Flash Player has a zero day flaw that is being targeted by a number of attackers who set up more than 200,000 Web pages to exploit the flaw.
Software patches, which are sent over the Internet to protect computers from newly discovered security holes, could help the bad guys as well as the good guys, according to research recently presented at the IEEE Symposium on Security and Privacy. The research shows that attackers could use patches to automatically generate software to attack vulnerable computers, employing a process that can take as little as 30 seconds.
There is always a lag between the time a new virus hits the web and the time a patch is created and antivirus definitions updated, which often gives the virus several hours to proliferate across thousands of machines (The Adobe flaw is a perfect case in point). In addition, virus signatures are changing constantly and often the same virus can come back with a slight variation that is enough to elude antivirus systems.
Prism Microsystems positioned in Magic Quadrant by leading analyst firm.
Prism Microsystems, a leading provider of SIEM solutions to the midsize enterprise market, today announced that it has been positioned by Gartner in the recently published ‘Magic Quadrant for Security Information and Event Management, 1Q08’ report.
We put version 6.0 of EventTracker to the test and found it on par with rivals in ease of use, and ahead in scalability.
It’s pretty astonishing what shows up knocking on your firewall trying to get in. Even so, data in the second half of 2007 showed that the internal threat, while less frequent, is more expensive. With insiders now added to a list of threats that includes mutating viruses and target-specific attacks…
Featured Case Study
Autoscribe uses integrated Log and Change Management for broadest coverage of PCI requirements and to detect emerging attack vectors such as zero-day and mutating malware. Read case study at .