SIEM in the days of recession

In October 2007 Gartner published a paper titled “Clients Should Prepare a ‘Recession Budget’ for 2008”. It suggested that IT organizations should be prepared to respond if a recession forces budget constraints in 2008. It's still early in 2008, but the Fed appears to agree and has acted strongly by dropping key interest rates fast and hard.

Will this crimp your ability to secure funding for security initiatives? Vendor FUD tactics have been a bellwether, but fear-factor funding is waning for various reasons. These include:

* crying wolf
* the perceived small impact of breaches (as opposed to the dire predictions)
* the absence of a widespread, debilitating (9/11 style) malware attack
* the realization that most regulations (e.g. HIPAA) have weak enforcement

As an InfoSec professional, how should you react?

For one thing, understand what drives your business and align with it, as opposed to retreating into techno-speak. Accept that the company you work for is not in the business of being compliant or secure. Learn to have a business conversation about InfoSec with business people. These are people who care about terms such as ROI, profit, shareholder value, labor, assets, expenses and so on. Recognize that their vision of regulatory compliance is driven mainly by the bottom line. In a recession year, these are more important than ever before.

For another thing, expect a cut in IT costs (IT is, after all, most often viewed as a “cost center”). This means staff, budgets and projects may be lost.

So how does a SIEM vendor respond? In a business-like way, of course: by pointing out that one major reason for deploying such solutions is to “do more with less”; by automating the mundane, thereby increasing productivity; by retaining company-critical knowledge in policy so that you are less vulnerable to a RIF; and by avoiding downtime, which hurts the bottom line.

And as Gabriel Garcia Marquez observed, maybe it is possible to have Love in the Time of Cholera.

– Ananth

The role of host-based security

In the beginning, there was the Internet.
And it was good (especially for businesses).
It allowed processes to become web enabled.
It enabled efficiencies in both customer facing and supplier facing chains.

Then came the security attacks.
(Toto, I’ve got a feeling we’re not in Kansas any more).
And they were bad (especially for businesses).

So we firewalled.
And we patched.
And we implemented AV and NIDS.

Are we done then?
Not really.

According to a leading analyst firm, an estimated 70% of security breaches are committed from inside a network's perimeter. This in turn is responsible for more than 95% of intrusions that result in significant financial losses. As a reaction, nearly every industry is now subject to compliance regulations that can only be fully addressed by applying host-based security methods.

Security Information and Event Management systems (SIEM) can be of immense value here.

An effective SIEM solution centralizes event log information from various hosts and applies correlation rules to highlight (and ideally thwart) intrusions. In the case of the “insider” threat, exception reports and review of privileged user activity are critical activities.
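To make the “exception report over privileged user activity” idea concrete, here is a small added example (not EventTracker's or any vendor's code) that centralizes constructed log lines from several hosts and flags privileged-account activity that departs from an assumed policy. The record format, the privileged-account list, the per-account host allowlist and the business hours are all assumptions.

```python
"""Added example: exception report over constructed multi-host log lines.
Record format, privileged accounts, host policy and hours are assumed."""
import re
from datetime import datetime

PRIVILEGED = {"admin", "svc_backup"}
# Hosts each privileged account is expected to touch (assumed policy)
ALLOWED_HOSTS = {"admin": {"dc01", "fs01"}, "svc_backup": {"fs01"}}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time
LINE = re.compile(r"(\S+) host=(\S+) user=(\S+) action=(\S+)")

# Constructed sample of centralized records from three hosts
LOG = """\
2008-02-11T09:02:11 host=dc01 user=admin action=logon
2008-02-11T09:05:40 host=fs01 user=svc_backup action=logon
2008-02-11T23:41:05 host=dc01 user=admin action=logon
2008-02-11T23:42:17 host=dc01 user=admin action=group_change
2008-02-12T10:12:00 host=ws07 user=svc_backup action=logon
2008-02-12T10:30:22 host=fs01 user=jsmith action=group_change
"""


def parse(text):
    """Turn the raw lines into records; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, host, user, action = m.groups()
            out.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "user": user, "action": action})
    return out


def exceptions(records):
    """Flag privileged activity outside policy and admin actions by non-admins."""
    findings = []
    for r in records:
        reasons = []
        if r["user"] in PRIVILEGED:
            if r["ts"].hour not in BUSINESS_HOURS:
                reasons.append("off-hours")
            if r["host"] not in ALLOWED_HOSTS[r["user"]]:
                reasons.append("unexpected host")
        elif r["action"] == "group_change":
            reasons.append("admin action by non-privileged user")
        if reasons:
            findings.append((r["ts"].isoformat(), r["host"], r["user"],
                             r["action"], reasons))
    return findings
```

Running `exceptions(parse(LOG))` yields four findings: two off-hours admin events on dc01, a backup account logging on to a workstation it is not expected to touch, and a group change performed by an ordinary user.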

If your IT Security efforts are totally focused on the perimeter and the internal network, you are likely to be missing a large and increasingly critical “brick in the wall”.

– Posted by Ananth

Are you worth your weight in gold?

Interesting article by Russell Olsen on Windows Change Management on a Budget

He says: “An effective Windows change management process can be the difference between life and death in any organization. Windows managers who understand that are worth their weight in gold…knowing what changed and when it changed makes a big difference especially when something goes wrong. If this is so clear, why do so many of us struggle to implement or maintain an adequate change control process?”

Olsen correctly diagnoses the problem as one of discipline and commitment. Like exercising regularly, it's hard, but there is overwhelming evidence of the benefits.

The EventTracker SIM Edition makes it a little easier by automatically taking system (file and registry) snapshots of Windows machines at periodic intervals for comparison either over time or against a golden baseline.
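The snapshot-and-compare approach described above, as an added example that is not EventTracker's code: it records a digest, size and permission bits for every file under a root, then diffs a later snapshot against the golden baseline to report what was added, removed or changed. Registry snapshots are left out so the example runs on any operating system, and the sample tree is constructed in a temporary directory.

```python
"""Added example: file-system snapshots compared against a golden baseline.
Registry snapshots are omitted so this runs on any OS."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map each file under root (as a /-separated relative path) to
    (sha256 hex digest, size in bytes, permission bits)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[rel] = (digest, st.st_size, stat.S_IMODE(st.st_mode))
    return snap


def diff_snapshots(baseline, current):
    """Return files added, removed and changed relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline
                     if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sample: build a 'golden' tree, then let it drift."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    _write(os.path.join(root, "bin", "svc.exe"), b"original service binary")
    _write(os.path.join(root, "hosts"), b"127.0.0.1 localhost\n")
    golden = snapshot(root)
    # Simulated drift: binary replaced, hosts file deleted, unknown DLL dropped
    _write(os.path.join(root, "bin", "svc.exe"), b"modified service binary!")
    os.remove(os.path.join(root, "hosts"))
    _write(os.path.join(root, "bin", "dropper.dll"), b"unknown")
    return diff_snapshots(golden, snapshot(root))


if __name__ == "__main__":
    print(demo())
```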

Given the gap between outbreak and vaccine for malware and attacks, as well as the potential for innocuous human error when dealing with complex machinery, the audit function makes it all worthwhile. The CSI 2007 survey shows the annual loss from such incidents to be $350,000.

Avoiding such losses (and regular exercise) will make you worth your weight in gold.

– Ananth

Understanding where SIM ends and log management begins

In my travels, I tend to run into two types of security practitioners. The first I’ll call the “sailor.” These folks are basically adrift in the lake in a boat with many holes. They’ve got a little cup and they work hard every day trying to make sure the water doesn’t overcome the little ship and sink their craft.

The others I’ll call the “builders,” and these folks have gotten past the sailor phase, gotten their ship to port and are trying to build a life in their new surroundings. Thus, they are trying to lay the foundation for a strong home that can withstand whatever the elements have to offer.

Yes, there is a point to these crazy analogies. When you are talking about security management, the sailors don’t have a lot of time to worry about anything. They do the least amount necessary to keep whatever limited security defenses they have up and running. The idea of security information management, log management, configuration management or pretty much [anything] followed by the word management, just isn’t in their vernacular.

In this piece I’m going to focus on the builders. These folks are looking for something a bit more strategic now and they are asking questions like, “do I need SIM?” and “what about log management?” If you are in that camp, consider yourself lucky because many practitioners don’t get there.

To be clear, the title is a little bit disingenuous. I don’t really think that SIM ends and log management begins anywhere. All of these disciplines are coming together into a next generation security management PLATFORM, and based on these platforms I see a lot of security professionals finally starting to make some inroads. You know, more effectively managing their environments.

I don’t have the space to tell the full history of security management, so in a nutshell: the discipline has evolved from stand-alone consoles that were built specifically to manage a class of device (firewall, VPN, IPS, etc.) to a central console mentality. This has mapped cleanly to the evolution of most network security vendors’ product lines. They started as specialists focusing on one discipline (firewall, IPS, etc.) and have now broadened their offerings into integrated devices that offer multiple functions. Their management consoles reflect that.

But that doesn’t really solve most customers’ problem, which is that they’ve got a heterogeneous set of security devices and it’s neither time nor resource efficient to manage those devices separately. So an overlay management console dubbed SIM (security information management) was built to integrate the data coming from these specific devices, correlate it, and then tell the administrator what they need to focus on.

This was a bit better (although first generation SIMs cost too much and took too long to get value), but it still didn’t address an emerging problem: the need for forensically clean information that could be used for compliance and incident investigations. Thus, a few years ago, the log management business was born.

Now many practitioners want the best of both worlds. The nerve of you folks! Basically, you want to be able to correlate operational data so you can react faster to imminent attacks, but also make sure the data is gathered and stored in a way that ensures it’s useful for investigations and compliance reporting.

The good news is that this isn’t too much to ask for, and a number of vendors are now bringing these next generation security management platforms to market. What are some of the characteristics of these new offerings? Basically, I believe the PLATFORM must be built on a log management foundation.

Why? Because data integrity is paramount to ensuring the information will stand up in a court of law. So that means the log records (or any other gathered info like Netflow data or transactions) must be cryptographically signed and sequenced. This ensures the data hasn’t been tampered with and creates evidence that cannot be questioned, even by the savviest of vultures – I mean, defense attorneys.
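What “cryptographically signed and sequenced” buys you, as an added example rather than any vendor's implementation: each record carries a sequence number, the MAC of the previous record and an HMAC over all of that, so an edit, a deleted record or a reordering breaks the chain at a verifiable position. The signing key, the record layout and the sample log lines are assumptions constructed for the example.

```python
"""Added example: hash-chained, HMAC-signed, sequenced log records with a
verifier that reports where the chain first breaks."""
import copy
import hashlib
import hmac
import json

# Constructed key. In practice the key lives in an HSM or on a separate
# signing host, not next to the logs it protects.
KEY = b"demo-signing-key"
GENESIS = "0" * 64  # "previous MAC" for the first record


def _mac(seq, prev, message):
    body = json.dumps({"seq": seq, "prev": prev, "msg": message}, sort_keys=True)
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()


def append(chain, message):
    """Append a record linked to its predecessor and signed with KEY."""
    seq = len(chain)
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"seq": seq, "prev": prev, "msg": message,
                  "mac": _mac(seq, prev, message)})
    return chain


def verify(chain):
    """Return (True, None) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = _mac(i, prev, rec["msg"])
        if (rec["seq"] != i or rec["prev"] != prev
                or not hmac.compare_digest(expected, rec["mac"])):
            return False, i
        prev = rec["mac"]
    return True, None


def demo():
    """Constructed log lines; each tampering case is checked separately."""
    chain = []
    for line in ["admin logon from 10.0.0.5",
                 "admin added jsmith to Domain Admins", "admin logoff"]:
        append(chain, line)
    results = {"intact": verify(chain)}
    edited = copy.deepcopy(chain)
    edited[1]["msg"] = "admin viewed audit policy"   # edit hides the group change
    results["edited"] = verify(edited)
    deleted = copy.deepcopy(chain)
    del deleted[1]                                   # record removed outright
    results["deleted"] = verify(deleted)
    swapped = copy.deepcopy(chain)
    swapped[1], swapped[2] = swapped[2], swapped[1]  # records reordered
    results["reordered"] = verify(swapped)
    return results
```

Sequencing is what catches deletion and reordering; the MAC alone would only catch edits, and storing the key alongside the logs would let anyone who can edit them re-sign the result.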

You also want to make sure the data isn’t reduced. With first generation SIMs, the vendors had no choice but to use data reduction techniques in order to get on top of the sheer volume of information. That’s no longer a problem, thanks to the constant march of Moore’s Law on the technology industry. Now ALL of the data can be stored, and it should be – at least for a certain amount of time.

Finally you want to make sure the security management platform’s management environment will fit into your own personal workflow. That’s absolutely critical because you’ll have to live in this tool a large portion of every working day. Does it provide you with the ability to customize the environment and provide the information YOU need, not what the vendor thinks you need?

Sounds like a cool vision, no? It is, but it’s usually a pretty big project to get there. So I advocate a phased approach that allows you to focus on what problem you need to solve TODAY and build towards the future. It’s kind of like building a house. You may not need a pool today, but if that’s something you think you’d like – you better make sure there is space in the back yard to accommodate those plans.

That’s why I take a platform approach to building your security management environment. Take an application-centric approach, built on top of a common foundation (that’s the platform). SIM is an application. So is network behavior analysis and configuration management. These applications can be driven by the data stored in the platform and the platform can be extended to meet all of your requirements over time.

Industry News

2007 CSI computer security survey shows average loss shot up to over $350,000 due to security incidents

Other key findings:

– Financial fraud overtook virus attacks as the source of the greatest financial losses.
– Another significant cause of loss was system penetration by outsiders.
– Insider abuse of network access or e-mail edged out virus incidents as the most prevalent security problem, with 59 and 52 percent of respondents reporting each respectively.

Societe Generale: A cautionary tale of insider threats

The $7.2 billion in fraud against French banking giant Societe Generale wasn’t your garden variety cyber attack, but it illustrates an insider threat that gives IT pros nightmares.

FERC approves cyber security standard for power grid

Developed by the North American Electric Reliability Corp. in 2006, the standard emphasizes log retention and review in sections R5.1.2, 6.4 and 6.5. Access a copy of the Cyber Security Standard for Systems Security Management here.