Risk-based Security Buyer's Guide:
Addressing Enterprise-class Threats on an SME-class Budget
Executive Summary
Every day we read about new breaches. They are so frequent, and the volume of records breached so astronomical, that people are starting to get desensitized. This is good and bad for information security professionals. On the positive side, there is no longer any issue convincing management that malware, hacking and breaches are serious issues. On the negative side, desensitization can lead IT security budget holders to wonder if continually adding more technology – and the people and resources to run it – is a failed strategy.
Organizations are in a cyber arms race they cannot win: bolting on increasingly sophisticated products to defend against increasingly sophisticated threats. There are diminishing returns with this approach, and this is particularly true for Small- to Medium-sized Enterprise (SME) organizations. SMEs increasingly face the same threats as large enterprises, without the resources necessary to defend against them. The question every organization, and SMEs in particular, must ask is: what is the right option, and how do we get the maximum ROI from it?
To succeed, we must change the rules of the game. This requires fundamental shifts in the way cyber defense is developed, deployed and operated. The shift begins by refocusing from a stopping-intruders-at-the-border strategy to an incident response strategy. It requires combining multiple functions into advanced platforms to reduce CapEx and reducing OpEx by shifting from a threat-based model to a risk-based model. This is the only way to get out of the cyber arms race and the only way SMEs have a fighting chance of reducing costs to affordable and sustainable levels.
All organizations are under attack
Unlike large enterprises, SMEs typically follow a check-box security approach, driven by compliance with industry, regulatory and legislative mandates. Vendors, too, approach SMEs differently, delivering lower-powered, stripped-down versions of their enterprise-class solutions. Essentially, they offer basic security matching SME budgets and “needs”. This logic had some validity a few years back, but today it is totally wrong: 61% of targeted attacks in 2013 were against companies with 2,500 or fewer employees.[i]
To underscore this point, the 2013 breach of a major retailer did not start with a direct assault on their IT infrastructure. It started at an HVAC contractor that was working for the retailer.[ii] As described by numerous sources, hackers took advantage of weak security controls at the HVAC contractor combined with direct access to the retailer’s network.
Technology plays a critical role in detection and incident response
Today, standard operating procedure for security organizations dealing with increasing threats is bolting on increasingly sophisticated technologies: anti-virus, router ACLs, firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), web reputation services, web application firewalls, Security Information and Event Management (SIEM), anti-malware gateways, endpoint virtualization, etc. Table 1 summarizes the current state of these technologies.
Unfortunately, despite the billions of dollars spent buying these technologies (CapEx) and the hundreds of billions of dollars spent implementing and operating them (OpEx), cyber defense is getting worse, not better. In 2013, the average time between infection and breach was days or less. Less than a quarter of affected organizations discovered these breaches in the same timeframe: most organizations took weeks, months or longer. And the trend lines are going in opposite directions: time-to-breach is decreasing, while time-to-discover is increasing.[iii]
Organizations of all sizes must find ways to reverse these trends without spending the entire IT budget on information security. Though this sounds crazy, in 2013 a United States Department of Commerce sub-agency actually spent more than half its annual IT budget on unnecessarily responding to a breach infection, including destroying $170,000 worth of IT equipment.[iv] According to a recent study, 77% of IT staff incorrectly reported the cause of security incidents to their executives.[v]
Firewall (FW)
  Network location: Internet ingress/egress and network segmentation points (physical and virtual)
  Intended purpose: Block network access by unauthorized users, systems and applications
  Key characteristics: In-line, high-performance stateful filtering and inspection; proxy
  Key concerns: Increasingly porous; onerous rule management; significant overlap between FW, WAF and NextGen FW

Intrusion Detection System (IDS)
  Network location: Network segment level (NIDS) in physical and virtual infrastructure; host resident (HIDS)
  Intended purpose: Detect suspicious network activity that may be malicious
  Key characteristics: Anomaly detection; signature-based detection; heuristics
  Key concerns: High false positive rates lead to defense erosion; detection only

Intrusion Prevention System (IPS)
  Network location: In-line network segment level (NIPS) in physical and virtual infrastructure; host resident (HIPS)
  Intended purpose: Detect and block malicious activity
  Key characteristics: Protocol aware and can offer virtual patching; signature, anomaly and heuristic-based detection; high availability and throughput
  Key concerns: Expensive to implement at speed; similar false positive issues as IDS; significant overlap between IDS and IPS

Web Reputation Services
  Network location: Internet ingress/egress and/or cloud
  Intended purpose: Detect and block malicious web traffic
  Key characteristics: Signature, blacklist and anomaly detection
  Key concerns: Often overlaps with FW services

Security Information and Event Management (SIEM)
  Network location: Centralized location (SOC or NOC)
  Intended purpose: Collect and correlate events and alerts from security, application and network functions
  Key characteristics: Data analytics to isolate security events
  Key concerns: More often used for audit and compliance purposes only, due to the difficulty of root-cause analysis; can be expensive (proprietary) or open source; requires significant human capital investment to build and tune custom rules on an ongoing basis

Antivirus (AV)
  Network location: Endpoint, host and network deployments; supports virtual and physical infrastructure
  Intended purpose: Detect malware on endpoints and hosts
  Key characteristics: Signature, anomaly and heuristic-based detection and analysis
  Key concerns: Can be resource intensive and expensive to implement and manage correctly; increasingly ineffective in malware detection

Anti-Malware Gateway (AMG)
  Network location: Typically network-based virtual execution sandboxes; sometimes integrated with FW, AV and IPS
  Intended purpose: Provides a safe environment to watch malicious code as it executes
  Key characteristics: Anomaly, signature and heuristics-based analysis; can detect complex malware
  Key concerns: Determining a file’s malware likelihood requires evaluation of the entire file; susceptible to underlying kernel exploits and code obfuscation

Table 1 - Cyber Defense Technologies
Back to basics: incidents and incident response
Industry research is clear that networks are, or will be, compromised; it is only a matter of time. The days of stopping the intruders at the gate are over. A successful cyber defense must identify incidents and respond in time to prevent breach or unsustainable damage. The first step to accomplishing this is proper instrumentation, historically requiring three core technologies from Table 1: Firewall, Intrusion Detection System (IDS) and Security Information and Event Management (SIEM). For this discussion, we assume all organizations have already deployed a firewall.
The challenge for organizations of all sizes – and SMEs in particular – is that the cost to procure, operate and leverage these technologies may easily exceed information security budgets.
As an example, IDS and SIEM CapEx ranges from “free” to $100,000+. The loaded costs of operating these products and successfully interpreting and leveraging their outputs can easily range from $100,000 to $1,000,000 per year! Clearly, OpEx is the greater challenge.
Maximizing CapEx while minimizing OpEx requires two key steps:
1) Separating form from function
2) Shifting from threat-based security to risk-based security
Separating form from function
As discussed above, implementing an incident response system requires IDS and SIEM functionality. Each one delivers a specific function: IDS detecting possible intrusions and SIEM correlating security events. The differences between one vendor’s products and another vendor’s products include ease of implementation, performance, accuracy and of course, cost.
To reduce product cost, vendors are starting to combine IDS and SIEM functionality. The good news is this reduces CapEx. The bad news is it does nothing to reduce OpEx. This is because current IDS and SIEM products (separate or combined) are built on a threat-based security model. As discussed below, this model is outdated, increasingly ineffective and OpEx intensive.
Achieving affordable and sustainable IDS and SIEM costs (CapEx and OpEx) requires combining both functions into one product and shifting to a risk-based security model.
Threat-based security
The fundamental goal of threat-based security is finding the proverbial “needle in the haystack” in time to protect the organization from a likely attack. Unfortunately, the “haystack” is usually a daily onslaught of millions of events and alerts! As a real-world example, a Fortune 500 insurance company’s Intrusion Detection System (IDS) alone generates over 830 million alerts a month.
A threat-based approach consolidates and correlates all of these alerts to identify the threats (malware, exploits, etc.) and take action to mitigate and remediate the threat. This is an OpEx-intensive process, and is often conducted offline rather than in real time. Threat-based security – by definition – looks for threats by relying heavily on alerts triggering signature and anomaly-based detection; though sandbox approaches are also gaining momentum.
The advantage of this approach is that threats are eventually discovered, though often long after the exploit has run its course and the damage is done. The downside is that this approach feeds the arms race:
• Threat-based systems generate a high percentage of false positives wasting significant staff time tracking down nonexistent threats
• This drives the need for ever-faster and more sophisticated technologies (shown in Table 1) with the hope of keeping up with the increasing volume of alerts and
Figure 3 - Contextual Risk-based Analysis
Taking a risk-based approach
In contrast, a risk-based approach builds contextual relevance over time to identify systems having the greatest evidence of compromise. It doesn’t start with technology, but rather with a risk management framework such as those developed by NIST, ISACA, OCTAVE and ISO. Discussing these frameworks is beyond the scope of this paper, but they typically describe the mechanics of evaluating and assigning risk to the organization’s IT assets. Reference links can be found at the end of the paper. Once the organization defines its risks, it must consider potential exploits in the context of these risks. But more than context alone, organizations must also evaluate behavioral relevance over time. For example, on the 15th and 30th of the month, a payroll application connecting to ADP is a normal event. Or, is it? What if an attempted escalation of privileges occurred on the payroll application server on the 14th? And, maybe on the 1st of the month, there were new registry entries on a user’s computer in the HR department? This is the point where we bring in technology. A tremendous amount of intelligence and processing is needed to visualize – in real time – the potential targets against the IT asset’s value (from a risk perspective).
If it walks like a Duck and talks like a Duck….
There is a fundamental difference between a threat-based approach and risk-based behaviors that may lead to threats, even without knowing what the threat is. Though this sounds counterintuitive, it is possible to minimize risk without knowing the exact threat underway. For example, malware almost always follows a set of behaviors. By closely tracking these key steps (see our advanced infection lifecycle model) mapped against the relative system risk over time, it is possible to discern a potential attack without ever seeing the actual attack itself. Essentially, it is possible to categorize suspicious behavior into a profile independent of a confirmed exploit or malware sample.
Rather than spending days sifting through individual alerts and events, a risk-based approach allows IT personnel to focus on what’s most important: the assets they protect. Going back to the Fortune 500 insurance company example, the company was using an integrated appliance with IDS and SIEM functions built upon a risk-based security model. The 830 million alerts were automatically distilled down to 67,000 behavior profiles. Each profile was automatically monitored and mapped against the risk determination of each system. The end result was that 16 systems (out of 37,000 in total) were identified as potentially at risk. Perhaps most importantly, there were zero false positives and staff did not waste time on forensic evidence collection and investigation. The company did not need to identify specific malware binaries to identify high-risk behaviors or to generate the evidence needed for early intervention. In the process, the company significantly reduced its OpEx associated with incident response.
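The two sections above describe the mechanics of risk-based distillation in prose: alerts are collapsed into per-asset behavior profiles over a time window, a profile is judged on the distinct behaviors it contains rather than on alert volume, an expected business flow (the payday connection) only becomes interesting when an escalating behavior preceded it on the same asset, and the result is weighted by the asset's risk rating. The following Python sketch is an added illustration of that logic; it is not the product or the infection lifecycle model the paper refers to. The asset names, risk ratings, behavior categories, weights and sample alerts are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed asset risk ratings (1 = low, 5 = critical), as a risk framework
# assessment would produce them. Asset names and ratings are constructed.
ASSET_RISK = {"payroll-app-01": 5, "hr-ws-17": 3, "kiosk-03": 1}

# Assumed behaviour categories and weights. "expected_outbound" is a known
# business flow (the payday connection in the text) and scores nothing alone.
BEHAVIOUR_WEIGHT = {
    "expected_outbound": 0,
    "recon": 1,
    "persistence": 2,
    "privilege_escalation": 3,
}
# Behaviours that, once seen on an asset, make a later "expected" flow suspect.
ESCALATING = {"persistence", "privilege_escalation"}
EXPECTED_IN_CONTEXT_WEIGHT = 4


@dataclass(frozen=True)
class Alert:
    when: datetime
    asset: str
    behaviour: str
    detail: str


@dataclass
class Profile:
    asset: str
    observations: Counter  # behaviour -> number of raw alerts collapsed into it
    first_seen: datetime
    last_seen: datetime
    score: int = 0


# Constructed sample alerts modelled on the payroll scenario in the text.
NOW = datetime(2014, 6, 15, 12, 0)
SAMPLE_ALERTS = [
    Alert(datetime(2014, 4, 20, 3, 0), "payroll-app-01", "recon", "failed login from unknown host"),
    Alert(datetime(2014, 5, 30, 8, 0), "payroll-app-01", "expected_outbound", "scheduled payroll processor connection"),
    Alert(datetime(2014, 6, 1, 9, 12), "hr-ws-17", "persistence", "new registry entry under a Run key"),
    Alert(datetime(2014, 6, 14, 22, 3), "payroll-app-01", "privilege_escalation", "attempted privilege escalation"),
    Alert(datetime(2014, 6, 15, 8, 0), "payroll-app-01", "expected_outbound", "scheduled payroll processor connection"),
    Alert(datetime(2014, 6, 15, 8, 5), "kiosk-03", "recon", "port scan of internal subnet"),
    Alert(datetime(2014, 6, 15, 8, 6), "kiosk-03", "recon", "port scan of internal subnet"),
    Alert(datetime(2014, 6, 15, 8, 7), "kiosk-03", "recon", "port scan of internal subnet"),
]


def build_profiles(alerts, now, window=timedelta(days=30)):
    """Collapse every alert inside the window into one profile per asset.
    Repeated alerts for the same behaviour become a single observation."""
    profiles = {}
    for a in sorted(alerts, key=lambda x: x.when):
        if now - a.when > window:
            continue  # too old to be part of the current behavioural picture
        p = profiles.get(a.asset)
        if p is None:
            p = Profile(a.asset, Counter(), a.when, a.when)
            profiles[a.asset] = p
        p.observations[a.behaviour] += 1
        p.last_seen = a.when
    return profiles


def score_profile(p):
    """Score distinct behaviours, not alert volume, then weight by asset risk."""
    escalated = any(b in ESCALATING for b in p.observations)
    behaviour_score = 0
    for b in p.observations:
        if b == "expected_outbound" and escalated:
            behaviour_score += EXPECTED_IN_CONTEXT_WEIGHT  # normal flow, abnormal context
        else:
            behaviour_score += BEHAVIOUR_WEIGHT.get(b, 1)
    p.score = behaviour_score * ASSET_RISK.get(p.asset, 1)
    return p.score


def prioritize(alerts, now, threshold):
    """Return (profiles at or above threshold, raw alert count, profile count)."""
    profiles = build_profiles(alerts, now)
    for p in profiles.values():
        score_profile(p)
    ranked = sorted(profiles.values(), key=lambda p: p.score, reverse=True)
    return [p for p in ranked if p.score >= threshold], len(alerts), len(profiles)


if __name__ == "__main__":
    flagged, n_alerts, n_profiles = prioritize(SAMPLE_ALERTS, NOW, threshold=5)
    print(f"{n_alerts} alerts -> {n_profiles} profiles -> {len(flagged)} at risk")
    for p in flagged:
        print(f"  {p.asset}: score {p.score}, behaviours {dict(p.observations)}")
```

Run stand-alone, the eight constructed alerts collapse into three profiles and two assets cross the threshold: the payroll server, because its ordinary payday connection follows a privilege escalation attempt, and the HR workstation with the new registry entry. The kiosk's three identical scans count as one low-weight behaviour on a low-value asset and drop out, which is the volume-versus-behaviour distinction the text draws. The same two payday connections with no prior escalation score zero.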
Changing the rules of the game
To increase effectiveness, reduce OpEx and reverse the breach detection and response trends, companies must move quickly from a cyber-alert- and threat-based security model to an evidence- and risk-based model. Though a risk-based approach still processes the same number of events, it provides contextual, real-time risk and exploit visualization: visualizing risk over the entire duration; analyzing events and alerts in the context of the malware advanced infection life cycle; and prioritizing risk – according to an organization’s risk appetite – based on both historical and current network state.
A new approach for SMEs
As discussed above, SMEs are already under attack and often do not have the resources (staff and technology) to launch a successful threat-based cyber defense. A risk-based cyber defense provides the following benefits:
1. Breaks the habitual act of throwing new technology at the problem. SMEs have the opportunity to significantly improve cyber defense without dedicating half of their IT budget to information security
2. Presents defense in the behavioral context of risk. It gives IT security professionals the tools to prioritize their defense and response to exploits in relation to real-time risk
3. Separates form from function and takes the argument of anomaly-based detection versus signature versus sandboxing off the table, because it is not necessary to know the exact exploit while still protecting the corporate assets
4. Presents a means to visualize corporate assets’ risk and prioritize incident response
Shifting to a risk-based cyber defense strategy is the only way SMEs will successfully address enterprise-class threats on an SME-class budget.
This paper began with the assertion that SMEs are in a no-win situation facing ever-increasing attack sophistication along with the associated ever-increasing cost of defense (primarily OpEx). Technology plays a key role in cyber defense, though a risk-based approach with the right exploit and asset visualization limits the necessary OpEx associated with these technologies.
Risk management framework links:
NIST - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
ISACA - http://www.isaca.org/Knowledge-Center/Risk-IT-IT-Risk-Management/Pages/default.aspx
OCTAVE - http://www.cert.org/resilience/products-services/octave/
ISO - http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
[i] Symantec Internet Security Threat Report 2014. 2013 Trends, Volume 19. April 2014.
[ii] http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
[iii] Verizon 2014 Data Breach Investigations Report.
[iv] Agencies Need to Improve Cyber Response Practices, GAO-14-354, April 2014.
[v] Emulex 2014 Visibility Survey. July 15, 2014.
Top 5 Questions to ask your vendors
To figure out how to minimize OpEx while instrumenting for incident response and a risk-based security model, ask current and potential technology vendors the following questions:
1) By how much can you demonstrably reduce the response time, i.e. the time between exploit, detection and the associated response?
2) How do you quantify the incremental benefit of adding your security technology to my information security architecture?
3) How does your solution augment or replace any of my current security technology?
4) How does your solution map into a threat-based or risk-based approach?
5) What are the projected CapEx and OpEx for your technology in Year 1, Year 2 and Year 3?