Advanced cyber-security intelligence

(1)

[email protected]

Clive Longbottom Quocirca Ltd Tel: +44 771 1719 505 Email:

Advanced cyber-security intelligence

Real time defence of business data and IT users through the use of next

generation SIEM

July 2012

Traditional IT security defences have been built using point security

products. These are good for protecting against specific threats; for

example firewalls limit access to networks, anti-virus software detects

malware on given devices and encryption protects stored data. However,

cyber security threats have now emerged that can only be detected by

correlating information from a wide range of sources, including point

security products themselves.

Most organisations already have much of the required data to achieve this

but not the tools needed to process it. This has led to the emergence of

next generation SIEM (security information and event management) tools.

These enable the real time correlation of IT intelligence data and for many

advanced threats to be foiled or pre-empted that would have been

previously undetectable.

This paper presents a value proposition for investing in next generation

SIEM tools.

It should be of interest to any business, security or IT manager

that wants to get ahead in the security stakes and make their organisation

less likely to be a victim than the next one.

(2)

Advanced cyber-security intelligence

Real time defence of business data and IT users through the use of next generation SIEM

Cyber security threats are becoming increasingly complex and can often only be detected by looking at data from multiple sources. This includes the logs from point security products, information about IT systems and the data that is used to store knowledge of users and their rights and other contextual information. A correlated view of all this data enables unforeseen attacks to be thwarted as they happen, as well as providing IT security teams with the insight to do their jobs more effectively and improve base security.

Many security

threats cannot be

detected with point

products

Point IT security products, such as firewalls, anti-virus software and intrusion prevention systems, aim to stop individual threats as and where they occur but do not provide the advanced correlation needed to prevent many advanced cyber security threats. For example, a user request to attach to the network with a known device may look normal, but would not be valid if the device had been reported stolen the day before.

IT security has

become a ‘big data’

problem

Detecting complex threats in real time requires the cross correlation of large volumes of data in real time. Those charged with ensuring the security of their organisation’s assets face a ‘big data’ problem, similar to the broader business intelligence problem that comes with extracting value from the rapidly increasing volumes of electronically stored information.

Analysing large

volumes of IT

intelligence data

requires new tools

The use of log management andsecurity information and event management (SIEM) tools has become commonplace in larger businesses over the last decadefor reviewing events that have already occurred. Now the next generation of SIEM tools has emerged. By processing and correlating data in real time, enforcing pre-programmed rules and observing suspicious activity these tools enable the mitigation of cyber security threats that may otherwise go unnoticed.

Next generation

SIEM tools need to

make finely balanced

decisions

If the tools are too sensitive then a valid, but unusual, action by a bona fide user may be blocked, causing frustration and damaging productivity. Next generation SIEM tools not only detect advanced threats but also enable quick decisions to be made about when to block access, when to allow it and when to alert security staff. They also provide IT security teams with the insight needed to know when human intervention is required.

IT intelligence data

can also be used to

improve base

security

It is not just about stopping individual events; the data gathered by such tools can provide a continuous feed to enable any organisation to improve its security posture and to adjust policy to allow users to work more effectively and reliably. IT intelligence data can also provide an insight beyond IT security itself, enabling better management of IT systems and applications to improve the efficiency of business processes and user productivity.

To justify required

investments it is

necessary to look at

added value as well

as reduced risk

Advanced cyber security intelligence is obviously about reducing risk, but that alone may not be enough to win the backing for the required investment in next generation SIEM tools. There are also cost savings that come from avoiding the clean up after cyber security failures and avoiding potential fines if an event leads to a leak of regulated data. Value must also be added to the equation; greater overall confidence in IT systems means business processes can be pushed harder, increasing productivity and freeing IT staff to spend time focussed on innovation rather than fire fighting.

Conclusions:

So much criminal activity and political activism has now been displaced from the physical world to cyber space, or at least extended to cover both, that IT security employees are now in the frontline when it comes to ensuring that the businesses they serve have the ability to function and that their continued good reputation is ensured. To this end they must be enabled with the tools that give them a broad insight into IT infrastructure, applications and user activity to protect their business from attacks tomorrow that no one can envisage today.

(3)

Advanced cyber-security intelligence

Introduction; beyond point security products

Nation states have known for centuries that putting point security measures in place, such as border controls and passports, to protect their territory, citizens and other assets is not enough. The best levels of protection are only achieved through proactively monitoring potential enemies and foiling their actions in real-time or, better still, pre-empting them. There will still be security breaches, but the constant gathering and effective use of intelligence ensures the number is minimised and that those with responsibility for security are able to make better informed decisions.

Security failures have occurred in the past due to poor correlation of security intelligence. Some analysts consider that the failure of the FBI and CIA to share intelligence meant the planning for Sept 11th 2001 terrorist attacks in the USA went undetected1. Even if good intelligence exists, not correlating it well with other information can lead to poor decision making with the consequent serious results.

Businesses have always had to focus on security too. For example, banks have always worried about armed robbers walking through the doors of branches; to counter this threat point security products, such as bullet proof glass screens and video surveillance cameras were installed. However, the effect was to displace the crime elsewhere; when bank branches had become too hard to raid criminals started to target the vans that moved cash to and from them.

The past decade has seen a massive displacement of threats for both governments and businesses from the physical to the virtual world. The savvy bank robber no longer covers their face with a stocking but hides behind an anonymising internet proxy or passes themselves off as an insider on IT systems using a stolen identity. The opening up of the online world is a reality that businesses have not been able to ignore, not least because they need to exploit the opportunities that abound.

Businesses must also recognise that protection online requires going beyond the use of traditional point IT security tools. That is not to say they are no longer necessary, but that they do not offer the level of defence required. For example:

 Anti-virus software may not detect a zero day attack on a given server. Correlating server access logs to identify that the same server is being used to contact many other servers and user end-points on the same private network and is sending messages home to an unusual IP address would give an early warning that something is amiss (Figure 1). The recently identified Flame malware worked in a similar way to this.

 An intrusion prevention system (IPS) may prevent multiple failed attempts to access a server from a particular IP address, but may not see that data is already being copied from that server due to a single successful penetration from the same IP address (Figure 2). Correlating log and event files could identify that two such events are related and lead to the prevention of a data theft. A so-called advanced persistent threat (APT) could have this sort of profile.

(4)

Advanced cyber-security intelligence

Recent research conducted by OnePoll2 amongst IT decision makers at UK-basedorganisations suggests some already understand these deficiencies; around half the respondents believed that it is doubtful breaches can be prevented or are, indeed, inevitable regardless of the security measures in place (Figure 3). Proactive real time intelligence gathering and correlation is needed to foil and pre-empt the wide array of increasingly sophisticated threats. However, many businesses lack the necessary tools and visibility to achieve this; 47% admitted that data is only analysed after an event has occurred (Figure 4).

Good cyber security intelligence is fundamental to preventing advance security threats and enabling security staff to do their jobs effectively. The real time use of correlated security intelligence can identify activities that may otherwise go unnoticed and prevent them from happening in the first place. Such intelligence also enables good decision making; IT staff need to react to fast moving events and be confident to raise the alarm and know how loud it should be: however, they do not want to be accused of crying wolf.

This paper presents a value proposition for investing in next generation SIEM tools that enable a business to make use of a wide range of information sources to achieve these goals. It explains how proactive use of IT intelligence can counter threats as they happen rather than uncovering them after the event. It should be of interest to any business, security or IT manager that wants to get ahead in the security stakes and make their organisation less likely to be a victim than the next one.

(5)

Advanced cyber-security intelligence

Sources of IT intelligence data

Businesses have a problem with data; they are increasingly overwhelmed by it and are often unable to extract the expected value. This applies to both the business data that IT systems are there to gather, manage and provide access to in the first place, and also the data gathered about the use of business data itself and the IT systems that process and store it. This includes log data and audit trails; the gathering and analysing of all this IT intelligence data is essential to protecting against advanced security threats.

IT intelligence data is the key to providing the insight that enables proactive threat mitigation and protection of business data from theft and misuse. By understanding how IT systems are being used and the threats that surround these systems and their users, the core security and value of IT can be better ensured.

The struggle to get to grips with, and extract value from, overwhelming volumes of business data has been dubbed the ‘big data’ issue in recent years. A similar struggle exists with IT intelligence data, which is also generated in large volumes. For example, the latest high performance network routers and switches may have gigabytes of solid state storage to hold log information about the millions of packets of data they process per second. Security products are constantly generating log files too, whilst file servers and databases maintain logs of who has accessed what and when. All this can only be made sense of in the context of access rights extracted from identity and access management systems and other contextual information.

Another complication is introduced by the increasing use of on-demand (cloud-based) services. Information needs to be gathered from the providers of such services about the traffic flowing to and from them. Furthermore, to provide pervasive security coverage, security staff also need to be aware of the use of these services directly by lines of business and employees, something which is increasingly done without the upfront endorsement of the IT department.

The growing diversity and mobility of devices used to access IT applications and data add more complexity (this includes the growing use of employee-owned devices). User devices can be both a cause of data leaks and a source of security threats. Point security products, including data loss prevention (DLP), end-point security tools and encryption can help, but recognising that a known device is being used in an unusual way requires reviewing it in the context of broader network, geographic and temporal information.

Table 1 lists the range of sources for IT intelligence data. The need to gather, store and process so much IT intelligence data from so many sources is the reason IT security has become a big data issue. Addressing the problem requires new tools with the capability to process this data in real time. Some of the vendors of SIEM tools are now adapting their products to address the problem; so-called next generation SIEM.

(6)

Advanced cyber-security intelligence

Table 1: Sources of IT intelligence data

IT infrastructure

Network devices: logs from routers, switches,

information from network access control (NAC)

tools, NetFlow data

Security devices: logs from firewalls, IPS, other

security appliances

Servers: log files from servers in data centres,

branch offices; physical, virtual and public cloud

based

User end-points: device information, network

context, access history, records of ownership and

records losses

SCADA (supervisory control and data

acquisition) infrastructure: data about the

operation of and access to industrial control

systems, their network mapping and access history

Access data

Databases: access logs

Other data access information: monitoring the use

of content, data from data loss prevention systems

and content filtering systems

Business applications: access logs both for

on-premise and on-demand applications

Web access data: includes information about what

is being downloaded to and from web sites; feeds

from DLP tools and web filtering systems

Email records: who has been sending what to

whom?

Vulnerability information

3rd party feeds: from other IT vulnerability

assessment and mitigation systems, e.g. Rapid 7,

Qualys and FireEye

Software integrity information: patch state of

operating systems, firmware, database and

applications, list of known flaws

Known malware: List of known malware that may

be used as part of more complex attacks

User information

User records: data from directories that defines

who are authorised users and what groups they are

assigned to, this includes information about current

and past job roles

Access rights: current access rights for a given user

or group of users

Privileged access rights: records of the temporary

or permanent assignment of privileges to named

users

Guest access rights: information from network

access control systems about areas of networks

enabled for guest access

Third party access rights: records of outside

organisations and users that have been authorised to

access infrastructure and applications

‘Machine’ access rights: not all access is by

people; software applications and devices are also

regularly assigned access rights, for example to

carry out automated sys-admin tasks

Other data

Change control systems: list approved sys-admin

activities

Locational data: IP and cellular geolocation –

where access requests are coming from

Regulatory/standard information: for example

IS0 27001, which many organisations have adopted

as an IT security baseline

Industry bodies: provide advice to members on

known complex attack types and how to coordinate

defence against them

Social media feeds: may identify that a given

organisation is likely to be subject to attack,

pressure group campaigns etc.

Weather: unusual weather conditions in a certain

area may account for observed large scale changes

in user activity

Time: accurate coordination is not possible without

good timekeeping; an accurate source of time is

needed across different systems and often needs to

be added to records to make them useful

(7)

Advanced cyber-security intelligence

Next generation SIEM defined

The capability to collect and analyse IT intelligence data has been available for a number of years, enabled by tools for log file management, security event management (SEM), security information management (SIM) and file integrity monitoring. One of the reasons that log management tools, in particular, emerged was that, due to the growing volumes of log data being generated, log files were being overwritten, especially on old devices with limited storage; maintaining a central database is the only way to ensure log data is available in the long term for compliance purposes.

In 2005, Gartner coined the term SIEM (security information and event management) to characterise products that brought many of these capabilities together into an integrated product set. SIEM tools were mainly about taking a retrospective view of what had happened for compliance and governance purposes. Pulling together information from disparate sources could show auditors who had been accessing what and when. However, this was all after the event; more timely use of IT intelligence data could prevent unwanted events happening in the first place. This required an upgrade of existing SIEM tools to enable the real time processing of ‘big data’.

This has led to the emergence of next generation SIEM tools that can do just this; analyse and correlate IT intelligence in real time. This includes data currently being generated and the huge volumes of existing log and event data. By doing this it is possible to recognise and stop advanced threats as they happen. Of course, more than fast processing is required; the tools must have the intelligence to evaluate irregularities and decide whether they represent true threats or not; this is important as over sensitivity will lead to annoying disruptions in the day-to-day use of IT and damage productivity.

Table 2 lists the capabilities to be expected in next generation SIEM tools.

Table 2: features of next generation SIEM tools



The ability to process and analyse large volumes of IT intelligence data in real time



Advanced correlation engine to process information from disparate sources



The ability to enforce advanced rules that link disparate events and prescribe what should happen if

there is an anomaly



The intelligence and insight to act and prevent security breaches as they happen



The ability to adapt and improve future responses



The use of data from external sources to provide information on the new types of threat that have

been observed elsewhere



The capacity for the long term storage of IT intelligence data in a central repository



Intuitive interface to enable IT security staff with the insight into historic data and what is happening

now

(8)

Advanced cyber-security intelligence

Applying next generation SIEM through advanced correlation

The key to understanding the value proposition for investing in next generation SIEM is to understand the insight provided by correlating IT intelligence data. This includes finding links between seemingly disparate events and the ability to apply policy in real time by linking existing logs, records of past events and other data with current activities. The ability to do this provides a new level of security that no individual security device or measure can offer stand-alone. This is best illustrated through a series of examples of advanced cyber security threats and how they can be countered through such correlations using

next generation SIEM.

Impossible access requests: it may be normal for a

known user to access a given application remotely and out of office hours, but not if the request is coming from a location where they cannot physically be (Figure 5). Correlating each access request against the previous successful access request and checking the geographic location of the devices used can identify a physically impossible event such as a user having moved from London to Paris in the space a few minutes or hours, even if the bona fide user’s job role could see them legitimately in both locations. Mobile network service providers use similar techniques for detecting fraud in their networks.

Non-compliant movement of data: it might be usual for

an employee to access customer information; it may also be usual for them to download it to a file for reporting reasons. However, for them to copy the data to a non-compliant location, for example a cloud storage resource in a certain country, should raise an alarm (Figure 6). There may be no malicious intent here; perhaps this is an example of a line-of-business commissioning its own cloud resources (an increasingly common practice). This requires rules that understand user access rights and compliance rules and the ability to correlate these in real time with attempts to copy data and the location of the target storage service.

Absence of an event: SCADA systems are often

controlled using human machine interfaces (HMI); this requires someone to be present, which, with a physical security measure in place, should be preceded by a record of the employee involved having used an ID badge to enter the premises in question. So, if an action is logged on an HMI system at a remote location that is not preceded by a valid record of physical entry, then either someone has gained unauthorised access or the HMI has been hacked remotely. An advanced correlation rule that looks for the presence of the badge reader log within a specified time prior to and HMI access request enables such a breach to be detected (Figure 7).

(9)

Advanced cyber-security intelligence

Anomalous sys-admin activity: if a system

administrator account has been compromised there may be an attempt to create a new account for future use. Correlating this activity with a change control system will identify that the creation of such accounts has not been authorised (Figure 8).

Unexpected access routes: some databases are only

normally accessed via certain applications, for example credit card data is written by an e-commerce application and only read by the accounts application; access attempts via other routes should raise an alarm if the tools are in place to correlate such events and observe that a rule about the normal access route is being broken (Figure 9).

Sys-admin failures: next generation SIEM is not just

about preventing security breaches, it can also help ensure sys-admin tasks are complete; for example a backup process is started, but no log for backup completed is generated (Figure 10). Searching logs and correlating them to check the various events in the backup process have all happened ensures that the task has been successfully completed.

(10)

Advanced cyber-security intelligence

Taking action

Detecting a threat in real time or in advance is all well and good, but what action should be taken? In some cases an immediate and drastic action to block access to an individual or stop an application or process may be justified, but this is not always the case. If security settings are over sensitive then this can lead to annoying disruptions to the valid use of IT. Poor intelligence may lead security staff to hit the panic button too soon or too late. There may also be good reasons for taking another course on certain occasions; for example, letting a criminal action continue long enough to gather forensic evidence for a prosecution.

Furthermore, it may not be possible to stop complex attacks, such as those that form part of an APT, by taking any one single action; this may require putting the whole organisation on alert including taking proactive PR measures to limit reputational damage. If an attack is part of a broader campaign against an organisation then countermeasures may be required at all sorts of levels beyond IT systems, including in the news rooms and law courts, and there must be a team armed with necessary intelligence to coordinate this. Sony’s slow and awkward response to an attack by the hacking organisation Anonymous in 2011 is an example of an organisation failing to achieve these goals.

What should be done in all cases is that an alarm is raised to security staff, so that even if automated actions are not taken they are in a position to intervene and make executive decisions as quickly as possible. They can also be better informed when making those decisions. Over time, next generation SIEM tools can provide even greater insight as they can adapt; recognising if anything similar has been seen before, what happened on the last occasion, the action that was taken and what was the outcome.

Businesses know they cannot fend off every attack; 28% of respondents were so gloomy in the OnePoll research that they said it is doubtful that breaches can be prevented (see Figure 3). Thankfully, many more are less pessimistic, but even they must plan for falling foul of an advance cyber security attack at some point. Planning for this means ensuring there is immediate access to the information required to provide forensic support for the clean-up. However one of the main aims of having advanced cyber security tools in place should be to stop attacks in real time or pre-empt them by improving an organisation’s overall security posture. To this end many IT security managers will need to make the case for investment new or upgraded technology.

(11)

Advanced cyber-security intelligence

Conclusion: a total value proposition for next generation SIEM

Quocirca’s total value proposition (TVP) analysis looks at the expected return from any given investment in terms of risk reduction, cost saving and value creation. There are a number of factors in all three areas that can be put into a proposition for the investment in next generation SIEM.

The case certainly needs to be made. 52% of respondents to the OnePoll research stated that the proportion of IT budget spent on security had not gone up in the last five years (Figure 11). However, respondents felt that the emergence of new regulations is one of the best ways of engaging with senior level management involved in the IT security decision making process (Figure 12).

Financial risk is also a good way to get the ear of those who control the purse strings; 77% stated that the growing threat of data breach penalties could help motivate and increase spending (Figure 13). But once the discussion is underway, a more positive case can and should be made for the investment in proactive cyber security intelligence.

This discussion should focus on reduction of business risk, the control of business cost and the creation of business value.

Risk reduction

From the evidence presented in this report it should be clear where next generation SIEM tools could help reduce risk. These include:

 Insight into risks that cannot be seen using point security tools

 IT security teams empowered with the information to act (or take no action) with confidence

 Improved base security

 Rapid response to limit reputational damage

Cost saving

Security failures can be an expensive business, investing upfront to avoid them is far better than unbudgeted spending to clear up the mess after the event:

 Avoidance of penalties for data breaches  Automation of time-consuming data analysis

(12)

Advanced cyber-security intelligence

Value creation

The more confidence a business has in the use of IT the better positioned it is to exploit the huge business value that it provides:

 Better protection of IT assets means higher availability  More IT staff time is freed up to focus on core value

 There is more confidence to innovate with IT in the knowledge that its use is more secure  Confidence to fully exploit business processes

 An open communications environment for employees, partners and customers where the business is protected from the potentially harmful actions of users, be they intentional or accidental

So much criminal activity and political activism has now been displaced from the physical world to cyber space, or at least extended to cover both, that IT security staff are now in the front line when it comes to ensuring that their businesses can continue to function and ensuring its continued good reputation. To this end they must be enabled with the tools that give them a broad insight into IT infrastructure, applications and user activity to protect their business from attacks tomorrow that no one can envisage today.

References

1_{Wedge: From Pearl Harbor to 9/11, The Secret War Between the FBI and CIA, Mark Riebling, 1994 (updated 2002)} 2

OnePoll research commissioned by LogRhythm, into 200 UK-based at businesses with more than 1,000 employees (Spring 2012)

(13)

About LogRhythm

LogRhythm is the leader in cyber threat defence, detection and response. The company’s SIEM 2.0 security

intelligence platform delivers the visibility, insight and remediation required to detect the previously undetectable and address the mutating cyber threat landscape. LogRhythm also provides unparalleled compliance automation and assurance as well as operational intelligence to Global 2000 organisations, government agencies and mid-sized businesses worldwide.

For more information on LogRhythm please visit http://www.logrhythm.com, follow on Twitter: @LogRhythm

or read the LogRhythm blog.

LogRhythm Inc. 4780 Pearl East Circle,

Boulder CO., 80301 Get Directions [email protected] LogRhythm Ltd. Siena Court The Broadway Maidenhead Berkshire SL6 1NJ United Kingdom [email protected]

LogRhythm Asia Pacific Ltd 8/F Exchange Square II 8 Connaught Place, Central

Hong Kong [email protected] Phone: (303) 413 - 8745 Fax: (303) 413-8791 Phone: +44 (0)1628 509 070 Fax: +44 (0)1628 509 100 Phone: +852 2297 2812 Fax: +852 2297 2289 LogRhythm France SARL

171 bis, Boulevard Charles de Gaulle 92200 Neuilly sur Seine

[email protected] LogRhythm Germany GmbH Landsberger Strasse 302, D - 80687 München [email protected] Phone +33 1 40 88 11 80 _{Phone +49 89 90405 245}

(14)

Advanced cyber-security intelligence

About Quocirca

Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to provide advice on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca’s clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP, Xerox, EMC, Symantec and Cisco, along with other large and medium-sized vendors, service providers and more specialist firms.

Details of Quocirca’s work and the services it offers can be found at http://www.quocirca.com Disclaimer:

This report has been written independently by Quocirca Ltd. During the preparation of this report, Quocirca has used a number of sources for the information and views provided. Although Quocirca has attempted wherever possible to validate the information received from each vendor, Quocirca cannot be held responsible for any errors in information received in this manner.

Although Quocirca has taken what steps it can to ensure that the information provided in this report is true and reflects real market conditions, Quocirca cannot take any responsibility for the ultimate reliability of the details presented. Therefore, Quocirca expressly disclaims all warranties and claims as to the validity of the data presented here, including any and all consequential losses incurred by any organisation or individual taking any action based on such data and advice.

All brand and product names are recognised and acknowledged as trademarks or service marks of their respective holders.

REPORT NOTE:

This report has been written independently by Quocirca Ltd to provide an overview of the issues facing organisations seeking to maximise the effectiveness of today’s dynamic workforce.

The report draws on Quocirca’s extensive knowledge of the technology and business arenas, and provides advice on the approach that organisations should take to create a more effective and efficient environment for future growth.