Industry Whitepaper: 2011
© Critical Watch 2012

The Emergence of Security Business Intelligence: Risk Management through Deep Analytics & Automation

Mike Curtis


Introduction

As an industry we are rich in data, but poor in information and even further away from true intelligence. We continue to chase the advanced persistent threat that inevitably evolves as we adopt new technology. Protection technologies advance to address new threats and, slowly but surely, more mature solutions begin to reach the end of their productive life. Riding this point-solution conveyor belt, most enterprises today have amassed a vast, disparate and complex array of solutions deployed throughout their security architecture. These solutions sit at various points of the information stack to perform their specific functions inside the layered security model. The problem is that each solution is specialized for its job and presents risk, state, event, compliance – fill in the blank – data that is specific to its purpose. The result is that we are quite proficient at generating data, and a lot of it, but that data is siloed, fragmented, and even owned and used by different constituents in the organization. This leads to inefficient and incomplete security processes. Security practitioners are forced to act in the absence of good information. So the question is…

How do we synthesize our understanding of risks across all the layers of the stack and then enable a unified, coordinated response?

How often are we able to transform that data into real insight that enables action? How do we create true intelligence that helps us better understand the threat environment as well as leverage our security architecture in new and powerful ways to protect ourselves?


chase new threats. SIEM and ITGC solutions have come along in recent years to begin to help enterprises make sense of it all. But we must still push forward beyond correlating and providing visibility and coordination with key controls. We must achieve a better understanding of security risk and provide new ways to articulate security and compliance requirements inside of the critical business services that are fundamental to an organization. Fuse these elements with big data analytics and automation and you can deliver Security Business Intelligence.

Current State of the Industry

While the security and compliance world is fast maturing, the promise of completely solving security through technology remains very far out on the horizon. This means the fundamental process of assessing risk and compliance against policies will not go away anytime soon. Even today, with the creation of standards like Open Vulnerability and Assessment Language (OVAL) and Security Content Automation Protocol (SCAP), the vulnerability management process is a challenging one, often involving manual efforts with less than perfect information on which to prioritize effort.

- Vulnerability assessment still largely revolves around a scan-and-patch paradigm, but there are numerous operational and business obstacles that make it difficult to simply patch or otherwise directly mitigate every discovered issue.

- It's very difficult to drive a consistent, complete risk assessment process spanning network, application and web layers from pre-production software development through to standard operating systems, off-the-shelf software and network devices. This is because these tools operate in different worlds and involve differing mitigation strategies.


- Interoperability among solutions is mostly centered on standard ways to express vulnerabilities, software and weaknesses, events and configuration state. Interoperability to drive smarter, more automated remediation is just beginning.

- Although some converged security solutions are emerging, most enterprises have numerous security products deployed that address varying types of risks and threats, each operating at a specific layer of their defense-in-depth model. As a result, we have layer-specific data, resulting in siloed processes and information.

- Security and operations functions are still in the process of converging. Those responsible for performing a remediation task and those in the security organization have information needs that differ. This causes challenges when trying to facilitate a security process across functional areas.

It's very difficult to compare an already complex and challenging risk assessment process with both the existing security countermeasures that are in place as well as new applicable countermeasures, so that the optimal mitigation strategy is deployed. Of course, all of this must also be carried out under the umbrella of corporate security & compliance policy. This gap creates exposure, duplication of effort, non-compliance and overall inefficiency and higher costs to secure the environment and comply with regulations.

The Next Chapter: Security Business Intelligence


begin to view security as something that can be visualized, optimized and fine-tuned, instead of always playing from behind. Big data analytics combined with the evolution of standards and next level automation are the tools to deliver on security business intelligence.

- Big data analytics will be applied to security to enable a smarter, more agile approach to risk management.

- More and more security processes will become automated using policy-based workflows.

- First generation solutions such as stateful firewalls and signature-based antivirus, already becoming increasingly ineffective in the face of new threat vectors, will become obsolete.

- Risk data will be assimilated and unified across the different risk inputs, including vulnerabilities, software weaknesses, configuration state data and malware data.

- Next generation remediation decision frameworks will identify how discovered risks are already being mitigated by presently installed countermeasures.

- Interoperability will become more prevalent, with more evolved, useful applications.

- A common platform to facilitate seamless processes across security, compliance and operations must emerge.

- New ways to express risk and compliance requirements inside of a business service context will emerge.

- Next generation intelligence platforms will show risks and threats with added situational context (identity, time of day, business application) to enable better security processes.

What chief information security officers really need is a solution that unifies the elements of risks, articulates the attributes of those risks and intelligently maps them to the most effective countermeasures based on those attributes to enable action.

The Role of Standards Going Forward


validation of configuration compliance. By creating standard ways to define software flaws/vulnerabilities, misconfigurations, software weaknesses and system names, a foundation for interoperability is put in place.

- OVAL acts as the chassis to enable a standardized approach to performing vulnerability or system characteristic assessment.

- Extensible Configuration Checklist Description Format (XCCDF) acts as a meta policy language to formalize security policy guidance into sets of OVAL checks.

- SCAP is the fundamental protocol, or set of specifications, that connects all these components.

Newer efforts are building on the pieces described above to apply the same approach to create standard ways to articulate emerging attack patterns and facilitate interoperability among risk sources and threat protection solutions.
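The XCCDF-to-OVAL relationship described above, as an added example that is not part of the original whitepaper: each XCCDF rule carries a check that delegates its test to an OVAL definition by id, and a compliance tool has to resolve those references before it can run anything. The benchmark and OVAL documents below are constructed samples (example.org ids), and the second rule deliberately points at a definition that does not exist, so the resolver has to report a dangling reference rather than silently skip the rule.

```python
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample benchmark: two XCCDF rules, each delegating its test to an OVAL definition.
XCCDF_DOC = f"""<Benchmark xmlns="{XCCDF}" id="xccdf_org.example_benchmark_demo">
  <Rule id="xccdf_org.example_rule_ssh_root_login" severity="high">
    <title>Disable root login over SSH</title>
    <check system="{OVAL}"><check-content-ref href="oval.xml" name="oval:org.example:def:1"/></check>
  </Rule>
  <Rule id="xccdf_org.example_rule_telnet_removed" severity="medium">
    <title>Telnet server package not installed</title>
    <check system="{OVAL}"><check-content-ref href="oval.xml" name="oval:org.example:def:99"/></check>
  </Rule>
</Benchmark>"""

# Constructed sample OVAL definitions; def:99 is intentionally absent to exercise the unresolved path.
OVAL_DOC = f"""<oval_definitions xmlns="{OVAL}">
  <definitions>
    <definition id="oval:org.example:def:1" class="compliance" version="1">
      <metadata><title>sshd PermitRootLogin set to no</title></metadata>
    </definition>
  </definitions>
</oval_definitions>"""


def index_oval_definitions(oval_xml):
    """Map OVAL definition id -> (class, title) from an oval_definitions document."""
    root = ET.fromstring(oval_xml)
    out = {}
    for d in root.iter(f"{{{OVAL}}}definition"):
        title = d.find(f"{{{OVAL}}}metadata/{{{OVAL}}}title")
        out[d.get("id")] = (d.get("class"), title.text if title is not None else "")
    return out


def resolve_rule_checks(xccdf_xml, oval_xml):
    """For each XCCDF rule, resolve its OVAL check reference; unresolved refs are reported, not dropped."""
    defs = index_oval_definitions(oval_xml)
    rows = []
    for rule in ET.fromstring(xccdf_xml).iter(f"{{{XCCDF}}}Rule"):
        ref = rule.find(f"{{{XCCDF}}}check/{{{XCCDF}}}check-content-ref")
        oval_id = ref.get("name") if ref is not None else None
        rows.append({
            "rule": rule.get("id"),
            "severity": rule.get("severity"),
            "oval_id": oval_id,
            "resolved": oval_id in defs,           # False means policy says "check this" but no test exists
            "oval_title": defs.get(oval_id, (None, None))[1],
        })
    return rows
```

A row with `resolved` set to False is the kind of gap between policy and assessment the whitepaper is pointing at: the requirement is formalized in XCCDF, but nothing will ever evaluate it on the host.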


ACI Platform™ (Active Countermeasure Intelligence)

Critical Watch™ has built the first and only Active Countermeasure Intelligence technology to respond to these challenges. It infuses security solutions with the deep analytics and intelligent automation needed to address the modern risk management challenge. It is a flexible software framework designed for rapid deployment and integration across a wide range of disparate devices and risk input sources, with a central intelligence engine built on Big Data technology.

Risk Collection Agents collect risk data and normalize it through the appropriate risk input APIs into the ACI Recommendation Engine™, which holds a set of core taxonomies of Recommendation Analytics that link risks to the most effective countermeasures. Countermeasure Control Agents gather state and configuration data from countermeasures as well as perform remediation tasks orchestrated through Countermeasure Policy Workflows.

[Figure: ACI Platform components: Taxonomy, Collection & Control, Policy]
