Move to intelligence-driven security

FEATURE

Fear the hacker, not the auditor

A data breach can be more damaging in the long term than a failed audit. Security is a process that goes beyond compliance: CIOs need to stop buying technology for technology's sake and start buying the systems and tools that fit their organisation as a whole. There is a plethora of security products available to enterprises, addressing different threats at different levels, from DDoS attack mitigation to network and data security. Identifying which of them suit your organisation is fundamental to putting the right measures in place.

Collaborate with service providers and peers

Some controls are better suited to delivery by service providers, such as network-based controls, various managed security services, and risk and vulnerability assessments. Take note of which security measures have been identified as the best fit for your business and use the right people to implement them.

To an extent, working with peers can also help ensure that good practices are in place across the industry sector in which you operate. There are limits to the kind of data that can be shared, of course, but sharing metadata about incidents can still bring mutual benefits within the sector.

Conclusion

There are no silver bullets here, but with the right processes in place, many of the data breaches we read about over the past year could have been avoided. Cyber-criminals work together to discover, refine and share the most effective methods and strategies for attacking your organisation; you need to do the same to fight back.

About the author

As Level 3's senior vice president of managed security services, Chris Richter is responsible for the company's global managed and professional security services line of business. With 30 years of experience in IT, he has held a number of leadership positions in managed security, IT consulting and sales with several technology product and services organisations. He served most recently as vice president, managed security services at CenturyLink. For more than a decade, he has assisted numerous IT organisations in adapting their premises-based infrastructure risk management programmes and security controls to outsourced, virtualised and shared-infrastructure services. He has acted as both a board member and technical advisor for technology firms, and writes and speaks regularly about cyber-security, risk management and IT outsourcing.


Move to intelligence-driven security

Ricky Knights, Cyberoam, and Emma Morris, VCW Security

Network Security, August 2015

Today's disruptive enterprises face unprecedented security challenges. The evidence is already compelling: cyber-attacks and network breaches are increasing in frequency, volume and complexity, and they are drilling holes in the networks of the world's largest corporations (Fortune 500 firms included) and government establishments. For CSOs and CISOs, the question to ask is: what has happened to next-generation firewalls and endpoint protection? The bevy of attacks, the evolving threat landscape and the growing malware mayhem only hint that more security breaches are inevitable. There is no easy fix available, nor can we pray to Zeus for a 'magical sandbox' or cure-all panacea, and it would be unrealistic to expect the situation to improve in the short term. The existing security infrastructure at many organisations is undeniably porous, and decades of poor design cannot be overhauled merely by applying a few patches.

Impeded visibility

There are flaws in our security posture: many security gaps exist and most businesses do not understand their baseline security needs. As a result, most organisations do not really know how many data and information assets they have. If the truth be told, the hardened perimeter is fading fast and de-perimeterisation is a reality. Cloud, virtualisation, BYOx and the IT-led 'perfect storm' of increased collaboration are turning the traditional view of enterprise network security on its head, robbing IT and security managers of essential security controls and impeding visibility into user and network events. The big-data enterprise is here, yet security remains on the back burner. The high volumes of data stored, and the many users who have access to that data in large, distributed and increasingly collaborative organisations, make effective control a daunting challenge.

Let's take a look at some real-world data that validates this perspective. According to a report covered by the CNBC news service towards the end of 2014, unwitting employees handed over the 'keys to the castle' to hackers at several leading Fortune 500 firms. The report elaborates that nearly 44% of Fortune 500 companies have had employees' stolen email addresses and passwords exposed in Internet forums used by cyber-criminals, giving these hackers easy access to sensitive business and customer data, particularly where those passwords are reused on corporate systems. The report also found that breaches of many sites are seldom reported to the authorities, so employees and corporate IT managers are often unaware that the information has been exposed. This hints at two possible outcomes: either many of these sites lack sophisticated security and so remain susceptible to hackers, or they suffer from unregulated Internet access and are devoid of actionable security intelligence about user activities and the health of endpoints on the network.

Figure 1: The cyber kill chain.

Unifying network and endpoint security

Fortunately, that perfect storm of threats and IT-driven transformation is not all stress and doom, if security leaders are prepared. By making network and endpoint protection work together, enterprises can not only combat threats more effectively but also narrow security gaps, prevent unauthorised access and strengthen defences with simplicity. Organisations troubled by network security in an increasingly mobile environment know that the growing volume of endpoints is their weak spot, where information assets and infrastructure are particularly prone to new cyber-threats. Hackers and cyber-adversaries target endpoints as a back door into enterprise networks. The primary concern must be the ever-evolving attack methods, which are capable of bypassing traditional perimeter-focused security. They can compromise endpoints and enterprise networks through watering-hole attacks, spear-phishing, social engineering and encouraging targeted users to interact with malicious files, websites or links. Moreover, a large number of endpoints are mobile devices that are used both within and outside the traditional perimeter. Unfortunately, legacy security systems are unable to secure the mobile workforce or to monitor, regulate and report Internet and data usage on mobile endpoints once they move outside the perimeter. Lastly, managing a growing volume and variety of endpoints is itself a significant administrative challenge for IT security teams, creating massive logistical overhead to deploy security policies and controls for multiple agents on each endpoint device.

To respond to these challenges, a new and holistic approach is being explored: unify and integrate a broad set of technologies across network and endpoint security, and strengthen them further with cloud-based threat intelligence and security management. The approach aims to foster communication and a security coalition between network, server and endpoint protection. Most existing security paradigms suffer from a reactive and fragmented approach, with multiple infrastructures, overlapping functionality and several management systems that are not kept in sync.

Table 1: The difference between information and intelligence. Source: Dark Reading.

Information                                                        | Intelligence
Raw, unfiltered data.                                              | Processed, sorted and distilled information.
Unevaluated when delivered.                                        | Evaluated and interpreted by trained expert analysts.
Aggregated from virtually every source.                            | Aggregated from reliable sources and cross-correlated for accuracy.
May be true, false, misleading, incomplete, relevant or irrelevant. | Accurate, timely, complete (as far as possible) and assessed for relevancy.

Beyond the kill chain

The key aspect of the above approach is that it allows security executives and managers to look beyond clichéd practices, including the reactive way in which the cyber kill chain is usually applied. Figure 1 depicts the widely adopted model of the cyber kill chain, first conceived by Lockheed Martin. The model gives security managers a framework for understanding threat actors, their likely sources and the successive phases of an attack, so that organisations can improve their network defences; it helps them address threats proactively and develop the desired level of readiness for imminent attacks. However, much has changed since the framework was introduced, and it has not been adopted as originally intended. We often hear from security analysts that there is a growing need to embed security in core business processes, including the way IT is consumed. Yet many enterprises still fail to take a proactive approach to keeping their networks, IT assets, data, users and reputation safe from evolved threat actors, because their approach is flawed and continues to be reactive. This leaves their networks 'open for business' for hackers, however inadvertently. But why is this happening? It is not because businesses take network security lightly, with network breach and data loss incidents making the headlines almost daily. Rather, businesses rely too heavily on myopic or reactive security methods that are in need of overhaul, and this blinds the thinking of security managers. There is a need to depart from this approach, which focuses on preventing known or external threats and fails to take into account threats from insiders or those that use evasive methods. Most enterprises are cutting themselves off from critical and actionable threat intelligence that would otherwise help them identify unknown threats, anomalies in network events and suspicious user activities. These are largely threats that have slipped past traditional defences and are either actively siphoning off mission-critical data or lying low, undetected, awaiting further instructions from a command-and-control server. Even traditional signature-based protection cannot detect malware crafted with evasive or polymorphic code: each new build changes its byte-level attributes, so a signature or file hash taken from one sample does not match the next, and the malware leaves little consistent trail to match on.
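To make the polymorphism point concrete, here is an added illustration that is not part of the original article. Two constructed byte strings stand in for two builds of the same loader: a per-build junk prefix, operand values and XOR key change every cryptographic hash, so a hash indicator taken from build A misses build B, while a wildcard byte signature over the invariant opcode skeleton (the approach YARA hex strings take) still matches both and not the benign string. The opcodes, the signature and the byte strings are assumed for illustration; nothing here is executable or taken from a real sample.

```python
"""Hash-based vs wildcard byte signatures against a constructed polymorphic
loader. The byte strings are stand-ins made up for this example; nothing here
is executable or taken from a real sample."""
import hashlib
import re


def build_variant(junk: bytes, key: int) -> bytes:
    """Two builds share the opcode skeleton 'push imm32; call rel32; add esp,4'
    but differ in operands, junk prefix and XOR-obfuscated body, as a
    polymorphic packer would arrange (constructed, not a real packer)."""
    assert 0 <= key <= 0xFF
    skeleton = (b"\x68" + key.to_bytes(4, "little")              # push imm32
                + b"\xe8" + (0x1234 + key).to_bytes(4, "little")  # call rel32
                + b"\x83\xc4\x04")                                # add esp, 4
    body = bytes(b ^ key for b in b"constructed-payload-stub")
    return junk + skeleton + body


def sha256_hex(data: bytes) -> str:
    """The kind of file-hash indicator a signature feed would carry."""
    return hashlib.sha256(data).hexdigest()


def signature_to_regex(sig: str) -> "re.Pattern[bytes]":
    """Compile '68 ?? ?? ?? ?? E8 ...' into a bytes regex; '??' matches any one byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def matches(sig: str, data: bytes) -> bool:
    return signature_to_regex(sig).search(data) is not None


# Wildcard signature over the invariant opcodes; the operands are left open.
LOADER_SIG = "68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04"

VARIANT_A = build_variant(b"\x90" * 7, 0x11)
VARIANT_B = build_variant(b"\xcc\x90\xcc", 0x5E)
# Constructed prologue/epilogue bytes with no push/call pair, as a negative control.
BENIGN = b"\x55\x89\xe5\x83\xec\x10\x31\xc0\xc9\xc3"

if __name__ == "__main__":
    print(sha256_hex(VARIANT_A) == sha256_hex(VARIANT_B))  # False: the hash IOC misses the rebuild
    print(matches(LOADER_SIG, VARIANT_A), matches(LOADER_SIG, VARIANT_B), matches(LOADER_SIG, BENIGN))
```

The caveat that goes with this: a wildcard signature is only as good as the invariant it anchors on, and an attacker who also varies the instruction sequence (metamorphic code) defeats it too, which is why the article's argument moves from signatures to behavioural context and intelligence.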

Threat intelligence sharing

'Threat intelligence' perhaps sounds like a watered-down phrase, but there is much more that needs to be done by the 'guardians of the enterprise network security galaxy'. Security vendors, as well as independent and in-house teams of threat researchers at various enterprises, continuously hunt for new threats and zero-day vulnerabilities and run deep investigations. Although a massive volume of threat research exists, most of it remains raw or unprocessed information. Compounding the problem is inadequate support for the formats and frameworks that make sharing possible: long-established ones such as CVE identifiers and Snort rule syntax, and more contemporary frameworks such as STIX and TAXII. (Strictly speaking, CVE names vulnerabilities and Snort rules express detection signatures; STIX and TAXII are the ones designed for representing and exchanging threat intelligence itself.) While threat intelligence and actionable information sharing can help focus and prioritise the use of massive volumes of complex network security information, organisations first need a standardised, structured representation of that information in order to turn it into manageable intelligence that can be shared with security vendors, partners, industry peers and other trustworthy sources. STIX (a language for describing indicators, threat actors, campaigns and the relationships between them) and TAXII (the transport protocol for exchanging STIX content) aim to make threat intelligence expressive, flexible, extensible, automatable and as human-readable as possible.

Table 1 illustrates the difference between information and intelligence. It is critical to value this distinction in today's era of big data, where almost every connected enterprise is a big-data organisation. A wide array of networking devices, security devices and a proliferation of endpoints and users generate terabytes of data and logs. Although plenty of clues are being logged, critical and actionable security intelligence is lost, missed or poorly interpreted amid the haystacks of big data.

Moreover, another misconception about threat intelligence is that it is often confused with threat signatures. To help dispel such preconceptions, analysts and security researchers have made notable contributions. Gartner, for example, defines threat intelligence as "evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard." Table 2 is instructive in this context: it is not only unwise but also unrealistic to equate large amounts of raw information with intelligence. True, actionable threat intelligence requires rich contextual input and begins with efforts to deepen understanding of the past, present and future methodologies of a wide variety of cyber-adversaries.

Table 2: Forms of security intelligence. Source: Gartner.

Type of use case | Strategic security intelligence | Tactical security intelligence
Planning | Security architecture and monitoring planning based on long-term threats and relevant actor capabilities. | Study historical trends across TI feeds and environment match history.
Prevention | Better align security spending and attention based on attacker targeting; prevent attacks predicted by TI sources. | Block bad IPs, URLs, domains, emails, files, etc.; the staple usage of blacklists and high-fidelity TI feeds.
Detection | Look harder for intrusion evidence in places of 'known interest' to attackers; review reports on threat actor tools to find ways to better detect them. | Use TI feeds to create NIDS signatures and NFT, SIEM and ETDR alerting rules; detect internal systems communicating with 'known bads'.
Triage | 'APT or commodity threat?' decision; a key decision that defines how the subsequent IR process will go. | Use TI feeds as context for enriching alerts and other monitoring data; link alerts together into incidents; automated triage by escalating alerts linked to 'known bads'.
Incident response | Better understand the business impact by relating incident artefacts to threat actor profiles; practical incident attribution. | Find the full scope of an incident by linking local observables to TI; 'pulling the thread' to find all compromised assets and all attacker traces.
Threat assessment | Assess the overall threat level for your organisation; report to management, board, etc. | Assess the risk of customers connecting to your IT resources based on TI feeds; fraud risk assessment.
TI fusion (making better TI out of TI) | Increase the value of TI feeds by validating, correlating, enriching context, tying to local observations and attribution; enrich tactical TI by linking to strategic TI. | Increase the value of TI feeds by validating, correlating, enriching context, tying to local observations and attribution; enrich strategic TI by linking to indicators and internal TI.

(TI: threat intelligence; NIDS: network intrusion detection system; NFT: network forensics tools; SIEM: security information and event management; ETDR: endpoint threat detection and response.)
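The tactical column of Table 2 (detection, triage, incident response) and the STIX discussion above are easier to grasp with working code, so here is an added example that is not part of the original article or of any vendor's product. It loads a hand-written STIX 2.1 bundle (the JSON form that superseded the STIX 1.x XML current in 2015; the indicator ids, names, confidence scores and kill-chain tags are all constructed), matches the indicators against constructed proxy log lines, enriches each hit with the feed's context, and triages by indicator fidelity: the high-confidence C2 indicators escalate, the low-confidence shared-hosting address only queues for review, and the 'pull the thread' step turns one alert into a scoped incident. The log format, the `ESCALATE_AT` threshold and the field mapping are assumptions; only single-comparison STIX patterns are parsed.

```python
"""Tactical threat intelligence in practice: load STIX 2.1 indicators, match
them against local proxy logs, enrich each hit and triage by indicator fidelity
(the Detection, Triage and Incident response rows of Table 2)."""
import json
import re
from collections import defaultdict

# Assumed local policy: indicators at or above this confidence page an analyst;
# lower-fidelity hits queue for review (the 'APT or commodity?' decision).
ESCALATE_AT = 80

# Constructed ids, made up for this example (not from any real feed).
C2_DOMAIN_ID = "indicator--0b6e1c5a-1111-4aaa-8aaa-000000000002"
C2_IP_ID = "indicator--0b6e1c5a-1111-4aaa-8aaa-000000000003"
HOSTING_IP_ID = "indicator--0b6e1c5a-1111-4aaa-8aaa-000000000004"
TS = "2015-08-01T00:00:00.000Z"


def _indicator(ident, name, pattern, confidence, phase):
    """Minimal STIX 2.1 Indicator object tagged with a kill-chain phase."""
    return {"type": "indicator", "spec_version": "2.1", "id": ident, "created": TS,
            "modified": TS, "valid_from": TS, "name": name, "pattern": pattern,
            "pattern_type": "stix", "confidence": confidence,
            "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                                   "phase_name": phase}]}


# Constructed bundle; hostnames and addresses are documentation values, not real infrastructure.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--0b6e1c5a-1111-4aaa-8aaa-000000000001",
    "objects": [
        _indicator(C2_DOMAIN_ID, "C2 domain from spear-phishing campaign",
                   "[domain-name:value = 'update-check.example']", 90, "command-and-control"),
        _indicator(C2_IP_ID, "C2 address for the same campaign",
                   "[ipv4-addr:value = '198.51.100.23']", 85, "command-and-control"),
        _indicator(HOSTING_IP_ID, "Shared hosting address that also served phishing pages",
                   "[ipv4-addr:value = '203.0.113.7']", 25, "delivery"),
    ]})

# Constructed proxy log, one key=value request per line.
PROXY_LOG = """\
2015-08-12T09:14:03Z host=ws-017 user=jsmith dst=update-check.example dst_ip=198.51.100.23 status=200
2015-08-12T09:14:09Z host=ws-017 user=jsmith dst=intranet.corp.example dst_ip=10.0.0.5 status=200
2015-08-12T09:31:44Z host=ws-042 user=akhan dst=update-check.example dst_ip=198.51.100.23 status=200
2015-08-12T10:02:17Z host=ws-008 user=lwei dst=pages.hosting.example dst_ip=203.0.113.7 status=200
2015-08-12T10:05:51Z host=ws-042 user=akhan dst=mail.corp.example dst_ip=10.0.0.9 status=200
"""

# Only single equality comparisons are handled; compound STIX patterns
# (AND/OR, FOLLOWEDBY, WITHIN) are skipped rather than guessed at.
PATTERN_RE = re.compile(r"^\[\s*([\w-]+):([\w.']+)\s*=\s*'([^']*)'\s*\]$")
FIELD_FOR_PATH = {("domain-name", "value"): "dst", ("ipv4-addr", "value"): "dst_ip"}


def load_indicators(bundle_json):
    """Index the bundle as {(log_field, value): indicator} for O(1) lookups."""
    index = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        field = FIELD_FOR_PATH.get((m.group(1), m.group(2))) if m else None
        if field:
            index[(field, m.group(3))] = obj
    return index


def match_logs(log_text, index):
    """Detection: every request to a 'known bad', enriched with the feed's context."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, rest = line.split(" ", 1)
        event = dict(kv.split("=", 1) for kv in rest.split())
        for field in ("dst", "dst_ip"):
            ind = index.get((field, event.get(field)))
            if ind:
                alerts.append({"ts": ts, "host": event["host"], "user": event["user"],
                               "observable": f"{field}={event[field]}", "indicator": ind["id"],
                               "name": ind["name"], "confidence": ind.get("confidence", 0),
                               "phase": [p["phase_name"] for p in ind.get("kill_chain_phases", [])]})
    return alerts


def triage(alerts):
    """Group hits per indicator; escalate high-fidelity ones, queue the rest for review."""
    grouped = defaultdict(lambda: {"hosts": set()})
    for a in alerts:
        g = grouped[a["indicator"]]
        g["hosts"].add(a["host"])
        g.update(name=a["name"], confidence=a["confidence"], phase=a["phase"])
    return {ind: {"action": "escalate" if g["confidence"] >= ESCALATE_AT else "review",
                  "hosts": sorted(g["hosts"]), "name": g["name"], "phase": g["phase"]}
            for ind, g in grouped.items()}


def incident_scope(alerts):
    """'Pull the thread': every host tied to a high-fidelity indicator, and every
    indicator those hosts touched, so that one alert becomes a scoped incident."""
    hot_hosts = {a["host"] for a in alerts if a["confidence"] >= ESCALATE_AT}
    related = {a["indicator"] for a in alerts if a["host"] in hot_hosts}
    return sorted(hot_hosts), sorted(related)


if __name__ == "__main__":
    hits = match_logs(PROXY_LOG, load_indicators(STIX_BUNDLE))
    for ind, t in triage(hits).items():
        print(t["action"], t["name"], t["hosts"], t["phase"])
    print(incident_scope(hits))
```

Two design points worth noting. The confidence score is what turns the raw list of 'known bads' into intelligence in Table 1's sense: the same match logic runs for every indicator, but the low-fidelity shared-hosting address is routed to review instead of paging someone, because blocking or escalating on it would generate noise. And `incident_scope` is deliberately keyed on hosts rather than on the indicator that fired, which is how a single C2 hit on one workstation expands to the second workstation and the companion IP indicator without an analyst having to search for them.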

Nipping it in the bud

To address the current situation in network security effectively, existing security practices need to be replaced with a more meaningful, context-aware and multi-dimensional paradigm. This can be achieved by unifying network and endpoint security, which allows policy enforcement, threat prevention, compromise detection and incident response to be treated as parts of one cohesive action to secure data and users. With this 'single-pane-of-glass' approach, information security can progress from being a myth to a manageable and achievable practice, one that also brings greater simplicity to today's big-data networks in connected businesses.

About the authors

Ricky Knights is the channel manager for UK and Ireland at Cyberoam, specialising in network security. Working in a fast-paced industry and liaising with multiple distributors, vendors, VARs, SIs, MSPs and end users, he helps create long-lasting relationships within the channel community. He is responsible for the market development of Cyberoam's unified threat management and next-generation firewall product lines. Emma Morris is an account manager at VCW Security. Specialising in network security products, she has over 15 years' experience in the IT security business and has built extensive knowledge of working with leading resellers selling IT security products.

Preparing for tomorrow's threat landscape

Darren Anstee, Arbor Networks

The media has been busy over the past few months reporting data thefts and DDoS attacks that have targeted high-profile organisations around the world. This coverage has highlighted that even organisations with large, well-resourced security teams are falling victim to today's threats. But why? One of the fundamental problems we have is that attackers are people, not machines, and they innovate constantly. They have, in some cases, an excellent knowledge of how our security solutions and processes work, and they are evolving their tactics, techniques and procedures (TTPs) to evade them. There is also a lot of exchange of information and toolkits, so they leverage their collective capabilities, to some degree, when they target an individual organisation. Technology, and the tools it enables, although useful, cannot protect us from the more sophisticated, campaign-oriented attacks that increasingly target business intellectual property and customer data; it is the people who use the tools that can do that. We need to make the best use of our human security resources. To do that, we need to ensure that the tools and processes they use allow them to focus on protecting the availability, integrity and confidentiality of our business infrastructure. And we also need to get better at sharing information about what is going on out there, and about what works, and what doesn't, to counter the threats we face.
