Recently in Security Information Management Category


Information Security Governance - Hybrid Security Cloud Provider Services and Security Team Management Collaboration and Trust.

One of the most important elements of Information Security Management is the ability for Information Security, Physical Security, and IT teams to collaborate.

A key issue in any organization is effective team leadership, socialization, and collaboration. If the security team does not have the ability to collaborate or share information readily amongst themselves, there can be wasted effort and the duplication of real-time analytics work. Information Security Management should be an enabler of team collaboration and trust.

Security Information and Event Management can provide a wealth of information, but if you cannot truly resolve incidents and/or mitigate them, what you have is really nice log and event management with no ability to resolve them. This is why organizations have turned to Hybrid Cloud Security Solutions for 24x7 monitoring and incident resolution.

Although this may not help in solving team collaboration issues, it will be a way for your Security and IT teams to utilize expert knowledge in event identification and resolution or, more importantly, the pre-0-day resolution of what is NOT currently happening but what is about to hit, and how to mitigate that issue. If your security and IT teams have working trust relationships with their own teams or other teams, including Hybrid Service providers, then your organization will work.

This is what NIST/MITRE SCAP is really all about: the ability for everyone to collaborate, whether it is configuration management, vulnerability assessment, situational awareness, incident response, or mitigation.


Procrastinators never cease to amaze me. They seem to have a ready excuse (no matter how lame) for every inaction and delay. Having taught in universities for many years, I found that procrastination ran high among students. I particularly remember days on which term assignments were due and how so many bedraggled-looking students would come to turn them in and then take a seat and fall asleep. Procrastination does indeed have some serious downsides.

Procrastinators can be found everywhere, not just in university settings. In the information security arena they are professionals who delay planning and starting sorely needed initiatives and projects. They may also have an excellent security architecture, but may for various reasons have been slow in implementing critical elements within this architecture. Funny thing--so often one of the missing elements is Security Information and Event Management (SIEM) technology.

In previous blogs I have described what I believe to be the major advantages of using SIEM technology. Despite all these advantages and also considering the sorry current state of intrusion detection and intrusion prevention (with a few notable exceptions, of course), one would think that information security professionals would be lined up to purchase SIEM tools. Instead, somehow they have reasoned that SIEM technology will have to wait another year, and then when that year goes by, that it will have to wait still another year.

SIEM technology is just too critical to be pushed aside year after year. As I have said before, the subtle nature of so many of today's attacks has pushed event correlation technology to the forefront of detective controls. Intrusion detection and prevention tools, firewalls, personal firewalls and logging daemons may be capable of detecting pieces of attacks, but each one in and of itself is generally not capable of "seeing" a whole train of events. The result is that major attacks continue to go unnoticed for surprisingly long periods of time, with TJX's delay of 18 months in noticing the massive wave of credit card data theft that it experienced being what is probably an all-time record. (Should records of this nature also be included in the Guinness Book of Records?)

Frankly, if I had a choice between buying an intrusion detection tool and a SIEM tool, I would not have to think very hard. The same would be true if I had to decide between buying an intrusion prevention tool or a SIEM tool.

Unfortunately, not every SIEM tool is capable of performing thorough and accurate event correlation, either. Were I still a CISO, I would consider buying and using only a select few of these tools for operational purposes. A few vendors seem to have caught on to what it takes to design and implement strong event correlation capability, but, lamentably, most have not.

Procrastinators will continue to sit on the proverbial fence, but procrastinating when it comes to buying and implementing SIEM technology is just plain old everyday unwise. I honestly do not understand how a CISO could possibly claim that that person's information security practice is a best practice, or even a good practice, unless SIEM technology were a big part of the security technology. It is time for us to wake up to the fact that situational awareness is now more critical to information security practices than ever before, and thus that the need for SIEM technology is today, not sometime in the future.


netForensics today announced that nFX Cinxi One, its powerful SIEM and log management appliance, has earned five out of five stars in SC Magazine's August 2010 product review. In its group test of security information and event management (SIEM) solutions, SC Magazine assigned nFX Cinxi One a five star rating in each of the following categories: Features, Performance, Documentation, Support and Value for the Money.


I don't like to admit this, but I am not always as tolerant as I would really like to be. Certain things that people do and say sometimes catch my attention and cause me to think less of them. An example is people who do not use very good grammar and spelling when they write. Anyone who uses "it's" in the possessive sense, e.g., "It's (sic) effects were great," loses a point or two with me, and I just cannot help it. The same is true of people who say things such as "Me and him are going to go to the concert tonight." I don't attempt to correct anyone's grammar and spelling unless I am proofreading something that someone has written--silence is, after all, golden. Still, poor grammar and spelling invariably help lower my impression of others to some extent.

Regrettably, my faults regarding tolerance (or lack thereof) are not limited to grammar and spelling. Having once been a player in the SIEM arena for almost three and a half years, I cannot help thinking less of people who make what I think are bad decisions concerning purchasing and using SIEM products. SIEM stands for Security Information and Event Management. It consists of what used to be two fairly independent functions, Security Information Management (SIM) and Security Event Management (SEM). SIM functionality mainly includes log aggregation, log management and reporting. SEM functionality mainly includes event analysis through event correlation and possibly other methods, alerting, incident response facilitation (including trouble ticket and case creation, updating and tracking), and helping analysts in achieving situational awareness by providing network topology and other displays that pinpoint where in a network and what specific hosts and devices have been affected by incidents.

Although "we hold these truths to be self-evident, that all men are created equal" may apply to humans, it definitely does not apply to SIEM products. Many of these products, some of which sell surprisingly well, include little more than SIM capabilities. People buy these products, install and stick them in some server room while these products aggregate data that people seldom or never inspect. These people also configure reporting to obtain reports that they seldom use until they get word that auditors will be visiting them in the future, and go merrily on their way, often with the assumption that they are obtaining a very favorable total cost of ownership (TCO) because they feel they are meeting some compliance requirements by having these mostly unused and not-all-that-functional products.

Are you kidding me? What SIM products lack can sink the proverbial ship of an organization nowadays. We are getting hammered with Advanced Persistent Threats (APTs), with all kinds of attacks coming from China, Russia, Belarus, the Ukraine, Brazil, and oh by the way, also the US. The number of zero-day exploits per week has never been higher. Additionally, hundreds of new types and variants of malware are released into the wild every day. And what do SIM tools do about all this? They just sit there blissfully ignorant, unable to detect and report attacks because they have little or no event correlation functionality. Or they may have event correlation capability in name only. Frankly speaking, the proficiency of detection rules in SIEM tools designed primarily to do log aggregation, log management, and reporting is downright abysmal.

For about the same price as a SIEM tool that delivers only SIM functionality, someone can buy a SIEM product that will not only deliver log aggregation, log management, and reporting, but also all the SEM functions that are so critical, given the plethora of security threats that we currently face. How shortsighted can those who buy products with SIM but not SEM capabilities be? I don't know, but I suspect they are also the kind of people who also use "it's" in the possessive sense...


It's a dangerous place out there--the cyberworld, that is. We have witnessed unparalleled changes and growth over the last decade, yet with these changes and growth have come an increasing number of attacks that are using a growing and more diverse variety of methods, many of which are unknown to the white hat community until after they are used. There is so much malicious code out there that we really have lost count of how many unique viruses, worms and Trojan horses exist. Many of the attacks are launched by government-financed technical gurus and well-organized gangs of cybercriminals intent on exploiting vulnerabilities to make money--not just some money, but a lot of it. As opposed to just a decade ago, the attacks are often unbelievably persistent to the point that the term "Advanced Persistent Threats" is becoming trite--like talking about "damaging automobile accidents." If an attack against a target fails, the perpetrators keep launching new attacks until one succeeds. And in general only one successful attack is all that the perpetrators need to reach whatever goal they have. It should then come as no surprise that more and more information security professionals are labeling today's attacks as "unstoppable."

We have controls--plenty of them. Some of them (policies and standards, firewalls, intrusion prevention systems (IPSs), network access control systems, mantraps, fences and much more) help prevent attacks from succeeding. Some organizations, financial institutions in particular, are likely to deploy a wide range of preventative controls in an attempt to achieve "defense-in-depth," implementing layers of security so that if one layer fails, there will still be others to counter an attack. Some organizations do far better than others in using preventative controls, yet according to a multitude of sources, the number and cost of cyberincidents, in particular data security breaches, have sharply increased over time. Many reasons exist why preventative controls have neither lived up to expectations nor produced a favorable total cost of ownership (TCO). In all likelihood the most critical one is that the black hat community is always one (and often more) move ahead of the white hat community when it comes to the proverbial game of cyberchess.

We also have plenty of detective controls--intrusion detection systems (IDSs), system and network event logging, network traffic sniffing, motion detectors, security guards in buildings, trip lights, content filters, security information and event management (SIEM) systems that collect, integrate and potentially even correlate information from all over a network, and more. The major idea behind detective controls is that as potentially good as protective controls are, they are far from perfect; there is not one of them that cannot be defeated or bypassed by a clever perpetrator. So, the idea goes, organizations need the ability to detect potentially adverse events that occur to determine whether or not they constitute an attack or other source of an outage or disruption. If so, intervention that reduces the amount of loss and damage can be initiated.

Reactive controls are the third and final type of control. Here we have automated incident response tools, incident response teams, business continuity and disaster recovery teams, chemical suppressant systems, self-adapting networks, anti-malware software that cleans malware infections, and much more. Without reactive controls, detective controls would be of little value, because detecting a malicious event without intervening accomplishes functionally nothing. At the same time, without detective controls, reactive controls would also be of little value.

So I'll get back to my original question. Which type of control, preventative, detective or reactive, works best? In theory the first should be the best, because top-notch preventative controls should be able to thwart all (or at least most) incidents. But something far different from theory is occurring with preventative controls today. They are working, but, well, just sort of, and certainly not nearly as well as many of us have been led to expect. Consider, for example, the current popularity of IPSs. A recent independent study showed that several top-selling IPS products did not even stop half of all attacks launched against the network they were supposed to defend in a test laboratory. One stopped only 17 percent of all attacks! Another similar study on anti-virus software showed that the majority of commercial anti-virus products did not even detect half of the Trojans that were installed in test systems in which the software was running. Defense-in-depth would help, true, but it is clear that the current generation of perpetrators is completely outwitting preventative control vendors.

So we turn next to detection. Unfortunately, IDSs have not fared a whole lot better than IPSs and anti-virus software when it comes to independent testing concerning detection proficiency. But when IDSs are merely one of a number of sources of intrusion detection information, the proficiency in identifying nefarious events can increase substantially. The same is true of firewalls, IPSs, anti-virus software, systems that send system logs to a central server, the output of network monitoring tools, and more. Collecting all this information in a central location makes inspecting it possible, but chances are the amount of such information in a typical network is overwhelming for a team of technically proficient staff to inspect. So why not automate the analysis of the centrally collected information? Better yet, why not correlate the information, comparing each piece of input to models of the log and alert output that information systems and devices produce when cyberattacks occur, and issue alerts when the information fits a model? By now, you should be getting my drift. SIEM technology makes proficient detection of potentially harmful events possible--it provides a way to make sense of volumes of information. Not all SIEM technology is equally proficient, however, but that is a topic for another blog entry.
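The kind of correlation described above, as an added example that is not part of the original post or of any netForensics product: three sources that are individually unremarkable (firewall denies, one IDS alert, a successful host login) are normalized to a common shape and matched against a model of an attack train keyed by source IP inside a time window. The log formats, the sample records and the three-stage model are constructed assumptions for illustration.

```python
"""Minimal SEM-style event correlation (added example, not vendor code).
Each source alone sees only a piece; the correlator sees the whole train."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample records from three sources; the formats are hypothetical.
FIREWALL_LOG = [
    "2010-08-02 10:01:03 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2010-08-02 10:01:04 DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2010-08-02 10:01:05 DENY src=203.0.113.7 dst=10.0.0.5 dport=445",
    "2010-08-02 10:03:10 DENY src=198.51.100.9 dst=10.0.0.8 dport=80",
]
IDS_ALERTS = [
    "2010-08-02 10:01:09 ALERT sig=PORTSCAN src=203.0.113.7",
]
HOST_SYSLOG = [
    "2010-08-02 10:04:30 sshd: Accepted password for admin from 203.0.113.7",
    "2010-08-02 10:05:00 sshd: Accepted password for bob from 192.0.2.44",
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
SOURCES = (("fw", FIREWALL_LOG), ("ids", IDS_ALERTS), ("host", HOST_SYSLOG))
EVENT_TYPE = {"fw": "fw_deny", "ids": "ids_alert", "host": "host_login"}


def normalize(source, line):
    """Reduce one raw line to (timestamp, event_type, source_ip)."""
    ts = datetime.strptime(line[:19], TS_FORMAT)
    ip = re.search(r"(?:src=|from )(\d+\.\d+\.\d+\.\d+)", line).group(1)
    return ts, EVENT_TYPE[source], ip


def correlate(window=timedelta(minutes=10), min_denies=3):
    """Attack model: at least `min_denies` firewall denies AND an IDS alert,
    both within `window` before a successful host login from the same IP.
    Returns the source IPs whose events fit the whole model."""
    by_src = defaultdict(list)
    for source, lines in SOURCES:
        for line in lines:
            ts, kind, ip = normalize(source, line)
            by_src[ip].append((ts, kind))
    hits = []
    for ip, events in by_src.items():
        denies = [t for t, k in events if k == "fw_deny"]
        alerts = [t for t, k in events if k == "ids_alert"]
        logins = [t for t, k in events if k == "host_login"]
        # The login is the final stage; the earlier stages must precede it.
        for login in logins:
            start = login - window
            if (sum(start <= t <= login for t in denies) >= min_denies
                    and any(start <= t <= login for t in alerts)):
                hits.append(ip)
                break
    return hits


if __name__ == "__main__":
    for src_ip in correlate():
        print(f"ALERT: multi-stage intrusion pattern from {src_ip}")
```

Only 203.0.113.7 fits the model; 198.51.100.9 (one deny) and 192.0.2.44 (one routine login) never rise above noise, which is exactly the signal a single log source cannot produce.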

Reaction is also potentially hugely critical, but it does not in my estimation reach the level of importance that detection does. The reason is that for the most part in the information security arena automated reaction mechanisms are not doing what they are needed to do as well as they should. For example, an automated reaction mechanism can send a command to a firewall to "shun" all incoming traffic from a particular source IP address, but there is a good chance that that IP address has been spoofed, something that may disrupt an ongoing set of e-commerce or business-to-business transactions. And I am sure you have heard how automated reaction mechanisms have malfunctioned, causing major lock-ups and disruption within IT environments. So for the most part, today's reaction mechanisms are manual, carried out by incident response personnel. It would thus be difficult to give reaction the nod as the type of control that works best.

In closing, as imperfect as some of them are, all three, preventative, detective, and reactive controls, are necessary in the struggle to stave off today's cyberattacks. But if we are going to rely on one technology, it would be a good bet to rely on detective technology, especially if strong SIEM technology is used.


netForensics today announced that it has joined the Cisco Developer Network as a Registered Developer within the network security technology category. In addition, netForensics nFX Cinxi One v4.1 has successfully completed interoperability testing with the following Secure Borderless Networks system: Security Management. This interoperability testing helps ensure that netForensics nFX Cinxi One software easily interoperates with the following Cisco security products: ASA, IPS, IOS, ESA, WSA and CS-MARS. nFX Cinxi One also works with Cisco ASR, Access Control Server, CSA, CSA Management Center, CatOS, Firewall Service Module, IDS, IOS, PIX and VPN products, and helps customers meet key security business requirements, particularly around compliance and log management.


netForensics today announced that a new study, entitled "Security in a Down Economy: Limited Budgets, Less Staff, More Threats," shows a perceived increase in network threats throughout 2010 and into 2011. The study was conducted by netForensics during the week of June 7, 2010 to learn about the impact the economic downturn has had on organizations' security posture and budgets, and the potential consequences organizations will face over the next 12-24 months as a result.


netForensics today announced that its 2010 Federal Customer User Group marks the company's 10th anniversary of providing security solutions to the federal market. The nFX Federal User Group is taking place today and tomorrow at the Westin Alexandria in Alexandria, VA.



In the article below, Microsoft reviews the Waledac botnet takedown and mentions a number of botnet shutdowns that have recently taken place. The article also mentions sudosecure.net, a Waledac tracking site.

The article goes on to talk about Operation b49, a botnet takedown task force, and an "innovative application of a tried and true legal strategy":

"On February 22, in response to a complaint filed by Microsoft ("Microsoft Corporation v. John Does 1-27, et. al.", Civil action number 1:10CV156) in the U.S. District Court of Eastern Virginia, a federal judge granted a temporary restraining order cutting off 277 Internet domains believed to be run by criminals as the Waledac bot."

"This legal and industry operation against Waledac is the first of its kind, but it won't be the last"


Microsoft Technet on Waledec-takedown




Yesterday, at the Security Awareness for 2010 ISACA meeting in Philadelphia, John Raezer delivered a welcome presentation on Risk Management Effectiveness.

Information Technology and Information Security Management must understand the Business Model: what the key assets are, what their exposures and vulnerabilities are, and what the outcome would be from the peril of a threat. It is not only the identification or recognition of an incident that matters, but what the root cause and contributing factors were, and how this information gets included in or relayed back to Business Intelligence. What is the distribution of events, not only in near real time but historically: their severity, impacts, risk response, what policies and procedures were used in containment, mitigation and follow-up, what the contributing factors were, and who owns the Risk Relationships?

In his example of why frameworks such as BASEL, COSO and COBIT are so important, the factor with the greatest effect on corporate reputation with business partners, customers, and suppliers was accounting irregularities. By far, accounting irregularities carried the highest corporate reputation risk of affecting your business with suppliers, business partners, and customers; he cited some recent banking incidents as an example of customer and partner distrust.

He also covered the need to study and understand which disruptive technologies will have an impact on business processes, how many industries are using chaos theory for risk assessment, black swan events (the unexpected unexpected), and how we must understand the Language of Risk, not only in the physical world but in the virtual world. Eventually, he believed, there will be Risk Management Accounting.

If you get a chance to read his presentation or see him speak on the values of risk management in the enterprise it is well worth the time.

© 2010 netForensics, Inc