ePaper

Continuous Security Monitoring in a Continuous World

Threats are moving quickly, so cybersecurity efforts need to keep up.


Contents

The Twin Forces of Change in IT (p. 3)
FAIL (p. 4)
The Three Primary Phases of Continuous Diagnostics and Mitigation (p. 5)
Asset Management (p. 7)
Configuration Management (p. 7)
Vulnerability Management (p. 7)
Access Control (p. 8)
Incident Response (p. 8)
Pulling the technology together: Continuous Security Monitoring Platform (p. 9)
Automate everything you can, and then automate more (p. 9)
Conclusion (p. 11)
About Bitdefender (p. 11)


The Twin Forces of Change in IT

The massive moving forces of innovation and security threats today are crushing the average enterprise IT department.

On one side, the evolution of network systems continues to accelerate at lightning speed. Cloud, virtualization, containerization, big data analytics, mobility, and the Internet of Things are constantly rewriting the rules of connectivity and data governance.

On the other, attackers seek to keep enterprises on their back feet by changing their techniques just as rapidly, if not more so.

On their own, each of these dynamic forces would be painful to contend with. Together, these parallel trends threaten the entire enterprise’s bottom line.

In the enterprise environment, Bitdefender predicted for 2016 an increase in targeted attacks and strongly obfuscated bots with a short lifespan and frequent updates. Most of these attacks will specialise in information theft. Attackers will be in and out of an organisation in a few days, maybe even hours. APT, which currently stands for Advanced Persistent Threats, should change to Advanced Penetration Threats, or even BA for Blitzkrieg Attacks. Lateral movement in the infrastructure of cloud service providers will increase with the advent of tools that allow hackers to compromise the hypervisor from a virtual instance and jump to a different virtual machine.

Some of these trends have already become news. In March, Palo Alto Networks researchers revealed that KeRanger ransomware had targeted Mac users for the first time, bearing out Bitdefender’s prediction that ransomware would expand to new operating systems in 2016. The following month came the biggest data leak in history, the Panama Papers: a breach involving millions of files that reveal a complex tax evasion system used by some of the richest and most powerful people in the world.

The only way for IT to adapt their networks to the twin forces of change is to ensure that security evolves just as quickly as the infrastructure and the threats. The only way for this kind of dynamic security to take hold is through continuous security monitoring.


FAIL

The lessons of recent cybersecurity history are also unambiguous: compliance-driven and reactive information security efforts will not succeed at mitigating system vulnerabilities and threats to a tolerable state.

Networked business-technology assets need to be inventoried, configured, and maintained; their vulnerabilities must be identified and mitigated; and they need to be vetted constantly for signs of malware and compromise. If these processes can’t be automated, they can’t be managed successfully.

But it can be daunting to figure out where or how to start a Continuous Security Monitoring (CSM) effort.

Best Practices

“To understand how an organization’s security program performs on a day-to-day basis, organizations must develop strategies to continuously monitor and document the implementation, effectiveness, adequacy, and status of all of their security controls,” writes the PCI Security Standards Council in its information supplement Best Practices for Maintaining PCI DSS Compliance, which also offers useful starter information.


The Three Primary Phases of Continuous Diagnostics and Mitigation

Phase 1: Identify and Manage Assets
HWAM: Hardware Asset Management
SWAM: Software Asset Management
CSM: Configuration Settings Management
VUL: Vulnerability Management

Phase 2: Least Privilege and Infrastructure Integrity
TRUST: Access Control Management (Trust in People Granted Access)
BEHV: Security-Related Behavior Management
CRED: Credentials and Authentication Management
PRIV: Privileges

Phase 3: Boundary Protection and Event Management for Managing the Security Lifecycle
PLAN: Plan for Events
RESPOND: Respond to Events
AUDIT/MONITOR: Generic Audit/Monitoring
DOCUMENT: Document Requirements, Policy, etc.
QM: Quality Management
Risk Management
Boundary Protection (Network, Physical, Virtual)

Note that in the CDM phase diagram CSM abbreviates Configuration Settings Management; elsewhere in this paper CSM means Continuous Security Monitoring.


Regardless of the framework you choose, there are typically five key components to an effective continuous monitoring program. As you build out your toolset to move toward continuous monitoring, keep in mind that this doesn’t have to be a complete transformation. In many cases you’re probably already using many of these tools in your information security program.

5 Key Components of Continuous Security Monitoring

Asset Management
Configuration Management
Vulnerability Management
Access Control
Incident Response


Asset Management

Asset management software comprises all of the tools used to manage and inventory corporate owned and used devices and applications.

These include simple inventory management and asset-auditing software that is used to identify all authorized hardware and is able to quickly identify unauthorized hardware.

It’s imperative that unauthorized devices are identified and either brought to policy standard or removed from the network.
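One concrete way to do the authorized-versus-unauthorized check described above is to reconcile a discovery sweep against the inventory of record. The Python below is an added example, not code from the paper or from Bitdefender; the inventory, the discovery output and the device names are constructed.

```python
"""Reconcile discovered devices against an authorized hardware inventory.

Added example, not part of the paper. The inventory and the discovery
output are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed authorized inventory: MAC -> (hostname, owner)
AUTHORIZED = {
    "00:11:22:33:44:01": ("fileserver01", "it-ops"),
    "00:11:22:33:44:02": ("hr-laptop-07", "hr"),
    "00:11:22:33:44:03": ("printer-floor2", "facilities"),
}

# Constructed discovery output in the "ip mac hostname" style a DHCP lease
# dump or ARP sweep might produce. MAC case and separators vary on purpose:
# real tools are not consistent, and a naive string match would miss matches.
DISCOVERED = """\
10.0.1.10 00:11:22:33:44:01 fileserver01
10.0.1.23 00-11-22-33-44-02 hr-laptop-07
10.0.1.77 00:11:22:33:44:AA rogue-ap
10.0.1.78 00:11:22:33:44:ab unknown
"""


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon-separated form, so 00-11-22-33-44-02 and
    00:11:22:33:44:02 compare equal. Rejects anything that is not 12 hex digits."""
    hexdigits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_discovery(text: str) -> dict:
    """Return {mac: (ip, hostname)} from discovery output, skipping blank lines."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, mac = parts[0], normalize_mac(parts[1])
        hostname = parts[2] if len(parts) > 2 else ""
        seen[mac] = (ip, hostname)
    return seen


@dataclass
class Reconciliation:
    unauthorized: dict   # on the network but not in the inventory
    missing: dict        # in the inventory but not seen on the network
    authorized_seen: set


def reconcile(discovered: dict, authorized: dict) -> Reconciliation:
    """Three-way split of the MAC space: unauthorized, missing, and matched."""
    auth = {normalize_mac(m): v for m, v in authorized.items()}
    unauthorized = {m: v for m, v in discovered.items() if m not in auth}
    missing = {m: v for m, v in auth.items() if m not in discovered}
    return Reconciliation(unauthorized, missing, set(discovered) & set(auth))


if __name__ == "__main__":
    r = reconcile(parse_discovery(DISCOVERED), AUTHORIZED)
    for mac, (ip, host) in sorted(r.unauthorized.items()):
        print(f"UNAUTHORIZED {mac} {ip} {host or '-'}  -> bring to policy or remove from network")
    for mac, (host, owner) in sorted(r.missing.items()):
        print(f"MISSING      {mac} {host} ({owner})  -> confirm decommissioned, else investigate")
```

A MAC address is the weakest identifier you can reconcile on: it is trivially spoofed and modern mobile operating systems randomize it, so treat this as a first pass and back it with 802.1X or an endpoint agent before acting on a "missing" device.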

Configuration Management

Certainly, misconfigurations of IT assets need to be kept to a minimum. Attackers will scan your systems looking for misconfigured assets and take advantage of them to gain a foothold on the network. Even if those vulnerable systems are not their primary target, they will infiltrate them and use them as a foothold to dig deeper.
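As an added example of the configuration check described above (not code from the paper), the Python below compares an sshd_config against a small hardening baseline. The baseline, the defaults table and the sample config are constructed; the one behaviour the check relies on is sshd's own rule that the first value read for a keyword wins, which is what makes a duplicate line at the bottom of the file a drift that a last-wins parser would miss.

```python
"""Check an sshd_config against a hardening baseline and report drift.

Added example, not from the paper. Baseline values and the sample config
are constructed illustrations, not a vetted standard.
"""

# Constructed baseline: keyword -> set of acceptable values
BASELINE = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "x11forwarding": {"no"},
}
MAX_AUTH_TRIES = 4

# What sshd uses when the keyword is absent from the file. A missing line is
# not "compliant by omission"; it is whatever the daemon's default is.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

SAMPLE_CONFIG = """\
# constructed sshd_config showing a common drift pattern
Port 22
PermitRootLogin no
X11Forwarding no
MaxAuthTries 10
# a later duplicate does NOT override: sshd keeps the first value it read
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> dict:
    """Return global keyword -> value with lowercase keys; first value wins.

    Parsing stops at the first Match block: everything below it is
    conditional and needs the Match criteria evaluated per connection,
    which this check does not do. Include directives are ignored (assumption).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)   # setdefault == first value wins
    return settings


def check_drift(settings: dict) -> list:
    """Return findings as 'keyword: effective=X expected=Y' strings.

    The effective value is the parsed one or, when absent, sshd's default,
    so an unset PasswordAuthentication is reported as the 'yes' it really is.
    """
    findings = []
    for key, allowed in BASELINE.items():
        effective = settings.get(key, DEFAULTS[key])
        if effective not in allowed:
            findings.append(f"{key}: effective={effective} expected={'/'.join(sorted(allowed))}")
    tries = int(settings.get("maxauthtries", DEFAULTS["maxauthtries"]))
    if tries > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries: effective={tries} expected<={MAX_AUTH_TRIES}")
    return findings


if __name__ == "__main__":
    for finding in check_drift(parse_sshd_config(SAMPLE_CONFIG)):
        print("DRIFT", finding)
```

Run against the sample, the check reports PasswordAuthentication (absent, so effectively yes) and MaxAuthTries, and correctly does not report PermitRootLogin despite the trailing "yes" line. A check that read the file last-wins would report the opposite, which is exactly the kind of false result that lets a misconfiguration persist.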

Vulnerability Management

Hopefully, if you run an enterprise of any size, you have a vulnerability management program in place.

Here, you assess for software vulnerabilities within your networked devices, remedy those that are identified (especially the critical level vulnerabilities) and then test that patches and updates have been successfully applied.

Software weaknesses are a common way through which adversaries seek to try to gain entry onto networked devices.
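Added example, not from the paper: a minimal version of the assess, remediate, verify loop described above. Advisory identifiers, package names and versions are constructed. The version comparison is deliberately simple; a production check should use the platform's own ordering (dpkg --compare-versions, rpmdev-vercmp) and the distribution's advisory data, because backported fixes keep the upstream version number and would otherwise show as still vulnerable.

```python
"""Compare installed package versions against advisory fixed versions, then
re-check after patching to confirm the fix actually landed.

Added example, not from the paper. Advisory IDs, package names and
versions are constructed.
"""
import re

# Constructed advisories: package -> (advisory id, first fixed version)
ADVISORIES = {
    "openssl": ("ADV-CONSTRUCTED-001", "1.0.2h"),
    "bash": ("ADV-CONSTRUCTED-002", "4.3.42"),
    "nginx": ("ADV-CONSTRUCTED-003", "1.10.1"),
}

# Constructed "package version" snapshots taken before and after a patch run
BEFORE = """\
openssl 1.0.2g
bash 4.3.42
nginx 1.9.15
curl 7.47.0
"""
AFTER = """\
openssl 1.0.2h
bash 4.3.42
nginx 1.9.15
curl 7.47.0
"""


def version_key(v: str) -> tuple:
    """Turn '1.0.2h' into a tuple that compares numerically per component.

    Plain string comparison gets '1.10.1' < '1.9.15' wrong; numeric chunks
    are tagged 0 and alphabetic chunks 1 so mixed positions still order.
    """
    return tuple((0, int(c)) if c.isdigit() else (1, c)
                 for c in re.findall(r"\d+|[A-Za-z]+", v))


def parse_packages(text: str) -> dict:
    """Return {package: version} from 'name version' lines."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            pkgs[parts[0]] = parts[1]
    return pkgs


def vulnerable(installed: dict) -> dict:
    """Return package -> (advisory, installed, fixed) for each package
    installed below its fixed version. Packages not installed are skipped."""
    out = {}
    for pkg, (adv, fixed) in ADVISORIES.items():
        if pkg in installed and version_key(installed[pkg]) < version_key(fixed):
            out[pkg] = (adv, installed[pkg], fixed)
    return out


def verify_remediation(before: dict, after: dict) -> tuple:
    """Return (closed, still_open): what the patch run fixed and what it did not.

    This is the 'test that patches have been applied' step: the after
    snapshot is re-assessed with the same logic rather than trusting the
    patch tool's exit code.
    """
    open_before, open_after = set(vulnerable(before)), set(vulnerable(after))
    return open_before - open_after, open_after


if __name__ == "__main__":
    closed, still_open = verify_remediation(parse_packages(BEFORE), parse_packages(AFTER))
    print("closed:", sorted(closed))
    print("still open:", sorted(still_open))
```

In the constructed snapshots the openssl update landed but nginx did not, so the verification step reports nginx as still open: exactly the case a "patch pushed, ticket closed" workflow would miss.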


Access Control

Good access control is critical to success. The size and scope of these efforts are largely determined by the size of the enterprise, number of employees, and services they need access to. This typically includes everything from physical building and data center access to providing enterprise resources such as phones, desks, email, etc. and everything in-between.

This also includes the automated management and monitoring of identity access privileges (no greater authority for access than is necessary) and of superuser access, such as that required for administrative rights.

Incident Response

For this, enterprises need to automate the detection of breaches as much as possible, and have the response in place to respond to the degree necessary. Some breaches may require little manual response, perhaps pushing a new machine image out to an endpoint. Other breaches may require extensive forensics analysis and remediation and cleansing effort.
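Added example covering both of the preceding sections (not code from the paper): a detector that reads the syslog lines sudo writes by default, flags privileged use that violates a least-privilege policy, and routes each finding to a response tier of the kind the incident response section describes. The approved-admin list, the log lines and the response tiers are constructed.

```python
"""Flag privileged (sudo) use that violates a least-privilege policy and
route each finding to a response tier.

Added example, not from the paper. APPROVED_ADMINS, LOG and RESPONSE are
constructed; the line format is sudo's default syslog format.
"""
import re

APPROVED_ADMINS = {"alice"}            # accounts allowed to run commands as root
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh",
          "/usr/bin/bash", "/usr/bin/sh", "/usr/bin/zsh"}

# Matches both the success line and the "command not allowed" refusal line.
# Other sudo messages (wrong password, user not in sudoers) do not match and
# are counted rather than silently dropped.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+(?P<user>\S+) : "
    r"(?:(?P<denied>command not allowed) ; )?TTY=(?P<tty>\S+) ; PWD=\S+ ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed log excerpt
LOG = """\
May 25 10:02:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
May 25 10:05:47 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
May 25 10:06:02 web01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/passwd root
May 25 10:07:15 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
May 25 10:09:30 db01 sshd[2201]: Accepted publickey for svc-backup from 10.0.1.5 port 50112 ssh2
"""

# Constructed response tiers: which findings get a low-touch action and
# which need evidence capture and forensics before anything is touched.
RESPONSE = {
    "unapproved_privileged_use": "isolate host; capture evidence; re-image after forensics",
    "denied_attempt": "disable account pending review; pull sudoers and auth logs",
    "interactive_root_shell": "ticket to admin; replace shell with a bounded command",
}


def analyze(log: str) -> tuple:
    """Return ([(kind, user, host, command), ...], unparsed_sudo_lines)."""
    findings, unparsed = [], 0
    for line in log.splitlines():
        if " sudo" not in line:
            continue                      # not a sudo event
        m = SUDO_RE.match(line)
        if not m:
            unparsed += 1                 # unknown sudo message: surface it, never drop it
            continue
        user, host, cmd = m["user"], m["host"], m["cmd"]
        cmd_path = cmd.split()[0] if cmd else ""
        if m["denied"]:
            findings.append(("denied_attempt", user, host, cmd))
        elif user not in APPROVED_ADMINS:
            findings.append(("unapproved_privileged_use", user, host, cmd))
        elif cmd_path in SHELLS:
            # approved admin, but an unbounded root shell defeats least privilege
            findings.append(("interactive_root_shell", user, host, cmd))
    return findings, unparsed


def route(findings: list) -> list:
    """Attach the response action to each finding."""
    return [(kind, user, host, RESPONSE[kind]) for kind, user, host, _ in findings]


if __name__ == "__main__":
    findings, unparsed = analyze(LOG)
    for kind, user, host, action in route(findings):
        print(f"{kind:26} {user:8} {host:6} -> {action}")
    if unparsed:
        print(f"{unparsed} sudo line(s) did not match the expected format")
```

Alice's systemctl call produces nothing; her root shell is flagged but handled as a ticket, while bob's unapproved escalation and his refused passwd attempt go straight to the containment and forensics tiers. The unparsed counter matters in practice: a detector that quietly ignores lines it does not understand is one that an attacker can evade by producing unusual ones.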


Pulling the technology together: Continuous Security Monitoring Platform

Enterprises that embark on the path to continuous security monitoring are going to be collecting and managing a lot of data. A lot of data. It will be coming from network monitoring tools, intrusion detection systems, management consoles, compliance and configuration management toolsets, and so forth.

You will need a way to collect this data, analyze it, visualize it, and actually respond to it.

This will likely be a combination of existing toolsets, some snappy API and integration work, and maybe even building new custom tools.
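An added example (not code from the paper) of the collect, normalize, analyze, respond loop described above: events from a CSV vulnerability export and a JSON-lines IDS feed are mapped to one schema and correlated against asset criticality, so that an attack against a service with a known hole on a high-value asset is ranked above a scan against a wiki. Both input formats, all hostnames, the CVE-style identifiers and the signature names are constructed placeholders.

```python
"""Normalize events from two tools into one schema and correlate them.

Added example, not from the paper. Both input formats are constructed
(loosely modeled on a CSV vulnerability export and JSON-lines IDS alerts);
hostnames, CVE-style IDs and signature names are placeholders.
"""
import csv
import io
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed asset criticality: the "most important assets" the paper says to start with
CRITICALITY = {"pay-api-01": "high", "wiki-03": "low"}

VULN_CSV = """\
host,finding,severity,port
pay-api-01,CVE-0000-0001,critical,443
wiki-03,CVE-0000-0002,medium,80
"""

IDS_JSONL = """\
{"timestamp":"2016-05-25T10:01:00Z","dest_host":"pay-api-01","dest_port":443,"signature":"EXPLOIT constructed TLS handshake anomaly","severity":1}
{"timestamp":"2016-05-25T10:02:00Z","dest_host":"wiki-03","dest_port":80,"signature":"SCAN constructed directory brute force","severity":3}
{"timestamp":"2016-05-25T10:03:00Z","dest_host":"pay-api-01","dest_port":22,"signature":"SCAN constructed ssh probe","severity":3}
"""


@dataclass(frozen=True)
class Event:
    source: str            # which tool produced it
    host: str
    port: Optional[int]
    kind: str              # "vulnerability" or "ids_alert"
    detail: str
    severity: str          # normalized to low / medium / high / critical


IDS_SEVERITY = {1: "high", 2: "medium", 3: "low"}   # assumption: 1 is most severe in this feed


def from_vuln_csv(text: str) -> list:
    """Scanner export -> common schema."""
    return [Event("vulnscan", r["host"], int(r["port"]), "vulnerability",
                  r["finding"], r["severity"].lower())
            for r in csv.DictReader(io.StringIO(text))]


def from_ids_jsonl(text: str) -> list:
    """IDS alert feed -> common schema, mapping its numeric severity to our scale."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d = json.loads(line)
        out.append(Event("ids", d["dest_host"], d.get("dest_port"), "ids_alert",
                         d["signature"], IDS_SEVERITY.get(d.get("severity"), "low")))
    return out


def correlate(events: list) -> list:
    """Pair IDS alerts with open vulnerabilities on the same host and port.

    Returns sorted (priority, host, reason). An alert against a service with
    a known critical vulnerability on a high-criticality asset is P1; the
    same pairing on a lower-value asset is P2; alerts with no matching
    vulnerability are P3 and stay visible rather than being discarded.
    """
    vulns = defaultdict(list)
    for e in events:
        if e.kind == "vulnerability":
            vulns[(e.host, e.port)].append(e)
    out = []
    for e in events:
        if e.kind != "ids_alert":
            continue
        matched = vulns.get((e.host, e.port), [])
        if matched and any(v.severity == "critical" for v in matched) and CRITICALITY.get(e.host) == "high":
            out.append(("P1", e.host, f"{e.detail} against {matched[0].detail}"))
        elif matched:
            out.append(("P2", e.host, f"{e.detail} against {matched[0].detail}"))
        else:
            out.append(("P3", e.host, e.detail))
    return sorted(out)


if __name__ == "__main__":
    events = from_vuln_csv(VULN_CSV) + from_ids_jsonl(IDS_JSONL)
    for priority, host, reason in correlate(events):
        print(priority, host, reason)
```

The schema is the integration work the paper refers to: once every feed lands as an Event, the correlation rule and anything that visualizes or responds to it no longer care which product produced the data, and adding a third source means writing one more from_* adapter rather than touching the analysis.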

Automate everything you can, and then automate more

Where do you start automating your CSM program? There are many approaches, such as automating what you currently have the tools to automate: regular vulnerability assessments, patch and antimalware updates, reporting and alerting, and so on.

These controls stand on four pillars:

Focus on continuous monitoring to test and evaluate remediation

Automate processes

Provide common metrics that all stakeholders can understand

Use knowledge of actual attacks to build defenses


The key is to focus on monitoring and protecting the most important assets and applications. You’ll need to work closely with audit and compliance teams, operations teams, business application owners, and security teams to identify these assets.

Essentially, aim to identify the most critical and valuable systems and data, as well as those that fall under the purview of regulatory compliance, and start your continuous monitoring efforts there.

When implementing continuous security and regulatory compliance monitoring of your high-value assets, include their configurations and the status of security technologies such as anti-malware, network and application firewalls, data leak prevention technologies, etc.

From here, you are going to need to automate as many of your security controls as you can, while also monitoring their configurations to ensure that they are managed consistently across all environments.


Conclusion

Building an effective CSM program isn’t something that will happen overnight. But, as you automate certain processes, you just need to make certain those processes remain automated and in good shape. Use the time saved to automate the next set of security processes and feed the status into a dashboard or, initially, a set of dashboards. In time, you will eventually automate your entire program.

When continuously deploying new applications, you will be introducing new mistakes into the environment, and by continuously monitoring that environment you will be finding new security errors as they are introduced. So, while you will be moving as quickly as you can, your CSM program will keep your security efforts moving with you.

About Bitdefender

Bitdefender is a global security technology company that delivers solutions in more than 100 countries through a network of value-added alliances, distributors and reseller partners. Since 2001, Bitdefender has consistently produced award-winning business and consumer security technology, and is a leading security provider in virtualization and cloud technologies. Through R&D, alliances and partnership teams, Bitdefender has elevated the highest standards of security excellence in both its number-one-ranked technology and its strategic alliances with the world’s leading virtualization and cloud technology providers.

BD-Business-May.25.2016-Tk#:70583

All Rights Reserved. © 2016 Bitdefender. All trademarks, trade names, and products referenced herein are property of their respective owners. FOR MORE INFORMATION VISIT: http://www.bitdefender.com/business

Bitdefender delivers security technology in more than 100 countries through a cutting-edge network of value-added alliances, distributors and reseller partners. Since 2001, Bitdefender has consistently produced market-leading technologies for businesses and consumers and is one of the top security providers in virtualization and cloud technologies. Bitdefender has matched its award-winning technologies with sales alliances and partnerships and has strengthened its global market position through strategic alliances with some of the world’s leading virtualization and cloud technology providers.