
FIVE PRACTICAL STEPS - IT Weekly

WHITEPAPER

Q1Labs.com

FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach

How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business


Executive Summary

Most security professionals agree that the maturity of an organization’s information security program is directly proportional to their ability to protect information. This white paper will provide five practical steps to protecting an organization from breach, as well as guidance for implementing a comprehensive, well-designed information security program. These steps are based on collective knowledge and best practices learned from many of Q1 Labs’ global customers.

Top Causes of Breach

While there are many statistics and anecdotal reports from respected industry research organizations on the primary causes of information breach, the data in this paper is taken from actual use cases in real situations and implementations of Q1 Labs customers using QRadar for total security intelligence.

Top reasons organizations’ networks are successfully breached include:

1. Organizations have not invested in core information security infrastructure technology, including, but not limited to, switches, firewalls, IPS, VPNs, vulnerability scanners, and identity/access management.
2. Organizations have not gained sufficient security intelligence on the network.
3. Organizations haven’t properly leveraged the information security technology they already own; this includes having poorly configured network and security devices.
4. Organizations have not addressed key vulnerabilities in their infrastructure.
5. Organizations cannot effectively minimize risk because of organizational and/or technology silos.

The reality is that addressing these issues does not happen overnight. Some organizations take years to get all of these areas under control. The good news is that even minor incremental improvement in an organization’s security practices will result in a greatly improved ability to protect information.

CEOs, CIOs, CTOs, AND CISOs HAVE A FORMIDABLE TASK — instituting programs that span people, technology, and processes, to minimize “risk”. The term “risk” will have a different meaning depending on an individual’s area of responsibility and industry in which they work. From an information security perspective, one of the top concerns for C-Level Executives, IT Executives and Security Professionals is reducing the risk of potential breach of information. Protecting your assets from industrial cyber espionage demands a top-down strategy.

Five Practical Security Intelligence Steps to Protecting Your Organization Against Breach

Knowing that achieving operational security maturity takes time and is constantly evolving, what follows are five incremental security efforts that can be made to significantly improve an organization’s ability to protect itself against breaches.

STEP 1: Deploying the Right Technology

Enumerating all of the information security technologies that an organization should consider is beyond the scope of this paper; however, the basics are fundamental. Organizations should look to deploy technology that meets their need to:

- Control the flow of information across the network. This could be as basic as implementing firewalls, or might require the use of more advanced gates like Intrusion Protection Systems (IPS) or application layer switches. In many cases there will be multiple layers to how this technology is deployed in the network.
- Control access to information. This could typically be achieved with a central authentication system. In some organizations this may require more advanced key management.
- Implement common sense security technologies that protect end systems, including anti-virus, DLP, host intrusion prevention, and file integrity monitoring. Many organizations have had this for years. Reevaluate it regularly to ensure it continues to meet your needs.
- Obtain visibility into the security posture. The fundamental technology required here is the implementation of a centralized log management and/or security information and event management (SIEM) solution that integrates native anomaly detection and content capture.
- Encrypt information wherever necessary or required. Organizations might include VPN technology to help with this area.
- Look for holes in the security infrastructure. This typically will include one or more Vulnerability Assessment (VA) scanners and possibly other tools.
- Meet more advanced security requirements, including, but not limited to, data loss prevention. Deploy advanced technology that enables the full security intelligence lifecycle: before, during and post exploit.

In the end, the requirements of the business will drive the technologies deployed and the depth to which the technologies are leveraged.

A major lesson that has been learned by Q1 Labs’ customers is that, more times than not, leveraging compliance creates budget to enable the investment in a security technology that will pay dividends in the end, provided enough thought is invested all through the process of technology selection and implementation.

STEP 2: Use Information to Your Benefit

By working with more than 1600 customers, Q1 Labs has learned that the more information an organization analyzes from the network, the better off they will be in their ability to minimize and quantify information risk. Fundamental to this premise is that a solution has been deployed that can effectively make sense of all the data collected. There are varying degrees to which an organization might need to collect and analyze information.

At one end of the spectrum there might be the need for basic log management to manage information risk for a single application as required by some compliance regulation. At the other end of the spectrum is a comprehensive end to end security intelligence solution that looks at events from every imaginable networked system.

When selecting a log management, SIEM and/or total security intelligence solution there are a few important considerations, including:

- How straight-forward is the technology to acquire, deploy, and maintain? This seems like a no-brainer, but it is amazing how many organizations pick solutions that require an army of staff and professional services. Do you want to maintain a science project?
- How well does the solution normalize and categorize the information? This is often overlooked during a SIEM evaluation, but may be the single most important consideration. The reality is that event data is complex, and why would you want a solution that can’t deliver a common taxonomy across all data collected?
- How well does the solution deliver secure log collection, storage, and archival? These features should be considered mandatory requirements in any security intelligence solution.
- How good is the solution at turning potentially billions of events into a useful and actionable assessment of security incidents? This one can be tricky because every solution claims to provide a detailed assessment of the security posture. The reality is that many correlation engines fail because they only look at data within a single silo – they don’t correlate across data silos (applications, user identity, assets, content, etc.) or they can’t see the depth or breadth of information required to properly detect incidents.
- How easy is it to customize the solution to meet unique business requirements of the organization, including analyzing data from unique or custom event sources? Organizations that are looking at security intelligence solutions should ensure they meet both short and long term data collection needs.
- How well does the solution scale? Scale requirements come in many forms – ranging from high event rates in a data center to meeting distributed scale considerations. It is important that the solution scales without introducing unnecessary complexity.

There are countless log management and SIEM success stories. Organizations that use data, or intelligence, to their advantage via an effective security management solution will be in a much better position to minimize risk of breach on their network.
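As an added illustration of two of the selection criteria above, a common taxonomy and correlation across silos, the Python below is example code written for this page, not Q1 Labs or QRadar code. It maps constructed firewall, sshd and web-application events onto one set of fields and then flags a source whose authentication failures span more than one silo; the event formats, field names and thresholds are assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed sample events from three silos (firewall, Linux host, web app).
# These lines are made up for this example, not real customer data.
RAW_EVENTS = [
    "fw01 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.7/51234 to 10.0.0.5/22",
    "host01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2",
    "host01 sshd[2212]: Failed password for root from 203.0.113.7 port 51241 ssh2",
    '{"app":"portal","event":"login_failed","user":"admin","src":"203.0.113.7"}',
    '{"app":"portal","event":"login_ok","user":"jsmith","src":"203.0.113.7"}',
    "host02 sshd[3001]: Accepted password for bob from 192.0.2.9 port 40000 ssh2",
]

# One parser per format; each emits the same fields (category, src, user, silo)
# so the correlation logic never has to know which vendor produced the event.
FW_RE = re.compile(r"%ASA-\d-\d+: Deny \w+ .*?from (?P<src>[\d.]+)/\d+")
SSH_RE = re.compile(r"sshd\[\d+\]: (?P<res>Failed|Accepted) password for "
                    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")

def normalize(line):
    """Map one raw event onto the common taxonomy; None if the format is unknown."""
    m = FW_RE.search(line)
    if m:
        return {"category": "network.deny", "src": m["src"], "user": None, "silo": "firewall"}
    m = SSH_RE.search(line)
    if m:
        cat = "auth.failure" if m["res"] == "Failed" else "auth.success"
        return {"category": cat, "src": m["src"], "user": m["user"], "silo": "host"}
    if line.startswith("{"):
        d = json.loads(line)
        cat = "auth.failure" if d["event"] == "login_failed" else "auth.success"
        return {"category": cat, "src": d["src"], "user": d.get("user"), "silo": "application"}
    return None

def correlate(lines, min_failures=2, min_silos=2):
    """Flag a source whose auth failures span several silos, noting whether the
    same source also logged a success. A per-silo rule would see only two sshd
    failures or one portal failure; the cross-silo view makes them one incident."""
    by_src = defaultdict(list)
    for ev in filter(None, map(normalize, lines)):
        by_src[ev["src"]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["category"] == "auth.failure"]
        silos = {e["silo"] for e in failures}
        if len(failures) >= min_failures and len(silos) >= min_silos:
            incidents.append({
                "src": src,
                "failures": len(failures),
                "silos": sorted(silos),
                "followed_by_success": any(e["category"] == "auth.success" for e in evs),
            })
    return incidents
```

Unrecognized formats return None and are skipped rather than crashing the pipeline; in a real deployment they should be counted so gaps in parsing coverage are visible.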

STEP 3: Ensure Ongoing Proper Device Configuration to Stay Ahead of the Threat

Ensuring ongoing proper device configuration sounds great, but in reality it can be quite challenging. The fundamentals here are pretty basic – ensure all the doors on the network are locked except when necessary to meet specific business requirements. This requires being able to continually assess the effectiveness of the configurations that are deployed on the network. There are automated configuration audit solutions that can assist in meeting this objective. Important considerations when assessing tools to help in this area include:

- How well does the solution automate the collection of configurations?
- How well does the solution ensure consistency of configuration across different types of devices, potentially from different vendors?
- How well does the solution interpret how traffic is allowed to traverse the network based on configurations, and how easy is it to analyze and understand?
- Can the solution accurately portray network configuration when devices are mis-configured or there are gaps in data collection?
- Can the solution automate the monitoring and notification of risky changes to configuration in a timely fashion?

The essential thing to consider in this step is having tools that help lower the barrier to entry to effective analysis of complex device configuration and provide exceptional automation that can quickly determine, and notify, when risky configurations are deployed on the network.

STEP 4: Ensure Top Vulnerabilities Are Addressed

Vulnerability scanners have become an important tool in the security administrator’s tool chest to ensure that devices on the network are not susceptible to well-known vulnerabilities. Historically there have been challenges with vulnerability scanners because they typically report vulnerabilities without context of the world around the device. This can result in numerous false positives and information overload. There is little doubt that systems that are exposed to well-known vulnerabilities are the first line of attack from those that wish to do harm.

Organizations that wish to ensure top vulnerabilities are addressed should look to expand their capabilities with solutions that can:

- Effectively normalize vulnerabilities to a common framework
- Assess the risk of vulnerabilities in conjunction with how the network is configured. It is important to be able to prioritize systems that may be easily breached because network configurations would allow specific vulnerabilities to be compromised
- Analyze vulnerabilities from many angles, including results from multiple vulnerability scanners, passive vulnerability analysis, and behavior analysis
- Automate the detection of configuration changes in the network that would introduce new risk of vulnerabilities to be compromised

What’s important here is not looking at vulnerabilities in a vacuum, but rather taking a more holistic risk-based approach that takes a much more relevant network and security analysis into account.
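To make the Step 3 and Step 4 points concrete (notification of risky configuration changes, and vulnerabilities assessed in conjunction with how the network is configured), here is an added Python example that is not part of this paper or of any Q1 Labs product. It evaluates a simplified first-match firewall rule list, scales each finding’s CVSS by whether the vulnerable port is reachable and by asset criticality, and reports which findings a rule change newly exposes; the rule model, exposure weights and sample data are assumptions, and the CVE labels are placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (placeholder CVE-style labels, private addresses);
# not taken from any real scanner or firewall.
# Firewall rules: (src_zone, dst_cidr, dst_port or 0 for any, action); first match wins.
OLD_RULES = [("internet", "10.0.2.20/32", 443, "allow"),
             ("internal", "10.0.0.0/8", 0, "allow")]
# A "temporary" rule inserted at the top that opens every port from the internet.
NEW_RULES = [("internet", "10.0.0.0/8", 0, "allow")] + OLD_RULES
# Assets: name -> (ip, business criticality 0..1, [(cve, port, cvss), ...])
ASSETS = {
    "db01": ("10.0.1.10", 1.0, [("CVE-XXXX-0001", 3306, 9.8)]),
    "web01": ("10.0.2.20", 0.8, [("CVE-XXXX-0002", 443, 7.5),
                                 ("CVE-XXXX-0003", 22, 8.1)]),
}

def allowed(rules, src_zone, dst_ip, port):
    """First-match evaluation of the rule list with an implicit final deny."""
    for zone, net, rport, action in rules:
        if zone == src_zone and ip_address(dst_ip) in ip_network(net) \
                and rport in (0, port):
            return action == "allow"
    return False

def exposure(rules, ip, port):
    """Weight a vulnerable port by which zone can actually reach it."""
    if allowed(rules, "internet", ip, port):
        return 1.0
    if allowed(rules, "internal", ip, port):
        return 0.5
    return 0.1  # present on the host but unreachable through the modelled firewall

def prioritize(rules, assets):
    """Rank findings by CVSS scaled with network exposure and asset criticality,
    so a high CVSS reachable only from the internal zone can rank below a lower
    CVSS sitting on an internet-facing port."""
    scored = []
    for name, (ip, crit, vulns) in assets.items():
        for cve, port, cvss in vulns:
            scored.append((round(cvss * exposure(rules, ip, port) * crit, 2), name, cve))
    return sorted(scored, reverse=True)

def newly_exposed(old_rules, new_rules, assets):
    """Findings that a rule change makes reachable from the internet; this is the
    condition a configuration-change alert (Step 3) should fire on."""
    out = []
    for name, (ip, _, vulns) in assets.items():
        for cve, port, _ in vulns:
            before = allowed(old_rules, "internet", ip, port)
            after = allowed(new_rules, "internet", ip, port)
            if after and not before:
                out.append((name, cve, port))
    return out
```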

STEP 5: Implement An Integrated, Risk-Based, Security Intelligence Framework

Over the years, Q1 Labs has learned that many organizations struggle to gain the necessary security visibility because of the existence of organizational and/or technology silos. A rule of thumb with most any security management deployment is that the more information provided to the solution, the better off the organization will be at detecting and minimizing risk.

Breaking down silos often requires organizational and/or operational changes, but in the end when the right hand finally learns what the left hand is doing, the results can be tremendous and budget savings can also be realized through consolidation.

Organizations that wish to introduce an integrated security intelligence framework should look to acquire and deploy a solution that can:

- Break down technology silos through the integration and analysis of a broad spectrum of information, including network, virtual network, security, vulnerability, asset, application, and configuration data, among others
- Break down operational silos and deliver the most appropriate security functions to meet the requirements of a broad spectrum of users, including operators, analysts, auditors, managers, and executives, among others
- Prioritize the risk of a security incident based on the overall impact to the business
- Automate the detection and notification of newly introduced risks on the network
- Deliver an integrated security intelligence framework for assessing risk across all relevant information

The key to this step is understanding that total security intelligence is all about adding context and correlating that information together across the entire security intelligence lifecycle. A security intelligence solution should be able to help an organization understand:

- What risks does an organization have and how can risks be reduced or prevented from happening in the first place
- What is happening right now and how to detect threats with intelligence and visibility
- What happened post-exploit and how to understand the impact or cost with forensics to determine how an event spread or what was stolen

NEXT STEPS

These five steps have outlined many considerations for how to build a more mature information security management program. An important consideration along the way is partnering with a security intelligence provider that can deliver a range of solutions that meets the requirements of an organization no matter where they are in their path to a comprehensive risk-based approach.

Q1 Labs QRadar® Security Intelligence Platform

Q1 Labs provides a family of security intelligence solutions that assist organizations of all sizes and across multiple industries to meet a broad spectrum of information security requirements. In addition, the QRadar® Security Intelligence Platform provides a future-proof family of products that allows organizations to grow their level of security intelligence in alignment with the state of their individual information security program. The diagram below provides a high-level overview of the QRadar Security Intelligence Platform and the product path many of our customers have taken to meet their growing security requirements:

[Diagram: How Customers Transition from Log Management to Total Security Intelligence]

Utilizing security intelligence solutions from Q1 Labs, organizations can effectively mature their security program to meet many of the information security considerations discussed earlier with the most intelligent, integrated and automated solution available:

1. Scalable, enterprise-wide log management provides the ability to:
   - Centralize the collection and secure storage of events and logs across an entire multi-vendor organization.
   - Easily meet compliance mandates.
   - Gain visibility into log data for actionable IT operations and security forensics.
   - Easily upgrade with a future-proof growth path to full SIEM.

2. Deep visibility with security information and event management (SIEM) delivers the:
   - Ability to improve the effectiveness of infrastructure investments through advanced analysis of network behavior and security information
   - Comprehensive visibility into an organization’s information security posture to detect threats
   - Power to turn billions of events into a prioritized list of security incidents that need to be addressed
   - Automated detection of threats typically missed by solutions that have not integrated operational or technology silos

3. Comprehensive, risk-based security management for:
   - Automating collection of configurations from network and security infrastructure
   - Timely detection of the introduction of risky configurations
   - Powerful risk prioritization that leverages a broad spectrum of risk indicators, including network activity, network topology, and vulnerability scan results
   - Advanced threat modeling and simulation

Summary: Considerations for a Long-Term Strategy

There are many considerations that span people, process and technology that organizations should consider to improve their ability to protect valuable information assets. Thinking about the finish line, when just starting the race, can seem overwhelming to any size organization. When planning a long-term strategy it is important to understand that incremental improvements in a security program will return significant dividends, provided enough thought and planning has gone into defining and implementing these improvements. Q1 Labs’ experience with customers has shown there are a few tried and true steps that should be considered that will greatly reduce the risk from information breach, including:

- Deployment of sufficient network and security technologies that can properly gate access to sensitive information
- Implementation of an effective log management and/or SIEM solution that can leverage a broad spectrum of security data to properly monitor, detect, and remediate significant security incidents
- Taking a proactive, risk-based approach to security management that can minimize risky network configuration and system vulnerabilities

A reality in today’s world is that there are criminals out there that are doing everything they can to steal the valuable data of almost any organization they can breach. Companies that leverage total security intelligence solutions to mature their security program - utilizing many of the methods described above - will be less likely to be breached by these criminals, inside or outside the organization.

Q1 Labs
890 Winter Street, Suite 230
Waltham, MA 02451 USA
1.781.250.5800, [email protected]

Copyright 2011 Q1 Labs, Inc. All rights reserved. Q1 Labs, the Q1 Labs logo, Total Security Intelligence, and QRadar are trademarks or registered trademarks of Q1 Labs, Inc. All other company or product names mentioned may be trademarks, registered trademarks, or service marks of their respective holders. The specifications and information contained herein are subject to change without notice.

WP5SPOB0211