Published by: quocirca on May 13, 2013
Copyright:Attribution Non-commercial
Buyer's guide: context aware security – May 2013
Bob Tarzey, Analyst and Director, bob.tarzey@quocirca.com, +44 7900 275517
Quocirca Comment: how to find out who is doing what to your data systems
May 2013 http://www.quocirca.com © 2012 Quocirca Ltd
Some things only appear suspicious when looked at in a broader context. An accountant may regularly access financial data when working at their organisation’s headquarters in London; it may also be usual for them to access the same data on occasions when visiting regional offices in other cities. What would not make sense would be for the accountant to download data in New York when the company’s physical security system shows them to be in London and already accessing other systems from there.

Spotting suspicious activity in such a way is the concept behind context aware security. It involves reviewing a single event alongside other events currently taking place, as well as against historical log data and relevant information from a range of other sources. This requires real time access to extensive volumes of data and the ability to process it in real time. Some call putting in place context aware security a big data challenge; i.e. you need the ability to process and gain useful insight from large volumes of data.

There is nothing new about storing and processing log data. Vendors of log management software have been around for years, often given away by their names, for example LogRhythm and LogLogic (the latter acquired by Tibco in 2012). The drivers for investing in log management were principally to do with compliance, allowing IT staff to produce audits of who has been doing what on their organisation’s IT systems by collecting and analysing data from the log files of servers, network devices, security systems etc.

Log management vendors have evolved their offerings over the last decade to provide a broader capability to view log data against other events happening on and around their systems. This led to the term SIEM (security information event management), first used by Gartner around 2005. SIEM tools combine log data with other information, for example about users and their rights, third party feeds (about vulnerabilities, malware, news, weather etc.), locational data (using IP addresses, mobile device tracking) and new regulatory requirements. They use all of this to provide enriched reports for both compliance reporting and security review.

As SIEM has become a mainstream offering, many of the big IT security vendors have entered the market via acquisitions, the most notable being HP/ArcSight (2010), IBM/Q1 Labs (2011), McAfee/Nitro Security (2011) and EMC-RSA/Netwitness (2011). LogRhythm is now considered to be a SIEM vendor; others include Red Lambda, Trustwave and Sensage. Splunk is often included in lists of SIEM vendors, but its focus is even broader, using IT operational intelligence to provide commercial as well as security insight (an area Quocirca will be publishing new research into later in 2013).

However, to go further still and deliver the promise of context aware security in real time requires SIEM tools to be souped-up so that they can do their analysis at speed and thus provide real time protection. Quocirca termed this advanced cyber-security intelligence (ASI) in a July 2012 report [1]; another term used by some is next-generation SIEM (NG-SIEM).

Whatever term you prefer, any vendor claiming to offer a broad context aware security capability should have tools that can do all of the following:
- Process and analyse large volumes of data in real time
- Have an advanced correlation engine to process and compare information from disparate sources
- Be able to enforce advanced rules that link disparate events and prescribe what should happen if there is an anomaly
- Include a range of out-of-the-box rules as well as allowing customers to write their own
- Have the intelligence and insight to act and prevent security breaches as they happen
- Have the capability to adapt to events and improve future responses
- Gather data from external feeds
- Have the capacity for the long term storage of IT intelligence data in a central repository
- Provide an intuitive interface and dashboard for ease of use by all security staff

NG-SIEM is not the only way to provide more context aware security. Some vendors have added specific capability to provide context around their various security products. For example Kaspersky Lab’s System Watcher combines information from its firewall, behaviour analyser and cloud-based reputation server to provide a broader overall risk assessment of suspected malware.

Other tools provide very specific context awareness. For example Finsphere uses mobile phone numbers as an additional means of user authentication. The vendor compares this with information about the user's location to make sure a given login makes sense (similar to the example used at the start of this article). To achieve the high speed processing necessary to do this in real time, Finsphere has just signed a deal with Violin Memory.

Context aware security is not a replacement for existing point security technologies such as anti-virus, firewalls and intrusion prevention systems (IPS), but a supplement to them. It provides insight that can identify a malicious attack or undesirable user behaviour (an even greater risk that needs to be mitigated).

Here are some examples of where ASI may succeed where point security products may fail:
- Detecting zero day attacks: signature-based anti-virus software cannot detect newly constructed malware, which is often used during targeted attacks. Correlating server access logs to identify that the same server is being used to contact many other servers and user end-points on the same private network, and is sending messages home to an unusual IP address, would give an early warning that something is amiss.
- Detecting hacking/preventing data theft: an intrusion prevention system (IPS) may prevent multiple failed attempts to access a server from a particular IP address, but may not see that data is already being copied from that server due to a single successful penetration from the same IP address. Correlating log and event files could identify that two such events are related and lead to the prevention of a data theft. Targeted attacks often have this sort of profile.
- Non-compliant movement of data: it might be usual for an employee to access customer information; it may also be usual for them to download it to a file for reporting reasons. However, for them to copy the data to a non-compliant location, for example a cloud storage resource in a certain country, should raise an alarm. This requires rules that understand user access rights and current compliance requirements, and the ability to correlate these in real time with attempts to copy data and the location of the target storage service.
- Absence of an event: SCADA systems are often controlled using human machine interfaces (HMI); this requires someone to be present, which, with physical security measures in place, should be preceded by a record of the employee involved having used an ID badge to enter the premises in question. So, if an action is logged on an HMI system at a remote location that is not preceded by a valid record of physical entry, then either someone has gained unauthorised access or the HMI has been hacked remotely. An advanced correlation rule that looks for the presence of the badge reader log within a specified time prior to an HMI access request enables such a breach to be detected.
- Anomalous sys-admin activity: if a system administrator account has been compromised there may be an attempt to create a new account for future use. Correlating this activity with a change control system will identify that the creation of such accounts has not been authorised.
- Unexpected access routes: some databases are only normally accessed via certain applications, for example credit card data is written by an e-commerce application and only read by the accounts application; access attempts via other routes should raise an alarm if the tools are in place to correlate such events and observe that a rule about the normal access route is being broken.

For businesses, there will be no end to the struggle to get the upper hand over cyber-criminals, hacktivists and indeed their own users. For governments, the situation is arguably even worse, as cyber-space becomes the 5th theatre for warfare (after land, sea, air and space) and terrorists see cyber-space as a way to go after critical infrastructure. All have to keep upping the ante, to avoid falling too far behind, or perhaps even get ahead, turning cyber security into an offensive rather than defensive act.

So much criminal activity and political activism has now been displaced from the physical world to cyber-space, or at least extended to cover both, that IT security teams are now in the front line when it comes to ensuring that the businesses they serve can continue to function and that their continued good reputations are preserved. To this end they must be enabled with the tools that provide broader context for the activity on the systems they manage, in order to protect their business from problems tomorrow that no one can envisage today.
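Two of the correlation rules described above, the London/New York location check from the opening example and the "absence of an event" badge-reader rule for HMI access, as an added worked example in Python. This is not code from the article or from any vendor it names; the merged event stream, its field names and the two time windows are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article): a merged, time-sorted
# stream of badge-reader, HMI and application-access log entries.
EVENTS = [
    {"t": "2013-05-13 08:00", "src": "badge",  "user": "alice", "site": "London"},
    {"t": "2013-05-13 08:10", "src": "access", "user": "alice", "site": "London"},
    {"t": "2013-05-13 08:30", "src": "access", "user": "alice", "site": "New York"},
    {"t": "2013-05-13 09:00", "src": "badge",  "user": "bob",   "site": "Plant-7"},
    {"t": "2013-05-13 09:05", "src": "hmi",    "user": "bob",   "site": "Plant-7"},
    {"t": "2013-05-13 11:00", "src": "hmi",    "user": "bob",   "site": "Plant-7"},
]

HMI_WINDOW = timedelta(minutes=30)    # badge-in must precede HMI use by <= 30 min (assumed)
PRESENCE_WINDOW = timedelta(hours=8)  # a badge-in places the user at that site for 8 h (assumed)


def parse_time(ev):
    return datetime.strptime(ev["t"], "%Y-%m-%d %H:%M")


def correlate(events, hmi_window=HMI_WINDOW, presence_window=PRESENCE_WINDOW):
    """Run both context rules over the stream; return (rule, user, time) alerts."""
    alerts = []
    last_badge = {}  # user -> (site, time) of the most recent badge-in
    for ev in events:
        ts = parse_time(ev)
        badge = last_badge.get(ev["user"])
        if ev["src"] == "badge":
            last_badge[ev["user"]] = (ev["site"], ts)
        elif ev["src"] == "hmi":
            # Absence-of-event rule: HMI activity with no recent badge-in at
            # that site means unauthorised presence or remote compromise.
            if badge is None or badge[0] != ev["site"] or ts - badge[1] > hmi_window:
                alerts.append(("hmi_without_badge", ev["user"], ev["t"]))
        elif ev["src"] == "access":
            # Location rule: physical security places the user somewhere else.
            if badge and badge[0] != ev["site"] and ts - badge[1] <= presence_window:
                alerts.append(("location_mismatch", ev["user"], ev["t"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

A real SIEM would also have to cope with clock skew between the badge system and the HMI logs and with badge-outs, which this example leaves out.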
[1] Quocirca’s report Advanced Cyber Security
This article first appeared on: