
Security Information and Event Management (SIEM)


Bring Order to Chaos By Building SIEM Use Cases, Standards, Baselining and Naming Conventions

Security operations centers (SOCs) are struggling to create automated detection and response capabilities. While custom security information and event management (SIEM) use cases can allow businesses to improve automation, creating use cases requires clear business logic. Many security organizations lack efficient, accurate methods to distinguish between authorized and unauthorized activity patterns across components of the enterprise network.

Even the most intelligent SIEM can fail to deliver value when it’s not optimized for use cases, or if rules are created according to incorrect parameters. Creating a framework that can accurately detect suspicious activity requires baselines, naming conventions and effective policies.

Defining Parameters for SIEM Use Cases Is a Barrier to SOC Success

Over the past few years, I’ve consulted with many enterprise SOCs to improve threat detection and incident response capabilities. Regardless of SOC maturity, most organizations struggle to accurately define the difference between authorized and suspicious patterns of activity, including users, admins, access patterns and scripts. Countless SOC leaders are stumped when they’re asked to define authorized patterns of activity for mission-critical systems.

SIEM rules can be used to automate detection and response capabilities for common threats such as distributed denial-of-service (DDoS), authentication failures and malware. However, these rules must be built on clear business logic for accurate detection and response capabilities. Baseline business logic is necessary to accurately define risky behavior in SIEM use cases.

Building a Baseline for Cyber Hygiene

Cyber hygiene is defined as the consistent execution of activities necessary to protect the integrity and security of enterprise networks, including users, data assets and endpoints. A hygiene framework should offer clear parameters for threat response and acceptable use based on policies for user governance, network access and admin activities. Without an understanding of what defines typical, secure operations, it’s impossible to create an effective strategy for security maintenance.

A comprehensive framework for cybersecurity hygiene can simplify security operations and create guidelines for SIEM use cases. Capturing an effective baseline for systems strengthens that framework and creates order in chaos. To support better hygiene and threat detection capabilities based on business logic, established standards such as a naming convention can provide clear parameters.

VLAN Network Categories

For the purpose of simplified illustration, imagine that your virtual local area networks (VLANs) are categorized among five criticality groups — named A, B, C, D and E — with the mission-critical VLAN falling into the A category (_A).

A policy may be created to dictate that A-category VLAN systems can communicate directly with any other category without compromising data security. However, communication with the A-category VLAN from B, C, D or E networks is not allowed. Authentication to a jump host can accommodate authorized exceptions to this standard, such as when E-category users need access to an A-category server.

Creating a naming convention and policy for VLAN network categories can help you develop simple SIEM use cases to prevent unauthorized access to A resources and automatically detect suspicious access attempts.

Directory Services and Shared Resources

You can also use naming convention frameworks to create a policy for managing groups of user accounts according to access level in directory services, such as Lightweight Directory Access Protocol (LDAP) or Active Directory (AD). A standardized naming convention for directory services provides a clear framework for acceptable user access to shared folders and resources. AD users categorized within the D category may not have access to A-category folders or _A.

Creating effective SIEM rules based on these use cases is a bit more complex than VLAN business logic since it involves two distinct technologies and potentially complex policies for resource access. However, creating standards that connect user access to resources establishes clear parameters for strict, contextual monitoring. Directory users with A-category access may require stricter change monitoring due to the potential for abuse of admin capabilities. You can create SIEM use cases to detect other configuration mistakes, such as a C-category user who is suddenly escalated to A-category.

Username Creation

Many businesses are already applying some logic to standardize username creation for employees. A policy may dictate that users create a seven-character alias that involves three last-name characters, two first-name characters and two digits. Someone named Janet Doe could have the username DoeJa01, for example. Even relatively simple username conventions can support SIEM use cases for detecting suspicious behavior. When eight or more characters are entered into a username field, an event could be triggered to lock the account until a new password is created.

The potential SIEM use cases increase with more complex approaches to username creation, such as 12-character usernames that combine last- and first-name characters with the employee’s unique HR-issued identification. A user named Jonathan Doerty, for instance, could receive an automatically generated username of doertjo_4682. Complex usernames can create friction for legitimate end users, but some minor friction can be justified if it provides greater safeguards for privileged users and critical systems.

An external threat actor may be able to extrapolate simple usernames from social engineering activities, but they’re unlikely to guess an employee’s internal identification number. SIEM rules can quickly detect suspicious access attempts based on username field entries that lack the required username components. Requiring unique identification numbers from HR systems can also significantly lower the risk of admins creating fake user credentials to conceal malicious activity.

Unauthorized Code and Script Locations

Advanced persistent threats can evade detection by creating backdoor access to deploy carefully disguised malicious code. Standard naming conventions provide a cost-effective way to create logic that detects malware risks. A simple model for script names could combine several data components, such as department name, script name and script author, resulting in authorized names like HR_WellnessLogins_DoexxJo. Creating SIEM parameters for acceptable script names can automate the detection of malware.

Creating baseline standards for script locations such as /var/opt/scripts and C:\Program Files can improve investigation capabilities when code is detected that doesn’t comply with the naming convention or storage parameters. Even the most sophisticated threat actors are unlikely to perform reconnaissance on enterprise naming convention baselines before creating a backdoor and hiding a script. SIEM rules can trigger a response from the moment a suspiciously named script begins to run or a code file is moved into an unauthorized storage location.
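The VLAN policy, the two username conventions and the script baseline described above, turned into detection logic as an added example (this is not the article's own code). The subnet-to-category map, the jump host address, the HR identifier set, the department codes and the sample events are all constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# --- Baselines (constructed sample data standing in for a real inventory) ---
VLAN_CATEGORY = {                      # assumption: one subnet per category
    "A": ip_network("10.1.0.0/24"),    # mission-critical VLAN (_A)
    "B": ip_network("10.2.0.0/24"),
    "C": ip_network("10.3.0.0/24"),
    "D": ip_network("10.4.0.0/24"),
    "E": ip_network("10.5.0.0/24"),
}
JUMP_HOST = ip_address("10.9.0.10")    # assumed address of the jump host
HR_IDS = {"4682", "1207"}              # constructed HR-issued identifiers
DEPARTMENTS = {"HR", "FIN", "IT"}      # assumed department codes
SCRIPT_DIRS = ("/var/opt/scripts/", "C:\\Program Files\\")

# DoeJa01: three last-name letters, two first-name letters, two digits.
SIMPLE_USER = re.compile(r"^[A-Za-z]{3}[A-Za-z]{2}\d{2}$")
# doertjo_4682: five last-name letters, two first-name letters, '_', HR id.
COMPLEX_USER = re.compile(r"^[a-z]{5}[a-z]{2}_(\d{4})$")
# HR_WellnessLogins_DoexxJo: department, script name, seven-letter author alias.
SCRIPT_NAME = re.compile(r"^([A-Za-z]+)_[A-Za-z0-9]+_[A-Za-z]{7}$")


def category_of(ip):
    addr = ip_address(ip)
    for cat, net in VLAN_CATEGORY.items():
        if addr in net:
            return cat
    return None                        # not in any categorised VLAN


def check_flow(src_ip, dst_ip):
    """VLAN policy: A may talk to anyone; B-E may not initiate traffic into
    A. Traffic arriving from the jump host is the authorised exception."""
    src, dst = category_of(src_ip), category_of(dst_ip)
    if dst == "A" and src != "A" and ip_address(src_ip) != JUMP_HOST:
        return f"access to _A from {src or 'uncategorised'} host {src_ip}"
    return None


def check_username(name, convention="simple"):
    """Flag usernames that do not fit the convention in force. For the simple
    alias, eight or more characters is the trigger described in the article."""
    if convention == "simple":
        if len(name) >= 8:
            return f"username {name!r} has eight or more characters"
        if not SIMPLE_USER.match(name):
            return f"username {name!r} does not fit the LLLFFnn pattern"
        return None
    m = COMPLEX_USER.match(name)
    if not m:
        return f"username {name!r} lacks a required component"
    if m.group(1) not in HR_IDS:
        return f"username {name!r} carries an unknown HR identifier"
    return None


def check_script(path):
    """Script baseline: approved directory plus Dept_Name_Author naming."""
    findings = []
    if not path.startswith(SCRIPT_DIRS):
        findings.append(f"script outside approved locations: {path}")
    name = re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]
    m = SCRIPT_NAME.match(name)
    if not m or m.group(1) not in DEPARTMENTS:
        findings.append(f"script name {name!r} violates the naming convention")
    return findings


def evaluate(event):
    """Route one normalised event to its rule; returns a list of findings."""
    kind = event["type"]
    if kind == "flow":
        f = check_flow(event["src"], event["dst"])
    elif kind == "logon":
        f = check_username(event["user"], event.get("convention", "simple"))
    elif kind == "script_exec":
        return check_script(event["path"])
    else:
        f = None
    return [f] if f else []


# Constructed sample events, shaped as a SIEM would hand them to the rules.
SAMPLE_EVENTS = [
    {"type": "flow", "src": "10.5.0.7", "dst": "10.1.0.20"},     # E -> A: alert
    {"type": "flow", "src": "10.9.0.10", "dst": "10.1.0.20"},    # jump host -> A
    {"type": "flow", "src": "10.1.0.20", "dst": "10.4.0.9"},     # A -> D: allowed
    {"type": "logon", "user": "DoeJa01"},
    {"type": "logon", "user": "administrator"},                  # alert
    {"type": "logon", "user": "doertjo_4682", "convention": "complex"},
    {"type": "logon", "user": "doertjo_9999", "convention": "complex"},  # alert
    {"type": "script_exec", "path": "/var/opt/scripts/HR_WellnessLogins_DoexxJo.py"},
    {"type": "script_exec", "path": "/tmp/.x/update.sh"},        # two alerts
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for finding in evaluate(ev):
            print("ALERT:", finding)
```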

Scaling Security Response With Standards

Meaningful threats to enterprise data security often fly under the radar of even the most sophisticated threat detection solutions when there’s no baseline to define acceptable activity. SOC analysts have more technological capabilities than ever, but many are struggling to optimize detection and response with effective SIEM use cases.

Clear, scalable systems to define policies for acceptable activity create order in chaos. The smartest approach to creating effective SIEM use cases relies on standards, a strong naming convention and sound policy. It’s impossible to accurately understand risks without a clear framework for authorized activities. Standards, baselines and naming conventions can remove barriers to effective threat detection and response.

The post Bring Order to Chaos By Building SIEM Use Cases, Standards, Baselining and Naming Conventions appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Ludek Subrt


Maturing Your Security Operations Center With the Art and Science of Threat Hunting

Your organization has fallen prey to an advanced persistent threat (APT) after being targeted by a state-sponsored crime collective. Six million records were lost over 18 months of undetected presence on your network. While your security operations center (SOC) is fully staffed with analysts, your threat hunting capabilities failed to detect the subtle signs of threat actors moving laterally through your network and slowly exfiltrating customer data.

How did this happen?

It all started with a highly targeted spear phishing attack on your director of communications. He failed to notice the carefully disguised symbols in an email he thought was sent by the IT department and logged in to a spoofed domain. This credential theft resulted in the spread of zero-day malware and slowly escalated account privileges. While some of the criminals’ behavior triggered alerts in the SOC, your analysts categorized the incidents as benign positives. Your organization is now facing a multimillion-dollar cleanup and a serious loss of customer trust.


Why You Should Hunt Advanced Threats Before They Strike

Situations like the one described above are all too common in our industry. The majority of successful exploits attributed to human error fit a small series of predictable patterns that exploit known vulnerabilities in an organization’s network. As a result, many data breaches can be prevented with effective cyber hygiene tactics.

Advanced threats are a smaller proportion of incidents, but they are typically undetected and cause the most damage. In addition, the rise in state-sponsored crime and criminal activity on the dark web has created an ecosystem that fosters open exchange between the world’s most sophisticated and skilled criminals.

The cost of a serious breach is also trending upward. According to Ponemon, the average cost of a megabreach that results in the loss of more than 1 million customer records is $40 million. And more than 60 percent of data breaches have links to either state actors or advanced, organized crime groups, according to Verizon. APTs that evade detection can result in dwell times that range from three to 24 months, further increasing the total cleanup cost for a data breach.

How can security teams fight these kinds of threats? The majority of enterprise SOCs are now at least three years old, according to a recent study from Exabeam, and are increasing in maturity. While human analysts and manual research methodologies can act as a firewall against many risks, there’s a need to scale SOC intelligence and threat hunting capabilities to safeguard against APTs.

What Is Threat Hunting?

Threat hunting can be defined as “the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain.” The practice uses techniques from art, science and military intelligence, with internal and external data sources informing the science of statistical and cognitive analysis. Human intelligence analyzes the results and informs the art of a response. Last year, 91 percent of security leaders reported improved response speed and accuracy as a result of threat detection and investigation, according to the SANS Institute.

Threat hunting is not defined by solutions, although tools and techniques can significantly improve efficiency and outcomes. Instead, it’s defined by a widely accepted framework from Sqrrl. These are the four stages of Sqrrl’s Threat Hunting Loop:

  1. Create a hypothesis.
  2. Investigate via tools and techniques.
  3. Discover new patterns and adversary tactics, techniques and procedures (TTPs).
  4. Inform and enrich automated analytics for the next hunt.

The goal for any security team should be to complete this loop as efficiently as possible. The quicker you can do so, the quicker you can automate new processes that will help find the next threat.

The 4 Characteristics of a Comprehensive Threat Hunting Capability

A mature threat hunting capability is closely associated with SOC maturity. The least mature SOCs have human analysts who act as a firewall. As SOCs approach maturity and adopt security information and event management (SIEM) tools, their capacity to reactively investigate indicators of compromise (IoCs) increases. The most mature SOCs take a proactive approach to investigating IoCs, with researchers, analysts, solutions and a clearly defined methodology to orchestrate both investigation and response. A comprehensive capacity for hunting threats is defined by four key characteristics:

  1. Data handling: The ability to handle a deluge of data across siloed networks, including insight into internal risks, advanced activities from external threat actors and real-time threat intelligence from third-party sources.
  2. Data analysis: The ability to correlate a high volume and velocity of disparate data sources into information and, ultimately, intelligence.
  3. Informed action: Resources to increase threat hunters’ skills and easily feed threat intelligence through training, policy and cognitive capabilities.
  4. Orchestrated action: Defined processes and methodologies to hunt threats in a repeatable and orchestrated way that informs proactive security capabilities throughout the organization.

Organizations that fail to increase SOC maturity and adopt the solutions and processes for hunting threats face a number of risks. Relying on manual research methodologies can lead to costly data breaches and permanent brand damage when APTs evade detection. A lack of solutions and methods for an orchestrated IoC investigation process means less efficient and accurate operations. The absence of SOC orchestration encourages heavily manual processes.

The Diverse Business Benefits of Hunting Threats

Using cognitive intelligence tools to enhance SOC capabilities, Sogeti Luxembourg successfully reduced the average time of root cause determination and threat investigation from three hours to three minutes. In the process, the financial institution sped up their threat investigation process by 50 percent and saw a tenfold increase in actionable threat indicators.

Hunting threats can offer a number of benefits to both the business and the security operations center. The outcomes include greater protection of reputation, a more intelligent SOC and orchestrated security response.

Reputation Protection

Falling prey to an APT can cause lasting damage to a brand. One core benefit of implementing a more sophisticated threat hunting capability is the potential to guard against the most costly data breaches, which typically result in millions of lost records or permanent data deletion.

SOC Maturity

SOC analyst stress and falsely assigned benign positives are at record highs. APTs can easily go unnoticed due to the sheer volume of noise, which creates a culture of alert fatigue.

Achieving mature threat detection capabilities can change how analysts work and allow organizations to implement a cognitive SOC. Security analytics platforms enhance human intelligence and reduce manual research, and correlation tools provide real-time insight from a variety of structured and unstructured third-party data sources.

Orchestrated Security Response

With the technological capabilities to outthink adversaries, organizations can inform a proactive, unified approach to incident response (IR) that begins in the SOC. Internal and external data sources augment the intelligence of human analysts, allowing real-time, informed decision-making. Investigations and response can inform action as soon as anomalous behaviors or patterns are detected. The result is a defined process that allows your organization to mitigate threats earlier in the Cyber Kill Chain.

Intelligent Response to Sophisticated Threats

The majority of threats your organization faces each day will fit predictable patterns. While APTs make up a statistically small percentage of incidents investigated by a SOC, sophisticated threat actors use unique tactics and techniques to evade detection in a noisy SOC. These threats are the most likely to evade detection and result in highly expensive cybercrime.

State-sponsored criminal activity and attacks launched by sophisticated crime collectives are increasing. To guard against these increasingly complex threat vectors, organizations need to proactively prepare their defenses. Implementing cognitive tools in the SOC can enable organizations to adopt proactive threat hunting capabilities that leverage both art and science. By combining repeatable processes for threat investigation with intelligent solutions and skilled analysts, organizations can respond to threats earlier in the kill chain and protect their most critical assets.



This post appeared first on Security Intelligence
Author: Rob Patey


SIEM Event Normalization Makes Raw Data Relevant to Both Humans and Machines

A security information and event management (SIEM) system is an indispensable tool for any security operations center (SOC). It collects events from devices in your network infrastructure such as servers, cloud devices, firewalls and Wi-Fi access points to give operations professionals fine-grained visibility into activity on the network and help them spot anomalies that may signal a cyberattack.

In its raw form, this log data is almost impossible for a human to process, so advanced SIEM solutions conduct a process called event normalization to deliver a homogeneous view. Event normalization consists of breaking each field of a raw event into variables and combining them into views that are relevant to security administrators. This is a crucial step in the process of finding meaning in often isolated and heterogeneous events.

Visualize Your Network Activity

There are thousands of vendors and models of devices and software that an organization may want to monitor. It’s impossible for a SIEM to read raw events from all of them, let alone keep up with versions and new releases. Using correlation rules and tools such as a DSM editor, security administrators can translate raw data into a single, normalized stream, making it possible for the SIEM to present data from nearly any device or log source in a meaningful form. Event normalization enables administrators to detect anomalies even when data is streaming in from multiple locations.

For example, a brute-force attack consists of a series of authentication attempts against a system, either from a single IP or multiple addresses. Sorting through authentication logs one by one is a tedious task, but a SIEM solution can solve the problem using correlation rules. This enables administrators to see anomalies such as login attempts from suspicious locations, network scans and simultaneous authentication attempts by the same user from different locations. A SIEM can also monitor network traffic for unusual activity, such as large file downloads.

Behold the Power of Event Normalization

To give you a sense of the power of normalization, here’s an example of a raw log from a firewall:

<;;5>logver=54 dtime=1536072238 devid=FG74E83E17000037 devname=firewall-fort vd=External date=2018-09-04 time=14:43:58 slot=4 logid=0000000013 type=traffic subtype=forward level=notice srcip=10.10.10.200 srcport=44000 srcintf="DMZ" dstip=172.217.15.206 dstport=443 dstintf="External" poluuid=55555555-5b5b-5a5a-5c5c-5a5b5c5d5f55 sessionid=555555555 proto=6 action=close policyid=55 policytype=policy dstcountry="United States" srccountry="United States" trandisp=snat transip=Pub-IP-Address transport=44000 service="tcp_1-65535" duration=11 sentbyte=1699 rcvdbyte=6002 sentpkt=16 rcvdpkt=13 appcat="unscanned"

Buried in this nearly unreadable stream is important information, including:

  • Hostname;
  • Date and time;
  • Source IP of the traffic;
  • Destination IP;
  • Source port;
  • Destination port;
  • Action taken by the firewall;
  • Source country;
  • Destination country;
  • Application discovered; and
  • Translated IP addresses.

Using correlation rules, we can extract these important details automatically into a report or chart that helps us visualize activity from many sources. The process of creating events consists of finding patterns in raw data, mapping it to known expressions, and assigning unique categories and identifiers. If the SIEM encounters an unknown log source or data type, we can use the editor to define an event and assign variables such as name, severity and facility.
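A small normaliser for the firewall record above, added here as an example; it is not code from the article or from any vendor DSM editor. The raw line is the article's sample with the leading syslog priority token assumed to be <5> (the original rendering is garbled), and the field mapping, category names and severity scheme are this example's own assumptions.

```python
import re
import shlex
from datetime import datetime, timezone

# The article's sample record, reproduced inline so the example runs offline.
# The "<5>" priority prefix is an assumption.
RAW = (
    '<5>logver=54 dtime=1536072238 devid=FG74E83E17000037 devname=firewall-fort '
    'vd=External date=2018-09-04 time=14:43:58 slot=4 logid=0000000013 '
    'type=traffic subtype=forward level=notice srcip=10.10.10.200 srcport=44000 '
    'srcintf="DMZ" dstip=172.217.15.206 dstport=443 dstintf="External" '
    'poluuid=55555555-5b5b-5a5a-5c5c-5a5b5c5d5f55 sessionid=555555555 proto=6 '
    'action=close policyid=55 policytype=policy dstcountry="United States" '
    'srccountry="United States" trandisp=snat transip=Pub-IP-Address '
    'transport=44000 service="tcp_1-65535" duration=11 sentbyte=1699 '
    'rcvdbyte=6002 sentpkt=16 rcvdpkt=13 appcat="unscanned"'
)

PRI = re.compile(r"^<(\d+)>")
SYSLOG_LEVELS = ["emergency", "alert", "critical", "error",
                 "warning", "notice", "information", "debug"]

# Raw key -> normalised field name (an assumed common schema, not a vendor one).
FIELD_MAP = {
    "devname": "hostname", "srcip": "src_ip", "dstip": "dst_ip",
    "srcport": "src_port", "dstport": "dst_port", "action": "action",
    "srccountry": "src_country", "dstcountry": "dst_country",
    "appcat": "application", "transip": "nat_src_ip", "transport": "nat_src_port",
}
INT_FIELDS = {"src_port", "dst_port", "nat_src_port"}
ACTION_CATEGORY = {"accept": "firewall.permit", "deny": "firewall.deny",
                   "close": "firewall.session_closed",
                   "timeout": "firewall.session_closed"}


def parse_kv(raw):
    """Split one key=value record into (priority, dict). shlex keeps quoted
    values such as "United States" together and strips the quotes."""
    m = PRI.match(raw)
    pri = int(m.group(1)) if m else None
    body = raw[m.end():] if m else raw
    fields = {}
    for token in shlex.split(body):
        key, sep, value = token.partition("=")
        if sep:                          # ignore stray tokens without '='
            fields[key] = value
    return pri, fields


def categorize(fields):
    """Assign a unique category from the record's type/subtype/action."""
    if fields.get("type") == "traffic":
        return ACTION_CATEGORY.get(fields.get("action"), "firewall.unknown")
    return ".".join(p for p in (fields.get("type"), fields.get("subtype")) if p)


def severity_of(pri, level):
    """Syslog severity 0-7: taken from the priority when present, otherwise
    from the device's own level name, defaulting to notice."""
    if pri is not None:
        return pri & 7
    return SYSLOG_LEVELS.index(level) if level in SYSLOG_LEVELS else 5


def normalize(raw):
    """Turn a raw record into the homogeneous view the article describes."""
    pri, f = parse_kv(raw)
    event = {"raw_field_count": len(f)}
    for key, name in FIELD_MAP.items():
        if key in f:
            value = f[key]
            event[name] = int(value) if name in INT_FIELDS and value.isdigit() else value
    # Prefer the epoch timestamp (unambiguous) over the local date/time strings.
    if f.get("dtime", "").isdigit():
        event["timestamp"] = datetime.fromtimestamp(
            int(f["dtime"]), tz=timezone.utc).isoformat()
    elif "date" in f and "time" in f:
        event["timestamp"] = f"{f['date']}T{f['time']}"
    event["category"] = categorize(f)
    event["severity"] = severity_of(pri, f.get("level"))
    event["facility"] = pri >> 3 if pri is not None else None
    return event


if __name__ == "__main__":
    for name, value in sorted(normalize(RAW).items()):
        print(f"{name:>16}: {value}")
```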

Get the Most Out of Your SIEM Deployment

Good normalization practices are essential to maximizing the value of your SIEM. Tools such as DSM editors make it fast and easy for security administrators to define, test, organize and reuse events, thereby ensuring the maximum visibility into everything that takes place on the enterprise’s computing fabric. Normalization turns streams of machine data into something humans can use.


This post appeared first on Security Intelligence
Author: Moises Monge


Close the Gap on Advanced Threats With Integrated Security

The board of directors is finally starting to grasp that security risk equals business risk. But as you finalize your presentation on the company’s cybersecurity posture, you can’t help but second-guess yourself. You know the CEO, CFO and other senior leaders want to hear that the security team has an effective strategy for handling advanced threats, but the truth is that your analysts are drowning in data with little meaningful insight into risks.

Based on your knowledge of the rapidly expanding threat landscape, you know the company is vulnerable to a data breach it can’t afford. The problem is that you can’t demonstrate this risk without adequate visibility into the organization’s sensitive data and the vulnerabilities threat actors might exploit to steal it. What’s worse, your security operations center (SOC) is spread thin across the widening cyber skills gap, and alerts are piling up as analysts slog through manual processes. How can chief information security officers (CISOs) free up their SOC teams to investigate the most pressing alerts and minimize risks before they evolve into costly incidents?


Why Threats Are Outpacing the SOC

While the security profession is finally gaining the respect and attention it deserves, understaffed SOCs are struggling to triage enormous volumes of security event data. And the problem is only getting worse: Cybersecurity Ventures predicted that the industry will have 3.5 million unfilled cybersecurity positions by 2021.

Despite the increased spend, many organizations are failing to see results from their security investments. Some organizations have 85 distinct security solutions from 45 unique vendors, but little confidence in their capacity to detect threats. No matter the size of your security arsenal, these standalone tools cannot adequately protect enterprise networks from today’s advanced threats in isolation.

Coupled with the skills crisis, the SOC is grappling with the increasing complexity of the threat landscape. Costly, difficult-to-detect insider attacks have increased by 46 percent since 2014. Meanwhile, 62 percent of security experts believe threat actors will weaponize artificial intelligence (AI) to launch targeted attacks at scale in the next year, according to a Cylance survey.

A New Approach to Detect and Stop Advanced Threats

Despite record-breaking spend on security solutions, the SOC is losing ground for more reasons than the skills shortage and evolving threats. Technology is a barrier for many enterprises in which the security organization lacks a comprehensive view of the risk landscape. Disconnected systems, the IT skills gap and a lack of automation have made it very difficult for these organizations to distinguish advanced threats from false positives.

The cost of failing to adopt a new approach to threat detection and remediation is higher than ever. According to the “2018 Cost of a Data Breach Study,” sponsored by IBM Security and conducted by the Ponemon Institute, a mega breach of 50 million or more records can cost as much as $350 million. Targeted, malicious attacks and botnets are among the most expensive types of security incident.

“With a variety of threat vectors to contend with, companies must proactively implement policies and technologies that mitigate the risk of facing a costly breach,” said Larry Ponemon, chairman and founder of Ponemon Institute.

By creating an integrated security ecosystem of solutions, policies and people, organizations can more efficiently and effectively detect advanced threats. AI, machine learning and automation can improve the accuracy and speed of threat investigations, while solutions to orchestrate systems, processes and users minimize the impact of incidents.

5 Use Cases for Advanced Threat Detection and Prevention

How’s this for a use case: With an intelligent security ecosystem, Wimbledon achieved 60 times greater efficiency in threat investigations over manual processes. IBM solutions helped the oldest brand in tennis investigate five times more incidents during the annual tournament, with zero security impact to operations.

Use cases for operations strategy, managed incident response, SOC automation, behavioral analytics and user authentication demonstrate how IBM Security solutions offer a complete spectrum of protection against sophisticated threats.

1. Operational Strategy

A recent survey of Black Hat 2018 attendees revealed that sophisticated, targeted attacks are the top concern for 47 percent of security professionals. Other frequently cited challenges facing the enterprise include social engineering, insider threats and cloud risks. When an enterprise is facing these known risks and lacks confidence in existing technologies, it’s critical to strengthen operations proactively.

Partnering with security operations and consulting services can enable the enterprise to design and build a comprehensive response with a cognitive SOC, SOC training and security information and event management (SIEM) optimization.

2. Incident Response

According to Marsh & McLennan, 14 percent of organizations are “not at all confident” or unsure if they are adequately prepared to respond to or recover from a cyber incident. As vulnerabilities and risks evolve, organizations need a culture of continuous improvement to weather the coming storm of advanced threats.

Developing relationships with industry detection and response experts can provide organizations with decades of threat intelligence experience. Managed SIEM services can offer cognitive intelligence for cybersecurity and comprehensive, compliant infrastructure.

3. SOC Automation

Enterprise SOCs encounter 200,000 unique security events each day on average. A cognitive SOC with automation, machine learning, AI and orchestration solutions eases the burden on analysts and improves effectiveness. Incident response automation can reduce the total cost of a data breach by $1.55 million. Meanwhile, intelligent SIEM solutions deliver cognitive security analytics and automation with contextual intelligence to identify significant risks.

4. Visibility Into Anomalies

According to Fidelis Security, 83 percent of SOCs triage less than half of the alerts received each day. This may be due in part to too much time spent chasing false alerts; manual research processes can yield false positive rates of 70 percent or higher.

Organizations can identify user risks and suspicious behavior by investing in behavioral analytics that provide at-a-glance visibility into anomalies.

5. User Authentication

As the enterprise pursues digital transformation, a smarter approach to identity is the new perimeter. While just 67 percent of respondents are currently comfortable using biometrics and other advanced forms of authentication, according to “The Future of Identity,” 87 percent believe they’ll be comfortable in the future.

With cloud-based multifactor authentication, organizations can simplify and scale a checkbox approach to authentication policies across web and mobile applications, including risk-based approaches to user access and biometric authentication methods.

Closing the Gap on Enterprise Threats

Enterprises are spending more than ever on security solutions. However, industry surveys and breach rates show that standalone tools aren’t providing meaningful protection against sophisticated threats.

As the threat landscape continues to evolve, organizations need an integrated ecosystem of solutions that provide visibility into internal and external risks. By continuously aligning systems, policies and people, security teams can improve the accuracy and speed of threat investigations and minimize the risks of advanced threats at each stage of the attack chain.



This post appeared first on Security Intelligence
Author: Rob Patey


3 Security Business Benefits From a 2018 Gartner Magic Quadrant SIEM Leader

Last week Gartner published its 2018 Magic Quadrant for Security Information and Event Management (SIEM). As in past years, the report supports the steady evolution of SIEM technology and the growing demand from customers for simple SIEM functionality with an architecture built to scale that meets both current and future use cases.

So how do we interpret from Gartner what it means to be a SIEM leader in 2018? Based on a quick dissection, the main characteristics of a leading SIEM tool are centered around innovation in early threat detection, adaptation to customer environments and strong market presence.


What Separates a SIEM Leader From the Rest of the Market?

The first element, early detection via analytics — more clearly stated as efficacy in threat detection and response — remains the centerpiece of any effective SIEM solution. Security analysts and security operations center (SOC) leaders today need to detect both known and unknown threats in real time. By applying analytics to a combination of threat intelligence, behavioral analytics and a wide variety of security monitoring data, organizations can improve both their time to detection and total alert volumes. While these two basic outcomes — reduced dwell time and fewer alerts — sound tactical, they can ultimately help security teams become less distracted and more effective at managing threats, which helps reduce business risks and liabilities and maintain a positive brand reputation.


The second element of Gartner’s definition of a leader, rapid adaptation to customer environments, is becoming a core factor in how much return on investment (ROI) customers realize and how quickly they realize it. Ad hoc content, add-on applications and flexibility in upgrading the platform are all required to mature a SIEM system in an affordable way once it’s installed.

Also included in this element is the ability to scale the platform in terms of both network coverage and security capabilities. By using out-of-the-box content to automate and streamline more security workflows, organizations can better combat challenges related to the shortage of skills and headcount and better enable the business to adopt new technologies that can help increase its competitive position.

The third element of a leading SIEM is strong market presence and easy access to services. Growth rates around the world still vary based on local security maturity, regulations and specific geographic needs. Customers are looking for access to local resources to help meet their unique requirements and learn lessons from a local community that has already gone through SIEM deployment. It is not uncommon for customers to first select a SIEM platform and then find a local managed service provider or systems integrator for operational support or oversight. Support for this approach provides SIEM users with multiple options to help optimize operating expenses without cutting into expertise.

Take Your SIEM Deployment to the Next Level

IBM was named a SIEM leader in the 2018 Gartner Magic Quadrant report. The IBM QRadar platform has demonstrated continuous innovation that has expanded its value, from its origins in network behavior anomaly detection to real-time threat detection to more recent developments that help automate investigations and streamline orchestrated response processes.

Unique to QRadar is the simplified approach to provide a continuous evolution of use cases and deployment options via optimized content packs, easily downloadable apps from IBM Security App Exchange and flexible deployment options that support organizations regardless of where they are on their cloud journey.

Market presence also contributed to IBM’s leadership; a community of thousands of customers worldwide, a strong business partner network and a wealth of services options allows QRadar customers to easily find knowledgeable local resources that can help them maintain and scale their platform.

To learn more about Gartner’s full review of QRadar, SIEM market trends and vendor evaluation criteria, download your complimentary copy of the 2018 Gartner Magic Quadrant for SIEM. We also invite you to register for our upcoming webinar, “Stay Ahead of Threat Detection & Response with a Scalable SIEM Platform.” The webinar will take place Dec. 18 at 11 a.m. ET and will be available to watch on-demand thereafter.


Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post 3 Security Business Benefits From a 2018 Gartner Magic Quadrant SIEM Leader appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: John Burnham

Application Security, Compliance, Data Breach, Data Loss Prevention (DLP), Data Management, Data Privacy, Data Protection, Data Security, General Data Protection Regulation (GDPR), Personal Data, privacy regulations, Risk, Risk Management, Security Information and Event Management (SIEM), Sensitive Data,

A New Privacy Frontier: Protect Your Organization’s Gold With These 5 Data Risk Management Tips

This is the third and final blog in a series about the new digital frontier for data risk management. For the full picture, be sure to read part 1 and part 2.

Mining customer information for valuable nuggets that enable new business opportunities gets riskier by the day — not only because cyberthieves constantly find new ways to steal that gold, but also due to the growing number of privacy regulations for corporations that handle increasingly valuable data.

The enactment of the European Union (EU)’s General Data Protection Regulation (GDPR) in May of this year was just the start. Beginning in early 2020, the California Consumer Privacy Act of 2018 (CCPA) will fundamentally change the way businesses manage the personal information they collect from California residents. Among other changes, organizations will find a much broader definition of personal information in the CCPA compared to other state data breach regulations. Pundits expect this legislation to be followed by a wave of additional data privacy laws aimed at shoring up consumers’ online privacy.

One major factor behind these new regulations is the widely perceived mishandling of personal information, whether intentionally or unintentionally as a result of a serious data breach perpetrated by cybercriminals or malicious insiders.

Taming the Wild West With New Privacy Laws

The first GDPR enforcement action happened in September, when the U.K. Information Commissioner’s Office charged Canadian data analytics firm AggregateIQ with violating the GDPR in its handling of personal data for U.K. political organizations. This action highlights the consequences that come with GDPR enforcement beyond the regulation’s potential penalty of up to 20 million euros, or 4 percent of a company’s annual revenues worldwide, whichever is higher. It can also require the violator to cease processing the personal information of affected EU citizens.

Although the CCPA does not take effect until January 2020, companies that handle the personal information of Californians will need to begin keeping records no later than January 2019 to comply with the new mandate, thanks to a 12-month look-back requirement. The act calls for new transparency and disclosure processes to address consumer rights, including the ability to opt in and out, access and erase personal data, and prevent its sale. It applies to most organizations that handle the data of California residents, even if the business does not reside in the state, and greatly expands the definition of personal information to include IP addresses, geolocation data, internet activity, households, devices and more.

While it’s called the Consumer Privacy Act, it really applies to any resident, whether they are a consumer, employee or business contact. There may still be corrections or clarifications to come for the CCPA — possibly including some exclusions for smaller organizations as well as health and financial information — but the basic tenets are expected to hold.


Potential Civil Lawsuits and Statutory Penalties

The operational impact of these new regulations will be significant for businesses. For example, unlike other regulations, companies will be required to give consumers a “do not sell” button at the point of collecting personal information. Companies will also be required to include at least two methods to submit requests, including a toll-free number, in their privacy statements.

The cost of failure to comply with data privacy regulations is steep. Organizations could face the prospect of civil penalties levied by the attorney general, from $2,500 for each unintentional violation up to $7,500 for each intentional violation, with no upper limit. Consumers can also sue organizations that fail to implement and maintain reasonable security procedures and practices and receive statutory payments between $100 and $750 per California resident and incident or actual damages, whichever is greater. As one of the most populous states in the nation, representing the fifth-largest economy in the world, a major breach affecting California residents could be disastrous.

5 Tips to Help Protect Your Claim

The need to comply with data privacy regulations has obviously taken on greater urgency. To do it effectively requires a holistic approach, rather than one-off efforts aimed at each specific set of regulations. Organizations need a comprehensive program that spans multiple units, disciplines and departments. Creating such a program can be a daunting, multiyear effort for larger organizations, one that requires leadership from the executive suite to be successful. The following five tips can help guide a coordinated effort to comply with data privacy regulations.

1. Locate All Personal and Sensitive Data

This information is not just locked up in a well-secured, centralized database. It exists in a variety of formats, endpoints and applications as both structured and unstructured data. It is handled in a range of systems, from human resources (HR) to customer relationship management (CRM), and even in transactional systems if they contain personally identifiable data.

Determining where this information exists and its usage, purpose and business context will require the help of the owners or custodians of the sensitive data. This phase can take a significant amount of time to complete, so take advantage of available tools to help discover sensitive data.

2. Assess Your Security Controls

Once personal data is identified, stakeholders involved in creating a risk management program must assess the security controls applied to that data to learn whether they are adequate and up-to-date. As part of this activity, it is crucial to proactively conduct threshold assessments to determine whether the business and operating units are under the purview of the CCPA.

At the same time, it’s important to assess how personal information is handled and by whom to determine whether processes for manipulating the data need to change and whether the access rights of data handlers are appropriate.

3. Collaborate Across the Enterprise

Managing data risk is a team effort that requires collaboration across multiple groups within the organization. The tasks listed here require the involvement of data owners, line-of-business managers, IT operations and security professionals, top executives, legal, HR, marketing, and even finance teams. Coordination is required between data owners and custodians, who must establish appropriate policies for who can access data, how it should be handled, the legal basis for processing, where it should be stored, and how IT security professionals should be responsible for enforcing those policies.

4. Communicate With Business Leaders

Effectively communicating data risk, including whether existing controls are adequate or require additional resources and how effectively the organization is protecting customer and other sensitive data, requires a common language that can be understood by business executives. Traditional IT security performance metrics, such as block rates, vulnerabilities patched and so on, don’t convey what the real business risks are to C-level executives or board members. It’s critical to use the language of risk and convey data security metrics in the context of the business.

5. Develop a Remediation Plan

Once the business’s compliance posture with the CCPA is assessed, organizations should develop risk remediation plans that account for all the processes that need to change and all the relevant stakeholders involved in executing the plan.

Such a plan should include a map of all relevant personal information that takes into account where the data is stored, how it is used and what controls around that data need to be updated. It should also describe how the organization will safely enable access, deletion and portability requests of California residents, as well as process opt-out requests for sharing their data.

Automate Your Data Risk Management Program

Thankfully, there are tools available to help automate some of the steps required in developing and maintaining a holistic data risk management initiative. Useful data from security information and event management (SIEM), data loss prevention (DLP), application security, and other IT tools can be combined with advanced integration platforms to streamline efforts.

Privacy mandates such as the GDPR and the CCPA are just the start; a California-style gold rush of data privacy regulations is on the horizon. Countries such as Brazil and India are already at work on new data privacy laws. A comprehensive data risk management program established before more regulations go into effect is well worth its weight in gold.


The post A New Privacy Frontier: Protect Your Organization’s Gold With These 5 Data Risk Management Tips appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Paula Musich

Data Exfiltration, Distributed Denial-of-Service (DDoS) Attacks, DNS Hijacking, Domain Name System (DNS), Incident Response (IR), Indicator of Compromise (IoC), Malware, Network Security, Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), Threat Detection, Threat Intelligence, Threat Prevention,

5 Tips for Uncovering Hidden Cyberthreats with DNS Analytics

The internet has fueled growth opportunities for enterprises by allowing them to establish an online presence, communicate with customers, process transactions and provide support, among other benefits. But it’s a double-edged sword: A cyberattack that compromises these business advantages can easily result in significant losses of money, customers, credibility and reputation, and increases the risk of completely going out of business. That’s why it’s critical to have a cybersecurity strategy in place to protect your enterprise from attackers that exploit internet vulnerabilities.

How DNS Analytics Can Boost Your Defense

The Domain Name System (DNS) is one of the foundational components of the internet that malicious actors commonly exploit and use to deploy and control their attack framework. The internet relies on this system to translate names, known as Uniform Resource Locators (URLs), into numbers, known as Internet Protocol (IP) addresses. Giving each IP a unique identifier allows computers and devices to send and receive information across networks. However, DNS also opens the door for opportunistic cyberattackers to infiltrate networks and access sensitive information.

Here are five tips to help you uncover hidden cyberthreats and protect your enterprise with DNS analytics.

1. Think Like an Attacker to Defend Your Enterprise

To protect the key assets of your enterprise and allocate sufficient resources to defend them, you must understand why a threat actor would be interested in attacking your organization. Attacker motivations can vary depending on the industry and geography of your enterprise, but the typical drivers are political and ideological differences, fame and recognition, and the opportunity to make money.

When it comes to DNS, bad actors have a vast arsenal of weapons they can utilize. Some of the most common methods of attack to anticipate are distributed denial-of-service (DDoS) attacks, DNS data exfiltration, cache poisoning and fast fluxing. As enterprises increase their security spending, cyberattacks become more innovative and sophisticated, including novel ways to abuse the DNS protocol. Malware continues to be the preferred method of threat actors, and domain generation algorithms (DGAs) are still widely used, but even that method has evolved to avoid detection.

2. Make DNS Monitoring a Habit

Passive DNS data is important because it is unlikely that a new network connection doesn’t have an associated DNS lookup. It also means that if you collect DNS data correctly, you can see most of the network activity in your environment. A more interesting subject is what we can do with this data to create more local security insights. Even though it is not hard to bypass DNS lookup, such network connections are suspicious and easy to detect.

3. Understand Communication and Traffic Patterns

Attackers leverage the DNS protocol in various ways — some of which are way ahead of our detection tools — however, there are always anomalies that we can observe in the DNS request sent out by endpoints. DNS traffic patterns vary by enterprise, so understanding what the normal pattern for your organization is will enable you to spot pattern anomalies easily.

A robust, secure system should be able to detect exfiltration via DNS tunneling software, which is not as easy as it sounds because tunneling and exfiltration have different communication patterns. DNS tunneling software communication is reliable and frequent, the flow is bidirectional, and it is typically long. On the other hand, DNS exfiltration communication is opportunistic and unexpected, and possibly unidirectional since attackers are looking for the right moment to sneak out valuable data.

4. Get the Right Tools in Place

When analyzing which tools are the best to protect your organization against attacks leveraging DNS, consider what assets you want to protect and the outcomes you would like your analysts to achieve. There are many tools that can be pieced together to create a solution depending on your goals, such as firewalls, traffic analyzers and intrusion detection systems (IDSs).

To enhance the day-to-day activities of your security operations center (SOC), enable your team to conduct comprehensive analysis on domain activity and assign an appropriate risk rating, your SOC analysts should take advantage of threat intelligence feeds. These feeds empower analysts to understand the tactics, techniques and procedures (TTPs) of attackers and provide them with a list of malicious domains to block or alert on their security system. When this information is correlated with internal enterprise information through a security information and event management (SIEM) platform, analysts have full visibility to detect or anticipate ongoing attacks.

5. Be Proactive and Go Threat Hunting

Technology is a very useful tool that allows us to automate processes and alerts us of suspicious activity within our networks — but it is not perfect. Threat hunting can complement and strengthen your defense strategy by proactively searching for indicators of compromise (IoC) that traditional detection tools might miss. To succeed at threat hunting, you must define a baseline within your environment and then define the anomalies that you are going to look for.

A standard method for threat hunting is searching for unusual and unknown DNS requests, which can catch intruders that have already infiltrated your system as well as would-be intruders. Some indicators of abnormal DNS requests include the number of NXDOMAIN records received by an endpoint, the number of queries an endpoint sends out and new query patterns. If you identify a potential threat, an incident response (IR) team can help resolve and remediate the situation by analyzing the data.
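The baseline-then-anomaly approach from tips 3 and 5, as an added example that is not code from the article or from any product it names: it builds a per-endpoint baseline from a quiet window of DNS query logs and then flags endpoints in a hunt window on the three indicators named above (NXDOMAIN count, query volume, new query patterns). The log format, the log lines and the thresholds are constructed assumptions for the example.

```python
"""Baseline-then-anomaly hunting over DNS query logs (added example, not the
article's code). Covers the three tip-5 indicators: per-endpoint NXDOMAIN
counts, per-endpoint query volume and new query patterns, each compared with a
baseline built from a quiet window. Log format and lines are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log format (an assumption): "<ts> <client_ip> <qname> <rcode>"
BASELINE_LOG = """\
1 10.0.0.5 www.example.com NOERROR
2 10.0.0.5 cdn.example.net NOERROR
3 10.0.0.7 www.example.com NOERROR
4 10.0.0.7 typo.examp1e.com NXDOMAIN
"""

# Hunt window: 10.0.0.5 is unchanged, 10.0.0.7 bursts DGA-style lookups that
# all fail, 10.0.0.9 is a new endpoint talking to domains never seen before.
HUNT_LOG = """\
10 10.0.0.5 www.example.com NOERROR
11 10.0.0.5 cdn.example.net NOERROR
12 10.0.0.7 a1f9kz0qx.example-dga.biz NXDOMAIN
13 10.0.0.7 q8zr2mvb1.example-dga.biz NXDOMAIN
14 10.0.0.7 www.example.com NOERROR
15 10.0.0.7 zz71ppd0k.example-dga.biz NXDOMAIN
16 10.0.0.7 m3k1vvx0a.example-dga.biz NXDOMAIN
17 10.0.0.7 p0qqz19ke.example-dga.biz NXDOMAIN
18 10.0.0.7 k81mzq0vv.example-dga.biz NXDOMAIN
19 10.0.0.9 www.example.com NOERROR
20 10.0.0.9 files.unseen-share.test NOERROR
21 10.0.0.9 api.unseen-beacon.test NOERROR
"""


@dataclass
class EndpointStats:
    queries: int = 0
    nxdomain: int = 0
    domains: set = field(default_factory=set)

    @property
    def nx_ratio(self) -> float:
        return self.nxdomain / self.queries if self.queries else 0.0


def base_domain(qname: str) -> str:
    """Collapse a name to its last two labels so a burst of random subdomains
    counts as one pattern. Assumes two-label suffixes, fine for the sample."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> dict:
    """Aggregate per-endpoint query count, NXDOMAIN count and base domains."""
    stats = defaultdict(EndpointStats)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the hunt
        _ts, client, qname, rcode = parts
        s = stats[client]
        s.queries += 1
        if rcode == "NXDOMAIN":
            s.nxdomain += 1
        s.domains.add(base_domain(qname))
    return dict(stats)


def hunt(baseline_text: str, hunt_text: str, volume_factor: float = 3.0,
         nx_ratio_delta: float = 0.3, min_new_domains: int = 2) -> dict:
    """Return {client_ip: [(indicator, detail), ...]} for endpoints whose hunt
    window deviates from the baseline. Thresholds are illustrative; tune them
    to the organization's own normal pattern."""
    baseline = parse_log(baseline_text)
    current = parse_log(hunt_text)
    # Volume reference: the busiest endpoint seen during the baseline window.
    max_baseline = max((s.queries for s in baseline.values()), default=0)
    known_domains = set()
    for s in baseline.values():
        known_domains |= s.domains
    findings = defaultdict(list)
    for client, s in current.items():
        ref = baseline.get(client, EndpointStats())
        if s.queries > volume_factor * max(max_baseline, 1):
            findings[client].append(
                ("volume", f"{s.queries} queries vs baseline max {max_baseline}"))
        if s.nxdomain >= 2 and s.nx_ratio - ref.nx_ratio > nx_ratio_delta:
            findings[client].append(
                ("nxdomain", f"{s.nxdomain}/{s.queries} lookups failed "
                             f"(baseline ratio {ref.nx_ratio:.2f})"))
        new_domains = sorted(s.domains - known_domains)
        if len(new_domains) >= min_new_domains:
            findings[client].append(
                ("new_pattern", "never-seen domains: " + ", ".join(new_domains)))
    return dict(findings)


if __name__ == "__main__":
    for client, items in hunt(BASELINE_LOG, HUNT_LOG).items():
        for indicator, detail in items:
            print(f"{client}  {indicator:<12}{detail}")
```

Running the hunt window against the baseline flags 10.0.0.7 on volume and NXDOMAIN ratio and 10.0.0.9 on new query patterns, while the unchanged 10.0.0.5 produces no finding.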

Learn More

Every organization is unique, but by understanding the basics of DNS analytics, the common methods of attack and the tools available to security teams, you will be better prepared to protect your enterprise from hidden cyberthreats.

We invite you to attend a live webinar at 11 a.m. ET on Dec. 11 (and available on-demand thereafter) to learn even more about DNS threat hunting.


The post 5 Tips for Uncovering Hidden Cyberthreats with DNS Analytics appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Paola Miranda

Artificial Intelligence (AI), Log Management, Network Security, Risk Management, Security Analytics, Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), Threat Detection, Threat Intelligence, Threat Response, User Behavior Analytics (UBA),

Why User Behavior Analytics Is an Application, Not a Cybersecurity Platform

Last year, a cybersecurity manager at a bank near me brought in a user behavior analytics (UBA) solution based on a vendor’s pitch that UBA was the next generation of security analytics. The company had been using a security information and event management (SIEM) tool to monitor its systems and networks, but abandoned it in favor of UBA, which promised a simpler approach powered by artificial intelligence (AI).

One year later, that security manager was looking for a job. Sure, the UBA package did a good job of telling him what his users were doing on the network, but it didn’t do a very good job of telling him about threats that didn’t involve abnormal behavior. I can only speculate about what triggered his departure, but my guess is it wasn’t pretty.

UBA hit the peak of the Gartner hype cycle last year around the same time as AI. The timing isn’t surprising given that many UBA vendors tout their use of machine learning to detect anomalies in log data. UBA is a good application of SIEM, but it isn’t a replacement for it. In fact, UBA is more accurately described as a cybersecurity application that rides on top of SIEM — but you wouldn’t know that the way it’s sometimes marketed.

User Behavior Analytics Versus Security Information and Event Management

While SIEM and UBA do have some similar features, they perform very different functions. Most SIEM offerings are essentially log management tools that help security operators make sense of a deluge of information. They are a necessary foundation for targeted analysis.

UBA is a set of algorithms that analyze log activity to spot abnormal behavior, such as repeated login attempts from a single IP address or large file downloads. Buried in gigabytes of data, these patterns are easy for humans to miss. UBA can help security teams combat insider threats, brute-force attacks, account takeovers and data loss.

UBA applications require data from an SIEM tool and may include basic log management features, but they aren’t a replacement for a general-purpose SIEM solution. In fact, if your SIEM system has anomaly detection capabilities or can identify whether user access activity matches typical behavior based on the user’s role, you may already have UBA.

Part of the confusion comes from the fact that, although SIEM has been around for a long time, there is no one set of standard features. Many systems are only capable of rule-based alerting or limited to canned rules. If you don’t have a rule for a new threat, you won’t be alerted to it.

Analytical applications such as UBA are intended to address certain types of cybersecurity threat detection and remediation. Choosing point applications without a unified log manager creates silos of data and taxes your security operations center (SOC), which is probably short-staffed to begin with. Many UBA solutions also require the use of software agents, which is something every IT organization would like to avoid.

Start With a Well-Rounded SIEM Solution

A robust, well-rounded SIEM solution should cross-correlate log data, threat intelligence feeds, geolocation coordinates, vulnerability scan data, and both internal and external user activity. When combined with rule-based alerts, an SIEM tool alone is sufficient for many organizations. Applications such as UBA can be added on top for more robust reporting.

Gartner’s latest “Market Guide for User and Entity Behavior Analytics” forecast significant disruption in the market. Noting that the technology is headed downward into Gartner’s “Trough of Disillusionment,” researchers explained that some pure-play UBA vendors “are now focusing their route to market strategy on embedding their core technology in other vendors’ more traditional security solutions.”

In my view, that’s where it belongs. User behavior analytics is a great technology for identifying insider threats, but that’s a use case, not a security platform. A robust SIEM tool gives you a great foundation for protection and options to grow as your needs demand.

The post Why User Behavior Analytics Is an Application, Not a Cybersecurity Platform appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Richard P. Gingras

Automation, Compliance, Data Protection, Endpoint, Endpoint Management, Endpoint Security, Endpoint Security Solutions, Integrated Security, Patch Management, Security Information and Event Management (SIEM), Vulnerabilities, Vulnerability Management,

How to Reduce Hidden Endpoint Management Costs and Increase Efficiency

This is the second blog in a two-part series about the hidden costs of endpoint management and how to avoid them. Be sure to read part 1 for the full story.

We all want faster, better endpoint management solutions at a reduced cost — but how? In part one of this series, we broke down the SANS Institute report, “Understanding the (True) Costs of Endpoint Management,” and identified the top five factors that increase endpoint management costs, from an overabundance of tools to deficient compliance enforcement.

Now that we’ve acknowledged these challenges, how can security teams address and overcome them? The good news is that there’s no big secret; it simply comes down to following well-established security best practices. Let’s dive into some steps you can follow to avoid these incremental expenses while also reducing complexity and improving agility.

Consolidate the Number of Endpoint Management Tools in Use

Begin by evaluating your current tools: If they don’t help you reduce hidden costs, consider alternative solutions. Too many tools can impact agility and cause slowdowns within the endpoint management process. As analysts and administrators have to sift through more data and dashboards, the ability to effectively manage endpoints becomes more complex, subject to inaccuracies, and susceptible to response delays and other inefficiencies.

Let’s face it: It’s hard to manage multiple tools. To avoid these incremental expenses, consolidate the number of tools your organization uses with a single endpoint management solution across all operating systems (OSs). A single solution saves time and effort because you only have to go to one dashboard to determine how many endpoints are at risk or push patches.

Consolidation also reduces infrastructure costs, because you won’t need as many management servers, or the software that runs on them, to gain visibility into your endpoints, which in turn cuts software, maintenance, support and assurance spending. Finally, with fewer tools to manage, your IT staff will be able to quickly remediate threats and respond to information requests, and have more confidence in their answers.

Watch the on-demand webinar to learn more

Garner Visibility Across Your Endpoint Landscape

Access to timely, accurate endpoint information across the enterprise starts with comprehensive endpoint visibility — but it’s not always available or easy to obtain. Seeing only part of the picture is not enough, because you can’t fix what you can’t see.

Improve visibility by using a single solution that gives you the real-time information you need across all OSs throughout the enterprise. Make sure it provides up-to-date information on all endpoints, including those that are off the corporate network at the time of the query.

Next, verify the level of accuracy your endpoint security solution provides so you can be confident in your information and make sound decisions based on actual vulnerability exposure and risk.

Finally, make sure your solution provides endpoint information quickly so the data you collect is relevant and high-value. Together, these factors will enable you to effectively prioritize and respond to the most critical vulnerabilities in a timely manner.

Improve Patching Efficiency

Keeping up with the number and frequency of patching demands across mobile devices, servers and/or automated teller machines (ATMs) can be a struggle — one that is exacerbated by the sheer number of devices, OSs, dispersed locations, intermittent network connectivity and even slow bandwidth. Suboptimal first-pass patching success rates also tend to complicate things.

According to the SANS report, 68 percent of respondents had first-pass patch success rates below 90 percent, with 16 percent acknowledging rates below 60 percent and 12 percent admitting they didn’t know how successful they were on their first attempt to patch endpoints. Inefficient patching increases both costs and security risks by leaving endpoints open to attack. This impacts IT response time and consumes scarce resources.

To improve patching efficiency, follow a “build once, use many” methodology and look for a single endpoint management solution that lets you package a patch deployment once and apply it, regardless of OS, across all your endpoints simultaneously, including those off the corporate network or in locations with low bandwidth. Use a tool with as few patch dependencies as possible to further improve efficiency. The fewer the dependencies, the fewer things that can go wrong, and the more stable your patch agents and efforts will be in the long term.

Patch verification is another way to improve efficiency. Use a tool that does not stop at checking whether a patch reports as installed, but inspects the endpoint to confirm that the files the patch was supposed to replace actually changed. For example, was the dynamic-link library (DLL) that carries the vulnerable code updated, and is it now at or above the version the patch delivers? A patch that reports success while the old DLL is still on disk is a first-pass failure that an installed/not-installed view will hide.
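The verification step described above, as an added example for this article (not code from the post or from any endpoint management product). It compares the on-disk version of the file a patch was meant to replace against the version the patch should deliver, and separates “agent says installed” from “file is actually fixed”. The endpoint records, the file name and the required version are constructed for illustration.

```python
"""Verify that a patch actually fixed what it was supposed to, not just that the
agent reported it installed. Added example for this article; not code from the
post or from any endpoint management product. The endpoint records, the file
name and the required version below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """'10.0.19041.1234' -> (10, 0, 19041, 1234). Compare numerically: as strings,
    '10.0.19041.985' would sort *above* '10.0.19041.1234' and hide an unpatched file."""
    return tuple(int(part) for part in v.strip().split("."))


def version_at_least(observed: str, required: str) -> bool:
    """True if observed >= required, treating missing trailing components as 0."""
    o, r = parse_version(observed), parse_version(required)
    width = max(len(o), len(r))
    o += (0,) * (width - len(o))
    r += (0,) * (width - len(r))
    return o >= r


@dataclass
class EndpointRecord:
    host: str
    agent_reports_installed: bool         # what the patch agent claims
    observed_file_version: Optional[str]  # on-disk version of the fixed file; None = file not found


# Hypothetical patch: must bring example.dll to at least this version.
REQUIRED_FILE_VERSION = "10.0.19041.1234"


def verify(rec: EndpointRecord, required: str = REQUIRED_FILE_VERSION) -> str:
    """Classify the real remediation state of one endpoint.

    remediated    - file on disk meets the required version, whatever the agent says
    reported_only - agent claims success but the old file is still there (first-pass failure)
    pending       - not installed and file still old
    file_missing  - nothing to inspect; needs manual triage
    """
    if rec.observed_file_version is None:
        return "file_missing"
    if version_at_least(rec.observed_file_version, required):
        return "remediated"
    return "reported_only" if rec.agent_reports_installed else "pending"


def summarize(records, required: str = REQUIRED_FILE_VERSION) -> dict:
    """Counts per state plus two success rates: what the agent reports vs. what the
    file inspection proves. The gap between them is the hidden first-pass failure."""
    counts: dict = {}
    for rec in records:
        state = verify(rec, required)
        counts[state] = counts.get(state, 0) + 1
    total = len(records)
    reported = sum(1 for r in records if r.agent_reports_installed)
    return {
        "counts": counts,
        "reported_success_rate": reported / total if total else 0.0,
        "verified_success_rate": counts.get("remediated", 0) / total if total else 0.0,
    }


# Constructed inventory: what a fleet might look like after one deployment pass.
SAMPLE_RECORDS = [
    EndpointRecord("ws-01", True, "10.0.19041.1234"),    # patched as reported
    EndpointRecord("ws-02", True, "10.0.19041.985"),     # agent says installed, DLL still old
    EndpointRecord("ws-03", False, "10.0.19041.900"),    # never reached (offline / low bandwidth)
    EndpointRecord("ws-04", True, None),                 # file not found: triage
    EndpointRecord("srv-01", False, "10.0.19041.1300"),  # already fixed by a later build
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec.host:8s} {verify(rec)}")
    print(summarize(SAMPLE_RECORDS))
```

On the constructed fleet the agent reports a 60 percent success rate while the file inspection proves only 40 percent; the “reported_only” host is exactly the case the article warns about, and the numeric version compare is what stops a string comparison from mis-ranking build 985 above build 1234.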

Drive Consistent Compliance Throughout the Enterprise

IT and security teams want to execute their company’s security mission, improve its security posture, and adhere to regulatory and corporate mandates. But achieving a steady state of compliance can sometimes be challenging.

To better enforce compliance and consistently remediate drift, use an endpoint management solution that supports relevant industry standards. Leverage prepackaged content for these standards, but also ensure that the tool can be customized for your unique environment. This will help simplify and shorten compliance efforts.

Verify that your solution actively and consistently enforces your endpoint compliance policies and make sure it automates the process of deploying or re-implementing your golden image consistently across all endpoints. In addition, use tools that can quickly and accurately verify endpoint compliance status to better understand your current attack surface and reduce risk. Finally, evaluate the reporting and trending analysis capabilities of your tool to ensure that you can adequately track compliance performance over time.
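The drift check and trending the paragraphs above call for, as an added example for this article (not code from the post or from any compliance product). It evaluates each host’s reported configuration against a golden baseline, treats a setting the agent could not read as a violation rather than a pass, and computes the compliance rate per collection run so it can be trended. The baseline settings, hosts and snapshots are constructed for illustration.

```python
"""Check endpoint configurations against a golden baseline, report drift, and
track the compliance rate across snapshots. Added example for this article; not
code from the post or from any compliance product. The baseline settings, hosts
and snapshots are constructed for illustration."""

# Golden baseline: setting -> (rule, expected). Settings are hypothetical.
BASELINE = {
    "firewall_enabled": ("equals", True),
    "disk_encryption": ("equals", "enabled"),
    "screen_lock_seconds": ("max", 900),          # auto-lock within 15 minutes
    "password_min_length": ("min", 14),
    "tls_min_version": ("one_of", {"1.2", "1.3"}),
}


def satisfies(rule: str, expected, observed) -> bool:
    """One baseline item. A setting the agent could not read (None) is a
    violation, not a pass: unknown state must never count as compliant."""
    if observed is None:
        return False
    if rule == "equals":
        return observed == expected
    if rule == "max":
        return observed <= expected
    if rule == "min":
        return observed >= expected
    if rule == "one_of":
        return observed in expected
    raise ValueError(f"unknown rule {rule!r}")


def drift(config: dict, baseline=BASELINE) -> dict:
    """setting -> (expected, observed) for every baseline item the host violates.
    Missing keys appear with observed=None so they get remediated, not ignored."""
    findings = {}
    for setting, (rule, expected) in baseline.items():
        observed = config.get(setting)
        if not satisfies(rule, expected, observed):
            findings[setting] = (expected, observed)
    return findings


def compliance_rate(snapshot: dict, baseline=BASELINE) -> float:
    """Fraction of hosts in a snapshot {host: config} with zero drift."""
    if not snapshot:
        return 0.0
    compliant = sum(1 for cfg in snapshot.values() if not drift(cfg, baseline))
    return compliant / len(snapshot)


def trend(snapshots) -> list:
    """Compliance rate per snapshot, in collection order, for trending over time."""
    return [round(compliance_rate(s), 3) for s in snapshots]


# A fully compliant configuration, used to build the constructed snapshots.
GOLDEN = {"firewall_enabled": True, "disk_encryption": "enabled",
          "screen_lock_seconds": 600, "password_min_length": 14, "tls_min_version": "1.2"}

# Constructed snapshots from two collection runs.
SNAPSHOT_DAY1 = {
    "ws-01": dict(GOLDEN),
    "ws-02": {**GOLDEN, "firewall_enabled": False, "screen_lock_seconds": 3600},
    "srv-01": {k: v for k, v in GOLDEN.items() if k != "disk_encryption"},  # key not reported
}
SNAPSHOT_DAY2 = {
    "ws-01": dict(GOLDEN),
    "ws-02": dict(GOLDEN),              # remediated
    "srv-01": SNAPSHOT_DAY1["srv-01"],  # still drifting
}

if __name__ == "__main__":
    for host, cfg in SNAPSHOT_DAY1.items():
        print(host, drift(cfg) or "compliant")
    print("trend:", trend([SNAPSHOT_DAY1, SNAPSHOT_DAY2]))
```

The drift dictionary is what a remediation job consumes (expected value beside observed value, per setting), and the trend list is what a compliance dashboard plots; note that “srv-01” never becomes compliant because the encryption setting is absent from its report, which is the right outcome until someone confirms the real state of that disk.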

Automate and Integrate Endpoint Management and Security Tools

Let’s not forget about the importance of integration and automation. IT infrastructure and security teams have different responsibilities, are typically siloed and use different, nonintegrated tools. Over time, most organizations purchase multiple point products to address multiple emerging threats.

Security teams are typically responsible for identifying endpoint vulnerabilities and prioritizing remediation efforts, but they usually can’t make changes on endpoints and often don’t have the visibility to make well-informed decisions. On the other side, infrastructure teams, who are tasked with making changes on endpoints, can be overwhelmed by the number of tools and endpoints and the constant volume of required changes. Additionally, these teams often lack insight into risk rankings, so it’s hard to prioritize activities such as patching. This exacerbates the lack of visibility, inefficient processes, sporadic endpoint hygiene and inconsistent compliance problems we’ve previously outlined, and can also delay your ability to respond to potential threats and active attacks.

So where do you begin? Look for an endpoint security solution that enables automated and repeatable processes across OSs. Leverage a tool that enables you to build once and use many times, so you don’t have to re-engineer multiple times for different tools and OSs. Different tools provide data in different formats, which can impact your ability to quickly and accurately collate meaningful information and share data between systems. An endpoint management tool should support industry-standard application programming interfaces (APIs) such as Simple Object Access Protocol (SOAP) and Representational State Transfer (REST). This will enable easier, faster data collation and sharing since the data will be available in compatible formats and require less engineering effort to reformat into a common data set.

If you need custom integration work, understand the level of effort needed to share endpoint data with other applications. For example, does your existing tool incorporate common vulnerability information so you can evaluate and prioritize where to start when it comes to patching? How easily does your endpoint data integrate with your configuration management database (CMDB)?

If you are going down the custom integration path, start with integrations between your security information and event management (SIEM) and endpoint management tools. This will enable your security teams to have the visibility they need to assess endpoint vulnerability risk and prioritize patching for your operations teams. It will also reduce your attack surface and help ensure that your teams focus on the most important security risks first.
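The SIEM-to-endpoint correlation described above, as an added example for this article (not code from the post, from any SIEM or endpoint product, or any vendor’s API format). It takes three sources in three different shapes, a JSON vulnerability export keyed by FQDN, SIEM alert lines keyed by source IP, and a CMDB that maps IPs to short hostnames, normalizes them to one key, and ranks hosts so that a critical open vulnerability on a machine the SIEM is already alerting on goes to the top. The export, the alert lines, the CMDB mapping, the vulnerability ids and the scoring rule are all constructed for illustration.

```python
"""Join an endpoint tool's vulnerability export with SIEM alerts so that patching
is prioritized by both exposure and observed attacker interest. Added example for
this article; not code from the post or from any SIEM or endpoint product, and
not any vendor's API format. The JSON export, the alert lines, the CMDB mapping,
the vulnerability ids and the scoring rule are all constructed for illustration."""
import json
from collections import defaultdict

# Constructed endpoint-management export (what a REST endpoint might return as JSON).
# Hosts are FQDNs with mixed case, as tools often emit them.
ENDPOINT_EXPORT = json.dumps([
    {"hostname": "WS-01.corp.example", "open_vulns": [{"id": "vuln-A", "cvss": 9.8}]},
    {"hostname": "WS-02.corp.example", "open_vulns": [{"id": "vuln-A", "cvss": 9.8}]},
    {"hostname": "SRV-DB-01.corp.example", "open_vulns": [{"id": "vuln-B", "cvss": 7.5},
                                                          {"id": "vuln-C", "cvss": 4.3}]},
    {"hostname": "WS-03.corp.example", "open_vulns": []},
])

# Constructed SIEM export: one alert per line, "timestamp,source_ip,rule_name".
SIEM_ALERT_LINES = [
    "2024-01-10T09:12:03Z,10.1.2.15,Suspicious PowerShell encoded command",
    "2024-01-10T09:14:41Z,10.1.2.15,Outbound connection to known C2",
    "2024-01-10T10:02:17Z,10.1.5.20,Brute-force logon attempts",
    "2024-01-10T10:30:00Z,10.9.9.9,Port scan",          # not in the CMDB
]

# Constructed CMDB: IP address -> short hostname (a different format again).
CMDB_IP_TO_HOST = {"10.1.2.15": "ws-01", "10.1.5.20": "srv-db-01", "10.1.2.16": "ws-02"}


def normalize_host(name: str) -> str:
    """Common key for all three data sources: lower-case short name."""
    return name.strip().lower().split(".")[0]


def parse_endpoint_export(raw_json: str) -> dict:
    """host -> highest open CVSS score (0.0 when nothing is open)."""
    worst = {}
    for rec in json.loads(raw_json):
        scores = [v["cvss"] for v in rec["open_vulns"]]
        worst[normalize_host(rec["hostname"])] = max(scores) if scores else 0.0
    return worst


def parse_siem_alerts(lines, cmdb) -> tuple:
    """Returns (host -> alert count, [unmapped IPs]). IPs the CMDB cannot resolve
    are returned separately rather than silently dropped: an unknown asset firing
    alerts is itself a visibility gap worth a ticket."""
    counts = defaultdict(int)
    unmapped = []
    for line in lines:
        _ts, ip, _rule = line.split(",", 2)
        host = cmdb.get(ip.strip())
        if host is None:
            unmapped.append(ip.strip())
        else:
            counts[normalize_host(host)] += 1
    return dict(counts), unmapped


def prioritize(raw_json: str, alert_lines, cmdb) -> tuple:
    """Rank hosts with open vulnerabilities. Scoring rule (an assumption, not a
    standard): worst CVSS times (1 + alerts seen), so a critical vuln on a host the
    SIEM is already alerting on outranks the same vuln on a quiet host; hosts with
    nothing open are skipped. Returns (ranked rows, unmapped IPs)."""
    worst = parse_endpoint_export(raw_json)
    alerts, unmapped = parse_siem_alerts(alert_lines, cmdb)
    ranked = []
    for host, cvss in worst.items():
        if cvss == 0.0:
            continue
        n_alerts = alerts.get(host, 0)
        score = round(cvss * (1 + n_alerts), 1)
        ranked.append((host, score, cvss, n_alerts))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked, unmapped


if __name__ == "__main__":
    ranked, unmapped = prioritize(ENDPOINT_EXPORT, SIEM_ALERT_LINES, CMDB_IP_TO_HOST)
    for host, score, cvss, n_alerts in ranked:
        print(f"{host:10s} score={score:5.1f}  worst_cvss={cvss}  siem_alerts={n_alerts}")
    print("alerting IPs with no CMDB entry:", unmapped)
```

Two hosts here carry the same critical vulnerability, but only one of them is generating SIEM alerts, and the ranking puts that one first, ahead of a database server with a lower-scored vulnerability that is also under attack. The multiplier is deliberately simple; the point is the normalization step, without which the three sources cannot be joined at all, and the explicit list of alerting IPs the CMDB knows nothing about.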

Reduce Costs With the Right Endpoint Management Solution

Endpoint management comes with its fair share of hidden, inherent costs. To reduce these costs, look for solutions with discovery capabilities that enable fast, accurate and comprehensive visibility into your endpoint landscape, regardless of whether endpoints are connected to a network. Regularly evaluate your endpoint management capabilities and consider options that enable you to consolidate tools and increase efficiency. Finally, look for an endpoint management solution that enhances security by constantly monitoring and enforcing security and compliance policies across all your endpoints.


The post How to Reduce Hidden Endpoint Management Costs and Increase Efficiency appeared first on Security Intelligence.

Author: Teresa Worth