Security Information and Event Management (SIEM)

Hunting for the True Meaning of Threat Hunting at RSAC 2019

After my first-ever RSA Conference experience, I returned to Boston with a lot of takeaways — not to mention a week’s worth of new socks, thanks to generous vendors that had a more functional swag approach than most. I spent the majority of my time at RSAC 2019 at the Master Threat Hunting kiosk within the broader IBM Security booth, where I told anyone who wanted to listen about how we use methodologies and tools from the military and intelligence communities to fight cyberthreats in the private sector. When I wasn’t at the booth, I was scouring the show floor on a hunt of my own — a hunt for the true meaning of threat hunting.

Don’t Believe the Hype: 3 Common Misconceptions About Threat Hunting

At first glance, the results of my hunt seemed promising; I saw the term “threat hunting” plastered all over many of the vendors’ booths. Wanting to learn more, I spoke with the booth personnel about their threat hunting solutions, gathered a stack of marketing one-pagers and continued on my separate hunt for free socks and stress balls.

After digesting the information from booth staff and digging into the marketing materials from the myriad vendors, I was saddened to learn that threat hunting is becoming a full-blown buzzword.

Let’s be honest: “Threat hunting” certainly has a cool ring to it that draws people in and makes them want to learn more. However, it’s important not to lose sight of the fact that threat hunting is an actual approach to cyber investigations that has been around since long before marketers started using it as a hook.

Below are three of the most notable misconceptions about threat hunting I witnessed as I prowled around the show floor at RSAC 2019.

1. Threat Hunting Should Be Fully Automated

In general, automation is great; I love automating parts of my life to save time and to make things easier. However, there are some things that can’t be fully automated — or shouldn’t be, at least not yet. Threat hunting is one of those things.

While automation can be used within various threat hunting tools, it is still a very manual, human-led process to proactively (and reactively) hunt for unknown threats in your network that may have avoided your rules-based detection solutions. Threat hunting methodologies were derived from the counterterrorism community and repurposed for cybersecurity. There’s a reason why we don’t fully automate counterterrorism analysis, and the same applies to cyber.

2. Threat Hunting and EDR Are One and the Same

This was the most common misconception I encountered while searching for threat hunting solutions at RSAC. It went something like this: I would go into a booth, ask to learn more about the vendor’s threat hunting solution and come to find that what’s actually being marketed is an endpoint detection and response (EDR) solution.

EDR is a crucial piece of threat hunting, but these products are not the only tools threat hunters use. If threat hunting was as easy as using an EDR solution to find threats, we would have a much higher success rate. The truth is that EDR solutions need to be coupled with other tools, such as threat intelligence, open-source intelligence (OSINT) and network data, and brought together in a common platform to visualize anomalies and trends in the data.

3. Threat Hunting Is Overly Complicated

All of the marketing and buzz around threat hunting has overcomplicated what it actually is. It’s not one tool, it’s not automated, it’s not an overly complicated process. It takes multiple tools and a ton of data, it is very much dependent on well-trained analysts that know what they’re looking for, and it is an investigative process just like counterterrorism and law enforcement investigations. Since cyber threat hunting mirrors these investigative techniques, threat hunters should look toward trusted tools from the national security and law enforcement sectors.

What Is the True Meaning of Cyber Threat Hunting?

Don’t get me wrong — I am thrilled that threat hunting is gaining steam and vendors are coming up with innovative solutions to contribute to the definition of threat hunting. As a former analyst, I define threat hunting as an in-depth, human-led, investigative process to discover threats to an organization. My definition may vary from most when it comes to how this is conducted, since most definitions emphasize that threat hunting is a totally proactive approach. While I absolutely agree with the importance of proactivity, there aren’t many organizations that can take a solely proactive approach to threat hunting due to constraints related to budget, training and time.

While not ideal, there is a way to hunt reactively, which is often more realistic for small and midsize organizations. For example, you could conduct a more in-depth cyber investigation to get the context around a cyber incident or alert. Some would argue that’s just incident response, not threat hunting — but it turns into threat hunting when an analyst takes an all-source intelligence approach to enrich their investigation with external sources, such as threat intelligence and social media, and other internal sources of data. This approach can show the who, what, where, when and how around the incident and inform leadership on how to take the best action. The context can be used to retrain the rules-based systems and build investigative baselines for future analysis.

The Definition of Threat Hunting Is Evolving

Cyber threat hunting tools come in all shapes and sizes, but the most advanced tools allow you to reactively and proactively investigate threats by bringing all your internal and external data into one platform. By fusing internal security information and event management (SIEM) data, internal records, access logs and more with external data feeds, cyber threat hunters can identify trends and anomalies in the data and turn it into actionable intelligence to address threats in the network and proactively thwart ones that haven’t hit yet.

Behind the buzz and momentum from RSAC 2019, threat hunting will continue to gain traction, more advanced solutions will be developed, and organizations will be able to hunt down threats more efficiently and effectively. I’m excited to see how the definition evolves in the near future — as long as the cyber threat hunting roots stay strong.

Read the “SANS 2018 Threat Hunting Results” report

The post Hunting for the True Meaning of Threat Hunting at RSAC 2019 appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Jake Munroe

With AI for Cybersecurity, We Are Raising the Bar for Smart

It’s hard to imagine something more frustrating to a runner than moving the finish line after the race has started. After all, how can you set a proper pace if the distance keeps changing? How will you know you’ve succeeded if the definition of success is in flux?

In a sense, that’s what has happened over the years in the field of artificial intelligence (AI). What would you call something that could add, subtract, multiply and divide large, complex numbers in an instant? You’d probably call it smart, right? Or what if it could memorize massive quantities of seemingly random data and recall it on the spot, in sequence, and never make a mistake? You might even interpret that sort of brain power as a sign of genius. But what exactly does it mean to be intelligent, anyway?

Now that calculators are included as default features on our phones and smartwatches, we don’t consider them to be particularly intelligent. We also have databases with seemingly infinite capacity at every turn, so we no longer view these abilities as indicative of some sort of higher intelligence, but rather as features of an ordinary, modern computer. The bottom line is that the bar for what is generally considered smart has moved — albeit far from the first time.

What Does It Mean to Be Intelligent?

There was a time when we thought that chess was such a complex game that only people with superior brain power could be champions. Surely, the ability to plot strategies, respond to an opponent’s moves and see many moves ahead with hundreds or even thousands of outcomes was proof of incredible intellect, right?

That was pretty much the case until 1997, when IBM’s Deep Blue computer beat grandmaster and world champion Garry Kasparov in a six-game match. Was Deep Blue intelligent even though the system couldn’t even read a newspaper? Surely, intelligence involved more than just being a chess savant. The bar for smart had moved.

Consider the ability to consume and comprehend huge stores of unstructured content written in a form that humans can read but computers struggle with due to the vagaries of normal expression, such as idioms, puns and other quirks of language. Take, for example, saying that “it’s raining cats and dogs,” or that someone has “cold feet.” The former has nothing to do with animals, and the latter is not a condition that can be remedied with wool socks.

What if a system could read this sort of information nonstop across a wide range of categories, never forget anything it reads and recall the facts relevant to a given clue with subsecond response time? What if it was so good at this exercise that it could beat the best in the world with more correct responses in less time? That would surely be the sign of a genius, wouldn’t it?

It was, until 2011, when IBM’s Watson computer beat two grand champions at the game of Jeopardy! while the world watched on live TV. Even so, was Watson intelligent, or just really good at a given task, as its predecessors had been? The bar for smart had moved yet again.

Passing the Turing Test: Are We Near the Finish Line?

The gold standard for AI — proof that a machine is able to match or exceed human intelligence in its various forms by mimicking the human ability to discover, infer and reason — was established in 1950 by Alan Turing, widely considered the father of theoretical computer science and AI. The Turing Test involved having a person communicate with another human and a machine. If that person was unable to distinguish through written messages whether they were conversing with the other person or the computer, the computer would be considered intelligent.

This elegant test incorporated many elements of what we consider intelligence: natural language processing, general knowledge across a wide variety of subjects, flexibility and creativity, and a certain social intelligence that we all possess, but may take for granted in personal communications until we encounter a system that lacks it. Surely, a computer that can simulate human behavior and knowledge to the extent that a neutral observer could not tell the difference would be the realization of the AI dream — finish line crossed.

That was the conventional wisdom until 2014, when a computer managed to fool 33 percent of evaluators into thinking they were talking to a 13-year-old Ukrainian boy. Surely, this achievement would have convinced most people that AI was finally here now that a machine had passed the iconic Turing Test, right? Nope — you guessed it — the bar for smart had moved.

How AI for Cybersecurity Is Raising the Bar

Now, we have systems doing what was previously unthinkable, but there is still a sense that we’ve yet to see the full potential of AI for cybersecurity. The good news is that we now have systems like Watson that can do anything from recommending treatment for some of the most intractable cancer cases to detecting when your IT systems are under attack, by whom and to what extent. Watson for Cybersecurity can do the latter today by applying knowledge it has gleaned from reading millions of documents in unstructured form and applying that learning to the precise details of a particular IT environment. Better still, it does all this with the sort of speed even the most experienced security experts could only dream of.

Does it solve all the problems of a modern security operations center (SOC)? Of course not. We still need human intelligence and insight to guide the process, make sense of the results and devise appropriate responses that account for ethical dilemmas, legal considerations, business priorities and more. However, the ability to reduce the time for investigations from a few hours to a few minutes can be a game changer. There’s still much more to be done with AI for cybersecurity, but one thing’s for sure: We have, once again, raised the bar for smart.

This post appeared first on Security Intelligence
Author: Jeff Crume

Comprehensive Vulnerability Management in Connected Security Solutions

Security vulnerabilities are everywhere — in the software we use, in mobile apps, in hardware and in internet of things (IoT) devices. Almost anything can be hacked, and we can see that in the staggering numbers of vulnerabilities disclosed every year. In fact, there were 10,644 vulnerabilities disclosed in the first half of 2018 alone, according to Risk Based Security. This year will likely top that number, and there is no doubt in my mind the same will be written 12 months from now.

In a threat landscape so replete with opportunities for attackers to make a move, vulnerability management is a central activity that can help organizations reduce their exposure to the attack surface and mitigate risk. Vulnerability management solutions have been available for many years now, yet the process remains a challenge for many organizations today.

Effective and efficient vulnerability management requires the involvement of various stakeholders throughout the organization. They typically come from multiple teams, such as security, asset owners and IT operations, to name a few. It is not enough to scan for vulnerabilities and then send a report over the wall with a large number of issues that have to be addressed; this is a surefire way to waste precious resources and frustrate teams in the process. Worst of all, it can potentially leave some of the riskiest vulnerabilities unaddressed.

According to forecasts released by Gartner[1] in 2018, around 30 percent of organizations will adopt a risk-based approach to vulnerability management by 2022, which could help them suffer 80 percent fewer breaches. Sounds like a promising forecast, but how can organizations adopt an effective risk-based approach that could yield such improvement in their security posture?

Let’s explore how connected security solutions can help security teams contextualize and prioritize vulnerabilities.

Risk-Based Vulnerability Management Starts With Prioritization

Vulnerability prioritization is a widely discussed topic in the information security domain. Approaches range from the Common Vulnerability Scoring System (CVSS) to methods based on asset value and exploit weaponization; an asset’s value, criticality and sensitivity are all fundamental elements of vulnerability remediation prioritization.

Forgoing a vulnerability patch on a critical server, a production environment or the database that holds company secrets can result in high-impact damage to the business. On the other hand, an approach based on potential exploit weaponization stipulates that vulnerabilities are only as dangerous as the threats that could exploit them.

How do you prioritize the right patch? Which approach will result in keeping up with the business’ goals? There’s more to it than choosing one or the other. Let’s look more specifically into why and how patch management, security information and event management (SIEM) and network topology modeling can help prioritize addressing vulnerabilities.

Focus Your Efforts Through Patch Management

Imagine a traditional vulnerability assessment program that requires monthly scans. Every month, a scanning solution assesses potential vulnerabilities, and remediation activities follow. During the next scan, those vulnerabilities are confirmed as remediated while new ones are identified, and the cycle continues.

But how many of those flaws will have been realistically patched before the next vulnerability scan? How much time will security staff spend looking at vulnerabilities to ensure they have been effectively patched? It would be wise for a vulnerability management process to require a specific scan to validate that a vulnerability has indeed been remediated.

Considering the resources available for investigation in a typical organization, knowing that a patch management solution has reliably applied or scheduled a fix can help security teams focus on the vulnerabilities that have not yet been remediated.

Look at Network Traffic Routes Using Network Topology Modeling

Now let’s shift our focus to network security. Fundamentally, the topology of a network can help define the opportunity for an attacker to exploit a particular vulnerability. Defenders should ask themselves where devices are placed on the network and whether that placement is conducive to optimizing the security they can offer. What rules have been configured on them, and what data drove their creation?

By gathering details on existing network security and the configuration of network devices, threat modeling solutions can help build a network traffic topology. This topology can provide answers to questions such as:

  • Can users access critical/sensitive assets from the edges of the network?
  • What subnetworks have a path to the organization’s crown jewels?
  • Are there vulnerabilities on a particular port that can be exploited from the edge of my network?

Going through this process can help you use network topology to inform vulnerability prioritization. A high-risk vulnerability on a low-value asset in an area of your network that cannot be reached from the internet is likely less important than a medium-risk vulnerability on a high-value asset that is accessible from the internet. This is why network topology threat modeling can be a helpful tool for prioritizing which vulnerabilities present higher risk and which do not necessarily require immediate action.

While vulnerabilities don’t change in their definition, network configurations do. A network modeling solution should monitor security policies and adjust risk as the context changes.

Let’s say, for example, that a firewall rule has been added to allow traffic from the edge of the network to a low-value asset affected by a high-risk vulnerability. Defining the risk here may seem straightforward, but what if there were additional details to consider? The low-value asset has a network path to high-value assets, for instance. Now the risk associated with the vulnerability has changed, and this should be reflected in how the vulnerabilities are prioritized.

Inform Your Security Team Via Your SIEM

SIEM data can help inform security professionals about the context of the services associated with certain vulnerabilities.

Consider the example of CVE-2014-3566, known as the enabler for the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. According to IBM X-Force Exchange, “Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE attack to decrypt SSL sessions and calculate the plaintext of secure connections.”

While an asset might be running a version of OpenSSL relevant to CVE-2014-3566, the only way for an attacker to “obtain sensitive information” is for that information to exist in the first place. Network flows may tell us that no SSL traffic was ever recorded to or from this service, or they may paint the picture of an HTTPS service used throughout the organization and from outside the organization’s network. Here we have two different scenarios associated with two very different risks that a vulnerability assessment solution alone cannot differentiate.

Using a threat feed, a SIEM solution can help determine not only whether there is traffic from the internet going to a vulnerable service on an asset, but also if that flow is indeed coming from an identified malicious source. This can raise an offense in the SIEM system and should also feed down to a vulnerability management solution to prioritize that particular vulnerability instance.

In addition, let’s say an intrusion detection system (IDS) identified an indicator of compromise (IoC) that clearly points to the exploitation of a vulnerability. Not only will this raise an offense in a SIEM solution for a security team to investigate, it will also be prioritized by a SIEM tool that is integrated with a vulnerability management solution. That particular vulnerability would clearly become a high-priority concern.
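As an added illustration (not the article’s own tool or any IBM product), here is a small Python prioritizer that fuses the context sources described in the patch management, network topology and SIEM sections above: scanner severity, patch-management status, the topology model’s reachability flags, and SIEM flow, threat-feed and IDS data. The asset names, CVSS values, weights, thresholds and the placeholder CVE ids are all constructed assumptions; only CVE-2014-3566 comes from the text.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Queue order: active exploitation first, patched-or-scheduled items last.
TIER_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "deferred": 4}


@dataclass(frozen=True)
class Asset:
    name: str
    value: int                 # business value: 1 (low) .. 5 (crown jewels)
    internet_reachable: bool   # topology model: a path exists from the network edge
    path_to_high_value: bool   # topology model: this host can reach a high-value asset


@dataclass
class VulnInstance:
    cve: str
    asset: Asset
    cvss: float                    # scanner's base severity, 0.0 .. 10.0
    patch_scheduled: bool = False  # patch management: fix applied or scheduled
    flows_seen: int = 0            # SIEM: network flows observed to the vulnerable service
    threat_feed_hits: int = 0      # SIEM: flows whose source matched a threat feed
    ids_ioc_hit: bool = False      # IDS: IoC pointing to exploitation of this vuln


def effective_value(asset: Asset) -> int:
    """A low-value host with a path to the crown jewels is a stepping stone,
    so it is treated as at least high value (the firewall-rule example)."""
    return max(asset.value, 4) if asset.path_to_high_value else asset.value


def risk_score(v: VulnInstance) -> float:
    """Constructed weighting: severity x exposure x asset value, adjusted by SIEM context."""
    exposure = 1.5 if v.asset.internet_reachable else 0.5
    value_factor = 0.5 + effective_value(v.asset) / 5.0   # 0.7 .. 1.5
    score = v.cvss * exposure * value_factor
    if v.flows_seen == 0:
        score *= 0.5   # no traffic ever recorded: nothing there for an attacker to read
    if v.threat_feed_hits > 0:
        score += 3.0   # known-malicious sources are already talking to the service
    return score


def tier_for(v: VulnInstance) -> Tuple[str, str]:
    """Return (tier, reason). IDS and patch-management context override the score."""
    if v.ids_ioc_hit:
        return "critical", "IDS IoC indicates active exploitation"
    if v.patch_scheduled:
        return "deferred", "patch applied/scheduled; confirm with a validation scan"
    s = risk_score(v)
    if s >= 12.0:
        tier = "critical"
    elif s >= 8.0:
        tier = "high"
    elif s >= 4.0:
        tier = "medium"
    else:
        tier = "low"
    if v.threat_feed_hits > 0 and tier in ("low", "medium"):
        tier = "high"   # traffic from a threat-feed source is never a low priority
    return tier, f"score {s:.2f}, asset value {effective_value(v.asset)}, flows {v.flows_seen}"


def prioritise(vulns: List[VulnInstance]) -> List[VulnInstance]:
    """Rank by tier, then by score, so the queue reads from most to least urgent."""
    return sorted(vulns, key=lambda v: (TIER_ORDER[tier_for(v)[0]], -risk_score(v)))


# Constructed sample inventory; values and topology flags are illustrative, not real data.
WEB_DMZ = Asset("web-dmz-01", value=3, internet_reachable=True, path_to_high_value=False)
INTRANET = Asset("intranet-app", value=3, internet_reachable=False, path_to_high_value=False)
PRINT_SRV = Asset("print-server", value=1, internet_reachable=True, path_to_high_value=True)
HR_DB = Asset("hr-db", value=5, internet_reachable=False, path_to_high_value=False)

SAMPLE = [
    # POODLE on a public HTTPS service, with flows arriving from threat-feed sources
    VulnInstance("CVE-2014-3566", WEB_DMZ, cvss=4.3, flows_seen=1200, threat_feed_hits=2),
    # Same CVE, but the SIEM has never recorded SSL traffic to this service
    VulnInstance("CVE-2014-3566", INTRANET, cvss=4.3, flows_seen=0),
    # High-severity flaw on a low-value host that a new firewall rule exposed to the edge,
    # and which has a network path to the crown jewels (CVE id is a placeholder)
    VulnInstance("CVE-PLACEHOLDER-1", PRINT_SRV, cvss=9.8, flows_seen=40),
    # Critical asset, but patch management has already scheduled the fix
    VulnInstance("CVE-PLACEHOLDER-2", HR_DB, cvss=7.5, patch_scheduled=True, flows_seen=500),
]

if __name__ == "__main__":
    for v in prioritise(SAMPLE):
        tier, why = tier_for(v)
        print(f"{tier:9} {v.cve:18} {v.asset.name:13} {why}")
```

Running it ranks the exposed print server above the public POODLE instance, and the never-used internal SSL service well below both, which is the differentiation a scanner alone cannot make.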

Connect Security Solutions to Keep Up With Evolving Modern Threats

While vulnerability management solutions have helped organizations mitigate risk for a couple of decades now, cybersecurity threats are more prevalent than ever before. Systems have become increasingly complex, attacks are more sophisticated as a result, and the volume of vulnerabilities is beyond the remediation capabilities of many organizations.

To stay ahead of attackers, organizations should consider vulnerability management solutions that integrate with SIEM tools, network and threat modeling capabilities, and patch management systems. Making the best of vulnerability management today means breaking down the silos of security and IT operations solutions and connecting them together.

[1] Implement a Risk-Based Approach to Vulnerability Management, August 21, 2018, Prateek Bhajanka and Craig Lawson

This post appeared first on Security Intelligence
Author: Thibault Barillon

Follow the Leaders: 7 Tried-and-True Tips to Get the Most Out of Your Security Analytics

The practice of analyzing security data for detection and response — otherwise known as security analytics (SA) — comes in many forms and flavors. Consumed data varies from organization to organization, analytic processes span a plethora of algorithms and outputs can serve many use cases within a security team.

In early 2019, IBM Security commissioned a survey to better understand how companies currently use security analytics, identify key drivers and uncover some of the net benefits security decision-makers have experienced. The findings were drawn from more than 250 interviews with information security decision-makers around the globe.

7 Lessons From Top Performers in Security Analytics

Encouragingly, the study revealed rising levels of maturity when it comes to security analytics. Roughly 15 percent of all interviewees scored as high performers, meaning their investigation processes are well-defined and they continuously measure the effectiveness of the output. These respondents are especially strong in terms of volume of investigations (five to 10 times more investigations than the average) and false positives (approximately 30 percent below average). Meanwhile, 97 percent of these leaders successfully built a 24/7 security operations center (SOC) with a total staffing headcount between 25 and 50.

What lessons can organizations with lower levels of SA maturity take away from this shining example? Below are seven key lessons security teams can learn from the top performers identified in the survey:

  1. Top SA performers have a knack for integrating security data. While many mid-performing organizations struggle with this integration and consider the task an obstacle to effective security analytics, leaders identified in the survey have streamlined the process, freeing them to focus on use case and content development.
  2. Nine in 10 high performers have an accurate inventory of users and assets — in other words, they understand the enterprise’s boundaries and potential attack surfaces and continuously update their inventory. This is likely a result of effective, automated discovery using a combination of collected security data and active scanning. By comparison, less than 30 percent of low-performing security teams practice this approach.
  3. A robust detection arsenal contains an equal mix of rule-based matching (i.e., indicators of compromise), statistical modeling (i.e., baselining) and machine learning. In stark contrast, intermediate performers rely more on existing threat intelligence as a primary detection method.
  4. Top performers use content provided by their security analytics vendors. In fact, 80 percent of respondents in this category indicated that the vendor-provided content is sufficient, whether sourced out of the box or via services engagements.
  5. Compared to middling performers, top performers dedicate between two and three times more resources to tuning detection tools and algorithms. To be exact, 41 percent of high performers spend 40 hours or more per week on detection tuning.
  6. High-performing security teams automate the output of the analytics and prioritize alerts based on asset and threat criticality. They also have automated investigation playbooks linked to specific alerts.
  7. Finally, organizations with a high level of SA maturity continuously measure their output and understand the importance of time. Approximately 70 percent of top performers keep track of monthly metrics such as time to respond and time spent on investigation. Low-performing organizations, on the other hand, measure the volume of alerts, and their use of time-based metrics is 60 to 70 percent lower than that of high performers.

Build a Faster, More Proactive and More Transparent SOC

So what do the high performers identified in the survey have to show for their security analytics success? For one thing, they all enjoy superb visibility into the performance of their SOC. While many companies are improving, particularly in the areas of cloud and endpoint visibility, 41 percent of leaders in security analytics claim to have full SOC visibility, compared to 13 percent of intermediate and low performers.

In addition, while lower-performing organizations leverage security analytics to investigate and respond — i.e., react — to threats, high performers use SA to stay ahead of threats proactively. Finally, the leaders identified in the study generate their own threat intelligence and are experts in analyzing security data.

The key takeaway here is that security is a race against time — specifically, to outpace cyber adversaries. Leading security teams know this, which is why they continuously challenge themselves by integrating new data, extracting new insights, implementing smart automation, and, most importantly, measuring the time to detect, investigate and respond.

This post appeared first on Security Intelligence
Author: Bart Lenaerts

6 Steps Every New CISO Should Take to Set Their Organization Up for Success

Congrats! You’ve landed a new job as a chief information security officer (CISO). Now where do you start?

With some figures putting the typical CISO tenure at just around two years, it’s clear turnover in this role is high. According to a Ponemon Institute study sponsored by Opus, 44 percent of CISOs surveyed said they plan to make a lateral move in their organization outside of IT security, and 40 percent said they expect to change careers. All of this considered, the window of time to make a mark as an effective security leader is short — and, in turn, stressful.

What are some best practices for getting started on the path to success in a new security management position? What do you need to do, who do you need to talk to, and what are the first actions you need to take to make an immediate impact and set yourself up for future wins?

Here are six steps to help you get started in a new security executive role.

1. Take Stock of Technology

One of the most important steps you will take in the first few days is reviewing the IT infrastructure of your new company. How are firewalls and servers configured? How many different endpoints connect to the network? What other technology is in place?

According to CSO, you should start by taking stock of which incident prevention security controls are preventing and reporting on malicious activity. You should also determine which security control management consoles, security information and event management (SIEM) tools, and log management solutions are collecting logs and alerts.

Understanding your systems and defenses is priority No. 1 because knowing what your new organization has in place — and where you may need to make additions and changes — will inform the next steps in your first few months in the CISO role.

2. Assess Your Processes

After gaining a comprehensive view into the technology that is in place, it is time to review and evaluate the processes in place for security. Is there an incident response (IR) plan in place? For 77 percent of organizations, the answer is no. Is the IR plan written and tested? What about awareness training? Is it done monthly? Annually? This information will give you a clearer picture of how the company has prioritized security in the past — and an idea of where it needs to go in the future.

This is also the time to poke holes in policies and standards that do not have formal processes attached, and develop and define them to be more effective. Clear, well-defined processes minimize confusion and chaos, and ensure your organization can comply with the policies you want to enforce.

3. Build Out Your Team

Whether you are utilizing existing employees or hiring new team members, building your security team is an immediate priority for a new security leader, according to Dan Lohrmann, former CISO for the state of Michigan and current chief security officer and chief strategist at Security Mentor.

“Focus on talent and relationships,” Lohrmann wrote in an article for Government Technology. “Surround yourself with security pros that work well together and cover skill set weaknesses.”

Direct reports that you will be managing are the first employees you need to get to know. Have one-on-one meetings with each team member if time allows to understand their strengths, weaknesses and insights on where security strategy stands in the organization. These employees have the institutional knowledge you don’t yet have and have dealt with issues and problems already. This time can also be an opportunity to build a relationship of trust so that your direct reports know they can come to you with concerns and feedback going forward.

If you have the luxury of hiring, after getting to know the existing security team, now is the time to assess whether you are lacking certain skills and talent on your team and look to the external talent pool to add to your ranks. This may be easier said than done, since the cybersecurity skills gap has made hiring challenging in recent years.

4. Talk to Key Internal Stakeholders

You want to gain a deeper understanding of the business, its mission, its immediate priorities and its long-term goals as soon as you get in the door. The CISO role is about security and business enablement. You will be expected to protect the organization and contribute to strategic goals.

Start by meeting with executive management when possible, as well as heads of business units. Understand their goals, visions, pain points and objectives. Ask how security management can assist with all of these. Getting to know these stakeholders will be the start of what should be an ongoing relationship and conversation that will give security a strong voice in the organization.

5. Get to Know Customers

Equally important to understanding the executive vision of the company is having a solid comprehension of the people the company serves. Getting to know key customers and clients on the front lines will give you the advantage of grasping how the enterprise is viewed from the outside. The customer lens of the organization will be invaluable in positioning security as a business driver instead of a hindrance.

6. Start Thinking About Your Budget

Gartner predicted that companies would spend around $96 billion on security products and services in 2018. But how can CISOs prove their investments had a measurable impact on corporate risk? It is no longer enough to simply deliver security to an organization; CISOs are also expected to demonstrate return on investment (ROI) and find ways to deliver direct business benefits.

Collecting data, evidence and metrics to demonstrate the need for security investments, why they are necessary in the near future and the proof of corporate payoff is another essential step for new security management. Additionally, this needs to be positioned in a way that business leaders understand, which takes us back to the importance of the prior steps. Without investing time in getting to know executive management and understanding customers, you will be less equipped to make the case for budgetary dollars for security priorities down the road.

Start Your CISO Tenure Off on the Right Foot

Starting a new job in the CISO role can feel overwhelming. But the time for security to be seen as a key player — and to have a major business impact — has never been better. While there may be multiple challenges to address right out of the gate in a new organization, heed these suggestions to start making a positive impact on day one.

The post 6 Steps Every New CISO Should Take to Set Their Organization Up for Success appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Joan Goodchild

Advanced Persistent Threat (APT), Advanced Threat Protection, Advanced Threats, Data Protection, Data Security, Security Information and Event Management (SIEM), Security Intelligence & Analytics, threat hunting, Threat Management, Threat Protection,

Embrace the Intelligence Cycle to Secure Your Business

Regardless of where we work or what industry we’re in, we all have the same goal: to protect our most valuable assets. The only difference is in what we are trying to protect. Whether it’s data, money or even people, the harsh reality is that it’s difficult to keep them safe because, to put it simply, bad people do bad things.

Sometimes these malicious actors are clever, setting up slow-burning attacks to steal enterprise data over several months or even years. Sometimes they’re opportunistic, showing up in the right place at the wrong time (for us). If a door is open, these attackers will just waltz on in. If a purse is left unattended on a table, they’ll quickly swipe it. Why? Because they can.

The Intelligence Cycle

So how do we fight back? There is no easy answer, but the best course of action in any situation is to follow the intelligence cycle. Honed by intelligence experts across industries over many years, this method can be invaluable to those investigating anything from malware to murders. The process is always the same.

Stage 1: Planning and Direction

The first step is to define the specific job you are working on, find out exactly what the problem is and clarify what you are trying to do. Then, work out what information you already have to deduce what you don’t have.

Let’s say, for example, you’ve discovered a spate of phishing attacks — that’s your problem. This will help scope subsequent questions, such as:

  • What are the attackers trying to get?
  • Who is behind the attacks?
  • Where are attacks occurring?
  • How many attempts were successful?

Once you have an idea of what you don’t know, you can start asking the questions that will help reveal that information. Use the planning and direction phase to define your requirements. This codifies what you are trying to do and helps clarify how you plan on doing it.

Stage 2: Collection

During this stage, collect the information that will help answer your questions. If you cannot find the answers, gather data that will help lead to those answers.

Where this comes from will depend on you and your organization. If you are protecting data from advanced threats, for instance, you might gather information internally from your security information and event management (SIEM) tool. If you’re investigating more traditional organized crime, by contrast, you might knock on doors and whisper to informants in dark alleys to collect your information.

You can try to control the activity of collection by creating plans to track the process of information gathering. These collection plans act as guides to help information gatherers focus on answering the appropriate questions in a timely manner. Thorough planning is crucial in both keeping track of what has been gathered and highlighting what has not.

Stage 3: Processing and Exploitation

Collected information comes in many forms: handwritten witness statements, system logs, video footage, data from social networks, the dark web, and so on. Your task is to make all the collected information usable. To do this, put it into a consistent format. Extract pertinent information (e.g., IP addresses, telephone numbers, asset references, registration plate details, etc.), place some structure around those items of interest and make it consistent. It often helps to load it into a schematized database.

If you do this, your collected information will be in a standard shape and ready for you to actually start examining it. The value is created by putting this structure around the information. It gives you the ability to make discoveries, extract the important bits and understand your findings in the context of all the other information. If you can, show how attacks are connected, link them to bad actors and collate them against your systems. It helps to work with the bits that are actually relevant to the specific thing you’re working on. And don’t forget to reference this new data you collected against all the old stuff you already knew; context is king in this scenario.

This stage helps you make the best decisions you can against all the available information. Standardization is great; it is hard to work with information when it’s in hundreds of different formats, but it’s really easy when it’s in one.

Of course, the real world isn’t always easy. Sometimes it is simply impossible to normalize all of your collected information into a single workable pot. Maybe you collected too much, or the data arrived in too many varied formats. In these cases, your only hope is to invest in advanced analytical tools and analysts that will allow you to fuse this cacophony of information into some sensible whole.
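To make the processing stage concrete, here is an added example (written for this page, not code from the article or from IBM) that takes three constructed items of collected information in different shapes, extracts the items of interest (IP addresses and telephone numbers), normalizes them into one schema and references each against a constructed store of what was already known. The source texts, the prior-knowledge table and the entity patterns are all assumptions made for the illustration; the addresses come from documentation ranges.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample "collected information" in three different shapes
# (a witness statement, a syslog line and a forum post). None of this is
# from the article; the addresses are documentation ranges.
SOURCES = {
    "witness": ("Caller said the suspect phoned from +44 20 7946 0958 on "
                "2018-09-04 and mentioned the server at 10.10.10.200."),
    "syslog": ("Sep  4 14:43:58 firewall-fort kernel: DROP IN=eth0 "
               "SRC=203.0.113.45 DST=10.10.10.200 PROTO=TCP DPT=22"),
    "forum": "selling access, contact +44 20 7946 0958, box is 198.51.100.7",
}

# What we already knew before this collection round (constructed), keyed by
# the normalized form of the entity so new items can be referenced against it.
PRIOR_KNOWLEDGE = {
    "10.10.10.200": "internal file server, asset FS-01",
    "+442079460958": "number seen in last month's phishing case",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PHONE_RE = re.compile(r"\+\d[\d\s-]{7,}\d")  # international numbers with +CC


@dataclass
class Entity:
    kind: str                      # "ip" or "phone"
    value: str                     # normalized form used as the join key
    source: str                    # which collected item it came from
    context: Optional[str] = None  # prior knowledge about it, if any


def normalize_phone(raw: str) -> str:
    """Strip spaces and hyphens so the same number always has one spelling."""
    return re.sub(r"[\s-]", "", raw)


def extract_entities(source: str, text: str) -> List[Entity]:
    """Pull the items of interest out of free text, whatever its format."""
    found = []
    for m in IPV4_RE.finditer(text):
        if all(int(octet) <= 255 for octet in m.group(0).split(".")):
            found.append(Entity("ip", m.group(0), source))
    for m in PHONE_RE.finditer(text):
        found.append(Entity("phone", normalize_phone(m.group(0)), source))
    return found


def build_database(sources: Dict[str, str]) -> Dict[str, List[Entity]]:
    """Schematized store: normalized value -> every record mentioning it,
    each enriched with whatever we already knew about that value."""
    db: Dict[str, List[Entity]] = {}
    for name, text in sources.items():
        for ent in extract_entities(name, text):
            ent.context = PRIOR_KNOWLEDGE.get(ent.value)
            db.setdefault(ent.value, []).append(ent)
    return db


def linked_sources(db: Dict[str, List[Entity]], value: str) -> List[str]:
    """Which collected items mention this entity: the 'show how they connect' step."""
    return sorted({e.source for e in db.get(value, [])})


if __name__ == "__main__":
    db = build_database(SOURCES)
    for value, records in db.items():
        print(value, records[0].kind, linked_sources(db, value), records[0].context)
```

Once the store is built, the same telephone number is seen to link the witness statement to the forum post, and the file server address is seen to link the statement to the firewall log; that linkage, plus the prior context attached to each record, is what the next stage queries.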

Stage 4: Analysis Production

The analysis production stage begins when you have processed your information into a workable state and are ready to conduct some practical analysis — in other words, you are ready to start producing intelligence.

Think about the original task you planned to work on. Look at all the lovely — hopefully standardized — information you’ve collected, along with all the information you already had. Query it. Ask questions of it. Hypothesize. Can you find the answer to your original question? What intelligence can you draw from all this information? What stories can it tell? If you can’t find any answers — if you can’t hypothesize any actions or see any narratives — can you see what is missing? Can you see what other information you would need to collect that would help answer those questions? This is the stage where you may be able to draw new conclusions out of your raw information. This is how you produce actionable intelligence.

Actionable intelligence is an important concept. There’s no point in doing all this work if you can’t find something to do at the end of it. The whole aim is to find an action that can be performed in a timely manner that will help you move the needle on your particular task.

Finding intelligence that can be acted upon is key. Did you identify that phishing attack’s modus operandi (MO)? Did you work out how that insider trading occurred? It’s not always easy, but it is what your stakeholders need. This stage is where you work out what you must do to protect whatever it is you are safeguarding.

Stage 5: Dissemination

The last stage of the intelligence cycle is to go back to the stakeholders and tell them what you found. Give them your recommendations, write a report, give a presentation, draw a picture — however you choose to do it, convey your findings to the decision-makers who set the task to begin with. Back up your assertions with your analysis, and let the stakeholders know what they need to do in the context of the intelligence you have created.

Timeliness is very important. Everything ages, including intelligence. There’s no point in providing assessments for things that have already happened. You will get no rewards for disseminating a report on what might happen at the London Marathon a week after the last contestant finished. Unlike fine wine, intelligence does not improve with age.

To illustrate how many professionals analyze and subsequently disseminate intelligence, below is an example of an IBM i2 dissemination chart:

[Image: IBM i2 dissemination chart]

The analysis has already happened and, in this case, the chart is telling your boss to go talk to that Gene Hendricks chap — he looks like one real bad egg.

Then what? If you found an answer to your original question, great. If not, then start again. Keep going around the intelligence cycle until you do. Plan, collect, process, analyze, disseminate and repeat.

Gain an Edge Over Advanced Threats

We are all trying to protect our valued assets, and using investigation methodologies such as the intelligence cycle could help stop at least some malicious actors from infiltrating your networks. The intelligence cycle can underpin the structure of your work both with repetitive processes, such as defending against malware and other advanced threats, and targeted investigations, such as searching for the burglars who stole the crown jewels. Embrace it.

Whatever it is you are doing — and whatever it is you are trying to protect — remember that adopting this technique could give your organization the edge it needs to fight back against threat actors who jealously covet the things you defend.

To learn more, read the interactive white paper, “Detect, Disrupt and Defeat Advanced Physical and Cyber Threats.”


The post Embrace the Intelligence Cycle to Secure Your Business appeared first on Security Intelligence.

Author: Matthew Farenden

Access Management, Identity and Access Management (IAM), Incident Response (IR), Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), Security Solutions, Threat Detection,

Bring Order to Chaos By Building SIEM Use Cases, Standards, Baselining and Naming Conventions

Security operations centers (SOCs) are struggling to create automated detection and response capabilities. While custom security information and event management (SIEM) use cases can allow businesses to improve automation, creating use cases requires clear business logic. Many security organizations lack efficient, accurate methods to distinguish between authorized and unauthorized activity patterns across components of the enterprise network.

Even the most intelligent SIEM can fail to deliver value when it’s not optimized for use cases, or if rules are created according to incorrect parameters. Creating a framework that can accurately detect suspicious activity requires baselines, naming conventions and effective policies.

Defining Parameters for SIEM Use Cases Is a Barrier to SOC Success

Over the past few years, I’ve consulted with many enterprise SOCs to improve threat detection and incident response capabilities. Regardless of SOC maturity, most organizations struggle to accurately define the difference between authorized and suspicious patterns of activity, including users, admins, access patterns and scripts. Countless SOC leaders are stumped when they’re asked to define authorized patterns of activity for mission-critical systems.

SIEM rules can be used to automate detection and response capabilities for common threats such as distributed denial-of-service (DDoS), authentication failures and malware. However, these rules must be built on clear business logic for accurate detection and response capabilities. Baseline business logic is necessary to accurately define risky behavior in SIEM use cases.

Building a Baseline for Cyber Hygiene

Cyber hygiene is defined as the consistent execution of activities necessary to protect the integrity and security of enterprise networks, including users, data assets and endpoints. A hygiene framework should offer clear parameters for threat response and acceptable use based on policies for user governance, network access and admin activities. Without an understanding of what defines typical, secure operations, it’s impossible to create an effective strategy for security maintenance.

A comprehensive framework for cybersecurity hygiene can simplify security operations and create guidelines for SIEM use cases, and capturing an effective baseline for systems can strengthen security frameworks and create order in chaos. To empower better hygiene and threat detection capabilities based on business logic, established standards such as a naming convention can create clear parameters.

VLAN Network Categories

For the purpose of simplified illustration, imagine that your virtual local area networks (VLANs) are categorized among five criticality groups — named A, B, C, D and E — with the mission-critical VLAN falling into the A category (_A).

A policy may be created to dictate that A-category VLAN systems can communicate directly with any other category without compromising data security. However, communication with the A-category VLAN from B, C, D or E networks is not allowed. Authentication to a jump host can accommodate authorized exceptions to this standard, such as when E-category users need access to an A-category server.

Creating a naming convention and policy for VLAN network categories can help you develop simple SIEM use cases to prevent unauthorized access to A resources and automatically detect suspicious access attempts.
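The following is an added example of the VLAN use case in code; it is not from the article or from any IBM product. It assumes a small VLAN inventory whose names end in the criticality suffix (_A to _E), a jump host inside the A VLAN as the only authorized exception, and flow records already normalized to source and destination addresses. The subnets, VLAN names and jump host address are constructed.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed VLAN inventory. Names follow the article's convention of a
# criticality suffix (_A .. _E); the subnets and site names are assumptions.
VLANS = {
    "10.1.0.0/24": "COREDB_A",
    "10.2.0.0/24": "FINANCE_B",
    "10.3.0.0/24": "ENGINEERING_C",
    "10.5.0.0/24": "GUEST_E",
}

# Assumed: the jump host lives inside the A VLAN and is the only A address
# that lower categories may reach directly (the article's authorized exception).
JUMP_HOSTS = {"10.1.0.5"}


def vlan_category(ip: str) -> Optional[str]:
    """Return the criticality letter for an address, or None if the address is
    in no VLAN we have named (itself worth a low-priority finding)."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in VLANS.items():
        if addr in ipaddress.ip_network(cidr):
            return name.rsplit("_", 1)[1]
    return None


def flow_verdict(src_ip: str, dst_ip: str) -> str:
    """Apply the policy: A may talk to anyone; B..E may not initiate to A
    except to a jump host."""
    src, dst = vlan_category(src_ip), vlan_category(dst_ip)
    if src is None or dst is None:
        return "unclassified"
    if src == "A" or dst != "A":
        return "allowed"
    if dst_ip in JUMP_HOSTS:
        return "allowed"
    return "violation"


def evaluate_flows(flows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """SIEM-style rule: return every flow that breaks the category policy."""
    return [dict(f, verdict="violation") for f in flows
            if flow_verdict(f["src"], f["dst"]) == "violation"]


# Constructed flow records as a SIEM would hand them to a rule after normalization.
SAMPLE_FLOWS = [
    {"src": "10.1.0.10", "dst": "10.5.0.20"},  # A -> E: allowed
    {"src": "10.5.0.20", "dst": "10.1.0.5"},   # E -> A jump host: allowed
    {"src": "10.5.0.20", "dst": "10.1.0.10"},  # E -> A database: violation
    {"src": "10.2.0.3", "dst": "10.3.0.7"},    # B -> C: allowed
    {"src": "192.0.2.1", "dst": "10.1.0.10"},  # unknown VLAN: unclassified
]

if __name__ == "__main__":
    for alert in evaluate_flows(SAMPLE_FLOWS):
        print("ALERT", alert)
```

The rule has no knowledge of individual hosts beyond the jump host list; the naming convention carries the business logic, which is what makes the use case cheap to maintain when VLANs are added.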

Directory Services and Shared Resources

You can also use naming convention frameworks to create a policy for managing groups of user accounts according to access level in directory services, such as Lightweight Directory Access Protocol (LDAP) or Active Directory (AD). A standardized naming convention for directory services provides a clear framework for acceptable user access to shared folders and resources. AD users categorized within the D category may not have access to A-category folders or _A.

Creating effective SIEM rules based on these use cases is a bit more complex than VLAN business logic since it involves two distinct technologies and potentially complex policies for resource access. However, creating standards that connect user access to resources establishes clear parameters for strict, contextual monitoring. Directory users with A-category access may require stricter change monitoring due to the potential for abuse of admin capabilities. You can create SIEM use cases to detect other configuration mistakes, such as a C-category user who is suddenly escalated to A-category.

Username Creation

Many businesses are already applying some logic to standardize username creation for employees. A policy may dictate that users create a seven-character alias that involves three last-name characters, two first-name characters and two digits. Someone named Janet Doe could have the username DoeJa01, for example. Even relatively simple username conventions can support SIEM use cases for detecting suspicious behavior. When eight or more characters are entered into a username field, an event could be triggered to lock the account until a new password is created.

The potential SIEM use cases increase with more complex approaches to username creation, such as 12-character usernames that combine last- and first-name characters with the employee’s unique HR-issued identification. A user named Jonathan Doerty, for instance, could receive an automatically generated username of doertjo_4682. Complex usernames can create friction for legitimate end users, but some minor friction can be justified if it provides greater safeguards for privileged users and critical systems.

An external threat actor may be able to extrapolate simple usernames from social engineering activities, but they’re unlikely to guess an employee’s internal identification number. SIEM rules can quickly detect suspicious access attempts based on username field entries that lack the required username components. Requiring unique identification numbers from HR systems can also significantly lower the risk of admins creating fake user credentials to conceal malicious activity.

Unauthorized Code and Script Locations

Advanced persistent threats can evade detection by creating backdoor access to deploy carefully disguised malicious code. Standard naming conventions provide a cost-effective way to create logic that detects malware risks. A simple model for script names could leverage several data components, such as department name, script name and script author, resulting in authorized names like HR_WellnessLogins_DoexxJo. Creating SIEM parameters for acceptable script names can automate the detection of malware.

Creating baseline standards for script locations such as /var/opt/scripts and C:\Program Files can improve investigation capabilities when code is detected that doesn't comply with the naming convention or storage parameters. Even the most sophisticated threat actors are unlikely to perform reconnaissance on enterprise naming convention baselines before creating a backdoor and hiding a script. SIEM rules can trigger a response from the moment a suspiciously named script begins to run or a code file is moved into an unauthorized storage location.
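As an added example covering both the username conventions and the script naming and location standards above (this is illustration code written for this page, not the article's own rules or any vendor's), the block below encodes the two username forms as patterns, the script name model as a pattern, and the two approved script directories, then flags login names and script paths that fall outside them. The exact letter counts for the twelve-character username and for the author alias in script names are this example's reading of the article's samples, and the sample logins and paths are constructed.

```python
import re
from pathlib import PurePosixPath, PureWindowsPath
from typing import List

# Username conventions from the article, written as patterns. The
# seven-character form is three last-name letters + two first-name letters +
# two digits (DoeJa01); the twelve-character form is five last-name letters +
# two first-name letters + "_" + a four-digit HR identifier (doertjo_4682).
# The letter counts for the long form are this example's reading of the
# article's sample, not a stated rule.
USERNAME_CONVENTIONS = {
    "seven-char alias": re.compile(r"^[A-Za-z]{3}[A-Za-z]{2}\d{2}$"),
    "twelve-char hr id": re.compile(r"^[a-z]{5}[a-z]{2}_\d{4}$"),
}

# Script names: <Department>_<ScriptName>_<AuthorAlias>, e.g. HR_WellnessLogins_DoexxJo.
# The author part is taken here to be seven letters (an assumption).
SCRIPT_NAME_RE = re.compile(r"^[A-Z][A-Za-z]*_[A-Za-z0-9]+_[A-Za-z]{7}$")

# Approved script locations named in the article.
APPROVED_POSIX = [PurePosixPath("/var/opt/scripts")]
APPROVED_WINDOWS = [PureWindowsPath(r"C:\Program Files")]


def classify_username(username: str) -> str:
    """Return which convention a login name matches, or 'nonconforming'."""
    for label, pattern in USERNAME_CONVENTIONS.items():
        if pattern.match(username):
            return label
    return "nonconforming"


def check_script(path: str) -> List[str]:
    """Return the reasons a script path would trip the baseline rules
    (an empty list means it complies with both the name and location standard)."""
    findings = []
    if re.match(r"^[A-Za-z]:\\", path):
        p, approved = PureWindowsPath(path), APPROVED_WINDOWS
    else:
        p, approved = PurePosixPath(path), APPROVED_POSIX
    if not any(base in p.parents for base in approved):
        findings.append("unapproved location")
    if not SCRIPT_NAME_RE.match(p.stem):
        findings.append("nonconforming name")
    return findings


def flag_logins(usernames: List[str]) -> List[str]:
    """Authentication-log rule: surface every attempted username that fits
    neither convention so an analyst can review it."""
    return [u for u in usernames if classify_username(u) == "nonconforming"]


# Constructed sample input: two conforming names, one generic account name and
# one nine-character entry (the article's "eight or more characters" case).
SAMPLE_LOGINS = ["DoeJa01", "doertjo_4682", "administrator", "DoeJa0100"]
SAMPLE_SCRIPTS = [
    "/var/opt/scripts/HR_WellnessLogins_DoexxJo.py",
    r"C:\Program Files\Corp\IT_PatchRollout_SmithJo.ps1",
    "/tmp/.cache/update.sh",
]

if __name__ == "__main__":
    print("review these logins:", flag_logins(SAMPLE_LOGINS))
    for script in SAMPLE_SCRIPTS:
        print(script, "->", check_script(script) or ["ok"])
```

A path that trips both checks (wrong directory and a name outside the model) is the case the article describes; a conforming name in an unapproved directory, or the reverse, still produces one finding, which keeps the rule useful when only one of the two standards has been rolled out.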

Scaling Security Response With Standards

Meaningful threats to enterprise data security often fly under the radar of even the most sophisticated threat detection solutions when there’s no baseline to define acceptable activity. SOC analysts have more technological capabilities than ever, but many are struggling to optimize detection and response with effective SIEM use cases.

Clear, scalable systems to define policies for acceptable activity create order in chaos. The smartest approach to creating effective SIEM use cases relies on standards, a strong naming convention and sound policy. It’s impossible to accurately understand risks without a clear framework for authorized activities. Standards, baselines and naming conventions can remove barriers to effective threat detection and response.

The post Bring Order to Chaos By Building SIEM Use Cases, Standards, Baselining and Naming Conventions appeared first on Security Intelligence.

Author: Ludek Subrt

Artificial Intelligence (AI), Automation, Cognitive Security, Data Protection, Incident Response (IR), Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), threat hunting, Threat Intelligence,

Maturing Your Security Operations Center With the Art and Science of Threat Hunting

Your organization has fallen prey to an advanced persistent threat (APT) after being targeted by a state-sponsored crime collective. Six million records were lost over 18 months of undetected presence on your network. While your security operations center (SOC) is fully staffed with analysts, your threat hunting capabilities failed to detect the subtle signs of threat actors moving laterally through your network and slowly exfiltrating customer data.

How did this happen?

It all started with a highly targeted spear phishing attack on your director of communications. He failed to notice the carefully disguised symbols in an email he thought was sent by the IT department and logged in to a spoofed domain. This credential theft resulted in the spread of zero-day malware and slowly escalated account privileges. While some of the criminals’ behavior triggered alerts in the SOC, your analysts categorized the incidents as benign positives. Your organization is now facing a multimillion-dollar cleanup and a serious loss of customer trust.


Why You Should Hunt Advanced Threats Before They Strike

Situations like the one described above are all too common in our industry. The majority of successful exploits attributed to human error fit a small series of predictable patterns that exploit known vulnerabilities in an organization’s network. As a result, many data breaches can be prevented with effective cyber hygiene tactics.

Advanced threats are a smaller proportion of incidents, but they are typically undetected and cause the most damage. In addition, the rise in state-sponsored crime and criminal activity on the dark web has created an ecosystem that fosters open exchange between the world’s most sophisticated and skilled criminals.

The cost of a serious breach is also trending upward. According to Ponemon, the average cost of a megabreach that results in the loss of more than 1 million customer records is $40 million. And more than 60 percent of data breaches have links to either state actors or advanced, organized crime groups, according to Verizon. APTs that evade detection can result in dwell times that range from three to 24 months, further increasing the total cleanup cost for a data breach.

How can security teams fight these kinds of threats? The majority of enterprise SOCs are now at least three years old, according to a recent study from Exabeam, and are increasing in maturity. While human analysts and manual research methodologies can act as a firewall against many risks, there’s a need to scale SOC intelligence and threat hunting capabilities to safeguard against APTs.

What Is Threat Hunting?

Threat hunting can be defined as “the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain.” The practice uses techniques from art, science and military intelligence, with internal and external data sources informing the science of statistical and cognitive analysis. Human intelligence analyzes the results and informs the art of a response. Last year, 91 percent of security leaders reported improved response speed and accuracy as a result of threat detection and investigation, according to the SANS Institute.

Threat hunting is not defined by solutions, although tools and techniques can significantly improve efficiency and outcomes. Instead, it’s defined by a widely accepted framework from Sqrrl. These are the four stages of Sqrrl’s Threat Hunting Loop:

  1. Create a hypothesis.
  2. Investigate via tools and techniques.
  3. Discover new patterns and adversary tactics, techniques and procedures (TTPs).
  4. Inform and enrich automated analytics for the next hunt.

The goal for any security team should be to complete this loop as efficiently as possible. The quicker you can do so, the quicker you can automate new processes that will help find the next threat.

The 4 Characteristics of a Comprehensive Threat Hunting Capability

A mature threat hunting capability is closely associated with SOC maturity. The least mature SOCs have human analysts who act as a firewall. As SOCs approach maturity and adopt security information and event management (SIEM) tools, their capacity to reactively investigate indicators of compromise (IoCs) increases. The most mature SOCs take a proactive approach to investigating IoCs, with researchers, analysts, solutions and a clearly defined methodology to orchestrate both investigation and response. A comprehensive capacity for hunting threats is defined by four key characteristics:

  1. Data handling: The ability to handle a deluge of data across siloed networks, including insight into internal risks, advanced activities from external threat actors and real-time threat intelligence from third-party sources.
  2. Data analysis: The ability to correlate a high volume and velocity of disparate data sources into information and, ultimately, intelligence.
  3. Informed action: Resources to increase threat hunters’ skills and easily feed threat intelligence through training, policy and cognitive capabilities.
  4. Orchestrated action: Defined processes and methodologies to hunt threats in a repeatable and orchestrated way that informs proactive security capabilities throughout the organization.

Organizations that fail to increase SOC maturity and adopt the solutions and processes for hunting threats face a number of risks. Relying on manual research methodologies can lead to costly data breaches and permanent brand damage when APTs evade detection. A lack of solutions and methods for an orchestrated IoC investigation process means less efficient and accurate operations. The absence of SOC orchestration encourages heavily manual processes.

The Diverse Business Benefits of Hunting Threats

Using cognitive intelligence tools to enhance SOC capabilities, Sogeti Luxembourg successfully reduced the average time of root cause determination and threat investigation from three hours to three minutes. In the process, the financial institution sped up their threat investigation process by 50 percent and saw a tenfold increase in actionable threat indicators.

Hunting threats can offer a number of benefits to both the business and the security operations center. The outcomes include greater protection of reputation, a more intelligent SOC and orchestrated security response.

Reputation Protection

Falling prey to an APT can cause lasting damage to a brand. One core benefit of implementing a more sophisticated threat hunting capability is the potential to guard against the most costly data breaches, which typically result in millions of lost records or permanent data deletion.

SOC Maturity

SOC analyst stress and falsely assigned benign positives are at record highs. APTs can easily go unnoticed due to the sheer volume of noise, which creates a culture of alert fatigue.

Achieving mature threat detection capabilities can change how analysts work and allow organizations to implement a cognitive SOC. Security analytics platforms enhance human intelligence and reduce manual research, and correlation tools provide real-time insight from a variety of structured and unstructured third-party data sources.

Orchestrated Security Response

With the technological capabilities to outthink adversaries, organizations can inform a proactive, unified approach to incident response (IR) that begins in the SOC. Internal and external data sources augment the intelligence of human analysts, allowing real-time, informed decision-making. Investigations and response can inform action as soon as anomalous behaviors or patterns are detected. The result is a defined process that allows your organization to mitigate threats earlier in the Cyber Kill Chain.

Intelligent Response to Sophisticated Threats

The majority of threats your organization faces each day will fit predictable patterns. While APTs make up a statistically small percentage of incidents investigated by a SOC, sophisticated threat actors use unique tactics and techniques to evade detection in a noisy SOC. These threats are the most likely to evade detection and result in highly expensive cybercrime.

State-sponsored criminal activity and attacks launched by sophisticated crime collectives are increasing. To guard against these increasingly complex threat vectors, organizations need to proactively prepare their defenses. Implementing cognitive tools in the SOC can enable organizations to adopt proactive threat hunting capabilities that leverage both art and science. By combining repeatable processes for threat investigation with intelligent solutions and skilled analysts, organizations can respond to threats earlier in the kill chain and protect their most critical assets.

Read the e-book: Master threat hunting

The post Maturing Your Security Operations Center With the Art and Science of Threat Hunting appeared first on Security Intelligence.

Author: Rob Patey

Behavioral Analytics, Machine Learning, Network Security, Security Information and Event Management (SIEM), Security Intelligence, Security Intelligence & Analytics, Security Solutions, Security Tools,

SIEM Event Normalization Makes Raw Data Relevant to Both Humans and Machines

A security information and event management (SIEM) system is an indispensable tool for any security operations center (SOC). It collects events from devices in your network infrastructure such as servers, cloud devices, firewalls and Wi-Fi access points to give operations professionals fine-grained visibility into activity on the network and help them spot anomalies that may signal a cyberattack.

In its raw form, this log data is almost impossible for a human to process, so advanced SIEM solutions conduct a process called event normalization to deliver a homogeneous view. Event normalization consists of breaking each field of a raw event into variables and combining them into views that are relevant to security administrators. This is a crucial step in the process of finding meaning in often isolated and heterogeneous events.

Visualize Your Network Activity

There are thousands of vendors and models of devices and software that an organization may want to monitor. It’s impossible for a SIEM to read raw events from all of them, let alone keep up with versions and new releases. Using correlation rules and tools such as a DSM editor, security administrators can translate raw data into a single, normalized stream, making it possible for the SIEM to present data from nearly any device or log source in a meaningful form. Event normalization enables administrators to detect anomalies even when data is streaming in from multiple locations.

For example, a brute-force attack consists of a series of authentication attempts against a system, either from a single IP or multiple addresses. Sorting through authentication logs one by one is a tedious task, but a SIEM solution can solve the problem using correlation rules. This enables administrators to see anomalies such as login attempts from suspicious locations, network scans and simultaneous authentication attempts by the same user from different locations. A SIEM can also monitor network traffic for unusual activity, such as large file downloads.

Behold the Power of Event Normalization

To give you a sense of the power of normalization, here’s an example of a raw log from a firewall:

<5>logver=54 dtime=1536072238 devid=FG74E83E17000037 devname=firewall-fort vd=External date=2018-09-04 time=14:43:58 slot=4 logid=0000000013 type=traffic subtype=forward level=notice srcip=10.10.10.200 srcport=44000 srcintf="DMZ" dstip=172.217.15.206 dstport=443 dstintf="External" poluuid=55555555-5b5b-5a5a-5c5c-5a5b5c5d5f55 sessionid=555555555 proto=6 action=close policyid=55 policytype=policy dstcountry="United States" srccountry="United States" trandisp=snat transip=Pub-IP-Address transport=44000 service="tcp_1-65535" duration=11 sentbyte=1699 rcvdbyte=6002 sentpkt=16 rcvdpkt=13 appcat="unscanned"

Buried in this nearly unreadable stream is important information, including:

  • Hostname;
  • Date and time;
  • Source IP of the traffic;
  • Destination IP;
  • Source port;
  • Destination port;
  • Action taken by the firewall;
  • Source country;
  • Destination country;
  • Application discovered; and
  • Translated IP addresses.

Using correlation rules, we can extract these important details automatically into a report or chart that helps us visualize activity from many sources. The process of creating events consists of finding patterns in raw data, mapping it to known expressions, and assigning unique categories and identifiers. If the SIEM encounters an unknown log source or data type, we can use the editor to define an event and assign variables such as name, severity and facility.
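The normalization step itself, as an added example that is not the post's code and not a real DSM editor mapping: a constructed log in the same key=value form as the firewall line above is split into fields, mapped onto a hypothetical normalized schema, and given a timezone-unambiguous timestamp plus the syslog facility and severity decoded from the priority tag.

```python
import re
import shlex
from datetime import datetime, timezone

# Constructed sample in the FortiGate-style key=value form quoted above (documentation addresses).
RAW_LOG = (
    '<5>logver=54 dtime=1536072238 devid=FG74E83E17000037 devname=firewall-fort '
    'date=2018-09-04 time=14:43:58 type=traffic subtype=forward level=notice '
    'srcip=10.10.10.200 srcport=44000 srcintf="DMZ" dstip=172.217.15.206 dstport=443 '
    'dstintf="External" action=close policyid=55 dstcountry="United States" '
    'srccountry="United States" trandisp=snat transip=203.0.113.10 transport=44000 '
    'service="tcp_1-65535" duration=11 sentbyte=1699 rcvdbyte=6002 appcat="unscanned"'
)

# Vendor field -> normalized field. Hypothetical schema, not a vendor's or QRadar's mapping.
FIELD_MAP = {
    "devname": "hostname", "srcip": "src_ip", "dstip": "dst_ip",
    "srcport": "src_port", "dstport": "dst_port", "action": "action",
    "srccountry": "src_country", "dstcountry": "dst_country",
    "appcat": "application", "transip": "nat_src_ip", "transport": "nat_src_port",
    "sentbyte": "bytes_sent", "rcvdbyte": "bytes_received",
}
INT_FIELDS = {"src_port", "dst_port", "nat_src_port", "bytes_sent", "bytes_received"}

def parse_kv(raw):
    """Split off the syslog priority, then the body into key=value pairs.
    shlex keeps quoted values such as "United States" intact and strips the quotes."""
    m = re.match(r"^<(\d+)>(.*)$", raw)
    pri = int(m.group(1)) if m else None
    body = m.group(2) if m else raw
    fields = {}
    for token in shlex.split(body):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return pri, fields

def normalize(raw):
    """Turn one raw line into the homogeneous event a SIEM indexes and correlates on."""
    pri, fields = parse_kv(raw)
    event = {norm: fields[vendor] for vendor, norm in FIELD_MAP.items() if vendor in fields}
    for key in INT_FIELDS.intersection(event):
        event[key] = int(event[key])
    # Prefer the epoch dtime (no timezone ambiguity) over the device-local date/time text.
    if "dtime" in fields:
        event["timestamp"] = datetime.fromtimestamp(int(fields["dtime"]), tz=timezone.utc).isoformat()
    if pri is not None:  # syslog PRI = facility * 8 + severity
        event["facility"], event["severity"] = pri >> 3, pri & 7
    return event
```

Fields the schema does not know (vd, logver, policyid) are simply left out of the normalized event, which is exactly where an editor mapping for an unknown log source would be extended.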

Get the Most Out of Your SIEM Deployment

Good normalization practices are essential to maximizing the value of your SIEM. Tools such as DSM editors make it fast and easy for security administrators to define, test, organize and reuse events, thereby ensuring maximum visibility into everything that takes place on the enterprise's computing fabric. Normalization turns streams of machine data into something humans can use.

The post SIEM Event Normalization Makes Raw Data Relevant to Both Humans and Machines appeared first on Security Intelligence.

Author: Moises Monge

Advanced Persistent Threat (APT), Advanced Threats, Authentication, Behavioral Analytics, CISO, Cost of a Data Breach, Data Breach, Incident Response, Incident Response (IR), Multifactor Authentication (MFA), Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), Security Solutions, Threat Intelligence,

Close the Gap on Advanced Threats With Integrated Security

The board of directors is finally starting to grasp that security risk equals business risk. But as you finalize your presentation on the company’s cybersecurity posture, you can’t help but second-guess yourself. You know the CEO, CFO and other senior leaders want to hear that the security team has an effective strategy for handling advanced threats, but the truth is that your analysts are drowning in data with little meaningful insight into risks.

Based on your knowledge of the rapidly expanding threat landscape, you know the company is vulnerable to a data breach it can’t afford. The problem is that you can’t demonstrate this risk without adequate visibility into the organization’s sensitive data and the vulnerabilities threat actors might exploit to steal it. What’s worse, your security operations center (SOC) is spread thin across the widening cyber skills gap, and alerts are piling up as analysts slog through manual processes. How can chief information security officers (CISOs) free up their SOC teams to investigate the most pressing alerts and minimize risks before they evolve into costly incidents?


Why Threats Are Outpacing the SOC

While the security profession is finally gaining the respect and attention it deserves, understaffed SOCs are struggling to triage enormous volumes of security event data. And the problem is only getting worse; Cybersecurity Ventures predicted that the industry will have 3.5 million unfilled cybersecurity positions by 2021.

Despite the increased spend, many organizations are failing to see results from their security investments. Some organizations have 85 distinct security solutions from 45 unique vendors, but little confidence in their capacity to detect threats. No matter the size of your security arsenal, these standalone tools cannot adequately protect enterprise networks from today’s advanced threats in isolation.

Coupled with the skills crisis, the SOC is grappling with the increasing complexity of the threat landscape. Costly, difficult-to-detect insider attacks have increased by 46 percent since 2014. Meanwhile, 62 percent of security experts believe threat actors will weaponize artificial intelligence (AI) to launch targeted attacks at scale in the next year, according to a Cylance survey.

A New Approach to Detect and Stop Advanced Threats

Despite record-breaking spend on security solutions, the SOC is losing ground for more reasons than the skills shortage and evolving threats. Technology is a barrier for many enterprises in which the security organization lacks a comprehensive view of the risk landscape. Disconnected systems, the IT skills gap and a lack of automation have made it very difficult for these organizations to distinguish advanced threats from false positives.

The cost of failing to adopt a new approach to threat detection and remediation is higher than ever. According to the “2018 Cost of a Data Breach Study,” sponsored by IBM Security and conducted by the Ponemon Institute, a mega breach of 50 million or more records can cost as much as $350 million. Targeted, malicious attacks and botnets are among the most expensive types of security incident.

“With a variety of threat vectors to contend with, companies must proactively implement policies and technologies that mitigate the risk of facing a costly breach,” said Larry Ponemon, chairman and founder of Ponemon Institute.

By creating an integrated security ecosystem of solutions, policies and people, organizations can more efficiently and effectively detect advanced threats. AI, machine learning and automation can improve the accuracy and speed of threat investigations, while solutions to orchestrate systems, processes and users minimize the impact of incidents.

5 Use Cases for Advanced Threat Detection and Prevention

How’s this for a use case: With an intelligent security ecosystem, Wimbledon achieved 60 times greater efficiency in threat investigations over manual processes. IBM solutions helped the oldest brand in tennis investigate five times more incidents during the annual tournament, with zero security impact to operations.

Use cases for operations strategy, managed incident response, SOC automation, behavioral analytics and user authentication demonstrate how IBM Security solutions offer a complete spectrum of protection against sophisticated threats.

1. Operational Strategy

A recent survey of Black Hat 2018 attendees revealed that sophisticated, targeted attacks are the top concern for 47 percent of security professionals. Other frequently cited challenges facing the enterprise include social engineering, insider threats and cloud risks. When an enterprise is facing these known risks and lacks confidence in existing technologies, it’s critical to strengthen operations proactively.

Partnering with security operations and consulting services can enable the enterprise to design and build a comprehensive response with a cognitive SOC, SOC training and security information and event management (SIEM) optimization.

2. Incident Response

According to Marsh & McLennan, 14 percent of organizations are “not at all confident” or unsure if they are adequately prepared to respond to or recover from a cyber incident. As vulnerabilities and risks evolve, organizations need a culture of continuous improvement to weather the coming storm of advanced threats.

Developing relationships with industry detection and response experts can provide organizations with decades of threat intelligence experience. Managed SIEM services can offer cognitive intelligence for cybersecurity and comprehensive, compliant infrastructure.

3. SOC Automation

Enterprise SOCs encounter 200,000 unique security events each day on average. A cognitive SOC with automation, machine learning, AI and orchestration solutions eases the burden on analysts and improves effectiveness. Incident response automation can reduce the total cost of a data breach by $1.55 million. Meanwhile, intelligent SIEM solutions deliver cognitive security analytics and automation with contextual intelligence to identify significant risks.

4. Visibility Into Anomalies

According to Fidelis Security, 83 percent of SOCs triage less than half of the alerts received each day. This may be due in part to too much time spent chasing false alerts; manual research processes can yield false positive rates of 70 percent or higher.

Organizations can identify user risks and suspicious behavior by investing in behavioral analytics that provide at-a-glance visibility into anomalies.

5. User Authentication

As the enterprise pursues digital transformation, a smarter approach to identity is the new perimeter. While just 67 percent of respondents are currently comfortable using biometrics and other advanced forms of authentication, according to “The Future of Identity,” 87 percent believe they’ll be comfortable in the future.

With cloud-based multifactor authentication, organizations can simplify and scale a checkbox approach to authentication policies across web and mobile applications, including risk-based approaches to user access and biometric authentication methods.

Closing the Gap on Enterprise Threats

Enterprises are spending more than ever on security solutions. However, industry surveys and breach rates show that standalone tools aren’t providing meaningful protection against sophisticated threats.

As the threat landscape continues to evolve, organizations need an integrated ecosystem of solutions that provide visibility into internal and external risks. By continuously aligning systems, policies and people, security teams can improve the accuracy and speed of threat investigations and minimize the risks of advanced threats at each stage of the attack chain.


The post Close the Gap on Advanced Threats With Integrated Security appeared first on Security Intelligence.

Author: Rob Patey