Browsing category

Security Operations Center (SOC)

Access Management, Identity and Access Management (IAM), Incident Response (IR), Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), Security Solutions, Threat Detection,

Bring Order to Chaos By Building SIEM Use Cases, Standards, Baselining and Naming Conventions

Security operations centers (SOCs) are struggling to create automated detection and response capabilities. While custom security information and event management (SIEM) use cases can allow businesses to improve automation, creating use cases requires clear business logic. Many security organizations lack efficient, accurate methods to distinguish between authorized and unauthorized activity patterns across components of the enterprise network.

Even the most intelligent SIEM can fail to deliver value when it’s not optimized for use cases, or if rules are created according to incorrect parameters. Creating a framework that can accurately detect suspicious activity requires baselines, naming conventions and effective policies.

Defining Parameters for SIEM Use Cases Is a Barrier to SOC Success

Over the past few years, I’ve consulted with many enterprise SOCs to improve threat detection and incident response capabilities. Regardless of SOC maturity, most organizations struggle to accurately define the difference between authorized and suspicious patterns of activity, including users, admins, access patterns and scripts. Countless SOC leaders are stumped when they’re asked to define authorized patterns of activity for mission-critical systems.

SIEM rules can be used to automate detection and response capabilities for common threats such as distributed denial-of-service (DDoS), authentication failures and malware. However, these rules must be built on clear business logic for accurate detection and response capabilities. Baseline business logic is necessary to accurately define risky behavior in SIEM use cases.

Building a Baseline for Cyber Hygiene

Cyber hygiene is defined as the consistent execution of activities necessary to protect the integrity and security of enterprise networks, including users, data assets and endpoints. A hygiene framework should offer clear parameters for threat response and acceptable use based on policies for user governance, network access and admin activities. Without an understanding of what defines typical, secure operations, it’s impossible to create an effective strategy for security maintenance.

A comprehensive framework for cybersecurity hygiene can simplify security operations and create guidelines for SIEM use cases. However, capturing an effective baseline for systems can strengthen security frameworks and create order in chaos. To empower better hygiene and threat detection capabilities based on business logic, established standards such as a naming convention can create clear parameters.

VLAN Network Categories

For the purpose of simplified illustration, imagine that your virtual local area networks (VLANs) are categorized among five criticality groups — named A, B, C, D and E — with the mission-critical VLAN falling into the A category (_A).

A policy may be created to dictate that A-category VLAN systems can communicate directly with any other category without compromising data security. However, communication with the A-category VLAN from B, C, D or E networks is not allowed. Authentication to a jump host can accommodate authorized exceptions to this standard, such as when E-category users need access to an A-category server.

Creating a naming convention and policy for VLAN network categories can help you develop simple SIEM use cases to prevent unauthorized access to A resources and automatically detect suspicious access attempts.

Directory Services and Shared Resources

You can also use naming convention frameworks to create a policy for managing groups of user accounts according to access level in directory services, such as Lightweight Directory Access Protocol (LDAP) or Active Directory (AD). A standardized naming convention for directory services provides a clear framework for acceptable user access to shared folders and resources. AD users categorized within the D category may not have access to A-category folders or _A.

Creating effective SIEM rules based on these use cases is a bit more complex than VLAN business logic since it involves two distinct technologies and potentially complex policies for resource access. However, creating standards that connect user access to resources establishes clear parameters for strict, contextual monitoring. Directory users with A-category access may require stricter change monitoring due to the potential for abuse of admin capabilities. You can create SIEM use cases to detect other configuration mistakes, such as a C-category user who is suddenly escalated to A-category.

Username Creation

Many businesses are already applying some logic to standardize username creation for employees. A policy may dictate that users create a seven-character alias that involves three last-name characters, two first-name characters and two digits. Someone named Janet Doe could have the username DoeJa01, for example. Even relatively simple username conventions can support SIEM use cases for detecting suspicious behavior. When eight or more characters are entered into a username field, an event could be triggered to lock the account until a new password is created.

The potential SIEM use cases increase with more complex approaches to username creation, such as 12-character usernames that combine last- and first-name characters with the employee’s unique HR-issued identification. A user named Jonathan Doerty, for instance, could receive an automatically generated username of doertjo_4682. Complex usernames can create friction for legitimate end users, but some minor friction can be justified if it provides greater safeguards for privileged users and critical systems.

An external threat actor may be able to extrapolate simple usernames from social engineering activities, but they’re unlikely to guess an employee’s internal identification number. SIEM rules can quickly detect suspicious access attempts based on username field entries that lack the required username components. Requiring unique identification numbers from HR systems can also significantly lower the risk of admins creating fake user credentials to conceal malicious activity.

Unauthorized Code and Script Locations

Advanced persistent threats can evade detection by creating backdoor access to deploy a carefully disguised malicious code. Standard naming conventions provide a cost-effective way to create logic to detects malware risks. A simple model for script names could leverage several data components, such as department name, script name and script author, resulting in authorized names like HR_WellnessLogins_DoexxJo. Creating SIEM parameters for acceptable script names can automate the detection of malware.

Creating baseline standards for script locations such as /var/opt/scripts and C:Program Files can improve investigation capabilities when code is detected that doesn’t comply with the naming convention or storage parameters. Even the most sophisticated threat actors are unlikely to perform reconnaissance on enterprise naming convention baselines before creating a backdoor and hiding a script. SIEM rules can trigger a response from the moment a suspiciously named script begins to run or a code file is moved into an unauthorized storage location.

Scaling Security Response With Standards

Meaningful threats to enterprise data security often fly under the radar of even the most sophisticated threat detection solutions when there’s no baseline to define acceptable activity. SOC analysts have more technological capabilities than ever, but many are struggling to optimize detection and response with effective SIEM use cases.

Clear, scalable systems to define policies for acceptable activity create order in chaos. The smartest approach to creating effective SIEM use cases relies on standards, a strong naming convention and sound policy. It’s impossible to accurately understand risks without a clear framework for authorized activities. Standards, baselines and naming conventions can remove barriers to effective threat detection and response.

The post Bring Order to Chaos By Building SIEM Use Cases, Standards, Baselining and Naming Conventions appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Ludek Subrt

CISO, Incident Response, Incident Response (IR), Incident Response Plan, Security Intelligence, Security Intelligence & Analytics, Security Operations Center (SOC), Security Professionals, Skills Gap, Threat Intelligence, Threat Sharing,

Need a Sounding Board for Your Incident Response Plan? Join a Security Community

Incident response teams face myriad uphill battles, such as the cybersecurity skills shortage, floods of security alerts and increasing IT complexity, to name just a few. These challenges often overwhelm security teams and leave security operations center (SOC) directors searching for strategies to maximize the productivity of their current team and technologies to build a capable incident response plan.

One emerging solution is a familiar one: an ecosystem of developer and expert communities. Collaborative online forums have always been a critical part of the cybersecurity industry, and communities dedicated to incident response are growing more robust than ever.

How to Get Involved in a Developer Community

Incident response communities can be a crucial resource to give security analysts access to hands-on, battle-tested experience. They can deliver highly valuable, lightweight, easy-to-use integrations that can be deployed quickly. Community-driven security can also provide playbooks, standard operating procedures (SOPs), best practices and troubleshooting tips. Most importantly, they can help foster innovation by serving as a sounding board for your team’s ideas and introduce you to new strategies and techniques.

That all sounds great, but how do you know what community can best address your incident response needs? Where do you begin? Below are a few steps to help you get started.

1. Find the Communities That Are Most Relevant to You

To combat new threats that are being coordinated in real time, more and more vendors and services are fostering their own communities. Identify which ones are most relevant to your industry and business goals.

To start, narrow down your search based on the security products you use every day. In all likelihood, you’ll find users in these product-based communities who have faced similar challenges or have run into the same issues as your team.

Once you’ve selected the most relevant communities, make sure you sign up for constant updates. Join discussion forums, opt in to regular updates, and check back frequently for new blogs and other content. By keeping close tabs on these conversations, you can continuously review whether the communities you’ve joined are still relevant and valuable to your business.

2. Identify Existing Gaps in Your Security Processes

Communities are disparate and wide-ranging. Establishing your needs first will save you time and make communities more valuable to you. By identifying what type of intelligence you need to enhance your security strategy and incident response plan ahead of time, you can be confident that you’re joining the right channels and interacting with like-minded users.

Discussion forums are full of valuable information from other users who have probably had to patch up many of the same security gaps that affect your business. These forums also provide a window into the wider purpose of the community; aligning your identified gaps with this mission will help you maximize the value of your interactions.

3. Contribute to the Conversation

By taking part in these conversations, you can uncover unexpected benefits and give your team a sounding board among other users. As a security practitioner, it should be a priority to contribute direct and honest information to the community and perpetuate an industrywide culture of information sharing. Real-time, responsive feedback is a great tool to help you build a better security strategy and align a response plan to the current threat landscape.

Contributing to a community can take various forms. Community-based forums and Slack channels give developers a voice across the organization. By leveraging this mode of communication, you can bring important intelligence to the surface that might otherwise go under the radar. Forum discussions can also expose you to new perspectives from a diverse range of sources.

A Successful Incident Response Plan Starts With Collaboration

For its part, IBM Security gathers insights from experienced users across all its products in the IBM Security Community portal. Through this initiative, IBM has expanded its global network to connect like-minded people in cybersecurity. This collaborative network allows us to adapt to new developments as rapidly as threats evolve.

Collaboration has always been cybercriminals’ greatest weapon. It creates massive challenges for the cybersecurity industry and requires us to fight back with a united front of our own. With the support of an entire security community behind you, incident response tasks won’t seem so overwhelming and your resource-strapped SOC will have all the threat data it needs to protect your business.

The post Need a Sounding Board for Your Incident Response Plan? Join a Security Community appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Ted Julian

Artificial Intelligence (AI), Automation, Cognitive Security, Data Protection, Incident Response (IR), Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), threat hunting, Threat Intelligence,

Maturing Your Security Operations Center With the Art and Science of Threat Hunting

Your organization has fallen prey to an advanced persistent threat (APT) after being targeted by a state-sponsored crime collective. Six million records were lost over 18 months of undetected presence on your network. While your security operations center (SOC) is fully staffed with analysts, your threat hunting capabilities failed to detect the subtle signs of threat actors moving laterally through your network and slowly exfiltrating customer data.

How did this happen?

It all started with a highly targeted spear phishing attack on your director of communications. He failed to notice the carefully disguised symbols in an email he thought was sent by the IT department and logged in to a spoofed domain. This credential theft resulted in the spread of zero-day malware and slowly escalated account privileges. While some of the criminals’ behavior triggered alerts in the SOC, your analysts categorized the incidents as benign positives. Your organization is now facing a multimillion-dollar cleanup and a serious loss of customer trust.

Why you need to master threat hunting

Why You Should Hunt Advanced Threats Before They Strike

Situations like the one described above are all too common in our industry. The majority of successful exploits attributed to human error fit a small series of predictable patterns that exploit known vulnerabilities in an organization’s network. As a result, many data breaches can be prevented with effective cyber hygiene tactics.

Advanced threats are a smaller proportion of incidents, but they are typically undetected and cause the most damage. In addition, the rise in state-sponsored crime and criminal activity on the dark web has created an ecosystem that fosters open exchange between the world’s most sophisticated and skilled criminals.

The cost of a serious breach is also trending upward. According to Ponemon, the average cost of a megabreach that results in the loss of more than 1 million customer records is $40 million. And more than 60 percent of data breaches have links to either state actors or advanced, organized crime groups, according to Verizon. APTs that evade detection can result in dwell times that range from three to 24 months, further increasing the total cleanup cost for a data breach.

How can security teams fight these kinds of threats? The majority of enterprise SOCs are now at least three years old, according to a recent study from Exabeam, and are increasing in maturity. While human analysts and manual research methodologies can act as a firewall against many risks, there’s a need to scale SOC intelligence and threat hunting capabilities to safeguard against APTs.

What Is Threat Hunting?

Threat hunting can be defined as “the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain.” The practice uses techniques from art, science and military intelligence, with internal and external data sources informing the science of statistical and cognitive analysis. Human intelligence analyzes the results and informs the art of a response. Last year, 91 percent of security leaders reported improved response speed and accuracy as a result of threat detection and investigation, according to the SANS Institute.

Threat hunting is not defined by solutions, although tools and techniques can significantly improve efficiency and outcomes. Instead, it’s defined by a widely accepted framework from Sqrrl. These are the four stages of Sqrrl’s Threat Hunting Loop:

  1. Create a hypothesis.
  2. Investigate via tools and techniques.
  3. Discover new patterns and adversary tactics, techniques and procedures (TTPs).
  4. Inform and enrich automated analytics for the next hunt.

The goal for any security team should be to complete this loop as efficiently as possible. The quicker you can do so, the quicker you can automate new processes that will help find the next threat.

The 4 Characteristics of a Comprehensive Threat Hunting Capability

A mature threat hunting capability is closely associated with SOC maturity. The least mature SOCs have human analysts who act as a firewall. As SOCs approach maturity and adopt security information and event management (SIEM) tools, their capacity to reactively investigate indicators of compromise (IoCs) increases. The most mature SOCs take a proactive approach to investigating IoCs, with researchers, analysts, solutions and a clearly defined methodology to orchestrate both investigation and response. A comprehensive capacity for hunting threats is defined by four key characteristics:

  1. Data handling: The ability to handle a deluge of data across siloed networks, including insight into internal risks, advanced activities from external threat actors and real-time threat intelligence from third-party sources.
  2. Data analysis: The ability to correlate a high volume and velocity of disparate data sources into information and, ultimately, intelligence.
  3. Informed action: Resources to increase threat hunters’ skills and easily feed threat intelligence through training, policy and cognitive capabilities.
  4. Orchestrated action: Defined processes and methodologies to hunt threats in a repeatable and orchestrated way that informs proactive security capabilities throughout the organization.

Organizations that fail to increase SOC maturity and adopt the solutions and processes for hunting threats face a number of risks. Relying on manual research methodologies can lead to costly data breaches and permanent brand damage when APTs evade detection. A lack of solutions and methods for an orchestrated IoC investigation process means less efficient and accurate operations. The absence of SOC orchestration encourages heavily manual processes.

The Diverse Business Benefits of Hunting Threats

Using cognitive intelligence tools to enhance SOC capabilities, Sogeti Luxembourg successfully reduced the average time of root cause determination and threat investigation from three hours to three minutes. In the process, the financial institution sped up their threat investigation process by 50 percent and saw a tenfold increase in actionable threat indicators.

Hunting threats can offer a number of benefits to both the business and the security operations center. The outcomes include greater protection of reputation, a more intelligent SOC and orchestrated security response.

Reputation Protection

Falling prey to an APT can cause lasting damage to a brand. One core benefit of implementing a more sophisticated threat hunting capability is the potential to guard against the most costly data breaches, which typically result in millions of lost records or permanent data deletion.

SOC Maturity

SOC analyst stress and falsely assigned benign positives are at record highs. APTs can easily go unnoticed due to the sheer volume of noise, which creates a culture of alert fatigue.

Achieving mature threat detection capabilities can change how analysts work and allow organizations to implement a cognitive SOC. Security analytics platforms enhance human intelligence and reduce manual research, and correlation tools provide real-time insight from a variety of structured and unstructured third-party data sources.

Orchestrated Security Response

With the technological capabilities to outthink adversaries, organizations can inform a proactive, unified approach to incident response (IR) that begins in the SOC. Internal and external data sources augment the intelligence of human analysts, allowing real-time, informed decision-making. Investigations and response can inform action as soon as anomalous behaviors or patterns are detected. The result is a defined process that allows your organization to mitigate threats earlier in the Cyber Kill Chain.

Intelligent Response to Sophisticated Threats

The majority of threats your organization faces each day will fit predictable patterns. While APTs make up a statistically small percentage of incidents investigated by an SOC, sophisticated threat actors use unique tactics and techniques to evade detection in a noisy SOC. These threats are the most likely to evade detection and result in highly expensive cybercrime.

State-sponsored criminal activity and attacks launched by sophisticated crime collectives are increasing. To guard against these increasingly complex threat vectors, organizations need to proactively prepare their defenses. Implementing cognitive tools in the SOC can enable organizations to adopt proactive threat hunting capabilities that leverage both art and science. By combining repeatable processes for threat investigation with intelligent solutions and skilled analysts, organizations can respond to threats earlier in the kill chain and protect their most critical assets.

Read the e-book: Master threat hunting

The post Maturing Your Security Operations Center With the Art and Science of Threat Hunting appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Rob Patey

Artificial intelligence, Chief Information Security Officer (CISO), CISO, Incident Forensics, Incident Management, Incident Response, Incident Response (IR), orchestration, Security Intelligence & Analytics, Security Leaders, Security Operations and Response, Security Operations Center (SOC), Security Professionals, Skills Gap,

Maximize Your Security Operations Center Efficiency With Incident Response Orchestration

It’s 5:48 a.m. — only 48 minutes into your 12-hour shift in the security operations center (SOC), and you’ve already investigated three threats. You were prepared for a long shift, but since an analyst on the night crew just quit, now you’re covering her shift, too. How is anyone supposed to stay vigilant in the thick of a monotonous 24-hour slog in the SOC?

When you first started, you tried talking to your boss about how incident response orchestration software and other tools might work more efficiently. Today, you’re just trying to survive. It’s hard to not feel completely numb when you’re buried in hundreds of alerts you can’t possibly review.

When the tools in the SOC don’t integrate seamlessly into a unified security immune system of solutions, analysts can’t make the most of their time. Given the widening cybersecurity skills gap, the rising cost of a data breach and the blinding speed at which alerts pile up in security information and event management (SIEM) logs, security leaders must empower their analysts to maximize their efficiency.

The first step is to give them the tools they need to accurate prioritize all those alerts — but what does intelligent incident response look like in practice, and how can orchestration and automation help tranform a reactive response system into a proactive security powerhouse? Let’s zoom in on what’s holding SOCs back and how an integrated ecosystem of tools can help analysts overcome these challenges before, during and after an attack.

Learn to orchestrate incident response

Reactive, Manual Processes in the Understaffed SOC

The average security analyst investigates 20–25 incidents each day. It takes the average analyst 13–18 minutes to compare indicators of compromise (IoC) to logs, threat intelligence feeds and external intelligence, and manual research can yield false positive rates of 70 percent or higher.

To make matters worse, as security analysts struggle against an increased volume of complex alerts, the SOC is facing a talent crisis: Sixty-six percent of cybersecurity professionals believe there are too few qualified analysts to handle alert volume in the SOC.

According to the Ponemon Institute’s “2018 Cost of a Data Breach Study,” the average cost of a breach globally is $3.86 million, a 6.4 percent increase from 2017. As threat actors become more effective at evading and targeting the enterprise, the majority of analysts can’t keep up. Twenty-seven percent of SOCs receive more than 1 million alerts each day, and the most common response to alert fatigue is to modify policies for fewer alerts.

Orchestration and automation can free overwhelmed analysts in the SOC and significantly improve cyber resiliency throughout the enterprise. In act, research has shown that SOC orchestration can triple incident response volume and reduce time to response significantly.

“While data breach costs have been rising steadily, we see positive signs of cost savings through the use of newer technologies as well as proper planning for incident response, which can significantly reduce these costs,” said Dr. Larry Ponemon.

Automation reduces the average cost of a data breach by $1.55 million. To build a cyber resilient enterprise, security leaders need intelligent solutions for orchestration, automation, machine learning and artificial intelligence (AI).

What Are the Attributes of Intelligent Incident Response?

Enterprises can save an average of $1 million by containing a data breach in under 30 days, according to the Ponemon study. However, the average time to containment is 69 days. Security leaders should consider the risks of failing to adopt solutions to for intelligent and proactive response, including costlier data breaches caused by reactive response and longer containment times.

The SOC is facing a higher volume of more sophisticated threats, and there is a massive shortage of cybersecurity talent to boot. The right approach to intelligent response, therefore, encompasses solutions for the following:

  1. Orchestration and automation — An integrated, streamlined ecosystem can enable organizations to create dynamic incident response (IR) plans and automate remediation.
  2. Human and artificial intelligence — Operationalize human intelligence, leverage advanced threat intelligence and collaborate with experts.
  3. Case management — Establish systems for continual IR plan improvement while developing a clear understanding of internal workloads and skills.

Let’s take a closer look at how intelligence incident response orchestration works in practice and how it can help security leaders free up their overworked analysts for more pressing tasks.

3 Use Cases for Intelligent Incident Response Orchestration

A comprehensive ecosystem of security solutions can enable the enterprise to prepare for sophisticated cyberthreats, respond proactively to risks and apply lessons learned to create future safeguards. Intelligent orchestration creates efficiency and accuracy before an attack, during an incident and after remediation.

1. Before an Attack

Half of respondents to a recent survey believe it’s somewhat or highly likely that their organization will have to respond to a major incident in the next year, while 9 percent have “no doubt.” The right time to address SOC challenges, such as the increased volume of highly targeted threats and too many single-purpose solutions, is before an attack occurs.

The first step to build a cyber resilient enterprise involves adopting an advanced incident response platform to create automated, intelligent workflows that encompass people, processes and technology. This solution can be enhanced with a security information and event management (SIEM) solution to deliver comprehensive incident analytics and visibility into emerging threats.

Enlisting security operations consultants can help organizations supplement their internal talent. Collaborating with external IR experts, meanwhile, can help companies implement effective training and strategic preparation.

2. During an Attack

Minutes count when the enterprise is facing a sophisticated, targeted threat. The incident response platform (IRP) can act as a centralized solution for comprehensive response remediation. When coupled with cognitive intelligence, organizations can rapidly investigate threats without overwhelming their SOC staff.

When a critical incident is detected, the SOC can call in on-demand IR experts for assistance managing and remediating the incident. The IRP generates a response playbook, which updates dynamically as threat intelligence solutions provide analysis of the incident and endpoint analytics solutions deliver details of on-site infection and automated reporting to the legal team.

Using solutions for threat intelligence, forensics and other solutions, IR analysts can research the tactics used by attackers to pinpoint the source of the incident. By following instructions from the playbook, SOC analysts can coordinate with IT on remediation actions, such as global password resets and segregation of privileged accounts.

3. After an Attack

There are few genuinely random cybersecurity attacks. In the last 18 months, 56 percent of organizations that fell victim to a significant attack were targeted again in the same period.

When an attack is fully remediated, security analysts can prepare efficient reporting on the incident using data from security intelligence solutions, forensic investigation tools and insights from the response researchers. This research can be presented directly to the executive leadership team to communicate the status of the incident, actions taken and lessons learned.

By collaborating with third-party response experts and security service consultants, the SOC team can work to refine formal incident response policies and enhance security controls. As SOC operations resume, analysts can improve readiness with a customized response drill training.

Why Incident Response Orchestration Matters

By protecting the enterprise with solutions to automate and orchestrate incident response, security leaders can introduce the benefit of cyber resiliency to the organization. According to Forrester, “Technology products that provide automated, coordinated, and policy-based action of security processes across multiple technologies, [make] security operations faster, less error-prone, and more efficient.” Adding the right solutions for orchestration, cognitive intelligence, and case management can ease the burden on the SOC while reducing cybersecurity risks.

Six steps to proactive and resilient incident response

The post Maximize Your Security Operations Center Efficiency With Incident Response Orchestration appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Dan Carlson

Advanced Persistent Threat (APT), Advanced Threats, Authentication, Behavioral Analytics, CISO, Cost of a Data Breach, Data Breach, Incident Response, Incident Response (IR), Multifactor Authentication (MFA), Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), Security Solutions, Threat Intelligence,

Close the Gap on Advanced Threats With Integrated Security

The board of directors is finally starting to grasp that security risk equals business risk. But as you finalize your presentation on the company’s cybersecurity posture, you can’t help but second-guess yourself. You know the CEO, CFO and other senior leaders want to hear that the security team has an effective strategy for handling advanced threats, but the truth is that your analysts are drowning in data with little meaningful insight into risks.

Based on your knowledge of the rapidly expanding threat landscape, you know the company is vulnerable to a data breach it can’t afford. The problem is that you can’t demonstrate this risk without adequate visibility into the organization’s sensitive data and the vulnerabilities threat actors might exploit to steal it. What’s worse, your security operations center (SOC) is spread thin across the widening cyber skills gap, and alerts are piling up as analysts slog through manual processes. How can chief information security officers (CISOs) free up their SOC teams to investigate the most pressing alerts and minimize risks before they evolve into costly incidents?

Detect and stop advanced persistent security threats

Why Threats Are Outpacing the SOC

While the security profession is finally gaining respect and attention it deserves, understaffed SOCs are struggling to triage enormous volumes of security event data. And the problem is only getting worse; Cybersecurity Ventures predicted that the industry will have 3.5 million unfilled cybersecurity positions by 2021.

Despite the increased spend, many organizations are failing to see results from their security investments. Some organizations have 85 distinct security solutions from 45 unique vendors, but little confidence in their capacity to detect threats. No matter the size of your security arsenal, these standalone tools cannot adequately protect enterprise networks from today’s advanced threats in isolation.

Coupled with the skills crisis, the SOC is grappling with the increasing complexity of the threat landscape. Costly, difficult-to-detect insider attacks have increased by 46 percent since 2014. Meanwhile, 62 percent of security experts believe threat actors will weaponize artificial intelligence (AI) to launch targeted attacks at scale in the next year, according to a Cylance survey.

A New Approach to Detect and Stop Advanced Threats

Despite record-breaking spend on security solutions, the SOC is losing ground for more reasons than the skills shortage and evolving threats. Technology is a barrier for many enterprises in which the security organization lacks a comprehensive view of the risk landscape. Disconnected systems, the IT skills gap and a lack of automation have made it very difficult for these organizations to distinguish advanced threats from false positives.

The cost of failing to adopt a new approach to threat detection and remediation is higher than ever. According to the “2018 Cost of a Data Breach Study,” sponsored by IBM Security and conducted by the Ponemon Institute, a mega breach of 50 million or more records can cost as much as $350 million. Targeted, malicious attacks and botnets are among the most expensive types of security incident.

“With a variety of threat vectors to contend with, companies must proactively implement policies and technologies that mitigate the risk of facing a costly breach,” said Larry Ponemon, chairman and founder of Ponemon Institute.

By creating an integrated security ecosystem of solutions, policies and people, organizations can more efficiently and effectively detect advanced threats. AI, machine learning and automation can improve the accuracy and speed of threat investigations, while solutions to orchestrate systems, processes and users minimize the impact of incidents.

5 Use Cases for Advanced Threat Detection and Prevention

How’s this for a use case: With an intelligent security ecosystem, Wimbledon achieved 60 times greater efficiency in threat investigations over manual processes. IBM solutions helped the oldest brand in tennis investigate five times more incidents during the annual tournament, with zero security impact to operations.

Use cases for operations strategy, managed incident response, SOC automation, behavioral analytics and user authentication demonstrate how IBM Security solutions offer a complete spectrum of protection against sophisticated threats.

1. Operational Strategy

A recent survey of Black Hat 2018 attendees revealed that sophisticated, targeted attacks are the top concern for 47 percent of security professionals. Other frequently cited challenges facing the enterprise include social engineering, insider threats and cloud risks. When an enterprise is facing these known risks and lacks confidence in existing technologies, it’s critical to strengthen operations proactively.

Partnering with security operations and consulting services can enable the enterprise to design and build a comprehensive response with a cognitive SOC, SOC training and security incident event management (SIEM) optimization.

2. Incident Response

According to Marsh & McLennan, 14 percent of organizations are “not at all confident” or unsure if they are adequately prepared to respond to or recover from a cyber incident. As vulnerabilities and risks evolve, organizations need a culture of continuous improvement to weather the coming storm of advanced threats.

Developing relationships with industry detection and response experts can provide organizations with decades of threat intelligence experience. Managed SIEM services can offer cognitive intelligence for cybersecurity and comprehensive, compliant infrastructure.

3. SOC Automation

Enterprise SOCs encounter 200,000 unique security events each day on average. A cognitive SOC with automation, machine learning, AI and orchestration solutions eases the burden on analysts and improves effectiveness. Incident response automation can reduce the total cost of a data breach by $1.55 million. Meanwhile, intelligent SIEM solutions deliver cognitive security analytics and automation with contextual intelligence to identify significant risks.

4. Visibility Into Anomalies

According to Fidelis Security, 83 percent of SOCs triage less than half of the alerts received each day. This may be due in part to too much time spent chasing false alerts; manual research processes can yield false positive rates of 70 percent or higher.

Organizations can identify user risks and suspicious behavior by investing in behavioral analytics that provide at-a-glance visibility into anomalies.

5. User Authentication

As the enterprise pursues digital transformation, a smarter approach to identity is the new perimeter. While just 67 percent of respondents are currently comfortable using biometrics and other advanced forms of authentication, according to “The Future of Identity,” 87 percent believe they’ll be comfortable in the future.

With cloud-based multifactor authentication, organizations can simplify and scale a checkbox approach to authentication policies across web and mobile applications, including risk-based approaches to user access and biometric authentication methods.

Closing the Gap on Enterprise Threats

Enterprises are spending more than ever on security solutions. However, industry surveys and breach rates show that standalone tools aren’t providing meaningful protection against sophisticated threats.

As the threat landscape continues to evolve, organizations need an integrated ecosystem of solutions that provide visibility into internal and external risks. By continuously aligning systems, policies and people, security teams can improve the accuracy and speed of threat investigations and minimize the risks of advanced threats at each stage of the attack chain.

Advanced threats: 3 steps to safety

The post Close the Gap on Advanced Threats With Integrated Security appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Rob Patey

Access Management, Artificial Intelligence (AI), Chief Information Officer (CIO), Chief Information Security Officer (CISO), CISO, Data Breaches, Data Protection, Data Security, database security, Hybrid Cloud, Incident Response (IR), Integrated Security, Network Security, Patch Management, Risk Assessment, Risk mitigation, Security Operations Center (SOC), Vulnerability Management,

Your Security Strategy Is Only as Strong as Your Cyber Hygiene

It’s an all-too familiar scenario: An email directive to apply a patch to a web server goes ignored, and no one follows up to be sure the patch has been applied. As a result of this simple lack of cyber hygiene, the organization falls prey to a widespread strain of malware.

The team that should have handled the update was probably busy and might not have been fully staffed. There may not have been enough budget to hire enough of the right kind of talent, or perhaps there were just too many factors to be checked and covered. None of that matters, though; the network was breached, and it was entirely preventable. Failure to cover the basics was the downfall, and it could lead to negative publicity and loss of business.

Learn more about enhancing security hygiene

Your Security Improvements Could Be Missing the Point

The average enterprise security team has more solutions in its arsenal than ever before. As reported by ZDNet, some companies have more than 70 unique security applications and tools in place. While chief information security officers (CISOs) and their teams  may be drowning in technology, the enterprise isn’t becoming more secure. In fact, the chances of facing a data breach have increased exponentially over the last several years, according to research from the Identity Theft Resource Center.

The truth is that the vast majority of data breaches can be prevented with basic actions, such as vulnerability assessments, patching and proper configurations. An Online Trust Alliance study estimated that 93 percent of reported incidents could have been avoided with basic cyber hygiene best practices, a figure that remains largely unchanged in the past decade. While advanced threats are growing in volume and sophistication, organizations are still getting breached due to poor key management, unpatched applications and misconfigured cloud databases.

CISOs aren’t blind to these trends. According to the “2018 Black Hat USA Attendee Survey,” 36 percent of leaders spend the majority of their time on any given day trying to accurately measure their organization’s security posture. Sixteen percent believe their organization’s greatest failure is “a lack of integration in security architecture” and “too many single-purpose solutions.” Security teams are drowning in alerts and grasping for solutions that streamline cyber hygiene activities.

What Does Cybersecurity Hygiene Entail?

Cyber hygiene refers to maintaining the security and health of an enterprise’s network, endpoints and applications through routine efforts to avoid vulnerabilities and other fundamental activities. It means perfecting the basics, including:

  • Deleting redundant user accounts;
  • Enforcing access and passwords with policy;
  • Backing up mission-critical data;
  • Securing physical and cloud databases;
  • Application whitelisting; and
  • Managing configurations.

When put into practice on an enterprise network, security hygiene is a continuous cycle of identifying vulnerabilities, mitigating risks and improving response capabilities. This begins with a vulnerability assessments of your network and data assets. After all, knowledge is the first step toward effective security hygiene.

Why Preventable Data Breaches Continue to Happen

Organizations that fail to perform basic security improvements face near-certain risks. Last year, IBM X-Force reported a twofold increase in injection attacks aimed at vulnerable applications and devices over the previous year. In total, injection attacks comprised 79 percent of all malicious network activity. An unpatched server or misconfigured cloud database can also lead to costly consequences. The loss of consumer trust could be more severe in the event that an organization is forced to admit it didn’t perform the basics.

The reason why organizations are struggling with cyber hygiene goes beyond human negligence. Networks are more complex than ever, and cyber hygiene requires the effective alignment of people, policies, processes and technology. Organizations fall prey to fully preventable attacks due to increased endpoints, cloud adoption, stolen credentials and the immense resources needed to address regulatory shifts.

“Security in a hyperconnected era presents a new set of challenges, but these can be greatly eased by implementing innovative practices and adopting a more integrated, holistic approach,” said Marc van Zadelhoff, former IBM Security General Manager, in a statement. “CISOs that prioritize these factors can help their organizations significantly improve business processes and achieve measurable success.”

Enterprise networks are complex, and fragmented security solutions for vulnerability assessment don’t reveal the full picture. Security operations centers (SOCs) are overwhelmed with alerts and relying on manual threat research. Performing basic security improvements is impossible without the right ecosystem to identify data risks.

5 Steps to Create an Effective Cyber Hygiene Practice

Hygiene is at the core of a security risk mitigation strategy. Security hygiene is a cultural mindset that spans security, IT, leadership and the individual. To adequately address basic risks, CISOs need full buy-in to continually review data management practices, improve response capabilities and enhance employee awareness. Let’s take a closer look at five steps organizations can take to create an effective cyber hygiene practice.

1. Identify Risks

Data is a modern organization’s most valuable asset. Solutions for security hygiene must comprehensively identify the location and sensitivity of business data, extending to risk assessment, remediation and vulnerability assessments of hybrid cloud environments.

Risk needs to translate into action, and CISOs should actively share knowledge of data security with other executives to improve privacy. Solutions for comprehensive, real-time vulnerability assessment can help in the development of a stronger approach to risk and compliance.

2. Prioritize Response

Security hygiene is a continuous effort to address risks in real time and prioritize the protection of the most sensitive data assets. Organizations must develop a response policy based on data sensitivity. Cognitive security solutions can help orchestrate efforts to remediate the highest-risk vulnerabilities and automate activities to enforce policy or regulatory requirements.

3. Improve Risk Awareness

CISOs, risk officers and business leaders should collaborate to improve incident response (IR) capabilities where hygiene is viewed as an imperative. Third-party expertise can increase risk awareness and orchestration capabilities and design thinking can help increase the use of cognitive technologies, artificial intelligence (AI) and risk management automation for streamlined security hygiene.

4. Secure Digital Transformation

Change is inevitable and constant in a contemporary enterprise network environment. Security hygiene involves a forward-thinking attitude that creates policies for secure deployment and management of new technologies. Change management efforts should incorporate discussions on how to actively secure Internet of Things (IoT) deployments and other emerging technologies.

5. Disseminate Responsibility

Leaders should create a culture that encourages compliant behaviors in employees. Silent security can safeguard data privacy across endpoints without sacrificing user productivity. A culture of shared responsibility helps mitigate the risks of shadow IT, especially when coupled with employee awareness initiatives.

Take Preventative Measures Against Meaningful Security Risks

The most crucial improvement to your organization’s security stance may not be acquiring new solutions; it could be a shift to a culture of cyber hygiene. CISOs must collaborate with other leadership to address one of today’s most significant business risks: failure to check off the basics effectively.

The majority of today’s security breaches are caused by inadvertent insider mistakes, such as unpatched systems, misconfigured cloud databases and incomplete risk assessments. Without full network visibility and regular utilization of cyber hygiene best practices, your enterprise could face very real, but entirely preventable, security risks.

Read the e-book: Enhance security hygiene

The post Your Security Strategy Is Only as Strong as Your Cyber Hygiene appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Kami Haynes

Cybersecurity Jobs, Cybersecurity Training, Data Classification, Data Management, Security Operations Center (SOC), Skills Gap, Threat Detection, threat hunting, Threat Intelligence, Threat Monitoring, Threat Prevention, Threat Protection,

More Than Just a Fad: Lessons Learned About Threat Hunting in 2018

The year has very nearly come and gone, and some fads that we saw throughout 2018 are going with it. Fidget spinners are collecting dust in cubicles, the mannequin challenge is something only seen in department stores, and the Nae Nae is becoming extinct on dance floors across the country.

It’s no different in the cybersecurity community; trending tools and buzzwords come and go as quickly as viral internet memes. However, one capability that it’s here to stay is threat hunting, a proactive approach to discovering and mitigating threats. The term and practice of threat hunting has actually been around for quite some time, but it is becoming more of a household concept throughout security operations centers (SOCs), governments and private sector companies around the world. This is largely due to studies around the benefits of the practice and real-world use cases that are rapidly emerging.

In the past year, we learned about the pros and cons of this approach, what it is, what it isn’t and everything in between. Let’s break down some of the lessons we learned about threat hunting in 2018.

Invest in Training and Methodology Before Technology

When a new security capability gains momentum in the industry, most companies’ first investment is in the tools to get them started. The same is true when it comes to investments in threat hunting, where an emphasis on methodology and tradecraft is paramount.

A key finding from the SANS 2018 threat hunting survey revealed that the No. 1 investment area for threat hunting is still technology, although respondents indicated that the lack of trained staff in numerous areas was an important reason why they did not perform threat hunting or why they did not perform it as effectively as they should. The tools are only as good as the trained professional. This is as true with threat hunters as it is with construction workers, and it should not be forgotten.

Training and hiring the right people is especially important since threat hunting requires individuals with a knowledge of intelligence analysis and an understanding of the technical aspects of the SOC. Currently, threat hunting falls within a skills gap, which means finding a trained threat hunter to use the tools that a company has invested in is like finding a unicorn.

Going into 2019, organizations that practice threat hunting should take a holistic look at their programs and, if it’s lacking, assess whether it’s the fancy tools or the lack of trained cyberthreat hunters that is the issue. Similarly, organizations that are new to the threat hunting game should evaluate the threat hunters they have or plan to hire before pulling the trigger on the latest tools.

Threat Hunting Is Only as Effective as Your Intelligence Framework

To launch an effective threat hunting program, you also need access to the right data. In terms of efficiency and accuracy, this should consist of internal data from the company mixed with external deep web, dark web, open source and third-party threat intelligence that provides context about threats manifesting through global cybercrime networks.

The SANS survey showed that a solid blend of internal, self-generated intelligence augmented with a combination of external data sources can reduce overall adversary dwell times across organizations’ networks. But it is more than just the access to the data itself; an organization could have access to all the data feeds in the world, but if it lacks the ability to provide context and formulate actionable hypotheses, then the data is next to useless.

In the counterterrorism community, we always said that intelligence drives operations. Yes, we needed access to the right data, but more importantly, we needed the ability to fuse all sources of data and develop actionable advice for operators. It’s the same with threat hunting: Data is key, but there needs to be a way to ingest, fuse and analyze data to formulate hypotheses about threats.

Threat Hunting Is Here to Stay in 2019

Going into 2019, the cybersecurity community will continue to learn about the world of threat hunting and how organizations can implement an effective threat hunting program. Just like the fads that will inevitably come and go in 2019, there will be new cybersecurity tools, methodologies and lessons in the new year. Due to the tangible benefits that organizations are seeing after implementing threat hunting programs, it’s apparent that the practice is not just another security fad.

As organizations train analysts on methodology before technology — and explore how to close the threat hunter skills gap, get access to the right data and generate actionable hypotheses to uncover threats — we will continue to learn how effective a threat hunting program can be when properly implemented.

Read the SANS 2018 threat hunting survey

The post More Than Just a Fad: Lessons Learned About Threat Hunting in 2018 appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Jake Munroe

Automation, Gartner Magic Quadrant, Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), Security Services, Security Solutions, Threat Detection, Threat Intelligence,

3 Security Business Benefits From a 2018 Gartner Magic Quadrant SIEM Leader

Last week Gartner published its 2018 Magic Quadrant for Security Information and Event Management (SIEM). As in past years, the report supports the steady evolution of SIEM technology and the growing demand from customers for simple SIEM functionality with an architecture built to scale that meets both current and future use cases.

So how do we interpret from Gartner what it means to be a SIEM leader in 2018? Based on a quick dissection, the main characteristics of a leading SIEM tool are centered around innovation in early threat detection, adaptation to customer environments and strong market presence.

Read the 2018 Gartner Magic Quadrant for SIEM

What Separates a SIEM Leader From the Rest of the Market?

The first element, early detection via analytics — more clearly stated as efficacy in threat detection and response — remains the centerpiece of any effective SIEM solution. Security analysts and security operations center (SOC) leaders today need to detect both known and unknown threats in real time. By applying analytics to a combination of threat intelligence, behavioral analytics and a wide variety of security monitoring data, organizations can improve both their time to detection and total alert volumes. While these two basic outcomes — reduced dwell time and fewer alerts — sound tactical, they can ultimately help security teams become less distracted and more effective at managing threats, which helps reduce business risks and liabilities and maintain a positive brand reputation.

IBM is a leader in the 2018 Gartner Magic Quadrant for SIEM

The second element of Gartner’s definition of a leader, rapid adaptation to customer environments, is becoming a core factor in how much return on investment (ROI) customers realize and how quickly they realize it. Ad hoc content, add-on applications and flexibility in upgrading the platform are all required to mature a SIEM system in an affordable way once it’s installed.

Also included in this element is the ability to scale the platform in terms of both network coverage and security capabilities. By using out-of-the-box content to automate and streamline more security workflows, organizations can better combat challenges related to the shortage of skills and headcount and better enable the business to adopt new technologies that can help increase its competitive position.

The third element of a leading SIEM is strong market presence and easy access to services. Growth rates around the world still vary based on local security maturity, regulations and specific geographic needs. Customers are looking for access to local resources to help meet their unique requirements and learn lessons from a local community that has already gone through SIEM deployment. It is not uncommon for customers to first select a SIEM platform and then find a local managed service provider or systems integrator for operational support or oversight. Support for this approach provides SIEM users with multiple options to help optimize operating expenses without cutting into expertise.

Take Your SIEM Deployment to the Next Level

IBM was named a SIEM leader in the 2018 Gartner Magic Quadrant report. The IBM QRadar platform has demonstrated continuous innovation that has expanded its value, from its origins in network behavior anomaly detection to real-time threat detection to more recent developments that help automate investigations and streamline orchestrated response processes.

Unique to QRadar is the simplified approach to provide a continuous evolution of use cases and deployment options via optimized content packs, easily downloadable apps from IBM Security App Exchange and flexible deployment options that support organizations regardless of where they are on their cloud journey.

Market presence also contributed to IBM’s leadership; a community of thousands of customers worldwide, a strong business partner network and a wealth of services options allows QRadar customers to easily find knowledgeable local resources that can help them maintain and scale their platform.

To learn more about Gartner’s full review of QRadar, SIEM market trends and vendor evaluation criteria, download your complimentary copy of the 2018 Gartner Magic Quadrant for SIEM. We also invite you to register forour upcoming webinar, “Stay Ahead of Threat Detection & Response with a Scalable SIEM Platform.” The webinar will take place Dec. 18 at 11 a.m. ET and will be available to watch on-demand thereafter.

Register for the webinar

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post 3 Security Business Benefits From a 2018 Gartner Magic Quadrant SIEM Leader appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: John Burnham

Automation, Gartner Magic Quadrant, Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), Security Services, Security Solutions, Threat Detection, Threat Intelligence,

3 Security Business Benefits From a 2018 Gartner Magic Quadrant SIEM Leader

Last week Gartner published its 2018 Magic Quadrant for Security Information and Event Management (SIEM). As in past years, the report supports the steady evolution of SIEM technology and the growing demand from customers for simple SIEM functionality with an architecture built to scale that meets both current and future use cases.

So how do we interpret from Gartner what it means to be a SIEM leader in 2018? Based on a quick dissection, the main characteristics of a leading SIEM tool are centered around innovation in early threat detection, adaptation to customer environments and strong market presence.

Read the 2018 Gartner Magic Quadrant for SIEM

What Separates a SIEM Leader From the Rest of the Market?

The first element, early detection via analytics — more clearly stated as efficacy in threat detection and response — remains the centerpiece of any effective SIEM solution. Security analysts and security operations center (SOC) leaders today need to detect both known and unknown threats in real time. By applying analytics to a combination of threat intelligence, behavioral analytics and a wide variety of security monitoring data, organizations can improve both their time to detection and total alert volumes. While these two basic outcomes — reduced dwell time and fewer alerts — sound tactical, they can ultimately help security teams become less distracted and more effective at managing threats, which helps reduce business risks and liabilities and maintain a positive brand reputation.

IBM is a leader in the 2018 Gartner Magic Quadrant for SIEM

The second element of Gartner’s definition of a leader, rapid adaptation to customer environments, is becoming a core factor in how much return on investment (ROI) customers realize and how quickly they realize it. Ad hoc content, add-on applications and flexibility in upgrading the platform are all required to mature a SIEM system in an affordable way once it’s installed.

Also included in this element is the ability to scale the platform in terms of both network coverage and security capabilities. By using out-of-the-box content to automate and streamline more security workflows, organizations can better combat challenges related to the shortage of skills and headcount and better enable the business to adopt new technologies that can help increase its competitive position.

The third element of a leading SIEM is strong market presence and easy access to services. Growth rates around the world still vary based on local security maturity, regulations and specific geographic needs. Customers are looking for access to local resources to help meet their unique requirements and learn lessons from a local community that has already gone through SIEM deployment. It is not uncommon for customers to first select a SIEM platform and then find a local managed service provider or systems integrator for operational support or oversight. Support for this approach provides SIEM users with multiple options to help optimize operating expenses without cutting into expertise.

Take Your SIEM Deployment to the Next Level

IBM was named a SIEM leader in the 2018 Gartner Magic Quadrant report. The IBM QRadar platform has demonstrated continuous innovation that has expanded its value, from its origins in network behavior anomaly detection to real-time threat detection to more recent developments that help automate investigations and streamline orchestrated response processes.

Unique to QRadar is the simplified approach to provide a continuous evolution of use cases and deployment options via optimized content packs, easily downloadable apps from IBM Security App Exchange and flexible deployment options that support organizations regardless of where they are on their cloud journey.

Market presence also contributed to IBM’s leadership; a community of thousands of customers worldwide, a strong business partner network and a wealth of services options allows QRadar customers to easily find knowledgeable local resources that can help them maintain and scale their platform.

To learn more about Gartner’s full review of QRadar, SIEM market trends and vendor evaluation criteria, download your complimentary copy of the 2018 Gartner Magic Quadrant for SIEM. We also invite you to register forour upcoming webinar, “Stay Ahead of Threat Detection & Response with a Scalable SIEM Platform.” The webinar will take place Dec. 18 at 11 a.m. ET and will be available to watch on-demand thereafter.

Register for the webinar

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post 3 Security Business Benefits From a 2018 Gartner Magic Quadrant SIEM Leader appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: John Burnham

Endpoint, Endpoint Management, Endpoint Protection, Endpoint Security, Endpoint Security Solutions, Network, patch, Patch Management, Security Intelligence & Analytics, Security Operations Center (SOC), Security Professionals, software vulnerability, Vulnerabilities, Vulnerability Management,

Think Your Network Is Safe? If You Don’t Have Visibility Into Hardware Vulnerabilities, Think Again

If you follow basic security best practices and quickly patch software issues as they arise, you may think your network is safe from cyberthreats. But think again.

Although the number of reported software vulnerabilities is growing year to year, it’s hardware vulnerabilities that can be even more difficult to fix and can cause extensive damage to enterprise networks. With attack surfaces growing and cybercriminal tactics becoming more dangerous and sophisticated by the minute, security teams can’t afford to neglect hardware flaws.

Security operations center (SOC) analysts need full visibility into Common Vulnerabilities and Exposures (CVE) and other sources of vulnerability data to effectively identify, manage and remediate hardware vulnerabilities. Let’s explore some steps you can take to achieve this visibility and plug security gaps before threat actors can exploit them to breach your network.

Assess Your Inventory to Gain Visibility Into Hardware Vulnerabilites

The first step is to understand your infrastructure. Collect key data on your hardware and software, such as central processing unit (CPU) vendor and model, firmware and basic input/output system (BIOS) version, motherboard vendor and model, and a list of connected devices. These attributes will help you understand the potential impact from a highly visible attack like Meltdown or Spectre and build a response plan accordingly.

If hardware is impacted, it may be very difficult to fix the problem. Often the only viable mitigation strategy is to apply a software patch. Hardware issues frequently occur at the chip level and sometimes require collaboration between hardware and software vendors. Therefore, you need a consolidated view into your hardware and software inventory to assess the exposure level of any hardware vulnerability and know which machines already have a software patch applied.

Identify Reliable Sources of Vulnerability Data

Once you know what hardware and software you have deployed, the next step is to correlate the inventory data with reliable sources of vulnerability data. Data normalization is a known challenge during this phase, and you may choose to either build your own solution or invest in a ready-made application programming interface (API) enriched with vulnerability information. But even with automation, manual work is often required to further enrich this vulnerability data with hardware attributes, assess the impact and prioritize the response accordingly.

Fulfill Your SOC Team’s Need for Speed

To mount a worthy fight against the growing number of cyberthreats amid a growing industrywide skills gap, SOC teams need a solution that addresses their need for speed. If you’re ready to step up to the challenge of hardware vulnerability management, it’s time to shift from a reactive to a proactive approach to endpoint security. Improved visibility into your hardware vulnerabilities is the key to taking that next step.

Make Security Analytics More Effective with Deep Insight into Endpoints

The post Think Your Network Is Safe? If You Don’t Have Visibility Into Hardware Vulnerabilities, Think Again appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Piotr Godowski