For media and analyst queries, please contact:
Harmala Singh-Francois, Phone: (443) 539-3773, hfrancois@prismmicrosys.com
EventSource April 2008 – The Weakest Link in Security
Featured Article
The Quick Win: Showing immediate value from Security Management
By Mike Rothman
Last month we spoke about the 5 W’s of security management, delving into what you are really trying to accomplish through a security management project. Far too many initiatives fail because there isn’t adequate focus on why, who, what, where, and when. Now that you’ve (presumably) gotten funding and are in the initial stages of implementation, we are going to focus on getting a quick win.
Why is a quick win important? For the simple reason that security management is hardly tangible, especially to those who write the checks. You (as the administrator) can talk until you are blue in the face about how the new platform makes you more efficient and effective. But since the security management platform is unlikely to directly result in your organization selling more product, or even spending less money, the executives just don’t want to hear about it.
Thus we need to provide substantial evidence – proof of an emerging attack that you headed off at the pass, or an investigation that was greatly accelerated with more comprehensive data – that the implementation helped you do something that wouldn’t have been possible without the security management platform.
First Watch…
The first step is to install the product and let it run. Yes, just let it run for a while to gather data, which will provide a baseline for all the analysis to come. This can be hard because most folks want to instantly start doing, but without a firm idea of what's going on, it's hard to make sure you are focusing on the right stuff.
To determine the “right stuff,” look at the data with a critical eye. A bunch of things will become apparent during the first few days or weeks of monitoring the logs and other security information. Make sure to ask a bunch of questions of the data. Has there been a breach? Are traffic flows and inbound attacks as you expected? We are looking for the surprises coming out of the data, which will then give us an idea of what could be a quick win.
I know that isn’t a lot of direction, but you’ll know an issue when you see it. Basically, you’ll be scratching your head and wondering how that could be happening. You’ll figure the data is just wrong. Maybe an employee is running an externally accessible web server on his/her desk. Or perhaps some of your employees are sending email directly from their devices (as opposed to through your email server). Or maybe you have 50 wireless access points you had no idea about.
It could be anything, and it will be surprising.
Then Act…
If some of the things you have been watching just seem too hard to believe, then you should investigate immediately. One of the quickest wins you can get is to identify compromised machines (that your AV product somehow missed) or rogue devices on the network. These can be the most dangerous of issues, so being able to detect and remove these unauthorized devices can provide a huge, tangible value almost immediately. This is the stuff I’ll call low-hanging fruit. You’ll pick it and you’ll eat well for a little while.
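The “watch, then act” steps above come down to two things: collect a baseline, then ask pointed questions of the new data. As an added illustration (this is not code from the original article or from EventTracker), the following Python script runs those questions over a handful of constructed firewall log lines in an invented key=value format. The addresses, the policy lists (which host is the mail relay, which hosts are approved web servers) and the log layout are all assumptions made for the example. It flags the three surprises the article mentions: internal hosts sending mail directly instead of through the relay, an internal host accepting inbound web connections that is not an approved web server, and internal hosts that never appeared during the baseline period.

```python
"""Baseline-then-detect over constructed firewall log lines.

Added example, not part of the original newsletter or of EventTracker.
The log format, addresses and policy lists below are invented for
illustration; substitute your own exports and asset lists.
"""
import re
from collections import Counter

# Constructed baseline period (assumption: a perimeter firewall logging
# both directions, where dir=out means internal -> Internet).
BASELINE_LOGS = """\
2008-04-01T09:00:01 allow dir=out src=10.1.0.20 dst=198.51.100.10 dport=25 proto=tcp
2008-04-01T09:00:05 allow dir=in  src=203.0.113.5 dst=10.1.0.30 dport=443 proto=tcp
2008-04-01T09:01:00 allow dir=out src=10.1.0.101 dst=203.0.113.9 dport=80 proto=tcp
2008-04-01T09:02:00 allow dir=out src=10.1.0.102 dst=203.0.113.9 dport=443 proto=tcp
""".splitlines()

# Constructed watch period, a week later, including one unparseable line.
WATCH_LOGS = """\
2008-04-08T10:00:01 allow dir=out src=10.1.0.20 dst=198.51.100.10 dport=25 proto=tcp
2008-04-08T10:00:02 allow dir=out src=10.1.0.101 dst=203.0.113.9 dport=80 proto=tcp
2008-04-08T10:00:09 allow dir=out src=10.1.0.102 dst=198.51.100.77 dport=25 proto=tcp
2008-04-08T10:00:10 allow dir=out src=10.1.0.102 dst=198.51.100.78 dport=25 proto=tcp
2008-04-08T10:00:11 allow dir=out src=10.1.0.102 dst=198.51.100.79 dport=25 proto=tcp
2008-04-08T10:01:00 allow dir=in  src=203.0.113.44 dst=10.1.0.150 dport=80 proto=tcp
2008-04-08T10:02:00 allow dir=out src=10.1.0.199 dst=203.0.113.9 dport=443 proto=tcp
garbage line that the parser must skip
""".splitlines()

# Assumed policy: the only host allowed to send mail to the Internet, and
# the only internal hosts allowed to accept inbound web connections.
MAIL_RELAYS = {"10.1.0.20"}
WEB_SERVERS = {"10.1.0.30"}
WEB_PORTS = {80, 443}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Return the key=value fields of one log line, or None if it lacks the fields we need."""
    fields = dict(FIELD_RE.findall(line))
    if {"dir", "src", "dst", "dport"} - fields.keys():
        return None
    fields["dport"] = int(fields["dport"])
    return fields


def internal_host(rec):
    """The internal side of a record: source for outbound, destination for inbound."""
    return rec["src"] if rec["dir"] == "out" else rec["dst"]


def internal_hosts(lines):
    """Set of internal addresses seen at all during a period (the baseline)."""
    return {internal_host(rec) for rec in filter(None, map(parse, lines))}


def detect(baseline_lines, watch_lines):
    """Compare the watch period against the baseline and return the surprises."""
    known = internal_hosts(baseline_lines)
    findings = {
        "direct-smtp": Counter(),        # host -> number of direct outbound SMTP connections
        "rogue-web-server": set(),       # internal hosts serving web traffic without approval
        "new-internal-host": set(),      # hosts never seen while the baseline was collected
    }
    for rec in filter(None, map(parse, watch_lines)):
        if rec["dir"] == "out" and rec["dport"] == 25 and rec["src"] not in MAIL_RELAYS:
            findings["direct-smtp"][rec["src"]] += 1
        if rec["dir"] == "in" and rec["dport"] in WEB_PORTS and rec["dst"] not in WEB_SERVERS:
            findings["rogue-web-server"].add(rec["dst"])
        host = internal_host(rec)
        if host not in known:
            findings["new-internal-host"].add(host)
    return findings


if __name__ == "__main__":
    for kind, hosts in detect(BASELINE_LOGS, WATCH_LOGS).items():
        print(kind, dict(hosts) if isinstance(hosts, Counter) else sorted(hosts))
```

Two caveats a practitioner would want. The baseline only tells you what was normal during the period you watched, so a host that was already compromised on day one is “known” and needs the policy checks, not the new-host check, to surface it. And a single outbound SMTP connection from a desktop can be legitimate; the count per source is there so you can set a threshold and investigate the hosts that talk to many mail servers in a short window, which is the pattern of a spam bot rather than a misconfigured mail client.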
Keep in mind what’s important
Every security professional should have a good idea of what is most important in their environment. You know, the systems that are most critical - where downtime results in someone being fired. This will allow you to prioritize the issues you find from your initial analysis of the data. Sadly enough, you will probably find more stuff wrong than you can fix immediately. Thus you need to use this filter of “what’s important” to guide your first set of actions.
Remember, fixing a low-profile system will not provide sufficient value for a quick win. This is where some tough decisions need to be made. What is the single most important issue to address based on the data generated by the security management platform?
Fix it (and then claim victory)
Once you determine which issue to focus on, now jump into action. Maybe it’s taking those rogue devices off the network. It could be re-imaging a device that’s been turned into a bot. Maybe it’s working with HR and the General Counsel to begin investigating a case of corporate espionage. It doesn’t really matter what it is, as long as it is sufficiently high profile to get the attention of the folks that pay the bills.
Once the issue has been remediated, don’t forget to thump your chest a bit. No one is going to do it for you, so make it very clear how the issue was found, isolated, and fixed. Also be sure to highlight the new security management platform’s critical role in the successful resolution of the issue.
I know a lot of security professionals are not comfortable banging the drum and highlighting their victories. If you liked to do that you would have gone into sales, right? The fact is the role of a security professional moving forward is to influence, not necessarily to do everything themselves.
Increasingly our resources will be within the technology operational groups (networks, data center, applications), so we all need to become more adept at “marketing.” You may not like this aspect of the job, but you don’t have a choice.
Success is a journey, not a destination
As much as we’d like to think there is light at the end of the tunnel, the bad guys are always coming up with new ways to shred our defenses. We live in a dynamic and complicated world. Thus, we must always keep our guard up, paying attention and looking for the imminent threats.
The quick win helps us continue the battle and get more funding for the critical projects we need to improve our defenses. Our long-term success hinges on remembering to focus on the most important systems and making sure they are protected.
Our job is never done, but by leveraging the data gathered by our security management platform, always focusing on trying to REACT FASTER to potential issues, and communicating our victories – you can not only be an effective security professional, you can be perceived as an effective security professional.
Industry News
Malware cited in supermarket data breach
Unauthorized software that was secretly installed on servers in Hannaford Bros. Co.'s supermarkets across the Northeast and in Florida enabled the massive data breach that compromised up to 4.2 million credit and debit cards, the company said.
News that unauthorized government workers illegally accessed passport files of candidates Clinton, Obama, and McCain, and that UCLA medical personnel snooped in Britney Spears’ medical files earlier this month, was no surprise to some industry sources.
Data center automation helps one small company comply with SOX
For Robert Sheridan K. Smith, the key to achieving and sustaining Sarbanes-Oxley (SOX) compliance is automation. As an IT manager for Arch Reinsurance Ltd., in Bermuda, a publicly held company that provides specialty property and casualty reinsurance, Smith has deployed data center automation tools wherever possible to help his company meet SOX requirements. "Given our limited staff and resources," Smith said, "it would be very difficult to sustain SOX compliance if we didn't use automation in our data centers."
Autoscribe selects EventTracker for meeting PCI Compliance
“Selecting EventTracker was an obvious choice. It came with a number of pre-built reports specifically mapped to PCI requirements and as an added bonus, provided us with both Event Management and Change Management capabilities. This allowed us to not only comply with section 10, which describes log data monitoring and reporting requirements, but also section 11, which details requirements relating to monitoring changes on critical systems.”
Log Talk
Get the latest insight on all things related to Log Management on the Prism Microsystems blog. Go to http://www.prismmicrosys.com/Logtalk and feel free to leave comments and share your thoughts.
A couple of recent posts:
The Weakest Link in Security - The three basic ingredients of any business are technology, processes and people. From an IT security standpoint, which of these is the weakest link in your organization? Whichever it is, it’s likely to be the focus of attack.
Know your requirements - In 2006, SIEM was located in the ‘Trough of Disillusionment’ in the Gartner Hype Cycle. This segment of the curve represents a technology that has failed to meet expectations. How do you avoid disillusionment with your security implementation? Three words – Know Your Requirements.
Featured Webinars
Using behavior-based correlation to detect threats in real-time
April 16, 2008 - 1:00 PM EDT
This webinar will describe how you can substantially tighten your security profile and detect security threats in real time by using simple behavior-based Correlation. The webinar will introduce the technique and demonstrate how it allows you to detect specific security threats.
Log Management Secrets – how to monitor Unix/Linux based systems with EventTracker
April 15th, 2008 – 11:00 AM EDT
Use EventTracker to create reports and alerts on Unix/Linux events. See practical examples of how this data can bring you value.
Legal
This document is provided for informational purposes only. The information contained in this document represents the current view of Prism Microsystems, Inc. on the issues discussed as of the date of publication. Because Prism must respond to changes in market conditions, it should not be interpreted to be a commitment on the part of Prism and Prism cannot guarantee the accuracy of any information presented after the date of publication.
INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED 'AS IS' WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND FREEDOM FROM INFRINGEMENT.
The user assumes the entire risk as to the accuracy and the use of this document. This document may be copied and distributed subject to the following conditions: 1) All text must be copied without modification and all pages must be included; 2) All copies must contain Prism's copyright notice and any other notices provided therein; and 3) This document may not be distributed for profit. All trademarks acknowledged. Copyright Prism Microsystems, Inc. 2005.
Prism Microsystems, Inc.
6990 Columbia Gateway Drive Suite 250
Columbia MD 21046