Wednesday, October 31, 2012

The Business Value of Log Management Software - part 3

Start here, Part 2

3. Fraud Discovery

Security intelligence is essential for effective fraud detection. The key ingredient, in addition to network telemetry, data from the switching and routing fabric, and the security device enforcement layer, is an understanding of the users and the application data.

Fraud detection requires monitoring of everything that goes on across the network: network activity and events, host and application activity, and individual user activity. Security intelligence allows you to bind the user to a particular asset. By tying together network, DNS server and application activity with directory information, for example, security intelligence can tie a specific user to a specific IP address for a specific VPN session.
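The binding described above, as an added example that is not part of the original post: VPN session records, a directory lookup and application events are correlated so that an application action from a VPN address is attributed to the user who held that address at that time. All log lines, user names and addresses are constructed for the example; the key=value format is an assumption, not a particular vendor's.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample telemetry (not taken from the original post): VPN concentrator
# session records, a directory lookup and application log events. The same address
# is leased to two different users during the day, and bob's session is still open.
VPN_LOG = """\
2012-10-31T08:00:00 session=vpn-101 user=alice assigned_ip=10.8.0.5 action=connect
2012-10-31T09:30:00 session=vpn-101 user=alice assigned_ip=10.8.0.5 action=disconnect
2012-10-31T09:45:00 session=vpn-102 user=bob assigned_ip=10.8.0.5 action=connect
"""
DIRECTORY = {"alice": "finance", "bob": "contractors"}   # user -> group
APP_LOG = """\
2012-10-31T08:15:00 src=10.8.0.5 app=payroll action=export_report
2012-10-31T09:40:00 src=10.8.0.5 app=payroll action=export_report
2012-10-31T10:05:00 src=10.8.0.5 app=payroll action=export_report
"""

@dataclass
class Session:
    session_id: str
    user: str
    ip: str
    start: datetime
    end: "datetime | None" = None   # None while the session is still open
def parse_kv(line):
    # '<iso timestamp> k=v k=v ...' -> dict with a parsed 'ts' field
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec
def parse_sessions(text):
    """Pair connect/disconnect records into address-lease intervals."""
    sessions = {}
    for r in map(parse_kv, text.splitlines()):
        if r["action"] == "connect":
            sessions[r["session"]] = Session(r["session"], r["user"], r["assigned_ip"], r["ts"])
        else:
            sessions[r["session"]].end = r["ts"]
    return list(sessions.values())
def bind_user(event, sessions):
    """Return (user, group, session_id) for the lease that covered the event's
    source IP at the event's time; the time window, not the IP alone, decides."""
    for s in sessions:
        if s.ip == event["src"] and s.start <= event["ts"] and (s.end is None or event["ts"] <= s.end):
            return s.user, DIRECTORY.get(s.user, "unknown"), s.session_id
    return None   # traffic from an address with no active VPN lease
def attribute_events(app_text, vpn_text):
    sessions = parse_sessions(vpn_text)
    return [(e["ts"].isoformat(), e["action"], bind_user(e, sessions))
            for e in map(parse_kv, app_text.splitlines())]
```

The 09:40 event falls between two leases of the same address and is left unattributed rather than guessed, which is the case that breaks naive IP-to-user lookups.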

Tuesday, October 30, 2012

The Business Value of Log Management Software - part 2

Start here

2. Threat Detection

In a few short years, as enterprises have opened themselves to Internet-based commerce and remote users, security has moved from a perimeter-based model with all policy centered on the firewall to distributed security. Security is now focused on hosts, applications and the content of information moving out of the organization.
Moreover, we’re seeing a growing incidence of highly targeted attacks, such as the attacks on NASDAQ and other high-profile companies. Sophisticated, targeted intrusions are typically multi-staged and multifaceted, difficult to detect and very difficult to eradicate; advanced persistent threats (APT) are characterized by the tenacity of the attackers and the resources at their disposal.

An overarching intelligence should be applied to the diverse security technologies that have been developed in response to the evolving threat landscape. As noted in the discussion of security context, an activity that appears innocuous to one part of an infrastructure may be revealed as a threat when that data is correlated with other sources. So, for example, an attacker may disable logging, but can’t shut down network activity. Proprietary applications may not produce logs; some parts of the network may be without firewalls. Security intelligence can still identify the applications and services running between such a host and the network in these cases and flag a potential threat.
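The two cases in the paragraph above, as an added example that is not from the original post: host logs and flow records are correlated to find hosts that keep sending traffic after their logging stops, and to inventory the services of hosts that never log at all. The host names, addresses, timestamps and the key=value record format are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the original post): host syslog records
# and flow records from the switching fabric, both with ISO timestamps.
SYSLOG = """\
2012-10-30T09:00:00 host=web01 prog=sshd
2012-10-30T09:05:00 host=web01 prog=auditd
2012-10-30T09:06:00 host=db01 prog=postgres
2012-10-30T09:58:00 host=db01 prog=postgres
"""
FLOWS = """\
2012-10-30T09:50:00 src=web01 dst=203.0.113.9 dport=443 bytes=8800
2012-10-30T09:55:00 src=web01 dst=203.0.113.9 dport=443 bytes=91200
2012-10-30T09:57:00 src=db01 dst=10.0.0.20 dport=5432 bytes=1200
2012-10-30T09:59:00 src=app07 dst=10.0.0.20 dport=5432 bytes=4400
2012-10-30T09:59:30 src=app07 dst=198.51.100.7 dport=8443 bytes=2100
"""

def parse(text):
    """'<iso timestamp> k=v k=v ...' lines -> list of dicts with a parsed 'ts'."""
    records = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records

def gone_quiet(syslog, flows, now, quiet_after=timedelta(minutes=30)):
    """Correlate the two feeds. Returns (stopped, never_logged):
    stopped      - hosts that still send traffic inside the window but whose last
                   log line is older than quiet_after (logging may have been disabled)
    never_logged - hosts with no logs at all, mapped to the server ports they talk to,
                   since flows are the only telemetry describing their services."""
    last_log = {}
    for r in parse(syslog):
        last_log[r["host"]] = max(last_log.get(r["host"], r["ts"]), r["ts"])
    active_ports = defaultdict(set)
    for f in parse(flows):
        if now - f["ts"] <= quiet_after:
            active_ports[f["src"]].add(int(f["dport"]))
    stopped = sorted(h for h in active_ports
                     if h in last_log and now - last_log[h] > quiet_after)
    never_logged = {h: sorted(p) for h, p in active_ports.items() if h not in last_log}
    return stopped, never_logged
```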

Monday, October 29, 2012

The Business Value of Log Management Software

One of the most compelling arguments for security intelligence is operational efficiency: better use of people, time and infrastructure. It’s the ability to incorporate several security and network technologies into an integrated system rather than products operating independently.
The focus on security intelligence is particularly relevant as operational responsibility for security is increasingly being placed in the hands of the network operations teams. It makes sense to mirror this consolidation of operational responsibilities with consolidation at the intelligence layer. Think in terms of enabling multiple tasks in a single platform and cross-functional development of skills across the organization, and then deploy access based on roles.

Further, security intelligence adds value in other areas of IT, such as troubleshooting system problems, network issues, and user support and authorization analysis.
Security intelligence enables organizations to use integrated tools across a common framework, and leverage a unified data set to address problems along the entire security spectrum. This can be illustrated in five of the most prominent use cases in which security intelligence provides high value.

1. Consolidating Data Silos

Without automated technology, business intelligence analytics are difficult to execute. The data to enable you to understand inventory returns, supply chains, etc., is available, but is siloed in different applications and databases. It falls upon the analyst to compile data from all those sources and pour it into spreadsheets or databases to perform manual analysis. Security analysis poses similar problems, and security intelligence provides similar efficiencies. From a security perspective, data can exist in three types of silos:
  1. Data locked up in disparate security devices, applications and databases
  2. Data that’s collected from point products, applications, etc., creating, in effect, yet another silo. It’s another database where that data is stored, but there’s no communication and no coordination between it and, for example, your configuration database
  3. Organizational silos of data segregated by business unit, operations group, department, etc.
In the first two cases, security intelligence breaks down the silos by integrating data feeds from disparate products into a common framework for automated analysis across different security and IT technologies. From a security perspective, this brings in all the enhanced detection and risk assessment capabilities the consolidated telemetry of security intelligence can deliver. From a CIO perspective, the reduction of these silos enables the rationalization of security products that would otherwise have to be managed on a point product basis. The third case requires considerable cooperation among groups that are typically separated, meaning a realigning of processes and responsibilities, and perhaps, some pressure exerted by management.
The crushing cumulative volume of all this disparate data exacerbates the problem exponentially. Each of these silos can create enormous volumes of data, in different formats, for different purposes and, in some cases, different policies, and even compliance requirements. Only automated security intelligence can effectively manage petabytes of security-related data and analyze it across organizational and operational silos.

Sunday, October 28, 2012

Moving Beyond Log Management and SIEM

The concept of security intelligence is partially realized in security information and event management (SIEM) tools, which correlate and analyze aggregated and normalized log data. Log management tools centralize and automate the query process, but lack the flexibility and the sophisticated correlation and analysis capabilities of SIEM and, ultimately, security intelligence.
But SIEM should be regarded as a waypoint rather than a destination. The end goal is comprehensive security intelligence. SIEM is very strong from an event management perspective and plays a particularly important role in threat detection. Comprehensive security intelligence must encompass and analyze a far broader range of information: it requires continuous monitoring of all relevant data sources across the IT infrastructure and evaluating information in contexts that extend beyond typical SIEM capabilities.

Security intelligence should include a much broader range of data, leveraging the full context in which systems are operating. That context includes, but is not limited to: security and network device logs; vulnerabilities; configuration data; network traffic telemetry; application events and activities; user identities; assets, geo-location and application content.
This produces a staggering amount of data. Security intelligence provides great value by leveraging that data to establish very specific context around each potential area of concern and by executing sophisticated analytics to accurately detect more and different types of threats.

For example, a potential exploit of a Web server reported by an IDS can be validated by unusual outbound network activity detected by a network behavioral anomaly detection (NBAD) capability, and vice versa.

Or, you have a report that a server has a potential vulnerability that has just been disclosed. But it’s one of hundreds in your organization, so how do you evaluate the threat for this particular server? Security intelligence can analyze all available data and tell you:

  1. The presence or absence of the vulnerability;
  2. The value the organization assigns to the asset and/or data;
  3. The likelihood of exploit based on attack path threat models;
  4. Configuration information, which may indicate, for example, that the server is not accessible because a default setting has been changed;
  5. The presence of protective controls, such as an IPS.
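The five questions above turned into a ranking, as an added example that is not part of the original post: each server in a constructed inventory is scored against a constructed advisory using presence, asset value, attack-path likelihood, configuration and compensating controls. The advisory and signature identifiers are placeholders, and the weights are assumptions for illustration, not a standard.

```python
from dataclasses import dataclass

@dataclass
class Server:
    name: str
    software: dict          # package -> installed version (from config/inventory data)
    asset_value: int        # 1 (low) .. 5 (crown jewels), assigned by the business
    reachable_from: set     # network zones with an attack path to this host
    service_listening: bool # configuration: is the affected service actually exposed?
    ips_signatures: set     # IPS signatures deployed in front of this host

# Constructed advisory and inventory; identifiers are placeholders, not real ones.
ADVISORY = {"id": "ADV-PLACEHOLDER-0001", "package": "webapp-frontend",
            "affected": {"2.2.3", "2.2.4"}, "ips_signature": "SIG-PLACEHOLDER-77"}
FLEET = [
    Server("web-dmz-1", {"webapp-frontend": "2.2.3"}, 4, {"internet", "dmz"}, True, set()),
    Server("web-dmz-2", {"webapp-frontend": "2.2.3"}, 4, {"internet", "dmz"}, True, {"SIG-PLACEHOLDER-77"}),
    Server("intranet-1", {"webapp-frontend": "2.2.4"}, 5, {"corp"}, True, set()),
    Server("build-3", {"webapp-frontend": "2.2.4"}, 2, {"corp"}, False, set()),
    Server("db-1", {"postgres": "9.1"}, 5, {"corp"}, True, set()),
]
# Assumed likelihood that an attacker can reach the host from each zone (attack-path model).
ZONE_LIKELIHOOD = {"internet": 1.0, "dmz": 0.7, "corp": 0.4}

def evaluate(server, advisory):
    """Score one server against one advisory, walking the five questions in the
    order the post lists them. Returns (score, reasons)."""
    if server.software.get(advisory["package"]) not in advisory["affected"]:
        return 0.0, ["vulnerability absent"]          # 1. presence
    reasons = ["vulnerable version installed"]
    likelihood = max((ZONE_LIKELIHOOD.get(z, 0.0) for z in server.reachable_from), default=0.0)
    score = server.asset_value * likelihood            # 2. asset value x 3. exploit path
    reasons.append(f"worst attack path likelihood {likelihood}")
    if not server.service_listening:                   # 4. configuration
        score *= 0.1   # not exposed right now, but the patch debt remains
        reasons.append("affected service not listening")
    if advisory["ips_signature"] in server.ips_signatures:   # 5. protective controls
        score *= 0.5   # compensating control, not a fix
        reasons.append("IPS signature covers this advisory")
    return round(score, 2), reasons

def prioritize(fleet, advisory):
    """Rank the fleet so the analyst sees which copies of the vulnerable
    software actually need attention first."""
    ranked = [(s.name, *evaluate(s, advisory)) for s in fleet]
    return sorted(ranked, key=lambda r: r[1], reverse=True)
```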

Or, consider the insider threat. The 250,000 diplomatic cables given to WikiLeaks were obtained by a user, Pfc. Manning, who was acting within his authorized privileges. Chances are any given security mechanism would fail to detect this kind of action, but analysis of correlated data, applying contexts from multiple sources, may have stopped the leak before it could cause damage.

Saturday, October 27, 2012

Log Management Solutions

Security intelligence, built on the same concepts that have made business intelligence an essential enterprise technology, is the critical next step for organizations that recognize the importance of information security to their business health.

Too often, the response to new security threats is a “finger in the dam” approach with a particular point technology or reactive new policies or rules.
This is in large part because a unified security program, based on automated analysis of unified information from across the IT infrastructure, is costly, complex, difficult to implement and inefficient. As a result, most organizations lack accurate threat detection and informed risk management capabilities.
In this series of posts, you will learn how security intelligence addresses these shortcomings and empowers organizations from Fortune Five companies to mid-sized enterprises to government agencies to maintain comprehensive and cost-effective information security. In particular, we will show how security intelligence addresses critical concerns in five key areas:
  1. Data silo consolidation
  2. Threat detection
  3. Fraud discovery
  4. Risk assessment and management
  5. Regulatory compliance

Why Security Intelligence?

High-performance enterprises excel in business in large part because they know how to put their information to work. Aided by the automated use of business intelligence technology, they apply analytics to extract maximum value from the massive amounts of data available to them.
The same approach should be applied to securing that information by implementing a security intelligence program. Just as business intelligence helps enterprises make decisions that maximize opportunities and minimize business risks, security intelligence enables them to better detect threats, identify security risks and areas of noncompliance, and set priorities for remediation.
The case for business intelligence is compelling. It enables organizations to support their critical decision-making by automating the data analysis processes at a level that manual analysis can scarcely approach. By applying computer-based business analytics to their unique environments, successful organizations derive the greatest possible value from their amassed terabytes and petabytes of data, from sales revenue and customer demographics to the cost of shipping and raw materials.

The case for security intelligence is equally, if not more, compelling. Enterprises and government organizations have vast quantities of data that can help detect threats and areas of high risk, if they have the means and the commitment to collect, aggregate and, most importantly, analyze it. This data comes not only from point security products, but also from sources such as network device configurations, servers, network traffic telemetry, applications, and end users and their activities.
Security intelligence reduces risk, facilitates compliance, shows demonstrable ROI and maximizes investment in existing security technologies. By analogy to business intelligence, the goals of security intelligence are to:
  • Distill large amounts of information into an efficient decision-making process, reducing a billion pieces of data to a handful of action items.
  • Operationalize data collection and analysis through automation and ease of use.
  • Deliver high-value applications that help organizations derive the most benefit from their data to understand and control risk, detect problems and prioritize remediation.
  • Validate that you have the right policies in place.
  • Assure that the controls you have implemented are effectively enforcing those policies.
Organizations have a long way to go in understanding their IT security environment. Consider a 2010 survey by CSO magazine, sponsored by Deloitte, which reported that seven in 10 security incidents are never reported. According to Deloitte, indications are that in most cases the victim organizations are not even aware they have been compromised.

Friday, October 26, 2012

Q1 RADAR Log Manager

QRadar SIEM excels at collecting, correlating and reporting on diverse activity. In this demo, we look at how the integration of identity and access management data enables real-time user activity monitoring. You'll see how QRadar can identify risky or abnormal activity of user groups such as employees with privileged access, contractors, or terminated employees.