Enterprise Security Blog

Its the LAST DAY to tell SANS what you're doing with your security logs. SANS - the global research and training institute for all things SECURITY - is running their annual survey on Log Management. Intellitactics thinks this year's survey is more important than ever - so much so that we're sponsoring this year's survey. 

The industry has come a long way from voluntary logging by the best practice security practitioners to terabytes of logs collected in the name of compliance by the rest of the world. We believe you can do more with logs and we want you to tell SANS what you are doing today.

To learn more about what you can do with logs to sustain compliance and strengthen security visit Intellitactics where you can listen to a podcast, see a demonstration and read about the success others are having with Intellitactics Security Manager and Intellitactics SAFE.

Remember - today is the LAST DAY! Take the survey today. Sign up for the WhatWorks Log Management Summit in April, 2009.

Security analysts, administrators and operations benefit from security event management from companies like Intellitactics. Alex Goldman, managing editor of ISP Planet brings together CTO with Intellitactics, Sunil Bhargava and Kevin Prince, Chief Security Officer for Perimeter eSecurity a leading MSSP to talk about logs.

Even Alex was surprised to find that security event management goes way beyond collecting logs and shares his findings in this article on ISP Planet today. Security event management software makes the security guys' job easier - the software automates the grunt work.

Intellitactics' MSSP customers range from the global mega providers to MSSPs that serve the SME market.  Perimeter eSecurity, a well known MSSP serving hundreds of financial services companies and others, offers over 50 products designed to strengthen security and enable compliance. Want to see the products mentioned in this article? Visit Intellitactics today!

The exposure of particular Satyam clients, which include such major companies as General Electric and General Motors, is very much a matter of the nature and criticality of the activities that were handed over by them to the outsourcer.

If this turns out to be similar to other such events to which I have been privy, the Satyam tsunami sent a shudder through the boardrooms of client companies, as well as other outsourcers and outsourcing clients. Client firm managers, whose companies are at risk were Satyam to cease operation, are no doubt running around frantically in an attempt to come up contingency plans. Many clients will find that their choices are limited by contractual restrictions, with steep penalties for termination. Others will be weighed down by the effort needed to move critical functions on short notice, particularly in these difficult economic times.

Here are some suggestions to reduce outsourcing risks of dependency on outsourcers.

It is usually a good idea to maintain the ability to bring outsourced functions back in-house. However, over time, such an option may become less feasible, or at least be prohibitively expensive, as internal capabilities atrophy and the scope of outsourced work expands, as it frequently does.

It also makes sense to consider spreading your outsourcing among two or more service providers. Yes, such diversification costs more because of reduced economies of scale, and due to the additional management effort needed to coordinate several operations. But such incremental costs should be considered an insurance premium that will reduce the impact of any one outsourcer failing.

Another proactive approach is co-sourcing, whereby client and outsourcer share activities in some fashion. My personal preference is time-related co-sourcing, in which a function, be it application development, help desk, or security monitoring, “follows the sun.” If one operation is knocked out, the other(s) will be able to take over the load on an interim basis. Another form of co-sourcing is hierarchical. Here, for example, managers remain at the client and the “worker bees” reside at the outsourcer. This works as long as you have shirtsleeve managers who can take over the actual work if necessary. A third option is to have collaborative teams comprising internal and outsourcer staffs, with team members revolving between client’s and outsourcer’s operations, either physically or virtually. Clearly there are many ways to protect your company against outsourcer failure or diminished effectiveness. I've made some suggestions - there are many others. All it requires is foresight and energy.

Intellitactics invited Dr. Warren Axelrod to comment on a recent quote from Robert Baldwin, president and CFO of Heartland Payment Systems:

Dr. Axelrod:  There is an interesting comment by Robert Baldwin, president and chief financial officer of Heartland Payment Systems, which has been the subject of major data breach. He is quoted in a January 20, 2009 Wall Street Journal article “Card Data Breached, Firm Says” to the effect that his firm “…was targeted with malicious software that was ‘light-years more sophisticated’ than malevolent programs commonly downloaded from the Internet.” This has the flavor of an excuse or explanation of why Heartland didn’t do a good job of protecting our personal information. It’s like “Hey, you know, these guys were smarter than we were, what do you expect us to have done?”

This disclosure should send shivers down the spines of security professionals charged with protecting sensitive data handled, stored and transmitted by their organizations. In a forthcoming book, Enterprise Information Security and Privacy, edited by Jennifer Bayuk, Dan Schutzer and me, we quote Marshall McLuhan, who said “Our Age of Anxiety is, in great part, the result of trying to do today’s job with yesterdays tools and yesterday’s concepts.” Yes, we good guys are frequently way behind the criminals in protecting our information assets, and we are continuing to lose ground. The bad guys are often well funded and highly motivated compared to information security managers who are having their budgets whittled down and are worried about holding on to their staff and losing their own jobs.

So what do we do about it? Can we be expected to fix something that we don’t know is broken?

Heartland didn’t know that malware had been inserted into their systems. So the first order of priority should be to implement effective detection tools that are available commercially today. Second, we need to petition researchers and developers to come up with new tools that overcome the deficiencies of today’s tools. For example, quantum security, if it ever comes to market, will be geared to detecting miniscule changes in messages being transmitted. It functions under the presumption that even someone sniffing data on a line or through the air, alters the message in some way, be it delaying it by nanoseconds, or somehow altering it in other tiny ways. This has a name … “the observer effect.” Could such a technology have detected the Heartland exploit? We don’t really know. It is possible. Research in this area should be encouraged. 

Third, we need to deploy and manage those security tools that are currently available in the marketplace today. Care needs to be taken so as not to waste money on grandiose sounding, but ineffectual, technologies. However, sometimes we should implement unproven technologies not only on the chance that they will work, but also to help advance the state of the art in order to arrive at something that really will do the job.

Comment from Sunil Bhargava, Chief Technology Officer with Intellitactics: What we have today is a serious gap between the technology that is available today  and the technology routinely implemented and used by companies to protect against a breach like this one. For years the industry has been lulled into believing they were "safe" and "secure" because they were collecting, sometimes reviewing and storing logs just like the regulatory standards implied or directed. What has been available and is not always implemented are proactive, real time security event managers that have the ability to detect the type of malware outbreaks that may have plagued Heartland. Of equal concern are all the companies that have multiple tools from multiple vendors -  but the data from the tools individually can't provide the big picture. Isolated security events may appear benign until they are correlated with other events; when viewed together they shine a bright light on slowly growing malicious attacks - capable of sending an organization like Heartland into a crisis state.

Third, we need to deploy and manage those security tools that are currently available in the marketplace today. Care needs to be taken so as not to waste money on grandiose sounding, but ineffectual, technologies. However, sometimes we should implement unproven technologies not only on the chance that they will work, but also to help advance the state of the art in order to arrive at something that really will do the job.

There was an interesting article “In today’s security analytics, every bit of data matters” by Jon Oltsik, posted to CNET on January 22, 2009.

The writer describes how the practice of information security is changing from one where the analyst looked for needle-in-the-haystack events to one of demonstrating to compliance auditors that security controls are in place. I had pointed to security’s evolving emphasis of compliance with regulations in a column “Pershing – Son of Y2K” way back in the November 2000 issue of Information Security Magazine. Since the turn of the century we have seen the increasing demands to comply with security and privacy laws and regulations shape the direction of information security practice.

Mr. Oltsik notes that earlier event data and security data were separate, but that today all data, including those which were formerly considered “noise,” need to be retained and analyzed. He also suggests that it is no longer adequate to just analyze log data, but there is a need to include data on network flows, directories, physical access and so on. He suggests the type of investigations, which are needed in this new environment,  changes the security technology model to include:

• Collecting, normalizing and storing a ton of data
• Applying sophisticated algorithms and processor-intensive query engines
• Integration of physical and information security

Sound familiar?

As his final point, Mr. Oltsik predicts that security information management systems will have to be re-architected to handle these huge volumes of data. Perhaps he should have done a better job of finding out that several companies have been working to provide these capabilities and that organizations serious about security have been using them for quite awhile.

What is data ex-filtration? Many Intellitactics customers use Intellitactics Security Manager to defend against data ex-filtration. The following example is contributed by the Intellitactics Solution Architects - the security experts that work Intellitactics customers to help them do more faster with their SIEM.

            Frequently, security incidents involve data ex-filtration via DNS: Data ex-filtration via DNS is not something that can be blocked using normal security mechanisms and is not easily detected by conventional security products.  Using acquired data from both DNS servers and firewalls the Intellitactics SIEM automatically performs advanced correlation that looks for many unique DNS queries against a single host. 

When the correlation detects data ex-filtration in progress it generates an alert along with a corresponding action. Intellitactics alerts are more than notifications. The alerts offer complete assessments including the underlying events that were correlated and escalated as an alert. Alerts are also scored based on the risk they represent to the organization - prioritizing for focus and efficiency. This speed and accuracy gives the security personnel many options on how to handle the incident as soon as it occurs rather than finding out about it days or weeks later or, worse yet, missing it all together.  Some of the options which can be made available to address this type of incident include:  remotely shutting down the target host, blocking traffic from that target host or creating ACL's to protect the network from traffic from the source of the attack. For example, one customer, chose to automate the resolution for this type of attack - even during normal working hours. 

Register for Intellitactics weekly demonstrations of SIEM capabilities to learn more about using a SIEM for complying with PCI DSS.

From the desk of Dr.Warren Axelrod (Author, Bank of America & US Trust alumni)

Just as we were perhaps becoming too complacent about the security of payment systems because of such advances as the upgrading on PCI DSS (Payment Card Industry Data Security Standard), another company has a breach – perhaps the largest known breach to date. I say “known” because the victim, Heartland Payment Systems, reportedly didn’t even suspect that a breach had occurred until it was brought to their attention by Visa and MasterCard.

This brings us to a fundamental question:  Are we, as security professionals, able to protect our companies from the sophisticated “malware insertion” and “data exfiltration” such as took place within Heartland’s systems? It does not appear so. The jury is still out whether Heartland was in compliance with the PCI DSS. If the company is found to be in compliance, then chalk up another one, along with Hannaford Brothers, to the ineffectiveness of the standard.

 OK. So PCI DSS may be inadequate, but that is no excuse for companies not to implement strong security, particularly when they have custody of so much sensitive personal data.

 Another approach to consider is implementing extensive monitoring, analysis and reporting. Perhaps if Heartland is not up to it, then Visa, MasterCard and others need to install or arrange for installation of sensors and data aggregators and correlators within the payment processors systems and networks in order to see that adequate data protection is in place. In addition, acquiring banks (that is, banks that accept payments for products or services on behalf of merchants) should also be privy to the activity logs and reports.

 We have gone on long enough just trusting that major third-party service providers have adequate data protection in place. It’s time for responsible client and oversight companies to be more proactive and demand transparent views into providers’ systems. If the service provider won’t accept having customers and overseers probe their networks and systems, then they should hire a mutually acceptable security vendor to do the monitoring and share the results.

John Sawyer, with Dark Reading, had a great article on the importance of situational awareness in managing security. John describes situational awareness as a way for "security professionals, both managers and techies, [to] have a keen understanding of their environments and the dependencies on them so they can fully assess the impact of a change or event.. . . the importance of each IT resource, the nature and value of the data that resides on each resource and what threats they face."   

Well John, I thought you would be happy to know that one security information and event manager (SIEM) from Intellitactics automatically provides situational awareness. We call it alert scoring and alert enrichment. Intellitactics provides real time correlation and automated alerting on connections across the enterprise.

Some products provide a lot of data for YOU to investigate - just like the network behavior analysis (NBA) tools that John talks about in the article. Instead the Intellitactics SIEM automates the analysis and present the results textually or visually. You get the BIG PICTURE faster and that means accelerated response to ongoing threats. Our SIEM also provides alert enrichment. This means you can choose other sources of security information and link that data instantly to Intellitactics alerts. For Intellitactics alerts are more than notifications. Intellitactics alerts are assessed and scored based on the history of the assets, vulnerability, importance to the enterprise and they are enriched with context from related data sources.

In the article Mr. Sawyer calls out the benefits of Network Behavior Analysis (NBA) in providing situational awareness, but NBA is more valuable in context. Our SIEM provides real time context to NBA and accelerates investigation – all the data is at your fingertips. Intellitactics automated risk scoring is the best packaged situational awareness you can buy. Check it out and tell John Sawyer at Dark Reading what you think!

Open Technologies, a leading Russian IT company providing full cycle system integration services, today announced a business partnership with Intellitactics to sell and provide services for the entire portfolio of Intellitactics products:  Intellitactics Security Manager, Intellitactics SAFE, Intellitactics SAM and Advanced Analytics. Open Technologies provides full lifecycle system integration services: design, develop and support of integrated information systems to all types of enterprises like the Central Bank of the Russian Federation, Gazprom, SABMiller, Alcatel, and Motorola. 

Svetlana Nikishina, Open Technologies Information Security Product Manager, explains the company’s commitment to their customers: “Open Technologies and their 500 employees is a trusted partner known for helping customers select the optimum solutions and then guiding them through implementation and supporting them over the long term.”  According to Open Technologies the Russian market for information security is growing each year. The main driver is regulatory compliance.

Nikishina describes the process for selecting the Intellitactics products for their portfolio: “Our specialists analyzed and tested the Intellitactics SIEM products. They concluded that the Intellitactics products excel in their ability to adapt to enterprise security management processes. This is a critical success factor in this market and our customers want a solution that can be implemented to meet their unique needs.” 

Brent Davidson, Director of International Sales for Intellitactics explains the value of the Open Technologies partnership: “This is a company with expert knowledge of the most demanding and influential customers in this region. They are trusted by their partners and their customers to find and bring to them the best products. Their selection of Intellitactics is an important endorsement in this region.” 

One of the most challenging threat scenarios is the low and slow attack primarily because it’s impossible to detect or defend with manual log review or manual event management.

Dark Reading  featured an article describing how attackers entrench themselves inside a network and then make configuration changes to facilitate their attacks. Altering the network to allow access enables attackers to operate at their leisure. Intellitactics recommends strict change control rules, whether preventative or detective, combined with diligent monitoring of configuration activity. Some may recall that in the TJX example attackers created user accounts for themselves to log in and alter the network.

You don’t need to be a victim of the low and slow attack!

Intellitactics' Mark Gillett, SIEM guru and Manager in charge of Intellitactics product quality suggests the following steps:

• Maintain lists of the accounts authorized to make changes and use your SIEM to alert when users outside the list make changes; this could prevent an attack. These tasks can be monitored
• When authorized users are compromised, monitoring configuration changes become an effective alternative. We suggest scheduling change reports to run daily for review
• Create a status at a glance or a dashboard item which can illustrate in real time all major configuration changes for operations reviews
• Create rules to establish when and how changes may be made and send notifications to operations for activity that falls outside these parameters
• Finally, the Intellitactics SIEM can create a device status alert when Intellitactics ISM stops receiving logs from any security device; this alert is easily investigated by the SOC or security analyst

See how Intellitactics can help you protect against low and slow attacks.