If this year’s attacks on Adobe, LexisNexis, NASDAQ, US Airways, and dozens
of other large and technologically sophisticated US enterprises didn’t provide
sufficient evidence that we are losing the cyber security war, the ongoing
breaches by Anonymous make it undeniable. Why are the world’s most IT savvy
companies unable to keep attackers out of their networks?
Several factors are tipping the scales in favor of cyber criminals. These
include lack of (threat) information sharing; insufficient automation of threat
and vulnerability remediation; the absence of correlation between compliance,
security and risk posture; the need to perform continuous security monitoring;
and the ability to process huge volumes of data in order to detect and mitigate
cyber-attacks in a timely manner.
Fortunately, a new breed of security technology called Integrated Risk
Management (IRM) platforms has emerged which can make threats and
vulnerabilities visible and actionable, while enabling organizations to
prioritize and address high risk security exposures before breaches occur.
Let’s take a look at how IRM systems can level the playing field in the
cyber security war.
Contextualization of Threat Intelligence
The sharing of sensitive threat information is essential to preventing a
widespread attack across different verticals and industries. Cyber criminals
are coordinating their efforts and are well versed in sharing vulnerabilities
and attack methodologies, so to counter them governments and private industry
must work hand-in-hand to quickly distribute information about threats.
While initiatives to introduce a Cyber Information Sharing law have failed,
information sharing communities such as the Financial Services Information
Sharing and Analysis Center (FS-ISAC) and Red Sky Alliance are offering threat
feeds that organizations can leverage to contextualize the threat information
within their own enterprise architecture.
IRM systems are capable of consuming threat intelligence data feeds and
cross-correlating those with organizational attributes such as control and
configuration settings, asset criticality, vulnerabilities, patch status, etc.
This enables otherwise labor-intensive work to be avoided and common attack
patterns to be detected and analyzed automatically, which dramatically reduces
the risk of exposure.
Automating Threat and Vulnerability Remediation
Most organizations rely on multiple, best-of-breed, silo-based tools (e.g.,
fraud and data loss prevention, vulnerability management or SIEM) to produce
the security data necessary to detect or prevent cyber-attacks. This model
generates a high volume, high velocity stream of complex data that must be
analyzed, normalized, and prioritized.
Unlike adaptive authentication, which is being used to automate behavioral
pattern analysis for fraud prevention in the payments industry, many commonly
used security tools lack the capability to provide self-analysis. IRM platforms
can piece together data from different sources, connect the dots, and detect
suspicious patterns that would indicate a cyber-attack or data breach, instead
of requiring security operations staff to do so manually.
Relying on manual processes to comb through mountains of logs is one of the
main reasons that critical issues are not being addressed in a timely fashion.
According to the Verizon 2013 Data Breach Investigations Report, 69% of
breaches were discovered by a third party and not through internal resources.
To make matters worse, 66% of the breaches took months or even years to
discover. IRM can shorten the window attackers have to exploit a software or
network configuration flaw.
Adding the Notion of Risk in Security
The majority of existing
security products lack the ability to assign risk-based prioritization. They
produce a wealth of logs, but do not indicate which vulnerabilities need to be
mitigated first. Without knowing what risk a specific vulnerability poses for
the business, it is difficult, if not impossible, to prioritize mitigation
efforts.
Risk is influenced by three key
factors: compliance posture, threats and vulnerabilities, and business
criticality of the impacted asset. What organizations need is a context-aware,
risk-based view across the enterprise, combining threat intelligence,
vulnerability knowledge, compliance and business impact.
IRM systems enable big data
automation, which encompasses data gathering from networked machines,
third-party feeds and the platform’s assessment engine. They provide insight
into an organization’s state of compliance, security and ultimately risk
posture to achieve continuous compliance and continuous monitoring.
IRM systems also allow
organizations to assign policies, classifications and business criticality to
assets, propagating the attributes (e.g., risk) to all related assets, and then
enforcing the attributes in a dynamic data-driven environment. By correlating
these three key factors in a single data model, organizations can determine the
risk associated with particular assets and prioritize remediation actions based
on the actual risk.
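The correlation described in this section (and in "Contextualization of Threat Intelligence" above: cross-referencing a threat feed with asset criticality, vulnerabilities, patch status and compliance posture) can be shown in a few dozen lines. The following is an added example written for this article; it is not code from the article or from any IRM product. The asset inventory, scanner findings, threat feed, the VULN-* identifiers and the scoring weights are all constructed assumptions chosen so the resulting ranking is easy to follow.

```python
"""Risk-based prioritization of findings by correlating the three factors the
article names (compliance posture, threats/vulnerabilities, business
criticality), with criticality propagated along asset dependencies.

Added example for illustration; not code from the article or any IRM product.
Every record below is constructed and the weights are assumptions."""

# Constructed asset inventory. criticality: 1 (low) .. 5 (crown jewel).
# compliance_gaps: number of failed controls. depends_on: upstream assets.
ASSETS = {
    "web-01":   {"criticality": 3, "compliance_gaps": 1, "depends_on": ["db-01", "auth-01"]},
    "db-01":    {"criticality": 5, "compliance_gaps": 0, "depends_on": ["auth-01"]},
    "auth-01":  {"criticality": 2, "compliance_gaps": 2, "depends_on": []},
    "build-01": {"criticality": 1, "compliance_gaps": 3, "depends_on": []},
}

# Constructed scanner output. VULN-* ids are placeholders, not real CVEs.
FINDINGS = [
    {"asset": "web-01",   "vuln": "VULN-A", "cvss": 9.8, "patched": False},
    {"asset": "db-01",    "vuln": "VULN-B", "cvss": 5.3, "patched": False},
    {"asset": "auth-01",  "vuln": "VULN-D", "cvss": 6.5, "patched": False},
    {"asset": "build-01", "vuln": "VULN-A", "cvss": 9.8, "patched": True},
    {"asset": "build-01", "vuln": "VULN-C", "cvss": 7.5, "patched": False},
]

# Constructed threat feed: vulnerability ids reported as actively exploited.
THREAT_FEED = {"VULN-A", "VULN-C"}


def propagate_criticality(assets):
    """Return the effective criticality of every asset.

    If a critical asset depends on a less critical one, the upstream asset
    inherits the higher value, because compromising it exposes the dependant.
    A fixpoint loop is used so a cycle in the dependency graph cannot hang it."""
    effective = {name: a["criticality"] for name, a in assets.items()}
    changed = True
    while changed:
        changed = False
        for name, a in assets.items():
            for upstream in a["depends_on"]:
                if effective[upstream] < effective[name]:
                    effective[upstream] = effective[name]
                    changed = True
    return effective


def prioritize(assets, findings, threat_feed):
    """Score every unpatched finding and return them highest risk first.

    score = (cvss / 10) * effective criticality * threat multiplier
            * (1 + 0.25 * compliance gaps)            -- assumed weights"""
    effective = propagate_criticality(assets)
    ranked = []
    for f in findings:
        if f["patched"]:
            continue  # a remediated finding carries no residual risk here
        asset = assets[f["asset"]]
        in_wild = f["vuln"] in threat_feed
        score = (f["cvss"] / 10.0) * effective[f["asset"]]
        score *= 2.0 if in_wild else 1.0          # threat feed says it is being exploited
        score *= 1 + 0.25 * asset["compliance_gaps"]  # weak control posture raises exposure
        ranked.append({
            "asset": f["asset"], "vuln": f["vuln"], "score": round(score, 3),
            "effective_criticality": effective[f["asset"]],
            "exploited_in_wild": in_wild,
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for r in prioritize(ASSETS, FINDINGS, THREAT_FEED):
        print(f'{r["score"]:6.3f}  {r["asset"]:<9} {r["vuln"]}  '
              f'crit={r["effective_criticality"]} wild={r["exploited_in_wild"]}')
```

The point of the propagation step is visible in the output: auth-01 is rated a low-value asset on its own, but because the crown-jewel database depends on it, its medium-severity finding outranks the database's own finding. A CVSS-only ordering would have put both build-01 findings near the top.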
Providing Continuous Monitoring
Cyber threats are unpredictable
and cannot be scheduled like a compliance audit. Instead of a point-in-time
view of risk, continuous monitoring of both compliance and security posture is
required to increase situational awareness. Unfortunately, the majority of
organizations are still using a check-box mentality as part of a
compliance-driven approach to security. This method achieves point-in-time
compliance certification rather than improving security.
Applying continuous (security) monitoring implies an increased frequency of
data assessments (e.g., on a weekly basis) and requires security data
automation by aggregating and normalizing data from a variety of sources such
as security information and event management (SIEM), asset management, threat
feeds, and vulnerability scanners. IRM systems use big data automation and
correlation to reduce costs by unifying security management, streamlining
processes, creating situational awareness that exposes exploits and threats in
a timely manner, and gathering historic data which can assist in predictive
security.
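The aggregation and normalization step, together with a check that every asset is actually being assessed at the chosen cadence, is illustrated below. This is an added example and not code from the article or from any IRM product. The SIEM events, scanner CSV export, asset inventory, timestamps and the "current" time are all constructed; the seven-day cadence is the weekly frequency the article mentions.

```python
"""Aggregate security data from different source formats into one record
schema, then report assets whose latest assessment is older than the cadence.

Added example; not code from the article or any IRM product. All inputs below
are constructed, including the timestamps and the reference time NOW."""
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed SIEM export: one JSON event per line (note the mixed-case host).
SIEM_LINES = [
    '{"ts": "2013-11-10T08:00:00+00:00", "host": "WEB-01", "rule": "failed-logins-burst"}',
    '{"ts": "2013-11-03T14:20:00+00:00", "host": "db-01", "rule": "config-change"}',
]

# Constructed vulnerability scanner export in CSV form.
SCANNER_CSV = """host,plugin,severity,last_seen
web-01,outdated-tls,medium,2013-11-09T02:00:00+00:00
legacy-01,unsupported-os,high,2013-10-01T02:00:00+00:00
"""

# Constructed asset inventory: the set of assets that monitoring should cover.
INVENTORY = ["web-01", "db-01", "legacy-01", "printer-01"]

# Constructed reference time used by the demo and the checks.
NOW = datetime(2013, 11, 11, tzinfo=timezone.utc)


def normalize_siem(lines):
    """Map SIEM JSON events onto the common record schema."""
    for line in lines:
        ev = json.loads(line)
        yield {"asset": ev["host"].lower(), "source": "siem",
               "observed_at": datetime.fromisoformat(ev["ts"]),
               "detail": ev["rule"]}


def normalize_scanner(text):
    """Map scanner CSV rows onto the common record schema."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"asset": row["host"].lower(), "source": "scanner",
               "observed_at": datetime.fromisoformat(row["last_seen"]),
               "detail": f'{row["plugin"]} ({row["severity"]})'}


def aggregate(siem_lines, scanner_csv):
    """One normalized, time-ordered record stream across both sources."""
    records = list(normalize_siem(siem_lines)) + list(normalize_scanner(scanner_csv))
    records.sort(key=lambda r: r["observed_at"])
    return records


def assessment_gaps(records, inventory, now, cadence=timedelta(days=7)):
    """Return {asset: age_in_days} for inventory assets whose most recent
    observation from any source is older than the cadence; an asset with no
    observation at all maps to None (the blind spot monitoring should close)."""
    latest = {}
    for r in records:
        if r["asset"] not in latest or r["observed_at"] > latest[r["asset"]]:
            latest[r["asset"]] = r["observed_at"]
    gaps = {}
    for asset in inventory:
        if asset not in latest:
            gaps[asset] = None
        elif now - latest[asset] > cadence:
            gaps[asset] = (now - latest[asset]).days
    return gaps


if __name__ == "__main__":
    recs = aggregate(SIEM_LINES, SCANNER_CSV)
    for r in recs:
        print(r["observed_at"].date(), r["source"], r["asset"], r["detail"])
    print("stale or never assessed:", assessment_gaps(recs, INVENTORY, NOW))
```

Normalizing host names and timestamps first is what makes the cadence check meaningful: without it, "WEB-01" from the SIEM and "web-01" from the scanner would be tracked as two assets and one of them would be reported as unmonitored.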
Making Big Data Actionable
While security monitoring
generates big data, in its raw form it remains only a means to an end.
Ultimately, information security decision making should be based on
prioritized, actionable insight derived from this data. To achieve this, big
security data needs to be correlated with its business criticality or risk to
the organization. Once assets that require the highest priority for remediating
threats are identified, organizations must ensure a smooth handoff from
security operations to the IT department, which is responsible for mitigating
issues. Any latency in this process can lead to critical delays in
time-to-remediation, offering hackers an opportunity to exploit existing
vulnerabilities.
IRM systems offer a closed-loop remediation solution via their own ticketing
and exception processes as well as through bi-directional integrations with
ticketing and patch management solutions. In addition, an IRM system's
workflow engine enables organizations to collaborate across departments and
business units, increasing operational efficiency and shortening the
time-to-remediation.
IRM systems can deliver tremendous time and cost savings through increased
accuracy, shorter remediation cycles and better overall operational
efficiency. Ultimately, they can protect against and minimize the consequences
of cyber-attacks and improve the odds for the good guys in the cyber war.