Network Security: Fear and Loathing on the Yellow Brick Road
Lions and tigers and bears, oh my! These days, the path to network security seems littered with cyber perils. On a weekly if not daily basis, we hear reports of external cyber beasts, criminals and mischievous insiders who succeed in breaching the defenses of enterprises and public institutions with relative impunity. The pouncers are capitalizing on the asymmetrical advantage in technical know-how and are persevering against lightly defended targets, carrying off secrets and treasures back to their dark castles.
For Hackers, Just Follow the Yellow Brick Road
None of this was lost in the messages presented at the recent RSA Security conference, where many of the discussions centered on the need to empower security teams with intelligence in order to stay ahead of cyber attacks. It’s a constant race against the clock at every stage of the cyber threat life cycle, from identification of the vulnerability to detection of the exploit to development of a remediation plan. Today, understaffed network security teams find themselves racing from one challenge to the next, often in an inefficient, ad hoc fashion.
What’s more, attacker innovation and an abundance of exploit kits have led to new technologies and behaviors, increasing the sophistication and complexity with which security teams must contend. Many simply wait until the seriousness of the threat reaches critical levels before they secure specialized skills — often externally sourced — to perform network forensics investigations to uncover the root cause of a castle breach and toss a bucket of water onto the evil cyber attack to melt it into submission.
IT’s Ruby Slippers
Senior management now understands that investments must be made in network security; however, they should be made with an eye toward transforming the current operational limitations. Consider some lessons recently gleaned from practitioners applying their finite resources with greater efficacy to defend their organizations and critical data:
- Attain Visibility: Assessing the organization’s current security posture requires the assembly of available security data ranging from log events and netflows to even full-packet capture resources.
- Focus and Prioritize: Network security data collected in its raw form can easily overwhelm an IT security team using disparate analysis tools. Big data is great when you’re not the one responsible for determining the “so what” at the end of the day — kind of like the man behind the curtain. The automated and intelligent analysis of log events correlated with netflow information removes much of the noise in the system and helps security teams focus on high-probability incidents.
- Get Clarity: Once risky or suspicious behaviors have been identified — for example, a QRadar offense record — security teams should perform guided investigations to identify and separate true malicious activity from false positive results. The ability to retrieve full packet capture information is like gazing into a crystal ball to see what’s transpired.
- Empower: Effective security teams must integrally weave the forensics investigation into their security intelligence operations. Ideally, security analysts can rely upon intuition rather than technical training to deduce the root cause of a castle breach.
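The log-event and netflow correlation described under “Focus and Prioritize” above, as an added example that is not QRadar code and not part of the original post: it ranks hosts by failed logins followed by a success and a large outbound flow to an external address shortly afterwards, so the one host showing the full chain rises above the noise. The sample events, flows, the 10-minute window and the byte threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOG_EVENTS = [  # constructed: (timestamp, host, event type)
    ("2014-03-10T09:00:05", "10.0.0.7", "auth_failure"),
    ("2014-03-10T09:00:09", "10.0.0.7", "auth_failure"),
    ("2014-03-10T09:00:12", "10.0.0.7", "auth_success"),
    ("2014-03-10T09:30:00", "10.0.0.9", "auth_failure"),
    ("2014-03-10T11:00:00", "10.0.0.3", "auth_failure"),
]
NETFLOWS = [  # constructed: (start, src, dst, dst port, bytes out)
    ("2014-03-10T09:02:00", "10.0.0.7", "198.51.100.20", 443, 52_000_000),
    ("2014-03-10T09:31:00", "10.0.0.9", "10.0.0.50", 445, 4_000),
    ("2014-03-10T11:05:00", "10.0.0.3", "10.0.0.51", 80, 1_200),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def _external(ip):  # assumption: 10.0.0.0/8 is the internal range
    return not ip.startswith("10.")

def score_hosts(events, flows, window=timedelta(minutes=10), bulk=10_000_000):
    """Return [(score, host, reasons)] sorted high to low.
    +1 per failed login; +3 if a success follows failures on the same host;
    +5 if that host then sends more than `bulk` bytes to an external address
    within `window` of its last authentication event."""
    hosts = defaultdict(lambda: {"fail": 0, "succ": False, "last": None})
    for t, host, kind in sorted(events):  # ISO timestamps sort as strings
        h = hosts[host]
        h["last"] = _ts(t)
        if kind == "auth_failure":
            h["fail"] += 1
        elif kind == "auth_success" and h["fail"]:
            h["succ"] = True
    ranked = []
    for host, h in hosts.items():
        score, reasons = h["fail"], [f"{h['fail']} failed logins"]
        if h["succ"]:
            score += 3
            reasons.append("success after failures")
        for t, src, dst, _port, nbytes in flows:  # join flows to the host's auth activity
            if src == host and _external(dst) and nbytes > bulk \
                    and timedelta(0) <= _ts(t) - h["last"] <= window:
                score += 5
                reasons.append(f"{nbytes} bytes to {dst}")
        ranked.append((score, host, reasons))
    return sorted(ranked, reverse=True)
```

Calling `score_hosts(LOG_EVENTS, NETFLOWS)` puts 10.0.0.7 first with a score of 10, while the two hosts with a single isolated failure score 1 each.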
These principles guided the design and development of QRadar Incident Forensics. It was added to the QRadar Security Intelligence platform to extend and complement an organization’s network security operations. It removes the skills barrier that has historically prevented the wider utilization of forensics among security teams. Furthermore, given the integration with the broader QRadar solution, security teams can attain greater efficacy and efficiency to help them find their way back over the rainbow to where things are as safe as they’re supposed to be.