Sensage Blogs

I just noticed an interesting article in Forbes written by Richard Stiennon…the article, entitled “In Cyber, Losers Ignore, Survivors React, and Winners Predict,” has a classic quote that underscores the need for objective data analysis when motivating executives to invest in security:

“Judging by the number of large enterprises that bring me in to speak to their boards and senior execs there is still a problem at the top of many organizations with recognition of the rise of threats. Even though these organizations have their own security experts they feel an outside expert can do a better job of justifying security investments and frankly, frightening their stakeholders into taking security seriously.”

(For the complete article, jump here: http://www.forbes.com/sites/richardstiennon/2012/02/12/in-cyber-losers-ignore-survivors-react-and-winners-predict/)

I’m sure Richard wouldn’t mind trading some of those consulting fees for actual industry progress on this front. Although we know it happens plenty, we should move past the practice of frightening stakeholders into taking security seriously. In our work with customers, we see an increase in the use of objective data analysis to “convince with credibility” rather than “frighten with FUD” when it comes to promoting good security practices in our organizations.

What do you see?

permalink

The recent news about Socialbot attacks confirm what most of us feared…that social networks are drunk with growth and not maintaining security practices commensurate with the attractiveness of their assets. At the heart of this threat, sadly, lies the human desire to trust – which has become “semi-automated” in social networks.

Social fabrics boil relationships down to simple transactions. By simply “liking” something, or “friending” someone, you create automated associations that lead to interactions – both good and bad. Social communities work on the notion of “automated trust,” and the paradigm that by taking those actions, you are prepared for all of the related consequences.  What’s more: in your social environment, your guard is down (for the most part). You trust that the information you are receiving is relevant and safe (sent by a friend, or because you “liked” something).

These trust mechanisms will make it very easy for the new frontier: mass-customized cyber-crime.

Social media vendors have enjoyed the ability to serve very indulgent communities with, only recently, the concern for increased controls and security.  It will be critical for these proprietors to take a continuous design improvement approach to their security practices. They will need to protect social networks with the same technology, people and process used by enterprises and government agencies, particularly large scale event collection, filtering and analysis.

It will also be their responsibility to educate users on the increasingly granular controls that are available, and enforce safe techniques in their community. I am speculating that the average participant does not fully understand or leverage the granular controls available in many online services. It’s important to determine what trust-level users want to exhibit and then recognize, outside of that sphere they create, everything else they share is available to the public.

We will be hearing more about Socialbots in 2012…

permalink

Is this realistic guidance or just the illusion of concern?

The US Securities and Exchange Commission just announced an order for organizations to disclose even “potential” data breaches.

We have always known that a large percentage of breaches are NOT disclosed. A letter sent to to the US Securities and Exchange Commission by several US Senators in May, 2011, cites a study by Hiscox showing 38% of Fortune 500 companies made a significant oversight - failing to report a breach of some sort.

We believe the number is much higher - and there are several reasons for this:

• In many cases, an organization is not even aware of a breach until they are contacted by a 3rd party
• In some cases, the organization impacted can’t track back how the information was placed at risk, or the events that took place which caused the breach
• Overall, the language governing breach notification requirements is vague - so it leaves the decision to each organization to interpret/decipher

That’s what makes the SEC order to now require companies to disclose even “potential” breaches even more interesting. It intends to hold organizations accountable, not just when a breach occurs, but even in cases where one is suspected. This will be tricky. If a large percentage of organizations don’t disclose SUCCESSFUL breaches, does the expansion to require the reporting of breaches that may have happened, seem possible?

It requires the SEC to provide very specific guidance and stronger definition of breach reporting requirements, several layers deeper than it has been defined in the past. Here are just a few of the challenges they will need to address:

• What is the definition of a breach? Is it when information is taken, or is it the nature of the information?
• How does one recognize a potential loss? As we have seen in several recent cases, a server may have been accessed by unauthorized users, but no data was stolen. Does that still count?
• What, if any, checks and balances can be put in place with external organizations to identify unreported risks? Will those external organizations perform solid diligence before raising a red flag? Will they report the potential breach to the impacted organization first or directly to a governing body?
• What guidelines will be used to ensure companies are adequately assessing and mitigating these risks?
• How will the increased reporting be resourced? Who takes the hit for false alarms?
• What are the penalties if a “potential” risk is not reported, but discovered through other means?

Again, a very interesting move - and one that needs to be taken seriously by proactive security practitioners who don’t want to be whiplashed by false alarms and panic. Collecting, storing and analyzing massive amounts of data one piece of the equation. The other is implementing a methodical approach to security event management. Here are just a few things to consider:

• Implement a combination of real time and long-range security information and event management - neither of these alone will catch every potential risk
• Collect data consistently - across the entire threat landscape. Focusing on just the network or endpoint will not be useful since breaches today impact multiple vectors
• Correlate/analyze that data methodically. Stove-piped analysis will not catch clever insiders or external attackers. Set thresholds, then look for variances and outliers
• Do all of the things you are already doing, in the way of security monitoring - just track it all so you can prove a non-event later

These are just a few of the points to think about…and again, I don’t think of this SEC guidance as game-changing. It just puts additional tension on already resource-constrained security teams to be more diligent in security event management. Read a few more best practices you should consider to make this easier…

permalink

Real Progress Being Made…With Big Data Challenges Ahead

President Obama issued an executive order which establishes an Insider Threat Task Force to prevent potentially damaging and embarrassing exposure of government secrets or classified information, such as those made public by WikiLeaks. In my opinion, this is a huge step in the right direction – providing both a framework for building out agency programs and specifics for cross-agency, centralized guidance and assessment of progress being made to address this threat.

Key takeaways:

1) Major responsibility lies with agencies, who will have build and maintain a solid program for protecting against Insider threats…of course, within the boundaries of the usual data policies and privacy regulations. Two major requirements include:

• The identification of a senior official who is accountable for the program and compliance
• That agencies complete self-assessments to ensure compliance

2) An Insider Threat Task Force will be put in place to identify necessary and standard technologies required to achieve progress in detecting Insider Threats

3) A Steering Committee will be put in place for information sharing and safeguarding

4) The DOD and NSA are named as the key executive agents for the Executive Order – providing oversight, developing processes for auditing progress, and establishing policies for compliance

This is all encouraging – but let’s peel back the technology involved in situational awareness and the detection of an insider attack. In order to watch where people are going, what information they are accessing and what they are doing with it, you have to collect lots of data. For a single government agency, this is no small task. Thousands of government personnel with incredibly complex access rules/permissions based on the missions or programs they are on.

What makes matters even more complex is that typical insider attacks occur over extended periods of time: whether it is because the insider moves slowly to avoid detection all along, or because they stumble on an opportunity and gain confidence to capitalize on it over time. In order to effectively detect these long-lead attacks, data has to be collected and retained for longer periods of time.

How can security teams identify which user profiles and activities, buried in this vast landscape of event data, are worth noting, isolating and investigating?

Two things are clear:

• A combination of both real-time incident alerting AND longer-range forensic technologies are required
• An open approach to sharing security intelligence will accelerate learnings across the board

Both of these validate the Sensage architecture and approach. Our event data warehouse was built to deal with massive data collection and processing requirements, and our open access to the data allows for sophisticated and rapid analysis of suspicious events.

Sensage is already providing key technologies to government agencies and contractors, and this Executive Order should catalyze further focus on this critical problem. Be sure to check out SensageTV for my current perspective, and look for more as we watch this important new development!

permalink

This week saw acquisitions of two traditional SIEM vendors (Q1Labs and Nitro) by IBM and McAfee. I have been fielding questions from the press about what this means to the SIEM business. Oddly, I have not had to answer questions from our customers or partners. Why? Because Sensage is so highly differentiated, even though we are all lumped into the same space, that comparing the technology that was acquired to the solutions we deliver, is an unnecessary exercise. But…since someone might want to hear my perspective, here goes:

Both acquisitions present a vision for integration with the parent’s other assets, similar to HP’s acquisition of ArcSight. If they are to succeed -  they will need to account for not just the near-term business opportunity in the mainstream market. They will need to consider emerging customer requirements for more open security intelligence, not more closed - but allegedly integrated - security architectures.

Both acquisitions also refer to the need for scalability in the SIEM category, and yet neither of these acquired vendors can handle “big data” for security event storage, management, correlation and analysis. Our customers - large enterprises, Telcos and government agencies - are finding that truly solving this problem requires highly specialized database technology on the back end and powerful yet flexible analysis tools on the front end. That’s what I mean by Advanced SIEM, and really, Sensage is the only solution built for those emerging requirements.

Finally, traditional, mainstream SIEM technologies, including real-time monitoring and log management, are table-stakes…a commoditized solution that most large security teams already have in place. In order to stay ahead of these complex threats we are seeing, a new set of SIEM use-cases are in play, that simply can’t be addressed with those legacy products. In fact, Sensage gets called on often to sit side-by-side with another SIEM, doing big data collection/retention and long-range, sophisticated forensics that can’t be done with the customer’s existing deployment.

It’s going to be an exciting time, as we watch how this much-needed consolidation will simplify the SIEM landscape. It certainly provides Sensage the opportunity to continue dominating the advanced SIEM quadrant while the other vendors sort out their roadmaps. Stay tuned…

permalink