This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
If this year’s attacks on Adobe, LexisNexis, NASDAQ, US Airways, and dozens of other large and technologically sophisticated US enterprises didn’t provide sufficient evidence that we are losing the cyber security war, the ongoing breaches by Anonymous make it undeniable. Why are the world’s most IT savvy companies unable to keep attackers out of their networks?
Several factors are tipping the scales in favor of cyber criminals. These include lack of (threat) information sharing; insufficient automation of threat and vulnerability remediation; the absence of correlation between compliance, security and risk posture; the need to perform continuous security monitoring; and the ability to process huge volumes of data in order to detect and mitigate cyber-attacks in a timely manner.
Fortunately, a new breed of security technology called Integrated Risk Management (IRM) platforms has emerged which can make threats and vulnerabilities visible and actionable, while enabling organizations to prioritize and address high risk security exposures before breaches occur.
Let’s take a look at how IRM systems can level the playing field in the cyber security war.
Contextualization of Threat Intelligence
The sharing of sensitive threat information is essential to preventing a widespread attack across different verticals and industries. Cyber criminals are coordinating their efforts and are well versed in sharing vulnerabilities and attack methodologies, so to counter them governments and private industry must work hand-in-hand to quickly distribute information about threats.
While initiatives to introduce a Cyber Information Sharing law have failed, information sharing communities such as the Financial Services Information Sharing and Analysis Center (FS ISAC) and Red Sky Alliance are offering threat feeds that organizations can leverage to contextualize the threat information within their own enterprise architecture.
IRM systems are capable of consuming threat intelligence data feeds and cross-correlating those with organizational attributes such as control and configuration settings, asset criticality, vulnerabilities, patch status, etc. This enables otherwise labor-intensive work to be avoided and common attack patterns to be detected and analyzed automatically, which dramatically reduces the risk of exposure.
Automating Threat and Vulnerability Remediation
Most organizations rely on multiple, best-of-breed, silo-based tools (e.g., fraud and data loss prevention, vulnerability management or SIEM) to produce the security data necessary to detect or prevent cyber-attacks. This model generates a high volume, high velocity stream of complex data that must be analyzed, normalized, and prioritized.
Unlike adaptive authentication, which is being used to automate behavioral pattern analysis for fraud prevention in the payments industry, many commonly used security tools lack the capability to provide self-analysis. IRM platforms can piece together data from different sources, connect the dots, and detect suspicious patterns that would indicate a cyber-attack or data breach, instead of requiring security operations staff to do so manually.
Relying on manual processes to comb through mountains of logs is one of the main reasons that critical issues are not being addressed in a timely fashion. According to the Verizon 2013 Data Breach Investigations Report, 69% of breaches were discovered by a third party and not through internal resources. To make matters worse, 66% of the breaches took months or even years to discover. IRM can shorten the window attackers have to exploit a software or network configuration flaw.
Adding the Notion of Risk in Security
The majority of existing security products lack the ability to assign risk-based prioritization. They produce a wealth of logs, but do not indicate which vulnerabilities need to be mitigated first. Without knowing what risk a specific vulnerability poses for the business, it is difficult, if not impossible, to prioritize mitigation efforts.
Risk is influenced by three key factors: compliance posture, threats and vulnerabilities, and business criticality of the impacted asset. What organizations need is a context-aware, risk-based view across the enterprise, combining threat intelligence, vulnerability knowledge, compliance and business impact.
IRM systems enable big data automation, which encompasses data gathering from networked machines, third-party feeds and the platform’s assessment engine. They provide insight into an organization’s state of compliance, security and ultimately risk posture to achieve continuous compliance and continuous monitoring.
IRM systems also allow organizations to assign policies, classifications and business criticality to assets, propagating the attributes (e.g., risk) to all related assets, and then enforcing the attributes in a dynamic data-driven environment. By correlating these three key factors in a single data model, organizations can determine the risk associated with particular assets and prioritize remediation actions based on the actual risk.
Providing Continuous Monitoring
Cyber threats are unpredictable and cannot be scheduled like a compliance audit. Instead of a point-in-time view of risk, continuous monitoring of both compliance and security posture is required to increase situational awareness. Unfortunately, the majority of organizations are still using a check-box mentality as part of a compliance-driven approach to security. This method achieves point-in-time compliance certification rather than improving security.
Applying continuous (security) monitoring, implies an increased frequency of data assessments (e.g., on a weekly basis) and requires security data automation by aggregating and normalizing data from a variety of sources such as security information and event management (SIEM), asset management, threat feeds, and vulnerability scanners. IRM systems use big data automation and correlation to reduce costs by unifying security management, streamlining processes, creating situational awareness that exposes exploits and threats in a timely manner, and gathering historic data which can assist in predictive security.
Making Big Data Actionable
While security monitoring generates big data, in its raw form it remains only a means to an end. Ultimately, information security decision making should be based on prioritized, actionable insight derived from this data. To achieve this, big security data needs to be correlated with its business criticality or risk to the organization. Once assets that require the highest priority for remediating threats are identified, organizations must ensure a smooth handoff from security operations to the IT department, which is responsible for mitigating issues. Any latency in this process can lead to critical delays in time-to-remediation, offering hackers an opportunity to exploit existing vulnerabilities.
IRM systems offer a closed-looped remediation solution via their own ticketing and exception processes as well as through bi-directional integrations with ticketing and patch management solutions. In addition, an IRM system’s workflow engine enables organizations to collaborate across departments and business units, increasing operational efficiency and shortening the time-to-remediation.
IRM systems can deliver tremendous time and costs savings through increased accuracy, shorter remediation cycles and better overall operational efficiency. Ultimately, they can protect against and minimize the consequences of cyber-attacks and improve the odds for the good guys in the cyber war.
George is VP of Worldwide Marketing and Products at integrated risk management software vendor Agiliance.