China Orders a Hit on Google

Wednesday, January 13, 2010 by Pam Casale

I’ve been following Robert McMillan’s coverage in Computerworld of Google’s disclosure that Google and a number of other companies including Adobe Systems were the target of cyberattacks potentially ordered by the Chinese Government. The Chinese cybercriminals were trying to steal the email records of political dissidents. This highly visible cybercrime underscores the importance and difficulty of protecting information assets and implementing threat detection systems.

 

The attacks came within hours of Google hosting a closed-door symposium on circumventing censorship. Soon the company's enterprise security management team realized that it was dealing with more than just a few hacked workstations. McMillan reports that Google suggests that the attacks were a "state-sponsored corporate espionage campaign that compromised more than 30 technology, financial and media companies, most of them global Fortune 500 enterprises."

 

Hillary Clinton, speaking as the US Secretary of State, said that coordinated hacking campaigns like this "raise serious concerns" and that "the ability to operate with confidence in cyberspace is critical in a modern society and economy."

 

Sources familiar with the situation say that the attacks exploited an unpatched bug in widely used software and were able to gain footholds in these companies and siphon out valuable intellectual property.

 

Disturbing to me is that the goal of the attackers, according to Google's Drummond, was accessing the Gmail accounts of Chinese human rights activists. China is a powerful global economy with a culture and value system very different from our western culture. Without criticizing the way the Chinese government harasses segments of their population or chooses to restrict and limit their rights, this is a good example of how their behavior is impacting my rights. I'm a Gmail user in my off hours, and the fact that an attack, potentially ordered by the Chinese government, puts my privacy at risk is troubling.

 

What do you think? Is it possible to determine the absolute source of attacks in order to prevent cyber attacks from Chinese cyber criminals in the future?

Mitre Weighs in Fighting Cybercrime

Tuesday, January 12, 2010 by Pam Casale
Mitre, the vendor-neutral IT think tank, is the trusted advisor to many government agencies. Mitre fellows are experts on cybercrime, compliance solutions, threat detection and enterprise security management systems. In a recent paper they make recommendations for fighting cybercrime.

We've included a few of them here - our own security gurus give this paper 5 stars! Our customers in the federal government trust Mitre for unbiased, deep thinking about security and so do we. Here's just a sample of the strategies you can read about in this paper.

Mitre suggests creating 'Survivable Software', which creates variants of the original application's code, making it more difficult for an attack to be written. They describe Secure Converged Computing - something similar to a virtualized environment except that the OS image is essentially built and erased as needed, so there's no chance of a user having a long-term OS that can collect malicious software.

Another interesting suggestion is creating a RiskMAP - this means that you would identify the points within an application or business process where the applications are at risk, depending on where the process/application is accessed by the network.

One other idea they call 'Mission Resilience through Availability' - this tactic restricts what an intruder would have access to, if they were in fact successful in penetrating the trusted network.

Check out this paper by Mitre and consider reading 9 Ways to Stop Data Loss and Reduce the Risk of Insider Threats. Let us know what you think about these resources and share some ideas of your own here.

Defending Against Cybercrime - More Tips

Monday, January 11, 2010 by Pam Casale
After reading all the predictions about how clever the cybercriminals will be in 2010, I thought it might provide some balance to ask our Solution Architects for some advice on how companies are protecting themselves against cybercrime.

Intellitactics Solution Architects are out there every day working alongside some of the best security professionals at the most sophisticated agencies and companies around the world. Providing professional services to our SIEM solution customers and enterprise security management systems customers, these members of our professional services team work with many companies employing cutting-edge practices to protect information assets and comply with regulatory standards like PCI-DSS, HIPAA, SOX and FISMA.

Artyom Adjemov offers this suggestion:
Provide better monitoring of outgoing/incoming web and email traffic. One large cable provider is using several products for this and using Intellitactics Security Manager (ISM) to centralize and consolidate to find breaches of security. Some tools to consider:
Breach WebDefend to monitor various potentially malicious web-related activity and Vericept Monitor to monitor outgoing email traffic for inclusion of credit card information and/or social security information. SC Magazine recently gave WebDefend 5 stars - saying it's an "excellent solution for PCI compliance".

THANKS ART!

ISM consolidates all security events and prioritizes them by risk score as Alerts. ISM takes plain English events or numeric event IDs and translates them into English using device-specific taxonomies. This improves security operations' ability to analyze and respond to anomalies or violations.

NEXT: Mitre, the IT think tank, makes some suggestions on fighting cybercrime.

Cybersecurity and Howard Schmidt

Saturday, January 9, 2010 by Pam Casale

For those of you that get up every day thinking about enterprise security management systems and the challenge of protecting information assets, you can imagine the pressure that Howard Schmidt must be feeling. Warren Axelrod wraps up the series on Howard Schmidt in the final post of the series.

From the desk of Warren Axelrod:  Howard Schmidt has had the experience of evangelizing The National Strategy to Secure Cyberspace, which was published in February 2003. I attended one of the many town hall meetings that he conducted. It was a brave attempt, but the Bush Administration did not give the strategy the support needed to effect the changes outlined in the report. I believe that this lesson may well have been learned and hope that this time around there will be support from the top.

 

From my personal experience of the past 15 years, during which I testified before Congress on cyber security, co-founded the Financial Services Information Sharing and Analysis Center (FS-ISAC), participated in the development of the FSSCC (Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security) Research Agenda for the Banking and Finance Sector, and have been active in a number of public-private-academic initiatives, the task is much greater than merely developing a plan and trying to persuade various players to collaborate in effecting that plan.

 

With some 85 percent of the critical infrastructure claimed to be in private hands, we need to effect programs in which the private sector will do their full share in protecting the infrastructure. Moral suasion will only go so far. It needs resources and commitment to get it done. Yes, we need to rebuild much of the decaying physical infrastructure, but we should be spending much more of the government’s “Stimulus Package” on the cyber side. This will also create jobs, as Andy Kessler so well points out in his Op-Ed piece, with the title “Put Down That Shovel,” which appeared in the December 26-27, 2009 issue of The Wall Street Journal. Mr. Kessler suggests increasing the reach of the country’s wireless networks, laying more fiber cables, and the like. He does not mention cyber security efforts that would provide the protection and resiliency that we need to continue to prosper in a virtual world. But I would certainly add it to the list … at the top!

 

My hopes and expectations are that Howard Schmidt understands all of these issues and, through his experience (both positive and negative), knows how to get things done. He needs President Obama’s direct, active and strong support to implement measures that may well be unpopular and will certainly be costly. But we can no longer afford to be reactive, because we know for sure that the hackers are already working on the next version of attack.

 

Howard has a difficult and arduous set of tasks ahead of him. He brings to it both successful and failed attempts to get the job done. He has surely learned from these and understands what does and does not work. It is so important that he gets total support from every involved constituency and that he is given the opportunity to pull it all together and make it happen. We all owe him this … and we owe it to ourselves. 

What do you want to tell Howard Schmidt - comment here.

 

 

2010 Predictions - Trojans, Botnets and More

Friday, January 8, 2010 by Pam Casale
McAfee predicts that Facebook, Twitter and third-party applications on these sites will experience rapid change and that these companies are adopting new technologies to defend themselves. "Users will become more vulnerable to attacks that blindly distribute rogue applications across their networks. . . " Going rogue is popular in 2010.

McAfee also predicts that cybercriminals will "take advantage of trusted friend links to get users to click on what they might otherwise treat cautiously". And, if protecting information assets weren't already difficult enough, the company predicts that web evolution will provide cybercriminals with extended opportunities to develop new hacking programs. "McAfee research shows that internet hackers are expected to attack Adobe and Flash applications in 2010."

The good news - threat detection, security management and international law enforcement agencies are making progress to identify, track and combat cybercrime.

I asked Intellitactics Solution Architects what advice they have to combat cybercrime. These guys are out there every day working alongside some of the most sophisticated security teams in security-aware companies around the world. Over the next few days, we'll be featuring their suggestions.

Dave Broggy says that companies should consider moving toward 'static' workstations. Some of his clients are experimenting with thin clients like Sun Rays for internal and remote use. He suggests that the more static workstations and web sites become, the more effective HIDS tools will be - making apps like Tripwire and McAfee CCM even more valuable.

Use virtualized environments to isolate applications that use sensitive data (MS Office) and put outside-facing applications like web browsers into different virtualized compartments. Each VM can be isolated to specific trusted resources, which could be monitored by our SIEM solution - ISM. Here's an example of what you could do: Alert if a specific VM accessed a non-authorized trusted resource.


THANKS DAVE!
Check back to get more tips on Monday. In the meantime tell us what you think of these ideas or share one of your own!

Cybersecurity Coordinator - More on Howard Schmidt

Friday, January 8, 2010 by Pam Casale
Deciding what to prioritize and how much to spend on enterprise security is often motivated by fear - fear of headlines, fear of audit results, fines or legal action. In the second part of this series on cybersecurity and the new Coordinator, Howard Schmidt, Warren Axelrod shares his hopes for Schmidt, his concerns about how fragile the security of the world really is, and what we can expect.


From the desk of Warren Axelrod:  Perhaps the real problem with advocating cyber security measures is that fear of a cyber event is much less horrific in people’s minds than a physical terrorist attack in which individuals are injured or killed. It is extremely difficult to convince policy makers and those controlling the purse strings that the economic impact of a major cyber attack might be far greater than for a physical attack, and understandably so. In this regard, the new national cyber security coordinator has his work cut out for him.

 

I think that it is very important to recognize that Mr. Schmidt’s position is that of a coordinator, not a “czar.” That is to say, he is tasked with bringing all the various pockets of expertise and capability together to address the challenge of protecting the Nation’s critical cyber infrastructure. The expectation of previous incumbents in the so-called cyber security czar role was to have the power and the resources to effect progress in the back-sliding effort of the United States in protecting its cyber environment. However, the resources lie elsewhere, as was graphically depicted in Rod Beckstrom’s leaked letter of resignation, which you can read at http://epic.org/linkedfiles/ncsc_directors_resignation1.pdf 

In short, Mr. Beckstrom expressed disappointment that he was unable to assemble a large enough group to achieve what he believed he had been expected to accomplish.

 

Given that the now-defined role of Cyber Security Coordinator is one of bringing together all the various interests and capabilities within and between government and the private sector, I happen to believe that Howard Schmidt is particularly well qualified for the job.

More than anyone else whom I know, Howard has experience in many segments of the public and private sectors in many roles and with varied responsibilities. His résumé is outstanding in this regard. Not only has he actually worked in the private sector, for Microsoft and eBay, but he has experienced first-hand a White House role (along with Richard Clarke). In addition, he has served the information security profession well as a leader of organizations such as the ISSA and ISF. There is no question in my mind as to his outstanding commitment to the information security profession and the protection of the Nation’s cyber infrastructure.

 

The issue on the table is whether he can be effective in what I consider to be our last remaining opportunity to shore up the networks and systems upon which we have become so dependent.

Tell us what you think about Howard Schmidt's chances and check back here tomorrow for the conclusion of this series on cybersecurity.

Terrorists Still Fly and Other Cybersecurity Lessons

Friday, January 8, 2010 by Pam Casale

Imagine a systematic way of securing the enterprise or protecting information assets. Could it be that enterprise security will always be reactive? Is it far-fetched to think that proactive practices to protect information assets might be the norm in the future? Warren Axelrod shares some insights on cybersecurity and on Obama's new cyber chief, Howard Schmidt: his hopes for Schmidt and the impact he can have on security programs across the board. This is the first of a two-part feature from the desk of Warren Axelrod.

If the recent airplane terrorist incident is any indication, we continue to forge ahead with our security programs, in both physical and cyber worlds, with our eyes and minds concentrating on the rear view mirror. Consequently I was pleased to see that the December 29, 2009 New York Times featured an Op-Ed article, “After Eight Years, Terrorists Still Fly,” by Clark Kent Ervin (any relation to Superman?). As Mr. Ervin, who was Inspector General for both the Departments of State and Homeland Security, aptly states with respect to airline terrorism:

 

“We always seem to be at least one step behind the terrorists. They find one security gap … and we close that one, and then wait for them to exploit another. Why not identify all the vulnerabilities and then address each one before the terrorists strike again?”

 

This is at least equally the case with cyber security. My co-editors, Jennifer Bayuk and Dan Schutzer, and I drew attention to this in our book, Enterprise Information Security and Privacy (Artech House, 2009). The book is featured in the Intellitactics podcast “Busting Security Myths” available at www.intellitactics.com/int/research/podcasts.asp. My favorite quote, which was used in the book, is by Marshall McLuhan, who said:

 

“Our Age of Anxiety is, in great part, the result of trying to do today’s job with yesterday’s tools and yesterday’s concepts.”


So what does this all have to do with Howard Schmidt?

Howard was appointed to the role of Cyber Security Coordinator by the Obama Administration on December 22, 2009, following a prolonged search beginning on May 29, 2009. On that day President Obama announced the position in a much-heralded speech on cyber security. While I don’t have any inside information on this, I would guess that some of the delay resulted from having to decide whether the cyber security position should report to the National Economic Council (NEC) as well as to the National Security Council (NSC).

 

I was pleased to see that the eventual position does not matrix report to White House economic advisor Larry Summers, head of the NEC, since I (as someone with a Masters degree in economics) question whether many economists really understand information technology and security issues. However, it should be noted that, in a December 21, 2009 article in The Huffington Post, with the title “Howard A. Schmidt Tapped To Be Obama’s Cybersecurity Czar,” Lolita C. Baldor reports that “Schmidt will … closely support the National Economic Council on cyber issues.” The article also points out that Larry Summers reportedly preferred candidate Schmidt.

While we don’t know exactly what the relationship will be, I believe that it is appropriate that the role supports the NEC but is not guided by it. We shall have to wait to see what happens in this regard.

What do you think Howard Schmidt's top priority should be? Check back tomorrow for more on cybersecurity, Schmidt and more.

2010 - out with the OLD and in with the NEW

Thursday, December 31, 2009 by Pam Casale

From everyone at Intellitactics, the SIEM Solutions company, I'd like to wish you a Happy New Year!

In my family, we have a tradition I'd like to share with you. We're Italian so it includes eating of course, but more important on New Year's Eve we write ourselves a note about the one thing we want to change or that we regret or that we're sorry for from the current year and we ceremoniously throw the notes into the fireplace. We watch all the regret, sorrow and procrastination go up in smoke.

This leaves us with a lightness of being and hope for what the new year may bring. We fill our hearts with second chances and forgiveness. We all sleep well.

Finally we each put a dime on a window sill to bring us prosperity in the new year. So put out your dimes and please accept our warm wishes for a good night's sleep and a little extra cash coming your way to smooth out the rough spots.

As you celebrate the promise of the new year or you celebrate the close of a tough year, be safe. Somewhere, one of us will be toasting you - interested friends, loyal enterprise security management software customers! To life!

 

Citigroup says NO BREACH

Tuesday, December 29, 2009 by Pam Casale
This is a story that James Patterson should be writing.

The FBI says that it is investigating a major breach at Citigroup with ties to a Russian cybercriminal organization which spanned several months to a year. Protecting information assets is difficult when the attackers are organized criminals.

Citigroup, whose Citibank subsidiary was the alleged victim of the attack, says the attack didn't happen. Joe Petro, managing director of Citigroup's security and investigative services, told the Wall Street Journal: "We had no breach of the systems and there were no losses, no customer losses, no bank losses."

The details of the purported breach are consistent with attacks by Eastern European gangs: the intruders understand their target, how it does business and how the business systems are organized. These attackers are sophisticated enough to challenge enterprise security management systems and professionals.

But the disturbing inconsistency is that Citigroup denies all allegations of a breach and the FBI won't comment. What's going on here? Could it be that, with the federal government holding a 27% stake in Citigroup, protecting the already battered stock price might be limiting fair disclosure? Will the new cybersecurity czar, Howard Schmidt, be looking into this story? Is the FBI trying to avoid laying off investigators by making busy work? Is there a plot against Citi by an FBI agent whose credit limit was cut just before the holiday? Will the investigating agents get a hike in their credit card interest rates?

Oh wait - that's happening to everyone, not just FBI investigators. Maybe I should leave the fiction to James Patterson. Only two days left in 2009.

How would James Patterson write the ending to this story?

NEW Cybersecurity Czar - Enter Howard Schmidt

Monday, December 28, 2009 by Pam Casale
If you're working every day to protect information assets by implementing a comprehensive enterprise security management infrastructure, this is a story you might be following - Obama Announces a CyberSecurity Czar. First, it shows there's recognition at the highest executive level that cybersecurity will require a collaborative approach. Second, it validates what you already know - there is no simple, one time, you're good to go solution for securing and protecting information assets. Threat monitoring, policy enforcement, log data warehouses aside - securing American networks and ensuring organized response requires a national response to keep us safe and strong.

The debate over whether this new position has the teeth or budget to make a difference continues. There are rumors of power struggles between the National Security Agency and the Department of Homeland Security and this in addition to clandestine and separate efforts by the DoD and other federal agencies.

Alan Paller, director of the SANS Institute, suggests that Schmidt's priorities will be driven by cybersecurity events: "Each event, whether it's a major new vulnerability discovered that the government needs early access to [something like the Predator drone issue] will chew up a substantial amount of his time."

So who is Howard Schmidt? He has a technical background and experience in both private industry (eBay and Microsoft) and the public sphere (Information Security Forum) to get to the root of real security issues and threats. Schmidt has also worked in federal and local law enforcement, and he served in the Bush White House as chairman of the Critical Infrastructure Board and special advisor for cyberspace security.

There's a lot to do because national information security policy has basically been put on hold waiting for Schmidt's appointment. Schmidt will be working with Vivek Kundra, the federal CIO, and Aneesh Chopra, the federal CTO.

We'll be watching to see what the New Year brings and we're wishing Howard Schmidt all the best for the NEW YEAR!!

Holiday Message - From Intellitactics

Wednesday, December 23, 2009 by Pam Casale

If you're a parent, you may have used the "Santa's watching" threat to control the excess energy of the children in your home. We used elaborate ploys to distract ours when they were young. These were effective before and after the holiday - remember, Santa can come and take back what he brought if they don't keep up their good behavior :) This is threat management at its best!

Here are a few of the techniques that worked:

Take a potato, cut it in half and carve a reindeer hoof (whatever you think that looks like). Next, after you put them to bed, put hoof prints in the snow where they can see them in the morning - this is evidence that Santa was indeed checking on them. Easier than deploying a SIEM solution - right?

Create notes from Elmo Elf - the brains behind the elf brigade - place them strategically: by the peas they won't eat, by the toothbrush they won't use, by the soap that is dry after a bath, by the trash waiting to be carried to the curb. Elmo reminds them that the task sits between them and whatever they think Santa is bringing. Elmo is the brains behind your enterprise security management systems - didn't you know that?

"Santa notes" under the pillow specifically pointing out some bad behavior from the day before and what that could mean to the Christmas morning loot. They work just like compliance reports you send to password abusers.

One more thing that we did and still do: For every "new" thing you ask for or expect to get, you take one slightly used toy, book, coat or pair of gloves and donate to a family shelter in your area. You give in advance of getting. There are kids everywhere that won't be getting what they asked for - the toys that have fallen into the forgotten pile could be the special gift that makes Santa real for them. 

Now, give them a hug, treasure the 6 AM wake up on Christmas morning - because they grow up faster than you can imagine. The memories just keep on giving.

SIEM Solution Do's and Don'ts

Wednesday, December 23, 2009 by Pam Casale
IDC and Gartner estimate that companies spent between $700M and $1B on SIEM solutions since 2008 and expect a 30% increase in SIEM solution spending.

Spending they say is largely related to regulatory compliance, with secondary requirements for effective threat monitoring.

PCI-DSS compliance requires log management and SOX compliance requires privileged user reporting.

It's the secondary requirements that are more interesting. Lots of companies offer log management - Intellitactics is one of them and there are about 20 more of them. But fewer companies offer real time capabilities for dealing with security complexity. Intellitactics SIEM solutions feature real time event management and operational reporting to improve detection and accelerate response.

I read Jon Oltsik (ESG) when he said: "There is an acute awareness that security attacks are more sophisticated and that security at a system level is harder than at the device levels." He suggested that there is a need to ". . . replace early SIEM platforms that don't scale or provide the right level of analytics and reporting capabilities."


This makes me wonder: "What are companies waiting for?" Not only are companies delaying action to get a SIEM or replacing those "old platforms", they are seriously considering the latest promise of total security through log searching.

We like the five critical capabilities of SIEM defined by Gartner:
  1. Compliance reporting - emphasis on user and resource access reporting
  2. SEM - real time data collection, security event console, event correlation and analysis and incident management support
  3. Deployment and support simplicity - scalability and deployment flexibility
  4. User and resource access analysis - moving from activity monitoring to exception analysis required for fraud detection and breach discovery
  5. And of course, log management
Tomorrow - more do's and don'ts contributed by recent buyers of SIEM solutions.

Making Customers Successful - Enterprise Security Management Solutions

Thursday, December 17, 2009 by Pam Casale
Intellitactics is a people company. We are a technology company, of course, developing software and providing appliances for enterprise security management. But, what our customers remember most is interacting with the people of Intellitactics. Yes, they're smart and have a lot of security experience, all certified with lots of training. But what separates them from other companies is their passion for success. Not ours so much - yours.

Selling lots of Intellitactics SAFE and Intellitactics Security Manager is what we work for, but what we really treasure and use to measure our success is what you are able to do with our SIEM solutions. So today, I want to send out birthday wishes to Jamie French. He's a sales engineer extraordinaire. Many companies know Jamie. He may have introduced them to Security Manager or helped them adapt their SIEM solution to their enterprise requirements. He may have advised them on defining the scope of their PCI initiative. Jamie is a former SANS instructor, a certified security professional and a great dad and ice fisherman - I'll bet not many people know this!

Today's his birthday! Wish him a Happy Birthday or really make his day by registering for a SAFE demonstration!

Enforce Administrative Privileges - SIEM Solutions

Thursday, December 17, 2009 by Pam Casale

Control 8: Controlled Use of Administrative Privileges

How can this control be implemented, automated, and its effectiveness measured?

Previously, we shared how attackers exploit the lack of this control. Following is a very detailed list of processes and suggestions for monitoring and measuring this control to improve security effectiveness and efficiency. Intellitactics SIEM solutions offer many opportunities to prevent misuse of administrative privileges.

For example: the list of accounts with super-user privileges is an important data source for the Intellitactics SIEM. This data is regularly correlated with other data/logs to enable management of privileged users. Many of the manual tasks suggested here can be automated using the Intellitactics SIEM. By automating the tasks, they can be monitored and reported, and anomalies or deviations from policy can generate alerts or notifications to users and/or their managers. Summaries become reports that can be scheduled and distributed using the SIEM.

 

1. Organizations should inventory all administrative passwords and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive and that his/her administrative password has at least 12 semi-random characters, consistent with the Federal Desktop Core Configuration (FDCC) standard.

 

2. Before deploying any new devices in a networked environment, organizations should change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to a difficult-to-guess value.

 

3. Organizations should configure all administrative-level accounts to require regular password changes on a 30-, 60-, or 90-day interval. This activity can be monitored by Intellitactics; additionally, physical security badge swipes or biometrics can be correlated with password use to determine, for example, whether the owner is physically on premises.

 

4. Organizations should ensure all service accounts have long and difficult-to-guess passwords that are changed on a periodic basis, as is done for traditional user and administrator passwords.

 

5. Passwords for all systems should be stored in a hashed or encrypted format. Furthermore, files containing these encrypted or hashed passwords required for systems to authenticate users should be readable only with super-user privileges.

 

6. Organizations should ensure that administrator accounts are used only for system administration activities, and not for reading e-mail, composing documents, or surfing the Internet.

 

7. Through policy and user awareness, organizations should require that administrators establish unique, different passwords for their administrator accounts and their non-administrative accounts. On systems with unsalted passwords, such as Windows machines, this approach can be verified in a password audit by comparing the password hashes of each account used by a single person.

 

8. Organizations should configure operating systems so that passwords cannot be reused within a certain time frame, such as six months. This task can be automated using the Intellitactics SIEM solution. Users trying to reuse passwords are immediately identified, and alerts or notifications can be sent to the user and their manager notifying them of the policy violation.

 

9.     Vis/Attrib: Organizations should implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior (e.g. system reconfigurations during night shift). Enabled by Intellitactics SIEM.

 

10.   Vis/Attrib: Organizations should configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators group. Enabled by Intellitactics SIEM.

 

1.     Config/Hygiene: All administrative access, including domain administrative access, should utilize two-factor authentication.

 

2.     Config/Hygiene: Remote access directly to a machine should be blocked for administrator-level accounts. Instead, administrators should be required to access a system remotely using a fully logged and non-administrative account. Then, once logged in to the machine without admin privileges, the administrator should transition to administrative privileges using tools such as sudo on Linux/UNIX, run-as on Windows, and similar facilities on other types of systems.

 

3.     Config/Hygiene: Organizations should conduct targeted spear-phishing tests against both administrative personnel and non-administrative users to measure the quality of their defense against social engineering.

 

4.     Advanced: Organizations should segregate administrator accounts based on defined roles within the organization. For example, “Workstation admin” accounts should only be allowed administrative access of workstations, laptops, etc.

 

Associated NIST SP 800-53 Rev 3 Priority 1 Controls: AC-6 (2, 5), AC-17 (3), AC-19, AU-22(4)

Procedures and tools for implementing this control:

Other Guidance: Built-in operating system features can extract lists of accounts with super user privileges, both locally on individual systems and on overall domain controllers. To verify that users with high privileged accounts do not use such accounts for day-to-day web surfing and e-mail reading, security personnel could periodically gather a list of running processes in an attempt to determine whether any browsers or e-mail readers are running with high privileges. Such information gathering can be scripted, with short shell scripts searching for a dozen or more different browsers, e-mail readers, and document editing programs running with high privileges on machines. Some legitimate system administration activity may require the execution of such programs over the short term, but long-term or frequent use of such programs with administrative privileges could indicate that an administrator is not adhering to this control.
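The process check described above, written out as an added example (it is not from the SANS document or from Intellitactics): a POSIX shell script that flags browsers, mail readers and document editors running under a privileged account. The list of watched programs and the privileged account names are assumptions, and the ps snapshot is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: flag interactive programs (browsers, mail readers, office
# suites) running under a privileged account. In production feed the output
# of `ps -eo user,pid,comm` into check_privileged_apps (for example from cron);
# here a constructed snapshot is embedded instead.

# Programs an administrator should not normally run with elevated privileges.
# This list is an assumption; extend it to match the software in your estate.
WATCHED_APPS="firefox chrome chromium thunderbird evolution mutt libreoffice soffice acroread evince"

# Accounts treated as privileged. "dbadmin" is a constructed name for the
# example; on a real host derive the list from the wheel or sudo group.
ADMIN_ACCOUNTS="root dbadmin"

# check_privileged_apps reads "user pid comm" lines on stdin (the format of
# `ps -eo user,pid,comm`, header allowed) and prints one "user pid comm" line
# for every watched program owned by a privileged account.
check_privileged_apps() {
    while read -r user pid comm; do
        [ -z "$user" ] && continue          # skip blank lines
        [ "$user" = "USER" ] && continue    # skip the ps header
        for admin in $ADMIN_ACCOUNTS; do
            [ "$user" = "$admin" ] || continue
            for app in $WATCHED_APPS; do
                if [ "$comm" = "$app" ]; then
                    printf '%s %s %s\n' "$user" "$pid" "$comm"
                fi
            done
        done
    done
    return 0
}

# count_privileged_apps reads the same input and prints only the number of
# matches, which is convenient for a threshold alert.
count_privileged_apps() {
    check_privileged_apps | wc -l | tr -d ' '
}

# Constructed process snapshot: two findings (root running firefox, dbadmin
# running thunderbird) and several lines that should not be reported.
SAMPLE_PS='USER PID COMMAND
root 1 init
root 812 sshd
alice 1203 firefox
root 1450 firefox
dbadmin 1502 thunderbird
bob 1610 libreoffice
root 1777 vim'

# Run against the sample; each printed line is a control violation to review.
printf '%s\n' "$SAMPLE_PS" | check_privileged_apps
```

A single occurrence may be legitimate short-term administration, as the guidance notes; the finding worth escalating is the same account and program appearing across many snapshots.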

 

Additionally, to prevent administrators from accessing the web using their administrator accounts, administrative accounts can be configured to use a web proxy of 127.0.0.1 in some operating systems that allow user-level configuration of web proxy settings. Furthermore, in some environments, administrator accounts do not require the ability to receive e-mail. These accounts can be created without an e-mail box on the system. To enforce the requirement for password length of 12 or more characters, built-in operating system features for minimum password length can be configured, which prevent users from choosing short passwords. To enforce password complexity (requiring passwords to be a string of pseudo-random characters), built-in operating system settings or third-party password complexity enforcement tools can be applied.

For more on SANS visit www.sans.org or schedule some time to talk with a Solutions Architect to learn how a SIEM solution can make a difference for your team.

Critical Security Control 8 and Your SIEM Solution

Tuesday, December 15, 2009 by Pam Casale


Critical Control 8: Controlled Use of Administrative Privileges

A central tenet of the US Comprehensive National Cybersecurity Initiative (CNCI) is that “offense must inform defense.” This means that actual attacks that have compromised systems provide the essential foundation on which to construct effective defenses. The US ICE Act of 2009 (the new FISMA) makes this tenet central to its cyber defense initiative. Because federal agencies don’t have unlimited money, they hope to meet the ICE requirements by establishing a baseline of information security measures and controls that can be continuously monitored through automated mechanisms. This is where an effective implementation of a SIEM solution makes all the difference.

The reporting function of the Intellitactics SIEM solutions provides a report tree that is aligned to best practice controls - just like the ones suggested by the US ICE Act 2009. Effective and efficient security requires automated monitoring of critical controls. High speed searching of billions of logs is an entertaining way to view all the logs you've collected, but a SIEM solution offers actionable reports and supports real time management of security events.

How do attackers exploit the lack of this control?

According to some Blue Team personnel as well as investigators of large-scale Personally Identifiable Information (PII) breaches, the misuse of administrator privileges is the number one method for attackers to spread inside a target enterprise. Two very common attacker techniques take advantage of uncontrolled administrative privileges:


In the first, a workstation user is fooled into opening a malicious email attachment, downloading and opening a file from a malicious web site, or simply surfing to a website hosting attacker content that can automatically exploit browsers. The file or exploit contains executable code that runs on the victim’s machine either automatically or by tricking the user into executing the attacker’s content. If the victim user’s account has administrative privileges, the attacker can take over the victim’s machine completely and install keystroke loggers, sniffers, and remote control software to find administrator passwords and other sensitive data.

 

The second common technique used by attackers is elevation of privileges by guessing or cracking a password for an administrative user to gain access to a target machine. If administrative privileges are loosely and widely distributed, the attacker has a much easier time gaining full control of systems, because there are many more accounts that can act as avenues for the attacker to compromise administrative privileges. One of the most common of these attacks involves the domain administration privileges in large Windows environments, giving the attacker significant control over large numbers of machines and access to the data they contain.


Right here - tomorrow - we'll look at recommendations for implementing and automating this control and tell you how the Intellitactics SIEM solutions can work for you!

Shout Out about Log Management - Sponsored by Intellitactics

Friday, December 11, 2009 by Pam Casale

It's time for the 2010 Annual Log Management Survey conducted by SANS, your trusted source for information security training and certification.
 

This is one great deal. You take the survey - it only takes 15 minutes.
Provide your contact information - it isn't required - but if you provide it you have a chance to win a $250 American Express Gift Card.
And even if you provide your contact information, SANS won't be sharing it with the sponsors - and we know this because we're a sponsor. 

In April, you'll be the first to get the survey results in a paper written by the SANS Analysts.
Your contact information is private -Check the SANS privacy policy and you'll see this is true.

So why do we sponsor this survey? We want to learn more about what you're doing with logs. Simple as that. We've all come a long way in the last five years. Most people know that there's a whole lot more to security information and event management (SIEM) than collecting and storing logs. But log management is an important part of the process, even required by regulatory standards. This survey will reflect the current thinking on log management and how you've moved ahead or how you are planning to move ahead.

So, give a shout out for log management! Tell SANS what you think and what you're doing, and everyone will benefit. And while you're taking the survey, if you wish your outcomes were better, you might be inclined to check out Intellitactics security information and event management solutions - all of which provide logging. In fact there's one right sized solution for your organization!

TAKE the SURVEY, be counted. You'll be able to use the log survey report to show your boss what a great job you're doing!

 

Defense in Depth - Predicting Attacks

Thursday, December 10, 2009 by Pam Casale

 

Simply identifying and responding to attacks may no longer be adequate to protect information assets. Real time monitoring is superior to after-the-fact forensic analysis, and both are trumped by actually predicting attacks. We think that predictive capabilities might be part of the future of SIEM (security information and event management) solutions. We asked Warren Axelrod – an industry speaker and author – what his experience has been with predicting attacks.

 

From the desk of Warren Axelrod: A while ago I read a whitepaper, “Defense in Depth Strategy Optimizes Security”. It was published by Intel and written by one of their employees at the time, Matthew Rosenquist. Mr. Rosenquist describes the multi-layer approach that Intel takes to security and includes prediction. He states that “prediction capabilities include analyzing emerging threats as well as classifying likely threat agents and their methods.” Whether this capability ever becomes commercially available, I believe that attempting to predict attacks will give us an advantage over the bad guys.

 

I recall a presentation several years ago by Ed Amoroso, CSO at AT&T, in which Ed demonstrated how creators of viruses regularly test out their “products” in advance of a major launch. After all, isn’t that the usual way new products are launched? Ed showed that, for a particular virus attacking through a specific port, you might see sporadic increased activity against the port weeks or even months ahead of the attack. If you collect the data as AT&T does, you can look back to see how this activity might have occurred, but it takes more expertise to anticipate an attack and protect against it going forward. I believe that AT&T has used such a capability to protect clients and themselves from impending attacks.

 

In my own experience, I discovered some relatively low level securities account hijacking and pump-and-dump activity months in advance of a major attack of this nature. For those not in financial services, a pump-and-dump exploit is one in which fraudsters buy a substantial inventory of low-priced, thinly-traded “penny stocks.” They then increase the price of the stock through some illegal manipulative activity or other, at which point they divest themselves of their stock holdings at a large profit. While I saw the pattern early, management wasn’t ready to accept this as a red flag for this type of attack on a large scale. Unfortunately, tens of millions of dollars were subsequently lost to this scheme.

 

These two examples convinced me that it is indeed possible to predict an attack if you’re able to connect the dots fast enough. Maybe Intellitactics is considering giving their SIEM customers the tools to predict impending attacks.

Critical Security Controls - Defending Against CyberCrime

Wednesday, December 9, 2009 by Pam Casale

SANS, the global training and certification organization for security professionals, has published an excellent resource: 20 Critical Security Controls (Version 2.3). At Intellitactics we love this document and approach. Since 2007, we’ve been showing customers how using a baseline of controls can reduce the cost of compliance with regulatory standards. Many of our customers manage to more than one standard. Federal government customers comply with stringent FISMA and NIST standards as well as HIPAA and PCI-DSS. Many are adopting critical controls to strengthen defenses against cyber warfare. We’ve borrowed from the SANS document to show by example how an automated SIEM solution, like the ones from Intellitactics, enables you to enforce these critical controls.

Previously, we looked at Control 6 in detail. Today: How can this control be implemented, automated, and its effectiveness measured?

1.     Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression (CEE) initiative. If systems cannot generate logs in a standardized format, deploy log normalization tools to convert logs into a standardized format.

 

Intellitactics SIEM solutions are infused with the intelligence to accurately collect the logs that are required for each device type or data source being monitored. The SIEM solutions are aware of what logs are required for reports (both operational and compliance), correlation, advanced correlation, analytics and incident investigation. The collection of logs can also be customized for each device or data source during a service engagement; support for devices or data sources not currently supported by Intellitactics is also available.

 

2.     Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals.

 

Intellitactics SIEM solutions are designed with adequate storage to accommodate the storage requirements prescribed by the standards. Our SIEM solutions also work with additional external storage. Both SAFE appliances and ISM, the software SIEM, connect to SAN devices if this is the preferred method for storage and archival.

 

3.     System administrators and security personnel should devise profiles of common events from given systems, so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts.

 

The advantage of Intellitactics SIEM solutions over simple logging tools is that a large percentage of this type of tuning is provided automatically by ISM and SAFE. The administrators use an interface to adapt the system to agency or regulatory policy. There are dozens of packaged correlations that reduce false positives.

 

4.     All remote access to an internal network, whether through VPN, dial-up, or other mechanism, should be logged verbosely.

 

Intellitactics SIEM solutions offer both the performance and capacity for handling these data sources without impact to the analytic or reporting capabilities of the SIEM.

 

5.     Operating systems should be configured to log access control events associated with a user attempting to access a resource (e.g., a file or directory) without the appropriate permissions.

 

This capability is used by most of the Intellitactics SIEM customers.

 

6.     Security personnel and/or system administrators should run bi-weekly reports that identify anomalies in logs. They should then actively review the anomalies, documenting their findings.

 

This task is routinely set up in the reporting function of our SIEM solutions. Likewise, immediate notification or alerting on anomalies is simple to deploy.

 

7.     Vis/Attrib: Each agency network should include at least two synchronized time sources, from which all servers and network equipment retrieve time information on a regular basis, so that timestamps in logs are consistent. Accommodated by the SIEM solution.

 

8.     Vis/Attrib: Network boundary devices, including firewalls, network-based IPSs, and inbound and outbound proxies should be configured to log verbosely all traffic (both allowed and blocked) arriving at the device. Accommodated by the SIEM solution.

 

9.     Vis/Attrib: For all servers, organizations should ensure logs are written to write-only devices or to dedicated logging servers running on separate machines from hosts generating the event logs, lowering the chance that an attacker can manipulate logs stored locally on compromised machines. Accommodated by the SIEM solution.

 

10. Config/Hygiene: Organizations should periodically test the audit analysis process by creating controlled, benign events in logs and monitoring devices and measuring the amount of time that passes before the events are discovered and action is taken.

Ensure that a trusted person is in place to coordinate activities between the incident response team and the personnel conducting such tests. This test for the health and maintenance of the SIEM is included with the solutions.

 

11.   Advanced: Organizations should deploy a Security Event/Information Management (SEIM) system tool for log aggregation and consolidation from multiple machines and for log correlation and analysis. Deploy and monitor standard government scripts for analysis of the logs, as well as using customized local scripts. Furthermore, event logs should be correlated with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools themselves is logged. And, secondly, personnel should be able to correlate attack detection events with earlier vulnerability scanning results to determine whether the given exploit was used against a known-vulnerable target.

 

These capabilities are largely automated and the intelligence for this type of correlation is included with the SIEM; this advanced capability can be deployed by any size organization regardless of the maturity or size of the security team.

 

Associated NIST SP 800-53 Rev 3 Priority 1 Controls:

AC-17 (1), AC-19, AU-2 (4), AU-3 (1,2), AU-4, AU-5, AU-6 (a, 1, 5), AU-8, AU-9 (1, 2), AU-12 (2), SI-4 (8)

Top 20 Critical Controls : Today- Control 6

Thursday, December 3, 2009 by Pam Casale

SANS, the global training and certification organization for security professionals, has published an excellent resource: 20 Critical Security Controls (Version 2.3) in cooperation with CSI. SANS suggests that these Critical Controls should be subject to automated collection, measurement and validation. While this document was created for federal agencies working to comply with NIST practices and FISMA standards, the same controls are also prescribed by the ISO standards. We’ve borrowed from the SANS document to provide context to discuss the value you get from an automated SIEM solution, like the ones from Intellitactics.

Today we’re introducing and looking at Control 6 in more detail.

CONTROL 6: Maintenance, Monitoring and Analysis of Audit Logs

From SANS: How do attackers exploit the lack of this control?

Deficiencies in security logging and analysis allow attackers to hide their location, malicious software used for remote control, and activities on victim machines. Even if the victims know that their systems were compromised, without protected and complete logging records, the victim is blind to the details of the attack and to the subsequent actions taken by the attackers.

 

Many organizations keep audit records for compliance purposes but attackers rely on the fact that such organizations rarely look at the audit logs so they do not know that their systems have been compromised. Because of poor or non-existent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target organization knowing, even though the evidence of the attack has been recorded in unexamined log files.

 

This is one of the most fundamental uses of Intellitactics SIEM solutions, Security Manager and Intellitactics SAFE (appliance): automating the collection and review of audit logs. The logging is done continuously, and the raw logs and parsed logs or events are not only stored as prescribed but are easily accessible and retrieved. The interfaces are designed to minimize clicks and increase productivity.

 

The SIEM solution automatically correlates events looking for logs that indicate suspicious or out of scope behavior. The advantage of an automated SIEM over manual log review is that the SIEM generates an alert or notification, so the security administrator can quickly begin investigation, further searching of logs or visual analysis of an evolving attack involving a specific source or target. Intellitactics SIEM solutions enable consistent logging and automated examination of log files to uncover control violations or attacks in progress.

 

Tomorrow: How can this control be implemented, automated, and its effectiveness measured?

Cyberwarfare - Protecting Information Assets

Thursday, December 3, 2009 by Pam Casale

Now that you've enlisted in the army sworn to protecting information assets, you find yourself engaged in warfare against wily cyber criminals that spend their time preying on the unprepared and on the known vulnerabilities of systems and applications. Protecting information assets involves many best practices. In this follow up to his piece earlier in the week on cyberwarfare, Warren Axelrod provides an unorthodox practice for improving preparedness. While it might be "out there" it sounds like fun!

From the desk of Warren Axelrod:
Here’s a suggestion: Why not sponsor some brainstorming sessions in which those who really understand the subject systems and processes try to imagine what an attacker might possibly do to breach the system or foil security? It’s a tough assignment.

 

Here are a couple of guidelines that might help:

·  Research what has happened to others and make sure that you monitor for such behavior and implement defenses against anticipated attacks.

·  Extrapolate incidents from other environments, particularly in the physical world. Read some spy novels, crime stories and science fiction. See movies and videos such as “Live Free or Die Hard.” Some experts have called the latter far-fetched, and many of the exploits may indeed be over the top (such as Bruce Willis’s encounter with a jet fighter). But some of the fictional hacks contain elements of the possible. Collect those and insert them into your what-if scenarios.

 

Some have said that a good enterprise security management professional should think like a criminal. I think that’s a little extreme – there are plenty of real-life events retold by the media and plenty more that flow from the fertile imaginations of writers and filmmakers. Research is the key to preparedness. It’s more rewarding than trying to emulate the warped mind of the unknown attacker.