[ISN] Hackers are real-time. Are you?
From: InfoSec News (isnc4i.org)
Date: Tue Mar 01 2005 - 03:47:35 CST
By Phil Hollows
From a Sarbanes-Oxley Section 404 perspective, any breach in IT
security represents a risk to an internal system - including those
covered by the standards implicit in section 404's mandates. Since IT
underlies the very business of recording and reporting all financial
activity, it follows that a lack of control over IT security would
imply a lack of control over the organization's financial reports, in
direct violation of SOX section 404.
Since any compromised IT system - or an unmanaged attack that could
create a compromise - can then be used to attack, compromise and
degrade the integrity of the IT systems supporting a covered firm's
financial systems, section 404 of Sarbanes-Oxley carries with it the
mandate to properly secure IT enterprise-wide (or, at least, to the
point where the CEO, CFO and independent auditors are comfortable with
the level of risk management applied to protecting corporate IT in
general and financial IT systems specifically). As a result of the
efforts of organizations such as the ISACA, COBIT and PCAOB,
frameworks and standards such as COSO have emerged that explicitly
address the role of IT security in achieving SOX compliance.
Taking Strategic Control of Security with SIM
Security information management (SIM) solutions are an emerging class
of products that enable compliance through provable, fast threat
detection, management, and containment. Affordable, easily managed
real-time security monitoring and correlation solutions offer a
compelling way for public companies to comply with the implicit IT
security mandates of SOX. Moreover, the reporting and full logging
storage capabilities of SIM products allow companies to prove that
security policies are being correctly followed - even providing an
integral framework to guide operators to respond to security threats
and incidents in a consistent, compliant manner. Finally, in addition
to enabling compliance with SOX regulation, SIM products can provide a
very low-maintenance security management framework to reduce the
workload placed on IT security in general, improve security operations
effectiveness, and enhance a company's ability to proactively mitigate
high-risk threats before they become successful exploits.
The strategic opportunity for IT in public companies is therefore to
think beyond the immediate compliance deadline and look to establish
controls that ease compliance with tighter regulations over time, as
well as ensuring that, if needed, the changes wrought to satisfy SOX
can stand up in court. Building a defensible position against a
class-action shareholder suit is one of the unfortunate situations
that IT organizations need to plan for as they move forward
implementing their compliance activities. As the financial scandals in
the early part of the decade showed, having an auditor sign off is no
guarantee that lawsuits can be avoided, and SOX section 302 makes it
clear that CEOs and CFOs are personally liable for any material
In terms of established IT compliance frameworks, although PCAOB's
Auditing Standard No. 2 does reference IT controls, it does not
specify the IT controls an organization should deploy in order to be
compliant with SOX. However, COSO specifically calls out IT security
monitoring as follows:
"Security monitoring - Building an effective IT security
infrastructure reduces the risk of unauthorized access. Improving
security can reduce the risk of processing unauthorized transactions
and generating inaccurate reports, and can ensure a reduction of the
unavailability of key systems if applications and IT infrastructure
components have been compromised."
The ITGI's IT Control Objectives document, which provides specific
recommendations based on COSO to guide compliance activities,
specifically identifies the need for a security monitoring control:
"IT security administration monitors and logs security activity, and
identified security violations are reported to senior management."
It's clear: to meet the SOX general IT security requirements,
organizations need to deploy multiple security point solutions such as
firewalls, intrusion detection systems (IDS), anti-virus systems and
others. That's a given.
But simply deploying point solutions on networks, servers or desktops
does not, by itself, satisfy the security monitoring requirement
implied in Section 404. A true monitoring solution must show that the
products deployed to protect a company's critical assets are, in fact,
working properly. The only way to be successful in meeting this
requirement is to collect, manage and save the relevant threat data
from the individual security point solutions.
SIM extends the real-time monitoring of events detected by network and
application security systems by enabling operators to detect and
manage threats to the integrity of the company's financial systems,
looking at alerts from across the entire enterprise. And SIM provides
real-time, actionable information, not monthly reports that end up in
an auditor's filing cabinet.
Correlation: Finding the Threat Needle in the Security Haystack
But identifying threats that can cause an incident from the data that
enterprise security systems report quickly creates a massive
challenge. With large populations of security solutions to monitor, IT
security professionals need to collect disparate information from
diverse sources, quickly assess its impact, and make timely decisions
before major damage is done. They also need a way to keep all this
information in a convenient place for reporting purposes. But the data
volumes are colossal - many millions to billions of log entries are
recorded by an enterprise's systems every day. Threats need to be
identified from this massive data stream and dealt with, and the data
needs to be stored without requiring warehouses full of expensive
storage area networks. And then a determination needs to be quickly
made - is this threat real? How much risk does it represent? And how
should it be managed?
Worse yet, as we all know, IT security challenges are growing
enormously as an increasing number of diverse security products are
deployed to combat an increasing number of threats, exploits and hackers.
As technologies such as the 802.11 series of wireless protocols emerge
that render notions like the secure perimeter increasingly irrelevant
and porous, the number of security systems that need to be deployed
and monitored will only continue to grow, day in and day out.
For each class of security system, organizations are faced with many
choices of firewalls (network, application and protocol-based),
intrusion detection and prevention systems (IDS and IPS), anti-virus
(AV) systems, virtual private networks (VPN), host-based protection
and a range of dedicated network security appliances. Indeed,
monitoring network systems, such as routers and switches, for suspect
activity is now a fact of life since these, too, have known
vulnerabilities that can be exploited. Every organization's security
strategy will involve some combination of these techniques, depending
on their strategic goals and acceptable degree of risk.
Real-time security event correlation is the key to making this
mountain of data manageable again. A typical SIM system will:
* Collect log file and event data from multiple security, network and
* Normalize and correlate these events in real-time to identify threats
before they become security breaches.
* Prioritize threats according to risk-based event weighting, target
vulnerability, asset value and historical activity.
* Maintain a threat database, including a taxonomy of known threats,
vulnerabilities and exploits.
* Provide extensive threat, attack and forensic reporting and analysis
* Enable automated and guided operator actions for consistent incident
The goal of a SIM, when considering existing costs and workloads of
compliance implementation teams, must be to deliver these capabilities
in as minimally invasive a way as possible, and as a result of the
correlation, ultimately reduce the time and resources spent in
incident response. Is this practical? In a recent eWeek article, one
SIM user, Adam Hansen, of law firm Sonnenschein, Nath and Rosenthal,
described his firm's experience after recently deploying a SIM. His
SIM monitors 9 million daily security events and accurately identifies
20 or 30 events of interest. From there, the firm's administrators
need to investigate only one to three events a day. "We reduced our
incident response time from 24 hours to minutes," said Hansen. "We
deal with an event as soon as it happens rather than look at a log."
Hansen's experience is not unique. According to ComputerWorld, Scitum
SA, an MSSP, recently reported an event reduction factor of 10,000
after deploying a SIM in their security operations center.
Monitoring and Vulnerability Management - A Comprehensive Risk
These examples are impressive feats, to be sure. But does that mean
SIM is right for all organizations? Managers might think they don't
need SIM, particularly when investing in a comprehensive, and
undoubtedly expensive, set of vulnerability management products and
An ounce of prevention is worth a pound of cure, it's true. Many
security systems and technologies have been deployed to prevent
intruders from accessing high value systems. First came firewalls -
then the mail worms, the web buffer overflows, and the RPC exploits
marched right through the open ports to wreak havoc on their targets
on the inside. IDS arrived, but didn't actually stop anything. Then
IPS, and next, who knows? If there's a lesson to be learned, it is
that no matter what technology is deployed, it will have a flaw, a way
to be defeated, or will be so distrusted (e.g. too many false
positives) as to be functionally useless.
Enter vulnerability management solutions. The premise is simple and
seductive. If there are no vulnerabilities to exploit, there is no
risk. Identify and mitigate the open vulnerabilities and risk is
eliminated - there's nothing to compromise. The good guys win. Right?
IT security managers should be engaged in actively managing system
vulnerabilities and nobody should counsel otherwise. However, they
should do so rationally, methodically, and with understanding of the
risks and rewards at each step.
What is absolutely not true, however, is that every system can be
patched perfectly - at least, not in a timely, cost-effective manner.
An organization simply cannot patch against social engineering (i.e.
persuading a human to do something for you that you can't, like
resetting an administrative password). It cannot patch against a
careless or corrupted employee placing a wireless access point inside
your network, completely bypassing your perimeter defenses. It cannot
patch a system against weak physical security. It cannot patch against
someone emailing a customer list to a competitor. It cannot patch
systems it's unaware of, such as embedded databases or web servers. For
example, if an organization's engineering group uses a product like
Ghost to re-image test machines, any patches it applies could be here
today and gone tomorrow.
It's clear: Even with an extensive and comprehensive vulnerability and
patch management program in place, it remains vital to monitor
security systems. Remember, from the bad guys' perspective, there's
always a workaround. There's always a signature that the system
doesn't know about. There's always a new user the anomaly detector
hasn't discovered. There's always a careless default installation or a
system that hasn't been gotten round to yet. There's always a
thoughtless user to social engineer through. There's always someone to
corrupt, a system to bypass, a new trick to employ.
So, one of the biggest mental hurdles to overcome when thinking about
risk mitigation and prevention planning is accepting the fact that it
is impossible to get 100% of vulnerabilities removed using a patching
It can't be done. It won't ever be done. Plan for it.
Ultimately, this is how SIM complements vulnerability management.
Section 404 requires monitoring security. Prudent risk management also
says companies shouldn't put all their security eggs in the
vulnerability management basket. A mature, compliant IT security
organization will deliver strong mitigation and monitoring solutions,
and also have a well-defined (and practice, practice, practice!)
containment and incident response strategy - requiring all three legs
of the stool.
SIM: Automating Real-Time Risk Analysis for Compliance
Risk - its acceptance, mitigation or transference - is at the
heart of IT security planning and monitoring. The analysis of an
attack event from a single device is relatively meaningless. There is
no context within which to judge its relevance and importance. By
using SIM to evaluate individual events in the context of the
real-time enterprise threatscape, it becomes possible to assign a
risk value to each individual event.
Implementing a security monitoring solution without the ability to
manage log collection from different sources, quickly triage events
using a risk-based approach, and meet response-time targets risks
failure - unless a SIM solution is in place. A good, risk-based
approach will enable the SIM to determine the following criteria,
adjust the risk weight appropriately for each event detected, and
then alert intelligently based on a defined risk profile. The following
sample factors show how the view of an event's risk changes based on
* The source of an attack: Inside or outside? A new guy or a
* The target: A print server or the database holding customers' social
* The exploit being used: A simple probe, or something that gives the
hacker complete control?
* The vulnerability of the target: Is the system vulnerable? And how
old is the scan?
* The user: Is someone pretending to be an administrator?
* Activity: Have we seen this before? Is it a persistent pattern, or
an apparent one-off?
All of this analysis needs to happen in real-time so that
organizations can anticipate and manage a breach immediately. Running
a retrospective report is too little too late, and by no means a
"monitoring solution." By the time such a report is read, the
organization has already been compromised. Game over.
Going Beyond Compliance to Better Security
The ability of a SIM to accurately identify threats can yield enormous
savings in terms of operational efficiency. But the potential benefits
don't stop there. The ability of a SIM to be able to respond
automatically to an attack can make all the difference between simply
detecting a threat and actually containing it. Foiling worm attacks is
a great example of how automated remediation using a SIM can help
minimize the speed and scope of an infection - in effect, helping to
automate a containment strategy.
In order to apply process controls, for example, a SIM can be forced
to take an automated action if, and only if, a threat that passes the
filter criteria has reached the critical state. Its users can create
many different automated responses, each with their own unique
combinations of filters and actions. Automated responses to known
classes of security intrusion attempts demonstrate clear, consistent
and controlled risk-oriented policies towards IT security and threat
management - a core item in SOX compliance evaluation.
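As an added end-to-end illustration of the pipeline the article describes (collect from heterogeneous sensors, normalize, correlate, weight by the risk factors listed earlier, alert, and take an automated action if, and only if, a threat that passes the filter criteria has reached the critical state), here is a small Python model. It is not code from the article, from OpenService or from any SIM product; the two log formats, the asset inventory, the risk weights and the thresholds are all constructed for this example and are not tuned for real use.

```python
"""Toy SIM pipeline: collect -> normalize -> correlate -> risk-weight -> alert
-> gated automated containment. Every log line, asset record, weight and
threshold below is constructed for illustration; the formats are not any
vendor's real format."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample logs from two heterogeneous sources (a firewall and an IDS).
FIREWALL_LOG = [
    "2005-03-01T03:40:01 fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=135",
    "2005-03-01T03:40:02 fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=445",
    "2005-03-01T03:40:03 fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=139",
    "2005-03-01T03:41:10 fw1 ALLOW src=10.0.0.22 dst=10.0.0.9 dport=1433",
]
IDS_LOG = [
    "03/01-03:41:11 [**] MSSQL overflow attempt [**] 10.0.0.22 -> 10.0.0.9 priority:1",
    "03/01-03:44:50 [**] ICMP echo sweep [**] 203.0.113.7 -> 10.0.0.5 priority:3",
]
# Constructed asset inventory: business value 1..5 plus the last vulnerability
# scan's verdict for the host and how old that scan is.
ASSETS = {
    "10.0.0.5": {"name": "print-server", "value": 1, "vulnerable": False, "scan_age_days": 10},
    "10.0.0.9": {"name": "finance-db", "value": 5, "vulnerable": True, "scan_age_days": 3},
}
INTERNAL_PREFIX = "10.0.0."          # constructed: addresses treated as "inside"
ALERT_THRESHOLD, CRITICAL_THRESHOLD = 40, 80


@dataclass
class Event:
    """Common schema every source is normalized into."""
    src: str
    dst: str
    kind: str       # "probe" or "exploit"
    severity: int   # 1 (low) .. 3 (high)
    detail: str


FW_RE = re.compile(r"^\S+ \S+ (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r"^\S+ \[\*\*\] (.+?) \[\*\*\] (\S+) -> (\S+) priority:(\d)$")


def normalize_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None
    action, src, dst, port = m.groups()
    # A single firewall line says little on its own: always a low-severity probe.
    return Event(src, dst, "probe", 1, f"fw {action} tcp/{port}")


def normalize_ids(line):
    m = IDS_RE.match(line)
    if not m:
        return None
    sig, src, dst, prio = m.groups()
    prio = int(prio)                     # 1 is most severe in this constructed format
    kind = "exploit" if prio == 1 else "probe"
    return Event(src, dst, kind, 4 - prio, f"ids {sig}")


def risk_score(ev, pair_count):
    """Apply the article's factors: exploit, target value, vulnerability and
    scan age, inside/outside source, and historical activity."""
    score = ev.severity * 10                                   # simple probe vs. full control
    asset = ASSETS.get(ev.dst, {"value": 2, "vulnerable": None, "scan_age_days": None})
    score += asset["value"] * 5                                # print server vs. finance database
    if asset["vulnerable"] and asset["scan_age_days"] <= 7:
        score += 20                                            # a fresh scan says the target is exposed
    elif asset["vulnerable"] is None or asset["scan_age_days"] > 30:
        score += 5                                             # unknown host or stale scan: assume some exposure
    if ev.src.startswith(INTERNAL_PREFIX):
        score += 15                                            # inside source: a trusted position is being abused
    if pair_count >= 3:
        score += 10                                            # persistent pattern rather than a one-off
    return score


def run_pipeline(fw_lines=FIREWALL_LOG, ids_lines=IDS_LOG):
    events = [e for e in map(normalize_firewall, fw_lines) if e]
    events += [e for e in map(normalize_ids, ids_lines) if e]
    # Correlate across sensors: how often has this source hit this target?
    pair_counts = Counter((e.src, e.dst) for e in events)
    alerts, actions = [], []
    for ev in events:
        score = risk_score(ev, pair_counts[(ev.src, ev.dst)])
        if score < ALERT_THRESHOLD:
            continue                                           # noise: retained in the log store, no operator alert
        alerts.append((score, ev.src, ev.dst, ev.detail))
        # Process control: act automatically if, and only if, the filter criteria
        # (an exploit, not a probe) are met AND the event has reached the critical state.
        if ev.kind == "exploit" and score >= CRITICAL_THRESHOLD:
            target = ASSETS.get(ev.dst, {}).get("name", ev.dst)
            actions.append(f"isolate {ev.src} from {target} ({ev.detail})")
    alerts.sort(reverse=True)                                  # highest risk first for the operator
    return {"events": len(events), "alerts": alerts, "actions": actions}


if __name__ == "__main__":
    result = run_pipeline()
    print(f"{result['events']} raw events -> {len(result['alerts'])} alerts, "
          f"{len(result['actions'])} automated action(s)")
    for a in result["alerts"]:
        print("  alert", a)
    for a in result["actions"]:
        print("  action", a)
```

Run as a script, the six constructed events reduce to two alerts (both the internal host reaching the finance database) and one automated containment action for the exploit-class event; the external scan of the low-value print server stays in the log store without paging anyone. The gate in the last step is the point of the automated-response passage: the same event that is worth an alert is not automatically acted on unless both the filter (exploit, not probe) and the critical threshold are satisfied.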
Organizations can also link SIMs to internal knowledge bases, resource
links and procedure manuals based on alert and event data correlated
by the SIM, create well defined management options for users, and
display them as options for operators to take. As a result,
organizations gain consistent response to threats from operators,
using the SIM to help define, manage and ensure consistent containment
Real-time risk management using SIM takes the vulnerability and risk
approach and applies it to IT network and security infrastructure in
real-time. It properly takes into account the source of an attack in
the modified risk equation, enabling much more effective internal
management of launched attacks. SIM also builds off currently deployed
heterogeneous security and vulnerability infrastructures, making
systems significantly more effective than as standalone, isolated
point solutions. SIM gives each system an enterprise-wide management
context through the correlation process.
This is all possible because SIM is a security management application,
not a security technology. It doesn't try to sniff packets on the
wires or attempt to verify whether machines are patched or not. What
it does do is bring data together through a real-time correlation
process that considers all these factors, as collected by all the
relevant underlying technology products, to help manage the data
gathered from them, and automate the threat analysis and
SIM for SOX!
SIM and its functions are the keys to an organization's ability to
prove that its network security products and practices are in
compliance. SIM enables demonstrable compliance by implementing
several mechanisms on any monitored sensor, device or application,
including real-time log monitoring, prioritized threat alarms and
escalations, audit trail and configuration versioning, threat, event
and forensic reporting, and standardized threat and incident
responses. It proves that the alarms are on, and someone is listening.
SIM affords organizations strategic opportunity by enhancing security
operations efficiency, ensuring consistent threat response and
centralized full log management, archiving and analysis. But for SIM
to be most strategic, it should scale beyond the short-term audit
process to handle growth, mergers and acquisitions - without adding
significant structural costs and extra workload to already stretched
In a nutshell, if implemented well, SIM both ensures compliance with
SOX section 404 and affords organizations additional compelling
Phil Hollows, Vice President of Security Products, OpenService
Phil has more than 17 years of experience in product marketing,
product management, development leadership and consulting.