
Service vs. Software: The ASP Decision

by Steven Drew, EVP of Client Services, SecureWorks

In today's security environment, being able to aggregate, correlate, and analyze security data from a multitude of devices is an absolute necessity to ensure business continuity. It is also an absolute necessity to be able to report that data for audit and compliance purposes. Security devices, especially those deployed on the network perimeter, can generate thousands of events per day. As a result, many security teams find their resources stretched to the breaking point as they try to compile accurate reports to prove compliance while simultaneously monitoring their security devices for malicious activity.

To adequately deal with this problem, Security Information and Event Management (SIEM) software was developed. This technology performs the task of aggregating, correlating, and analyzing data from security devices and critical information assets, allowing security teams to better allocate their resources and focus on the strategic initiatives that improve security posture. While this software provides extremely high value to the enterprise, it also comes with a high cost in terms of capital and human resource investment.

Fortunately there is a new option for enterprises now considering investing in SIEM technology: SIEM as a service. SecureWorks was the first to market with this service in July, but since then others have followed. SIEM service is also gaining recognition from industry analysts, having been recognized by the Gartner Group in a recent report. The value these services deliver to enterprises is the ability to gain the benefits of SIEM, without the high capital and resource investment. In other words, they enable enterprise security teams to be SIEM users versus SIEM managers.

At the center of SIEM service are the key features you would find in the software: asset classification, event aggregation, correlation, analysis and reporting. The difference lies in how the solution is implemented. For the service, providers typically deploy an appliance that their engineers then integrate with critical assets to aggregate, correlate, filter and transmit events of interest back to their Secure Operations Centers, where these providers house their own SIEM platforms to conduct further automated analysis. All reporting, asset classification, response workflow and other functionality is provided to clients through a secure, web-based interface. This eliminates the need to implement complex software and expensive hardware, an implementation that typically takes anywhere from 1 to 6 months to become fully operational. In fact, SIEM service implementations are usually performed within a few days, enabling enterprises to realize the benefits immediately.

In the end, there are many different business needs driving SIEM investment. For some enterprises, software may be the best choice. However, for most organizations that want to reap the benefits of SIEM but cannot afford the overhead that comes with it, SIEM service offers a great new option. Either way, it is hard to argue against the benefits of implementing SIEM in your enterprise.


Internet Threat Update

Provided by SecureWorks' Security Research Team

After a year's hiatus, it seems worms are back on the radar. The August Microsoft patches led to exploits being developed for the PnP service exposed in Windows networking. These exploits were incorporated into existing worms within days, showing that the window of safety for patching is ever-shrinking. All in all, however, the organizations affected are mostly ones with large rollouts of unpatched Windows 2000 machines.

Clearly any cost justification associated with not upgrading to Windows XP SP2 and Server 2003 must be offset by the impact of these threats. The fact is, most new exploits (and therefore worms) simply don't work on XP SP2 and 2003 SP1 due to additional protections introduced by Microsoft. Companies reluctant to upgrade for cost or stability reasons must deploy additional measures to ensure they are not caught off-guard by future exploits and worms.

Aside from scanning worms, we are still seeing a steady increase in worms that use social engineering to spread. Why social engineering? Because it still works - guaranteed. Any medium that end-users use to communicate can expect to have worms targeting it. Email, IM and IRC are all ripe for exposing users to unnecessary malware and hacking threats.

In the case of email, you can't really eliminate the conduit altogether, but you can certainly shore up the weaknesses with a strong content-scanning policy that includes anti-virus (scanners from multiple vendors are a good idea) and quarantine of suspicious attachment types. There is still some administrative expertise needed - consider outsourcing your email scanning to experts if the situation warrants.
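The two email controls named above, multi-vendor scanning and quarantine of suspicious attachment types, can be expressed as a small mail-gateway policy check. The following is an added example written for this article, not SecureWorks code; the extension lists, the two stand-in scanner functions and the sample message are constructed assumptions for illustration.

```python
"""Attachment policy check for inbound email (added example, not SecureWorks code).

Two controls: quarantine attachment types that should never arrive by mail,
and pass everything else that needs inspection through more than one scanner,
quarantining if any single vendor flags it. Policy lists and scanners below
are assumptions chosen for the example.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Callable, Iterable

# Extensions quarantined outright, anywhere in the name (assumed policy list).
QUARANTINE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "cpl", "hta"}
# Container/document types that are scanned rather than blocked (assumed list).
SCAN_EXT = {"zip", "rar", "doc", "xls", "pdf"}

# A scanner takes the decoded attachment bytes and returns True if malicious.
Scanner = Callable[[bytes], bool]


def classify_filename(name: str) -> str:
    """Return 'quarantine', 'scan' or 'allow' for an attachment filename.

    Every extension in the name is checked, so the double-extension trick
    ("invoice.pdf.exe") and padded names ("invoice.pdf      .exe") are caught.
    """
    exts = [p.strip() for p in name.lower().split(".")[1:]]
    if any(e in QUARANTINE_EXT for e in exts):
        return "quarantine"
    if exts and exts[-1] in SCAN_EXT:
        return "scan"
    return "allow"


def evaluate_message(raw: bytes, scanners: Iterable[Scanner]) -> dict:
    """Map each attachment filename to the gateway verdict for it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    scanners = list(scanners)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        verdict = classify_filename(name)
        if verdict == "scan":
            payload = part.get_payload(decode=True) or b""
            # One vendor's detection is enough; a second vendor covers the
            # signatures the first one lacks, which is the point of multi-vendor.
            verdict = "quarantine" if any(s(payload) for s in scanners) else "allow"
        verdicts[name] = verdict
    return verdicts


# Constructed stand-ins for two vendors' engines. A real gateway would call the
# vendors' scanning APIs; here vendor A knows one marker and vendor B knows none.
def vendor_a(data: bytes) -> bool:
    return b"MALWARE-SAMPLE-MARKER" in data


def vendor_b(data: bytes) -> bool:
    return False


SCANNERS = [vendor_a, vendor_b]


def build_sample_message() -> bytes:
    """Constructed test message: one benign text file, one double-extension
    executable, one archive that only vendor A detects."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Q3 figures"
    msg.set_content("See attached.")
    msg.add_attachment("meeting notes", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00 constructed stub", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"PK\x03\x04 MALWARE-SAMPLE-MARKER", maintype="application",
                       subtype="zip", filename="archive.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in evaluate_message(build_sample_message(), SCANNERS).items():
        print(f"{name}: {verdict}")
```

The archive is quarantined only because vendor A recognises it; with vendor B alone it would have been delivered, which is the gap the "scanners from multiple vendors" advice closes.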

In the case of IM and IRC, corporate users simply should not be allowed to take the risk of attaching to a public network. In the cases where IM might be justified for internal workgroups, a private IM server can be deployed, isolating those users from external threats.

In addition, companies should be aware of an increasing number of targeted trojans directed at industry as well as government and military installations. Intellectual property theft is being carried out by malware right now - but it can be stopped by proper planning, policies and defenses. (For more on this, see the MyFip research at www.secureworks.com/research/threats/myfip)

The common thread in all of the above scenarios is defense-in-depth. There is no longer a perimeter; you must consider that with today's protocols there are hundreds of ways for something to pierce the firewall. Having several layers of defense from the firewall to the workstation or server gives a much better chance of detecting and stopping these threats. In the end, the products you choose don't make as much difference as where and how they are deployed, and how you are watching and responding to alerts from these products.


SOC War Story: Industrial Espionage

Business Problem

With recent Industrial Espionage reports popping up all over the media, security professionals are becoming increasingly aware that the most sinister threats to their enterprises are not coming from those who want to wreak havoc, gain notoriety or impress their fellow "script-kiddies." Instead, most security professionals are coming to the realization that the most menacing and insidious threats are from those who want to break in, do whatever it is they broke in to do, and sneak back out unnoticed. Whether it is the work of a disgruntled employee seeking revenge, an unscrupulous competitor looking for a competitive edge or an organized crime ring from China trying to capitalize on your organization's intellectual property, industrial espionage can cripple a business before management even realizes what happened.

At 1:37 AM on a Monday morning, our SANS GIAC certified Security Analysts were alerted to suspicious activity on a manufacturing client's internal network, including an IDS alert on an internal host attempting to retrieve a file called "passwd" from an internal FTP server. This particular segment of the client's internal network served as a virtual repository for highly sensitive information including schematics, research materials and other information critical to the development and production of their products. After investigating the situation, SecureWorks' Security Analysts discovered custom-designed malware created to harvest password files from any FTP servers it could find on the local network. Once harvested, the passwords could then be used to steal, delete, or otherwise tamper with the corporation's private research, causing irreparable damage.

Solution

Our Client uses Managed Intrusion Detection, Security Monitoring and SIM Service to ensure that their critical research remains confidential and stays out of unauthorized hands. To detect and prevent malicious activity, the Client installed an IDS co-managed by SecureWorks that monitored internal network traffic. They combined that with monitoring of the firewalls and SIEM to identify any strange exceptions occurring on critical servers and security devices in their internal network. As a result, the attempt to retrieve a "passwd" file was quickly identified and investigated to determine its root cause.

After investigating the possible threat, SecureWorks' security experts quickly determined that it was indeed hostile activity and escalated the incident to the Client's internal security team. Relying on SecureWorks for guidance, the Client's security team was able to isolate the compromised host and remediate the threat before the malware could access sensitive material. After the incident, SecureWorks' Security Analysts continued monitoring the Client's devices to ensure that the Industrial Espionage threat was completely eradicated. By being vigilant and responsive, SecureWorks ensured that the Client's valuable research was protected from all threats, including those coming from the inside.
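The detection in this story, and the event aggregation and correlation that the SIEM article above describes, can be shown together as a small correlation rule run over FTP transfer logs. Below is an added example written for this newsletter, not SecureWorks' platform or the Client's configuration: the log line format, the host names and addresses, the sensitive-filename list and the ten-minute window are all constructed assumptions. The first rule fires on any single retrieval of a password file, as the IDS did; the second aggregates those events per source and raises a separate alert when one host has pulled password files from several FTP servers in a short window, which is the harvesting behaviour the analysts found.

```python
"""Correlating password-file retrievals across internal FTP servers.

Added example, not SecureWorks code. The log format is a constructed
"<date> <time> <server> RETR <path> from <client-ip>" line; real FTP
daemons and IDS sensors log differently, so the regular expression would be
adapted to the actual source.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<server>\S+) "
    r"RETR (?P<path>\S+) from (?P<src>\S+)$"
)

# Filenames whose retrieval over FTP is always worth an alert (assumed list).
SENSITIVE_NAMES = {"passwd", "shadow", "master.passwd", ".htpasswd"}

# Constructed sample log: host 10.1.5.23 pulls password files from three
# servers in two minutes; host 10.1.5.40 fetches ordinary engineering files.
SAMPLE_LOG = """\
2005-09-12 01:31:40 ftp-eng-01 RETR /pub/specs/rev4.pdf from 10.1.5.40
2005-09-12 01:35:12 ftp-eng-01 RETR /etc/passwd from 10.1.5.23
2005-09-12 01:36:05 ftp-eng-02 RETR /etc/passwd from 10.1.5.23
2005-09-12 01:37:01 ftp-doc-01 RETR /home/ftp/.htpasswd from 10.1.5.23
2005-09-12 01:38:30 ftp-eng-02 RETR /pub/bom/board7.xls from 10.1.5.40
this line is not in the expected format and is skipped
"""


def parse_line(line: str):
    """Return a dict for a RETR log line, or None for lines we do not understand."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def is_sensitive(path: str) -> bool:
    """Match on the final path component only, so /etc/passwd and passwd both hit."""
    return path.rsplit("/", 1)[-1].lower() in SENSITIVE_NAMES


def correlate(lines, window=timedelta(minutes=10), min_servers=2):
    """Aggregate sensitive RETRs per source and emit per-event and harvester alerts."""
    alerts = []
    hits = defaultdict(list)  # src -> [(timestamp, server)]
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_sensitive(ev["path"]):
            continue
        # Rule 1: the single-event signature, equivalent to the IDS alert.
        alerts.append({"rule": "sensitive_retr", "src": ev["src"],
                       "server": ev["server"], "path": ev["path"]})
        hits[ev["src"]].append((ev["ts"], ev["server"]))

    # Rule 2: correlation across servers. For each source, slide a window
    # forward from each hit and count the distinct servers inside it.
    for src, events in hits.items():
        events.sort()
        for t0, _ in events:
            servers = {s for t, s in events if t0 <= t <= t0 + window}
            if len(servers) >= min_servers:
                alerts.append({"rule": "ftp_password_harvester", "src": src,
                               "servers": sorted(servers)})
                break  # one harvester alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single-event rule is noisy on its own (an administrator copying a config file would fire it), which is why the aggregated rule carries the escalation weight: one host touching password files on several servers is the pattern that distinguishes harvesting malware from a one-off.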
