Why Asset-Based Security Makes Sense
by Steven Drew, EVP of Client Services, SecureWorks
On November 22, 2005, the SANS Institute released its annual report of the top 20 vulnerabilities of the year (http://www.sans.org/top20/). As has been noted elsewhere in the security industry, the 2005 SANS Top 20 report once again noted a significant shift in attack patterns: more and more applications are being chosen as attack vectors, as opposed to operating systems and internet services. Adding fuel to the fire is the shift from widespread, indiscriminate attacks like Slammer or Blaster to profit-motivated "targeted attacks," which has been well documented by Joe Stewart, SecureWorks' Senior Security Researcher. Combine the two and it's easy to see that the threat landscape is rapidly evolving to include almost any attack vector, allowing attackers to evade some of the most advanced security technologies and threaten your critical assets. Because of this, it has never been more important to make your assets the focal point of your security program.
If you're familiar with our newsletter, you'll recall that the recurring theme of this column is the need for enterprises to approach security strategically. The key component of any strategic security program is its overall focus on the enterprise's critical assets. Processes, procedures and tactical operations must be driven by strategic goals based on your critical assets to ensure that the security program is in step with the enterprise's business needs. As a result of this alignment with business needs, a strategic security program will enable business and provide tangible metrics to demonstrate its effectiveness.
In an asset-based security program, the information gained by each operational process is tied to the relevant assets. By focusing on the critical assets that your security program is in place to protect, you put in place an underlying foundation that individual security processes can link into. In doing so, you allow these individual processes to integrate with each other, with assets as the "common ground" among them. Think of your assets as the "glue" that holds together a strategic security program, allowing the information gained by one process to be readily used by the others. And by enabling the flow of information between security processes that are typically isolated "information silos," you set in place the mechanism that drives continuous improvement across your entire security program.
So how does this strategic asset-based approach keep attackers away from your intellectual property? Tactically speaking, asset-based security lets you manage operational workflow better by pointing out which security efforts would reduce the most risk. It differentiates assets based on their criticality to your business, allowing you to make faster and better decisions in response to threats. For example, say an attacker wants to gain access to your primary research and development database server. A few days before, several vulnerabilities were publicly disclosed detailing exploitable flaws in your database software. During peak business hours, your IDS detects many possible incidents, including a buffer overflow attack directed at your R&D database server. Because your security program is integrated around your assets, the R&D database server is immediately recognized as a highly critical asset that, according to the newly disclosed vulnerability data and ongoing vulnerability scans, is vulnerable to the buffer overflow attack detected by your IDS. The incident stands out from the rest of the alerts and is escalated as the highest priority, and your security team reallocates its resources to mitigate the threat immediately, maintaining the integrity of your intellectual property.
Strategically speaking, an asset-based security program keeps intruders out by ensuring that all individual security processes are focused on what matters most to your business: the risk faced by your critical assets. This allows you to quantify the deliverables of each individual process using a uniform standard, without comparing apples to oranges. As a result, you can accurately measure and evaluate your security program using a metric that is universally understood and directly aligned with your company's business needs. And, because accurate measurement is the foundation for continuous improvement, you now have the groundwork in place to drive change as the security of your critical assets demands it.
Implementing a strategic, asset-based security program is absolutely vital to protecting your critical assets from attacks now and in the future. Regardless of what the preferred method of attack will be in the future, the target will still remain the same. For a savvy attacker, a newly discovered exploit isn't the prize; it's only a means to an end. The information security landscape is dynamic in nature and attack vectors will continue to shift as the landscape evolves. During all of this, the one aspect that is guaranteed to remain constant is the attacker's focus on profiting from your assets. Approach your security program tactically without focusing on the assets it is meant to protect and you might as well let attackers drive, because they're going to choose which direction you'll be heading in anyway. Approach your security program strategically by focusing on your assets so that security decisions are driven by real business risk, and you will be able to efficiently address threats regardless of how they evolve.
Internet Threat Update
Provided by SecureWorks' Security Research Team
A Sobering Look at Email Viruses
The biggest virus outbreak of the year so far appears to be the latest in a string of viruses known as "Sober". This virus has been in the wild for two years now, with over 25 known variants. The latest variant has had a great deal of success, primarily because of the social engineering tactics it employs.
You've probably seen or heard about the messages claiming to be from the FBI or the CIA, warning the user that they have been visiting illegal websites, and asking them to answer some attached questions. Of course, the attached file is actually the Sober executable, and when the user runs it, they will infect themselves and begin blasting email to every address found on their hard drive.
Sober isn't an overly sophisticated virus: it's written in Microsoft Visual Basic (making it much larger than most email viruses) and doesn't use exploits to execute automatically, so it depends entirely on the user running the attachment. Yet it has been remarkably successful so far. The author has also been very elusive: there doesn't appear to be a profit motive behind Sober, so there is no money trail for law enforcement to follow. The only apparent purpose of the whole scheme is to propagate German-language nationalist propaganda from time to time.
The thing we wonder about here on the SecureWorks security research team is why, in this day and age, people still send executable attachments, and why so many mail gateways still let them through. Blocking executable attachments at the gateway would stop every variant of Sober known so far, and nearly every other virus or trojan that spreads via email. Far too many organizations and individuals are still relying on anti-virus scanning alone to protect them from zero-day threats; signature-based scanning cannot catch a variant it has not yet seen, so this is clearly no longer a realistic strategy.
If your email security strategy includes a single virus scanner and no other protection, such as attachment stripping or content filtering, you are at terrible risk from every new piece of malware that is developed. And it's not just nuisance viruses anymore - there is now malware that is solely designed to steal intellectual property from companies. The threat from such attacks can be far greater than a simple virus outbreak, but it is hardly being addressed in most companies. If you've experienced any infections at your company from this latest Sober outbreak, it should be a wake-up call: it's time to rethink your email security implementation.
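As an added example (not code from the original article or from SecureWorks), the following Python script shows the gateway check argued for above: it classifies each MIME part as executable by file extension, declared content type, or leading magic bytes, and replaces any such part with a plain-text stub before delivery. The sample message, its attachment names and the "MZ" stub payload are constructed for illustration, and the extension and content-type deny lists are assumptions to tune for your own environment.

```python
"""Strip executable attachments at the mail gateway.

Added example (not SecureWorks code): a MIME part is treated as executable if
its file name ends in an executable extension, its declared content type is an
executable type, or its decoded bytes start with a known executable magic
number.  Such parts are replaced with a text stub before delivery.  The sample
message below is constructed and only resembles the lure described above.
"""
import email
from email import policy
from email.message import EmailMessage

# Assumption: a typical gateway deny list of extensions Windows will run on
# double-click; extend for your environment.
EXEC_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe", ".js",
    ".jse", ".wsf", ".wsh", ".hta", ".cpl", ".msi", ".dll",
}
EXEC_CONTENT_TYPES = {
    "application/x-msdownload", "application/x-msdos-program",
    "application/x-executable", "application/vnd.microsoft.portable-executable",
}
# Leading bytes of PE ("MZ"), ELF and Mach-O images; catches renamed binaries.
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
              b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe")


def looks_executable(part: EmailMessage) -> bool:
    """True if the name, the declared type or the content says 'executable'."""
    filename = (part.get_filename() or "").lower()
    # Last suffix only, so "questions.pdf.exe" is caught by its ".exe".
    suffix = "." + filename.rsplit(".", 1)[-1] if "." in filename else ""
    if suffix in EXEC_EXTENSIONS:
        return True
    if part.get_content_type() in EXEC_CONTENT_TYPES:
        return True
    payload = part.get_payload(decode=True) or b""
    return payload.startswith(EXEC_MAGIC)


def strip_executables(raw: bytes) -> tuple[bytes, list[str]]:
    """Return (sanitised message bytes, names of the attachments removed)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.is_multipart() or not looks_executable(part):
            continue
        name = part.get_filename() or "unnamed"
        removed.append(name)
        # set_content drops the old Content-* headers along with the payload,
        # so the stub becomes a harmless text attachment.
        part.set_content(
            f"Attachment '{name}' was removed by the mail gateway "
            "because it is an executable.\n",
            disposition="attachment", filename=f"{name}.removed.txt")
    return msg.as_bytes(), removed


def attachment_names(raw: bytes) -> list[str]:
    """File names of the attachments a recipient would actually see."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()]


def build_sample_message() -> bytes:
    """Constructed lure: an 'official' notice plus three attachments."""
    msg = EmailMessage()
    msg["From"] = "notice@example.invalid"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Your internet activity has been logged"
    msg.set_content("Please answer the attached questions.\n")
    pe_stub = b"MZ" + b"\x90" * 62          # PE magic plus filler, not a real binary
    msg.add_attachment(pe_stub, maintype="application", subtype="octet-stream",
                       filename="questions.pdf.exe")      # double extension
    msg.add_attachment(pe_stub, maintype="text", subtype="plain",
                       filename="readme.txt")              # renamed binary
    msg.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf",
                       filename="policy.pdf")              # legitimate document
    return msg.as_bytes()


if __name__ == "__main__":
    clean, removed = strip_executables(build_sample_message())
    print("removed:", removed)
    print("delivered attachments:", attachment_names(clean))
```

Run against the sample message, the script removes questions.pdf.exe (caught by its last extension) and readme.txt (caught by its PE magic bytes even though the name and declared type look harmless) and delivers policy.pdf unchanged; running it again over the sanitised message removes nothing. One caveat a production gateway must also cover: archives are not opened here, so an executable inside a .zip attachment would pass unless the gateway recurses into archive members or blocks archives it cannot inspect.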
SOC War Story: Asset-Driven Prioritization
Business Problem
When a new threat or vulnerability is identified, assessing the risk posed to your business and prioritizing your activities accordingly can mean the difference between business as usual and an outright catastrophe. Unfortunately, accurately assessing the real risk to your business is much easier said than done. To accurately assess the risk of any threat, you must also accurately assess two factors: the severity of the threat and the criticality of the assets threatened. If either of these is missing from the equation, the resulting "risk" information is inaccurate and can lead to poor security decisions, which in turn leads to wasted resources and increased security costs.
In October, Oracle released a critical patch that addressed more than 80 vulnerabilities for multiple products, ranging from their database systems to their back-office applications. For those enterprises with extensive Oracle infrastructure, patching all of the affected systems within a reasonable amount of time was out of the question. One of our clients, a large financial institution, relied heavily on Oracle products in almost every segment of their business. With the integrity of their business critical assets on the line, the financial institution needed a solid game plan that would quickly and effectively reduce the most risk to their business.
Solution
The financial institution relies on SecureWorks' Security Monitoring, Security Information Management (SIM) Managed Service, Managed Vulnerability Scanning and Threat Intelligence. When Oracle released the patch, making known more than 80 vulnerabilities in their various products, SecureWorks' security research team immediately began analyzing each vulnerability and assessing the severity each posed to the systems they affected. Shortly after the announcement, the vulnerability intelligence was mapped to the financial institution's assets within the Sherlock Security Management Platform. By comparing the severity of the vulnerabilities with the client-assigned criticality of their affected assets, Sherlock quickly prioritized the vulnerabilities according to the assets that were in the most need of patching due to the risk they were facing.
Using Sherlock, the financial institution was able to easily establish a prioritized workflow to patch their assets in accordance with real business risk. After testing the patch, their security team immediately began working to implement it on the systems facing the most risk of exploitation. Continuous vulnerability scans ensured that patches were properly administered and Sherlock's trending reports reinforced the security team's efforts, demonstrating that their work was paying strong dividends over time. By relying on SecureWorks' services, the financial institution was able to drive down the real business risk faced by their assets in the most effective and efficient manner possible.
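The scoring behind both the IDS escalation scenario in the column above and this patch-prioritization story, written out as an added example rather than SecureWorks or Sherlock code: risk is modelled as vulnerability severity multiplied by the client-assigned criticality of the affected asset; that product ranks the patch queue, and the same product decides which IDS alerts are escalated, while alerts against assets the scan shows are not vulnerable, or whose asset or signature is unknown, are handled separately. The hosts, vulnerability IDs, severities, criticalities, scan results and alerts are all constructed sample data, and the escalation threshold is an assumption.

```python
"""Asset-driven risk prioritization.

Added example, not SecureWorks or Sherlock code.  Risk is modelled as threat
severity (from vulnerability intelligence) multiplied by the client-assigned
criticality of the affected asset; the same score ranks the patch queue and
decides which IDS alerts get escalated.  All assets, vulnerabilities, scan
results and alerts below are constructed sample data, not real identifiers.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int   # 1 (expendable) .. 5 (business critical), set by the owner
    role: str


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    severity: int      # 1 .. 10, set by the research team's analysis
    summary: str


@dataclass(frozen=True)
class Alert:
    asset: str
    signature: str
    exploits: Optional[str]   # vuln_id the signature targets, None if unknown


# Constructed sample data (hypothetical hosts and vulnerability IDs).
ASSETS = {a.name: a for a in (
    Asset("rd-db-01", 5, "primary R&D database"),
    Asset("web-01", 4, "customer portal"),
    Asset("hr-app-01", 3, "back-office HR application"),
    Asset("dev-db-02", 1, "developer sandbox database"),
)}
VULNS = {v.vuln_id: v for v in (
    Vulnerability("VULN-001", 9, "database listener buffer overflow, unauthenticated"),
    Vulnerability("VULN-002", 5, "back-office application authentication bypass"),
    Vulnerability("VULN-003", 7, "database privilege escalation, needs valid account"),
)}
# Latest vulnerability scan: which vulns were confirmed on which asset.
SCAN_RESULTS = {
    "rd-db-01": {"VULN-001", "VULN-003"},
    "dev-db-02": {"VULN-001", "VULN-003"},
    "hr-app-01": {"VULN-002"},
    "web-01": set(),
}
ESCALATE_THRESHOLD = 25   # assumption: tune to the team's capacity


def risk_score(vuln_id: str, asset_name: str) -> int:
    """Severity x criticality; both factors are required (see Business Problem)."""
    return VULNS[vuln_id].severity * ASSETS[asset_name].criticality


def patch_queue() -> list[tuple[str, str, int]]:
    """(asset, vuln_id, risk) sorted highest risk first: the order to patch in."""
    items = [(asset, vuln, risk_score(vuln, asset))
             for asset, vulns in SCAN_RESULTS.items() for vuln in vulns]
    return sorted(items, key=lambda t: (-t[2], t[0], t[1]))


def triage_alerts(alerts: list[Alert]) -> list[tuple[str, str, str, int]]:
    """Assign each IDS alert a priority using asset and vulnerability context.

    escalate    : target is critical AND confirmed vulnerable to the exploit
    investigate : target is vulnerable but of low criticality
    low         : target is known and scanned clean for this vuln
    review      : a factor is missing (unknown asset or unmapped signature)
    """
    triaged = []
    for a in alerts:
        if a.asset not in ASSETS or a.exploits is None or a.exploits not in VULNS:
            triaged.append((a.asset, a.signature, "review", 0))
            continue
        if a.exploits not in SCAN_RESULTS.get(a.asset, set()):
            triaged.append((a.asset, a.signature, "low", 0))
            continue
        score = risk_score(a.exploits, a.asset)
        priority = "escalate" if score >= ESCALATE_THRESHOLD else "investigate"
        triaged.append((a.asset, a.signature, priority, score))
    return sorted(triaged, key=lambda t: (-t[3], t[0]))


# Constructed alert burst from "peak business hours".
SAMPLE_ALERTS = [
    Alert("web-01", "DB listener overflow attempt", "VULN-001"),
    Alert("dev-db-02", "DB listener overflow attempt", "VULN-001"),
    Alert("rd-db-01", "DB listener overflow attempt", "VULN-001"),
    Alert("hr-app-01", "inbound port sweep", None),
    Alert("unknown-host", "DB listener overflow attempt", "VULN-001"),
]

if __name__ == "__main__":
    print("Patch queue (highest risk first):")
    for asset, vuln, risk in patch_queue():
        print(f"  {risk:3d}  {asset:10s} {vuln}  {VULNS[vuln].summary}")
    print("Alert triage:")
    for asset, sig, priority, score in triage_alerts(SAMPLE_ALERTS):
        print(f"  {priority:12s} {score:3d}  {asset:12s} {sig}")
```

With the sample data the patch queue puts the listener overflow on the R&D database (45) ahead of the same flaw on the developer sandbox (9), and the alert triage escalates only the overflow attempt against rd-db-01; the identical signature against web-01, which the scan shows is not vulnerable, drops to low. The "review" bucket is the point made under Business Problem: an alert against an unknown asset, or with a signature not mapped to a vulnerability, is missing one of the two factors, so it cannot be scored and must not be silently given a low score.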