[ISN] Hackers are real-time. Are you?

InfoSec News isn at c4i.org
Tue Mar 1 04:47:35 EST 2005


http://www.s-ox.com/Feature/detail.cfm?ArticleID=623

By Phil Hollows
2005-02-28

- From a Sarbanes-Oxley Section 404 perspective, any breach in IT
security represents a risk to an internal system - including those
covered by the standards implicit in section 404's mandates. Since IT
underlies the very business of recording and reporting all financial
activity, it follows that a lack of control over IT security would
imply a lack of control over the organization's financial reports, in
direct violation of SOX section 404.

Since any compromised IT system - or an unmanaged attack that could 
create a compromise - can then be used to attack, compromise and 
degrade the integrity of the IT systems supporting a covered firm's 
financial systems, section 404 of Sarbanes-Oxley carries with it the 
mandate to properly secure IT enterprise-wide (or, at least, to the 
point where the CEO, CFO and independent auditors are comfortable with 
the level of risk management applied to protecting corporate IT in 
general and financial IT systems specifically). As a result of the 
efforts of organizations such as the ISACA, COBIT and PCAOB, 
frameworks and standards such as COSO have emerged that explicitly 
address the role of IT security in complying with SOX compliance. 

Taking Strategic Control of Security with SIM 

Security information management (SIM) solutions are an emerging class 
of products that enable compliance through provable, fast threat 
detection, management, and containment. Affordable, easily managed 
real-time security monitoring and correlation solutions offer a 
compelling way for public companies to comply with the implicit IT 
security mandates of SOX. Moreover, the reporting and full logging 
storage capabilities of SIM products allow companies to prove that 
security policies are being correctly followed - even providing an 
integral framework to guide operators to respond to security threats 
and incidents in a consistent, compliant manner. Finally, in addition 
to enabling compliance with SOX regulation, SIM products can provide 
very low maintenance security management framework to reduce the 
workload placed on IT security in general, improve security operations 
effectiveness, and enhance a company's ability to proactively mitigate 
high-risk threats before they become successful exploits. 

The strategic opportunity for IT in public companies is therefore to 
think beyond the immediate compliance deadline and look to establish 
controls that ease compliance with tighter regulations over time, as 
well as ensuring that, if needed, the changes wrought to satisfy SOX 
can stand up in court. Building a defensible position against a 
class-action shareholder suit is one of the unfortunate situations 
that IT organizations need to plan for as they move forward 
implementing their compliance activities. As the financial scandals in 
the early part of the decade showed, having an auditor sign off is no 
guarantee that law suits can be avoided, and SOX section 302 makes it 
clear that CEOs and CFOs are personally liable for any material 
misrepresentations. 

Monitoring Security 

In terms of established OT compliance frameworks, although PCAOB's 
Auditing Standard No. 2 does reference IT controls, it does not 
specify the IT controls an organization should deploy in order to be 
complaint with SOX. However, COSO specifically calls out IT security 
monitoring as follows: 

"Security monitoring - Building an effective IT security
infrastructure reduces the risk of unauthorized access. Improving
security can reduce the risk of processing unauthorized transactions
and generating inaccurate reports, and can ensure a reduction of the
unavailability of key systems if applications and IT infrastructure
components have been compromised."

The ITGI's IT Control Objectives document, which provides specific 
recommendations based on COSO to guide compliance activities, 
specifically identifies the need for a security monitoring control: 

"IT security administration monitors and logs security activity, and 
identified security violations are reported to senior management."

It's clear: to meet the SOX general IT security requirements, 
organizations need to deploy multiple security point solutions such as 
firewalls, intrusion detection systems (IDS), anti-virus systems and 
others. That's a given. 

But simply deploying point solutions on networks, servers or desktops 
does not, by itself, satisfy the security monitoring requirement 
implied in Section 404. A true monitoring solution must show that the 
products deployed to protect a company's critical assets are, in fact, 
working properly. The only way to be successful in meeting this 
requirement is to collect, manage and save the relevant threat data 
from the individual security point solutions. 

SIM extends the real-time monitoring of events detected by network and 
application security systems by enabling operators to detect and 
manage threats to the integrity of the company's financial systems, 
looking at alerts from across the entire enterprise. And SIM provides 
real-time, actionable information, not monthly reports that end up in 
an auditor's filing cabinet. 

Correlation: Finding the Threat Needle in the Security Haystack 

But identifying threats that can cause an incident from the data that 
enterprise security systems report quickly creates a massive 
challenge. With large populations of security solutions to monitor, IT 
security professionals need to collect disparate information from 
diverse sources, quickly assess its impact, and make timely decisions 
before major damage is done. They also need a way keep all this 
information in a convenient place for reporting purposes. But the data 
volumes are colossal - many millions to billions of log entries are 
recorded by an enterprise's systems every day. Threats need to be 
identified from this massive data stream and dealt with, and the data 
needs to be stored without requiring warehouses full of expensive 
storage area networks. And then a determination needs to be quickly 
made - is this threat real? How much risk does it represent? And how 
should it be managed? 

Worse yet, as we all know, IT security challenges are growing 
enormously as an increasing number of diverse security products are 
deployed to combat increasing number of threats, exploits and hackers. 
As technologies such as the 802.11 series of wireless protocols emerge 
that render notions like the secure perimeter increasingly irrelevant 
and porous, the number of security systems that need to be deployed 
and monitored will only continue to grow, day in and day out. 

For each class of security system, organizations are faced with many 
choices of firewalls (network, application and protocol-based), 
intrusion detection and prevention systems (IDS and IPS), anti-virus 
(AV) systems, virtual private networks (VPN), host-based protection 
and a range of dedicated network security appliances. Indeed, 
monitoring network systems, such as routers and switches, for suspect 
activity is now a fact of life since these, too, have known 
vulnerabilities that can be exploited. Every organization's security 
strategy will involve some combination of these techniques, depending 
on their strategic goals and acceptable degree of risk. 

Real-time security event correlation is the key to making this 
mountain of data manageable again. A typical SIM system will: 

* Collect log file and event data from multiple security, network and 
  server sources. 

* Normalize and correlate these event in real-time to identify threats 
  before they become security breaches. 

* Prioritize threats according to risk-based event weighting, target 
  vulnerability, asset value and historical activity. 

* Maintain a threat database, including a taxonomy of known threats, 
  vulnerabilities and exploits. 

* Provide extensive threat, attack and forensic reporting and analysis 
  capabilities. 

* Enable automated and guided operator actions for consistent incident 
  responses. 

The goal of a SIM, when considering existing costs and workloads of 
compliance implementation teams, must be to deliver these capabilities 
in as minimally invasive a way as possible, and as a result of the 
correlation, ultimately reduce the time and resources spent in 
incident response. Is this practical? In a recent eWeek article, one 
SIM user, Adam Hansen, of law firm Sonnenschein, Nath and Rosenthal, 
described firm's his experience recently after deploying a SIM. His 
SIM monitors 9 million daily security events and accurately identifies 
20 or 30 events of interest. From there, the firm's administrators 
need to investigate only one to three events a day. "We reduced our 
incident response time from 24 hours to minutes," said Hansen. "We 
deal with an event as soon as it happens rather than look at a log." 
Hansen's experience is not unique. According to ComputerWorld, Scitum 
SA, an MSSP, recently reported an event reduction factor of 10,000 
after deploying a SIM in their security operations center. 

Monitoring and Vulnerability Management - A Comprehensive Risk 
Management Strategy 

These examples are impressive feats, to be sure. But does that mean 
SIM is right for all organizations? Managers might think they don't 
need SIM, particularly when investing in a comprehensive, and 
undoubtedly expensive, set of vulnerability management products and 
processes. 

An ounce of prevention is worth a pound of cure, it's true. Many 
security systems and technologies have been deployed to prevent 
intruders from accessing high value systems. First came firewalls - 
then the mail worms, the web buffer overflows, and the RPC exploits 
marched right through the open ports to wreak havoc on their targets 
on the inside. IDS arrived, but didn't actually stop anything. Then 
IPS, and next, who knows? If there's a lesson to be learned, it is 
that no matter what technology is deployed, it will have a flaw, a way 
to be defeated, or will be so untrusted (e.g. too many false 
positives) to be functionally useful. 

Enter vulnerability management solutions. The premise is simple and 
seductive. If there are no vulnerabilities to exploit, there is no 
risk. Identify and mitigate the open vulnerabilities and risk is 
eliminated - there's nothing to compromise. The good guys win. Right? 

Not exactly 

IT security managers should be engaged in actively managing system 
vulnerabilities and nobody should counsel otherwise. However, they 
should do so rationally, methodically, and with understanding of the 
risks and rewards at each step. 

What is absolutely not true, however, is that every system can be 
patched perfectly - at least, not in a timely, cost-effective manner. 
An organization simply cannot patch against social engineering (i.e. 
persuading a human to do something for you that you can't, like 
resetting an administrative password). It cannot patch against a 
careless or corrupted employee placing a wireless access point inside 
your network, completely bypassing your perimeter defenses. It cannot 
patch a system against weak physical security. It cannot patch against 
someone emailing a customer list to a competitor. It cannot patch 
systems its unaware of, such as embedded databases or web servers. For 
example, if an organization's engineering group uses a product like 
Ghost to re-image test machines, any patches it applies could be here 
today and gone tomorrow. 

It's clear: Even with an extensive and comprehensive vulnerability and 
patch management program in place, it remains vital to monitor 
security systems. Remember, from the bad guys' perspective, there's 
always a workaround. There's always a signature that the system 
doesn't know about. There's always a new user the anomaly detector 
hasn't discovered. There's always a careless default installation or a 
system that hasn't been gotten round to yet. There's always a 
thoughtless user to social engineer through. There's always someone to 
corrupt, a system to bypass, a new trick to employ. 

So, one of the biggest mental hurdles to overcome when thinking about 
risk mitigation and prevention planning is accepting the fact that it 
is impossible to get 100% of vulnerabilities removed using a patching 
approach. 

It can't be done. It won't ever be done. Plan for it. 

Ultimately, this is how SIM complements vulnerability management. 
Section 404 requires monitoring security. Prudent risk management also 
says companies shouldn't put all their security eggs in the 
vulnerability management basket. A mature, compliant IT security 
organization will deliver strong mitigation and monitoring solutions, 
and also have a well-defined (and practice, practice, practice!) 
containment and incident response strategy - requiring all three legs 
of the stool. 

SIM: Automating Real-Time Risk Analysis for Compliance 

Risk - whether its acceptance, mitigation or transference - is at the 
heart of IT security planning and monitoring. The analysis of an 
attack event from a single device is relatively meaningless. There is 
no context within which to judge its relevance and importance. By 
using SIM to evaluate individual events in the context of the 
real-time enterprise threatscape, it is possible to assign risk values 
using the SIM to each individual event. 

Implementing a security monitoring solution without being able to 
manage log collection from different sources, quickly triage events 
using a risk-based approach, and implement response times risks 
failure - unless a SIM solution is in place. A good, risk-based 
approach will enable the SIM to determine the following criteria, and 
adjust the risk weight appropriately, for each event detected, and 
then intelligently alert based on defined risk profile. The following 
sample factors show how the view of an event's risk changes based on 
its context: 

* The source of an attack: Inside or outside? A new guy or a 
  competitor? 

* The target: A print server or the database holding customers' social 
  security numbers? 

* The exploit being used: A simple probe, or something that gives the 
  hacker complete control? 

* The vulnerability of the target: Is the system vulnerable? And how 
  old is the scan? 

* The user: Is someone pretending to be an administrator? 

* Activity: Have we seen this before? Is it a persistent pattern, or 
  an apparent one-off? 

All of this analysis needs to happen in real-time so that 
organizations can anticipate and manage a breach immediately. Running 
a retrospective report is too little too late, and by no means a 
"monitoring solution." If so, an organization has already been 
compromised. Game over. 

Going Beyond Compliance to Better Security 

The ability of a SIM to accurately identify threats can yield enormous 
savings in terms of operational efficiency. But the potential benefits 
don't stop there. The ability of a SIM to be able to respond 
automatically to an attack can make all the difference between simply 
detecting a threat and actually containing it. Foiling worm attacks is 
a great example of how automated remediation using a SIM can help 
minimize the speed and scope of an infection - in effect, helping to 
automate a containment strategy. 

In order to apply process controls, for example, a SIM can be forced 
to take an automated action if, and only if, a threat that passes the 
filter criteria has reached the critical state. Its users can create 
many different automated responses, each with their own unique 
combinations of filters and actions. Automated responses to known 
classes of security intrusion attempts demonstrated clear, consistent 
and controlled risk-oriented policies towards IT security and threat 
management - a core item in SOX compliance evaluation. 

Organizations can also link SIMs to internal knowledge bases, resource 
links and procedure manuals based on alert and event data correlated 
by the SIM, create well defined management options for users, and 
display them as options for operators to take. As a result, 
organizations gain consistent response to threats from operators, 
using the SIM to help define, manage and ensure consistent containment 
processes. 

Real-time risk management using SIM takes the vulnerability and risk 
approach and applies it to IT network and security infrastructure in 
real-time. It properly takes into account the source of an attack in 
the modified risk equation, enabling much more effective internal 
management of launched attacks. SIM also builds off currently deployed 
heterogeneous security and vulnerability infrastructures, making 
systems significantly more effective than as standalone, isolated 
point solutions. SIM gives each system an enterprise-wide management 
context through the correlation process. 

This is all possible because SIM is a security management application, 
not a security technology. It doesn't try to sniff packets on the 
wires or attempt to verify whether machines are patched or not. What 
it does do is bring data together through a real-time correlation 
process that considers all these factors, as collected by all the 
relevant underlying technology products, to help manage the data 
gathered from them, and automate the threat analysis and 
prioritization processes. 

SIM for SOX! 

SIM and its functions are the keys to an organization's ability to 
prove that its network security products and practices are in 
compliance. SIM enables demonstrable compliance by implementing 
several mechanisms on any monitored sensor, device or application, 
including real-time log monitoring, prioritized threat alarms and 
escalations, audit trail and configuration versioning, threat, event 
and forensic reporting, and standardized threat and incident 
responses. It proves that the alarms are on, and someone is listening. 

SIM affords organizations strategic opportunity by enhancing security 
operations efficiency, ensuring consistent threat response and 
centralized full log management, archiving and analysis. But for SIM 
to be most strategic, it should scale beyond the short-term audit 
process to handle growth, mergers and acquisitions - without adding 
significant structural costs and extra workload to already stretched 
security functions. 

In a nutshell, if implemented well, SIM both ensures compliance with 
SOX section 404 and affords organizations additional compelling 
business benefits. 

-=-

Phil Hollows, Vice President of Security Products, OpenService 
http://www.open.com 

Phil has more than 17 years of experience in product marketing, 
product management, development leadership and consulting. 





More information about the ISN mailing list