
Trusted technologies: Crucial, but insufficient

By Zenith Systems
Johannesburg, 18 Apr 2012

Eighty percent of the evidence of security breaches is contained within the logs on our corporate networks.

Does this mean that trusted technologies have failed and are now obsolete? “Absolutely not,” says Murray Benadie, MD of Zenith Systems, the SIEM and log management specialist.

“Trusted technologies are critical in the fight against cyber crime; the problem is not with the technologies, but the way they operate in security silos, i.e. without comprehensive integration and interrogation of the various telemetries. Trusted defences such as firewalls, IDS/IPS and anti-virus (AV), etc, are critical and all play a significant role in combating the security threats we face on a daily basis, but the challenge is threefold.”

Overwhelming volumes of relevant data

Vast quantities of logs and events traverse our corporate networks on a daily basis, so even if the majority of the evidence of breaches or reconnaissance in progress is contained within the logs, there is simply too much data for this to be interrogated manually.

An example of the potential volumes involves one of the largest QRadar implementations, which monitors 160 000 events per second (EPS), or 14 billion events per day. Quite clearly, if the evidence is contained within these 14 billion events, then it is impossible to interrogate these events manually.

Even with 'automated' log management, if the automation is not sufficiently intelligent, the suspected incidents that operators must investigate are overwhelming. Without the automated intelligence, data reduction is minimal and, as with most 'alarm systems', if it triggers too often, it is simply switched off.

So, in this instance, the databases, firewalls, AV, IDS/IPS, operating systems, etc, are doing their job, but the generated events are simply overwhelming.

Lack of integration/correlation

The single biggest challenge with traditional technologies is that they operate in silos. For example, the AV is not related to the network traffic analysis and this in turn is not related to the IDS/IPS, which in turn is not related to the vulnerability assessment.

This lack of correlation means security threats are missed and the volumes of data that operators have to deal with are simply overwhelming. Intelligent integration and correlation of data from trusted traditional technologies ensures data reduction, enabling security staff to focus on a shortlist of highly prioritised offences that must be investigated.

An effective SIEM tool with the requisite intelligence and correlation will ensure that data reduction is achieved.

An example of this is Chevron, which uses QRadar to reduce more than two billion logs and events per day to 20 actionable offences. This data reduction ensures that security operators are able to cope with the volume of data and are empowered to detect and deal with breaches, typically before they happen.
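As an added illustration of the correlation described above (example code, not Zenith Systems' or QRadar's), the snippet below folds constructed IDS, vulnerability-scan, AV and firewall events into a short list of prioritised offences. Host names, the per-source scores and the firewall burst threshold are arbitrary assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample telemetry (not from any real network). Each event is
# (source technology, host, detail); a real SIEM would normalise vendor formats first.
EVENTS = [
    ("vulnscan", "srv-01", "vuln:smb-rce present"),   # scanner says host is vulnerable
    ("ids", "srv-01", "smb exploit attempt"),
    ("ids", "srv-02", "smb exploit attempt"),         # same signature, patched host
    ("av", "srv-01", "malware quarantined"),
] + [("firewall", "srv-03", f"deny from 198.51.100.{i % 5}") for i in range(200)]

@dataclass
class Offence:
    host: str
    magnitude: int = 0
    evidence: list = field(default_factory=list)

def correlate(events, fw_threshold=50, min_magnitude=3):
    """Fold raw events into per-host offences; return those worth an operator's time."""
    vulnerable = {h for src, h, _ in events if src == "vulnscan"}  # context, not an offence
    offences, fw_counts = {}, defaultdict(int)
    for src, host, detail in events:
        if src == "ids":
            # An exploit attempt against a host the scanner found vulnerable is far
            # more credible than the same signature fired at a patched host.
            o = offences.setdefault(host, Offence(host))
            o.magnitude += 7 if host in vulnerable else 2
            o.evidence.append(f"{src}: {detail}")
        elif src == "av":
            # AV detection on a host already under attack suggests the exploit landed;
            # raise that host's magnitude instead of opening a separate case.
            o = offences.setdefault(host, Offence(host))
            o.magnitude += 5
            o.evidence.append(f"{src}: {detail}")
        elif src == "firewall":
            fw_counts[host] += 1
    # Individual denies are noise; only a burst against one host becomes an offence.
    for host, n in fw_counts.items():
        if n >= fw_threshold:
            o = offences.setdefault(host, Offence(host))
            o.magnitude += 3
            o.evidence.append(f"firewall: {n} denies aggregated")
    shortlist = [o for o in offences.values() if o.magnitude >= min_magnitude]
    return sorted(shortlist, key=lambda o: o.magnitude, reverse=True)

def reduction_ratio(events, offences):
    """Raw events per offence the operator actually has to look at."""
    return len(events) // max(len(offences), 1)
```

Running `correlate(EVENTS)` on the 204 constructed events yields two offences, with the vulnerable host that also tripped AV ranked first and the unconfirmed attempt against the patched host dropped below the threshold.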

Skills shortages

Those in the IT security industry are aiming at a moving target. Cyber crime is big business and is increasingly driven by organised crime and even nation states. Organised crime has the resources, expertise and business processes to challenge the security defences of any corporate or government institution anywhere in the world. The payoff for organised crime is substantial and provides them with the means to attract the best talent. Some of the figures paid to organised crime include $250 000 for a full internal competitor database, $25 per credit card account (minimum purchase 10 000 credit card numbers), and $20 000 for rent of a medium-sized botnet.


Essentially, security staff are dealing with professional cyber criminals: organisations that have time and money on their side (hence the emergence of low-and-slow attacks). As a result, IT security expertise is not growing anywhere near quickly enough to empower security staff to interrogate and interpret the evidence that may be available to them from the traditional “trusted” technologies.

This view is substantiated by the recent IBM X-Force Mid-Year Trend and Risk Report, which highlights the rapidly changing security landscape.

“To combat an increase in high-profile attacks, growing mobile vulnerabilities and more sophisticated threats, firms must be equipped to quickly identify threats, detect insider fraud, predict business risk and address regulatory mandates.” Thus, without enough sufficiently skilled staff, the demands are endless.

Once again, an effective SIEM tool with best-practice, compliance and security rules embedded provides operators with intelligent analysis of the evidence.

Trusted technologies are crucial; they are an integral part of the defence framework of any organisation, but embedded intelligence and analytics (SIEM) is the most significant tool to overlay the traditional trusted technologies and gain maximum value from these investments.

Visit Zenith Systems at the ITWeb Security Summit, which will take place at the Sandton Convention Centre between 15 and 17 May 2012, and will feature presentations relating to trust and the need to reassess the standard approaches to IT security. This year's theme is: “Reinventing information security: When trusted technologies have failed”.
