By Nilesh Patel
IBM Security Specialist
Identity and Access Management and Security Intelligence
A few weeks ago I was playing a car racing game with some remote friends on our game console over the Internet connection, and we were all really enjoying the game. At one point, I was about to cross the finish line to win that all decisive last race, when the game console network connection was lost. Our home Internet connection was still up and running, so I contacted the help desk of the game console provider. I was very upset when I learned that the network had been compromised on their side, and was shut down as a precaution.
Being a technical person, a few unanswered questions were popping up in my head, including:
- Who compromised the network?
- What was the reason behind the network shutdown?
- Has any of my personal subscription data fallen into the wrong hands?
- Can this happen again?
After a few days I read some news on my iPad regarding the network shutdown at the game solution provider. It was acknowledged that the shutdown was a direct response to stop an ongoing breach inside the provider's network, and that it potentially initiated from the workstation of one of their system administrators. Attackers had infiltrated the network by introducing malware through a fishing email. From my understanding prevention is better than a cure, but where have been the prevention controls, and was shutting down the network really a solution? This incident severely affected the provider's business. At the time of the outage the customers couldn't buy any new games or play online for a prolonged period of time. But the more serious impact became apparent weeks later when business did not return to normal due to a loss in confidence about the ability to keep customers' data safe and secure.
A variety of security controls can potentially help organizations mitigate this kind of risk rather than shutting down the whole network.
- Intrusion Detection System
- Intrusion Prevention System
- Vulnerability scanners
Most of these security controls are deployed and correctly configured at almost every organization today, but still these controls alone are NOT able to protect you from the bad guys. As a security specialist, I always emphasize the facts that although the security experts are becoming smarter day by day, so are the bad guys. But it's not all about being smart - another difference you can notice in the attack patterns today is the shift from a "target of opportunity" towards a "target of choice", where the bad guys are continuously, and even more important, patiently planning and executing advanced persistent threats (APTs).
All of the individual security controls that I mentioned above are very good at what they are supposed to do. But if attackers manage to take over the identity of legitimate privileged users, these tools cannot help in understanding the bigger contextualized picture of an advanced persistent threat.
The individual security controls are producing far too much "noise" for any human (or superhuman) administrator to simply see patterns for those APTs. It is time that organizations go about making sense of the security data collection jungle using security intelligence systems, just as they are already employing the help of business intelligence systems to improve their business processes and, ultimately, their revenue streams.
Organizations need to collect security data generated from distributed security controls, like network devices, servers, and applications, to gain complete visibility of their IT infrastructure. In the next step they need to apply specially tuned security analytic algorithms to gain insight into the collected data from an overall security and behavioral perspective.
I recently had the opportunity to research the field around security intelligence in my IBM Redbooks residency program in Austin, TX. The outcome is this publicly available IBM Redguide for Business Leaders "Realizing an Efficient Enterprise Security Intelligence Using IBM Security Intelligence Solutions".
How are you making sense of all the collected security control data records in your organization? Are you already employing a security intelligence solution? If not, this IBM Redguide may be an excellent start to understand the foundation that can help you battle the advanced persistent threats that are out there.
Likes before 03/04/2016 - 1
Views before 03/04/2016 - 2351