Some things only appear suspicious when looked at in a broader context. An accountant may regularly access financial data when working at their organisation’s headquarters in London; it may also be usual for them to access the same data on occasions when visiting regional offices in other cities. What would not make sense would be for the accountant to download data in New York when the company’s physical security system shows them to be in London and already accessing other systems from there.
Spotting suspicious activity in such a way is the concept behind context aware security. It involves reviewing a single event alongside other events currently taking place, as well as against historical log data and relevant information from a range of other sources. This involves real time access to extensive volumes of data and the ability to process it in real time. Some call putting in place context aware security a big data challenge; i.e. you need the ability to process and gain useful insight from large volumes of data.
There is nothing new about storing and processing log data. Vendors of log management software have been around for years, often given away by their names, for example LogRhythm and LogLogic (the latter acquired by TIBCO in 2012). The drivers for investing in log management were principally to do with compliance, allowing IT staff to produce audits of who has been doing what on their organisation’s IT systems by collecting and analysing data from the log files of servers, network devices, security systems etc.
Log management vendors have evolved their offerings over the last decade to provide a broader capability to view log data against other events happening on and around their systems. This led to the term SIEM (security information event management), first used by Gartner around 2005. SIEM tools combine log data with other information, for example about users and their rights, third party feeds (about vulnerabilities, malware, news, weather etc.), locational data (using IP addresses, mobile device tracking) and new regulatory requirements. They use all of this to provide enriched reports for both compliance reporting and security review.
As SIEM has become a mainstream offering, many of the big IT security vendors have entered the market via acquisitions, the most notable being: HP/ArcSight (2010), IBM/Q1 Labs (2011), McAfee/Nitro Security (2011), EMC-RSA/Netwitness (2011). LogRhythm is now considered to be a SIEM vendor; others include Red Lambda, Trustwave and Sensage. Splunk is often included in lists of SIEM vendors, but its focus is even broader, using IT operational intelligence for providing commercial as well as security insight (an area Quocirca will be publishing new research into later in 2013).
However, to go further still and provide the promise of context aware security in real time requires SIEM tools to be souped-up so that they can do their analysis at speed and thus provide real time protection. Quocirca termed this advanced cyber-security intelligence (ASI) in a July 2012 report; another term used by some is next-generation SIEM (NG-SIEM).
Whatever term you prefer, any vendor claiming to offer a broad context aware security capability should have tools that can do all of the following:
- Process and analyse large volumes of data in real time
- Have an advanced correlation engine to process and compare information from disparate sources
- Be able to enforce advanced rules that link disparate events and prescribe what should happen if there is an anomaly
- Include a range of out-of-the-box rules as well as allowing customers to write their own
- Have the intelligence and insight to act and prevent security breaches as they happen
- Have the capability to adapt to events and improve future responses
- Gather data from external feeds
- Have the capacity for the long term storage of IT intelligence data in a central repository
- Provide an intuitive interface and dashboard for ease of use by all security staff
NG-SIEM is not the only way to provide more context aware security. Some vendors have added specific capability to provide context around their various security products. For example Kaspersky Lab’s System Watcher combines information from its firewall, behaviour analyser and cloud-based reputation server to provide a broader overall risk assessment of suspected malware.
Other tools provide very specific context awareness. For example Finsphere uses mobile phone numbers as an additional means of user authentication. The vendor compares this with information about the user's location to make sure a given login makes sense (similar to the example used at the start of this article). To achieve the high speed processing necessary to achieve this in real time, Finsphere has just signed a deal with Violin Memory.
Context aware security is not a replacement for existing point security technologies such as anti-virus, firewalls and intrusion prevention systems (IPS), but a supplement to them. It provides insight that can identify a malicious attack or undesirable user behaviour (an even greater risk that needs to be mitigated).
Here are some examples of where ASI may succeed where point security products may fail:
- Detecting zero day attacks: signature-based anti-virus software cannot detect newly constructed malware, which is often used during targeted attacks. Correlating server access logs to identify that the same server is being used to contact many other servers and user end-points on the same private network and is sending messages home to an unusual IP address would give an early warning that something is amiss.
- Detecting hacking/preventing data theft: An intrusion prevention system (IPS) may prevent multiple failed attempts to access a server from a particular IP address, but may not see that data is already being copied from that server due to a single successful penetration from the same IP address. Correlating log and event files could identify that two such events are related and lead to the prevention of a data theft. Targeted attacks often have this sort of profile.
- Non-compliant movement of data: it might be usual for an employee to access customer information; it may also be usual for them to download it to a file for reporting reasons. However, for them to copy the data to a non-compliant location, for example a cloud storage resource in a certain country, should raise an alarm. This requires rules that understand user access rights and current compliance requirements and the ability to correlate these in real time with attempts to copy data and the location of the target storage service.
- Absence of an event: SCADA systems are often controlled using human machine interfaces (HMI); this requires someone to be present, which, with physical security measures in place, should be preceded by a record of the employee involved having used an ID badge to enter the premises in question. So, if an action is logged on an HMI system at a remote location that is not preceded by a valid record of physical entry, then either someone has gained unauthorised access or the HMI has been hacked remotely. An advanced correlation rule that looks for the presence of the badge reader log within a specified time prior to an HMI access request enables such a breach to be detected.
- Anomalous sys-admin activity: if a system administrator account has been compromised there may be an attempt to create a new account for future use. Correlating this activity with a change control system will identify that the creation of such accounts has not been authorised.
- Unexpected access routes: some databases are only normally accessed via certain applications, for example credit card data is written by an e-commerce application and only read by the accounts application; access attempts via other routes should raise an alarm if the tools are in place to correlate such events and observe that a rule about the normal access route is being broken.
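Two of the correlations described above, the accountant whose download location contradicts the physical security system at the start of the article and the "absence of an event" rule for HMI access without a preceding badge entry, can be expressed as simple rules over a merged event timeline. The following is an added illustration written for this page, not code from Quocirca or any SIEM vendor; the sample log lines, the field names (user, action, site) and the time windows are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample log, not from the article: one merged timeline from three
# sources, a badge reader ("badge"), an application audit log ("app") and a
# SCADA human machine interface ("hmi"). Field names are assumptions.
SAMPLE_LOG = """\
2013-03-04T08:55:00 badge user=alice action=enter site=London
2013-03-04T09:10:00 app user=alice action=read_financials site=London
2013-03-04T09:12:00 app user=alice action=download_financials site=NewYork
2013-03-04T07:40:00 badge user=bob action=enter site=Plant7
2013-03-04T07:45:00 hmi user=bob action=set_valve site=Plant7
2013-03-04T22:30:00 hmi user=bob action=set_valve site=Plant7
"""

# Rule parameters (assumed values): how long a badge entry counts as evidence
# of presence, and how soon before an HMI action a badge entry must exist.
PRESENCE_WINDOW = timedelta(hours=10)
HMI_ENTRY_WINDOW = timedelta(minutes=30)


@dataclass
class Event:
    ts: datetime
    source: str
    user: str
    action: str
    site: str


def parse_line(line: str) -> Event:
    """Parse '<iso timestamp> <source> key=value ...' into an Event."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return Event(datetime.fromisoformat(ts), source, fields["user"],
                 fields["action"], fields["site"])


def parse_log(text: str) -> List[Event]:
    """Parse all lines and order them in time so rules see events as they occur."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e.ts)


def last_badge_entry(events: List[Event], user: str,
                     before: datetime) -> Optional[Event]:
    """Most recent physical entry record for the user strictly before 'before'."""
    entries = [e for e in events
               if e.source == "badge" and e.user == user
               and e.action == "enter" and e.ts < before]
    return entries[-1] if entries else None


def correlate(events: List[Event]) -> List[Tuple[str, str, datetime]]:
    """Return (rule, user, timestamp) alerts for events that break a context rule."""
    alerts = []
    for ev in events:
        entry = last_badge_entry(events, ev.user, ev.ts)
        if ev.source == "app":
            # Rule 1: the logical location of an application action contradicts
            # the physical location the badge system recently recorded.
            if entry and ev.ts - entry.ts <= PRESENCE_WINDOW and entry.site != ev.site:
                alerts.append(("location_mismatch", ev.user, ev.ts))
        elif ev.source == "hmi":
            # Rule 2: absence of an expected event. An HMI action with no badge
            # entry at that site within the window beforehand is suspicious.
            if (entry is None or entry.site != ev.site
                    or ev.ts - entry.ts > HMI_ENTRY_WINDOW):
                alerts.append(("hmi_without_entry", ev.user, ev.ts))
    return alerts


def run_sample() -> List[Tuple[str, str, datetime]]:
    return correlate(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, ts in run_sample():
        print(f"{ts.isoformat()} {rule} user={user}")
```

On the constructed timeline the rules raise exactly two alerts: alice's download from New York twelve minutes after she badged into London, and bob's late-evening HMI action with no badge entry in the preceding thirty minutes. bob's morning HMI action, five minutes after a badge entry at the same site, passes. In a real deployment the windows and the site vocabulary would come from the organisation's own physical security and HR data, and the rule engine would evaluate events as they stream in rather than over a sorted list.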
For businesses, there will be no end to the struggle to get the upper hand over cyber-criminals, hacktivists and, indeed, their own users. For governments, the situation is arguably even worse, as cyber-space becomes the 5th theatre for warfare (after land, sea, air and space) and terrorists see cyber-space as a way to go after critical infrastructure. All have to keep upping the ante, to avoid falling too far behind, or perhaps even get ahead, turning cyber security into an offensive rather than defensive act.
So much criminal activity and political activism has now been displaced from the physical world to cyber-space, or at least extended to cover both, that IT security teams are now in the front line when it comes to ensuring that the businesses they serve can continue to function and that their continued good reputations are preserved. To this end they must be enabled with the tools that provide broader context for the activity on the systems they manage in order to protect their business from problems tomorrow that no one can envisage today.
Quocirca’s report Advanced Cyber Security Intelligence is freely available here: http://ecrm.logrhythm.com/WebQuocircaAdvancedCyberSecurity7-2012.html