By: Bob Tarzey, Service Director, Quocirca
Published: 15th July 2013
Copyright Quocirca © 2013
Some things only appear suspicious when looked at in a broader context. An accountant may regularly access financial data when working at their organisation’s headquarters in London; it may also be usual for them to access the same data on occasions when visiting regional offices in other cities. What would not make sense would be for the accountant to download data in New York when the company’s physical security system shows them to be in London and already accessing other systems from there.
Spotting suspicious activity in this way is the concept behind context aware security. It involves reviewing a single event alongside other events currently taking place, as well as against historical log data and relevant information from a range of other sources. This requires real time access to extensive volumes of data and the ability to process that data as it arrives. Some call putting in place context aware security a big data challenge; i.e. you need the ability to process and gain useful insight from large volumes of data.
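As an added illustration of the correlation the article describes (this is not code from the article or from any vendor it names), the following Python sketch checks each data download against where the physical access system and the user's other recent sessions place that user; the sample log lines and the two-hour look-back window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article): one event per line,
# "timestamp kind user site system". Sites on network events are assumed to
# come from IP geolocation; badge_in events come from the physical access system.
SAMPLE_LOG = """\
2013-07-15T09:02:11Z badge_in alice London -
2013-07-15T09:10:40Z app_login alice London HR
2013-07-15T09:14:05Z data_download alice NewYork Finance
2013-07-15T09:20:00Z data_download bob Paris Finance
2013-07-15T11:30:00Z badge_in alice Manchester -
2013-07-15T11:45:12Z data_download alice Manchester Finance
"""

WINDOW = timedelta(hours=2)  # assumed look-back for corroborating context

def parse(log):
    """Parse the whitespace-separated log into dicts, oldest event first."""
    events = []
    for line in log.splitlines():
        ts, kind, user, site, system = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "kind": kind, "user": user, "site": site, "system": system})
    events.sort(key=lambda e: e["ts"])
    return events

def contradicted_downloads(events):
    """Return downloads whose site disagrees with the sites where the same user
    badged in or opened sessions within WINDOW before the download."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["kind"] != "data_download":
            continue
        recent = [e for e in events[:i]
                  if e["user"] == ev["user"] and ev["ts"] - e["ts"] <= WINDOW]
        badge_sites = {e["site"] for e in recent if e["kind"] == "badge_in"}
        session_sites = {e["site"] for e in recent if e["kind"] == "app_login"}
        context = badge_sites | session_sites
        # A download on its own is not evidence; only a disagreement with
        # concurrent context (badge in London, download from New York) is.
        if context and ev["site"] not in context:
            alerts.append((ev["ts"], ev["user"], ev["site"], sorted(context)))
    return alerts

if __name__ == "__main__":
    for ts, user, site, context in contradicted_downloads(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user}: download from {site}, context says {context}")
```

The Manchester download raises no alert because the badge-in at the regional office corroborates it, and bob's download is ignored because there is no context to contradict it.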
There is nothing new about storing and processing log data. Vendors of log management software have been around for years, their purpose often given away by their names, for example LogRhythm and LogLogic (the latter acquired by TIBCO in 2012). The drivers for investing in log management were principally to do with compliance, allowing IT staff to produce audits of who has been doing what on their organisation’s IT systems by collecting and analysing data from the log files of servers, network devices, security systems, etc.
Log management vendors have evolved their offerings over the last decade to provide a broader capability to view log data against other events happening on and around their systems. This led to the term SIEM (security information and event management), first used by Gartner around 2005. SIEM tools combine log data with other information, for example about users and their rights, third party feeds (about vulnerabilities, malware, news, weather, etc.), locational data (using IP addresses and mobile device tracking) and new regulatory requirements. They use all of this to provide enriched reports for both compliance reporting and security review.
As SIEM has become a mainstream offering, many of the big IT security vendors have entered the market via acquisitions, the most notable being HP/ArcSight (2010), IBM/Q1 Labs (2011), McAfee/Nitro Security (2011) and EMC-RSA/Netwitness (2011). LogRhythm is now considered to be a SIEM vendor; others include Red Lambda, Trustwave and Sensage. Splunk is often included in lists of SIEM vendors, but its focus is even broader, using IT operational intelligence to provide commercial as well as security insight (an area Quocirca will be publishing new research into later in 2013).
However, to go further still and deliver the promise of context aware security in real time requires SIEM tools to be souped-up so that they can do their analysis at speed and thus provide real time protection. Quocirca termed this advanced cyber-security intelligence (ASI) in a July 2012 report; another term used by some is next-generation SIEM (NG-SIEM).
Whatever term you prefer, any vendor claiming to offer a broad context aware security capability should have tools that can do all of the following:
NG-SIEM is not the only way to provide more context aware security. Some vendors have added specific capability to provide context around their various security products. For example Kaspersky Lab’s System Watcher combines information from its firewall, behaviour analyser and cloud-based reputation server to provide a broader overall risk assessment of suspected malware.
Other tools provide very specific context awareness. For example, Finsphere uses mobile phone numbers as an additional means of user authentication. The vendor compares this with information about the user’s location to make sure a given login makes sense (similar to the example used at the start of this article). To achieve the high speed processing necessary to do this in real time, Finsphere has just signed a deal with Violin Memory.
Context aware security is not a replacement for existing point security technologies such as anti-virus, firewalls and intrusion prevention systems (IPS), but a supplement to them. It provides insight that can identify a malicious attack or undesirable user behaviour (an even greater risk that needs to be mitigated).
Here are some examples of where ASI may succeed where point security products may fail:
For businesses, there will be no end to the struggle to get the upper hand over cyber-criminals, hacktivists and, indeed, their own users. For governments, the situation is arguably even worse, as cyber-space becomes the 5th theatre for warfare (after land, sea, air and space) and terrorists see cyber-space as a way to go after critical infrastructure. All have to keep upping the ante to avoid falling too far behind, or perhaps even to get ahead, turning cyber security into an offensive rather than defensive act.
So much criminal activity and political activism has now been displaced from the physical world to cyber-space, or at least extended to cover both, that IT security teams are now in the front line when it comes to ensuring that the businesses they serve can continue to function and that their continued good reputations are preserved. To this end they must be enabled with the tools that provide broader context for the activity on the systems they manage in order to protect their business from problems tomorrow that no one can envisage today.
Quocirca’s report Advanced Cyber Security Intelligence is freely available here: http://ecrm.logrhythm.com/WebQuocircaAdvancedCyberSecurity7-2012.html
Published by: electronicdawn Ltd.