A very interesting read. Have a look and assess where you are regarding your cyber defense capabilities.
HP Security Intelligence and Operations Consulting (SIOC) has assessed the capability and maturity of 69 discreet SOCs in 93 assessments since 2008. The maturity assessments include organizations in the public and private sectors, enterprises across all industry verticals, and managed security service providers. Geographically, these assessments include SOCs located in 13 countries. This is the largest available dataset from which to draw conclusions about the state of security operations across the globe.
In today’s Information Risk Management Frameworks continuous security Logging & Monitoring plays a critical role. These days nearly all critical business processes are supported by Information Technology (IT) and with that the dependency on system and services being properly managed and controlled has become mission critical.
Information Risk Management and with it the topic of Cyber Security has achieved mainstream recognition as a significant global economic risk. Even the 2013 World Economic Forum (WEF) listed Cyber attacks as a main risk / concern with a growing likelihood and large possible impact.
Every major industry standard (e.g. ISO or NIST) has a definition for logging & monitoring. Security logging and monitoring is a process which an organization must follow on a continuous basis. They need to capture, analyze and examine application and infrastructure logs, system events and status information in an automated and near real time fashion. It is the goal to detect and discover early indications for potential or actual unauthorized security related activities. The process must ensure that the collected log information can be utilized as evidence in case of legal or regulatory breaches and the utilized material must provide an effective and tamper proof audit trail.
Given the complexity and scale of today’s IT environments it becomes clear that the one fits all approach from the past can’t be utilized anymore. Information Technology has come a long way from providing IT services only in-house, towards outsourced services and nowadays industrialized cloud based IT services. With these changes the requirements for security logging & monitoring have changed dramatically.
A risk based security logging & monitoring approach is based on a clear differentiation between areas where preventive controls are in place already and where detection and aggregation of log information can deliver real added value. Such an approach does not require all infrastructure components, systems, applications, or services (cloud or in-house) to be monitored at all times and at every location. Based on the criticality of the systems for IT and the Business paired with the regulatory and policy requirements you determine which systems have to be included and which information will be monitored.
From your Compliance Monitoring (CM) efforts you know already how the system benchmark looks like against the documented and agreed baseline (e.g. standard build). From your Vulnerability Management (VM) service you have visibility into the actual health status of your assets. Based on that, your local system L&M coverage may only include privilege escalations, permission changes, kernel modifications and application changes focusing on highly privileged users and IT administrative accounts.
The way to go is to develop a ‘threat model’ that will guide you in determining what “Scenarios” you want to identify, and therefore what logs from what systems you require to identify those scenarios. Starting with the high level scenarios, you can easily see how it trickles down into some lower level technical scenarios, which then become your SIEM rules.
High level IT scenarios may include topics like this:
- Malware compromises a VIP workstation and steals credentials
- Malware compromises non-VIP workstation but uses it as an intermediate point to other targets
- System administrator (SA) plants a logic bomb on multiple servers
- Trader uses another person’s account or a generic application account to perform fraud
Using industrialized cloud services does not release you from running a continuous L&M approach. It is the responsibility of the cloud service provider to monitor it’s own logs but you have to make sure that you fully understand the cloud providers policies, procedures and incident alerting criteria. Your risk management monitoring & reporting will depend on information provided by the cloud provider. Aspects you may still want to monitor are for example interfaces between the cloud provider and your environment on both infrastructure and application level. Credentials used within the cloud are most probably the ones you use internally as well and you want to watch out for any kind of abuse and privilege escalation around them. Ideally the cloud provider would actually make some application-level logs available for you to monitor your own data / service usage.
A risk based L&M approach requires governance, structure, processes and automation. A list of top down building blocks / requirements for a risk based logging & monitoring approach could look like this:
- Security Policy requiring ongoing L&M
- Compliance mandates (e.g. SOX, PCI)
- L&M Core Control (What)
- L&M Procedural Controls (How)
- Architectural L&M design for build and / or buy
- Data retention policy
- Configuration Management / System Development Lifecycle
- Asset Management / Inventory Management
- L&M Standard IT
- Segregation of Duties (IT & Security but also Development & Testing)
- Threat & Malware Detection / Management
- Vulnerability Assessment & Management
- Compliance Monitoring
- L&M Standard Security
- Risk based L&M Approach
- Incident Response Procedures
- SOC operational procedures & processes
Some indicators for you to assess if your current logging & monitoring approach is still fit for its initially intended purpose are:
- Do you have a well documented L&M approach with clear processes & procedures for data review/analysis and escalation/incident response?
- Are you using cloud services and have not adjusted your L&M approach?
- Your current L&M solution becomes more and more expensive and the capacity & cost requirements are going through the roof (cost effectiveness)
- IT delivers both IT and Security operations at the same time (segregation of duties)
- Your current L&M approach focuses on compliance only and does not deliver actual / perceived value
- A big portion of your approach relies on manual tasks and is not near real time
- Your L&M approach focus on infrastructure only leaving applications fully out of scope
Feel free to reach out to me if you want to discuss the shown concept.
With all the laws and regulations in place today why should I bother about strategic security planning? Being compliant with them must be enough, right? Many organizations today are still running their security shops in “New York cab mode”. They spend most of their time in responding and reacting to “things” bumping into their way. As we all know, there are many things coming up on a daily base from left and right and especial from the top of the house. The New York cab driver does exactly the same.
Others are asking consulting firms to come in from time to time to check the status quo. As a result they get a remediation list, containing required security projects, which they call then their security strategy. They may close existing holes and remediate some older security risks but the security organization overall remains incident driven and does not operate in a proactive business focused fashion.
Things are changing these days and senior security managers begin to see the value of using established strategic planning principles to guide their efforts. Goal is to apply a formalized process for setting strategic goals based on existing risk information and business objectives. With such a plan in place you will have defined objectives you can measure and report on. You are in control and not every incident impacts your overall situation.
Recently a lot has been published about proper Information Risk Management, how to write policies and other aspects of security governance. What’s about a proper strategic plan for preventive and detective IT Security controls?
Lets have a look at a car. If we take the compliance driven approach and design a car based on them today, it would have at least the following safety components installed:
- Lights & signaling equipment, preventive components
- Brakes, steering and suspension, preventive components
- Seatbelts, preventive component
- Crumple zones, preventive component
- Mirrors, detective component
- Speedometer, detective component
- Maybe anti-intrusion bars and pedestrian protection system
This car would function and I could use it legally on the road. We have both preventive and detective components on board and riding it may be very funny. But would the majority buy it as their family car? Most probably not!
Let’s include the expert advice next. A proper analysis of our safety situation would show that compared to other car manufacturers our design misses the following important safety components:
- Airbags, preventive components
- Anti-lock breaking system (ABS), preventive component
- Traction control system, preventive components
- Emergency break assist, preventive components
- Adaptive headlamps, preventive components
- Cargo barriers, preventive components
Wow, now we have a much better and safer car at hand, right? We can travel faster and we are still safe. With the remediation plan in place we must be now on the road to success. Why are the customers still not super enthusiastic about our model?
Ok, ok. Let’s develop a strategic plan to design our car, which fulfills the requirements, our customers are looking for these days. It also needs to comply with all laws and regulations and addresses all currently known safety risks. After analyzing the situation together with a proactive approach allowing our company to outperform the market, we have these additional safety components on board:
- Automatic breaking, preventive component
- Infrared night vision, detective component
- Reverse backup sensors and backup camera, detective component
- Adaptive cruise control, preventive components
- Lane departure warning system, preventive components
- Tire pressure monitoring, detective component
- Precrash system, detective component
As a result we will come up with a car our customers are interested in or even dreams about. Within the IT Security world the business is our customer. You all know that they are normally very demanding, asking for a lot willing to pay as little as possible. We are very similar when we are about to buy a new family car.
I am absolutely clear that it is now always that black and white. If your organization does now have higher security demands, as it is not handling any kind of confidential information, the first approach may work for you. To stay with the car example, the car below has not a single safety component from option two or three and even the components from approach one are not fully covered, but it is a fantastic car if handle by a very skilled person who is able to control and handle it the right way.
We in IT Security can learn something from the car industry. Each modern car has a security concept in place balancing between prevention and detection. Logging and monitoring in our IT Security world for example is a typical detective control helping us to compensate. If we have not implemented a layer of preventative controls at the first place, it is unlikely that we will derive much benefit from our IT Security logging and monitoring program.
We can differentiate our L&M approach to focus on three layers:
- Compliance monitoring: See how our preventative controls are being enforced (prevention is better than cure)At our car we monitor for example if our breaks are functioning correctly
- Black list monitoring: Unauthorized activities e.g. Password cracking, intrusion, unauthorized changes, malware, data ex-filtration attempts etc. – this delivers proactive approach to stopping attacks both internal and external while in progressWe monitor for example the traction of our wheels to ensure a safe ride
- Anomaly monitoring: Authorized activities but may indicate a threat scenario in progress e.g. Any statistical anomalies such excessive number of servers not sending security events, large number of wrong passwords etc.We monitor for example the tire pressure of our wheels
The more we focus on our strategic approach, the higher the probability that we will deliver real business value. The more we are in control of the overall situation and the existing information risks the better. Early prevention is the key, as we don’t have to fix problems and handle incidents later on. At the same time it is a big chance for the IT Security organization to earn business credibility.
“Lets make it happen”
The news are full these days about PRISM and how the US National Security Agency (NSA) collects data about everyone all over the world. Everyone involved tries to cover what is going on denying any kind of contribution. Politicians are using the opportunity trying to take political advantage and the regular citizen is shocked about the amount of news everywhere. This must be a new disaster! Really???
Since generations counter intelligence services are in use. The group which knows more wins the battle. In business, you don’t get what you deserve, you get what you negotiate. The more information you have, the better your position is to negotiate. That’s how easy it is.
Data collection happens everywhere, really everywhere. At home your partner may check your text messages and mails to find out what is going on. Your local retail store collects data about what you buy, where and when you buy and how you pay it. Your bank and the providers are collecting information about your behavior on-line and where you pay with your credit cards. All of us are giving such information away in one or the other way. We are using our frequent flyer cards, we collect points and bonuses online for another gift and our kids are joining all kind of online questionnaires in the hope to get a better resource for their online game. We use social media services and show family and friends where we are and what we do. Depending on the country we are in the acceptance level for such things vary but the services are used everywhere. Some of the activities are backed up by laws other not.
The same is going on at our workplace. The IT department screens the internet traffic and all data in motion. It creates a journal and index about every mail send. Data in rest scanners are looking for key words and not seldom the management knows who is looking for a new job online. To get the best information possible, some countries are supporting their multi nationals even with counter intelligence information about their competitors. Local security agencies are even demonstrating to in-house security groups how to take over data and voice streams from mobile devices and use the data for their own advantage. To make sure that everything is ok, companies are issuing company policies which every employee accepts by joining the firm.
All national security agencies which have access to the proper resources are running counter intelligence services. The country laws are providing the legal framework for it and all politicians should be aware if they did their homework properly before. Have you ever thought about why countries are running super big events where all politicians or industry leaders come to a single place? It’s not because they have endless amount of resources. How much better can it get to collect important, firsthand information?
Sharing of information is all over the place. Counter intelligence information sharing works the same way like normal gossiping. People who have the hottest and most accurate information early on, are looked for people which everyone wants to talk to. The better information you have the more you get involved into the information exchange. Hacker communities are working exactly the same way based on trust.
It is surprising to read about state level politicians and their view of the situation these days. They created the legal framework and decide about the resources such agencies have at hand. If their local national agency is not part of the exchange club they better focus on fixing that issue quickly.
As usual the topic is once again overly hyped by the media and it would be very nice to get back to a more fact based discussion. Counter intelligence is not necessarily a good thing but it is a fact and it is backed up by country laws. There are many ways to better protect us and our information. Let’s use what is out there and technical possible today. By doing this we will make a big step forward. Many people are still communicating in clear text every day and access protection is also still not very high on everyone’s agenda.
It would be certainly excessive to state that IT specialists are superfluous in the future enterprise. However, it is indisputable that with the progressive industrialization efforts the future internal IT departments will look fundamentally different.
Considerations to the future of corporate IT organization, requires us to look back first and learn from history. In the past the energy sector went through a very similar transformation. Bigger companies had their own power plant (water wheel) covering their own needs (1:1 relationship) at the beginning. With the rising demand the sector started to industrialize and created central services based on steam power stations (1:many relationship). The services developed further and became more efficient. Based on the dependencies the regulators kicked in and created rules & standards. Nowadays the sector is heavily distributed and privatized and electricity is commodity. The same will happen with IT.
Today’s internal IT organization will go through drastic changes and experience a radical transformation as well. External IT service partner will provide in future the majority of all commodity IT services. This will include also such awkward topics like IT Security. The future internal IT shop will form itself around service managers and the CIO will have no more technology responsibility. Only business areas with special demands will have local IT technology specialists, which design the necessary solutions together with the service provider.
Hence, internal IT teams will be in future considerably smaller and the job profiles for the concerning employees will differ strongly from the ones in place today. On the way there, many open questions with regard to responsibility, security and compliance need to be answered. However, these will be soon addressed by applying harmonized rules & standards. The standards will describe the “What needs to be done” and it is up to the companies to define exactly “How” they want to do it.
Through bundling of the different services at the external suppliers the number of internal IT jobs will decrease strongly. The majority of IT commodity services will be delivered from developing countries with a low budget workforce. IT employees within the developed countries must have a very good professional qualification and experience in future to make good money in IT. The ongoing cost pressure and focus on efficiency gain in high cost locations will increase the pressure even more and accelerate the described industrialization process.
The global IT workforce and their distribution will definitively look very much different in 2023 compared to the one we have today. It will take some more time to figure out how fast all that will take place but it will happen. Hopefully then enterprise companies, service providers, IT employees, universities and the culture is ready to handle it.
Es wäre heute sicher übertrieben zu behaupten, dass die Letzten das Licht ausmachen und IT-Spezialisten im Unternehmen überflüssig sind. Unbestritten ist aber, dass mit der fortschreitenden Industrialisierung der IT künftig interne IT-Abteilungen grundsätzlich anders aussehen werden.
Stellt man Überlegungen zur Zukunft der Unternehmens-IT an, drängt sich der Vergleich mit dem internen Fuhrpark vor 20 Jahren geradezu auf. Damals war es undenkbar, die Firmenwägen von externen Dienstleistern pflegen zu lassen. Man hatte eigenen Werkstätten, eigene KfZ-Spezialisten und der Fahrer vom Chef war natürlich ein lang gedienter festangestellter Mitarbeiter. Heute bezieht diesen Service jede Organisation ganz selbstverständlich von einem externen Dienstleister und bestreitet es nur noch das Service-Management selbst.
Das gleiche wird mit der internen IT-Abteilung passieren. In den nächsten Jahren werden wir eine radikale Transformation erleben. Externe IT-Dienstleister erbringen künftig die Mehrheit aller IT-Services. Darunter auch solch heikle Themen wie IT Sicherheit. In den internen Organisationen werden die Service Manager den neuen Kern bilden. Der CIO von morgen wird keinerlei Technologieverantwortung mehr haben. Nur für Businessbereiche mit speziellen Anforderungen wird es noch IT-Spezialisten mit Technikwissen geben, die gemeinsam mit dem Dienstleister die notwendigen Lösungen entwerfen.
Daher werden in Zukunft unternehmenseigene IT-Mannschaften erheblich kleiner ausfallen und die Anforderungsprofile an die betreffenden Mitarbeiter stark von den heute gängigen abweichen. Auf dem Weg dorthin gibt es noch jede Menge offener Fragen bezüglich Verantwortlichkeit, Sicherheit und Compliance. Diese werden aber schon bald durch das Anwenden internationaler Standards adressiert werden. Die Standards beschreiben dabei das was genau gemacht werden muss und es liegt bei den Firmen zu definieren wie sie es genau umsetzten wollen.
Durch das Bündeln der Dienstleistungen durch die externen Anbieter wird die Anzahl der Arbeitsplätze im IT-Umfeld stark zurückgehen. Die Basisdienste erbringen dann Fachleute in Niedriglohnländern, was in den Industrienationen die Nachfrage nach Mitarbeitern senkt. Diese müssen dann aber hoch qualifiziert sein. Der noch immer anhaltende Kostendruck wird diesen Vorgang weiter beschleunigen.
Die IT-Arbeitswelt 2023 sieht definitiv anders aus als die heutige. Es bleibt abzuwarten, wie schnell sich die Firmen, die Mitarbeiter, die Universitäten und die Kultur darauf einstellen.
Within the past two weeks, we have seen the issuance of two significant governmental initiatives addressing the risks of cyber attacks of various types on government and industry (and specifically financial services) infrastructure and systems. Please read below the high level summary:
The first initiative is the February 7 draft EU Directive on cyber security!
Assuming approval by the EU Parliament, it defines a mandatory obligation on the part of, among others, banking businesses, to report, and share information on, cyber attacks and security breaches. This reporting, yet to be fully-defined, will involve the European Network and Information Security Agency (ENISA), as well as authorities in member states. Cooperation with the US and other countries outside the EU is anticipated, including use of the existing EU –US Working Group on Cyber Security and Cyber Crime.
The goal is cyber-resilience and creation of an international cyber space policy. It will involve an obligation on businesses to take “appropriate technical and organizational measures to manage the risks posed”. The cyber security directive does not appear to distinguish between breaches resulting from criminal attacks and those involving unintentional data loss.
The directive must be further implemented through national member state legislation. It is intended to complement the recent draft EU Data Protection Regulation which already heightens standards for data privacy measures and creates greatly-increased data breach penalties. (Combined reporting under both EU directives may eventuate.)
The second initiative is the President’s February 12 Executive Order on Improving Critical Infrastructure Cyber security!
This order creates a two-pronged program involving:
a) voluntary information sharing between government and industry (financial services is identified as a “critical infrastructure” (CI) industry) of cyber threats and incidents
b) the creation of a cyber security framework by the National Institute of Standards and Technology (NISTA).
This latter will involve extensive consultation with industry and particularly CI industries. At the same time, specific agencies will review their existing cyber security-related regulations for adequacy and report on this. This latter will include identification of areas in which the regulators determine that they lack adequate authority.
Both documents are rather lengthy and this summary is only a cursory overview. They both will involve future development of details as to implementation and standards. However, the basic elements and objectives of these measures should remain.