Editor’s note: In A Circular Problem in Current Information Security Principles, we highlighted one of the challenges in our knowledge domain that contributes to the ineffectiveness of today’s information security practices. In this third installment, we review the issues and dilemmas that are common in our practice environment.
One of the challenges information security management teams face is justifying their value proposition to the business to ensure that security requirements receive adequate resource allocations. The paradox here is that if security management within an organization is effective, the results typically show no observable outcome (i.e., no security incident). Interestingly, even if a security incident is not present, it does not necessarily mean that good security management practices are in place. They might be missing because of a security detection mechanism flaw, or simply because the attacker has no interest in carrying out an attack during that time period.
On the other hand, when a security breach occurs, the security manager is often questioned for failure to anticipate and prevent the incident. Security managers therefore often fall back on past or external incidents as a form of justification. Business managers frown on these explanations because they normally do not believe they are no better than their peers or competitors in the industry. Read More »
Tags: incident response, information security, Risk Management, security
Malware can find its way into the most unexpected of places. Certainly, no website can be assumed to be always completely free of malware. Typically, there are many ways that websites can be compromised to serve malware:
Read More »
Tags: cloud security, incident response, IPS, malware, security, TRAC
Cisco’s network is a massively complex environment that requires extensive monitoring and remediation. In today’s world of advanced threats and attacks, the company that possesses and positions its tools to preemptively identify and mitigate threats is the one left standing when the dust settles.
Cisco leverages its Computer Security Incident Response Team (CSIRT), a global organization comprised of information security professionals, to monitor, investigate, and respond to cyber security incidents 24×7. The Cisco CSIRT team forms part of the investigative branch of Cisco’s Information Security organization, protecting Cisco from security threats and the loss of its intellectual assets.
With a variety of security tools, CSIRT is able to detect and analyze malicious traffic throughout the network, including virus propagation, targeted attacks, and commonplace exploits. Because CSIRT continually identifies new security threats, the team needs some historical look-back at what occurred on the network. They also need a solution that can dissect the finer details of security incidents while facing the ever-present restrictions with data storage. StealthWatch, a NetFlow monitoring solution from Cisco partner Lancope, contains unique storage, interactivity, and parsing capabilities, to provide a more concise set of data for analysis.
Read More »
Tags: CSIRT, cybersercurity, incident response, Lancope
Security intelligence, threat intelligence, cyber threat intelligence, or “intel” for short is a popular topic these days in the Infosec world. It seems everyone has a feed of “bad” IP addresses and hostnames they want to sell you, or share. This is an encouraging trend in that it indicates the security industry is attempting to work together to defend against known and upcoming threats. Many services like Team Cymru, ShadowServer, ThreatExpert, Clean MX, and Malware Domain List offer lists of known command and control servers, dangerous URIs, or lists of hosts in your ASN that have been checking-in with known malicious hosts. This is essentially outsourced or assisted incident detection. You can leverage these feeds to let you know what problems you already have on your network, and to prepare for future incidents. This can be very helpful, especially for organizations with no computer security incident response teams (CSIRT) or an under-resourced security or IT operations group.
There are also commercial feeds which range anywhere from basic notifications to full-blown managed security solution. Government agencies and industry specific organizations also provide feeds targeted towards specific actors and threats. Many security information and event management systems (SIEMs) offer built-in feed subscriptions available only to their platform. The field of threat intelligence services is an ever-growing one, offering options from open source and free, to commercial and classified. Full disclosure: Cisco is also in the threat intelligence business
However the intent of this article is not to convince you that one feed is better than another, or to help you select the right feed for your organization. There are too many factors to consider, and the primary intention of this post is to make you ask yourself, “I have a threat intelligence feed, now what?” Read More »
Tags: cisco sio, CSIRT, csirt-playbook, cybersecurity, incident response, infosec, operational security, security, security intel
CSIRT, I have a project for you. We have a big network and we’re definitely getting hacked constantly. Your group needs to develop and implement security monitoring to get our malware and hacking problem under control.
If you’ve been a security engineer for more than a few years, no doubt you’ve received a directive similar to this. If you’re anything like me, your mind probably races a mile a minute thinking of all of the cool detection techniques you’re going to develop and all of the awesome things you’re going to find.
I know, I’ll take the set of all hosts in our web proxy logs doing periodic POSTs and intersect that with…
You shouldn’t leap before you look into a project like this. Read More »
Tags: CSIRT, csirt-playbook, incident response, infosec, logging, logs, playbook, security, SIEM