A couple weeks ago, we spoke about the mobility journey and the phases that organizations take as they embrace the widely accepted mode of mobility—Beyond BYOD to Workspace Mobility (device-focus, application-focus and experience-focus). Whatever phase your organization is in, security is a top priority. These phases can help determine your secure mobility approach but your risk aversion level will also define it. Whatever your risk tolerance, the mobile threat landscape is extremely active and clever—do not underestimate it.

The dynamic nature of mobile threats does not stop by simply entering from your mobile device but it can further propagate and manifest across the network, wired devices, virtual, cloud and data center environments. So your secure mobility approach must be non-stop, continuous and pervasive—end to end. To hinder the chance of threat damage or inappropriate access whether intentional or not, one must offer comprehensive secure mobile access controls at the access layer across each phase of an attack, before, during and after.

Read More »

Tags: ATP, Black Hat, data protection, enforcement, MDM, secure mobility, SIEM, threats

Are you a security professional or IT professional just resolving the security issues with BYOD (bring-your-own-device)? Watch out, BYOD was a precursor or warm up exercise to the tsunami just hitting your shores now.

The SANS Institute just completed a survey on the security viewpoints on IoT, predominantly with security and IT professionals.

78% of respondents were unsure of the capabilities for basic visibility and management of Things they will need to secure or lack the capability to secure them.

It seems that, like BYOD, IoT is driven with minimal IT consultation. And it happens with security as an afterthought, with 46% who do not have a policy to drive the visibility and management of IoT devices.

The top security controls used today for securing IoT were 68% authentication/authorization, 65% system monitoring, and 49% segmentation. That translates into Cisco Secure Access solutions that offer superior visibility, robust intelligent platform of critical context, and highly effective unified secure access control. More importantly, this will also help the 74% that rely on manual processes for discovery and inventory of connected device (from previous SANS research).

Over half (67%) are using SIEM (security information and event management) to monitor and collect data to secure IoT. Cisco ISE (Identity Services Engine) integrates with SIEM to bring together a network-wide view of security events supplemented with relevant identity and device context. This provides security analysts the context they need to quickly assess the significance of security events. More details on the ISE and SIEM integration may be found in this new white paper: Cisco ISE Plus SIEM and Threat Defense: Strengthen Security with Context

The research rightfully points out that, of the many categories of Things, the newest category of single-purpose devices typically connected by wireless (and more likely embedded) software will be the most problematic for security. Due to this difficulty, the SANS community (61%) would like the Thing manufacturers to take more responsibility for providing security. While this is a reasonable request, the question is whether they have the expertise to do this when their focus is on the exciting new IoT market opportunities. Weigh in and tell us your outlook on securing this next wave of Things connecting to your network!

The paper on the SANS survey results is in the SANS reading room.

Tags: access, byod, control, IoT, ISE, NAC, SANS, security, SIEM

Most recently ESG/Vormetric came out with a threat report that highlighted the increase in insider threats & the significance to augment perimeter and host-based security. The rationale behind the increase was that more people are accessing the network, increase cloud and network traffic are making it difficult to isolate the problem.

Almost 50% of the organizations believe they are vulnerable to insider attacks and have or plan to invest dollars.

This is alarming!

The top methods noted for these insider threat vulnerabilities were abuse of access by privileged users, contractors, and other employees. Security professionals are finding it quite difficult to monitor the users, traffic, ports, etc to identify and mitigate insider threats. They must glean this information from multiple sources and many times need to translate the data. For example, “whose IP address is this and why is Mary from finance, who is supposed to be on vacation, downloading data from the payroll server?” This process slows the resolution time. The criticality of this type of contextual information is enormous to remediate quickly.

Security needs to be pervasive and consistent to manage these inside threats—so how does one do this? Integrate security into your infrastructure (wireless, wired, VPN)! Once security is woven into your infrastructure it provides the visibility and clarity to respond in a timely manner with a high degree of efficacy and is not dependent on distinct and isolated ingress points.

Read More »

Tags: insider threats, Lancope, network traffic, secure access, security, SIEM, vulnerabilities, webinar

CSIRT, I have a project for you. We have a big network and we’re definitely getting hacked constantly. Your group needs to develop and implement security monitoring to get our malware and hacking problem under control.

If you’ve been a security engineer for more than a few years, no doubt you’ve received a directive similar to this. If you’re anything like me, your mind probably races a mile a minute thinking of all of the cool detection techniques you’re going to develop and all of the awesome things you’re going to find.

I know, I’ll take the set of all hosts in our web proxy logs doing periodic POSTs and intersect that with…

STOP!

You shouldn’t leap before you look into a project like this. Read More »

Tags: CSIRT, csirt-playbook, incident response, infosec, logging, logs, playbook, security, SIEM

The Great Correlate Debate

SIEMs have been pitched in the past as “correlation engines” and their special algorithms can take in volumes of logs and filter everything down to just the good stuff. In its most basic form, correlation is a mathematical, statistical, or logical relationship between a set of different events. Correlation is incredibly important, and is a very powerful method for confirming details of a security incident. Correlation helps shake out circumstantial evidence, which is completely fair to use in the incident response game. Noticing one alarm from one host can certainly be compelling evidence, but in many cases it’s not sufficient. Let’s say my web proxy logs indicate a host on the network was a possible victim of a drive-by download attack. The SIEM could notify the analysts team that this issue occurred, but what do we really know at this point? That some host may have downloaded a complete file from a bad host – that’s it. We don’t know if it has been unpacked, executed, etc. and have no idea if the threat is still relevant. If the antivirus deleted or otherwise quarantined the file, do we still have anything to worry about? If the proxy blocked the file from downloading, what does that mean for this incident?

This is the problem that correlation can solve. If after the malware file downloaded we see port scanning behavior, large outbound netflow to unusual servers, repeated connections to PHP scripts hosted in sketchy places, or other suspicious activity from the same host, we can create an incident for the host based on our additional details. The order is important as well. Since most attacks follow the same pattern (bait, redirect, exploit, additional malware delivery, check-in), we tie these steps together with security alarms and timestamps. If we see the events happening in the proper order we can be assured an incident has occurred.

Read More »

Tags: CSIRT, csirt-playbook, incident response, infosec, logging, logs, NCSAM, ncsam-2013, playbook, security, SIEM