20 February 2011

New Vision: Security Operations Center and CIU...

The key Operational Risk Management news from this years RSA Conference is now coming in, yet there are inside sources who still need to be interviewed. What did they think was the most brilliant presentation or idea(s) presented?

This particular release caught some eyes as it addresses much of the thinking on the latest evolution of the Security Operations Center (SOC):

New Vision for Security Operations: Six Core Elements
The vision includes six core elements and prescriptive guidance for how to incorporate these elements into existing security operations. These elements include:
  • Risk planning: The new SOC will take a more information-centric approach to security risk planning and invest in understanding which organizational assets are highly valuable and essential to protect. With priorities based on GRC policies, security teams need to conduct risk assessments that focus on the “crown jewels” of the enterprise.
  • Attack modeling: Understanding attack modeling in a complex environment requires determining which systems, people and processes have access to valuable information. Once the threat surface is modeled, organizations can then determine potential attack vectors and examine defense steps to isolate compromised access points efficiently and quickly. RSA® Laboratories has developed theoretical models based on known APT techniques and employed game theory principles to identify the most efficient means of severing an attack path and optimize defense costs.
  • Virtualized environments: Virtualization will be a core capability of tomorrow's SOC – delivering a range of security benefits. For example, organizations can "sandbox" e-mail, attachments and URLs suspected of harboring malware. Anything suspicious can be launched in an isolated hypervisor and the virtual machine can be cut off from the rest of the system.
  • Self- learning, predictive analysis: To remain relevant in tomorrow's IT environment, a SOC will need to truly integrate compliance monitoring and risk management. The system should continually monitor the environment to identify typical states which can then be applied to identify problematic patterns early. Statistic-based predictive modeling will be able to help correlate various alerts. Developing such a system will require real-time behavior analysis innovations, although some of these elements are available today.
  • Automated, risk-based decision systems: A key differentiator of a more intelligent SOC will be its ability to assess risks instantly and vary responses accordingly. Similar to risk-based authentication, the SOC will employ predictive analytics to find high-risk events and then automatically initiate remediation activities. The prospect of dynamic typography is one of the most exciting areas of this type of systems automation for the cloud. To implement an APT, an attacker must understand network mapping and be able to model it. In response to this, organizations can remap their entire network infrastructure to disrupt an attacker’s reconnaissance efforts. This is akin to physically rearranging a city at frequent intervals – and the entire process can be automated so that links between systems stay intact and dependencies are handled without human intervention.
  • Continual improvement through forensic analyses and community learning:Although forensic analysis can be resource-intensive, it is an imperative element of a SOC and key to mitigating the impact of subsequent attacks. Virtualized environments can provide snapshots of the IT environment at the time of the security event providing useful information if detection of the attack was delayed. Having a way to share information about attack patterns will be the future of the SOC. This concept should be embraced in order to exchange threat information within respective industries and better predict the path of the APT and thereby determine countermeasures.

The evolution of the SOC in your enterprise may start in some unconventional places. Who is it in your organization that is responsible for the loss of corporate assets? Who in your company is the one who determines what items are counted as losses to the bottom line? Who does the enterprise look to when the crisis hits and people are looking for answers in minutes, not hours, or days? Who picks up the phone to answer the call from the FBI Field Office?

These may not be the people you think of in the CIO's office or IT department. These people however need to be part of the combined Security Operations Center solution in the company. The Advanced Persistent Threat (APT) now represents the intersection of prudent strategy from the business leadership, the accounting or finance leadership and the risk management leadership. If the CIO is looked upon as the key executive running a "Utility" inside the enterprise, think again.

This blog has discussed the "Corporate Intelligence Unit" this past April 2010 :

Beyond the utilization of threat assessment or management teams, enterprises are going to the next level in creating a "Corporate Intelligence Unit" (CIU). The CIU is providing the "Strategic Insight" framework and assisting the organization in "Achieving a Defensible Standard of Care."

The framework elements that encompass policy, legal, privacy, governance, litigation, security, incidents and safety surround the CIU with effective processes and procedures that provides a push / pull of information flow. Application of the correct tools, software systems and controls adds to the overall milestone of what many corporate risk managers already understand.

The best way in most cases to defend against an insider attack and prevent an insider incident is to continuously help identify the source of the incident, the person(s) responsible and to correlate information on other peers that may have been impacted by the same incident or modus operandi of the subject. "Connecting The Dots" with others in the same company or with industry sector partners increases the overall resilience factor and hardens the vulnerabilities that are all too often being exploited for months if not years.

In retrospect, you can be more effective investigating and collecting evidence in your company to gain a "DecisionAdvantage". To pursue civil or criminal recovery of losses from these insider incidents, you may not go to law enforcement, but it's likely they will come to you once they get a whistle blower report, catch the attacker and/or they have the evidence that you were a victim.

How your organization pulls together the right people to staff and operate your "CIU" is going to depend on your culture, funding and current state of the threat. The shareholders and stakeholders will be asking you about those losses in the Annual Report attributed to fees being paid to thousands if not millions of customers and members for such services as credit report monitoring and ID Theft service alerts.

Here is another thought. A thorough review of the current funding, staffing and strategy of a SOC or CIU in the enterprise may even become another criteria for whether you should engage as a customer or investor.

HBGary announced that it had information about the Anonymous hackers collective. Anonymous supporters hacked into HBGary's network in order to learn what information had been gathered during the investigation. Over 60,000 business emails were extracted and the company's website was defaced. HBGary's leader also had his Twitter account hacked and his personal information exposed. Anonymous supporters claim the attack was to prevent HBGary from selling trivial information to the FBI. The hackers published a 23-page document online and claimed that it was the information HBGary was going to sell. HBGary's email database was also published. Sensitive information about customers may have been exposed.


Information Source:

Databreaches.net


No comments:

Post a Comment