Tuesday, October 7, 2014

Decreasing Incident Response Time...

It seems security incidents are occurring more often, with mild to significant impact on consumers and on organizations such as JP Morgan Chase, Target, and Sony.

Referring to the Verizon Data Breach Report year after year confirms that response times to such incidents are increasing rather than decreasing, and in many cases the root cause is not identified until months after the incident. This can foster a pessimistic view among security teams; however, there are a lot of good things happening in the security space that I want to share with you.

Many organizations have readily invested in effective security technologies and personnel training to improve their security posture and minimize risk. A critical component of the incident response problem is the time spent weeding through all the false alarms generated by various security devices, e.g. firewalls, intrusion prevention systems, security reporting agents, etc. The problem is further exacerbated by the growing speed of networks and by network virtualization: many security tools simply can't process data fast enough in 10G, 40G, or 100G network environments, or simply lack visibility into them.

The good news is that solutions are available to help maintain visibility in such high-speed networks. Such solutions can also correlate network transactions with security alarms to help identify problems faster and decrease incident response times. The key is to integrate loss-less network recording systems with existing security tools through feature-rich application programming interfaces (APIs). The APIs make it possible to automate security-related tasks.

Security automation is key to decreasing incident response time. Imagine being able to automate the retrieval and correlation of network transactions to any security log event aggregated into a SIEM, or mapping packet data to any IPS alarm, or pinpointing application threads that trigger a specific application performance alarm - this is all possible now with high-speed loss-less recording systems and API integration with SIEMs, Firewalls, IPS devices, and Application Performance Monitoring (APM) systems. Yes, I am assuming your organization invested in these solutions...

As a side note, real-time NetFlow generation on dedicated appliances is proving to be a good solution where full packet recording is not an option because of privacy policy conflicts. These appliances provide much better network visibility than legacy NetFlow implementations that rely on sampling, especially in 40G and 100G network environments. NetFlow is coming back in a strong way to give security teams much-needed visibility; NetFlow isn't just for Network Operations anymore.
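To make the automation described above concrete, here is an added example (not code from the original post, and not any vendor's product) of the correlation step: an IPS alarm exported as a line of text is parsed, turned into the time window and BPF filter a packet recorder would be asked for, and matched against NetFlow-style records that overlap that window, in either direction and including the neighbouring connections between the same two hosts. The alarm line format, the flow record layout and the query dictionary keys are assumptions; real SIEM exports and recorder APIs differ, so the parser and the query builder are the pieces you would adapt. The alarm and the flow records are constructed sample data.

```python
"""Correlate an IPS alarm with flow records from a lossless recorder.

Added example. The alarm format (a key=value line), the Flow record layout and
the recorder query keys are assumptions, not any product's real interface.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alarm:
    ts: datetime
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    signature: str


@dataclass(frozen=True)
class Flow:
    start: datetime
    end: datetime
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes: int


def _t(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed alarm line in a simple key=value export format (hypothetical).
ALARM_LINE = ('2014-10-07T14:03:21Z ips sig="constructed-sig-001" proto=tcp '
              'src=10.1.2.3:51234 dst=203.0.113.9:443')

_ALARM_RE = re.compile(
    r'^(?P<ts>\S+) ips sig="(?P<sig>[^"]*)" proto=(?P<proto>\w+) '
    r'src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)$')

# Constructed flow records: the alarm's conversation seen forward and in
# reverse (two exporters), an earlier connection outside the window, a
# same-host-pair connection on another port, and an unrelated DNS lookup.
FLOWS: List[Flow] = [
    Flow(_t("2014-10-07T14:03:19Z"), _t("2014-10-07T14:03:24Z"), "tcp",
         "10.1.2.3", 51234, "203.0.113.9", 443, 18_420),
    Flow(_t("2014-10-07T14:03:19Z"), _t("2014-10-07T14:03:24Z"), "tcp",
         "203.0.113.9", 443, "10.1.2.3", 51234, 2_100),
    Flow(_t("2014-10-07T14:01:50Z"), _t("2014-10-07T14:01:51Z"), "tcp",
         "10.1.2.3", 51200, "203.0.113.9", 443, 900),
    Flow(_t("2014-10-07T14:03:30Z"), _t("2014-10-07T14:03:31Z"), "tcp",
         "10.1.2.3", 51240, "203.0.113.9", 8443, 640),
    Flow(_t("2014-10-07T14:03:21Z"), _t("2014-10-07T14:03:22Z"), "udp",
         "10.1.2.3", 40000, "10.1.2.53", 53, 120),
]


def parse_alarm(line: str) -> Alarm:
    """Parse one exported alarm line into an Alarm; reject anything else."""
    m = _ALARM_RE.match(line)
    if not m:
        raise ValueError("unrecognised alarm line")
    return Alarm(ts=_t(m["ts"]), proto=m["proto"],
                 src_ip=m["sip"], src_port=int(m["sport"]),
                 dst_ip=m["dip"], dst_port=int(m["dport"]),
                 signature=m["sig"])


def build_recorder_query(alarm: Alarm,
                         window: timedelta = timedelta(seconds=30)) -> Dict[str, str]:
    """Turn an alarm into what a packet-recorder API would be asked for: a time
    window around the alarm and a BPF filter that selects the conversation in
    both directions. The key names are assumptions."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return {
        "start": (alarm.ts - window).strftime(fmt),
        "end": (alarm.ts + window).strftime(fmt),
        "bpf": (f"{alarm.proto} and host {alarm.src_ip} and host {alarm.dst_ip} "
                f"and port {alarm.src_port} and port {alarm.dst_port}"),
    }


def _same_conversation(a: Alarm, f: Flow) -> bool:
    """Match the 5-tuple regardless of which direction the exporter recorded."""
    fwd = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
    rev = (f.dst_ip, f.dst_port, f.src_ip, f.src_port)
    return f.proto == a.proto and (a.src_ip, a.src_port, a.dst_ip, a.dst_port) in (fwd, rev)


def correlate(alarm: Alarm, flows: List[Flow],
              window: timedelta = timedelta(seconds=30)) -> Tuple[List[Flow], List[Flow]]:
    """Return (exact, related): flows overlapping the window that are the
    alarm's conversation, and flows between the same two hosts on other ports."""
    lo, hi = alarm.ts - window, alarm.ts + window
    exact, related = [], []
    for f in flows:
        if f.end < lo or f.start > hi:
            continue  # no overlap with the window at all
        if _same_conversation(alarm, f):
            exact.append(f)
        elif {f.src_ip, f.dst_ip} == {alarm.src_ip, alarm.dst_ip}:
            related.append(f)
    return exact, related


def summarize(alarm: Alarm, flows: List[Flow]) -> Dict[str, object]:
    """What an analyst wants attached to the SIEM event: counts, byte volume
    of the conversation, and the ready-made recorder query for the pcap."""
    exact, related = correlate(alarm, flows)
    return {"signature": alarm.signature, "exact_flows": len(exact),
            "related_flows": len(related),
            "bytes_in_conversation": sum(f.bytes for f in exact),
            "recorder_query": build_recorder_query(alarm)}


if __name__ == "__main__":
    print(summarize(parse_alarm(ALARM_LINE), FLOWS))
```

The reverse-direction match matters in practice: exporters on different segments see the same connection from opposite sides, and a correlation keyed only on the alarm's own source/destination order silently drops half the evidence. The same-host-pair bucket is what turns a single alarm into a picture of the surrounding conversation without pulling every packet the recorder holds.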

The bottom line is this: mainstream security products are becoming more open to integration with third-party solutions, and high-speed network recording systems are becoming more affordable. As a result, the security automation described above will become more prevalent among security operations teams as time goes on, and this is a very good thing in my humble opinion.

The security industry as a whole is improving; there is much more collaboration going on now than ever before, and I am seeing significant improvements among hardware and software vendors that make me feel very optimistic about our ability to decrease incident response time moving forward. If you're interested in seeing some of the concepts discussed here in action, drop me a note; I would be glad to set up a conference call and provide a live demonstration...


Stay well,


Boni Bruno