Enterprise Visibility & Security Analytics
Rocky DeStefano, VP of Strategy & Technology

Enterprise Visibility
Context: Systems, Networks, Applications, Account Information. Asset, Threat, Vulnerability, Function, Owner, Criticality.
Speed: Adversaries adjust in seconds, Enterprises in weeks/months.
Flexibility: Authority to change tools, tactics, visibility and to instrument as needed.
Expertise: Security Analysis, System/Network/Memory Forensics, Malware Reversing, Enterprise Architecture.
Process: Standardized, communicated, trained and robust enough to flex when necessary.

Creating and Maintaining a Defensible Enterprise
REFERENCE: VISIBLERISK.COM/BLOG
Enterprise Visibility: All the Data All the Time

The idea that I try to get across is that certain tools like Log Management/SIEM are good but not nearly enough when you are building a true Enterprise Visibility capability within your organization. I'll dig into this much deeper in the next post, but in the end you need the ability to see everything: Logs (Operating Systems, Application, Network, Security), Forensic Data (Host, Network and Memory) and User information, as well as all the context residing throughout your enterprise.

Context: Oh wait, THAT user/system/data was compromised?!
Vulnerability Scan information and Asset Information are fairly common (and very important) examples, but not nearly the end of the resources required to be successful. Having ALL of the information available, immediately, is required. Obviously this information may be key to understanding technical aspects and increasing efficiency, but in many cases it is the key to unlocking the actual impact to the organization. Oftentimes the context is the sole piece of information necessary to understand the Risk the organization actually faces.

Speed: Time to Identification/Remediation
There are three measurements that matter to me: 1. What is the impact, 2. How fast can we detect, and 3. How fast can we respond. Everything else is in the way. Your team needs tools, processes, expertise and authority to analyze and act. Without context and data available you're spending precious time gathering it so it can be analyzed. Without expertise you're wasting time asking others, and without the authority to get all of that ahead of time you're just on the JV team. If the time it takes your adversary to get into your network and extract data is measured in seconds to minutes and your change control window is measured in weeks, who wins?

Flexibility: Adapt and Overcome
Change happens. Eventually. This view must be annihilated if you want to succeed. You may need to dig into data you are uncomfortable with or enter conversations above your pay grade to find what you need. Obstacles are simple delay mechanisms; crush them, and if you cannot break them then go around them. Yep, I'm telling you it is OK to break the rules. If you need to move or adjust your tools to gain better perspective of an active incident, DO IT. Certainly if you can bake that into the process ahead of time it makes it easier, but even if you can't, make the change, beg for forgiveness and then update the policy afterward. Along the same lines, if your security team is solely alert driven you are doomed to fail. Find new ways to conduct analysis with the data you have available or can get (more on this topic soon). You should be updating your tools, processes and expertise on an hourly, or at least daily, basis.

Expertise: Singer, Songwriter, Choreographer, Lawyer, Doctor, Firefighter, Astronaut, Meter Maid, Special Agent, Fashion Designer and Clown
We must have expertise in so many areas: Security Analysis, Incident Response, Forensics, Malware Reversing, Threat Intelligence, Security Architecture, and in soft skills like Advising, Coaching and Mentoring. Plus you have to do it on a training budget of $1500/yr. Great people want to work on great teams. Invest in your team (time, energy and dollars).

Process: Standardized yet Flexible
Our goal is to create a fast, flexible set of processes and information that experts can manage and that brings down the time to identify and remediate incidents. We should be able to execute a game plan without having to write the playbook each time. Everyone involved should know the plan, with authority and responsibilities established and trained against. The norm in response should not be based on Herculean efforts. That said, your plan needs to allow for an audible. A good plan will have everyone's buy-in and trust.

Summary:
I believe these stated goals are realistically attainable, and at the same time I fully understand that all of these require significant investment across the board. The reality of our situation is pretty simple: our adversaries have changed the game. Unless you don't mind all of your information being exposed, indexed and simply common knowledge to the rest of the world, you had better figure out how to move past your checklists and trust in outdated methodologies and move towards allowing your people to do their jobs to the best of their ability. The high-level steps identified in this post go a long way towards positioning your team in that direction. It's a compass, not a GPS.
Logging: Network, Operating System, Application
Forensics: Network, End Point, Memory
Contextual Information: Asset Information, Business Function, Vulnerability, Criticality, Correlations
Personality: User, Admins, Service Accounts
Intelligence: Behaviors
Complete Enterprise Visibility
Our goal is to create a structure where information is available, people are enabled and identification is more accurate and response times are faster.
The good news is that not ALL of your previous security investments are completely useless. You can usually make the best of those tools (unless it's AV, can't help you there). Sure, the tools provided by companies like ArcSight, Splunk, NitroSecurity, AlienVault, NetWitness and Mandiant are all awesome at what they do, but without a truly complete set of information we're still completely lost when it comes to dealing with today's adversaries.
In order to be effective in your detection and response program you must be able to apply a microscope, magnifying glass, telescope and binoculars against the data within your enterprise at will. In order to do that you have to have the right tools and the right data. In my mind incomplete data is roughly equivalent to no data, and in some cases may actually be even worse. (More on that topic in the next post - Perspective.)

There is a real need for a more holistic approach incorporating all data across the enterprise and using tools like Log Management, SIEM, Full Packet Capture and Forensic Tools. The illustration above broadly describes what VisibleRisk means by Enterprise Visibility. Context is our foundation, and tools feed information from the perspective of the Host, Application and Network as well as the User and Forensic Data, so that the Analyst has all of the information available at any given time and no time is lost seeking it out. The Analyst can be flexible, Hunt, and create their own indicators. The goals of this Enterprise Visibility program are summed up in three simple points:
1. Understanding Impact
2. Reducing time to Identification
3. Reducing time to Remediation

Without all of the relevant information your time to identify the incident, understand the impact to your business and respond is unnecessarily increased. Affirmative or negative, each data point helps complete the picture so that you're not filling in the gaps with guesses and responding inappropriately. The faster the data is available, the faster it can be analyzed and escalated and eventually the root cause can be remedied. Every impediment to getting this information should be seen as an obstacle to the three stated goals and removed immediately.

Moving beyond what should already be accomplished, the next steps once you have true Enterprise Visibility are around actually digging into the data beyond what is alerted on, to seek out new detection techniques and implement those indicators across the data set to look for more advanced attacks. Your team should be spending the majority of their time doing this sort of analysis, not looking for data that already exists. In reality it is very few and far between that we find teams outside of the DIB or Financial Sector that are doing this on a consistent basis. That is simply unacceptable and a waste of resources across the board.
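As an added example (not code from the original deck or from VisibleRisk), the Python below joins bare alerts with constructed asset and account context to score impact, the way the "Contextual Information" and "Personality" layers above are meant to feed triage, and computes the two speed measurements from the post, time to identification and time to remediation. Every host, account, criticality and vulnerability count here is made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed context tables standing in for the slide's "Contextual Information"
# and "Personality" layers; every host, account and value here is made up.
ASSETS = {
    "db-01": {"function": "payments", "criticality": 5, "owner": "finance-it", "open_vulns": 2},
    "kiosk-07": {"function": "lobby kiosk", "criticality": 1, "owner": "facilities", "open_vulns": 0},
}
ACCOUNT_TYPES = {"root": "admin", "svc_backup": "service", "jdoe": "user"}
ACCOUNT_WEIGHT = {"admin": 3, "service": 2, "user": 1, "unknown": 1}  # admin compromise weighs most

@dataclass
class Alert:
    host: str
    account: str
    first_event: datetime            # earliest related event found in the logs
    detected: datetime               # when a tool or analyst flagged it
    remediated: Optional[datetime] = None

def enrich(alert: Alert) -> dict:
    """Join a bare alert with asset and account context and score its impact.
    A host missing from the inventory scores 0 and is labelled UNKNOWN, so the
    visibility gap itself shows up in triage instead of being guessed at."""
    asset = ASSETS.get(alert.host, {"function": "UNKNOWN", "criticality": 0,
                                    "owner": "UNKNOWN", "open_vulns": 0})
    acct_type = ACCOUNT_TYPES.get(alert.account, "unknown")
    impact = asset["criticality"] * ACCOUNT_WEIGHT[acct_type] * (1 + asset["open_vulns"])
    return {"host": alert.host, "account": alert.account, "account_type": acct_type,
            "function": asset["function"], "owner": asset["owner"], "impact": impact}

def triage(alerts: List[Alert]) -> List[dict]:
    """Order alerts by contextual impact rather than by arrival order."""
    return sorted((enrich(a) for a in alerts), key=lambda e: e["impact"], reverse=True)

def response_metrics(alert: Alert) -> dict:
    """Time to identification and time to remediation, in minutes (None if still open)."""
    tti = (alert.detected - alert.first_event) / timedelta(minutes=1)
    ttr = None if alert.remediated is None else (alert.remediated - alert.detected) / timedelta(minutes=1)
    return {"time_to_identification_min": tti, "time_to_remediation_min": ttr}

def sample_alerts() -> List[Alert]:
    """Three constructed alerts: a low-value kiosk, a critical DB host, an uninventoried host."""
    t0 = datetime(2024, 1, 1, 8, 0)
    return [Alert("kiosk-07", "jdoe", t0, t0 + timedelta(minutes=5)),
            Alert("db-01", "root", t0, t0 + timedelta(hours=3), t0 + timedelta(hours=4)),
            Alert("web-99", "svc_backup", t0, t0 + timedelta(minutes=30))]
```

Running `triage(sample_alerts())` puts the critical database host first and surfaces the uninventoried host as an UNKNOWN entry, which is exactly the context gap the post says should be removed rather than guessed around.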
Click Security
Security Intelligence Maturity Model
Thank you