This was originally published in October 2011 on q1labs.com (which has been integrated into ibm.com and securityintelligence.com).
This is part 4 of an ongoing series of posts that answer “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask.”
With a firm understanding of Security Intelligence (SI) in hand, let’s review the benefits organizations are gaining from their SI deployments. Here are several real-world examples:
Like it or not, regulatory compliance – for PCI DSS, HIPAA, NERC CIP, SOX and many others – is a major driver of IT security initiatives. Although compliance doesn’t guarantee a secure environment, compliance will always get attention and budget because of the potential penalties for failure. Complying with relevant mandates is just the start of enhancing one’s security posture, but it’s an important first step. Security Intelligence aids both regulatory and internal policy compliance by logging and proactively monitoring diverse information across the enterprise in real time, providing accountability, transparency and measurability. It delivers practical value through automated reporting and easy searching of logs, events, network flows and much more.
David Blackburn of California ISO, the electrical grid operator for 80 percent of California, noted in a recent webcast, “Compliance was the chief driver in our purchasing a SIEM [solution]. We have many tools that monitor and analyze, but there was no centralized logging capability that [could] analyze those logs and give us good information quickly.” Hear more about how California ISO uses Security Intelligence for NERC CIP compliance in this video.
Faster Detection and Remediation of Threats
In the multi-perimeter world, focusing solely on prevention is a noble but losing proposition. Boundaries are porous – think mobile computing, social media and cloud computing – and there’s a heightened risk of insider theft, leading to what Forrester calls a “zero-trust” environment. Security Intelligence solutions address this reality by helping businesses detect and remediate breaches faster. They have become adept at finding the needle in the haystack by correlating massive data volumes in real time. This includes events from network and security devices, servers, applications and directory servers; network activity flows with Layer 7 visibility; asset information; configuration data; vulnerability information; and more. (If you think SIEM solutions have already been doing this for years, think again.) SI solutions also aid in remediation by identifying which assets and users were potentially affected by a compromise, and by capturing application content for forensic activities.
Adobe Systems senior network security manager Leon Fong discusses the benefits Adobe received from Security Intelligence in this video. He explains that QRadar detected threats other security products missed:
Within 2 months [of deploying the solution], the Conficker worm started hitting our network. I noticed that we were getting a lot of heavy TCP port 445 traffic being denied by our firewalls. The next day, the traffic grew 10-fold. I had to notify our antivirus team that this needed to be looked into. Soon after, McAfee sent a note of this worm being prevalent. In this case, the SIEM solution [QRadar] found the problem before McAfee was able to.
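As an added illustration of the pattern Fong describes (this is not code from the post or from QRadar), the following script counts firewall-denied TCP/445 connection attempts per day over a constructed sample log and flags a day-over-day jump; the log line format, the 10x growth factor and the minimum count are assumptions chosen for the example.

```python
"""Flag a day-over-day spike in firewall-denied TCP/445 (SMB) traffic.

Added example. The "date src dst proto dport action" line format and the
thresholds are assumptions, not a real firewall or SIEM format.
"""
import re
from collections import defaultdict

# Assumed log layout: date, source IP, destination IP, protocol, dport, action.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (tcp|udp) (\d+) (ALLOW|DENY)$")

# Constructed sample: day 1 has 3 denies from 2 hosts; day 2 has 30 denies
# from 5 hosts. The UDP/445 and TCP/443 lines are noise that must be ignored.
DAY1 = [f"2011-09-01 10.1.4.2{i % 2} 10.1.9.{i} tcp 445 DENY" for i in range(3)]
NOISE = [
    "2011-09-01 10.1.4.21 203.0.113.9 tcp 443 ALLOW",
    "2011-09-02 10.1.4.22 10.1.9.5 udp 445 DENY",
]
DAY2 = [f"2011-09-02 10.1.4.{30 + i % 5} 10.1.9.{100 + i} tcp 445 DENY"
        for i in range(30)]
SAMPLE_LINES = DAY1 + NOISE + DAY2


def count_smb_denies(lines):
    """Return {date: [deny_count, set_of_source_ips]} for denied TCP/445."""
    per_day = defaultdict(lambda: [0, set()])
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        date, src, _dst, proto, dport, action = m.groups()
        if proto == "tcp" and dport == "445" and action == "DENY":
            per_day[date][0] += 1
            per_day[date][1].add(src)
    return per_day


def spike_alerts(lines, growth=10.0, min_count=20):
    """Return (date, previous_count, current_count, distinct_sources) for each
    day whose TCP/445 denies grew at least `growth`-fold and exceed `min_count`.
    The floor keeps a jump from 1 to 10 denies from raising an alert."""
    counts = count_smb_denies(lines)
    days = sorted(counts)
    alerts = []
    for prev, cur in zip(days, days[1:]):
        before, now = counts[prev][0], counts[cur][0]
        if now >= min_count and now >= growth * max(before, 1):
            alerts.append((cur, before, now, len(counts[cur][1])))
    return alerts


if __name__ == "__main__":
    for date, before, now, hosts in spike_alerts(SAMPLE_LINES):
        print(f"{date}: TCP/445 denies {before} -> {now} from {hosts} hosts")
```

The distinct-source count is what separates a single misconfigured host from something spreading laterally, which is the situation the quote describes.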
Reduction of Insider Fraud, Theft and Data Leakage
External attacks garner most of the headlines, but insider threats can be even more damaging – compromising invaluable intellectual property and even jeopardizing national security. We’re all familiar with WikiLeaks, but few organizations have come to grips with the true risk of insider threats. Would you know if an employee was sending key product plans to a competitor, anonymously publishing confidential information, or accessing financial information that could be used for insider trading? With Security Intelligence solutions, organizations can identify and mitigate those insider threats and many more, by detecting the following:
- Unauthorized application access or usage
- Data loss such as sensitive data being transmitted to unauthorized destinations
- VoIP toll fraud
- Application configuration issues such as privileged access exceptions
- Application performance issues such as loss of service or over-usage
A multi-billion-dollar branded consumer products firm recently used its SI solution to detect an attempted data exfiltration by a trusted employee for financial gain. The company’s executives suspected its intellectual property was being leaked but couldn’t identify the source. When they applied flow-based network activity monitoring to the situation, they were able to quickly track down the data leakage and stop the employee. With application content capture (via Deep Packet Inspection or DPI), they could even drill down and view the specific emails sent by the employee through his personal email account to the third party. This prevented the problem from snowballing and potentially causing millions of dollars in damage to the firm.
Pre-Exploit Risk Reduction
Sure, I just finished explaining how you can’t focus only on threat prevention in a multi-perimeter, zero-trust world. But that doesn’t mean you have to give up on prevention either. No one is ripping out all their firewalls or IDS/IPS products. Likewise, you shouldn’t overlook some of the more cutting-edge approaches to pre-exploit risk reduction. Three ways SI solutions are helping customers prevent compromises today are by:
- Automatically monitoring device configurations (e.g., firewalls) and alerting on policy violations
- Prioritizing the multitude of vulnerabilities reported by vulnerability scanners
- Performing predictive threat modeling and simulation of network changes
These may sound familiar, but modern SI solutions surpass yesterday’s point products by applying greater intelligence to a broader set of inputs. Network activity flows, for example, provide a more complete view of the effectiveness of security device rules than configuration data by itself. As a colleague wrote, “[Configuration data alone can] miss situations where a configuration is thought to be adequate but for some reason still allows potentially risky network traffic to propagate.” Similarly, knowledge of network topologies can “minimize false positives common among vulnerability scanners and … [prioritize vulnerabilities] that can be easily exposed because of the way the network is configured.”
A major electric energy transmission company uses QRadar Risk Manager to perform centralized device configuration monitoring and auditing, thus reducing the risk of security breaches. Because the solution monitors multiple vendors’ security products and uses flow analytics (QRadar QFlow) to paint a rich picture of exposures, the company believes it has significantly strengthened its security and risk posture. The fact that its risk management capability is part of a broader Security Intelligence solution also reduces training and staffing requirements.
Simplified Operations and Reduction of Effort
Lastly, SI solutions are applying intelligent automation to simplify security operations and reduce the burden on security and network professionals. IANS published a study of the Return on Security (ROS) achieved by two large customers, and the findings were compelling. In addition to estimated risk reduction benefits of $13.5 million, the objective benefits (net of all solution costs) were estimated at $550,000. These stem from greater efficiencies and elimination of tedious manual tasks. Again, these were the benefits reported by the customers based on actual experience. The full report can be accessed here.
How do these benefits compare to what you’ve received from security solutions? We welcome comments about your own real-world experiences.