Moving From Logging, to Learning, to Winning

An organization needs security incident and event management (SIEM) and security analytics to effectively defend against cyber threats. Without these tools, most organizations will not detect breaches until it is too late. There are common reasons why security analytics projects fail, including thinking that collecting more data alone will solve problems, having the wrong combination of staff and technologies, and failing to customize analytics for the specific environment. Customization, the right team structure and training, and choosing analytics tools appropriately are keys to success.


May 2016

INSIDE

Surviving Without a Security Incident and Event Management Product (Page 2)
Four Reasons Why Security Analytics Projects Fail (Page 5)
An Action Plan for a More Analytics-Driven, Intelligent SOC (Page 9)

Moving From Logging, to Learning, to Winning

SPONSORED BY

Surviving Without a Security Incident and Event Management Product

You can't protect your organization effectively without one.

The breadth and diversity of a modern IT infrastructure presents a huge attack surface for security teams to defend. Given the constant stream of data breaches, most IT departments are clearly struggling to protect systems and data against well-funded and determined attackers. In addition, an overreliance on outdated security practices and technologies is leaving many security operations centers (SOCs) struggling in the war against cybercrime. To thrive or even survive in this threat landscape, organizations need to look beyond prevention technologies.
Page 2 | UBM Tech | April 2016

Patching is a good example of an essential security control that's only partially effective. Because of the sheer number of patches that need to be installed across different devices and applications, there will always be a vulnerability somewhere that can be exploited. According to Hewlett Packard Enterprise's annual Cyber Risk Report, the No. 1 most exploited vulnerability in 2015 was first discovered more than five years ago. It was also the most exploited vulnerability in 2014, despite having been patched twice by the vendor. Technologies such as firewalls, anti-virus, and email filters are never going to be 100% effective at preventing the exploitation of unpatched vulnerabilities because cybercriminals are creating new malware and attack techniques faster than endpoint security solutions can be updated; there were more than 10,000 new threats discovered every day last year on the Android platform. Basing a security strategy solely on perimeter and prevention technologies, which recognize only known attacks, when operating systems and applications are so vulnerable and humans so susceptible to scams and phishing campaigns, is why hackers still routinely compromise even the most heavily fortified networks.
Logging Doesn't Equal Security

Major compliance regulations such as HIPAA, SOX, and PCI and standards such as ISO/IEC 27002 require information about access and actions of users to be logged, but unless this data is proactively used, it does little to improve security. Many organizations treat their event log data like a plane's black box flight data, using it only for post-incident analysis to investigate a security breach. This may be why Trustwave's 2015 Global Security Report found that 81% of compromised victims did not detect a breach themselves. A targeted attack is not a one-off strike but an ongoing process, and log data must be constantly analyzed if it's meant to provide security when perimeter and application defenses fail. This requires using more than just a basic log management system.

Alert Overload

Today's threat actors are agile and will quickly adapt their tactics to avoid detection by simple threshold limits and poorly tuned rules. These simple rules may catch the inept intruder but can actually hamper security teams by overloading them with alarms for indicators that are more nuisance than directed threat. A Ponemon Institute report, The Cost of Malware Containment, sponsored by Damballa, January 2015, estimated that the average enterprise could get 17,000 malware alerts a week, creating a situation where many alerts are overlooked or ignored. The Target breach is a good example of this problem. Its ArcSight SIEM solution actually did find the threat and produced an alert, but the security team didn't act on it because it was just one of too many.

Without a security incident and event management (SIEM) product capable of collecting, aggregating, correlating, analyzing and prioritizing large amounts of data at scale, there's no chance of discovering whether an organization is being attacked or has been compromised until it's too late. A SIEM can pull security telemetry together in one place so that a much broader set of data can be correlated and analyzed, bringing situational awareness to security events. This makes anomaly-detection techniques more effective, enabling the events that pose the greatest harm to an organization to be found and prioritized with greater accuracy.

What About Security Analytics?

Analysis turns log data into threat intelligence.

Unfortunately, when the technique of big data security analytics was introduced, it arrived amidst a lot of hype about its ability to stop attacks before they even started. This led some to believe that it was a simple process of funneling as much log data as possible into a data repository and waiting for the game-changing insights to materialize. But a SIEM is not a plug-and-play technology, and using security analytics requires more than just the power to crunch numbers

Your hardworking, junior database administrator usually gets to work about 8:30 a.m., swiping his ID card to pass through the turnstiles in the main foyer. By lunchtime, he's normally generated about four reports covering the previous day's sales activities. Today, he's logged onto the network and has run queries against the database for six reports. A threshold alert is triggered and put on the to-do list; surely, he's just working hard.

Without automatic, real-time correlation of events collected from across the IT environment, it will be too late by the time anyone realizes that your administrator hasn't passed through the main foyer today and therefore the queries against the database are suspicious and potentially harmful. For a real-life example, we need look no further than Anthem's failure to analyze and cross-reference its database traffic. This allowed the attackers to remain unnoticed for many months, even though they were submitting database queries remotely to obtain the personally identifiable information (PII) records.
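The sidebar's scenario as a worked correlation rule, added here as an illustration; it is not code from the report or from any SIEM product. The badge-reader and database audit logs are constructed, the four-reports-a-day baseline is taken from the sidebar and treated as a fixed threshold, and the user names are made up. The threshold rule on its own produces the low-priority "working hard" alert; joining the two logs is what turns the second day into a high-priority finding.

```python
from collections import Counter

# Constructed sample logs (not from the report). Badge-reader log: (day, user).
BADGE_LOG = [
    ("2016-05-10", "dba_junior"),
    ("2016-05-10", "dba_senior"),
    ("2016-05-11", "dba_senior"),   # dba_junior never passes the turnstile on 05-11
]

# Constructed database audit log: (day, user, report queried).
DB_AUDIT_LOG = [
    ("2016-05-10", "dba_junior", "sales_daily"),
    ("2016-05-10", "dba_junior", "sales_by_region"),
    ("2016-05-10", "dba_junior", "sales_returns"),
    ("2016-05-10", "dba_junior", "sales_margin"),
    ("2016-05-10", "dba_senior", "sales_daily"),
    ("2016-05-10", "dba_senior", "sales_by_region"),
    ("2016-05-10", "dba_senior", "sales_returns"),
    ("2016-05-10", "dba_senior", "sales_margin"),
    ("2016-05-10", "dba_senior", "quarter_close"),
    ("2016-05-11", "dba_junior", "sales_daily"),
    ("2016-05-11", "dba_junior", "sales_by_region"),
    ("2016-05-11", "dba_junior", "sales_returns"),
    ("2016-05-11", "dba_junior", "sales_margin"),
    ("2016-05-11", "dba_junior", "customer_pii_export"),
    ("2016-05-11", "dba_junior", "customer_pii_export"),
    ("2016-05-11", "dba_senior", "sales_daily"),
]

# The sidebar's baseline of about four reports a day, assumed here as a flat threshold.
NORMAL_REPORTS_PER_DAY = 4


def query_counts(db_log):
    """Number of report queries per (day, user)."""
    return Counter((day, user) for day, user, _ in db_log)


def threshold_alerts(db_log, baseline=NORMAL_REPORTS_PER_DAY):
    """Threshold rule on its own: flag any (day, user) with more report queries
    than the baseline. This is the 'surely he's just working hard' alert that
    ends up on a to-do list alongside thousands of others."""
    return {key: n for key, n in query_counts(db_log).items() if n > baseline}


def correlate_badge_and_db(db_log, badge_log):
    """Correlation rule: (day, user) pairs with database activity but no badge
    swipe that day. Physical-access and database logs come from different
    systems, so only a platform that holds both can evaluate this."""
    present = set(badge_log)
    active = {(day, user) for day, user, _ in db_log}
    return active - present


def prioritized_alerts(db_log, badge_log):
    """Combine both rules into one list with the correlated finding on top.
    high: database activity with no badge swipe, whatever the volume
    low : above-baseline volume from someone who did badge in"""
    counts = query_counts(db_log)
    over = threshold_alerts(db_log)
    absent = correlate_badge_and_db(db_log, badge_log)
    alerts = []
    for day, user in over.keys() | absent:
        if (day, user) in absent:
            alerts.append({"day": day, "user": user, "priority": "high",
                           "reason": f"{counts[(day, user)]} DB queries, no badge swipe"})
        else:
            alerts.append({"day": day, "user": user, "priority": "low",
                           "reason": f"{over[(day, user)]} report queries vs baseline {NORMAL_REPORTS_PER_DAY}"})
    # High-priority findings first, then by day and user for a stable order.
    alerts.sort(key=lambda a: (a["priority"] != "high", a["day"], a["user"]))
    return alerts


if __name__ == "__main__":
    for alert in prioritized_alerts(DB_AUDIT_LOG, BADGE_LOG):
        print(alert["priority"].upper(), alert["day"], alert["user"], alert["reason"])
```

Run stand-alone, the senior DBA's five reports on 05-10 come out as a low-priority volume alert, while the junior DBA's six queries on 05-11 are ranked high not because of the count but because the turnstile log has no swipe for him that day. The point the sidebar makes is in the join: neither log is alarming by itself.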

Four Reasons Why Security Analytics Products Fail

A SIEM and a SOC aren't enough.

Any organization trying to protect its IT infrastructures without some form of security incident and event management (SIEM) product is the next data breach waiting to happen. However, organizations with a SIEM often fail to make the most of it because they don't utilize the power of security analytics to transform their security efforts. Based on insights into various failed or struggling projects, four major pitfalls need to be avoided to make sure the investment, time spent, and effort yield real results.

Reason 1:
Thinking big data solves the problem

Big data is no longer just hype. Industries, particularly financial services, have greatly benefited from it, but one shouldn't make the mistake of assuming more data and more technology will defeat today's cybercriminals. Without proper planning, big data analytics can create a false sense of security and possibly even hinder security operations. It's fine to use default vendor detection profiles as a starting point, but without customization they will address only a basic set of use cases. Project schedules and budgets need to take this into account, as well as the fact that everyone will be on a steep learning curve. Even solutions that use proprietary algorithms or threat intelligence sources require dedicated data scientists to ask the right questions and recognize the patterns that point to a potential threat. Finally, without executive sponsorship, internal politics can restrict access to important data sets that are necessary for creating a truly holistic view of the IT environment.

Why Security Analytics Projects Fail

• No executive sponsorship
• Poorly defined or vague objectives
• Lack of specialists
• Out-of-date threat models
• Little customization to specific environment
• Wrong choice of analytics tools
• Data not fully explored
• No metrics to measure what's working
• Strategies are slow to evolve and adapt

Reason 2:
A poor combination of people and technology

A handful of people can't be expected to have all the skills needed to run a successful analytics program, and most security operations centers (SOCs) are understaffed compared to the continued professionalization of the attacker community they're up against and the quantity of incidents. Without the correct team structure and training, most adversaries will have an overwhelming advantage. They'll have a more advanced set of skills, greater motivation and sense of purpose, and even likely know more about the environment they're attacking than the people trying to defend it do. Poor communication, collaboration, and interaction can also quickly frustrate any new project, particularly if the security analytics tools aren't up to the job. A solution that can prioritize alerts is essential so people know which threats need their attention first.

Some products don't provide enough in-depth visibility or can't handle the needed scope and scale of data collection and real-time processing requirements. Organizations often fail to choose the most appropriate security analytics technology because they leave the evaluation and selection entirely up to the IT team. This decision needs input from the entire SOC: security specialists, network architect specialists, data scientists, forensics, and so on, to select a product that can meet everyone's needs.

The longer your enemy stays hidden, the more damage it does.

The median number of days an organization was compromised in 2015 before the organization discovered the breach (or was notified about the breach) was 146. [1]

In one extreme case, Mandiant said, a client that it had worked with in 2014 had unknowingly been breached for more than eight years. [1]

The total financial losses caused by the Carbanak cybergang could be as high as $1bn. Each bank robbery took two to four months, from infecting the first computer to cashing the money out. [2]

The design of the point-of-sale malware ModPOS focused on avoiding detection, which allowed it to remain undetected for at least 18 months, stealing millions of credit card details. [3]

The Darkhotel espionage campaign used the Wi-Fi in luxury hotels to steal data from guests for several years before being discovered. [4]

Between Thanksgiving and Christmas of 2013, hackers potentially gained access to some 40 million Target customer credit cards. Target estimates it has already paid $252 million to manage the breach. [5]

5.6 million people's fingerprints were compromised in the United States Office of Personnel Management breach. It's believed the breach occurred in December 2014 but was not spotted until April 2015. [6]

[1] M-Trends 2016, Mandiant, a FireEye Company; [2] Carbanak APT, The Great Bank Robbery report, Kaspersky Lab, February 2015; [3] ModPOS Malware Disclosure Report, iSIGHT Partners, November 2015; [4] Kaspersky Lab, November 2014; [5] Kaspersky Lab, November 2014; [6] Frequently Asked Questions: OPM Data Breach report, Department of the Navy, December 2015

Reason 3:
Looking the wrong way

Security analytics is about searching through gigabytes of noise to find the critical 1% of activities that threaten your organization. An essential exercise to figure out where to concentrate efforts is threat modeling based on business drivers. With the ever-changing nature of both cyberwarfare and network infrastructures, this exercise should be carried out on a regular basis to keep research focused in the right direction, yet it rarely is. SOCs begin missing, or are unaware of, the indicators of compromise and data points of real importance, leaving attackers with far too much time to operate unobserved. Without clearly defined objectives, those involved in security analytics will also invariably find themselves beneath a pile of inappropriate requests or misdirected tasks, further limiting the effectiveness and maturity of the operation.

Reason 4:
Your maturity model doesn't match the threats

Traditional security controls such as firewalls, AV, secure Web gateways, and IDS/IPS are no longer sufficient to protect against advanced persistent threat (APT)-type attacks. John W. Pirc, co-author of Blackhatonomics, calls these products Tier 1, and although they are still needed, he argues that Tier 2 technologies such as data loss prevention (DLP), network and desktop forensics, and behavior-based event analysis are essential to combating cybercrime. However, organizations tend to deploy Tier 2 defenses only after a breach has occurred, not before.

Defensive strategies need to be continually reviewed and upgraded to defeat those who are working harder and smarter, and are leveraging new technologies such as cloud computing more effectively to compromise your systems. Visa's fraud detection system is a good example of the need to continually question whether existing security strategies are still effective and efficient at detecting targeted threat activity. Visa now looks at up to 500 unique risk attributes of a card transaction to check for fraud. This compares to the 40 it could handle before it upgraded its fraud detection system in 2013. Security decisions are no longer based on average fraud rates for merchant categories, but are now based on individual merchant terminals. Detection rates have increased, but the fact that card fraud still occurs shows just how important it is to constantly keep improving.

Never has the ISO/IEC 27001 approach to sustainable security and continuous improvement of Plan-Do-Check-Act been more pertinent. Sadly, the check and act steps are often neglected. For example, when did you last ask the following questions:

• Are our logs rolled over too quickly?
• Are they all usable and accessible by our SIEM?
• Are our network topology and data flow diagrams complete and accurate?
• What are the gaps between time to detect, time to confirm, and time to respond, and are the gaps being reduced?

If you're not sure of or happy with the answers, your security analytics project is nowhere near close to delivering improved threat-detection capabilities. Remember, you have to work harder than your enemies if you want to beat them.
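The two measurable questions in that list ("Are our logs rolled over too quickly?", "are the gaps being reduced?") as a small Check-and-Act script, added here as an illustration and not taken from the report. The log-source inventory and the incident timelines are constructed; the 146-day median dwell time that retention is compared against is the Mandiant figure cited earlier on this page.

```python
from datetime import datetime
from statistics import median

# The report cites Mandiant's figure for 2015: a median of 146 days between
# compromise and discovery. Logs that roll over sooner than that cannot cover
# a median-length intrusion end to end.
MEDIAN_DWELL_DAYS = 146

# Constructed inventory of log sources (not from the report): retention in
# days and whether the SIEM actually ingests the source.
LOG_SOURCES = [
    {"name": "domain-controllers", "retention_days": 365, "in_siem": True},
    {"name": "badge-readers",      "retention_days": 30,  "in_siem": False},
    {"name": "db-audit",           "retention_days": 90,  "in_siem": True},
    {"name": "web-proxy",          "retention_days": 400, "in_siem": True},
    {"name": "vpn-gateway",        "retention_days": 14,  "in_siem": True},
]

# Constructed incident timelines (not from the report) for two review periods:
# when the intrusion began, when an alert fired, when an analyst confirmed it,
# and when containment was complete.
INCIDENTS = [
    {"id": "INC-01", "period": "Q1", "compromised": "2016-01-04T09:00",
     "detected": "2016-01-19T09:00", "confirmed": "2016-01-21T09:00", "responded": "2016-01-25T09:00"},
    {"id": "INC-02", "period": "Q1", "compromised": "2016-02-01T09:00",
     "detected": "2016-02-22T09:00", "confirmed": "2016-02-23T09:00", "responded": "2016-02-28T09:00"},
    {"id": "INC-03", "period": "Q2", "compromised": "2016-04-05T09:00",
     "detected": "2016-04-12T09:00", "confirmed": "2016-04-13T09:00", "responded": "2016-04-19T09:00"},
    {"id": "INC-04", "period": "Q2", "compromised": "2016-05-02T09:00",
     "detected": "2016-05-07T09:00", "confirmed": "2016-05-09T09:00", "responded": "2016-05-14T09:00"},
]


def retention_gaps(sources, dwell_days=MEDIAN_DWELL_DAYS):
    """Check: which sources roll over before a median-length intrusion would be
    found, and which are not available to the SIEM at all."""
    return {
        "rolled_over_too_quickly": sorted(s["name"] for s in sources if s["retention_days"] < dwell_days),
        "not_in_siem": sorted(s["name"] for s in sources if not s["in_siem"]),
    }


def _hours(start, end):
    """Elapsed hours between two ISO-style timestamps."""
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 3600


def gap_medians(incidents, period):
    """Median hours in one period for each gap the report asks about:
    compromise to detection, detection to confirmation, confirmation to response."""
    rows = [i for i in incidents if i["period"] == period]
    return {
        "detect":  median(_hours(i["compromised"], i["detected"]) for i in rows),
        "confirm": median(_hours(i["detected"], i["confirmed"]) for i in rows),
        "respond": median(_hours(i["confirmed"], i["responded"]) for i in rows),
    }


def gaps_reducing(incidents, earlier, later):
    """Act: for each gap, did the median shrink from the earlier period to the later one?"""
    before, after = gap_medians(incidents, earlier), gap_medians(incidents, later)
    return {gap: after[gap] < before[gap] for gap in before}


if __name__ == "__main__":
    print(retention_gaps(LOG_SOURCES))
    print(gap_medians(INCIDENTS, "Q1"), gap_medians(INCIDENTS, "Q2"))
    print(gaps_reducing(INCIDENTS, "Q1", "Q2"))
```

On the constructed data, three of five sources roll over inside the median dwell time and one is not in the SIEM at all, so an investigation into a median-length intrusion would start with badge, VPN and database history already gone. The period comparison shows time to detect falling while time to respond grows, which is exactly the kind of result the "check" step surfaces and the "act" step has to address.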

An Action Plan for a More Analytics-Driven Intelligent SOC

To counter today's and tomorrow's threats, you need to find both the known and unknown.

Your security operations center (SOC) needs to work smarter than your opponents. It has to produce better intelligence gathered from analysis that probes for a deeper understanding of what is happening on the network. Advanced persistent threats (APTs), for example, operate in a low-and-slow mode, and to detect them, analysts need to query correlated current and historical network activity.

Gartner positions HPE ArcSight as a leader in security information and event


management for its ability to execute and completeness of vision. ArcSight is
a comprehensive threat detection, response, and compliance management
platform that helps security analysts and security operations center (SOC)
teams respond faster to true threats. ArcSight detects and points analysts
to the real threats, in real time: Threats are automatically prioritized and
identified, to avoid the excessive costs, complexity and extra work associated
with chasing down false positives. Unlike other products that require custom
scripting and custom development, and additional hardware expenditures,
ArcSight cost-effectively accelerates a smooth workflow from real-time
correlation to threat investigation to advanced threat hunting. ArcSight
powers the analytics-driven intelligent SOC.


A Solid Foundation

For security analytics to truly turn the tables on your attackers, it's important to establish the right environment for your SOC. There needs to be a clear mandate and defined scope, metrics to measure success, and C-level sponsorship. To improve the accuracy of threat identification and gain insights into business risks, the net has to be cast wider and deeper. Information has to be pulled into a security-oriented SIEM from every possible data set: mobile, Web, social media, closed-circuit television (CCTV), and so on. This links security devices and controls so they have to be defeated as a whole, rather than serially. Threat intelligence feeds can help, but the intel needs to be relevant and up-to-date; otherwise, it just becomes a distraction.

A SOC team needs a wide range of skills and personalities, plus the ability to work closely together under pressure. While well-documented processes need to be in place to help reduce the stress of dealing with a live incident, a SOC team should also be empowered to challenge each other's assumptions (target fixation and mirror imaging can misdirect efforts) and have the ability to make real-time, experience-based decisions beyond computer-generated alerts.
An Informed and Responsive Frontline

To close the gaps between network event, detection, and response, automated responses, such as scripts to update security devices, need to run as soon as a threat is identified. Frontline analysts should also have the ability to take immediate action, such as place a temporary block on a suspicious IP or reroute unusual traffic for further analysis, before handing over the details to the incident response team for further investigation. They should also look to incorporate analytical tools into incident-management processes wherever possible, and use the visualization features to help analysts interpret query results more quickly. Apply the threat intelligence from analyzing an attack's source, delivery system, and payload to run searches for related attack fingerprints to block similar attacks. A security analytics program doesn't mean that point defense technologies such as firewalls and antivirus are no longer relevant. Not only do they provide a layer of defense, but analyzing what these devices are blocking can reveal issues that need deeper investigation.
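One way to do that analysis, added here as an illustration rather than anything from the report or from ArcSight: a few lines of Python that take weekly counts of blocked events per category (constructed sample data) and flag any category whose blocks have gone flat while similar categories keep rising. A control that stops seeing more of something while its neighbours see more and more of it is one of the "issues that need deeper investigation", since the likeliest explanations are that the activity moved somewhere the control no longer sees it or that the feed behind the control went stale. The two-percent-per-week flat band and the three-week window are assumed tuning values.

```python
# Constructed weekly counts of events blocked by perimeter devices, oldest
# week first (not from the report). Six weeks per event type.
WEEKLY_BLOCKS = {
    "phishing-url":     [120, 150, 190, 240, 300, 370],
    "malware-download": [80, 95, 115, 140, 170, 205],
    "c2-beacon":        [20, 40, 55, 60, 61, 60],   # climbed, then went flat
    "port-scan":        [500, 480, 470, 455, 440, 420],
}

FLAT_PCT_PER_WEEK = 2.0   # assumed band within which a trend counts as flat


def trend_per_week(series):
    """Least-squares slope of the series, expressed as a percentage of its
    mean per week, so categories of very different volume are comparable."""
    n = len(series)
    x_mean = (n - 1) / 2
    y_mean = sum(series) / n
    num = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(series))
    den = sum((x - x_mean) ** 2 for x in range(n))
    return (num / den) / y_mean * 100


def classify_trends(weekly, window=3, flat_pct=FLAT_PCT_PER_WEEK):
    """Label each event type over the most recent `window` weeks as
    increasing, decreasing or plateaued."""
    labels = {}
    for name, series in weekly.items():
        pct = trend_per_week(series[-window:])
        if pct > flat_pct:
            labels[name] = "increasing"
        elif pct < -flat_pct:
            labels[name] = "decreasing"
        else:
            labels[name] = "plateaued"
    return labels


def plateaued_while_peers_rise(weekly, window=3):
    """Event types that have gone flat while at least one similar event type
    keeps increasing; these are the ones worth a deeper look."""
    labels = classify_trends(weekly, window)
    if "increasing" not in labels.values():
        return []
    return sorted(name for name, label in labels.items() if label == "plateaued")


if __name__ == "__main__":
    for name, label in classify_trends(WEEKLY_BLOCKS).items():
        print(f"{name:18s} {label:11s} {trend_per_week(WEEKLY_BLOCKS[name][-3:]):+6.1f}%/week")
    print("investigate:", plateaued_while_peers_rise(WEEKLY_BLOCKS))
```

On the sample data, phishing and malware blocks are climbing at roughly 20% a week, port scans are drifting down, and blocked C2 beacons have sat at about 60 a week for three weeks after rising steadily before that. The script surfaces only the last of these, which is the hypothesis a hunt team would want to test rather than a conclusion.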

A More Analytics-Driven Intelligent SOC

A SOC will get only so far relying on an analysis tool's default templates. Threat-detection methods based solely on standard whitelists and blacklists, signatures, and rule sets aren't effective against the unknown. Data mining combined with meticulous forensic analysis is the only way to find the subtle clues that lead back to an attacker. SIEM features, such as machine learning, behavioral analytics, and advanced automation, need to be customized for your specific environment to improve detection rates and reduce false positives. It's an iterative process, and SOCs that realize the true potential of security analytics encourage data exploration by asking questions such as:

• Is there a different variable that could predict an attack?
• This behavior is authorized, but is it acceptable?
• Why has the occurrence of a particular event plateaued while other, similar events have increased?

Only when SOCs are answering these types of questions and are thinking outside the compliance checkbox will they move from monitoring and investigating to hunting down unknown threats.

Cybercriminals work hard to stay ahead of network defenses, constantly developing new ways, such as chaining persistence techniques, to avoid detection and counter eradication attempts. Little is left to chance and no stone is left unturned. This level of innovation, research, and attention to detail has to be matched by leveraging SIEM technology, predictive analytics, and machine learning to gain insights on how to improve defenses against future attacks.

Get Smart, or Be Breached

Your enemies are persistent, resilient, and constantly evolving. Your attack surface is constantly changing and expanding, and unless you continually update and evolve your defenses, they will be overrun. Proactive, intelligence-driven security is essential to tackle the challenge of reducing the time between compromise and discovery, and security analytics can be a game changer in the war against today's sophisticated attacks. It can provide security teams with the real-time insights needed to expose the orchestration of an APT-style attack. SOCs that effectively capture and use threat intelligence are more likely to recognize when their networks or systems are compromised or under attack, and are better placed to thwart future attacks. By constantly questioning what is happening on the network, they can ensure that the organization is safe to thrive and grow.
