Some things only appear suspicious when seen in a broader context.
An accountant may regularly access financial data when working at their organisation’s headquarters in London.
It may also be usual for them to access the same data on occasions when visiting regional offices in other cities.
What would not make sense would be for the accountant to download data in New York when the company’s physical security system shows him to be in London, already accessing other systems from there.
Spotting suspicious activity in such a way is the concept behind context-aware security. It involves reviewing a single event with other events taking place as well against historical log data and relevant information from a range of other sources. This involves real-time access to extensive volumes of data and the ability to process it in real time. Some describe context-aware security as a big data challenge, meaning that you need the ability to process and gain useful insight from large volumes of data.
Read more security articles
- Video: How security leaders justify costs
- Security awareness training made easy
- Lifecycle of an advanced persistent threat
- Security Think Tank: High levels of control require detailed security intelligence
- Security Think Tank: Context-aware tech does not eliminate human touch
- Security Think Tank: Context, the 5 Ws and H of security
- Security Think Tank: Context-aware security is about more than buying technology
- Security Think Tank: Begin switch to context-aware security now, says Gartner
- Security Think Tank: New tech trends fuel need for context-based security
- Security Think Tank: context-aware security is business-aware security
There is nothing new about storing and processing log data. Suppliers of log management software have been around for years, for example LogRhythm and LogLogic (the latter acquired by Tibco in 2012). The reasons for investing in log management principally involved compliance, allowing IT staff to produce audits of who had been doing what on their organisation’s IT systems by collecting and analysing data from the log files of servers, network devices, security systems and so on.
Log management suppliers have evolved their offerings over the last decade to provide a broader capability to view log data against other events happening on and around their systems. This led to the term SIEM (security information event management), first used by Gartner around 2005. SIEM tools combine log data with other information, for example about users and their rights, third-party feeds (about vulnerabilities, malware, news, weather and so on), location data (using IP addresses and mobile device tracking) and new regulatory requirements. They use all of this to provide enriched reports for compliance reporting and security review.
As SIEM became a mainstream offering, many of the big IT security suppliers entered the market through acquisition, the most notable being: HP, with ArcSight (2010); IBM, with Q1 Labs (2011); McAfee, with Nitro Security (2011); and EMC-RSA, with Netwitness (2011).
LogRhythm is considered an SIEM supplier. Others include Red Lambda, Trustwave and Sensage. Splunk is often seen as an SIEM supplier, but its focus is even broader, using IT operational intelligence for providing commercial as well as security insight.
However, to go further still and provide the promise of context-aware security in real time requires SIEM tools to be souped-up, so they can conduct analysis at speed and provide real-time protection. Quocirca termed this advanced cyber-security intelligence (ASI) in a July 2012 report. Another term used by some is next-generation SIEM (NG-SIEM).
Basic requirements of context-aware security
Whatever term you prefer, any supplier claiming to offer a broad, context-aware security capability should have tools that can do all of the following:
- Process and analyse large volumes of data in real time; n Have an advanced correlation engine to process and compare information from disparate sources;
- Be able to enforce advanced rules that link disparate events and prescribe what should happen if there is an anomaly;
- Include a range of out-of-the-box rules as well as allowing customers to write their own; n Have the intelligence and insight to act and prevent security breaches as they happen; n Have the capability to adapt to events and improve future responses; n Gather data from external feeds;
- Have the capacity for the long-term storage of IT intelligence data in a central repository; n Provide an intuitive interface and dashboard for ease of use by all security staff.
NG-SIEM is not the only way to provide context-aware security. Some suppliers have added specific capability to provide context around their various security products. For example, Kaspersky Lab’s System Watcher combines information drawn from its firewall, behaviour analyser and cloud-based reputation server to provide a broader overall risk assessment of suspected malware.
Other tools provide very specific context awareness. For example, Finsphere uses mobile phone numbers as an additional means of user authentication. The supplier compares this with information about the user’s location to make sure a given login makes sense (similar to the example used at the start of this article). To achieve the high-speed processing necessary to deliver this in real time, Finsphere has just signed a deal with Violin Memory.
Context-aware security is not a replacement for existing point security technologies such as antivirus, firewalls and intrusion prevention systems but supplements them. It provides insight that can identify a malicious attack or undesirable user behaviour – an even greater risk that needs to be mitigated.
How context-aware security supplements point security technologies
Here are some examples of where ASI may succeed where point security products fail:
- Detecting zero-day attacks: Signature-based antivirus software cannot detect newly constructed malware, which is often used during targeted attacks. Correlating server access logs to identify that the same server is being used to contact many other servers and user end-points on the same private network and is sending messages home to an unusual IP address would give an early warning that something is amiss.
- Detecting hacking and preventing data theft: An intrusion prevention system may prevent multiple failed attempts to access a server from a particular IP address, but may not see that data is already being copied from that server due to a single successful penetration from the same IP address. Correlating log and event files could identify that two such events are related and lead to the prevention of a data theft. Target attacks often have this sort of profile.
- Non-compliant movement of data: It might be usual for an employee to access customer information; it may also be usual for them to download it to a file for reporting reasons. However, for them to copy the data to a non-compliant location – for example a cloud storage resource in a certain country– should raise an alarm. This requires rules that understand user access rights and current compliance requirements and the ability to correlate these in real time with attempts to copy data and the location of the target storage service.
- Absence of an event: Scada (supervisory control and data acquisition) systems are often controlled using human-machine interfaces (HMI); this requires someone to be present, which, with physical security measures in place, should be preceded by a record of the employee involved having used an ID badge to enter the premises in question. So, if an action is logged on an HMI system at a remote location that is not preceded by a valid record of physical entry, either someone has gained unauthorised access or the HMI has been hacked remotely. An advanced correlation rule that looks for the presence of the badge reader log in a specified time prior to an HMI access request enables such a breach to be detected
- Anomalous system-administration activity: If a system administrator account has been compromised, there may be an attempt to create a new account for future use. Correlating this activity with a change control system will identify that the creation of such accounts has not been authorised.
- Unexpected access routes: Some databases are only normally accessed via certain applications, for example credit card data is written by an e-commerce application and only read by the accounts application; access attempts via other routes should raise an alarm if the tools are in place to correlate such events and observe that a rule about the normal access route is being broken.
For businesses, there will be no end to the struggle to get the upper hand over cyber criminals, hacktivists and indeed their own users. For governments, the situation is arguably even worse, as cyber space becomes the fifth theatre for warfare after land, sea, air and space, and terrorists see cyber space as a way to go after critical infrastructure. All have to keep upping the ante to avoid falling too far behind, or perhaps even get ahead, turning cyber security into an offensive rather than defensive act.
So much criminal activity and political activism has now been displaced from the physical world to cyber space – or at least extended to cover both – IT security teams are now on the front line when it comes to ensuring their businesses’ continuity with reputations intact. To this end they must be enabled with the tools that provide broader context for the activity on the systems they manage, to protect their business from problems tomorrow that no-one can envisage today.
Bob Tarzey is service director at Quocirca. Click here for Quocirca’s free report, Advanced Cyber Security Intelligence.
This was first published in April 2013