<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
xmlns:rawvoice="http://www.rawvoice.com/rawvoiceRssModule/"
>

<channel>
	<title>Speaking of Security - The RSA Blog and Podcast &#187; SMInsights</title>
	<atom:link href="http://blogs.rsa.com/author/smi/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.rsa.com</link>
	<description>The Security Blog for Security Professionals</description>
	<lastBuildDate>Tue, 21 May 2013 18:37:11 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5</generator>
<!-- podcast_generator="Blubrry PowerPress/4.0.7" -->
	<itunes:summary>The Speaking of Security podcast features lively discussion with industry experts on the latest issues and trends in the security industry.</itunes:summary>
	<itunes:author>RSA, The Security Division of EMC</itunes:author>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://blogs.rsa.com/wp-content/uploads/userphoto/sos.png" />
	<itunes:owner>
		<itunes:name>RSA, The Security Division of EMC</itunes:name>
		<itunes:email>podcast@rsa.com</itunes:email>
	</itunes:owner>
	<managingEditor>podcast@rsa.com (RSA, The Security Division of EMC)</managingEditor>
	<itunes:subtitle>The Security Blog for Security Professionals</itunes:subtitle>
	<itunes:keywords>Security, Cyber Crime, APTs, Sam Curry, RSA, EMC, Advanced Persistent Threats, Fraud</itunes:keywords>
	<image>
		<title>Speaking of Security - The RSA Blog and Podcast &#187; SMInsights</title>
		<url>http://blogs.rsa.com/wp-content/uploads/userphoto/sos.png</url>
		<link>http://blogs.rsa.com</link>
	</image>
	<itunes:category text="Technology">
		<itunes:category text="Tech News" />
		<itunes:category text="Podcasting" />
	</itunes:category>
		<item>
		<title>An Intelligence-Driven SOC – Come See It</title>
		<link>http://blogs.rsa.com/an-intelligence-driven-soc-come-see-it/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=an-intelligence-driven-soc-come-see-it</link>
		<comments>http://blogs.rsa.com/an-intelligence-driven-soc-come-see-it/#comments</comments>
		<pubDate>Mon, 29 Apr 2013 21:19:36 +0000</pubDate>
		<dc:creator>SMInsights</dc:creator>
				<category><![CDATA[Advanced Threats]]></category>
		<category><![CDATA[Intelligence-driven security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Security Analytics]]></category>
		<category><![CDATA[Security Information and Event Management (SIEM)]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[SOC]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=8942</guid>
		<description><![CDATA[I just returned from a weeklong trip to Europe, where I contributed my voice to the wildly successful series of RSA Security Summits. With near unanimity in London and Zurich, the audience accepted our premise that as a result of the changing IT landscape – including cloud, mobile, big data, extended workforce, supply chains – and the realities of today’s sophisticated attackers, the approach to security in organizations needs to dramatically change. Furthermore, there was also general agreement that today’s preventive security systems, which are largely perimeter- and signature-based, no longer provide sufficient defenses, and that to compensate, organizations must improve their detective and response-focused security controls. This quickly led to the practical and real challenge of how organizations can best make those improvements. How, in an environment of fixed security budgets, can organizations invest to create or significantly enhance their monitoring and response capabilities?]]></description>
				<content:encoded><![CDATA[<p>By Matthew Gardiner, Sr. Manager, RSA</p>
<p>I just returned from a weeklong trip to Europe, where I contributed my voice to the wildly successful series of <span style="text-decoration: underline;"><strong><a href="http://www.emc.com/microsites/rsa-security-summit/index.htm">RSA Security Summits</a></strong></span>. With near unanimity in London and Zurich, the audience accepted our premise that as a result of the changing IT landscape – including cloud, mobile, big data, extended workforce, supply chains – and the realities of today’s sophisticated attackers, the approach to security in organizations needs to dramatically change. Furthermore, there was also general agreement that today’s preventive security systems, which are largely perimeter- and signature-based, no longer provide sufficient defenses, and that to compensate, organizations must improve their detective and response-focused security controls. This quickly led to the practical and real challenge of how organizations can best make those improvements. How, in an environment of fixed security budgets, can organizations invest to create or significantly enhance their monitoring and response capabilities?</p>
<p>In effect, organizations are asking themselves how they can build out their security operations centers (SOCs). No doubt there are many factors to weigh when considering a significant SOC investment, not the least of which are the organization’s security maturity, the type and location of its sensitive digital assets, its expertise, and its risk tolerance. But equally important are the technical infrastructure and processes necessary to make SOCs both more effective and more efficient in their task of detecting, investigating, and remediating threats and vulnerabilities. With limited human resources, how can the mundane tasks be automated away and the complex ones be made easier? This is a deep topic that we were only able to touch on during these Summits.</p>
<p>Fortunately, if you are interested in building what we call an intelligence-driven SOC, RSA is running a webinar on precisely this topic, in which we will spend most of the session walking through the detection, investigation, and response lifecycle of a representative advanced attack and show you how an intelligence-driven SOC solution can help to optimize this process. Sound interesting? Come join us at this <span style="text-decoration: underline;"><strong><a href="https://www.brighttalk.com/webcast/9217/72629">event</a></strong></span> happening Thursday, May 2 at 2 pm EST.</p>
<p><em>Matthew Gardiner is on the product marketing team at RSA and is focused on the evolution of the SOC and RSA’s solutions which help SOC analysts be more effective and efficient in their jobs. You can follow him on Twitter @jmatthewg1234.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/an-intelligence-driven-soc-come-see-it/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Business Context and Incident Management for the Security Operations Center (SOC)</title>
		<link>http://blogs.rsa.com/business-context-and-incident-management-for-the-security-operations-center-soc/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=business-context-and-incident-management-for-the-security-operations-center-soc</link>
		<comments>http://blogs.rsa.com/business-context-and-incident-management-for-the-security-operations-center-soc/#comments</comments>
		<pubDate>Tue, 19 Mar 2013 16:00:09 +0000</pubDate>
		<dc:creator>SMInsights</dc:creator>
				<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=8388</guid>
		<description><![CDATA[Today’s IT environments are more fluid and complex than ever. Security teams are faced with a flood of alerts and indicators across thousands of devices and massive volumes and varieties of applications and information types. It is more important than ever that the efforts of the security teams are prioritized such that threats that pose the biggest risk to the organization are investigated and resolved first.]]></description>
				<content:encoded><![CDATA[<p><i>By Bali Kuchipudi, RSA Consultant Product Marketing Manager, Security Management and Compliance</i></p>
<p>Today’s IT environments are more fluid and complex than ever. Security teams are faced with a flood of alerts and indicators across thousands of devices and massive volumes and varieties of applications and information types. It is more important than ever that the efforts of the security teams are prioritized such that threats that pose the biggest risk to the organization are investigated and resolved first.</p>
<p>So, how are security teams dealing with this? Yes, it is a Big Data problem and security teams must have full visibility, intelligence and governance to rapidly detect advanced threats and have an incident management process to prioritize, investigate and resolve security incidents. It is about prioritizing the efforts of the security teams by finding the right needle in a stack of needles.</p>
<p><a href="http://blogs.rsa.com/?attachment_id=8389" rel="attachment wp-att-8389"><img class="size-full wp-image-8389 alignnone" alt="Untitled" src="http://blogs.rsa.com/wp-content/uploads/Untitled.jpg" width="431" height="179" /></a></p>
<p>At RSA Conference in February, we announced <span style="text-decoration: underline"><strong><a href="http://www.emc.com/about/news/press/2013/20130225-01.htm">RSA Asset Criticality Intelligence (ACI)</a></strong></span> and <span style="text-decoration: underline"><strong><a href="http://www.emc.com/about/news/press/2013/20130225-01.htm">RSA Advanced Incident Management for Security (AIMS)</a></strong></span>, and now I am thrilled to say that both of these solutions are generally available. <span style="text-decoration: underline"><strong><a href="http://www.emc.com/security/security-analytics/security-analytics.htm">RSA Security Analytics</a></strong></span> is a transformative security monitoring and investigative solution that captures and analyzes all security-related data as network packets and logs and fuses this with threat intelligence to speed up the detection of potential threats. With <span style="text-decoration: underline"><strong><a href="http://www.emc.com/security/security-analytics/security-analytics.htm#!integration_options">RSA ACI and RSA AIMS</a></strong></span>, the threats that pose the biggest risk to the most critical assets of the organization are prioritized and followed through by the security teams. These solutions provide a single user interface for security analysts to use when investigating a security event; the security analyst can engage key business stakeholders, follow standard response procedures and document the resolution. For example, in the case of data exfiltration from a critical asset, the incident is automatically created, the asset owner can be notified of the exfiltration, and the IT team can be notified to close ports and kick off the remediation process to remove any malware on the asset or patch the vulnerabilities. Additionally, while the security incident is being investigated, the various stakeholders are kept apprised of the situation through advanced reporting and dashboards.</p>
<p>RSA ACI and RSA AIMS bridge the gap between security and business teams so both teams are aligned in protecting the most critical assets and information of an organization.</p>
<p>This Thursday, March 21<sup>st</sup>, RSA will hold a live webcast called “Business Context and Incident Management for the Security Operations Center (SOC)”. You can register for this webcast here: <span style="text-decoration: underline"><strong><a href="https://emcinformation.com/137302/REG/.ashx?reg_src=speakingofsecurity">https://emcinformation.com/137302/REG/.ashx?reg_src=speakingofsecurity</a></strong></span>. It will provide you with an overview of RSA ACI and RSA AIMS and will also provide a live demonstration of both these solutions.</p>
<!-- Start Sociable --><div class="sociable"><div onMouseout="fixOnMouseOut(this,event,'post-8388')" id="sociable-post-8388" style="display:none;">

  </div></div><!-- End Sociable -->]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/business-context-and-incident-management-for-the-security-operations-center-soc/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Big Data Security Analytics Era Is Here</title>
		<link>http://blogs.rsa.com/the-big-data-security-analytics-era-is-here/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-big-data-security-analytics-era-is-here</link>
		<comments>http://blogs.rsa.com/the-big-data-security-analytics-era-is-here/#comments</comments>
		<pubDate>Wed, 30 Jan 2013 11:00:09 +0000</pubDate>
		<dc:creator>SMInsights</dc:creator>
				<category><![CDATA[Big data]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[advanced threats]]></category>
		<category><![CDATA[Big Data Analytics]]></category>
		<category><![CDATA[Big Data Security]]></category>
		<category><![CDATA[security analytics]]></category>
		<category><![CDATA[SIEM]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=7987</guid>
		<description><![CDATA[My blog today reflects on newly published research from Jon Oltsik at ESG (from whom I borrowed the title of this blog), which covers the collision of advanced threats, security monitoring, SIEM, big data technologies and techniques, and organizational security maturity.  In the paper Jon clearly brings forward his argument - with which I completely agree - that security threats have changed and thus the tools used and approaches for defense need to change significantly.  I recognize this sounds a bit clichéd, but read the paper and you will see that there is a clear argument and evidence to back up this claim.  One very obvious technical trend is that the flood of security data that is required to provide the visibility that is necessary to improve the organization’s defenses has gone up -- way, way up.]]></description>
				<content:encoded><![CDATA[<p><em>By Matthew Gardiner, Senior Manager, RSA Security Management &amp; Compliance<br />
</em></p>
<p>My blog today reflects on newly <span style="text-decoration: underline"><strong>published research</strong></span> from <span style="text-decoration: underline"><strong><a href="http://www.esg-global.com/author/jon-oltsik/">Jon Oltsik</a></strong></span> at <span style="text-decoration: underline"><strong><a href="http://www.esg-global.com/">ESG</a></strong></span> (from whom I borrowed the title of this blog), which covers the collision of advanced threats, security monitoring, SIEM, big data technologies and techniques, and organizational security maturity.  In the paper Jon clearly brings forward his argument &#8211; with which I completely agree &#8211; that security threats have changed and thus the tools used and approaches for defense need to change significantly.  I recognize this sounds a bit clichéd, but read the paper and you will see that there is a clear argument and evidence to back up this claim.  One very obvious technical trend is that the flood of security data that is required to provide the visibility that is necessary to improve the organization’s defenses has gone up &#8212; way, way up.</p>
<p>But there is the rub, as most centralized security data collection and analytics systems in use by enterprises today (SIEM systems generally) not only rely on partially informative data sources (logs/events), but are already computationally overwhelmed by the amount and rate of change of this security data.  Collecting data that can’t be analyzed in a timely manner adds little value.  Asking these traditional SIEM systems to provide better security monitoring to match the stealthiest attacks has become a dead end.  It is our view that further tuning and tweaking of traditional, log-centric SIEM systems is futile given the security realities on the ground.  While security organizations face more than SIEM technology challenges, such as rapid infrastructure and application changes and the growing security skills shortage, more effective monitoring tools can help to mitigate the impact of all of these problems.</p>
<p>Enter the era of Big Data security analytics.  RSA’s new product for this new era is <a href="http://www.emc.com/about/news/press/2013/20130130-01.htm"><span style="text-decoration: underline"><strong>RSA Security Analytics</strong></span></a>.  Whether or not the market ultimately considers this product a SIEM or creates a new category for it, RSA Security Analytics brings forward a new approach to the detection and investigation of threats that goes beyond traditional, log-centric SIEM systems.  It enables the ingestion and analysis of large and fast-changing data sets with the goal of helping the security analyst draw intelligence from them in near real-time.</p>
<p>Does it consume logs?  Yes.  But it is not limited to only that form of telemetry.  RSA Security Analytics combines broad telemetry (most notably full network packet capture, automated threat intelligence, and asset information) with a data management and analytic platform that scales to make real-time security monitoring effective against even the most stealthy attacks.</p>
<p>To take part in our product launch event (or view a recording of it later) come join us <span style="text-decoration: underline"><strong><a href="https://presentations.inxpo.com/Shows/RSA_SA/Registration/RSASAR.html?AffiliateKey=15973&amp;AffiliateData=eDM">here</a></strong></span>.</p>
<p><em>Matthew Gardiner is on the Security Management &amp; Compliance product marketing team at RSA and is focused on the evolution of the SOC and RSA’s solutions which help SOC analysts be more effective and efficient in their jobs.  You can follow him on Twitter @jmatthewg1234. </em></p>
<div>
<hr align="left" size="1" width="33%" />
</div>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/the-big-data-security-analytics-era-is-here/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Waiting for Big Data to Impact Security?  It Already Has.</title>
		<link>http://blogs.rsa.com/waiting-for-big-data-to-impact-security-it-already-has/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=waiting-for-big-data-to-impact-security-it-already-has</link>
		<comments>http://blogs.rsa.com/waiting-for-big-data-to-impact-security-it-already-has/#comments</comments>
		<pubDate>Thu, 27 Sep 2012 12:00:24 +0000</pubDate>
		<dc:creator>SMInsights</dc:creator>
				<category><![CDATA[Big data]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Security Information and Event Management (SIEM)]]></category>
		<category><![CDATA[Security Management]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=6523</guid>
		<description><![CDATA[In the case of security, organizations need to understand where the risks are, where the infections have landed, where the attacks are in process, and what they should do about them, fast.  This has led security organizations directly into the challenge/opportunity of Big Data, now.
]]></description>
				<content:encoded><![CDATA[<p>By Matthew Gardiner, Sr. Manager, RSA</p>
<p>If you were wondering when Big Data and security analytics were going to collide, recent data strongly suggests that they already have. In a big way. If you are currently employed as a security analyst you can stop rolling your eyes now. I know you know this; the purpose of this blog is to communicate to the people around you who don’t know what you are already living every day.</p>
<p>RSA recently sponsored some survey-based research with analyst firm ESG largely on the topic of Big Data &amp; security. While ESG hasn’t published this research yet, RSA was recently able to get an early look at the results. A key take-away from the research is that most enterprises are already smack in the middle of the challenge/opportunity of using Big Data approaches to improve their security position. In an effort to gain better visibility and improved detection and investigative efficiency and effectiveness, organizations are collecting and trying to glean intelligence from more sources than ever before.</p>
<p>For example, when asked “How has the amount of data your organization collects to support its information security activities changed in the last 2 years”, 86% of respondents answered either “substantially more” or “somewhat more”; 0% selected “less”. When asked about the types of data that their organization collects or plans to collect in the next 12-24 months, the list of data types that more than 75% of respondents checked included more than 18 types.</p>
<p>These two questions hit directly at two key pillars of the Big Data phenomenon, namely the existence of large data sets of highly diverse data types, from which key insights must be quickly gleaned. In the case of security, organizations need to understand where the risks are, where the infections have landed, where the attacks are in process, and what they should do about them, fast. This has led security organizations directly into the challenge/opportunity of Big Data, now.</p>
<p><em>Matthew Gardiner is on the product marketing team at RSA and is focused on the evolution of the SOC and RSA’s solutions which help SOC analysts be more effective and efficient in their jobs. You can follow him on Twitter @jmatthewg1234.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/waiting-for-big-data-to-impact-security-it-already-has/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Apply Pressure to SIEM and it Turns into Security Analytics</title>
		<link>http://blogs.rsa.com/apply-pressure-to-siem-and-it-turns-into-security-analytics/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=apply-pressure-to-siem-and-it-turns-into-security-analytics</link>
		<comments>http://blogs.rsa.com/apply-pressure-to-siem-and-it-turns-into-security-analytics/#comments</comments>
		<pubDate>Mon, 10 Sep 2012 16:00:42 +0000</pubDate>
		<dc:creator>SMInsights</dc:creator>
				<category><![CDATA[Big data]]></category>
		<category><![CDATA[Security Information and Event Management (SIEM)]]></category>
		<category><![CDATA[Security Management]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=6346</guid>
		<description><![CDATA[It is well known that if you want someone or something to change, just apply pressure over a period of time. This is true for organizations, people, and even earthly matter, such as carbon (diamonds) and formerly living plants (hydrocarbons). Markets also transform when under pressure. I believe this is precisely what is happening to the SIEM market right now.]]></description>
				<content:encoded><![CDATA[<p>By Matthew Gardiner, Sr. Manager, RSA</p>
<p>It is well known that if you want someone or something to change, just apply pressure over a period of time. This is true for organizations, people, and even earthly matter, such as carbon (diamonds) and formerly living plants (hydrocarbons). Markets also transform when under pressure. I believe this is precisely what is happening to the SIEM market right now.</p>
<p>What are the points of pressure for the SIEM market? There are a number of them, but the big one is the rise of advanced or targeted attacks against organizations. While traditional, log-centric SIEM systems are theoretically well positioned to become early warning systems for advanced threats, due to their centralized position paired with highly distributed data collection, they currently fall short in many critical ways.</p>
<p>For one, traditional SIEM systems do not have sufficient visibility into the IT environment or organizational context to be able to detect security vulnerabilities or risky anomalous activity. Even if they had this capability, SIEM systems don’t provide sufficiently deep analytics to help the security analyst sort through the meaningless noise to find the security issues that matter. Furthermore, even if they could accomplish the previous two things, most traditional SIEM systems choke when applied to this level of “big data” – often measured in terabytes per day.</p>
<p>And finally, SIEM systems were not designed with the security (or SOC) analyst sufficiently in mind. Since security analysts spend much of their time investigating issues and incidents, it is absolutely critical, especially with the rise of advanced threats, that they be able to conduct these investigations efficiently and effectively, as time is the enemy.</p>
<p>The traditional, log-centric SIEM market is under pressure from advanced threats, but as do organizations, people, and earthly matter, the SIEM market in general (and RSA in particular) is responding to this pressure by transforming SIEM into Security Analytics.</p>
<p>Matthew Gardiner is on the product marketing team at RSA and is focused on the evolution of the SOC and RSA’s solutions which help SOC analysts be more effective and efficient in their jobs. You can follow him on Twitter @jmatthewg1234.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/apply-pressure-to-siem-and-it-turns-into-security-analytics/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Knock, Knock. Who’s There? Big Data.</title>
		<link>http://blogs.rsa.com/knock-knock-whos-there-big-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=knock-knock-whos-there-big-data</link>
		<comments>http://blogs.rsa.com/knock-knock-whos-there-big-data/#comments</comments>
		<pubDate>Thu, 14 Jun 2012 12:30:13 +0000</pubDate>
		<dc:creator>SMInsights</dc:creator>
				<category><![CDATA[Big data]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[Security Information and Event Management (SIEM)]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Big Data]]></category>
		<category><![CDATA[Big Data Analytics]]></category>
		<category><![CDATA[security analytics]]></category>
		<category><![CDATA[SIEM]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=5457</guid>
		<description><![CDATA[I recently had the pleasure of attending the annual EMC World user conference in Las Vegas, NV. And it was, in my opinion, immensely informative, not just for me but for EMC, RSA and all of its partners and customers. The sessions and Solutions Pavilion were lively and engaging, the keynotes had the production value worthy of most Hollywood movies and the topics were relevant for today’s IT and security managers.]]></description>
				<content:encoded><![CDATA[<p><em>Barrett Mononen – Sr. Product Marketing Manager, Security Analytics, RSA</em></p>
<p>I recently had the pleasure of attending the annual EMC World user conference in Las Vegas, NV. And it was, in my opinion, immensely informative, not just for me but for EMC, RSA and all of its partners and customers. The sessions and Solutions Pavilion were lively and engaging, <strong><span style="text-decoration: underline;"><a href="http://http://emcworld.com/emctv.html?live=true">the keynotes</a></span> </strong>had the production value worthy of most Hollywood movies and the topics were relevant for today’s IT and security managers.</p>
<p>What truly stood out to me was the strong sense that this era of “big data” is no longer just a marketing phrase or jargon about a future state of the industry. The challenge and opportunity of Big Data is here and now. In session after session EMC’s partners and customers discussed the data sets they are managing. The sheer size was staggering. My favorite example was during a session entitled &#8220;Chad’s World&#8221; with <span style="text-decoration: underline;"><strong><a href="http://virtualgeek.typepad.com">Chad Sakac</a></strong></span>. He had with him an EMC customer, Los Alamos National Lab, who was responsible for running nuclear missile detonation simulations. When asked what his data set size typically was he calmly responded, “Somewhere around an Exabyte”.</p>
<p>An Exabyte! (That’s 1,000 petabytes for those counting at home). On top of it all both Joe Tucci and <strong><span style="text-decoration: underline;"><a href="https://twitter.com/#!/jburton">Jeremy Burton</a></span></strong> mentioned in their keynotes that it’s no longer a question of big data – it’s about big FAST data.</p>
<p>So our security tools must adapt to support this new paradigm. IT infrastructure is no longer application centric – it’s user and data centric. There are no hard and fast perimeters; the enterprise is boundless. These types of infrastructures create mountains of data. This means that having security solutions capable of big data analytics is more important than ever. To take it further, security solutions capable of predictive analytics, to help wade through the mountain of data.</p>
<p>In my <span style="text-decoration: underline;"><strong><a href="http://blogs.rsa.com/smi/stop-climbing-through-the-haystack-to-find-the-needle-use-a-magnet/">previous blog</a></strong>,</span> I talked about the tactic of removing the hay from the haystack in order to find “security incident” needles more easily. Think about the types of solution(s) that would be able to sift through petabytes of data, filtering to remove known good and intelligently prioritizing the data you need – all with the end goal of finding the tiniest piece of evidence that something is awry. It would take a solution built from the ground up for security, speed and massive data sets. A tool with predictive analytics, real-time access to relevant data and the scale required for the ‘big data’ security world.</p>
<p>And guess what? These are no longer the solutions only for the bleeding edge innovators – these are the tools of today, the tools of our trade, the solutions that you need.</p>
<p><em>Barrett is a member of the product marketing team focused on the evolution of RSA’s SIEM and security analysis portfolio and is always looking to bring fresh “insights” to the security management landscape.  Outside of work you can find Barrett at the top of the closest mountain or running his legs off in the nearest road race.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/knock-knock-whos-there-big-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Enhancing Security Controls Using RSA Solutions with Microsoft Windows Server 2012</title>
		<link>http://blogs.rsa.com/enhancing-security-controls-using-rsa-solutions-with-microsoft-windows-server-2012-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=enhancing-security-controls-using-rsa-solutions-with-microsoft-windows-server-2012-2</link>
		<comments>http://blogs.rsa.com/enhancing-security-controls-using-rsa-solutions-with-microsoft-windows-server-2012-2/#comments</comments>
		<pubDate>Mon, 11 Jun 2012 16:00:00 +0000</pubDate>
		<dc:creator>SMInsights</dc:creator>
				<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Security Information and Event Management (SIEM)]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=5392</guid>
		<description><![CDATA[By Matthew Gardiner, Sr. Manager, RSA Unless you have been hiding under a rock in another universe, you are aware that Microsoft is soon to be releasing the latest major round of the Windows franchise, namely Windows 8 and its cousin Windows Server 2012. In fact at the upcoming TechEd North America 2012, this latest [...]]]></description>
				<content:encoded><![CDATA[<p>By Matthew Gardiner, Sr. Manager, RSA</p>
<p>Unless you have been hiding under a rock in another universe, you are aware that Microsoft is soon to be releasing the latest major round of the Windows franchise, namely Windows 8 and its cousin Windows Server 2012. In fact at the upcoming <a href="http://northamerica.msteched.com/#fbid=AHw9pA6tpwq">TechEd North America 2012</a>, this latest version of Windows will have a very prominent role in the conference content. This brings me to the point of this blog entry. How can these new versions of Windows, in particular Windows Server 2012, improve the security profile of the organization that uses it? And how is RSA extending this security value even further through upcoming product integrations with Windows Server 2012?</p>
<p>A good place to start your Windows Server 2012 security education is on the <a href="http://technet.microsoft.com/en-us/library/hh801901">Windows Server 2012 portion of Technet</a>. For the purposes of this blog, specifically check out the area of Technet which explains <a href="http://technet.microsoft.com/en-us/library/hh831717">Dynamic Access Control</a> (DAC). This is a new set of capabilities for Windows Server 2012 that enhances data governance by enabling more granular access enforcement and audit visibility.</p>
<p>The Windows Server 2012 DAC is a natural touch point for multiple RSA security management technologies, specifically <a href="http://www.emc.com/security/rsa-netwitness.htm">RSA NetWitness</a> and <a href="http://www.emc.com/security/rsa-data-loss-prevention.htm">RSA Data Loss Prevention</a> (DLP) to name a couple. At TechEd 2012 RSA will be demonstrating a real life scenario where Windows Server 2012 audit information is used to discover an internal user “gone bad” using the investigative capabilities of NetWitness. The increased level of security visibility enabled through the integrated use of NetWitness and Windows Server 2012 with the DAC is but one example of how the combination of RSA technology and Windows 2012 will make sensitive data “spills” less likely.</p>
<p>In addition to developing integration with NetWitness, RSA is also working on leveraging the Dynamic Access Control capability of Windows to better find and block misuse of sensitive information. This part of the story brings together RSA DLP and Windows Server 2012/DAC. Leveraging the upcoming integration, RSA DLP will be able to more easily find sensitive information so that it can track it, initiate remediation, block its movement outside the enterprise, force encryption, or all of the above. The bottom line is that as Microsoft moves forward with its enterprise infrastructure, so RSA moves forward in collaboration with Microsoft to deliver more effective and efficient security controls.</p>
<p>Matthew Gardiner is on the product marketing team at RSA and is focused on the evolution of the SOC and RSA’s solutions which help SOC analysts be more effective and efficient in their jobs. You can follow him on Twitter @jmatthewg1234.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/enhancing-security-controls-using-rsa-solutions-with-microsoft-windows-server-2012-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Transforming From the Hunted to the Hunter</title>
		<link>http://blogs.rsa.com/transforming-from-the-hunted-to-the-hunter/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=transforming-from-the-hunted-to-the-hunter</link>
		<comments>http://blogs.rsa.com/transforming-from-the-hunted-to-the-hunter/#comments</comments>
		<pubDate>Fri, 08 Jun 2012 12:30:10 +0000</pubDate>
		<dc:creator>SMInsights</dc:creator>
				<category><![CDATA[Big data]]></category>
		<category><![CDATA[Cybercrime and Fraud]]></category>
		<category><![CDATA[Security Information and Event Management (SIEM)]]></category>
		<category><![CDATA[Security Management]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=5254</guid>
		<description><![CDATA[I recently watched the 1932 movie The Most Dangerous Game which was adapted from a short story written by Richard Connell.  In short, the story is about a young man, Bob Rainsford, who is shipwrecked on an isolated Pacific island run by a rich, crazy, yet wily Russian Count named Zaroff.  Zaroff’s favorite hobby is to hunt big game, in particular human game that was amply supplied by shipwrecked people that washed up on his island.  Typically the Count didn’t have too much trouble bagging his human game.  After all, how long and how far can one run on an island?  However, the hunt of Bob Rainsford (and Fay Wray – of King Kong fame - as his helpless love interest) went very differently.  Bob, being an experienced hunter himself, used his skills and guile to turn the tables on Zaroff.  The hunted became the hunter.  Let’s just say it didn’t end well for Zaroff.]]></description>
				<content:encoded><![CDATA[<p>I recently watched the 1932 movie The Most Dangerous Game which was adapted from a short story written by Richard Connell.  In short, the story is about a young man, Bob Rainsford, who is shipwrecked on an isolated Pacific island run by a rich, crazy, yet wily Russian Count named Zaroff.  Zaroff’s favorite hobby is to hunt big game, in particular human game that was amply supplied by shipwrecked people that washed up on his island.</p>
<p>Typically the Count didn’t have too much trouble bagging his human game.  After all, how long and how far can one run on an island?  However, the hunt of Bob Rainsford (and Fay Wray – of King Kong fame &#8211; as his helpless love interest) went very differently.  Bob, being an experienced hunter himself, used his skills and guile to turn the tables on Zaroff.  The hunted became the hunter.  Let’s just say it didn’t end well for Zaroff.</p>
<p>This story actually relates directly to organizations and the security departments that digitally protect them.</p>
<p>For too long, too many organizations have been like most people on Zaroff’s island: they ran and hid “digitally” for as long as they could, but ultimately were found and breached by persistent computer attackers.  Defensive measures can’t keep organizations completely safe; these alone are akin to running and hiding.  What leading organizations are now doing, with the help of RSA and others, is to turn the tables and transform from hunted to hunter.</p>
<p>In this case they are hunting with a combination of powerful detective tools, threat intelligence, big data analytics, and deep security “big game” expertise. I think of the perfect SOC analyst as being the Bob Rainsford of their organization, every bit as good and as aggressive as their digital attackers.  They lay traps and monitor the attackers long before the attackers realize it.  Of course in the digital world no one is fed to the dogs in the end (as far as I know), but just the psychological lift of transforming from hunted to hunter should positively impact the security of organizations that make the switch.  If nothing else it should make the job of a SOC analyst more fun.</p>
<p><em>Matthew Gardiner is on the product marketing team at RSA and is focused on the evolution of the SOC and RSA’s solutions which help SOC analysts be more effective and efficient in their jobs.  You can follow him on Twitter @jmatthewg1234.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/transforming-from-the-hunted-to-the-hunter/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stop climbing through the haystack to find the needle: Use a magnet</title>
		<link>http://blogs.rsa.com/stop-climbing-through-the-haystack-to-find-the-needle-use-a-magnet/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=stop-climbing-through-the-haystack-to-find-the-needle-use-a-magnet</link>
		<comments>http://blogs.rsa.com/stop-climbing-through-the-haystack-to-find-the-needle-use-a-magnet/#comments</comments>
		<pubDate>Wed, 16 May 2012 16:30:48 +0000</pubDate>
		<dc:creator>SMInsights</dc:creator>
				<category><![CDATA[Big data]]></category>
		<category><![CDATA[Security Information and Event Management (SIEM)]]></category>
		<category><![CDATA[Security Management]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=5134</guid>
		<description><![CDATA[As security professionals we are constantly thinking about finding the needle (security incident) in the data haystack. But what if we just used a really powerful magnet? Potential threats are more targeted, stealthy and dynamic than they have ever been, which means you won’t find the needle if you aren’t collecting the hay in which the needle may be hiding. So, it’s more than just collecting a lot of data, it’s about collecting the right data.]]></description>
				<content:encoded><![CDATA[<p><em>by Barrett Mononen – Sr. Product Marketing Manager, RSA</em></p>
<p>A few weekends back I had the pleasure of going to the local children’s museum with a young nephew of mine. One of the attractions was a magnet from an old aircraft carrier’s radar system – it was huge and really powerful. The sign explained what it was and joked, “Finding a needle in the haystack isn’t hard with this.”</p>
<p>This got me thinking. As security professionals we are constantly thinking about finding the needle (security incident) in the data haystack. But what if we just used a really powerful magnet? The needle in this case is the tiniest piece of evidence that an adversary is traversing your network or attempting to inflict digital damage, and the haystack represents the mountain of innocuous data that the needle is hidden within. And in the era of big data that haystack isn’t getting any smaller.</p>
<p>The data a typical security analyst has to look at is growing by the second: logs, packets, critical IT assets, threat intelligence, event data, and data classification feeds, to name some key ones. And on top of that, attackers are getting better at disguising their needles. Potential threats are more targeted, stealthy and dynamic than they have ever been, which means you won’t find the needle if you aren’t collecting the hay in which the needle may be hiding. So, it’s more than just collecting <em>a lot</em> of data, it’s about collecting the <em>right</em> data. This means log collection AND full packet capture; it means external threat intelligence applied to this data to help identify previously unknown attack sequences; and it means enabling analysis on all of this data to help detect threats without signatures.</p>
<blockquote>
<h3 style="text-align: center;"><span style="color: #ff0000;">&#8220;It’s more than just collecting <em>a lot</em> of data, it’s about collecting the <em>right</em> data.&#8221;</span></h3>
</blockquote>
<p>The haystack is growing, the needles are getting smaller yet more damaging, and we’re collecting lots of (the right) data. Now what?</p>
<p>Must be time for the really big magnet, right? Well, not exactly. A lot of organizations have started down that path, but it&#8217;s more than just buying the right magnet. It’s about pointing that magnet at the right-sized haystack. To put it more realistically, how about we use tactics to remove a lot of the hay and make our existing “magnets” more powerful? This could make the haystacks more manageable.</p>
<p>One such tactic is removing items within your data set that you know are “good” – or not threatening – to reveal items that have a higher probability of being “bad”. This method, sometimes called data or traffic carving, can be an incredibly valuable tool. Start a new investigation where you aren’t looking for anything in particular – just looking to remove things you know are good, normal or OK activity. I’ll bet you’ll be surprised at what is left behind – at the very least some activity that is hard to explain.</p>
<p>Now I’m sure we all wish we had an aircraft carrier-sized magnet to find the needle in a haystack, but using the right tactics in combination with stronger tools can actually improve your results.</p>
<p><em>Barrett is a member of the product marketing team focused on the evolution of RSA&#8217;s SIEM and security analysis portfolio and is always looking to bring fresh “insights” to the security management landscape.  Outside of work you can find Barrett at the top of the closest mountain or running his legs off in the nearest road race.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/stop-climbing-through-the-haystack-to-find-the-needle-use-a-magnet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Monitoring vs. EU Data Privacy – Are We Stuck?</title>
		<link>http://blogs.rsa.com/security-monitoring-vs-eu-data-privacy-are-we-stuck/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=security-monitoring-vs-eu-data-privacy-are-we-stuck</link>
		<comments>http://blogs.rsa.com/security-monitoring-vs-eu-data-privacy-are-we-stuck/#comments</comments>
		<pubDate>Tue, 08 May 2012 20:56:38 +0000</pubDate>
		<dc:creator>SMInsights</dc:creator>
				<category><![CDATA[Government & Policy]]></category>
		<category><![CDATA[Security Information and Event Management (SIEM)]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[EU data privacy]]></category>
		<category><![CDATA[security monitoring]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=5073</guid>
		<description><![CDATA[Continuing on the theme from a previous blog, what if the use of state-of-the-art security technologies were believed to conflict with EU data privacy regulations? Are security professionals really to be put in the difficult position of not being able to use the most current security approaches to protect their organizations and users? Is there a way to both protect the organization and its users while respecting the rights of users to not be excessively and unreasonably monitored?]]></description>
				<content:encoded><![CDATA[<p><em>By Matthew Gardiner, Sr. Manager, RSA</em></p>
<p>Continuing on the theme from a <span style="text-decoration: underline;"><strong><a href="http://blogs.rsa.com/smi/eu-data-privacy-regulations-%E2%80%93-are-modern-security-approaches-legally-permissible/" target="_blank">previous blog</a></strong></span>, what if the use of state-of-the-art security technologies were believed to conflict with EU data privacy regulations? Are security professionals really to be put in the difficult position of not being able to use the most current security approaches to protect their organizations and users? Is there a way to both protect the organization and its users while respecting the rights of users to not be excessively and unreasonably monitored?</p>
<p>With the rapid rise of detective-oriented security monitoring technologies such as data loss prevention, centralized log collection, and network forensics, security professionals, primarily in Europe, have often become stuck in the uncomfortable position of being “damned if they do and damned if they don’t.” Damned if they don’t use every available means to protect their organizations against advanced threats, and damned if they do use technologies that can be construed as collecting, analyzing, and generally “seeing” the personal information and communications of employees and other users.</p>
<p>In other parts of the world, such as the USA, the conflict between security and privacy is not currently so intense, and as a consequence security monitoring technologies like those mentioned above are in much wider use. Why? The laws and business practices are different, the culture is different, and the use of these technologies is more established. But does this mean that European organizations are destined to be ripe hunting grounds for attackers, who after all are not known for respecting the privacy rights of their victims? Are European organizations really expected to defend against advanced attacks with a hand tied behind their digital backs?</p>
<p>European organizations should use advanced security technologies, but in ways that are sensitive to, respectful of, and compliant with the laws, culture, and practices of the countries in which they operate. They must work closely with their data privacy officers and their workers’ councils on the why, what, when, and how of their security program to make sure it is well designed, well operated, and, most importantly, understood. Security monitoring versus data privacy is a tricky question, but one that we are working on here at RSA. Being stuck is not an option.</p>
<p><em>Matthew Gardiner is on the product marketing team at RSA and is focused on the evolution of the SOC and RSA’s solutions which help SOC analysts be more effective and efficient in their jobs. You can follow him on twitter @jmatthewg1234.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/security-monitoring-vs-eu-data-privacy-are-we-stuck/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
