Resellers charged with making sure their customers’ use of IT is secure face an on-going challenge: is the security in place good enough to counter today’s threats and, if not, can the customer be convinced to invest more? Research commissioned by LogRhythm and included in a recent Quocirca report entitled “Advanced cyber-security intelligence” underlines the scale of the problem; only 19% of the organisations surveyed said security spending was increasing as a proportion of overall IT spending.
However, the number of threats is increasing and their nature is changing from being generic and random to tailored and targeted. The approach taken to IT security needs to change in line with this and in many cases this will have to be achieved without huge new investment. A starting point is to review what is in place already and gauge its effectiveness.
Traditionally IT security has been deployed as a series of point products: firewalls to keep out intruders, desktop anti-virus to protect the end user environment, spam filters to clean email, web filters to police use of the internet and so on. Whilst all such products have their place, mainly when it comes to countering old-style generic security threats, they are often not enough to protect against more targeted threats. Detecting and mitigating these requires a broader approach: correlating what the individual products report rather than relying on any one of them.
A good example is the Flame malware that was first reported and named earlier in 2012. The early instances of the malware were not known to anti-virus products that relied on signatures, so it had to be detected in other ways, for example by monitoring for unusual activity.
Flame worked by contacting as many other devices on a network as it could and then seeking out interesting data and sending it back to a command and control server. A host that was accessing a wide range of other devices on a given network and then sending reports back to a suspicious IP address could be detected by monitoring both firewall and server activity logs in real time and recognising that combination of behaviours, neither of which would necessarily look alarming on its own. Spotting attacks in this way is what Quocirca has called in its recent report “advanced cyber-security intelligence”.
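As an added example (not code from the article, from Quocirca or from LogRhythm), the correlation described above can be run over firewall and server connection logs. The log lines below are constructed for the demonstration, and the line format, the fan-out threshold, the allow-list of known external destinations and the minimum upload size are all assumptions chosen to illustrate the technique, not values the report gives.

```python
"""
Correlate server connection logs (which internal hosts a machine talked to) with
firewall logs (what left the network) to flag a host that fans out to many internal
devices and then uploads data to an external address that is not on the allow-list.
All log data here is constructed; format and thresholds are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re

# Assumed line format: "<ISO-8601 time> <fw|srv> key=value key=value ..."
LINE_RE = re.compile(r"^(\S+)\s+(fw|srv)\s+(.*)$")

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ALLOWED_EXTERNAL = {"203.0.113.10"}   # assumed known-good destination (e.g. update server)

FANOUT_THRESHOLD = 20                 # distinct internal hosts reached inside WINDOW
WINDOW = timedelta(minutes=10)
MIN_UPLOAD_BYTES = 1_000_000          # ignore small beacons; we want the data leaving


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(line: str):
    """Return (timestamp, source, fields) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split())
    return datetime.fromisoformat(m.group(1)), m.group(2), fields


def detect(lines):
    """Return one alert per host showing internal fan-out followed by an external upload."""
    internal = defaultdict(list)   # host -> [(ts, internal dst)]
    external = defaultdict(list)   # host -> [(ts, external dst, bytes)]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, source, f = rec
        if source == "srv" and is_internal(f["dst"]):
            internal[f["host"]].append((ts, f["dst"]))
        elif source == "fw" and f.get("dir") == "out" and not is_internal(f["dst"]):
            if f["dst"] not in ALLOWED_EXTERNAL:
                external[f["src"]].append((ts, f["dst"], int(f.get("bytes", "0"))))

    alerts = []
    for host, conns in internal.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            reached = {dst for ts, dst in conns[i:] if ts - t0 <= WINDOW}
            if len(reached) < FANOUT_THRESHOLD:
                continue
            # Fan-out alone is normal for e.g. a backup server; require the upload as well.
            uploads = [(ts, dst, b) for ts, dst, b in external.get(host, [])
                       if ts >= t0 and b >= MIN_UPLOAD_BYTES]
            if uploads:
                alerts.append({"host": host, "internal_targets": len(reached),
                               "c2": sorted({dst for _, dst, _ in uploads}),
                               "bytes_out": sum(b for _, _, b in uploads)})
            break
    return alerts


def sample_logs():
    """Constructed log lines: one compromised workstation, one backup server, one quiet host."""
    t = datetime(2012, 7, 1, 8, 0, 0)
    lines = []
    # 10.0.5.17 touches 25 internal hosts in six minutes, then uploads 4 MB to 198.51.100.23
    for n in range(25):
        lines.append(f"{(t + timedelta(seconds=15 * n)).isoformat()} srv host=10.0.5.17 dst=10.0.6.{n + 1} port=445")
    lines.append(f"{(t + timedelta(minutes=8)).isoformat()} fw src=10.0.5.17 dst=198.51.100.23 dir=out bytes=4200000")
    # 10.0.9.1 (backup server) touches 30 hosts but only talks to the allow-listed external host
    for n in range(30):
        lines.append(f"{(t + timedelta(seconds=20 * n)).isoformat()} srv host=10.0.9.1 dst=10.0.7.{n + 1} port=22")
    lines.append(f"{(t + timedelta(minutes=12)).isoformat()} fw src=10.0.9.1 dst=203.0.113.10 dir=out bytes=9000000")
    # 10.0.5.18 sends a large upload but never fans out internally
    lines.append(f"{(t + timedelta(minutes=3)).isoformat()} fw src=10.0.5.18 dst=198.51.100.23 dir=out bytes=5000000")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_logs()):
        print(alert)
```

Run stand-alone it prints a single alert for 10.0.5.17. The backup server reaches more internal hosts than the workstation but is not flagged, because its only large transfer goes to an allow-listed address, and the quiet host is not flagged because a large upload without preceding fan-out does not match the pattern. That is the point of correlating the two log sources: each rule on its own would either miss the workstation or drown the analyst in alerts from legitimate servers, and in a real SIEM the thresholds and allow-list would be tuned from the asset inventory rather than hard-coded.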
The good news is that many organisations already have the base technology for doing this in place. The early iterations of such products were for log management: the collecting and archiving of log data for long term compliance reporting. These evolved into what became termed SIEM (security information and event management), which involved the collection of a broader range of data. Next generation SIEM (another term for advanced cyber-security intelligence) describes souped-up versions of such tools that can correlate that data in real time to protect against targeted threats.
On the whole organisations are reasonably optimistic about protecting themselves against IT security threats with “the right technology in place” (Figure 2). However, they must also recognise that the “right technology” is changing. This is not to say point security products should all be ditched, but their effectiveness should certainly be reviewed, and a rationalisation of them should free up some funds.
Furthermore, most organisations already have some form of log management capability in place (Figure 3). It is just that they are not benefiting from using it in real time. Again the current investment can be reviewed and more advanced capabilities recommended. LogRhythm, the sponsor of Quocirca’s recent report, is one such provider; others include IBM (via its Q1 Labs acquisition), McAfee (via its NitroSecurity acquisition) and HP (via its ArcSight acquisition).
Resellers need to make sure they have an understanding of next generation SIEM, the products and their capabilities. Many of their customers may already have the base technology in place, but not be using it to full effect to improve their protection against a range of increasingly sophisticated threats.
This article first appeared in the Computer Reseller News (CRN) UK print edition and on http://www.channelweb.co.uk
Quocirca’s report “Advanced cyber security intelligence” is free to ITD readers here: http://ecrm.logrhythm.com/WebQuocircaAdvancedCyberSecurity7-2012.html