Integrated security: just joining the dots?

The heaviest and most persistent cyber attacks are aimed at the financial
services industry. 

After all, it looks after that most attractive commodity, our money.

I discovered recently that IBM detects an average of more than 111 million security events annually amongst financial services clients, notably higher than for other industries. Have a look at IBM 2013 Cyber Security Intelligence Index for Financial Services for more on this.

That equates to 2.14m events a week, where an ‘event’ is an observable occurrence in a system or network.

Unsurprisingly, the industry is also one of the largest consumers of security systems and services with all manner of security solutions and devices deployed across its technology estate.

So why are estimated cyber-related losses by financial services institutions so high?  See my December 2013 IBM Insights on Business - Banking blog Cyber Security – Migraine for the Banking Industry for a discussion on just how high.

There is a gathering tsunami of industry debate on this point.  Watch closely over the next few months.

I wonder how much of this debate will focus on the basics (a.k.a. looking at the rear view mirror) and how much on prevention through data-based prediction (a.k.a. looking through the windscreen with X-ray specs)?

The CESG’s (UK Government-sponsored) ‘10 Steps to Cyber Security’
a couple of years ago claimed that ‘basic information risk management
can stop up to 80% of the cyber attacks seen today, allowing companies
to concentrate on managing the impact of the other 20%’.  Its
recommendations fall into four broad categories: users, processes,
governance and technology.

 IBM advocates the holistic approach but, oh boy, takes it all several steps further and deeper, applying a ton of experiential insight and clever technology to deliver better security by pulling together and making sense of multiple sources of data or by performing predictive analytics on structured and unstructured data
sets.

How about an integrated security intelligence solution that helps organisations identify key vulnerabilities in real time, while reducing total cost of security operations?

This tool, called IBM QRadar Vulnerability Manager, aggregates vulnerability information into a single risk-based view where it can be prioritised very quickly.

Security teams can see the results from multiple network, endpoint, database or application scanners alongside the latest IBM X-Force Threat Intelligence alerts and incident reports from the National Vulnerability Database.

Handy, no?  Particularly as a dozen new vulnerabilities are discovered on average every day.

Or user profiling based on multiple data sources from NetFlow and logs, external files and unstructured data (eg from social media) which are sent to BigInsights, analysed then used for analytics, forensics and to update real-time rule sets.

You get the picture.

Smarter security, not higher walls. Seems like a good idea. Take a look.

CESG’s 10 Steps to Cyber Security

v.

IBM’s Cyber Security Recommendations

CESG

Home and mobile working / Controls on removable media 

Develop a mobile working policy; train staff in it. Apply the secure baseline
to all devices. Protect data in transit and at rest.  Produce a policy
to control all access to removable media. Limit media types and use.
Scan all media for malware before importing onto the corporate system.

IBM

Defend the workplace

Each work station, laptop or smart phone provides a potential opening for malicious attacks. The settings on each device must all be subject to
centralised management and enforcement. And the streams of data within an enterprise have to be classified and routed solely to authorised
users.

CESG

User education and awareness

Produce user security policies covering acceptable and secure use of the
organisation’s systems. Establish a staff training programme. Maintain
user awareness of the cyber risks.

Build a risk-aware culture

In using technology, everyone within a company has the potential to infect the enterprise, whether it’s from clicking a dubious attachment or
failing to install a security patch on a smart phone.  Building a
risk-aware culture involves setting out the risks and goals, and
spreading the word about them.  Communicate and educate to raise
awareness of potential cyber risks.

CESG

Incident management

Establish an incident and response and DR capability. Produce and test incident
management plans. Provide specialist training to the incident management
team. Report criminal incidents to law enforcement

IBM

Manage security incidents with greater intelligence

A company-wide effort to implement intelligent analytics and automated
response capabilities is essential. Creating an automated and unified
system will enable an enterprise to monitor its operations and respond
quickly. Build a skilled incident management and response team with
sufficient resources to conduct the forensics required. Develop a
unified incident handling policy and process.Leverage consistent tools
and security intelligence for incident management and investigative
forensics.

CESG

Information risk management regime

Establish an effective governance structure and determine your risk appetite.  Maintain the Board’s engagement with the cyber risk. Produce supporting policiesManagement.

IBM

Zero tolerance risk management system

Management needs to push zero tolerance of careless behaviour relentlessly from the very top down, while also implementing tools to track progress.  This embraces  governance and organisational design, risk management assessment, security metrics assessment and definition to shape policy development and conduct.

CESG

Manage user privileges

Establish account management processes and limit the number of privileged
accounts. Limit user privileges and monitor user activity. Control access to Activity and Audit Logs.

IBM

Track who's who

Companies that mismanage the identity lifecycle are operating in the dark and could be vulnerable to intrusions. You can address this risk by
implementing meticulous systems to identify people, manage their
permissions, and revoke those permissions as soon as they depart. This
involves developing an optimised identity and access management
strategy; implementing standard, policy-based control mechanisms and
more intelligent monitoring; centralising and automating separation of
duties management and adopting a desktop and web single-sign-on
solution.

CESG

Monitoring  / Malware protection 

Establish a monitoring strategy and produce supporting poliicies. Continuously
monitor all ICT systems and networks.  Analyse logs for unusual activity
that could indicate an attack.  Produce relevant policy and establish
anti-malware defences that are applicable and relevant to all business
areas. Scan for malware across the organisation.

IBM

Control Network access

Security intelligence and analytics tools can actively monitor and correlate data activity across multiple security technologies, offering you the visibility and insight into what’s going on in your environment—to help you spot and investigate the kind of suspicious activity that could indicate an attack is underway. They help reduce complexity by communicating with one common language across multi-vendor environments,while taking the strain off your IT department and potentially delivering both time and cost savings.Companies that channel registered data through monitored access points will have a far easier time spotting and isolating malware.

Security by design

One of the biggest vulnerabilities in information systems comes from
implementing services first, and then adding security on afterwards. The
only solution is to build in security from the beginning, and to carry
out regular tests to track compliance.

CESG

Secure configuration 

Apply security patches and ensure that the secure configuration of all ICT systems is maintained. Create a systems inventory and define a baseline build for all ICT devices.

IBM

Keep it clean

Managing updates on a hodgepodge of software can be next to impossible. In a secure system, administrators can keep track of every program that’s running, be confident that it’s current, and have a system in place to install updates and patches as they’re released.  With a hygienic, security-rich system, administrators can keep track of every program that is running, be confident that it is current and can have a comprehensive system in place to install updates and patches as they are released.  This involves registering all IT infrastructure components in a centralised inventory and aggressively retiring legacy components; integrating compliance data for end-to-end visibility; automating patch management, encouraging a culture of diligence to ensure the infrastructure will protect against current threats and identying opportunities to outsource routine monitoring.

Protect the company jewels

Each enterprise should carry out an inventory of its critical assets—whether it’s scientific or technical data, confidential documents or clients’ private information—and ensure it gets special treatment. Each priority item should be guarded, tracked, and encrypted as if the company’s survival hinged on it.

Patrol the neighbourhood

An enterprise’s culture of security must extend beyond company walls, and establish best practices among its contractors and suppliers. This is a similar process to the drive for quality control a generation ago.

Security in the cloud

If an enterprise is migrating certain IT services to a cloud environment,
it will be in close quarters with lots of others — possibly including
scam artists. So it’s important to have the tools and procedures to
isolate yourself from the others, and to monitor possible threats.

I’m struck by some of the distinctive claims and proposals in the IBM approach:

- Culture as a countervailing source of protection.

- Automated incident response leveraging security intelligence.

- Outsourcing monitoring as a managed service.

- Security metrics assessment and definition.

- Centralising and automating separation of duties.

- Building in security to information systems by design not as an afterthought.

- Integrating compliance data for end to end visibility.

- Influencing the security of the business ecosystem.

- Securing cloud-based services.

It’s chalk and cheese.

I’m also struck by how few in the security market place appear to
demonstrate a similar mix of experience, insight,  high-tech magic and –
above all else – joined- up thinking.

I then discovered that IBM’s security offerings sit at, or around the
head of, whichever ‘golden’ market assessment you care to choose;
Gartner, Forrester, IDC.

I noticed, also, that these marketing assessments cover the widest
range of domains: security intelligence, anti-fraud detection, people
practices, data, applications, infrastructure and services.

Now, this is all well and good, but what does it add up to, in practice, to a harried Chief Information Security Officer?

My thoughts:

First, doing more of what you have done before is no longer sufficient nor necessarily better.

Second, sharper, joined-up thinking reflected in clever tools and services which work together looks a lot better.

Third,that integrated security is more subtle and
complex than any of us might care to admit and unites the interests of
everyone, that is everyone, around the Board Room table; CFO, COO, CRO, CHRO and LoB Directors.

There has to be readiness to look dispassionately at the whole security performance of the enterprise to discern what needs to be created from scratch, what undone and reconceieved from the ground up, what automated and / or outsourced, integrated and rationalised, enhanced or simply maintained.

Then acting on it.

Note: This blog can also be found at ibm.com's Inisghts on Business - Banking site at http://insights-on-business.com/banking/integrated-security-just-joining-the-dots-2/