LegalSEC® - Cybersecurity


Collaboration & Intelligence – The New-ish Frontiers

By Jamie Herman posted 09-24-2014 08:46


We’ve talked quite a bit about collaborating with other firms on information security issues, as that has been the ILTA model for all things technology and firm-related over the years. We’ve put additional emphasis on this for security, as many of us believe an early warning of a potential targeted attack, or of threats in general, can prevent a large-scale data leak at one or many firms. So what is actually being done, beyond our willing this to happen and working with our peers to share redacted information when possible? A lot! In both the security vendor space and across sectors, security professionals are making a true effort to bridge the gap of what I like to call DI, or Delayed Intelligence. It is the complete opposite of what intelligence in the security and defense sectors was meant to be: intelligence should serve as an early warning system, a heads-up of sorts. Though most of the intelligence many firms’ products receive is quite delayed, there has been progress in information sharing within the industry, as well as in how security professionals approach the acquisition and handling of indicators of compromise and intelligence of any type.

A positive step forward was the forming of the Cyber Threat Alliance, consisting of heavyweights such as Palo Alto, Fortinet, McAfee and Symantec (Palo Alto and Fortinet being the early co-founders). The overall goal of this initiative is to lead a coordinated effort to share threat intelligence and indicators of compromise (IOCs), in order to take down, or at least better understand, our cyber-adversaries through extensive collaboration. This type of cross-platform engagement is a great indicator that some of the security companies many of us entrust our perimeter and beyond to are taking this matter seriously and doing whatever it takes to deliver a better service and value proposition to their clients. Bravo to the security industry for this; we can only hope that the additional warning time gained through this alliance will be enough to spare one or many firms a substantial data breach in the future.

While we’re on the intelligence topic: that word is thrown around quite a bit, and with some intelligence feeds costing upwards of six figures per year for the service alone, products that integrate several of these feeds add a tremendous amount of value to their respective platforms. Almost every vendor that comes through the door talks about their intelligence feeds, or their industry-leading intelligence feeds, and how that makes them superior to their competitors, but if you peel back the layers of the security “threat feeds” onion you will find only a few major players underneath, and that’s it. The big area to focus on should be how you can leverage that intelligence within your environment, because the actionable items, rather than the noise, are what allow your organization to be more efficient and agile when reacting to threats or daily minor incidents.

With so much time spent on prevention, many have lost sight of the value of detection. Security professionals have been bombarded with thousands of lines of logs, vulnerabilities, and threat information, but how much progress has actually been made on mitigating the overall risk within an organization with all that data? A recently published report by researchers from the University of Maryland stated that, following a review of the National Vulnerability Database together with antivirus and intrusion prevention data from more than 6.3 million hosts, less than 35% of disclosed vulnerabilities were ever exploited for Windows XP through Windows 7, the current version of Adobe Reader, Microsoft Office, and Internet Explorer. When combining all of those products, the number drops to 15% overall. The group proposed new metrics that we should consider when gauging our risk, which are as follows:

· A count of vulnerabilities exploited in the wild, compiled from a variety of reliable sources including the National Vulnerability Database and vendor IPS and antivirus signature databases;

· An exploitation ratio, which is the proportion of disclosed vulnerabilities for a product within a certain time frame (for example, in the first couple of months after a version release) that are exploited; this captures the likelihood that a vulnerability will be exploited;

· Attack volume, which measures how frequently a product is attacked within a specific time frame;

· Exercised attack surface, which captures the area of attack surface targeted during a particular time frame, essentially revealing the number of vulnerabilities exploited on a host.

For a full copy of the report, you can download it from the following location: http://www.umiacs.umd.edu/~tdumitra/papers/RAID-2014.pdf
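To make the four metrics above concrete, here is an added example (not code from the post or from the University of Maryland authors) that computes each one over a small constructed dataset; the CVE ids, product names, hosts and dates are all placeholders, and the data model is an assumption rather than the paper’s own.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Constructed data model for this example; the paper's real inputs (NVD plus
# vendor IPS and antivirus signature data) are larger and shaped differently.
@dataclass
class Vuln:
    cve: str                   # placeholder id, not a real CVE
    product: str
    disclosed: date
    exploited: Optional[date]  # first exploit-in-the-wild sighting, None if never seen
@dataclass
class Attack:
    host: str
    cve: str
    seen: date                 # date an IPS/AV signature fired on this host
VULNS = [  # constructed sample
    Vuln("CVE-0000-0001", "reader", date(2013, 1, 10), date(2013, 2, 1)),
    Vuln("CVE-0000-0002", "reader", date(2013, 1, 20), None),
    Vuln("CVE-0000-0003", "reader", date(2013, 2, 15), date(2013, 6, 1)),
    Vuln("CVE-0000-0004", "reader", date(2013, 5, 1), None),
    Vuln("CVE-0000-0005", "office", date(2013, 3, 1), date(2013, 3, 20)),
]
ATTACKS = [  # constructed sample
    Attack("host-a", "CVE-0000-0001", date(2013, 2, 3)),
    Attack("host-a", "CVE-0000-0001", date(2013, 2, 4)),
    Attack("host-a", "CVE-0000-0005", date(2013, 3, 25)),
    Attack("host-b", "CVE-0000-0001", date(2013, 2, 10)),
    Attack("host-b", "CVE-0000-0003", date(2013, 6, 2)),
]

def exploited_count(vulns, start, end):
    """Metric 1: vulnerabilities first seen exploited in the wild within [start, end]."""
    return sum(1 for v in vulns if v.exploited and start <= v.exploited <= end)

def exploitation_ratio(vulns, product, release, window_days):
    """Metric 2: share of a product's vulns disclosed within window_days of a release that were ever exploited."""
    cutoff = release + timedelta(days=window_days)
    cohort = [v for v in vulns if v.product == product and release <= v.disclosed <= cutoff]
    return sum(1 for v in cohort if v.exploited) / len(cohort) if cohort else 0.0

def attack_volume(attacks, vulns, product, start, end):
    """Metric 3: attack events against a product's vulnerabilities within [start, end]."""
    cves = {v.cve for v in vulns if v.product == product}
    return sum(1 for a in attacks if a.cve in cves and start <= a.seen <= end)

def exercised_attack_surface(attacks, host, start, end):
    """Metric 4: distinct vulnerabilities exploited on one host within [start, end]."""
    return len({a.cve for a in attacks if a.host == host and start <= a.seen <= end})
```

Feeding real NVD entries and your own IPS/AV alert exports into the same four functions gives a per-product, per-host view of which disclosed vulnerabilities are actually being used against you, which is the risk picture the paper argues for over raw vulnerability counts.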

I’m not saying we need to make a sudden, drastic change in how we approach managing vulnerabilities, handling the intelligence we acquire through products or relationships with security vendors, or how we collaborate. I’m simply stating the obvious: while we all agree this security thing is a moving target, let’s remain nimble and open to different approaches to protecting our organizations and to how we view and interpret intelligence. Please be mindful of your peers and share whatever knowledge you can, as in the end it makes us all a little bit safer.



#ServerOperationsandSecurity #RiskManagement #InformationGovernanceorCompliance