Tag Archives: Asset repository

Vastly improve your IT security in 2 easy steps?

1 April 2017

Keep your software patched and defend against social engineering, and you will win the battle against the bad guys. Let me be clear: From my point of view this is simply not enough. Nevertheless, Roger A. Grimes’ post “Vastly improve your IT security in 2 easy steps” published on March 21, 2017 at InfoWorld is really worth reading, in particular the section about patching.

The key to diminishing this risk is to identify the right software to patch and do it really, really well. The risk reducers I respect know the difference between the largest unpatched program in their environment and the unpatched program mostly likely to be exploited in their environment. A security expert knows there is usually a gulf between the two.

In particular in the production domain, where patching has always to be delayed to the next scheduled maintenance, this is a very important hint.

The big question is: How can we identify the right software on the right and important systems? Without an up-to-date asset directory with the relevant details about cyber security this is a very complex and expensive matter.

But even with an up-to-date asset directory this remains a complex task.

Rockwell/Allen Bradley Systems directly connected to the Internet

Rockwell/Allen Bradley Systems directly connected to the Internet in North America

For example, the likelihood of a cyber-attack on an Industrial Control System (ICS), which is directly connected to the internet, is many times higher than the likelihood of an attack on an ICS which is completely isolated in a security zone within the production network. The first ICS is definitely one of those systems Roger Grimes has in mind, the latter can be ignored.

But the likelihood of a cyber-attack is only half the story. For example, in functional safety the risk is the combination of the probability that a hazard will lead to an accident and the likely severity of the accident if it occurs. Thus, from this point of view, even the first ICS may be uncritical unless it is not used for controlling a critical infrastructure.

To identify the right and important systems is the hard task. It requires an up-to-date asset inventory and a smart risk management process. The plain patching process is just a piece of cake.

Have a good weekend.

Advertisements

To be successful a SIEM implementation should follow the ISO 27001 approach

20 July 2015

Last Wednesday I participated in a workshop on Production IT Security in Frankfurt. The presentations about Security Assessments, SIEM solutions, Next Generation Firewalls and Threat Intelligence were very interesting, but, as always, I got the most valuable information from the discussions with the other attendees during coffee break. It was really amazing to hear that the attendees, although they came from different companies, talked about the same mostly negative experiences in their SIEM projects.

During my ride back to Leverkusen I had time to think about this. Expectation management was a big issue in the discussions. The PowerPoints of the vendors suggest a quick and easy installation and start-up, and with some days training in Big Data methods the SIEM operator can set up dashboards which show the current security status of your company. Far from it!

The key capabilities of a SIEM solution are:

(1) Data aggregation and correlation:  Collect event data from various sources, correlate them, and integrate them with other information sources to turn the data into useful information.

(2) Compliance: Gather compliance data to support security, governance and auditing processes.

(3) Retention and Forensic analysis: Long term storage of historical event data for correlation over time and forensic analysis in the case of a security incident.

(4) Dashboard: Turn aggregated and correlated data into informational charts to aid security staff in identifying abnormal usage patterns.

(5) Alerting: Automated analysis of correlated events and production of alerts, to notify recipients of immediate issues.

The implementation of each function requires a big effort in preparation and operation. Let me show this by the means of two examples:

(4) Dashboard. In order to find abnormal usage patterns you have to define normal usage patterns first. This takes not only time. It is really hard to find relevant patterns from the ocean of events that systems create during normal operation. To ensure fast start-up it is required to cleanup your systems of e.g. event errors created by mis-configured services before you start operation.

(5) Alerting is probably the most interesting capability of a SIEM system. It allows you to act directly upon security incidents. To get the most of alerting you have to set up an incident response process, ideally depending on the classification of the information assets to prevent wasting of time and effort.

This requires that all assets are listed in an asset repository, classified and an asset owner is assigned, before your SIEM solution goes into production.

In addition it is required that your SIEM operations group is sufficiently staffed, the operators are well-trained, and enabled to take proper actions on an incident, e.g. alerting your server operators or shutting down a server to prevent larger damage.

Sounds like the preparations required for the implementation of an Information Security Management System due to ISO 27001.

With this my advice is: For a successful and quick SIEM implementation you should follow the major steps for implementation of an ISMS.

Bonne semaine!