
Threat intelligence is the new hype, but can threat intel actually defend you against future attacks?

19 January 2016

Can threat intel actually defend you against future attacks?

Tim Holman’s answer is simple, although not surprising:

‘Most of the time, yes. But by far the best way is to take a pro-active approach, presume attackers are already on the inside and tailor your defences from the inside out.’

For effective treatment of the inevitable he recommends investing in an ISMS:

‘No firm can ever defend against 100% of attacks, 100% of the time, but without a doubt you can create resilient systems and business processes that are 100% effective in restoring your firm to business-as-usual when the inevitable cyber attack happens.’

For the full report please see ‘Security Think Tank: Security intelligence demands getting the basics right’, published on ComputerWeekly.com.

Have a good day.

Lessons learned from Tom Clancy’s novel ‘Red Storm Rising’

14 December 2015

In the past weeks I listened to Tom Clancy’s novel ‘Red Storm Rising’ during my ride to the office. Red Storm Rising is about a Third World War in Europe around the mid-1980s. From an IT security point of view, one of the most impressive scenes is a missile attack against the carrier Nimitz.

Nimitz has a layered defense system which successfully destroys all missiles except two, which cause severe damage. However, because emergency procedures had been drilled continually, the crew's damage control succeeds: the carrier reaches dry dock under its own steam and is soon back in combat.

In the IT world we face similar problems when a cyber attacker manages to get across the first line of defense, i.e. the firewall which separates the company network from the internet. In the best case, if an Information Security Management System (ISMS) is in place, everyone reacts the right way and serious damage is prevented.

But reacting the right way requires some practice, and the lack of practice is the crux of the matter. Is all software available to rebuild a system from scratch? Have you ever performed a restore test to make sure your backup concept works and your business critical systems could be restored to the required point in time, and in the defined time frame?

Practicing security procedures is often avoided because of the risk to the systems and the costs. But without practicing you cannot ensure the effectiveness of your ISMS. It is all a question of finding the proper balance.

I dug somewhat deeper into military strategy in the past weeks. In the publication ‘The Strategic Game of ? And ?’ John Richard Boyd shows the direction to a strategic approach to defense in cyber war:

The Strategic Game is one of Interaction and Isolation. A game in which we must be able to diminish adversary’s ability to communicate or interact with his environment while sustaining or improving ours.

Seems to be a good motto for 2016.

That’s it for today, and for this year. I will take a Christmas break.

A merry Christmas to you all and the best wishes for health, happiness and prosperity in the New Year.

Christmas Trees

To be successful, a SIEM implementation should follow the ISO 27001 approach

20 July 2015

Last Wednesday I participated in a workshop on Production IT Security in Frankfurt. The presentations about Security Assessments, SIEM solutions, Next Generation Firewalls and Threat Intelligence were very interesting, but, as always, I got the most valuable information from the discussions with the other attendees during coffee break. It was really amazing to hear that the attendees, although they came from different companies, talked about the same mostly negative experiences in their SIEM projects.

During my ride back to Leverkusen I had time to think about this. Expectation management was a big issue in the discussions. The vendors' PowerPoints suggest a quick and easy installation and start-up, and that after a few days of training in Big Data methods the SIEM operator can set up dashboards which show the current security status of your company. Far from it!

The key capabilities of a SIEM solution are:

(1) Data aggregation and correlation: Collect event data from various sources, correlate them, and integrate them with other information sources to turn the data into useful information.

(2) Compliance: Gather compliance data to support security, governance and auditing processes.

(3) Retention and Forensic analysis: Long term storage of historical event data for correlation over time and forensic analysis in the case of a security incident.

(4) Dashboard: Turn aggregated and correlated data into informational charts to aid security staff in identifying abnormal usage patterns.

(5) Alerting: Automated analysis of correlated events and production of alerts, to notify recipients of immediate issues.

The implementation of each function requires a big effort in preparation and operation. Let me show this by means of two examples:

(4) Dashboard. In order to find abnormal usage patterns you have to define normal usage patterns first. This not only takes time; it is really hard to find relevant patterns in the ocean of events that systems create during normal operation. To ensure a fast start-up you need to clean up your systems before you start operation, e.g. remove the error events created by misconfigured services, so that they do not drown the patterns you are looking for.

(5) Alerting is probably the most interesting capability of a SIEM system. It allows you to act directly upon security incidents. To get the most out of alerting you have to set up an incident response process, ideally driven by the classification of the information assets, so that time and effort are not wasted on low-value alerts.

This requires that all assets are listed in an asset repository, classified, and assigned an asset owner before your SIEM solution goes into production.

In addition, your SIEM operations group must be sufficiently staffed, and the operators must be well-trained and empowered to take proper action on an incident, e.g. alerting your server operators or shutting down a server to prevent larger damage.

Sounds like the preparations required for the implementation of an Information Security Management System according to ISO 27001.

So my advice is: for a successful and quick SIEM implementation you should follow the major steps for the implementation of an ISMS.
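To make the alerting prerequisites concrete, here is an added example (not code from the original post): a minimal correlation rule over constructed syslog-style lines, followed by alert routing against a constructed asset repository. Host names, classifications, owner addresses and the log lines are all made up; the point is that an alert for a host missing from the repository cannot be prioritized and lands in a triage queue.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset repository (hypothetical hosts, classifications and owners).
# In a real ISMS this is maintained outside the SIEM, e.g. in a CMDB.
ASSET_REPOSITORY = {
    "erp-db-01": {"classification": "critical", "owner": "erp-ops@example.invalid"},
    "intranet-web-02": {"classification": "internal", "owner": "web-ops@example.invalid"},
}
# Constructed syslog-style sample lines (not real log data).
SAMPLE_LOG = """\
2015-07-20T08:00:01 erp-db-01 sshd: Failed password for admin from 10.0.0.5
2015-07-20T08:00:09 erp-db-01 sshd: Failed password for admin from 10.0.0.5
2015-07-20T08:00:15 erp-db-01 sshd: Failed password for admin from 10.0.0.5
2015-07-20T08:00:20 build-srv-09 sshd: Failed password for root from 10.0.0.7
2015-07-20T08:00:25 build-srv-09 sshd: Failed password for root from 10.0.0.7
2015-07-20T08:00:31 build-srv-09 sshd: Failed password for root from 10.0.0.7
2015-07-20T09:30:00 intranet-web-02 sshd: Failed password for bob from 10.0.0.9
"""
LINE_RE = re.compile(r"^(\S+) (\S+) sshd: Failed password for (\S+) from (\S+)$")

def correlate(log_text, threshold=3, window=timedelta(minutes=5)):
    """Group failed logins per (host, source) and emit one event per burst."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines are ignored by this rule
        ts, host, user, src = m.groups()
        buckets[(host, src)].append(datetime.fromisoformat(ts))
    events = []
    for (host, src), times in buckets.items():
        times.sort()
        if len(times) >= threshold and times[-1] - times[0] <= window:
            events.append({"host": host, "source": src, "count": len(times)})
    return events

def route_alert(event, repo=ASSET_REPOSITORY):
    """Attach priority and recipient from the asset repository."""
    asset = repo.get(event["host"])
    if asset is None:
        # Inventory gap: the SIEM cannot prioritize what the ISMS never classified.
        return {**event, "priority": "triage", "owner": None, "note": "asset not in repository"}
    priority = "high" if asset["classification"] == "critical" else "medium"
    return {**event, "priority": priority, "owner": asset["owner"], "note": ""}

def run(log_text=SAMPLE_LOG):
    return [route_alert(e) for e in correlate(log_text)]
```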

Bonne semaine!

Would the European NIS Directive have averted the TV5 Monde hack?

16 April 2015

‘Never one to miss a chance to push policy, Oettinger also suggested that the proposed Network and Information Security (NIS) Directive could have averted the hack in the first place.’ This excerpt from Jennifer Baker’s post ‘What would have stopped TV5Monde hack? Yup, MOAR LAWS’, published on 14 April 2015, shows once again the naivety of top European leaders.

Implementing information security risk management will not raise the security level by itself. It just manages the structural weaknesses of a security strategy. That is much more than most companies have in place today, but it is not enough to fight the current attacks and to stay secure in the future. This is best explained by an example.

One of the required controls for implementation of an Information Security Management System (ISMS) is a security standard or security baseline. The baseline lays down the security configuration of e.g. the servers in a company. It’s very important to define a security baseline because it allows you to find deviations of an individual server from the baseline. Each deviation is a vulnerability that could be exploited by an attacker and should be mitigated as soon as possible.

But a security baseline also lays down the structural weaknesses of a security configuration. If your baseline was derived from Windows 2008 R2 Server, and you apply it unchanged to Windows 2012 R2 Server, a Windows 2012 server will show the same structural weaknesses as a Windows 2008 server: the newer platform's security features are simply never checked.

Thus, the baseline has to be continually improved just to maintain the security level, because the threat level develops faster than vendors release new security features.
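As an added illustration of this point (example code, not from the original post), the following compares constructed server configurations against a constructed baseline. The setting names are hypothetical placeholders, not real Windows policy identifiers. Besides the usual deviation check, it reports settings the server exposes that the baseline never rules on, which is exactly where a stale baseline goes blind.

```python
# Constructed baseline for the older platform (hypothetical setting names).
BASELINE_2008R2 = {
    "password_min_length": 12,
    "legacy_smb_enabled": False,
    "remote_admin_from_any_network": False,
}

# Constructed server configurations. The newer server exposes two settings
# (also hypothetical) that the old baseline knows nothing about.
SERVER_CONFIGS = {
    "srv-2008-a": {"os": "2008R2", "password_min_length": 8,
                   "legacy_smb_enabled": False, "remote_admin_from_any_network": False},
    "srv-2012-b": {"os": "2012R2", "password_min_length": 12,
                   "legacy_smb_enabled": False, "remote_admin_from_any_network": False,
                   "script_execution_logging": False, "secure_boot_enforced": False},
}

def find_deviations(config, baseline):
    """Settings where the server differs from the baseline: each one is a finding."""
    return {k: (config.get(k), v) for k, v in baseline.items() if config.get(k) != v}

def find_coverage_gaps(config, baseline):
    """Settings the server exposes but the baseline never rules on.

    A server with zero deviations can still be weak here: the baseline simply
    inherits the blind spots of the platform it was written for.
    """
    return sorted(k for k in config if k != "os" and k not in baseline)

def assess(configs=SERVER_CONFIGS, baseline=BASELINE_2008R2):
    """Per-server report of deviations and uncovered settings."""
    return {
        name: {
            "deviations": find_deviations(cfg, baseline),
            "uncovered_settings": find_coverage_gaps(cfg, baseline),
        }
        for name, cfg in configs.items()
    }

# Continual improvement: the baseline is extended for the newer platform, and
# the 2012 server's weak defaults turn from invisible gaps into findings.
BASELINE_2012R2 = {**BASELINE_2008R2,
                   "script_execution_logging": True,
                   "secure_boot_enforced": True}
```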

Would the European NIS Directive have averted the TV5 Monde hack?

The answer is: Definitely Not!

Information Security is more than implementing policies and the obligation to inform the authorities in the case of a cyber-attack.

Take care! And check the complexity of your passwords!

For details about the NIS directive please see the NIS platform.