The lowly banana – it’s a great source of potassium. As a stand-alone food source, it’s rather boring. Mono-flavored (like a banana). It’s sometimes squishy or bruised or otherwise imperfect. And it’s often part of a dull breakfast routine (mine).
But pair banana slices with bran cereal or as the basis for a smoothie, and your taste buds come alive. Let’s call that an “integrated solution.” We’ve learned that lesson from ham and eggs; peanut butter and jelly; and my favorite, pancakes and yogurt. The resulting flavors transcend the individual components. The power of integration!
Integrated IT security solutions offer many of the same benefits.
Each is helpful alone, but once integrated, new insights emerge that are simply not available when each solution is ‘consumed’ by itself. I learned this lesson early in my career as a marketing research analyst in Chicago. We crossed data elements all the time to yield insights into consumer behavior.
For example, what percentage of 18 to 49-year-old men with 4-year college degrees living in the suburbs of a top 25 market ate fast food more than three times a week versus women in the same demographic? We even had a program for it: “CrossTabs.” We integrated age + education + market size + fast food consumption and came up with deeper insight into the behavior of that sought-after demographic. Cross-tabulations are a wonderful tool.
Unfortunately, gaining insight from integrated IT security solutions isn’t always as easy as scooping yogurt on top of hot pancakes. Even so, many vendors have done a LOT to open their solutions for integration. Here are a few examples … as food for thought (pun intended).
Highly Vulnerable Systems Experiencing Changes to Critical System Components
Congratulations! You have an outstanding vulnerability management process in place. You know which systems to fix first because you know which vulnerabilities give an attacker remote privileged access and which can be exploited with little skill or by automated tooling, and you’ve taken the age of each vulnerability into consideration, so those that have been around longer are escalated above the new ones.
OK, wouldn’t it be nice to sharpen your to-do list a bit more by knowing what changes are happening on those highly vulnerable systems and making them the #1 priority for remediation?
For example, let’s say you identify a Windows Server 2008 R2 system with high-priority vulnerabilities, and you see that changes were made earlier in the day and a new user was added to the Administrators group. That server just became your number one priority over other similarly vulnerable systems where no such change was made.
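The prioritization described above, written out as an added example (not code from the original post or from any vendor’s product). It assumes a constructed inventory, placeholder CVE identifiers, and a hypothetical scoring scheme: severity plus bonuses for remote privileged access, easy automation, and age, then doubled when a critical change landed on the host within the last 24 hours.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data and hypothetical helper names; this is an added
# illustration, not the scoring used by any particular vulnerability manager.


@dataclass
class Vulnerability:
    cve: str                  # placeholder identifiers below, not real CVEs
    cvss: float               # base score, 0.0-10.0
    remote_privileged: bool   # gives an attacker remote privileged access
    easily_automated: bool    # exploitation needs little skill / is scriptable
    first_seen: datetime      # when the scanner first reported it on this host


@dataclass
class ChangeEvent:
    host: str
    when: datetime
    description: str
    critical: bool            # touches a critical component (admin group, service binary, ...)


def vuln_score(v: Vulnerability, now: datetime) -> float:
    """Rank a single finding the way the text describes: severity, remote
    privileged access, ease of automation, and age (older is escalated)."""
    score = v.cvss
    if v.remote_privileged:
        score += 2.0
    if v.easily_automated:
        score += 2.0
    age_days = (now - v.first_seen).days
    score += min(age_days / 30.0, 3.0)   # +1 per month open, capped at +3
    return score


def host_priority(host, vulns, changes, now, window=timedelta(hours=24)):
    """Base priority is the worst finding on the host; a critical change
    inside the window doubles it (the 'new admin user' case from the text)."""
    base = max((vuln_score(v, now) for v in vulns), default=0.0)
    recent = [c for c in changes
              if c.host == host and c.critical
              and timedelta(0) <= now - c.when <= window]
    return (base * 2.0 if recent else base), recent


def rank_hosts(inventory, changes, now):
    """inventory: {host: [Vulnerability, ...]}.
    Returns [(host, priority, [change descriptions]), ...], highest priority first."""
    ranked = []
    for host, vulns in inventory.items():
        prio, recent = host_priority(host, vulns, changes, now)
        ranked.append((host, round(prio, 2), [c.description for c in recent]))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed scenario: srv-a and srv-b carry the same old, serious finding,
# but only srv-a saw a critical change today.
NOW = datetime(2015, 6, 1, 12, 0)
OLD_RCE = Vulnerability("CVE-0000-0001", 9.0, True, True, NOW - timedelta(days=60))
MINOR = Vulnerability("CVE-0000-0002", 5.0, False, False, NOW - timedelta(days=10))

INVENTORY = {
    "srv-a": [OLD_RCE],
    "srv-b": [OLD_RCE],
    "srv-c": [MINOR],
}
CHANGES = [
    ChangeEvent("srv-a", NOW - timedelta(hours=3),
                "user added to local Administrators group", True),
    ChangeEvent("srv-c", NOW - timedelta(hours=1), "log rotation", False),
]

if __name__ == "__main__":
    for host, prio, reasons in rank_hosts(INVENTORY, CHANGES, NOW):
        print(f"{host}: {prio} {reasons}")
```

The doubling factor and the 24-hour window are deliberately simple knobs; what matters is that the change feed and the scan results are joined on the host, so the same finding ranks differently depending on what just happened on the box.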
New Objects – Threat or Benign?
Because of the sheer volume of file changes that happen on systems, it’s difficult for users to effectively review and investigate every change that is detected by a file integrity monitoring (FIM) tool.
When a binary file, such as an .EXE or .DLL file on Windows, or an executable on a Linux system, is added to a system or changes, how do you know whether it’s the product of a bad actor or business as usual? How easy is it to quickly check the file against trusted sources?
By integrating the FIM tool with a threat intelligence service (FireEye, Lastline, Blue Coat, Cisco ThreatGrid, PAN WildFire, etc.), the file’s hash and digital signature are compared against a configurable set of trusted sources. If the file matches, that result is stored as a set of properties on the file version within the FIM tool (e.g. Tripwire Enterprise). If the file is looked up but not matched, that result is recorded as well.
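An added example of the lookup just described, not code from the original post or from Tripwire or any of the services named. It assumes constructed file contents and a constructed in-memory “trusted sources” table standing in for a real reputation service; the hypothetical `lookup` function records the outcome as properties on the file version whether or not the hash matched, and `triage` uses those properties to decide which change events deserve an analyst’s time.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Added illustration with constructed data and hypothetical names; a real FIM
# integration would query a threat-intel / reputation service over the network.


@dataclass
class FileVersion:
    path: str
    content: bytes
    signer: Optional[str] = None               # publisher from a verified code signature
    properties: dict = field(default_factory=dict)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "trusted sources": each maps a source name to known-good SHA-256s.
KNOWN_GOOD = b"MZ\x90\x00constructed-vendor-binary"
TRUSTED_SOURCES = {
    "vendor-catalog": {sha256_hex(KNOWN_GOOD)},
    "golden-image": set(),
}
TRUSTED_SIGNERS = {"Example Corp"}             # constructed publisher name


def lookup(fv: FileVersion, sources=TRUSTED_SOURCES, signers=TRUSTED_SIGNERS) -> dict:
    """Compare hash + signature against the configured sources and record the
    outcome on the file version. A miss is recorded too, so 'looked up but
    unknown' is distinguishable from 'never checked'."""
    digest = sha256_hex(fv.content)
    matched = sorted(name for name, hashes in sources.items() if digest in hashes)
    fv.properties.update({
        "sha256": digest,
        "lookup_status": "matched" if matched else "not matched",
        "matched_sources": matched,
        "signature_trusted": fv.signer in signers,
    })
    return fv.properties


def triage(fv: FileVersion) -> str:
    """Reduce the flood of change events to the ones worth investigating."""
    props = lookup(fv)
    if props["lookup_status"] == "matched":
        return "benign"              # hash known to a trusted source
    if props["signature_trusted"]:
        return "review-low"          # unknown hash, but signed by a trusted publisher
    return "investigate"             # unknown hash and no trusted signature


if __name__ == "__main__":
    samples = [
        FileVersion(r"C:\Windows\System32\vendor.dll", KNOWN_GOOD, "Example Corp"),
        FileVersion(r"C:\Windows\Temp\update.exe", b"MZ\x90\x00unknown-payload"),
        FileVersion(r"C:\Program Files\App\app.exe", b"MZ\x90\x00new-release", "Example Corp"),
    ]
    for fv in samples:
        print(fv.path, "->", triage(fv), "|", fv.properties["lookup_status"])
```

The properties dictionary is the piece a dashboard would read: a count of “not matched” plus untrusted-signature file versions per host, over time, is a much smaller and more meaningful number than the raw count of file changes.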
Think about the dashboards this type of integration makes possible. Would they be helpful to the SOC?
Are Assets with Vulnerabilities being Targeted by Attackers?
Your vulnerability management efforts may tell you there are vulnerable assets in the environment, and your logging tool may tell you there are attacks happening against your infrastructure.
Wouldn’t it then be helpful to prioritize your IT security workload if you could see the intersection of those two disciplines? That is, to receive alerts when correlation rules detect an event directed toward a vulnerable host with matching CVE?
This integration is yet another way of prioritizing response when scan results from the vulnerability management system are sent to the logging/SIEM solution. For example, the severity score of each vulnerability is translated into a Risk level in the logging solution, and asset values from the vulnerability management tool are translated into Priority levels in the logging product. Correlation rules can then combine Risk level + Priority level (for a host) + events occurring against that host and generate alerts ranked by their impact on IT security.
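The correlation just described, written out as an added example that is not code from the original post or from any SIEM or vulnerability management product. It assumes constructed scan results, a constructed asset-value table, and a constructed event feed in which each IDS signature is tagged with the CVE it targets; the Risk and Priority bands and the impact formula (Risk × Priority) are hypothetical choices made for the illustration.

```python
from dataclasses import dataclass

# Added illustration; the level mappings and data below are constructed.


def risk_level(cvss: float) -> int:
    """Translate the scanner's severity score into the SIEM's Risk level (1-4)."""
    if cvss >= 9.0:
        return 4
    if cvss >= 7.0:
        return 3
    if cvss >= 4.0:
        return 2
    return 1


def priority_level(asset_value: int) -> int:
    """Translate the VM tool's asset value (1-5 here) into the SIEM's Priority level (1-3)."""
    if asset_value >= 4:
        return 3
    if asset_value >= 2:
        return 2
    return 1


@dataclass
class Alert:
    host: str
    cve: str
    src: str
    risk: int
    priority: int
    impact: int       # Risk x Priority; what the SOC sorts on


def correlate(events, vulns, assets):
    """events: dicts with host / src / cve (the CVE tagged on the IDS signature);
    vulns:  {host: {cve: cvss}} from the last scan;
    assets: {host: asset_value} from the VM tool.
    Alert only when the event's CVE matches an open finding on the target host."""
    alerts = []
    for ev in events:
        cvss = vulns.get(ev["host"], {}).get(ev["cve"])
        if cvss is None:
            continue   # attack against a host not vulnerable to it: log it, don't page
        risk = risk_level(cvss)
        prio = priority_level(assets.get(ev["host"], 1))
        alerts.append(Alert(ev["host"], ev["cve"], ev["src"], risk, prio, risk * prio))
    return sorted(alerts, key=lambda a: a.impact, reverse=True)


# Constructed scan results, asset values and events (placeholder CVE ids,
# documentation-range source addresses).
SCAN = {
    "web-1": {"CVE-0000-0010": 9.8},
    "db-1": {"CVE-0000-0010": 9.8, "CVE-0000-0011": 5.0},
}
ASSETS = {"web-1": 2, "db-1": 5}
EVENTS = [
    {"host": "web-1", "src": "198.51.100.7", "cve": "CVE-0000-0010"},   # vulnerable: alert
    {"host": "db-1", "src": "198.51.100.9", "cve": "CVE-0000-0011"},    # vulnerable: alert
    {"host": "app-1", "src": "198.51.100.7", "cve": "CVE-0000-0010"},   # host has no findings
    {"host": "web-1", "src": "198.51.100.7", "cve": "CVE-0000-0012"},   # CVE not present on host
]

if __name__ == "__main__":
    for a in correlate(EVENTS, SCAN, ASSETS):
        print(f"impact={a.impact} host={a.host} cve={a.cve} src={a.src} "
              f"risk={a.risk} priority={a.priority}")
```

Two of the four events are dropped because the CVE on the signature does not match an open finding on the target; of the two that remain, the less valuable web server outranks the database because its finding is far more severe, which is exactly the trade-off the Risk × Priority product is meant to surface.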
Would that be helpful in your SOC?
Now the question becomes what technology do you currently own that needs a partner? Is your logging solution sending alerts on events of interest? Can you correlate these events with the changes on the same systems easily? Are you able to reconcile the changes occurring with your change management process?
These questions can help drive the next stage in your overall security posture while making your current infrastructure work better for you. We already know peanut butter and chocolate are a winning combination. What security “flavors” can you integrate?