SecureWorks On the Radar Newsletter - June 2008
Staying in Control with Managed Security Services
Managed Security Services (MSS) for network and internet security have been around for more than a decade, with companies relying on providers (such as SecureWorks) to provide around-the-clock security services for their organization. However, many organizations are still reluctant to utilize MSS because they do not want to lose control over key elements in their IT security program.
This is a legitimate concern. After all, managing security devices and monitoring security activity is crucial to preventing, detecting and responding to threats. Delegating these tasks to a third-party can feel like handing someone the keys to your security program.
Fortunately, Managed Security Services can be delivered in a way that allows you to maintain – and even enhance – the control you have over your security efforts. Here are some of the qualities you should look for in Managed Security Services that keep you in control of your security program.
Co-Management
Co-management is an approach to managing security devices, like Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and firewalls, that lets you have as much control over the management of devices as you want. You own the devices and retain administrative rights while delegating management tasks, such as policy management, ongoing tuning, patching and performing daily backups, to an MSS provider. Co-management is preferred by SecureWorks clients who rely on our experts to provide full lifecycle management for their IDS, IPS or firewall devices but are reluctant to cede total control over their infrastructure. Co-management lets them retain access and control while still gaining the benefits of our 24x7 device management services.
Be sure to clarify exactly what “co-management” means to the MSS provider you’re talking to. It is not a standard term and definitions vary widely. For some vendors, “co-management” refers to their monitoring-only level of service, where their only responsibility is monitoring security events and does not include any actual device management tasks such as ongoing tuning, patching or updating configurations. For others, “co-management” describes a service level where only the vendor has access to device configurations and settings – the client is locked out. Don’t assume that a service being described as “co-management” really includes complete lifecycle management while still allowing you to retain full access to your devices. Be sure to find out exactly what “co-management” entails when a provider describes its services.
Responsiveness
How quickly and effectively an MSS provider responds to your requests is key to how much control you have over your security. If a vendor is highly responsive, they can seem like an extension of your security team – all you need to do is send them a request, they acknowledge it and address your needs as quickly as in-house staff would. An MSS provider also serves as a single point of contact for responsibilities that often span multiple individuals in most organizations, making the process more straightforward in many cases. And if an issue arises at 3 AM, a provider has certified experts available to address your needs.
It is important to understand what support MSS providers offer as well. Each vendor’s approach to support is different. SecureWorks takes a “full service” approach that includes unlimited and un-metered support from SANS GIAC certified security experts. Other vendors take different approaches. Some limit support to a set amount of minutes per month. Others charge additional fees for support outside of normal business hours.
Another factor to consider is the qualifications and experience of the MSS provider’s Security Operations Center Analysts. Responsiveness is not just responding to a request quickly – if there is an issue, the quality of response itself plays a major role in how well it is resolved. When SecureWorks’ analysts detect activity that is possibly malicious, they follow a mature assessment process that leverages all available information such as packet decodes, security activity from other devices, vulnerability scanning data and global threat intelligence from our Counter Threat Unit™. This not only weeds out non-threats, it also allows our analysts to provide expert recommendations and support to help our clients mitigate risk. Without full analysis and assessment of threats, a provider’s response is limited to “bell ringing” or simply alerting you to suspicious activity without providing useful recommendations. This results in a high rate of false alarms as well as wasted time and productivity.
Technical security certifications, such as those offered in the SANS GIAC Program or from major product vendors (Cisco, Checkpoint, Microsoft, etc.), help to validate an analyst’s expertise and technical skills. There are also other certifications, such as the CISSP (Certified Information Systems Security Professional), which are not as technically focused but still demonstrate strong knowledge of information security principles and best practices.
Transparency
Knowing what is taking place within a process is essential to having firm control over it. If you have visibility to see the process in action, you can contribute feedback and take steps to improve the process. The same holds true for Managed Security Services. Service transparency creates a “glass house” that provides a seamless view of your security posture and continuous accountability for your provider.
Most providers have an online client portal where you can view information about your services, but all portals are not equal when it comes to giving you visibility into what your provider is doing to protect your network and IT assets. Many feature only static reports which do little to verify how effective a provider’s services are. It is important for a portal to include real-time reporting of security activity across your network not only for the security benefits to your organization, but also to ensure that a provider is meeting their contractual obligations for responding to security incidents. For example, the SecureWorks Portal features a Real-Time Event Queue that provides clients with full visibility into our service as security events are collected, analyzed and addressed. This allows our clients to see our services in action and verify the quality of service we deliver.
Flexibility
The flexibility of a MSS provider’s services has a big impact on the level of control you have over your security program. The more flexible a provider, the more control you have over how their services integrate with your security program. A good illustration of this is a provider’s flexibility concerning device support. If support is flexible, you can pick and choose the technologies that are the best fit for your environment. If support is limited, you may lose control over which specific technologies you are able to deploy in your environment if you want the MSS provider to monitor them.
Flexibility is also important when it comes to how an MSS provider responds to attacks against your organization. More flexible providers can tailor their response so that it maps to your policies and procedures for Incident Handling and Response. For example, SecureWorks clients have full control over how our analysts escalate incidents and they can customize procedures “on the fly” within the SecureWorks Portal for any asset within their environment as their needs change over time. When our analysts identify a security incident, they follow these customized procedures based on the assets involved and the severity of the threat.
In summary, relying on Managed Security Services does not mean that you have to give up control over your security. The right Managed Security Services can even help you have greater control by improving your visibility into your organization’s security posture. If you are evaluating Managed Security Services for your organization, consider those that offer co-management and include a high degree of responsiveness, service transparency and flexibility. Services that possess these key elements will allow you to retain as much control over your security program as you need, while still receiving the security and compliance benefits of 24x7 Managed Security Services.
Vulnerability Assessments vs. Penetration Tests
By Erik Petersen, VP of Professional Services
Vulnerability assessments and penetration tests (“pen tests” for short) are integral components of a successful Information Security Program. Although the two terms are often used interchangeably, they are quite different in their purpose and benefits. This has led to confusion and wasted resources for many organizations that need a vulnerability assessment and have a penetration test done instead because they were under the assumption that the two were one and the same.
With this in mind, I'd like to explain the differences between vulnerability assessments and pen tests.
What is a Vulnerability Assessment?
Defined, a vulnerability assessment is the process of identifying and quantifying vulnerabilities in an environment. It is an in-depth evaluation of the environment’s security posture, indicating weaknesses as well as providing the appropriate mitigation procedures required to either eliminate those weaknesses or reduce them to an acceptable level of risk. To do this, most vulnerability assessments follow these general steps:
- Cataloging assets and resources in a system or application
- Assigning quantifiable value and importance to the resources
- Identifying the vulnerabilities or potential threats to each resource
- Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
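The four steps above, carried through on a small constructed inventory, as an added example (not SecureWorks' assessment method or tooling): assets are cataloged with a business value, the weaknesses found on each are attached with a CVSS-style severity, and remediation is ranked so the most serious vulnerabilities on the most valuable assets come first. The "value times severity" scoring, the acceptance threshold and every asset and finding name are assumptions made for the example.

```python
"""Risk-ranking the findings of a vulnerability assessment (added example).

Steps mirrored: (1) catalog assets, (2) assign each a value, (3) identify the
vulnerabilities on each, (4) decide which to mitigate first and which residual
risk can be accepted. All inventory data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Vulnerability:
    name: str        # constructed label; not a real CVE identifier
    severity: float  # 0.0 to 10.0, CVSS-style base score (assumed scale)
    fix: str         # mitigation the assessment would recommend


@dataclass
class Asset:
    name: str        # constructed hostname / system label
    value: int       # business importance, 1 (low) to 5 (critical)
    vulns: List[Vulnerability] = field(default_factory=list)


# Step 1 + 2: the catalog, with a value assigned to each resource.
# Step 3: the weaknesses identified on each resource.
INVENTORY: List[Asset] = [
    Asset("payments-db", 5, [
        Vulnerability("unpatched database service", 9.0, "apply vendor patch, restrict listener"),
        Vulnerability("weak password policy", 5.0, "enforce length/complexity and lockout"),
    ]),
    Asset("corporate-web", 3, [
        Vulnerability("reflected XSS in search", 6.5, "output-encode the search parameter"),
        Vulnerability("directory listing enabled", 4.0, "disable autoindex on the web server"),
    ]),
    # Same weakness as payments-db, but on a low-value host: it should rank lower.
    Asset("test-vm", 1, [
        Vulnerability("unpatched database service", 9.0, "apply vendor patch or decommission"),
    ]),
]


def risk_score(asset: Asset, vuln: Vulnerability) -> float:
    """Assumed scoring: asset value x severity, so the same flaw on a
    critical system outranks it on a throwaway host."""
    return asset.value * vuln.severity


def prioritize(assets: List[Asset]) -> List[Tuple[float, str, str, str]]:
    """Step 4, first half: every finding as (score, asset, vuln, fix), highest risk first."""
    ranked = [(risk_score(a, v), a.name, v.name, v.fix) for a in assets for v in a.vulns]
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


def remediation_plan(assets: List[Asset], threshold: float = 15.0):
    """Step 4, second half: split findings into those that must be fixed and
    those whose residual risk is low enough to accept (threshold is assumed)."""
    ranked = prioritize(assets)
    must_fix = [r for r in ranked if r[0] >= threshold]
    accepted = [r for r in ranked if r[0] < threshold]
    return must_fix, accepted


if __name__ == "__main__":
    must_fix, accepted = remediation_plan(INVENTORY)
    print("Fix first (highest risk first):")
    for score, asset, vuln, fix in must_fix:
        print(f"  {score:5.1f}  {asset:<14} {vuln:<28} -> {fix}")
    print("Accepted residual risk:")
    for score, asset, vuln, _ in accepted:
        print(f"  {score:5.1f}  {asset:<14} {vuln}")
```

Run it and the unpatched service on the payments database leads the list while the identical finding on the test VM falls into the accepted bucket; that ordering, not the raw count of findings, is what distinguishes an assessment from a scanner report.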
Vulnerability assessments are needed to comply with many major regulations including PCI, NERC CIP, GLBA/FFIEC, and HIPAA.
- PCI: The Payment Card Industry Data Security Standard v.1.1 places strong emphasis on detecting, assessing and mitigating vulnerabilities in your network and applications. Regular vulnerability assessments are an integral part of a successful vulnerability management program. Specifically, PCI Requirement 6 instructs merchants and service providers to develop and maintain secure systems and applications. This requires regular vulnerability assessments to identify security issues and address them appropriately.
- NERC CIP: Applying to many electric generators and utilities in the U.S., the NERC CIP Cyber Security Standards are intended to protect the nation’s critical infrastructure from a cyber attack. NERC CIP requires covered entities to perform annual vulnerability assessments (CIP-007-1). NERC CIP also requires organizations to identify and document Critical Cyber Assets using a risk-based assessment (CIP-002-1).
- GLBA/FFIEC (FDIC, NCUA, OCC, FRB, OTS): As part of the regulations set in motion by the Gramm-Leach-Bliley Act, the Federal Financial Institution Examination Council (FFIEC) requires financial institutions to implement an information security risk assessment program that regularly assesses threats and vulnerabilities. FFIEC guidelines are enforced by financial regulatory agencies including the FDIC, NCUA, OCC, FRB and OTS.
- HIPAA: HIPAA was created to help protect personally identifiable information (PII) as it moves through our healthcare system and it applies to all healthcare organizations, including providers, payers and clearinghouses. HIPAA requires organizations to conduct an assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.
What is a Penetration Test?
A pen test mimics the actions of an external and/or internal attacker that aims to breach the security of the organization. Using many tools and techniques, the penetration tester attempts to exploit critical systems and gain access to sensitive data. Depending on the scope, a pen test can expand beyond the network to include social engineering attacks or physical security tests.
There are two primary types of pen tests: "white box", which uses vulnerability assessment and other pre-disclosed information, and "black box", which is performed with very little knowledge of the target systems and it is left to the tester to perform their own reconnaissance. Typically, pen tests follow these steps:
- Determination of scope
- Targeted information gathering or reconnaissance
- Exploit attempts for access and escalation
- Sensitive data collection testing
- Clean up and final reporting
Of the major information security regulations, only the PCI Data Security Standard specifically requires organizations to perform penetration testing. Merchants and Service Providers under the scope of PCI must have an annual penetration test performed by either a qualified internal resource or a qualified third-party (Requirement 11.3). However, other regulations do recognize the importance of penetration testing as part of more comprehensive vulnerability and risk management efforts. From the FFIEC Information Security Booklet: “Because a penetration test seldom is a comprehensive test of the system’s security, it should be combined with other monitoring to validate the effectiveness of the security process.”
Which of the two will deliver the most value to your organization?
The answer to this question should be determined by your current security posture. Unless both leadership and technical personnel are very confident in their security posture and already have a vulnerability assessment process in place, most organizations will be much better served by having a third party conduct a vulnerability assessment. This is because of the fundamental difference in approach between a vulnerability assessment and a penetration test. A vulnerability assessment answers the question: "What are our weaknesses and how do we fix them?" A penetration test simply answers the question: "Can someone break in, and what can they attain?" A vulnerability assessment works to improve security posture and develop a more mature, integrated security program, whereas a pen test is only a snapshot of your security program's effectiveness. Because of its approach, a vulnerability assessment is going to yield much more value for most enterprises than a pen test.
Ultimately, most organizations should start with a vulnerability assessment, act on its results to the best of their abilities and then opt for a "white box" pen test if they are confident in their improved security posture. Once an organization has gone through these successfully, they should then consider having a "black box" penetration test performed by a different third-party vendor for due diligence. If you've completed these, chances are that your organization's security posture has improved dramatically. But as with all things security, it doesn't end there. As processes within an Information Security Program, both vulnerability assessments and pen tests need to be performed periodically to ensure continuous security posture improvement.
As a leading provider of security services, SecureWorks provides both Vulnerability Assessment and Penetration Testing services for organizations of all sizes across all industries. Additionally, SecureWorks is designated as a Qualified Security Assessor (QSA) by the Payment Card Industry (PCI) Security Standards Council and is qualified to perform annual PCI compliance audits as well as required penetration tests.
Threat Update: New bank extortion scam in Europe
Several banks in Europe are receiving an extortion letter via email claiming to be from a hacker who promises to destroy the credit card data of thousands of the banks’ clients if the bank will send 10,000 Euro to his account. Otherwise, he threatens to release the credit card data and inform news outlets of the security breach. Experts expect similar tactics to be used against U.S. banks in the near future.
