An Integrated Approach to Threat Management

Effective Threat Management embodies the actions organizations must take to defend themselves against today’s ever-present cyber-threats. At a high level, these actions form an intrusion prevention and protection lifecycle where each stage provides critical information to the next. These actions must include fortifying the environment through proper threat research and scanning, monitoring the network infrastructure for signs of malicious activity, responding to any incidents that do occur and, finally, conducting incident analysis through data mining to discover areas that need additional fortification. Organizations must have a dedicated, 24X7 team focused on these activities. Only by developing an integrated Threat Management program will organizations truly be able to achieve enterprise-wide intrusion prevention and protection.

Intrusion Prevention

Threat research and scanning represent the proactive Threat Management actions necessary to prevent intrusions across the enterprise. Threat research is a system that allows organizations to gain intelligence on the emerging vulnerabilities and threats that will impact their IT infrastructure. Additionally, this system must have workflow management capabilities that enable security teams to track new threats through to their resolution.

Currently, threat research is conducted inefficiently. Security teams today rely on email alerts from BugTraq and other service providers. Sometimes these emails are just forwarded to administrators for them to patch the affected systems. Only after events like Slammer and MSBlast do security teams find out that the systems were never patched. Instead, organizations should build a database for these alerts and any of the additional vulnerability research they conduct. Severity, priority and responsibility must then be assigned to all new threats. From there, security teams can pull reports to make sure all threats are addressed in a timely fashion.
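
A minimal sketch of such an alert database, added here as an illustration and not taken from the author or any product: each threat gets a severity, priority and owner, and a report lists unresolved threats that are past their deadline. The table layout, the SLA_DAYS policy and the sample records are all assumptions constructed for the example.

```python
import sqlite3
from datetime import date, timedelta

# Assumed policy: days allowed to resolve a threat, by severity.
SLA_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}

def open_tracker():
    """Create the alert database (in memory for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE threats (
        id INTEGER PRIMARY KEY,
        source TEXT NOT NULL,      -- mailing list, vendor, internal research
        title TEXT NOT NULL,
        severity TEXT NOT NULL
            CHECK (severity IN ('critical','high','medium','low')),
        priority INTEGER NOT NULL, -- 1 = work on first
        owner TEXT,                -- responsible team; NULL = nobody assigned
        received TEXT NOT NULL,
        resolved TEXT)""")
    return db

def record_threat(db, source, title, severity, priority, owner, received):
    cur = db.execute(
        "INSERT INTO threats (source,title,severity,priority,owner,received)"
        " VALUES (?,?,?,?,?,?)",
        (source, title, severity, priority, owner, received.isoformat()))
    return cur.lastrowid

def resolve(db, threat_id, when):
    db.execute("UPDATE threats SET resolved=? WHERE id=?",
               (when.isoformat(), threat_id))

def overdue_report(db, today):
    """Unresolved threats past their severity deadline, highest priority first."""
    rows = db.execute(
        "SELECT id,title,severity,owner,received FROM threats"
        " WHERE resolved IS NULL ORDER BY priority, received").fetchall()
    report = []
    for tid, title, sev, owner, received in rows:
        due = date.fromisoformat(received) + timedelta(days=SLA_DAYS[sev])
        if today > due:
            report.append((tid, title, owner or "UNASSIGNED", (today - due).days))
    return report

def demo():
    """Constructed sample data: one resolved, one overdue, one still in time."""
    db = open_tracker()
    a = record_threat(db, "mailing-list", "Constructed: DB server overflow",
                      "critical", 1, "dba-team", date(2004, 1, 10))
    record_threat(db, "vendor", "Constructed: RPC service flaw",
                  "high", 2, None, date(2004, 1, 5))
    record_threat(db, "internal", "Constructed: weak default config",
                  "medium", 3, "net-team", date(2004, 1, 12))
    resolve(db, a, date(2004, 1, 11))
    return overdue_report(db, date(2004, 1, 20))
```

The report surfaces exactly the case the paragraph warns about: an alert that was received but never assigned to anyone and never closed.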

Vulnerability scanning is the second preventative action. Organizations must conduct regular scans of their environment to find any vulnerabilities that could be exploited. Threat research alone does not guarantee successful prevention, since new devices are typically added frequently to the IT infrastructure. If possible, organizations should also schedule scans on remote users’ computers, as these are increasingly becoming the starting points for successful attacks. Armed with scanning and an effective threat research program, security teams can prevent most external attacks.

Intrusion Protection

Unfortunately, fortifying the environment through threat research and scanning is not enough to guarantee the elimination of incidents. Organizations need to stay vigilant and continuously protect themselves against insider threats or the savvy hacker carrying out premeditated attacks. To accomplish this, security teams must conduct 24X7 security monitoring, immediate incident response and ongoing analysis of their enterprise-wide security activity.

Monitoring the network 24X7 will alert organizations to anything unusual that may signal malicious activity. Security monitoring should not be limited to just security devices. Instead, monitoring needs to be holistic, encompassing applications, databases and other critical, high-risk components of the IT infrastructure. All the security information generated by the environment must be aggregated and correlated in real time. This will provide security teams with the context of the attack in a timely fashion. Armed with this information, they will be able to respond more quickly and reduce their exposure to an attack.
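
An added example (not from the original article) of the aggregation and correlation step: events from security devices, applications and databases are grouped by attacker and target, and an incident is raised only when several independent sources report the same pair within a short window. The event format, the 300-second window, the two-source threshold and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

WINDOW = 300      # seconds; assumed correlation window
MIN_SOURCES = 2   # assumed: distinct reporting sources needed for an incident

# Constructed sample events: (epoch_seconds, reporting_source, src_ip, target, signal)
EVENTS = [
    (1000, "firewall", "203.0.113.7", "db01", "denied inbound udp"),
    (1040, "ids", "203.0.113.7", "db01", "overflow signature"),
    (1100, "database", "203.0.113.7", "db01", "service crash"),
    (1200, "firewall", "198.51.100.9", "web01", "denied inbound tcp"),
    (5000, "ids", "198.51.100.9", "web01", "port scan"),
]

def correlate(events, window=WINDOW, min_sources=MIN_SOURCES):
    """Aggregate events per (src_ip, target), then correlate across sources."""
    by_key = defaultdict(list)
    for ev in sorted(events):                 # aggregate in time order
        by_key[(ev[2], ev[3])].append(ev)
    incidents = []
    for (src, target), evs in by_key.items():
        start = 0
        while start < len(evs):
            # Extend the group while events stay within the window of the first.
            end = start
            while end + 1 < len(evs) and evs[end + 1][0] - evs[start][0] <= window:
                end += 1
            group = evs[start:end + 1]
            sources = sorted({e[1] for e in group})
            if len(sources) >= min_sources:   # corroborated by independent sources
                incidents.append({
                    "src": src,
                    "target": target,
                    "first_seen": group[0][0],
                    "last_seen": group[-1][0],
                    "sources": sources,
                    "signals": [e[4] for e in group],  # context for the responder
                })
            start = end + 1
    return incidents
```

The three db01 events become one incident carrying the firewall, IDS and database context together, while the two web01 events, more than an hour apart, stay below the threshold.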

When incidents do occur, it becomes necessary for organizations to respond in near real time to minimize the impact of the incident. To accomplish this, organizations need to have the proper combination of people, process and technology focused on the incident response efforts. Organizations must deploy technology that performs security event aggregation and correlation to facilitate rapid identification and response. Security teams must then have dedicated, properly trained staff assigned as Incident Handling experts who monitor this technology for signs of an attack. SANS’ Global Information Assurance Certification offers specialized tracks on Incident Handling that can provide the appropriate knowledge. Of course, these dedicated experts must augment this training with extensive experience. Possessing a wealth of experience will enable them to recognize the attack and respond quickly to the threat.

Organizations must also develop the appropriate Incident Handling process. This process can be set up in a flow chart style. At the top of the process is receipt of correlated incidents. The next stage is categorization where incidents are classified by type of attack and target. At the bottom of the chart a threat assessment and appropriate responses are assigned to the alert. The goal of this process is to have a repeatable, disciplined set of actions that will reduce exposure time and provide an audit trail to measure effectiveness.
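
The flow chart described above, written out as an added example that is not part of the original article: receipt of a correlated incident, categorization by attack type and target, then a threat assessment with an assigned response, with every stage written to an audit trail. The keyword rules, asset classes, weights and response texts are hypothetical values chosen for illustration.

```python
from datetime import datetime, timezone

# Hypothetical categorization rules and asset inventory.
ATTACK_RULES = [("overflow", "exploit-attempt"),
                ("login failure", "brute-force"),
                ("scan", "reconnaissance")]
ASSETS = {"db01": "critical", "web01": "high", "kiosk7": "low"}
ATTACK_WEIGHT = {"exploit-attempt": 3, "brute-force": 2,
                 "reconnaissance": 1, "unknown": 1}
ASSET_WEIGHT = {"critical": 3, "high": 2, "low": 1}
# (minimum score, threat level, assigned response), checked top down.
RESPONSES = [(6, "high", "page on-call handler; isolate target"),
             (3, "medium", "open ticket for same-day review"),
             (0, "low", "log and include in daily report")]

def categorize(incident):
    """Stage 2: classify by type of attack and by target."""
    text = " ".join(incident["signals"]).lower()
    attack = next((name for kw, name in ATTACK_RULES if kw in text), "unknown")
    # Assumption: targets missing from the inventory are treated as high.
    return attack, ASSETS.get(incident["target"], "high")

def assess(attack, asset_class):
    """Stage 3: threat assessment and the response assigned to it."""
    score = ATTACK_WEIGHT[attack] * ASSET_WEIGHT[asset_class]
    for floor, level, action in RESPONSES:
        if score >= floor:
            return level, action

def handle(incident, clock=lambda: datetime.now(timezone.utc)):
    """Run one correlated incident through the process, recording each stage."""
    trail = []
    def log(stage, detail):
        trail.append({"stage": stage, "time": clock().isoformat(),
                      "detail": detail})
    log("receipt", f"{incident['src']} -> {incident['target']}")
    attack, asset_class = categorize(incident)
    log("categorization", f"{attack} against {asset_class} asset")
    level, action = assess(attack, asset_class)
    log("assessment", f"{level}: {action}")
    return {"attack": attack, "asset_class": asset_class,
            "level": level, "action": action, "audit_trail": trail}
```

Because every stage is timestamped, the audit trail also yields the exposure time (receipt to assessment) that the process is meant to reduce.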

The final component of an integrated Threat Management program is the analysis. Organizations must conduct data mining to determine the effectiveness of the program, areas of weakness and the overall threat level facing the organization. Security teams should be able to achieve this by performing ad-hoc correlation and generating reports. Proper analysis can only be performed if the organization deploys the aggregation and correlation technology discussed above. This will provide them with a centralized database for all vulnerabilities, incidents and their associated actions. Analysis is one of the most important components of an integrated Threat Management program. Thorough analysis will provide the feedback necessary for improving this lifecycle over time.

An integrated Threat Management program will enable a true, enterprise-wide intrusion prevention and protection lifecycle. By implementing this program, an organization will fortify its environment, reduce its exposure to threats and attain the security intelligence it needs to continuously improve its security. The end result of the integrated Threat Management program is more efficient security management, greater return on security investments and the ability to demonstrate provable security to management and auditors.

Steven Drew is Chief Operating Officer of LURHQ. LURHQ Corporation is the trusted provider of Managed Security Services. Founded in 1996, LURHQ protects the critical information assets of more than 400 customers by offering integrated Threat Management services. LURHQ’s 24X7 Threat Management capabilities enable customers to enhance their security posture while reducing the costs of managing their security environments. LURHQ’s OPEN Service Delivery methodology facilitates a true partnership with customers by providing a real time enterprise security and service delivery vision via the Sherlock Enterprise Security Portal. For more information visit
