The PCI Security Standards Council announced on Thursday the availability of guidelines designed to help organizations develop tokenization products.

Tokenization is the process in which sensitive information, such as payment card data, is replaced with a randomly generated unique token or symbol. Tokenization products, which can be software applications, hardware devices or service offerings, can help merchants reduce the risk of having their customers’ financial information stolen by malicious actors.

“Tokenization is one way organizations can limit the locations of cardholder data (CHD). A smaller subset of systems to protect should improve the focus and overall security of those systems, and better security will lead to simpler compliance efforts,” explained PCI SSC Chief Technology Officer Troy Leach.

There are several challenges to implementing tokenization, but reliable solutions already exist and representatives of the merchant community believe this could be an efficient approach to preventing payment card fraud and identity theft.

The Tokenization Product Security Guidelines released by the PCI Council have been developed in collaboration with a dedicated industry taskforce. The report focuses on the generation of tokens, using and storing tokens, and the implementation of solutions that address potential attack vectors against each component. The document also contains a classification of tokens and their use cases.

The recommendations in the guidelines are addressed to tokenization solution and product vendors, tokenization product evaluators, and organizations that want to develop, acquire or use tokenization products and solutions.

“Minimizing the storage of card data is a critical next step in improving the security of payments. And tokenization does just that,” said PCI SSC General Manager Stephen Orfei. “At the Council, we are excited about the recent advancements in this space. Helping merchants take advantage of tokenization, point-to-point encryption (P2PE) and EMV chip technologies as part of a layered security approach in current and emerging payment channels has been a big focus at this week’s PCI Acquirer Forum.”

The PCI Council has pointed out that the guidelines are supplemental and they don’t supercede or replace any of the requirements detailed in the PCI Data Security Standard (PCI DSS).

PCI DSS 3.0, which focuses on security instead of compliance, went into effect on January 1. Version 3.1 of the PCI DSS, expected to be released this month, targets the SSL (Secure Sockets Layer) protocol. Organizations must ensure that they or their service providers don’t use the old protocol.

Last week, the PCI Council published new guidance to help organizations conduct penetration testing, which is considered a critical component of the PCI DSS.

The Tokenization Product Security Guidelines are available for download in PDF format.

Tags:

• NEWS & INDUSTRY
• Compliance

HyTrust, a provider of policy management and access control solutions for virtual and cloud environments, today announced that it has secured $ 33 million in new funding, including $ 8 million in venture debt and credit facilities.

According to the company, the new cash will be used to boost marketing, sales and product development initiatives, as well as expansion into international markets.  

HyTrust’s solutions enable the adoption of next-generation architectures through policy-based controls, visibility and data security, which helps enterprises more easily meet compliance mandates, improve application uptime, and securely take advantage of cloud-based capabilities.

The new investment is being led by AITV (Accelerate-IT Ventures). New investor Vanedge Capital also participated in the funding, while existing venture investors—Epic Ventures, Granite Ventures and Trident Capital—and strategic investors Cisco, Fortinet, Intel Corp. and VMware, also participated.

In addition to being backed by several venture firms and enterprise technology companies, HyTrust entered into a strategic investment and technology development agreement with In-Q-Tel (IQT), the not-for-profit venture capital arm of the CIA, back in July 2013.

Along with the $ 25 million equity investment from the syndicate, HyTrust expanded its relationship with banking partner City National Bank to fund up to $ 8 million in venture debt and credit facilities.  

“HyTrust is perfectly positioned to meet the needs of a market in which so many organizations are building on cloud-based technologies to increase agility for their business,” said Brian Nugent, founding principal and general partner at AITV.  

Brian Nugent will join HyTrust’s board of directors, while AITV co-founder and general partner, Bill Malloy III, and Moe Kermani, a partner with Vanedge Capital, will join as board observers, the company said.  

“Our goal at HyTrust is to make security automated and policy-based to address the needs of private and hybrid cloud data centers, as well as provide complete visibility into what is happening in cloud environments,” said John De Santis, Chairman and CEO of HyTrust.

Tags:

We’ve likely all heard the phrase “complexity is the enemy of security” many times. It’s an oft-used sound bite, but what can we learn from this concept to improve our respective security postures? Although there are many angles one could approach this concept from, I’d like to examine it from a security operations and incident response perspective.

Simplicity in Collection and Analysis

Most enterprises instrument their network to collect many different, highly specialized forms of data. For example, an organization may collect netflow data, firewall logs, DNS logs, and a variety of other specialized forms of data. This creates a stream of various different data types and formats that complicates and clouds the operational workflow. Unfortunately, the first question when performing analysis or incident response is often “Where do I go to get the data I need?” rather than “What questions do I need to ask of the data?”

In addition to the variety and complexity of these specialized forms of data, the volume of data they create often overwhelms enterprises. These huge quantities of data result in shorter retention periods and longer query times. This perfect storm of circumstances creates a very real operational challenge.

Fortunately, organizations can address this challenge by seeking out fewer, more generalized collection technologies that provides the required level of visibility with greatly reduced complexity and volume. Continuing with the above example, in lieu of many different highly specialized network data sources, an organization could consider one layer 7 enriched meta-data source.

Simplicity in Detection

Wikipedia defines an Indicator of Compromise (IOC) as “an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion.” Associated contextual information is also usually included along with the artifact and helps an organization to properly leverage the IOC. Context most often includes, among other things, information regarding to which attack stage an indicator is relevant. Attack stages can be broken up into three main families, each of which contains one or more attack stages:

• Pre-infection: reconnaissance, exploit, re-direct

• Infection: payload delivery

• Post-infection: command and control, update, drop, staging, exfiltration

It is well known that many organizations struggle with excessive amounts of false positives and low signal-to-noise ratios in their alert queues. There are several different angles from which an organization can approach this problem, and in fact, I have previously written about some of them. Another such approach, which can be used in combination with the others, is to go for the “money shot”.

At some point, when an organization wants to watch for and alert on a given attack, intrusion, or activity of concern, that organization will need to select one or more IOCs for this purpose. Going for the “money shot” involves selecting the highest fidelity, most reliable, least false-positive prone IOC or IOCs for a given attack, intrusion, or activity of concern. For example, if we look at a typical web-based re-direct attack, it may involve the following stages:

• Compromise of a legitimate third party site to re-direct to a malicious exploit site

• Exploitation of the system from the malicious exploit site

• Delivery of the malicious code

• Command and control, along with other post-infection activity

Although it is possible to use IOCs from all four of the above attack stages, using IOCs from the first three stages presents some challenges:

• Compromised legitimate third party sites likely number in the millions, meaning we would need millions of IOCs to identify just this one attack at this stage. Further, there is no guarantee that the attempted re-direct would succeed (e.g., if it were blocked by the proxy). An unsuccessful re-direct means that there was no attempt to exploit. In other words, for our purposes, a false positive.

• Exploits don’t always succeed, and as such, alerting on attempted exploits can often generate thousands upon thousands of false positives.

• If we see a malicious payload being delivered, that is certainly of concern. But what if the malicious payload does not successfully transfer, install, execute, and/or persist? We have little insight into whether a system is infected, unless of course, we see command and control or other post-infection activity.

Command and control (C2) and other post-infection activity, on the other hand, is always post-infection. That means that if we can distill a high fidelity, reliable IOC for this attack stage, we can identify malicious code infections immediately after they happen with a very low false positive rate. Obviously, preventing an attack is always preferable, but as we all know, this is not always possible. The next best option is timely and reliable detection.

Simplicity in O&M

When people began moving from the cities to the suburbs in the post-war United States in the 1950s, new infrastructure was built to serve the shifting population. The infrastructure served its population well for 50 years or so, until the 2000s, when the physical lifetime of water mains, electric power lines, and other infrastructure was reached. What people quickly realized is that although money and resources had been allocated to build and deploy infrastructure, money and resources had not been allocated to operate and maintain the infrastructure for the long term. In other words, O&M would be required to repair or replace the aging infrastructure, but the resources for that O&M would have to be found elsewhere.

Similarly, in the information security realm, as new business needs arise, new security technologies are often deployed to address them. Enterprises often forget to include O&M when calculating total cost. Another way to think of this is that each new security technology requires people to properly deploy, operate, and maintain it. If head count were increased each time a new security technology was deployed, the model would work quite well. However, as those of us in the security world know, head count seldom grows in parallel with new business needs. This presents a big challenge to the enterprise.

O&M cost (including the human resources required to properly deploy, maintain, and operate technology) is an important cost to keep in mind during the technology lifecycle. O&M cost is a large part of the overall cost of technology, but it is one that is often overlooked or underestimated. In an effort to lower total overall O&M costs, and building on the collection and analysis discussion above, it pays to take a moment to think about the purpose of each technology. Is this specific technology a highly specialized technology for a highly specialized purpose? Could I potentially retain the functionality and visibility provided by several specialized technologies through the use of a single, more generalized technology?

If the answer to these two questions is yes, it pays to think about consolidating security technologies through an exercise I like to call “shrinking the rack”. Shrinking the rack can be a great option, provided it doesn’t negatively affect security operations. Fewer specialized security technologies mean fewer resources to properly deploy, maintain, and operate them. That, in turn, means lower overall O&M costs. Lower O&M costs are always a powerful, motivating factor to consider.

The concept of simplicity is one that we can apply directly to security operations and incident response. This piece touches on just some of the variety of lessons we can learn from this topic. Although the phrase “complexity is the enemy of security” is a popular sound bite, if we dig a level deeper, we see that there is a great deal we can learn from the concept.

Tags:

• INDUSTRY INSIGHTS
• Network Security
• Security Infrastructure

Tokyo – A cyber security competition began Saturday in Tokyo, with organizers aiming to show off the skills of young Japanese hackers by testing them against international rivals.

The final rounds of the Security Contest 2014, or SECCON, brought together 90 participants in 24 teams from seven nations and regions: China, Japan, Poland, Russia, South Korea, Taiwan, and the United States.

The winners of the Tokyo competition will advance to the prestigious Def Con CTF (Capture the Flag) competition, slated for later this year, organisers said. SECCON was designed to allow young Japanese technology engineers to show off their skills on the world stage, while also encouraging more to get into the field of cyber security.

Teams compete for points by hacking six virtual servers to discover particular keywords, and can also intervene to stop their rivals’ cyberattacks.

“There is a need for a forum where fledgling, young… hackers can grow and gain understanding of their families, schools and the outside world,” said Yoshinori Takesako, the head of the SECCON organising committee.

“This is important in order to keep them away from being pulled into the underground world,” he said in a statement to AFP.

The Japan-based event has drawn a total of 4,186 participants from 58 countries through various qualifying rounds.

Takesako said the organizers, supported by government agencies, tech firms, and scholars, also want to change the media image that Japan lags other nations in the cyber security field.

Tags:

• NEWS & INDUSTRY
• Training & Certification

Oracle has pushed out a massive number of patches in a security update, including critical fixes for Java SE and the Oracle Sun Systems Products Suite.

Overall, the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password. 

The most serious of the bugs however impact Java SE, Fujitsu M10-1, M10-4 and M10-4S. In the case of Java SE, a CVSS Base Score of 10.0 was reported for four distinct client-only vulnerabilities (CVE-2014-6601; CVE-2015-0412; CVE-2014-6549; and CVE-2015-0408).

“Out of these [Java] 19 vulnerabilities, 15 affect client-only installations, 2 affect client and server installations, and 2 affect JSSE installations,” blogged Oracle Software Security Assurance Director Eric Maurice. “This relatively low historical number for Oracle Java SE fixes reflect the results of Oracle’s strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organization.”

In the case of the Oracle Sun Systems Products Suite, CVE-2013-4784 has a CVSS rating of 10.0 and affects XCP Firmware versions prior to XCP 2232. Overall, there are 29 security fixes for the suite.

The update also includes eight new security fixes for Oracle Database Server, none of which are remotely exploitable without authentication. Oracle MySQL has nine security fixes. There are also: 10 fixes for Oracle Enterprise Manager Grid Control; 10 for Oracle E-Business Suite; six for the Oracle Supply Chain Products Suite; seven security fixes for Oracle PeopleSoft products; 17 for Oracle Siebel CRM; one for Oracle JD Edwards Products; two for Oracle iLearning; two for Oracle Communications Applications; one for Oracle Retail Applications; one for Oracle Health Sciences Applications and 11 new security fixes for Oracle Virtualization. 

“The challenge with the Oracle CPU is, quarter after quarter, there is so much in these advisories,” said Ross Barrett, senior manager of security engineering at Rapid7. “There are so many different, unrelated platforms, that administrators risk missing something that might apply specifically to a very niche version of hardware that might be in their environment.”

Tags:

• NEWS & INDUSTRY
• Vulnerabilities

The PCI Security Standards Council (PCI SSC) published guidance today on the secure development and maintenance of software designed to run on point-of-interaction (POI) devices.  

POI devices are hardware or software components in point-of-sale equipment that allow a consumer to use a credit card to make a purchase, such as a PIN pad. According to the PCI SSC, the document is intended to address software that exists on POI devices, including payment and non-payment applications, and reinforce the importance of a layered approach to security.

“The goal of this document is to ensure that all organizations responsible for software development (and device management) understand the potential threats, and employ appropriate processes throughout the development life cycle to counter those threats,” according to the document. “The processes followed will depend on the organization, the type of application being developed, and the software languages used, but the principles remain the same.”

The document is meant to help organizations – including POI device vendors – that write or implement applications within a POI device understand the threats and counter them throughout the development lifecycle, according to the PCI SSC. It also comes at a time when cybercriminals have increasingly been paying attention to point-of-sale devices and targeting both retailers as well as vendors of point-of-sale devices (PoS). 

“Criminals are looking at every aspect of a payment transaction to find ways for data exfiltration,” said PCI SSC Chief Technology Officer Troy Leach, in a statement. “While consumers and merchants alike benefit from additional features, complexity and increasing dependency on third-party applications can create new opportunities for exploit which is why due diligence is so vital in the development of software that terminals rely upon. This paper highlights important best practices for software coding in this unique environment.”

According to the PCI SSC, organizations can use this guidance to help ensure standard secure coding practices are followed, including:

Security awareness training that supports secure software development:

• Those involved in the development process (including software developers and peer reviewers), have important roles to play in developing software to ensure secure coding practices are implemented and address current threats. Those roles need to be defined before development begins and those individuals need to be trained and understand the secure software development program.

Secure software development lifecycle:

• Organizations need to have a software security roadmap defined before development begins that will address known threats. The software needs to be mapped and documented, and rules and processes defined so that security is implemented as part of the development process and not incorporated as an afterthought.

Device-level testing:

• It is imperative to understand how the application will work when used with the hardware, firmware, and other applications that it is intended for use with. While simulators and unit testing are essential, testing the device with the complete solution should be a priority.

Internal process reviews:

• The threat environment is constantly evolving which is why organizations need to stay current on the latest threats and changes to ensure the procedures in place are still sufficient and are actually being followed.

Michael Belton, team lead of assessment services at Rapid7, said that for an average retailer, performing hardware and software security testing on a product they purchased is cost-prohibitive.

“Security awareness training for developers, along with secure software development lifecycle practices, help ensure consistency across developers working on an application,” he said. “This consistency in security design and expectations means applications are released with fewer bugs that can be exploited. Penetration testers encounter issues related to security lifecycle practices every time they perform an assessment. These two items are perhaps the most critical challenges towards creating software that operates in a secure and predictable manner.”

The document can be read here.

Tags:

• NEWS & INDUSTRY
• Compliance

PHP released last week versions 5.6.2, 5.5.18 and 5.4.34 of the scripting language. In addition to some functionality bugs, the latest releases address a series of security-related flaws.

According to the PHP development team, a total of four vulnerabilities have been fixed in PHP 5.6 and PHP 5.5, and six flaws in PHP 5.4.

One of the security bugs, CVE-2014-3669, is a high-severity integer overflow vulnerability in PHP’s “unserialize()” function. When the function is used on untrusted data, the flaw could lead to a crash or information disclosure. It’s unclear at this point if arbitrary code execution is also possible, says an advisory for this bug published on the Red Hat Bugzilla website. The issue only affects 32-bit systems.

Another vulnerability fixed by PHP has been assigned the CVE identifier CVE-2014-3668. The medium-severity security hole, which is caused by an out-of-bounds read flaw in the “mkgmtime()” function, could lead to a crash of the PHP interpreter.

CVE-2014-3669 and CVE-2014-3668 were reported to PHP in September by a researcher from Geneva, Switzerland-based IT security firm High-Tech Bridge.

Otto Ebeling, a software engineer at Facebook, reported a bug that causes heap corruption when parsing the thumbnail of a specially crafted .jpg image. This heap corruption affecting the “exif_thumbnail()” function has been assigned CVE-2014-3670.

“PHP provides APIs such as exif_thumbnail that can be used to extract embedded thumbnails from various image formats. In the process of extracting a TIFF-formatted EXIF thumbnail from a JPEG image, PHP re-encodes most IFD tags present in the thumbnail directory and prepends them to the thumbnail image in order to produce a standalone TIFF file,” Ebeling wrote in his report. “Individual values are re-encoded using the exif_ifd_make_value function. If this function is asked to write out an array of floating point values (single or double precision), it erroneously uses the size of the whole array when copying individual elements using memmove, leading to heap corruption.”

“To exploit a target application that uses this API (or exif_read_data with suitable parameters), a malicious user can trigger this condition by supplying a tag that contains an array of floating-point values, and futher tags that indicate the presence of a TIFF thumbnail. The image itself need not be valid as long as the exif_ifd_make_value gets invoked,” the expert explained.

According to Ebeling, the affected code is also included in the open-source virtual machine HHVM.

PHP 5.4, 5.5 and 5.6 users are advised to update their installations as soon as possible.  Additional information on the fixes is available in the changelogs.

Tags:

• NEWS & INDUSTRY
• Application Security
• Vulnerabilities

Microsoft and Oracle customers will have their hands full applying a spate of security updates that were issued today.

Microsoft released eight security bulletins as part of Patch Tuesday, including critical updates for Internet Explorer, Windows and the .NET Framework. The bulletins address a total of 24 vulnerabilities, including a handful that is known to have already come under attack.

But the Microsoft release is dwarfed in size by the more than 150 security fixes issued today by Oracle. Within those patches are 31 fixes for the Oracle Database, several of which have a CVSS Base Score of 9.0.

“This CVSS 9.0 Base Score reflects instances where the user running the database has administrative privileges (as is typical with pre-12 Database versions on Windows),” explained Oracle Software Security Assurance Director Eric Maurice in a blog post. “When the database user has limited (or non-root) privilege, then the CVSS Base Score is 6.5 to denote that a successful compromise would be limited to the database and not extend to the underlying Operating System. Regardless of this decrease in the CVSS Base Score for these vulnerabilities for most recent versions of the database on Windows and all versions on Unix and Linux, Oracle recommends that these patches be applied as soon as possible because a wide compromise of the database is possible.”

The Oracle update also provides fixes for 25 new Java SE vulnerabilities, the most severe of which has a CVSS Base Score of 10.0. Out of the 25, 20 affect client-only deployments of Java SE, and two of these are browser specific. Four vulnerabilities meanwhile affect client and server deployments of Java SE, while on affects client and server deployments of JSSE, Maurice noted.

The remaining vulnerabilities impact: Oracle Fusion Middleware; Oracle Enterprise Manager Grid Control; Oracle E-Business Suite; Oracle Supply Chain Product Suite; Oracle PeopleSoft Enterprise; Oracle JDEdwards EnterpriseOne; Oracle Communications Industry Suite; Oracle Retail Industry Suite; Oracle Health Sciences Industry Suite; Oracle Primavera; Oracle and Sun Systems Product Suite; Oracle Linux and Virtualization and Oracle MySQL.

In the case of Microsoft, customers will have their hands full with issues of their own. Three of the bulletins released today by Microsoft are rated ‘critical’ – MS14-056, MS14-057 and MS14-058.

MS14-056 is the biggest of the updates, and addresses 14 privately-reported issues in Internet Explorer. The most severe of these could allow remote code execution of a user views a specially-crafted webpage using Internet Explorer.

“This is another Patch Tuesday that easily fuels future drive-by web attacks for the months ahead,” said Marc Maiffret, CTO of BeyondTrust. “Beyond just code execution there also exists the ability to bypass ASLR (Address Space Layout Randomization) which is a helpful OS security migration for exploitation. This ASLR bypass can be used in conjunction with other vulnerabilities for more successful exploitation where it had might not been possible in the past. It should be noted that Microsoft’s EMET technology will help mitigate some of these attacks and even more importantly these client application vulnerabilities are a great reminder of the need for Least Privilege in making sure users are not running as Administrator.”

MS14-56, he said, should be prioritized first, with the remaining critical updates coming next. MS14-058 contains fixes for two issues in Windows that are already known to be under attack.

“The more severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or to visit an untrusted website that contains embedded TrueType fonts,” according to Microsoft. “In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an email message or Instant Messenger message.”

The final critical bulletin is MS14-057, which addresses vulnerabilities in the .NET Framework. According to Microsoft, the most severe of these could allow remote code execution if an attacker sends a specially-crafted URI request containing international characters to a .NET web application. In .NET 4.0 applications, the vulnerable functionality (iriParsing) is disabled by default; for the vulnerability to be exploitable an application has to explicitly enable this functionality. In .NET 4.5 applications, iriParsing is enabled by default and cannot be disabled.

The remaining bulletins are rated ‘Important’ and cover issues in Microsoft Windows, Developer Tools and Microsoft Office.

Adobe Systems also released patches today to address issues in Adobe Flash Player.

“Adobe is releasing an update to their Flash player with advisory APSB14-22, which addresses three RCE [remote code execution] type vulnerabilities,” blogged Qualys CTO Wolfgang Kandek. “Installations that run the newer Internet Explorer 10 and 11 get this update automatically. Users of older browsers or on other operating systems should apply this critical update manually.”

Tags:

• NEWS & INDUSTRY
• Vulnerabilities

Threat protection firm FireEye has announced new offerings designed to provide customers with on-demand access to its cyber defense technology, intelligence, and analysts expertise on a subscription basis.

Designed to help enterprises scale their defense strategies, the new offerings provide customers with a single point of contact to meet their needs before, during or after a security incident.

The new FireEye as a Service offering is an on-demand security management offering that allows organizations to leverage FireEye’s technology, intelligence and expertise to discover and thwart cyber attacks.

The second new offering, FireEye Advanced Threat Intelligence, provides access to threat data and analytical tools that help identify attacks and provide context about the tactics and motives of specific threat actors, FireEye said.

Combined, the solutions are designed to equip enterprise security teams so they can implement an Adaptive Defense security model, an approach for defending against advanced threat actors that scales up or down based on the unique needs of each security organization.

“The new FireEye Advanced Threat Intelligence offering adds two new capabilities to complement FireEye’s existing Dynamic Threat Intelligence subscription,” the company explained in its announcement. “First, when the FireEye Threat Prevention Platform identifies an attack, users will now be able to view intelligence about the attackers and the malware. Security teams will be able to see who the associated threat actor is, what their likely motives are, and get information about the malware and other indicators they can use to search for the attackers.”

Additionally, a new threat intelligence research service allows customers to subscribe to ongoing research including dossiers, trends, news and analysis on advanced threat groups as well as profiles of targeted industries, including information about the types of data that threat groups target.

Other highlights of FireEye as a Service include:

• Detection of Adversaries and their Actions – FireEye analysts staff an around the clock global network of security operations centers to hunt for attackers in an environment using FireEye technology and advanced analytics that identifies outliers and correlates them with behaviors of known attackers. By finding high-risk threats at the earliest stages of an attack, FireEye minimizes the risk of a breach.

• Ability to Pivot to Incident Response – With FireEye as a Service, organizations can quickly engage a Mandiant incident response team when needed.

• Access to Personalized Intelligence Reports — FireEye as a Service customers get access to key intelligence findings and judgments specific to their organization from the FireEye intelligence team. This includes identification of attackers specifically targeting their industry, typical attack methodologies used by relevant adversaries, and key business or financial data that motivates attackers to target your organization.

“We need to analyze the environment to address the attacks that penetrate an organization’s perimeter and bypass preventive measures,” FireEye COO, Kevin Mandia, wrote in a blog post. “And then ultimately, when we understand an attack well enough, contain it to get back to normal business operations. To succeed in today’s cyber-threat environment this cycle must shrink – from alert to fix in months, to alert to fix in minutes – in order to eliminate the consequences of a security breach.”

With FireEye as a Service, customers have the option to manage their own security operations, offload security operations to FireEye, or co-manage operations with FireEye or a FireEye partner.

Both new offerings are available as a subscription to customers that have purchased FireEye products. Pricing for ongoing monitoring starts at $ 10,000 per month for smaller clients needing full support and. For larger organizations the price is much higher.

Organizations pay a subscription fee and account for the service as an operational expense or pay up front and account for it as a capital expense, FireEye said.

Tags:

• Network Security
• NEWS & INDUSTRY

Recently, at a round table discussion, I heard someone make the statement, “In five years, there will be no more security analysts. They will be replaced by technology.” This is not the first time I have heard a statement along these lines. I suppose that these sorts of statements are attention grabbing and headline worthy, but I think they are a bit naïve to say the least.

Taking a step back, it seems to me that this statement is based on the belief or assumption that operational work being performed within the known threat landscape of today can be fully automated within five years. I don’t know enough about the specific technologies that would be involved in that endeavor to comment on whether or not that is an errant belief. However, I can make two observations, based on my experience, which I believe are relevant to this specific discussion:

• Operational work tends to focus on known knowns

• The threat landscape of today, both known and unknown, will not be the threat landscape of tomorrow

The work that is typically performed in a security operations setting follows the incident response process of: Detection, Analysis, Containment, Remediation, Recovery, and Lessons Learned. Detection is what kicks off this process and what drives the day-to-day workflow in a security operations environment. If we think about it, in order to detect something, we have to know about it. It doesn’t matter if we learn of it via third party notification, signature-based detection, anomaly detection, or any other means.

The bottom line is that if we become aware of something, it is by definition “known”. But what percentage of suspicious or malicious activity that may be present within our organizations do we realistically think is known? I don’t know of a good way to measure this, since it involves a fair amount of information that is unknowable. I do, however, think we would be naïve to think it is anywhere near 100%.

If we take a step back, the ramifications of this are quite striking. In essence, most of the work we are performing today involves what is likely a mere fraction of what ought to concern us. Even if technology could automate all of today’s security operations functions within five years’ time, that still leaves quite a bit of work undone.

I think we would also be naïve to think that the threats of today, both known and unknown will be the threats of tomorrow. If I think back five or ten years, I’m not sure how many of us foresaw the degree to which intrusions involving large-scale payment card theft would become an almost regular occurrence. Granted, theft of sensitive information has been an issue for quite some time, but not to the degree that it has been in the recent past. Payment card theft is now a threat that many organizations take very seriously, whereas five or ten years ago, it may have been a threat that only certain specific organizations would have taken seriously. This is merely an example, but my main point here is that we can’t view today’s threat landscape as a base upon which to build predictions and make assertions for the future.

In my experience, analysts can provide unique value that may not be obvious to those who have not worked in the role. For those who don’t know, I worked as an analyst for many years before moving over to the vendor side. It is from that experience that I make this point.

In a mature security operations setting, there will be a certain workflow and process. Some organizations will be in a more mature place, while other organizations will be in a less mature place. Regardless of where an organization finds itself, there will always be room to improve. Alongside performing the tasks required by the process, a good analyst will make the process better and improve the maturity of the organization. This can happen in many ways, but here are a few different approaches that I have often seen:

• Improving existing alerting

• Identifying automation opportunities

• Performing gap analysis

• Implementing new alerting

Any work queue will have both signal (true positives) and noise (false positives). A mature, efficient security operations program will have a high enough signal-to-noise ratio so as to allow for a reasonable chance at timely detection of incidents. Regardless of the signal-to-noise ratio, alerting that populates the work queue can always be improved. As the people most familiar with the ins and outs of various different alerts, analysts play an important role here. The analyst can provide unique perspective regarding tuning and improving alerts to make them less noisy and ensure they keep up with the times.

It is certainly true that some alerts follow a nearly identical sequence of events each time they are vetted, qualified, and investigated. These cases are good candidates for automation, but they won’t identify themselves. A skilled analyst is needed to identify those repetitive manual tasks best suited for automation. Automation is a good thing and should be leveraged whenever appropriate, but it will never replace the analyst.

With automation comes newly liberated analyst cycles. Those cycles can and should be used to hunt, dig, and perform gap analysis. Hunting and digging help to identify unknown unknowns – network traffic or endpoint activity for which the true nature is unknown. Gap analysis serves to identify points within the organization where proper network and endpoint telemetry may not exist. All these activities help provide a window into the unknown. After all, today’s unknown may be tomorrow’s breach.

When unknown unknowns are discovered, they should be studied to understand their true nature. This process turns them into new known knowns. And it is from this pile that new alerting is continuously formulated. The analyst is an invaluable resource in turning unknown unknowns into known knowns. Based on my experience, there is no shortage of unknown unknowns waiting to be investigated.

A good analyst is hard to find and is a critical resource within a mature security operations function. Although it may be tempting to envision a world where the analyst has been fully automated, this does not seem particularly reasonable. Rather, the work of the analyst can and must evolve over time to keep pace with the changing threat landscape.

Tags:

• INDUSTRY INSIGHTS
• Network Security