Hi everyone, this is Rafal Los (some may know me as "Wh1t3Rabbit") from the "Following the Wh1t3 Rabbit" blog where I talk about all manner of things security. You may be asking yourself what I'm doing posting here on this fantastic BSM blog ... well just as the title says I'm here to talk about hackers and how you can defend yourself smarter.
Sure, every vendor you have is trying to tell you how to protect your assets and keep your organization safe from those pesky hackers right now, but how many are able to show you an innovative way of doing it without a massive investment in many cases? More importantly, how many of us vendors are making big waves in the way that IT Operations teams operate? You can't see me, but I'm raising my hand over here.
Right, let's get down to it - fundamentally, how do we improve the detection rate of 'bad things' on your infrastructure.
First, let me start off by painting you a picture, via a real story, of why this collaboration between network, applications and now security operations is critical.
On any given day your infrastructure made up of applications, systems, network components and people are being pelted with attacks which aim to separate you from the control you have over your critical data. Whether you hold the secret formula for Coca Cola, the blueprints for the next generation nuclear powered submarine, or patient records for Paducah, KY medical clinic - information you have is valuable to others. It's not just that information but it's also the devices, source code, and vital components they want that you have. Your stuff is in your office, in the data center, on mobile devices, in your users' homes or in the cloud - and you have to keep it safe of it all the same.
Now, let's look at a suspicious event from a few different perspectives.
The Network Operations Center - NetOps sees a series of traffic blips from a couple of IP addresses going into the data center. Nothing urgent (flagged) pops, and only a minor performance degradation (link saturation) is detected, but then dissipates. No alarm is raised, no investigation is launched because the NetOps team is busy - far too busy - keeping network stability and reliability under control.
The Security Operations Center - The Security 'dashboard' (or SIEM) reports suspicious traffic across 2 pairs of intrusion prevention devices from the outside world back into the data center where the applications clusters live. Flagged as 'suspicious', because there is no confirmed attack, no specific pattern matched, and only a small number of these packets are sent from an otherwise 'clean' address (based on reputational analysis).
The Applications Team - The applications team monitoring application performance sees a series of events on their dashboards. First, the application server takes a larger than normal series of unusual requests which cause a spike in CPU utilization and a temporary slight degradation in application performance. On the back-end, query times spike for approximately 45 seconds, the database CPU pegs high for that 45 seconds, then everything returns to normal. Again, a blip on the screen and no investigation is launched and no one really takes a second look as long as everything returns back to normal.
The Smarter Operations Center
The siloed operations teams see nothing significant on the event list for that period of time I just described above. A few suspicious issues, but since they're in separate siloes no one really talks to anyone else and the dots aren't connected ... but what really happened?
The truth is, in this case, the application was SQL Injected using a previously unknown pattern-based attack and the database was stolen in 45 seconds.
Ultimately, forensics will link these events months later when the investigation goes full-bore, but that's much, much too late. How can we have a more intelligent operations organization which can catch these types of events as they happen in near-real-time and prevent (or at least slow down) these types of catastrophic failures?
Here's where I point you to the Operations Manager <> ArcSight "SmartConnector". You've been told since you were a kid that sometimes the best things come in small packages, and now here it is. The SmartConnector allows you to view events pulled from the security analytics engine of ArcSight ESM console to the Operations Manager ... so a suspicious series of events has a smaller chance of giving hackers a way in without being discovered.
Breaking down barriers and silos in operations teams is critical as organizations run head-long into the new IT which is more agile, more distributed, and more elastic - and having a tool like the SmartConnector for ArcSight is a minor addition to your infrastructure that essentially can help you draw the dotted line between a series of otherwise unrelated events.
Snake Oil, Pixie Dust and Magic
This connector will absolutely not solve world hunger, create world peace, or even relieve your migraine. It will give you a much wider, clearer, and deeper vision into your IT infrastructure (and beyond, if you know how ArcSight operates!) so you can make better decisions on your technology risk. I've always said we can hyper-focus on how badly the hackers are beating us, or we can look at all the tools we have available today that make their drive at our critical data as difficult as possible.
Hackers hide in the minutia, the details, and the fact that most IT Security organizations are disconnected from the rest of IT and overwhelmed with blinking red lights demanding their attention. You have access to a piece of technology that can take away that element of stealth they have as an advantage over you. The key to winning battles is vision and having the ability and capability for response - the combination of the BSM Operations Manager and ArcSight SmartConnector give you the vision to eliminate the blind spot.
Did I mention you can get this right now from your HP rep?