Sadik Al-Abdulla, security solutions specialist for Berbee Information Networks Corporation in Madison, Wisc., says that in order to see the real problem, security professionals must examine the whole picture and not simply isolated data points in a vast network.
Smart Business spoke with Al-Abdulla about security threats and what companies need to do to keep their networks safe.
How much more important has it become to protect one’s network now than several years ago?
Much more so. More assets reside as information on the network, and in many cases the network itself has become a mission-critical asset that must be protected.
As an example, most accounting systems 10 years ago required manual entry of data, and were entirely self-contained. Today, modern systems interface directly with point-of-sale systems, invoicing, accounts payable/receivable, and even the IRS. This level of integration has delivered tremendous agility to many businesses, but in doing so has also dramatically increased the attack surface of the solution and put business-critical data at risk.
How do you define true network security?
True network security relies on achieving three things: confidentiality, integrity and availability.
Confidentiality requires that information and assets be protected from unauthorized disclosure.
Integrity requires that information and assets be protected from unauthorized, unanticipated or unintentional modification. This includes, but is not limited to, authenticity, nonrepudiation and accountability.
Availability requires that a technology resource, be it system or data, be available on a timely basis to meet mission requirements or avoid losses. Availability should also require that resources be used only for their intended purpose.
How can a system reduce ‘false positives’ to free up more resources?
Mostly by looking at the environment as a whole and applying the same intelligence to the problem that a human being would.
The term ‘false positive’ is intriguing. If a system reports an event, from the perspective of that system it is obviously true. The falseness comes into play when that individual data point is examined in a larger context. For example: If an intrusion detection system reports that Host A attacked Host B, from the context of that system it is a real problem. In the larger context of the environment as a whole, the event might be false for any number of reasons: a firewall between Hosts A and B might have dropped the attack, Host B might not be vulnerable, etc.
A security information management system can reduce false positives by parsing each of those individual data points into a larger context. Each piece of information can be correlated across every device that reported on the event. Each correlated session can be mapped to the topography of the network. Intelligence can be applied across sessions such that, rather than simply looking for attacks, the system can also look for matching responses. Each potential incident can be filtered if the victim isn’t vulnerable.
At the end of the day, what we’re talking about here is holism.
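One way the correlation described in this answer can be implemented, as an added example that is not from the interview or from Berbee: a small Python correlator over constructed IDS, firewall and vulnerability-scan records (the host addresses, field names and exploit labels are assumptions) that suppresses an alert when the firewall dropped the session or the target is not vulnerable, and keeps the rest.

```python
# Constructed sample inputs (not real hosts or indicators): what the IDS,
# the firewall and the vulnerability scanner each reported for three sessions.
IDS_ALERTS = [
    {"id": 1, "src": "10.0.0.5", "dst": "10.0.1.20", "port": 445, "exploit": "smb-rce"},
    {"id": 2, "src": "10.0.0.5", "dst": "10.0.1.21", "port": 80, "exploit": "webapp-sqli"},
    {"id": 3, "src": "10.0.0.9", "dst": "10.0.1.22", "port": 22, "exploit": "ssh-bruteforce"},
]
# Firewall decisions for the same sessions; action is "allow" or "drop".
FIREWALL_LOG = [
    {"src": "10.0.0.5", "dst": "10.0.1.20", "port": 445, "action": "drop"},
    {"src": "10.0.0.5", "dst": "10.0.1.21", "port": 80, "action": "allow"},
    {"src": "10.0.0.9", "dst": "10.0.1.22", "port": 22, "action": "allow"},
]
# Scanner results: the exploit classes each host is actually exposed to.
VULN_INVENTORY = {
    "10.0.1.20": {"smb-rce"},
    "10.0.1.21": set(),  # patched web app, so webapp-sqli does not apply
    "10.0.1.22": {"ssh-bruteforce"},
}

def firewall_dropped(alert, fw_log):
    """True if the firewall logged a drop for the session the IDS reported."""
    return any(e["src"] == alert["src"] and e["dst"] == alert["dst"]
               and e["port"] == alert["port"] and e["action"] == "drop"
               for e in fw_log)

def victim_vulnerable(alert, inventory):
    """False only when the inventory positively says the target lacks the
    exploited weakness; hosts missing from the inventory stay 'vulnerable'
    so that an incomplete scan never hides a real incident."""
    if alert["dst"] not in inventory:
        return True
    return alert["exploit"] in inventory[alert["dst"]]

def correlate(alerts, fw_log, inventory):
    """Split IDS alerts into (kept, suppressed), each tagged with the reason."""
    kept, suppressed = [], []
    for a in alerts:
        if firewall_dropped(a, fw_log):
            suppressed.append({**a, "reason": "firewall dropped session"})
        elif not victim_vulnerable(a, inventory):
            suppressed.append({**a, "reason": "target not vulnerable"})
        else:
            kept.append({**a, "reason": "confirmed exposure"})
    return kept, suppressed

if __name__ == "__main__":
    kept, dropped = correlate(IDS_ALERTS, FIREWALL_LOG, VULN_INVENTORY)
    for a in kept + dropped:
        print(a["id"], a["reason"])
```

A real deployment would key the firewall lookup on timestamps and session identifiers as well, so that a drop logged hours earlier cannot clear a later alert.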
How can a company simplify audit compliance?
Most regulatory audits require companies to provide accounting information for certain security data points, for instance, who has logged onto systems with administrative access. The Information Technology (IT) department typically has to track this information across every system in the environment, and the major challenge posed by the audit request is finding the right information ... and finding it in every system.
Companies that have implemented a form of security information management are able to dramatically simplify this equation. First off, the information management system centralizes all of the relevant information. More importantly, the intelligence in the information management system is interpreting each data point as it comes into the system. This interpretation comes down to parsing the data, understanding it, and building it into a database with relationships to every other relevant data point. Using the above example, when an administrative logon event reaches the information management system it’s filed into the database as an administrative logon event. This means that at audit time, a simple database query in a single place would be able to retrieve every administrative logon to every type of system for any time period the auditor is interested in.
SADIK AL-ABDULLA is a security solutions specialist for Berbee Information Networks in Madison, Wisc. Reach him at (608) 288-3000.