Top 10 Guide - A Guide to Selecting a SIM Solution for Insider Threat
8/3/2019 Top 10 Guide - A Guide to Selecting a SIM Solution for Insider Threat
Top 10: A Guide to Selecting a SIM Solution for Insider Threat
Insider threats are the easiest to perpetrate, hardest to detect and most politically charged to manage. And unfortunately, there is no security panacea for insider threats. There is no piece of software that someone can install, box that can be plugged in, policy that can be written or guru that can be hired that makes an organization 100 percent secure. Managing insider threats is a merger of people, process and technology that requires vigilance and constant awareness. The most secure companies in the world have discovered that the right combination of these variables achieves a strong security posture.

Insiders can take many forms. They may be well-intentioned employees who simply made a mistake that leads to a vulnerability which can be exploited. They may be disgruntled employees or contractors, cleaning crews, or even plants from competitors, foreign governments or terrorist organizations. Some insiders join an organization with surreptitious intent; others typically subscribe to one or more of the following categories for their motivation: greed, power, revenge, politics, fear, boredom or excitement.

Luckily, security information management (SIM) solutions are particularly well suited for addressing insider threats. SIM is typically deployed to look beyond traditional perimeter devices such as firewalls, intrusion detection and network devices, by processing information from the core infrastructure such as critical servers, mainframes, application logs, telephony and physical security devices. This holistic perspective of an organization's security posture allows for advanced correlation, anomaly detection and the identification of malicious patterns.

In addition to the technical capabilities of SIM, it also has many features suitable for working across disparate organizations such as human resources, legal and executive management. These are groups that frequently lack the coordination to manage internal threats. Some features for cross-departmental coordination are: case management, reporting, workflow integration with policies and procedures, access controls for managing access to sensitive information during investigations and interactive visualization capabilities that allow non-technical departments to easily understand complex attacks. Together, this combination of technical and business-relevant capabilities makes SIM the ideal foundation for any insider threat program.

ArcSight has developed the following list of evaluation best practices to assist organizations in making the right SIM choice for their insider threat needs. This list has been compiled directly from the experiences of customers. These practices should be used as an integral part of your evaluation and selection process.
10. Insider Threats are Different than External Threats

Don't be fooled into thinking that addressing insider threat is like addressing external security threats, but now you're collecting logs from the inside too. Risks associated with internal attacks are only mitigated by incorporating the all-important combination of people, process and technology into a cohesive, extensible and scalable solution. Just as every organization has different people, they also have diverse technologies and processes. The SIM solution should be flexible enough to work with the myriad of solutions you have and plan to have. This doesn't just mean collecting events, but rather transforming that raw event data into useful, actionable information tied directly to the insider threat. Once the information is processed, functionality must exist to make the insider threat-specific scenarios understandable by technical and non-technical people. The SIM solution's alerting, escalation and remediation capabilities should parallel your organization's own policies and procedures. When evaluating SIM vendors, ensure that their solution has specialized, insider threat-specific content that is scalable, works with your data sources, aligns with your workflow and delivers information suitable for detailed, technical analysis and executive-level oversight.
9. Detecting the Insider Threat

From a tactical perspective, the security lifecycle generally falls under three broad categories: incident prevention, incident detection and incident management. While insider threat prevention is critical, it simply isn't self-sustaining or scalable, especially when addressing trusted or semi-trusted users who have more access than an outsider. This is why incident detection and management are needed, and this is why a SIM is required. Based on holistic event collection, the SIM solution should be an early-warning system that is triggered by suspicious actions and automatically escalates threat levels of malicious actions. Insider actions cover the gamut of threats from information leakage through sabotage; thus the solution must be extensible to consider all types. It should also provide out-of-the-box content for insider threats as well as customizable solutions in terms of correlation, anomaly detection and pattern discovery. All of these solutions should be able to work with any event information entering the SIM. For example, correlate OS, application, access control and physical security badge reader logs for causal threat determination. Correlation facilitates the discovery of known behaviors, pattern discovery uncovers patterns based on trends and anomaly detection detects deviations from the norm. This combination of detective capabilities should further leverage a threat model that considers not only the events, but also vulnerability information associated with the targets, and asset information about the target such as geography, logical location, applications, services, operating system, business use, time parameters, sensitivity of content, relationships to regulatory compliance and so forth. Based on all these variables, the SIM should be able to assign a priority score to efficiently identify malicious insider activity.
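As an added example that is not from this guide or from ArcSight's product, the correlation this section describes in Python: OS console logons are joined to physical badge-reader entries, and each hit is ranked by a priority score built from asset sensitivity and vulnerability information. Every host, user, asset attribute and event below is constructed sample data.

```python
"""Added example (not from the ArcSight guide): correlate OS logon events
with physical badge-reader events, then rank the hits with a priority score
built from asset information, as the guide describes. Every host, user,
asset attribute and event below is constructed sample data."""
from datetime import datetime

# Constructed asset inventory: content sensitivity (1-3) and open vulnerability count
ASSETS = {
    "hr-db01": {"sensitivity": 3, "vulns": 2, "location": "datacenter"},
    "wiki01": {"sensitivity": 1, "vulns": 0, "location": "datacenter"},
}

# Constructed events, already normalized into one schema by the collector
EVENTS = [
    {"src": "badge", "time": "2006-08-01T08:02", "user": "alice", "action": "entry"},
    {"src": "os", "time": "2006-08-01T08:30", "user": "alice", "action": "logon",
     "host": "wiki01", "type": "console"},
    {"src": "os", "time": "2006-08-01T22:15", "user": "bob", "action": "logon",
     "host": "hr-db01", "type": "console"},
    {"src": "badge", "time": "2006-08-02T09:00", "user": "bob", "action": "entry"},
]

def priority(host):
    """Weight sensitivity above vulnerability count; unknown assets get a floor of 1."""
    asset = ASSETS.get(host)
    if asset is None:
        return 1
    return asset["sensitivity"] * 2 + asset["vulns"]

def correlate(events, window_hours=12):
    """Flag console logons with no badge entry by that user in the preceding window.

    A console logon implies physical presence; a missing badge entry is an
    inconsistency between the logical and physical records worth an analyst's look.
    """
    entries = {}
    for e in events:
        if e["src"] == "badge" and e["action"] == "entry":
            entries.setdefault(e["user"], []).append(datetime.fromisoformat(e["time"]))
    alerts = []
    for e in events:
        if e["src"] != "os" or e["action"] != "logon" or e.get("type") != "console":
            continue
        t = datetime.fromisoformat(e["time"])
        recent = [b for b in entries.get(e["user"], [])
                  if 0 <= (t - b).total_seconds() <= window_hours * 3600]
        if not recent:
            alerts.append({"user": e["user"], "host": e["host"], "time": e["time"],
                           "priority": priority(e["host"]),
                           "reason": "console logon without prior badge entry"})
    # Highest-priority hits first, so a sensitive server outranks a wiki box
    return sorted(alerts, key=lambda a: a["priority"], reverse=True)

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

In the sample data only bob's late-night logon to the HR database fires, because alice badged in before her logon; a real deployment would add the other asset attributes the section lists (geography, business use, time parameters) to the score.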
8. Managing the Insider Threat

A senior employee with twenty years' experience appears to be doing something malicious. What do you do? What you don't want to do is define the policies and procedures after the incident. An insider threat program completely based on technology will fail. Successful insider threat solutions leverage your company's unique policies and procedures. A robust SIM solution will have native case management and integration with third-party solutions. It will have a notion of hierarchy and escalation based on the parameters of the threat. It will also have an integrated knowledge base that can guide the responding individuals through a step-by-step process to ensure that their actions are in line with company policies. The knowledge base is essential because with insider threats there are often major delays between detection and response due to the lack of policies and procedures. Not only can SIM shrink the window of vulnerability by easily integrating with these frameworks, but this integration will yield the ability to define risk based on what is important to your business. Further, you can train employees in effective response and remediation centered in the SIM infrastructure. With this design, events will consistently have the involvement of relevant stakeholders and will help to achieve operational efficiencies through automation, create a repeatable and measurable insider threat mitigation program, decrease investigative inefficiencies and false positives and ensure that legal protocols are being followed.
7. Providing Intelligent, Insider-Aware Response Capabilities

Historically the automation of response has been a delicate subject with poor controls around change management, authorization, auditing and general change documentation. This was typically because technologies were unable to effectively reduce false positives and accurately detect attacks. With the decreasing vulnerability threat window, automated response is gaining renewed momentum. This is particularly relevant for insider threats: since insiders by definition have elevated levels of access and trust, their attacks progress quickly and they are the hardest to prevent. Thus, every insider threat SIM solution needs to provide intelligent, rapid response capabilities that utilize:

- Human-assisted or completely automatic response based on organizational policy
- Integrated response verification, escalation, authorization and change rollback
- Vendor-neutral network quarantining as well as layer-3 and layer-2 blocking
- Active Directory integration to disable accounts, preventing logical and even physical access
- Tracking features ensuring that all responses are auditable and documented every time
6. Leveraging Real-time and Forensics Analysis to Pinpoint Insiders

When insiders are discovered there is typically a strict set of formal actions that follow. Common questions that lead the investigations are how long it has been going on, what else has been done, who else might be involved and more. Since insider activity can be detected both in real time and through historical data, both capabilities are essential for addressing insider threat. Within the SIM, real-time and forensics analysis must work together seamlessly. Any feature that can be applied in real-time analysis needs to also be available for forensic analysis. It shouldn't matter if events are coming in from live feeds or from a database archive. Often, pattern discovery on historical data illustrates trends that are more subtle than real-time analysis, which is why it is critical for the SIM to support a mission-critical, enterprise-level database and data retention/reactivation mechanism.
5. Understanding that Insiders are People

Insiders are people; they're not IP addresses, MAC addresses, laptops or applications. One of the most difficult processes in insider threat identification is getting from a flood of events to the actual malicious insider. Without an enterprise-level SIM and supporting database, relationships may never be discovered, or it may take an inordinately long time to investigate. SIMs must have the ability to keep dynamic lists of relevant information such as: targets, attackers, accounts, attack types and the like. In addition to supporting the wide range of products already discussed, SIMs must also track user-centric information through identity, content and policy management solutions. They should also consider roles, reporting structures, departmental relationships, geographies, time and other metrics that may be important in determining insider threat activity. All this information comes together to allow for more advanced correlation, create baselines, identify outlier anomalies and ultimately connect a face to the suspicious actions.
4. Converging Insider Threat with IT Governance and Regulatory Compliance

While security and compliance are not identical, when you look at their juxtaposition there is significant overlap, especially as it relates to insider threat. Many of the systems interesting to insiders contain data that would fall under regulatory compliance, such as financial data, healthcare records and personal information. Protecting those systems from insiders with SIM can also address IT governance and regulatory compliance. Some ways that SIM should be able to provide double duty include: use audit trails to track an incident, monitor and log security activity, create incident reports, provide built-in audit capability within the SIM itself and retain the events for later examination.
3. Demanding ROI & ROSI for Your Insider Threat Program

There has been an increasing trend over the last few years: security programs are being evaluated against broader business objectives. Organizations are searching for ways to make security a competitive differentiator, an enabler for business initiatives, a factor in increasing operational efficiencies and an instrument for reducing costs, all while the primary focus remains risk mitigation. There are two principal areas that need to be measured. For ROI, your SIM vendor should be able to help in calculating the dollars based on your custom insider threat needs merged with best practices from a multitude of customers, especially those in your business. Beware of boilerplate templates. Insider threat ROI needs to be an interactive discovery process that your vendor assists you with, not a fill-in-the-blank form. This discovery process should result in quantitative numbers illustrating the insider threat program's impact on cost savings and the overall efficiency of the investment. For ROSI (return on security investment), your SIM vendor should be able to help define more qualitative variables tied to risk reduction that will result from your insider threat solution. As with ROI, this is a discovery process that will yield specific advantages related to areas such as brand image, better analysis capabilities, increased operational efficiencies and faster remediation.

performance and features.
2. Converging Insider Threat with Physical Security

Insider threat has a clear integration path with traditional IT security solutions and compliance. However, one historically overlooked area that is gaining rapid appeal is the convergence of physical and logical security. Insider threat is a leading reason why organizations are going this direction. A mature SIM solution should have the extensibility of not only integrating with these devices by collecting information from them, but also be able to leverage capabilities such as correlation, visualization, reporting and the like to render useful information. In addition, the SIM's reporting, alerting and case management system should act as a vehicle for improved communication between physical and information security teams. SIM solutions that are simply focused on perimeter security products and network devices lack the maturity and capabilities of scaling to be a truly holistic solution for the ever expanding security posture of today's organizations.
1. Proving that the Vendor's Insider Threat Claims are Valid

Evaluate your SIM vendor's insider threat solution by looking at their customer base, evaluating third-party reviews, talking with like organizations that have implemented the solution and kicking the tires by going to trial. Ensure that the solution is truly vendor-neutral and can integrate with all the disparate data sources in your environment. Terms like correlation, normalization and anomaly detection are loosely thrown around in the SIM space, so ask to see a demonstration of the capabilities that are most important to you and see how their solution will improve your insider threat program. Finally, ensure that they have specialized insider threat content to truly provide value out-of-the-box, such as integration with insider-relevant data sources, graphical dashboards and reports, as well as visualization, auditing, measurement, escalation, alerting and remediation capabilities that consider insider threat scenarios.
Get Started Today

ArcSight offers an enterprise-class security information management solution that can cost-effectively address a broad range of insider threat requirements. We welcome you to test our family of insider threat products head-to-head against any on the market. Our account executives can provide more details that address your specific criteria, show you a product demo and provide a trial for an in-depth look into our solution. It's no coincidence that leading publications recognize ArcSight ESM for its superior flexibility, functionality, scalability and ease of use. For help with your insider threat needs, contact ArcSight at [email protected], call (408) 864 6150 or visit us online at www.arcsight.com.
ArcSight, Inc.
5 Results Way, Cupertino, CA 95014, USA
Email: [email protected]
Phone: 408 864 2600
2006 ArcSight, Inc. All rights reserved. ArcSight and ArcSight ESM are
trademarks of ArcSight, Inc. All other product and company names may be
trademarks or registered trademarks of their respective owners.
08/06
About ArcSight

ArcSight, a leader in Enterprise Security Management, provides solutions that serve as the mission control center for real-time threat management, compliance reporting and automated network response. By comprehensively collecting, analyzing and managing security data, ArcSight solutions centrally manage and mitigate information risk for security, insider threat and compliance. ArcSight's customer base includes leading global enterprises, government agencies and MSSPs.