INFORMATION SECURITY
Insider Edition, May 2016

BELLWETHER TECHNOLOGIES TO THE RESCUE?
If network perimeters vanish, how will IT security pros protect the enterprise? Consider these new, and emerging, approaches and achieve a mature security posture.

In this edition:
Editor's Desk: The Perimeter Goes Poof
Get Your Enterprise Mature and Secure With Bellwether Tech
Guarding the Vanishing Network Perimeter
Hunt Down APTs With Big Data Analytics
EDITOR'S DESK

The Perimeter Goes Poof
The traditional network perimeter has all but vanished, but that doesn't mean enterprise security must follow suit. BY BRENDA L. HORRIGAN, PH.D.

HOW DO YOU defend something that's disappeared? That's the sort of hocus-pocus IT security professionals are dealing with these days. The network perimeter, at least in the traditional sense, has vanished. And yet the need to secure it continues.

This Insider Edition offers some technological tricks that could make all the difference when it comes to keeping security threats at bay. In our cover story, Nemertes Research CEO Johna Till Johnson explains eight bellwether technologies and whom they're suited for. Then David Strom delves even deeper into the security implications of the perimeter-less network of the 21st century. Don't miss his four pointers on how to keep enterprise systems secure. Finally, Adam Rice and James Ringold put a laser focus on one more tool to employ against threats to enterprise security: big data analytics. Because all the data in the universe is worthless unless it gets mined efficiently.

Though the network perimeter that security pros have trained for years to protect has, essentially, vanished, the means still exist (and are waiting to be adopted) to secure enterprise systems. Read up and learn how it's still possible to battle the threats the bad guys launch. Security for your enterprise systems won't magically appear. But with the aid of our four experts and information on the latest security tools and techniques, you can still deliver the sort of security the 21st century requires.

BRENDA L. HORRIGAN is the managing editor for the TechTarget Security Media Group.
2 BELLWETHER TECHNOLOGIES TO THE RESCUE? n MAY 2016


COVER STORY: BELLWETHER TECHNOLOGIES

GET YOUR ENTERPRISE MATURE AND SECURE WITH BELLWETHER TECH
Keeping your security perimeter safe in this era of increasingly sophisticated attacks requires staying current on the latest security technologies available. By Johna Johnson

THE GAME PLAN is set: Your company will undergo a digital transformation. The next-generation architecture has been redesigned to focus on supporting cloud-native, mobile-enabled applications. And lean, agile and business-aligned are the new buzzwords. But what does all this mean for security? The traditional notion of a security perimeter, a contained environment that can be protected, is dissolving. How can security professionals move forward to protect this next-generation enterprise, even as it's becoming more nimble, more open and more distributed?

WHAT SECURITY PERIMETER?
Leading-edge security organizations have been grappling with the network's vanishing security perimeter, and related issues, for the past several years, and they're seizing on a set of next-generation security technologies that are rapidly becoming the cornerstones for the new digital enterprise. These are sometimes termed bellwether technologies because the deployment state of these technologies serves as a good measure of how mature a company's


thinking is when it comes to security.

In a recent benchmark study, Nemertes Research quantified the maturity of a group of select security organizations. Then they subdivided the group into more mature and less mature, and looked for differences in technology deployment.

Nemertes found that more mature organizations were significantly more likely than the group overall to deploy these bellwether technologies. These technologies typically deliver a strategic advantage to companies that deploy them, either by delivering unprecedented capabilities (i.e., enabling the security teams to do something that previously couldn't be done) or by automating previously manual capabilities (i.e., dramatically reducing the effort, time and operational cost required to detect and mitigate a threat).

BELLWETHER TECH FOR 21ST CENTURY SECURITY
For security pros concerned about the increasingly hard-to-find network security perimeter, here's a look at eight key bellwether technologies: what they are and how they work.

■ Cloud Access Security Brokers (CASBs) are on-premises or cloud-based software tools that automatically detect cloud usage by employees, assess business and technical risk, and enforce security policies. Companies are moving increasingly to cloud services, and not all employees are waiting for IT's sign-off before putting sensitive data in the cloud. CASBs can return control to IT without standing in the way of employee initiatives; these products come from vendors like Bitglass, Blue Coat, Microsoft and Skyhigh Networks. Companies with mature security organizations are three times as likely to be using CASBs as organizations overall.

■ Endpoint security is software that protects endpoints from malware using a variety of mechanisms (such as microsegmentation and containerization). This technology goes far beyond the list-based or algorithmic protection that traditional antimalware software offers; it provides execution-level virtual firewalls around endpoint applications to ensure they can't behave maliciously. Endpoint security thus represents an architectural and technical step-function increase over existing technology, and it aligns well with next-gen architectures that are typically based on the concept of virtualization. Companies like Bromium, CrowdStrike and Invincea make this software, and more mature companies are two-and-a-half times more likely to be using it than organizations overall.

■ User Behavioral Analytics (UBA) is software that integrates multiple sources of data (logs, SIEM and analytics platforms such as Splunk) to capture and display anomalous behavior of users, devices and systems. UBA tools provide proactive protection against attacks. There are a


host of vendors with products, including Bay Dynamics, Gurucul, Exabeam and Splunk/Caspida; more mature companies are three times more likely to be using UBA.

■ Automated application security testing tools include static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST) and runtime application security testing (RAST). They're key to implementing next-generation development methodologies like Agile and DevOps. Providers include Contrast, HP/Fortify and Veracode. Sophisticated security organizations are almost twice as likely to be using these tools.

■ Risk management software automates the process of translating information security vulnerabilities into business risk. These products come from vendors like Archer, IBM, MetricStream and RiskVision. Mature security organizations are 30% more likely to be using them than organizations overall.

■ Threat, compliance and risk (TCR) networks (also known as threat intelligence networks) are subscription-based services that provide users with real-time insight into the emergence of threats. They come from vendors like Anomali, Cyveillance, Dell SecureWorks and Symantec. More mature companies are 60% more likely to be using them than companies overall.

■ Managed and professional services include third-party services that review logs, manage security equipment (e.g., firewalls) or conduct assessments and testing (e.g., penetration testing). Companies that provide these services run the gamut from Ernst & Young, which is famous for its pen testing, to carriers like Verizon and AT&T, and specialized firms too numerous to list here.

Strictly speaking, these aren't technologies, nor are they necessarily bellwether, as mature organizations are as likely to use them as organizations overall. But they're important to consider because they are increasingly useful in offloading routine or repetitive work from security professionals. However, more mature companies were, unsurprisingly, more likely to take advantage of more sophisticated services.

■ Automation encompasses the use of tools and technologies (both third-party and homegrown) to automate


security processes. Once again, this isn't strictly speaking a technology, and it's not possible to list vendors, since every security tool includes some form of automation. But in practice, mature security organizations are more than four times as likely as organizations overall to be in the process of fully automating key business processes, as opposed to having a limited-to-nonexistent emphasis on automation.

THE TAKEAWAY
This isn't a comprehensive list of technologies that security organizations deploy; there are many others that are equally critical. Nor is every technology right for every organization. Nor is it the case that every company must deploy these technologies or risk stagnating at a lower maturity level. Some companies, for instance, may have few to no employees outside the firewall, making the concept of endpoint security less relevant.

But at a bare minimum, security professionals concerned with the network's security perimeter should be aware of these bellwether technologies and the advantages they can provide, and have a go-forward plan for evaluating them and deploying them if and when the time is right.

JOHNA TILL JOHNSON is CEO and senior founding partner of Nemertes Research, where she sets research direction and works with strategic clients. She served as CTO at Greenwich Technology Partners, an infrastructure consulting and engineering firm; headed the Global Networking Strategies Service business unit of META Group; and oversaw the lab-testing program at Data Communications magazine. She holds a bachelor of science in electrical engineering and computer science (BSEE/CS) from Johns Hopkins University.


BEYOND THE PERIMETER

WAYS TO GUARD A VANISHING NETWORK PERIMETER
The latest approach to network protection looks beyond the perimeter. By David Strom

WITH DISTRIBUTED WORKFORCES and mobile technologies, the network perimeter has evolved beyond the physical limits of most corporate campuses. The days when the perimeter was an actual boundary are a fond memory. Back then, firewalls did a decent job of protecting the network from outside threats, and intrusion prevention tools protected against insiders. But, over time, the bad guys have gotten better: Spear phishing has made it easier to infiltrate malware, and poor password controls have made it easier to exfiltrate data. This means that the insiders are getting harder to detect, and IT assets are getting more distributed and harder to defend.

Complicating matters, today's data centers are no longer confined to the premises. As cloud and mobile technologies become the norm, the notion of a network edge no longer makes much sense. New network security models are required to define what the network perimeter is and how it can be defended.

CIOs and enterprise security managers are using different strategies to defend these new perimeters, as corporate data and applications travel on extended networks


that are often fragmented. The borders between trusted internal infrastructure and external networks still exist, but the protection strategies and security policies around network applications, access control, identity and access management, and data security require new security models.

Here we look at four network edge-protection strategies in use today: protecting the application layer, using encryption and certificates, integrating single sign-on technologies and building Web front ends to legacy apps.

1. Provide application-layer protection. While next-generation firewalls have been around for some time, what's new is how important their application awareness has become in defending the network edge. By focusing on the application layer, enterprises can better keep track of potential security abuses because IT and security teams can quickly see who is using sensitive or restricted apps.

One way to do this is to develop your own custom network access software that works with firewalls and intrusion detection systems. This is what Tony Maro did as the CIO for medical records management firm EvriChart Inc., in White Sulphur Springs, W.Va.

"We have some custom firewall rules that only allow access to particular networks, based on the originating device. So, an unregistered PC will get an IP address on a guest network with only outside Internet access and nothing else. Or, conversely, a PC with personal health information will get internal access but no Internet connection," Maro says. "This allows for a lot more fine-grained control than simple virtual LANs (VLANs). We also monitor our DHCP leases and notify our help desk whenever a new device shows up on that list."

Another method is to incorporate real-time network traffic analysis. A number of vendors, including McAfee, Norse Corp., FireEye Inc., Cisco, Palo Alto Networks Inc. and Network Box Corp., use this analysis as part of their firewall and other protective devices.

2. Make proper use of encryption and digital certificates. A second strategy is to deploy encryption and digital certificates widely as a means to hide traffic, strengthen access controls and prevent man-in-the-middle attacks. Some enterprises have come up with rather clever and inexpensive homegrown solutions, while others are making use of sophisticated network access control products such as Mobile IAM from Extreme Networks Inc. that combine certificates with RADIUS directory servers to identify network endpoints.

"We use certificates for all of our access control because simple passwords are useless," says Bob Matsuoka, the CTO of New York-based CityMaps.com. The company found it needed more protection than a username and password combination to its Web servers, and providing certificates meant they could encrypt the traffic (Continued on page 10)


[Figure: Fingerprinting the Endpoints. Extreme Networks' dashboard display presents information collected from each endpoint. SOURCE: EXTREME NETWORKS INC.]


(Continued from page 8)

across the Internet as well as strengthen their authentication dialogs. While this approach increases the complexity of Web application security for his developers and other end users, it also has been very solid. "Over the past three years we haven't had any problems," Matsuoka says. One of the tradeoffs is that his company is still operating in startup mode. "You can have too much security when you are part of a startup, because you risk being late to market or impeding your code development."

Several vendors of classic two-factor tokens, such as Vasco Data Security Inc. and Authentify, are also entering this market by developing better certificate management tools that can secure individual transactions within an application. This could be useful for financial institutions that want to offer better protection and yet nothing that is intrusive to their customers. Instead, these tools make use of native security inside the phone to sign particular encrypted data and create digital signatures of the transaction, all done transparently to the customer. To some extent, this is adding authentication to the actual application itself, which gets back to an application-layer protection strategy.

3. Use the cloud with single sign-on (SSO) tools. As the number of passwords and various cloud-based applications proliferates, enterprises need better security than just re-using the same tired passphrases on all of their connections. One initiative that seems to be gaining is the use of a cloud-based SSO tool to automate and protect user identities. Numerous enterprises are deploying these tools to create complex, and in some cases unknown, passwords for their users.

SSO isn't something new: We have had these products for more than a decade. What is new is that several products combine cloud-based software-as-a-service logins with local desktop Windows logins, and add improved two-factor authentication and smoother federated identity integration.

Also helping is wider adoption of the open standard Security Assertion Markup Language (SAML), which allows for automated sign-ons by exchanging XML assertions between websites. As a result, SSO is finding its way into a number of different arenas to help boost security, including BYOD, network access control and mobile device management tools.

Post Foods LLC in St. Louis, MO, is an adherent to


SSO. The cereal maker uses Okta's identity management and SSO service. Most of their corporate applications are connected through the Okta sign-in portal. Users are automatically provisioned on the service (they don't even have to know their individual passwords), so they are logged in effortlessly, yet still securely.

Brian Hofmeister, vice president of architecture and operations for parent company Post Holdings, in St. Louis, says that the consumer goods company was able to offer the same collection of enterprise applications across its entire corporation of diverse offerings more quickly through the use of SSO and federated identities, and still keep the network secure.

4. Consider making legacy applications Web-based. A few years ago the American Red Cross was one of the more conservative IT shops around. Most of its applications ran on its own mainframes or were installed on specially provisioned PCs that were under the thumb of the central IT organization based in Washington, D.C.

[Figure: Web Wraps for Legacy Apps. You can move the security into the app itself, making endpoint security irrelevant for bring-your-own devices. Diagram: Front End (UI Layer: Browser) talks HTTP/HTTPS to the Back End (UI Layer, Business Logic: Server). SOURCE: NICHOLAS C. ZAKAS]

But then people started to bring their own devices along to staff the Red Cross disaster response teams. The IT department started out trying to manage users' mobile devices and standardize on them. But within two or three months, the IT staff found the mobile vendors came out with newer versions, making their recommendations obsolete. Like many IT shops, the Red Cross found that the emergency response teams would rather use their own devices, and these devices would always be of more recent vintage, anyway. In the end, they realized that they had to change the way they delivered their applications to make them accessible from the Internet and migrate their applications to become more browser-based. The Red


Cross still has its mainframe apps, just a different way to get to them. And their end users are happier because they don't have to tote around ancient laptops and smartphones, too.

By building a Web front end to their mission-critical apps, the Red Cross was able to move security inside the application itself and not depend on the physical device that was running the application. Moving the trust boundary into the application also means the application has to carry its own authentication, session management and input validation, because nothing about the connecting device can be assumed. Connections are made over SSL/TLS so that data transferred from the device to their mainframes is protected. And their IT staff no longer has to worry about obsolete smartphones and can focus on building and webifying other applications.

"You have to be able to adapt to the changing mobile environment," says John Crary, CIO for the American Red Cross. "It is moving rapidly. Businesses are going toward being more mobile-centric, and we need to be much quicker and much more adaptable."

Certainly, breaking traditional boundaries with these four strategies isn't the only way you can set up a more secure network edge. But by tying network security more closely to applications, certificates and transactions, you have a better chance at stopping the bad guys.

DAVID STROM is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VoIP, cloud computing, Internet applications, wireless and Web services for more than 25 years. He was the founding editor in chief of Network Computing magazine and has run various print and online publications including TomsHardware.com and DigitalLanding.com. His work can be found via his website (strominator.com) and on Twitter: @dstrom.
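The device-aware access control that Tony Maro describes under strategy 1 above (unregistered devices land on a guest network, PHI hosts get internal access but no Internet, and the help desk hears about every new DHCP lease) can be implemented with a short lease monitor. The following is an added example written for this edition, not EvriChart's code: it parses ISC dhcpd.leases blocks, maps each active lease to a zone from a device inventory, and reports MACs never seen before. The inventory layout, zone names and the sample leases are constructed for the example.

```python
"""Device-aware network access from DHCP leases (added example, not EvriChart's code).

Parses ISC dhcpd.leases blocks from a constructed sample, maps each active lease
to a network zone using a device inventory, and reports MACs never seen before
so the help desk can be notified. Inventory format and zone names are assumptions.
"""
import re

# Assumed zone names: what each class of device may reach.
ZONES = {
    "corp": {"internal": True, "internet": True},
    "internal_no_internet": {"internal": True, "internet": False},  # PHI hosts
    "guest": {"internal": False, "internet": True},                 # unregistered
}

# Assumed inventory: registered MAC -> owner and device class.
INVENTORY = {
    "3c:97:0e:12:ab:cd": {"owner": "finance", "class": "standard"},
    "00:1b:63:aa:bb:cc": {"owner": "hr", "class": "phi"},
}

# Constructed dhcpd.leases excerpt (ISC format). Later blocks for the same IP
# supersede earlier ones, exactly as in the real file.
LEASES = """\
lease 10.1.50.23 {
  starts 2 2016/05/03 14:02:11;
  ends 2 2016/05/03 22:02:11;
  binding state active;
  hardware ethernet 3c:97:0e:12:ab:cd;
  client-hostname "ws-fin-01";
}
lease 10.1.50.24 {
  binding state active;
  hardware ethernet 00:1b:63:aa:bb:cc;
  client-hostname "hr-records-02";
}
lease 10.1.50.25 {
  binding state active;
  hardware ethernet b8:27:eb:44:55:66;
  client-hostname "android-7f2";
}
lease 10.1.50.26 {
  binding state active;
  hardware ethernet 00:1b:63:aa:bb:cd;
}
lease 10.1.50.26 {
  binding state free;
  next binding state free;
  hardware ethernet 00:1b:63:aa:bb:cd;
}
"""

BLOCK = re.compile(r"lease (\S+) \{(.*?)\}", re.S)
MAC = re.compile(r"hardware ethernet ([0-9a-fA-F:]+);")
HOST = re.compile(r'client-hostname "([^"]*)";')
STATE = re.compile(r"^\s*binding state (\w+);", re.M)   # skips "next binding state"


def parse_leases(text):
    """Return {ip: {"mac", "hostname", "state"}}; the last block per IP wins."""
    leases = {}
    for ip, body in BLOCK.findall(text):
        mac, host, state = MAC.search(body), HOST.search(body), STATE.search(body)
        leases[ip] = {
            "mac": mac.group(1).lower() if mac else None,
            "hostname": host.group(1) if host else "",
            "state": state.group(1) if state else "unknown",
        }
    return leases


def assign_zone(mac, inventory=INVENTORY):
    """Unregistered devices land in the guest zone; PHI-class hosts lose Internet."""
    entry = inventory.get(mac)
    if entry is None:
        return "guest"
    return "internal_no_internet" if entry["class"] == "phi" else "corp"


def evaluate(leases_text, known_macs, inventory=INVENTORY):
    """Zone per active lease, plus (mac, ip, hostname) alerts for MACs not seen before."""
    assignments, alerts = {}, []
    for ip, lease in parse_leases(leases_text).items():
        if lease["state"] != "active" or lease["mac"] is None:
            continue   # expired/free leases carry no access
        assignments[ip] = assign_zone(lease["mac"], inventory)
        if lease["mac"] not in known_macs:
            alerts.append((lease["mac"], ip, lease["hostname"]))
    return assignments, alerts


if __name__ == "__main__":
    seen = {"3c:97:0e:12:ab:cd", "00:1b:63:aa:bb:cc"}   # MACs from earlier runs
    zones, new = evaluate(LEASES, seen)
    for ip, zone in sorted(zones.items()):
        print(f"{ip:<12} {zone:<21} reach={ZONES[zone]}")
    for mac, ip, host in new:
        print(f"NEW DEVICE: {mac} at {ip} ({host or 'no hostname'}) -> notify help desk")
```

The zone decision is made per MAC, so whatever enforces it (firewall rules keyed on source address, or a RADIUS VLAN assignment) has to be refreshed whenever the lease file changes; a MAC is also trivially spoofable, which is why Maro pairs this with certificate-based checks under strategy 2.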


BIG DATA ANALYTICS

HUNT DOWN APTs WITH BIG DATA ANALYTICS
To follow the thread of security events through volumes of log data, incident response teams need the help that big data analytics can provide. By Adam Rice and David Ringold

ORGANIZATIONS THAT START to address information security in a meaningful way will come to a point in their maturity when they have a lot of machine data. The challenge many CISOs face is how to leverage that data quickly and correlate events dynamically across the enterprise to track down advanced persistent threats (APTs). The Sony Pictures Entertainment hacking incident in 2014 underscored the importance of security monitoring and rapid incident response to clamp down on damages before disaster strikes.

IT security managers cannot protect what they cannot see, and to see associations or patterns that can help detect APTs, enterprises must have comprehensive logging in place across multiple layers within a network. The greater the visibility, the larger the machine data, and the harder it is for cybersecurity incident response teams to follow the thread and correlate security events with threat intelligence in a meaningful way. The answers to many security questions about fraudulent activity, user behavior, communications, security risk and capacity consumption lie within these large data sets.


Why so much logging? Most advanced adversaries gain access to a victim's network via malware, drive-by links or Web shells. Once the initial attack phones home (the malware initiates an outbound connection to command-and-control (C2) hosts to get around inbound firewall rules), rootkits are delivered, and the attackers quickly gain access to a user account and drive around the network as a fully credentialed user. It is difficult to lock down a Microsoft network in any meaningful way without destroying its functionality. A successful strategy to defeat this type of attack includes the following:

Detect the malware or drive-by links before users click on them. To do this, a cybersecurity incident response team has to be able to compare user behavior against threat intelligence. This requires full packet logging of all ingress and egress traffic on an enterprise's edge.

Detect malware or rootkit delivery to the endpoint. To do this, the cybersecurity team needs verbose logging on antimalware and endpoint protection systems.

Analyze user behavior and access across the entire enterprise. Security information and event management (SIEM) tools can alert you to unusual activity, such as account usage during off hours. This is only possible with comprehensive logging of Active Directory (AD) and host access events.

COMPREHENSIVE LOGGING
All of this logging can result in close to a million potential security events a day at larger enterprises and terabytes of logging data a month. While comprehensive logging is needed, several factors have to be considered when you increase logging across the enterprise. Infrastructure that is already heavily utilized might experience performance issues with additional logging. The network team should be involved in the design of the logging infrastructure to make sure the aggregation of enterprise-wide logging does not affect performance when all log sources are pointed at a few destinations. It's important to involve key stakeholders in the design and to balance the need for logging with the function of the applications. To see across an enterprise, verbose logging should be enabled throughout as follows:

■ Layer 2 switching and choke points on enterprise distribution switches.
■ NetFlow enabled and logged where possible.
■ Critical services to send access and system logs.
■ AD to log user behaviors.
■ All Internet-exposed devices to log access and system events.
■ Endpoint protection systems to log alerts.
■ All firewall devices to log inbound access (accepts) and outbound (accepts and denies).
■ Other security devices to log alerts and access.
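The off-hours account usage check described above only becomes actionable when the AD logon is tied to what the same host did at the network edge afterwards, which is why the checklist insists on logging both firewall accepts and denies. The following is an added example, not code from the article's authors: it takes constructed AD logon events (the essentials of a Windows 4624 record) and constructed edge-firewall lines in a simplified key=value syslog style, flags interactive logons outside business hours, and correlates each with egress from the logon's source host within a short window. The field names, business hours, window and internal address ranges are assumptions to be replaced with your own.

```python
"""Off-hours logon detection correlated with edge-firewall egress (added example).

The AD and firewall lines below are constructed in a simplified key=value syslog
style; field names (EventID, LogonType, SrcIP, action, src, dst, ...) are assumptions
standing in for whatever a real 4624 export and firewall log actually use.
"""
from datetime import datetime, timedelta
import ipaddress

BUSINESS_HOURS = (7, 19)                 # 07:00-19:00 local, Monday to Friday (assumed)
CORRELATION_WINDOW = timedelta(minutes=30)
INTERACTIVE_LOGON_TYPES = {"2", "10"}    # console and RDP; type 3 (network) is too noisy
# Assumed internal address space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed AD logon events. 2016-05-03 is a Tuesday.
AD_LOGONS = """\
2016-05-03T09:12:04 EventID=4624 LogonType=2 User=jdoe Workstation=WS-FIN-01 SrcIP=10.1.20.15
2016-05-03T23:41:10 EventID=4624 LogonType=10 User=svc-backup Workstation=FS-02 SrcIP=10.1.30.9
2016-05-04T02:17:33 EventID=4624 LogonType=2 User=jdoe Workstation=WS-FIN-01 SrcIP=10.1.20.15
2016-05-04T02:20:01 EventID=4624 LogonType=3 User=jdoe Workstation=DC-01 SrcIP=10.1.20.15
"""

# Constructed edge-firewall log; accepts and denies are both logged, as the checklist asks.
FIREWALL = """\
2016-05-03T09:15:00 action=accept src=10.1.20.15 dst=93.184.216.34 dport=443 bytes=18220
2016-05-03T23:45:12 action=accept src=10.1.30.9 dst=10.1.30.50 dport=445 bytes=90000
2016-05-04T02:25:40 action=deny src=10.1.20.15 dst=198.51.100.7 dport=6667 bytes=0
2016-05-04T02:31:08 action=accept src=10.1.20.15 dst=198.51.100.7 dport=443 bytes=734112
"""


def parse_kv(line):
    """'2016-05-03T09:12:04 k=v k=v' -> {'ts': datetime, 'k': 'v', ...}."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")}
    for tok in rest.split():
        key, _, val = tok.partition("=")
        rec[key] = val
    return rec


def is_off_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not start <= ts.hour < end


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def off_hours_logons(ad_text):
    """Interactive (console/RDP) 4624 logons outside business hours."""
    hits = []
    for line in ad_text.splitlines():
        rec = parse_kv(line)
        if (rec.get("EventID") == "4624"
                and rec.get("LogonType") in INTERACTIVE_LOGON_TYPES
                and is_off_hours(rec["ts"])):
            hits.append(rec)
    return hits


def correlate(logons, fw_text):
    """Egress to external addresses from the logon's source host shortly after the logon.

    Denies are reported too: a blocked attempt on one port followed by an accepted
    connection to the same destination on another is exactly the pattern to surface.
    """
    flows = [parse_kv(l) for l in fw_text.splitlines()]
    alerts = []
    for lg in logons:
        deadline = lg["ts"] + CORRELATION_WINDOW
        for fw in flows:
            if fw["src"] != lg["SrcIP"] or not lg["ts"] <= fw["ts"] <= deadline:
                continue
            if not is_external(fw["dst"]):
                continue   # internal traffic is for the lateral-movement view, not this one
            alerts.append({
                "user": lg["User"], "host": lg["Workstation"], "logon_at": lg["ts"],
                "action": fw["action"], "dst": fw["dst"], "dport": int(fw["dport"]),
                "bytes": int(fw["bytes"]), "seen_at": fw["ts"],
            })
    return alerts


if __name__ == "__main__":
    suspicious = off_hours_logons(AD_LOGONS)
    for lg in suspicious:
        print(f"off-hours logon: {lg['User']} on {lg['Workstation']} at {lg['ts']}")
    for a in correlate(suspicious, FIREWALL):
        print(f"  egress {a['action']:<6} {a['host']} -> {a['dst']}:{a['dport']} "
              f"{a['bytes']} bytes at {a['seen_at']}")
```

Run against the sample, the backup account's 23:41 RDP logon is flagged but produces no egress alert (its only traffic stays internal), while jdoe's 02:17 console logon is followed within the window by a denied IRC-port attempt and an accepted 734 KB HTTPS session to the same external host, which is the pair an analyst wants in front of them. Using a service account's ordinary schedule as the baseline, rather than a fixed business-hours window, is the obvious next refinement.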


Most security programs begin with logs from the devices at the edge of the network, because those are usually easier to obtain. Firewall, network intrusion detection system and other network-based security products have robust and mature logging capabilities that most companies are already using. The level at which the logging is configured is paramount for visibility into APT traffic as it is leaving or entering your environment. This means that if there is an active intrusion, traffic coming and going from the network edge has to be correlated with the suspicious traffic to see the entire communications channel: malicious actors infiltrating the network, driving a compromised account, and then moving laterally across the enterprise. It's critical to be able to see both successful and denied traffic at the network edge to get a profile of what is normal for your business.

NETWORK CONNECTIVITY AND COMMUNICATIONS
At the network edge, be sure that your logging doesn't have additional blind spots to traffic that can be used to bypass your security controls. Encrypted traffic, such as SSL/HTTPS, and services that are traditionally used for communication and data transfer, such as IRC and FTP/SFTP/SSH, should also be logged in detail. Without TLS interception at the edge, what can be logged for an encrypted session is its metadata (endpoints, timing, byte counts and, for HTTPS, the server name in the handshake), and that is still enough to spot an unexpected destination or an unexpected volume.

Logging of services available to the public Internet is also of great interest, as these systems are the gateways to and from your infrastructure. Any Web server should log not only the connections into the server, but also the actions and input within the applications, so you can understand if they are being used as a bridge into your network. This logging should include not only internally developed Web applications and services but also vendor-provided appliances and applications that reside on those systems. The logging needs to enable you to see what is behind all network communications to and from your environment.

Any security device or system software within your network should also create logs. These security systems usually include, but are not limited to, antivirus or other host intrusion detection software. You can review the host logs on the systems to gain an understanding of the network accounts and computer systems that are used within the scope of the threat. Host firewall logs can be critical to understanding how the threats are moving around within the network after an initial compromise.

Similar to the host-based firewall logs, NetFlow can help monitor the traffic within your network and identify areas that require further investigation. NetFlow can alert your team to data-transfer activity within your network that might not be authorized, or to sensitive information that is being staged for transmission outside of your network.

CENTRALIZED SYSTEM
Network authentication logs from AD and other LDAP-based services used for central authentication of users


and network systems enable you to trace access within your environment and begin to frame up which systems are involved with the threat. Many of the applications and systems in this list will have the capability to send logs off to a centralized system, either through syslog or another facility. Having a central log collection and analysis system is crucial because trying to look in all of these systems, with multiple sources and locations, for the log information is tedious work. This log information will be written to system logs on the hosts, which systems administrators will want to constrain so the data doesn't consume usable system disk space. Security logs kept on systems will usually contain data for a few days at most, and in many situations only a few hours. This is not sufficient time to allow for analysis and review.

Most intrusions are not detected for months after the initial compromise (which may have been the case with Sony). If log data is not collected and retained during those months, identifying the source system or the persistence mechanism becomes impossible, and the threat may remain within your network for a very long time.

BIG DATA PROBLEM
When the cybersecurity incident response team investigates an incident, they must be able to follow the thread of events through logged data, and that path is interwoven through the Microsoft domain, security devices, edge devices, switches and routers. During a security event, time is essential in stopping the unauthorized exfiltration of data from a network. The period from the point of discovery to when an active defense is put in place and the adversary is stopped is a critical time.

To be successful in seeing, stopping and investigating a cyberevent, an enterprise must have the ability to quickly query very large sets of machine data. The notion of having a commercial off-the-shelf tool that has all the answers programmed into its graphical user interface is a fallacy. There is no fixed solution. Queries against large sets of machine data must be dynamic, and results must be presented quickly. For security analysts to be successful, they have to be able to manage big data.

As the number of log sources grows, so does the volume of the log data being collected. This growth never follows a linear path. Each system generates more and more data; and with each system, another system comes into scope. If all systems and devices are sending logs to a centralized system, which is the ultimate goal, the volume of data quickly becomes unmanageable.

With systems now producing more log data than ever before, and diverse data sources required to search out and locate a threat within the network, a new way to perform data analysis and identify correlated events is needed. The commercial SIEM companies are trying hard to play catch-up and are positioning their products to support the large volumes of data produced and collected.

(Continued on page 18)


[Figure: The Security Lifecycle. Tracking APTs across an enterprise, from robust logging and actionable intelligence to security analytics. The diagram shows three feeds converging on the analyst: (1) comprehensive logging of network devices, security devices, servers, mail, devices on the edge, directory server, SIEM tool, IDS and network DVR, producing large sets of machine data that are queried with data analytics tools (Splunk, NetWitness, ArcSight) to raise alerts; (2) actionable intelligence from third-party malware IOCs, spear phishing alerts and blocks, intel from LE (law enforcement), open source intelligence, commercial intel and internal investigation; (3) security analytics performed with the SIEM, big data tools, frameworks, endpoint agents, malware sandbox analysis and forensics. Source: Adam Rice; design: Chris Seero.]
ANALYTICS TOOLS

Big data analytics must provide the ability to correlate logging events based on time and user behavior across the entire spectrum of devices and technologies in an enterprise. Traditional SIEM tools are not good at this task because they organize data into databases, which become too big and clunky to query across. Typically, flat files of machine data are best for fast queries. Several network tools designed for this purpose work very well. Splunk Enterprise and IBM QRadar Security Intelligence Platform are examples of big data analytics tools, but organizations need to build an integrated tool set designed to complement the security analyst's needs. With these tools and processes come unique skills. The evolving job of the modern security analyst is exactly what the big data problem needs.

With the right tools, a cybersecurity incident response team can follow the thread from a known event, like a malware alert, to the behavior of compromised credentialed user accounts, to the machines those accounts are coming from, to active IP sessions on the edge of the network. Without logging, none of this would be possible.

As CISOs build an active defense against the APT, increased logging across the enterprise becomes a critical part of seeing and correlating events to track down the bad guys. It is not enough to simply turn on logging across the enterprise: People, tools and processes have to be established to use the data in a meaningful way.

Without a means of leveraging this big data quickly and dynamically, its usefulness disappears. Planning, process and skilled staff are all keys to using large sets of machine data to win the battle against the APT. Before simply turning up logging across the enterprise, CISOs have to make sure that the budget is in place to acquire the big data analytics tools necessary to correlate events across the data, and that they have the staff with the expertise to use those tools. One without the other is not a workable solution.

ADAM RICE is the CISO at Alliant Techsystems (ATK). An infosec professional with 17 years of experience, he has served as CSO of a global telecommunications company; general manager and vice president of a managed security services business; and director in several network consulting companies. He is a retired U.S. Army noncommissioned officer and a regular contributor to several information security publications.

JAMES RINGOLD is a senior enterprise security architect at ATK who has worked in the aerospace and defense, electronic discovery and investigations, and retail industries, performing technical evaluations and building information security programs in various stages. As a security operations manager and incident responder for 17 years, he focused on countermeasures and controls to detect and mitigate cyberintrusions.
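The pivot described under Analytics Tools (malware alert to compromised accounts to machines to edge sessions), and the Big Data Problem section's point that several log sources have to be queried together and quickly, are shown below as a small worked example. It is added here and is not code from the article or its authors. The log formats, hostnames, accounts, IP addresses, timestamps, time windows and the 100 MiB transfer threshold are all constructed assumptions: simplified stand-ins for what an AV console, the Windows Security log (event 4624) and a web proxy actually emit.

```python
# Added example, not code from the article or its authors: a "follow the
# thread" pivot across three centralized log sources.
# Every hostname, account, IP address, timestamp and log format here is
# constructed for illustration; the key=value layouts are simplified
# stand-ins for what an AV console, the Windows Security log (event 4624)
# and a web proxy would really emit.
import re
from datetime import datetime, timedelta

# Constructed sample records, one line per event, already centralized
# (in production these arrive over syslog or an agent and are indexed).
AV_ALERTS = [
    "2016-05-02T09:14:05Z av host=ws-1042 user=jdoe threat=Trojan.Gen action=quarantined",
]
AD_LOGONS = [  # "host" is the machine the logon happened on
    "2016-05-02T08:55:10Z winlogon event=4624 user=jdoe host=ws-1042 type=2",
    "2016-05-02T09:20:31Z winlogon event=4624 user=jdoe host=fileserv-02 type=3",
    "2016-05-02T09:41:02Z winlogon event=4624 user=svc_backup host=fileserv-02 type=3",
    "2016-05-02T10:02:17Z winlogon event=4624 user=jdoe host=db-07 type=3",
    "2016-05-02T10:30:00Z winlogon event=4624 user=asmith host=ws-2210 type=2",
]
PROXY_SESSIONS = [
    "2016-05-02T10:11:45Z proxy host=db-07 dst=203.0.113.25:443 bytes_out=734003200",
    "2016-05-02T10:12:03Z proxy host=ws-2210 dst=198.51.100.7:443 bytes_out=18220",
    "2016-05-02T12:40:00Z proxy host=fileserv-02 dst=203.0.113.25:443 bytes_out=52428800",
    "2016-05-02T16:30:00Z proxy host=ws-1042 dst=203.0.113.25:443 bytes_out=943718400",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Normalize one raw line into a dict with a real timestamp and a
    'source' tag so events from different products can be compared."""
    ts, source, rest = line.split(" ", 2)
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    rec.update(KV.findall(rest))
    return rec


def build_index(lines):
    """Parse and time-order everything: the 'large set of machine data'
    an analyst queries, shrunk to a list."""
    return sorted((parse(l) for l in lines), key=lambda r: r["ts"])


def follow_thread(alert, events, lookback=timedelta(hours=2),
                  lookahead=timedelta(hours=6), exfil_bytes=100 * 2**20):
    """Pivot from one malware alert: alert host -> accounts active on it ->
    hosts those accounts reached afterwards -> large outbound sessions from
    those hosts at the edge. Windows and threshold are assumed values."""
    t0 = alert["ts"]
    logons = [e for e in events if e["source"] == "winlogon"]
    sessions = [e for e in events if e["source"] == "proxy"]

    # 1. Credentials present on the alerting host shortly before the alert
    #    are treated as potentially stolen.
    users = {e["user"] for e in logons
             if e["host"] == alert["host"] and t0 - lookback <= e["ts"] <= t0}
    if "user" in alert:
        users.add(alert["user"])

    # 2. Any other host those accounts logged on to after the alert is a
    #    lateral-movement candidate.
    hosts = {alert["host"]}
    hosts.update(e["host"] for e in logons
                 if e["user"] in users and t0 <= e["ts"] <= t0 + lookahead)

    # 3. Outbound sessions from those hosts at the network edge, keeping
    #    only transfers large enough to matter.
    exfil = [(e["host"], e["dst"], int(e["bytes_out"])) for e in sessions
             if e["host"] in hosts and t0 <= e["ts"] <= t0 + lookahead
             and int(e["bytes_out"]) >= exfil_bytes]
    return {"users": sorted(users), "hosts": sorted(hosts), "exfil": exfil}


if __name__ == "__main__":
    events = build_index(AV_ALERTS + AD_LOGONS + PROXY_SESSIONS)
    alert = next(e for e in events if e["source"] == "av")
    print(follow_thread(alert, events))
```

Run as a script it prints the suspect accounts, hosts and flagged sessions for the single alert: jdoe, then ws-1042, fileserv-02 and db-07, then the 700 MB session from db-07. The point is the shape of the query rather than the thresholds: each step is a filter over one normalized, time-ordered set, which is the kind of ad hoc, windowed pivot the authors argue a fixed GUI cannot anticipate. The 16:30 session from ws-1042 falls outside the six-hour window and is deliberately not flagged; an analyst widens that blind spot by re-running with a longer window, not by waiting for a vendor rule.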


TechTarget Security Media Group

EDITORIAL DIRECTOR Robert Richardson
EXECUTIVE MANAGING EDITOR Kara Gattine
MANAGING EDITOR Brenda L. Horrigan
FEATURES EDITOR Kathleen Richards
DIRECTOR OF ONLINE DESIGN Linda Koury
COLUMNISTS Johna Till Johnson, Adam Rice, James Ringold, David Strom
CONTRIBUTING EDITORS Kevin Beaver, Michele Chubirka, Michael Cobb, Scott Crawford, Peter Giannoulis, Francoise Gilbert, Joseph Granneman, Ernest N. Hayden, David Jacobs, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Mike Rothman, Karen Scarfone, Joel Snyder, Steven Weil, Ravila Helen White, Lenny Zeltser

EDITORIAL BOARD
Phil Agcaoili, Cox Communications
Seth Bromberger, Energy Sector Consortium
Mike Chapple, Notre Dame
Brian Engle, Health and Human Services Commission, Texas
Mike Hamilton, City of Seattle
Chris Ipsen, State of Nevada
Nick Lewis, Saint Louis University
Rich Mogull, Securosis
Tony Spinelli, Equifax
Matthew Todd, Financial Engines
MacDonnell Ulsch, PwC U.S.

VICE PRESIDENT/GROUP PUBLISHER Doug Olender, dolender@techtarget.com

Stay connected! Follow @SearchCloudSecurity today.

© 2016 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

TechTarget, 275 Grove Street, Newton, MA 02466, www.techtarget.com

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

COVER IMAGE AND PAGE 3: TRIFONENKO/ISTOCK