Thanks to all the people that contacted me with interest on how HP Labs has applied HP Security Analytics techniques for Risk Analysis in the context of Incident Management Processes. I would like to remind that this HP Labs capability (along with related technologies and know-how) have now been transferred to HP Enterprise Security Services (HP ESS). Please feel free to contact HP ESS representatives if you would like to use the service.
An example of the benefits and risk assessment capabilities that can be achieved with Security Analytics (specifically in the space of Security Operation Centers and their Incident Management Processes) has been docuemented in a recent HP Labs Technical Report has been recently called “Security Analytics – Risk Analysis for an Organisation’s Incident Management Processes”:
“This document is an example of the type of report an organisation would receive at the end of a HP Security Analytics engagement. The focus is on the analysis of the security risks and performance of the organisation’s Security Incident & Events Management (SIEM) Processes and related Security Operation Centre (SOC)’s activities. HP Labs carried out the underlying R&D work in collaboration with HP Enterprise Security Services and involved analysis of processes, probabilistic modeling, simulation and “what-if” analysis for some of HP’s key customers. The outcome of this was a set of case studies from which we have been able to create this more general anonymised report illustrating the richness of the risk assessment and “what-if” analysis that has been carried out.
The lifecycle management of security is critical for organisations to protect their key assets, ensure a correct security posture and deal with emerging risks and threats. It involves various steps, usually carried out on an ongoing, regular basis, including: risk assessment; policy definition; deployment of controls within the IT infrastructure; monitoring and governance. In this context, Security Incident & Events Management play a key role. Even the best information security practices and investments in security controls cannot guarantee that intrusions – accidental and criminal activities – and/or other malicious acts will not happen. Controls can fail, be bypassed or become inadequate over time; new threats emerge. Managing such incidents requires detective and corrective controls to minimise adverse impacts, gather evidence, and learn from previous situations in order to improve over time. These incident management processes are usually run in the context of a SOC and/or as part of specialised Computer Security Incident Response Teams (CSIRTS), built on top of SOCs.
Even with SIEM in place, a potential major risk for the organisation arises due to delays introduced in assessing and handling known incidents: this may postpone the successful resolution of critical security incidents (e.g. devices exposed on the Internet, exploitation of privileged accounts, deployed malware, etc.) and allow for further exploitation. Another related risk can be introduced by sudden and/or progressive changes of the threat landscape, due to changing economic and social scenarios, new business activities or process failings within the existing IT services. This might create unexpected volumes of new events and alerts to be processed by the security team and as such, introduce additional delays. Hence, it is important for an organisation to understand the risk exposure due to their Incident Management processes, explore potential future scenarios (e.g. changes in available resources or threats landscapes or adoption of Cloud solutions) and identify suitable ways to address related issues, e.g. by introducing process changes and/or making investments in security controls.
HP Security Analytics is uniquely positioned to provide the analysis of the involved risks, explore what-if scenarios and provide decision support for decision makers. This type of Security Analytics assessments is now available as a service, provided by HP ESS.”.
--- Posted by Marco Casassa Mont (here and here) ---
--- NOTE: use this mirror blog if you prefer posting on an external blog site ---
--- NOTE: my original HP blog can be found here ---
No comments:
Post a Comment