Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Tuesday, September 11, 2012

New HPL TR: Security Analytics – Risk Analysis for Incident Management Processes

A new HP Labs Technical Report has been recently released called “Security Analytics – Risk Analysis for an Organisation’s Incident Management Processes”. It is currently available online here.




The abstract of the HPL TR follows:

“This document is an example of the type of report an organisation would receive at the end of a HP Security Analytics engagement. The focus is on the analysis of the security risks and performance of the organisation’s Security Incident & Events Management (SIEM) Processes and related Security Operation Centre (SOC) activities. HP Labs carried out the underlying R&D work in collaboration with HP Enterprise Security Services and involved analysis of processes, probabilistic modeling, simulation and “what-if” analysis for some of HP’s key customers. The outcome of this was a set of case studies from which we have been able to create this more general anonymised report illustrating the richness of the risk assessment and “what-if” analysis that has been carried out.

The lifecycle management of security is critical for organisations to protect their key assets, ensure a correct security posture and deal with emerging risks and threats. It involves various steps, usually carried out on an ongoing, regular basis, including: risk assessment; policy definition; deployment of controls within the IT infrastructure; monitoring and governance. In this context, Security Incident & Events Management plays a key role. Even the best information security practices and investments in security controls cannot guarantee that intrusions – accidental and criminal activities – and/or other malicious acts will not happen. Controls can fail, be bypassed or become inadequate over time; new threats emerge. Managing such incidents requires detective and corrective controls to minimise adverse impacts, gather evidence, and learn from previous situations in order to improve over time. These incident management processes are usually run in the context of a SOC and/or as part of specialised Computer Security Incident Response Teams (CSIRTs), built on top of SOCs.

Even with SIEM in place, a potential major risk for the organisation arises due to delays introduced in assessing and handling known incidents: this may postpone the successful resolution of critical security incidents (e.g. devices exposed on the Internet, exploitation of privileged accounts, deployed malware, etc.) and allow for further exploitation. Another related risk can be introduced by sudden and/or progressive changes of the threat landscape, due to changing economic and social scenarios, new business activities or process failings within the existing IT services. This might create unexpected volumes of new events and alerts to be processed by the security team and as such, introduce additional delays. Hence, it is important for an organisation to understand the risk exposure due to their Incident Management processes, explore potential future scenarios (e.g. changes in available resources or threats landscapes or adoption of Cloud solutions) and identify suitable ways to address related issues, e.g. by introducing process changes and/or making investments in security controls.

HP Security Analytics is uniquely positioned to provide the analysis of the involved risks, explore what-if scenarios and provide decision support for decision makers. This type of Security Analytics assessment is now available as a service, provided by HP ESS.”



--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

--- NOTE: my original HP blog can be found here ---



HP SILAS: Security Intelligence-as-a-Service

We are making good progress in the development of the HP SILAS service (Security Intelligence-as-a-Service), a project in collaboration with HP Enterprise Security Services.




SILAS aims at providing key decision makers within organisations with strategic metrics, predictions and “what-if” analysis (leveraging HP Security Analytics) for risk assessment, scenario planning and decision support.



SILAS uses information provided by current SIM/SEM solutions (e.g. HP ArcSight), threat intelligence services (e.g. HP DV Labs and HP TippingPoint/ThreatLinQ) and other logging systems to ground the statistical estimation of risk metrics and to provide input parameters to HP Security Analytics’ predictive metrics and simulations.



We are currently considering the deployment of SILAS within Security Operation Centres (SOCs). SOC customers will receive strategic reports consisting of trend analysis and benchmarks (against other customers in a community) on key, agreed metrics.



Current risk metrics relate to organisation processes (e.g. vulnerability management processes, incident management & user account provisioning/deprovisioning), assessment of SOC incident management processes (of relevance to the customer), external threats (e.g. Zero Day Threats) and predictive metrics (related to all the above areas).



They are meant to be delivered to key decision makers (C*O). I am looking forward to getting suggestions about additional metrics that might be of relevance, at that level, in the security context and beyond it.
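The abstract of the HPL TR above describes probabilistic modelling, simulation and what-if analysis of the delays an incident management process introduces, and the SILAS post describes grounding risk metrics in SIEM and ticketing data. The Python script below is an added example of that approach in miniature; it is not HP Labs, HP Security Analytics or SILAS code. It estimates arrival and handling rates from a constructed ticket export, then simulates time-to-resolution under a baseline and three what-if scenarios (an event surge, an extra analyst, and both). The ticket records, the analyst pool size and the single-FIFO-queue model with exponential arrivals and handling times (an M/M/c queue) are all assumptions made for the illustration.

```python
"""Incident-handling what-if simulation: estimate process parameters from a
ticket export, then simulate resolution delay under alternative scenarios.
Added illustration only; not HP Security Analytics or SILAS code."""
import heapq
import random
import statistics

# Constructed sample of closed incident tickets, shaped like a SIEM/ticketing
# export: (ticket_id, severity, opened_at_seconds, handling_seconds).
# Every value here is invented for the example.
SAMPLE_TICKETS = [
    ("INC-0001", "high",   0,     5400),
    ("INC-0002", "low",    1800,  1800),
    ("INC-0003", "medium", 3000,  3600),
    ("INC-0004", "high",   7200,  7200),
    ("INC-0005", "low",    9000,  900),
    ("INC-0006", "medium", 10800, 2700),
]


def estimate_parameters(tickets):
    """Return (mean inter-arrival seconds, mean handling seconds) from history,
    so the simulation is grounded in observed data rather than guesses."""
    opened = sorted(t[2] for t in tickets)
    gaps = [later - earlier for earlier, later in zip(opened, opened[1:])]
    mean_interarrival = statistics.fmean(gaps)
    mean_handling = statistics.fmean(t[3] for t in tickets)
    return mean_interarrival, mean_handling


def simulate(mean_interarrival, mean_handling, analysts, n_incidents=5000, seed=1):
    """Discrete-event model: Poisson arrivals, exponential handling times and a
    fixed pool of analysts serving one FIFO queue (assumed M/M/c behaviour).
    Returns summary statistics of time-to-resolution (queueing + handling)."""
    rng = random.Random(seed)
    free_at = [0.0] * analysts            # min-heap: when each analyst is next free
    heapq.heapify(free_at)
    clock = 0.0
    resolution = []
    for _ in range(n_incidents):
        clock += rng.expovariate(1.0 / mean_interarrival)   # next incident arrives
        earliest_free = heapq.heappop(free_at)
        start = max(clock, earliest_free)                    # wait if everyone is busy
        finish = start + rng.expovariate(1.0 / mean_handling)
        heapq.heappush(free_at, finish)
        resolution.append(finish - clock)
    resolution.sort()
    utilisation = mean_handling / (analysts * mean_interarrival)
    return {
        "mean_resolution_s": statistics.fmean(resolution),
        "p95_resolution_s": resolution[min(len(resolution) - 1, int(0.95 * len(resolution)))],
        "utilisation": utilisation,
        # At utilisation >= 1 the backlog grows without bound: the reported delay
        # then depends on run length, which is the risk the text describes.
        "stable": utilisation < 1.0,
    }


def what_if(tickets, baseline_analysts=2):
    """Run the baseline and three scenarios: an event surge (+50% arrivals),
    one extra analyst, and both together."""
    interarrival, handling = estimate_parameters(tickets)
    scenarios = {
        "baseline":          (interarrival,       baseline_analysts),
        "surge_plus_50pct":  (interarrival / 1.5, baseline_analysts),
        "add_one_analyst":   (interarrival,       baseline_analysts + 1),
        "surge_and_analyst": (interarrival / 1.5, baseline_analysts + 1),
    }
    return {name: simulate(ia, handling, c) for name, (ia, c) in scenarios.items()}


if __name__ == "__main__":
    for name, result in what_if(SAMPLE_TICKETS).items():
        print(f"{name:18s} mean={result['mean_resolution_s'] / 3600:6.2f}h "
              f"p95={result['p95_resolution_s'] / 3600:6.2f}h "
              f"util={result['utilisation']:.2f} stable={result['stable']}")
```

Run it directly to print the four scenarios. With the constructed data the baseline pool of two analysts runs at about 83% utilisation; the surge scenario pushes that above 100%, so its backlog never drains and the figure it reports is an artefact of the run length rather than a steady state, which is the delay risk the abstract warns about. A real engagement would fit distributions to the actual SIEM and ticket export, model severity-based prioritisation rather than a single FIFO queue, and treat the threat-landscape change as a time-varying arrival rate rather than a flat multiplier.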




HP Labs SAaaS: Situational Awareness-as-a-Service

At HP Labs Bristol we are making good progress towards the development of a futuristic demonstrator in the space of Situational Awareness, named “Situational Awareness-as-a-Service” (SAaaS).




This demonstrator focuses on the disaggregated IT of current/future organisations which increasingly rely on third parties (IaaS, SaaS providers in the Cloud, etc.) to carry out their IT and business activities.



We demonstrate the issues and opportunities related to safely handling information sharing between the organisation and its various providers, in the context of a future Next Generation IT Operation Centre and Security Operation Centre (SOC).



This includes illustrating the trade-offs in defining information sharing policies and handling queries to gather data from the involved parties, the clever analytics processing that can be performed on top of shared data (e.g. by leveraging HP Software solutions, HP/HPL SILAS, etc.) and the role of external, trusted information aggregators.



HP Labs will use the SAaaS vision to develop further innovative technologies in the area of controlled analytics and information sharing for large data sets.



The demonstrator currently consists of various storyboards focusing on IT and security information sharing stories. I am looking for public, real stories within organisations highlighting the pain points and issues in current disaggregated IT and security operations. The goal is to showcase them and illustrate how they could improve by leveraging SAaaS and future HPL/HP technologies.




HP Introduces Intelligent Security Solutions to Drive Innovation and Reduce Risk

HP announced additions to its security solutions portfolio that enable enterprises to assess, transform, optimize and manage their security environments to proactively protect what matters. Details are available online, here.


“Cloud, mobility and big data initiatives are helping organizations solve pressing challenges, while driving accelerated innovation, enhanced agility and improved financial management. However, these initiatives also can introduce big security concerns.

According to new research conducted on behalf of HP, concerns around understanding security requirements for cloud services as well as how to secure and consume big data are top of mind for nearly two-thirds of business and technology executives. Half of those surveyed are concerned about mobile data loss or theft. In addition, more than half of respondents admitted that their organizations spend more time and money on reactive measures than on proactive risk management.(1)

A reactive, perimeter-based approach to security is no longer sufficient. Enterprises need proactive, intelligent security solutions that span traditional and hybrid delivery models, and address the challenges brought on by these new shifts in IT.

“Cybersecurity threats are growing exponentially, and without a proactive information risk management strategy, enterprise growth, innovation and efficiencies are hindered,” said George Kadifa, executive vice president, Software, HP.

“HP helps clients protect what matters most to their organizations by delivering intelligent security solutions that prioritize security resources to help identify threats earlier and enable a faster response time,” said Mike Nefkens, acting executive vice president, Enterprise Services, HP.”


