The Holy Grail of infosecurity
Jason Holloway, ExaProtect

Just say Ni to the rabbit of Caerbannog: if this makes little
sense, neither will the following
Monty Python and The Holy Grail made Ben Hur
look like an epic, set cinema back 900 years, and is one of the
richest sources of quotes for pub conversations. Yet the film is
also rich in security management concepts from which any IT security
team can learn. Here’s a selection of key scenes which show
how you could improve your infosecurity stance.
Build on secure foundations
Prince Herbert’s father is proudly showing his son the kingdom
he will inherit. He tells the Prince: “All I had when I started
was swamp… other kings said I was daft, but I built my castle
all the same, just to show 'em. It sank into the swamp. So I built
another one... that sank into the swamp. I built another one...
that burnt down, fell over and sank into the swamp. So I built another,
and that stayed up…”
The lesson is to build the security fortress on solid foundations,
using established security frameworks such as COBIT, COSO, ITIL,
BS7799 / ISO17799 or the newer ISO27001. These help you implement
robust IT and security management processes and determine your control
indicators for ongoing security and governance procedures. So your
security processes won’t sink into the mud at the first challenge.
Event filtering – living to tell the tale
The Knights Who Say ‘Ni’ were feared for the manner
in which they uttered this sacred word. In fact, those that heard
the Knights’ mass chorus of ‘Ni!’ seldom lived
to tell the tale.
It’s the same with monitoring security events across networks
– those that try to do it without first filtering out the
event noise will be lucky to survive. With thousands of events from
multiple systems being reported every second, staff can’t
hope to cope without tools to help them.
This is where security information and event management (SIEM)
comes in. It filters, aggregates and correlates the security data
and log traffic generated by multiple systems, reducing the number
of visible alerts by a factor of 1000 or more, giving IT staff
a far less cluttered view of what's happening. Yet at the same time,
the solution stores the raw data logs for analysis, if required.
Chasing false positives
Sir Lancelot the Brave, the most violent and unstable of the Knights
of the Round Table, receives a note reading: “I have been
imprisoned by my father who wishes me to marry against my will.
Please, please, please come and rescue me. I am in the tall tower
of Swamp Castle.”
Fired with zeal to rescue what he believes is a damsel in distress,
he storms the castle single-handed, slashing and hacking at guards
and guests alike. On reaching the tall tower, he finds the author
of the note: Prince Herbert. Lancelot is crushed, and curses his
overeagerness to respond.
False positive alerts from security systems such as IDS/IPS are
the bugbear of security teams, and cutting these to a minimum is
another key SIEM system function – assisted by tuning the
IDS.
Black Beasts and raw logs
The Knights are reading the carvings written by Joseph of Arimathea
which tell the location of the Holy Grail. The carvings say that
the Grail is located in the "Castle of Aaaarrrrrrggghhh".
As they try to figure out what the Castle of Aaaarrrrrrggghhh is,
the Black Beast sneaks up on them.
The carvings are a prime example of a badly-correlated security
alert that is no longer supported by the raw log data of the original
event. Without access to the original raw logs, Arthur and the Knights
cannot see what happened, and so are unprepared for the Black Beast’s
attack.
In the same way, if IT teams retain the raw logs behind earlier
security alerts, they can review and replay those logs to understand
what actually happened.
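The three SIEM functions described in the preceding sections (filtering and aggregation of event noise, tuning out a known false positive, and keeping every alert linked to the raw log lines behind it) can be seen together in one small pipeline. This is an added example, not ExaProtect's code or anything from the original article; the log format, host names, addresses and the suppression rule for an assumed authorised vulnerability scanner are all constructed for illustration.

```python
"""Toy SIEM pipeline (added example): normalise raw logs, tune out a known
false positive, correlate a brute-force pattern, aggregate duplicates, and
keep every alert linked to the raw lines so analysts can drill down."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample logs. Assumed format: "<time> <host> <type> k=v k=v ...".
# 300 identical firewall drops stand in for the event noise a SIEM must collapse.
RAW_LOGS = [
    f"10:{i // 60:02d}:{i % 60:02d} fw01 DROP src=203.0.113.9 dst=10.0.0.5 dport=22"
    for i in range(300)
] + [
    "10:05:00 ids01 ALERT sig=NMAP_SCAN src=10.0.0.50 dst=10.0.0.5",  # scanner host
    "10:05:01 srv05 AUTH_FAIL user=root src=203.0.113.9",
    "10:05:02 srv05 AUTH_FAIL user=admin src=203.0.113.9",
    "10:05:03 srv05 AUTH_FAIL user=oracle src=203.0.113.9",
    "10:05:04 srv05 AUTH_OK user=oracle src=203.0.113.9",
    "10:05:05 srv05 AUTH_OK user=alice src=10.0.0.21",
]

# IDS tuning rule for a known false positive: the (hypothetical) authorised
# vulnerability scanner at 10.0.0.50 legitimately trips the scan signature.
SUPPRESSIONS = [{"type": "ALERT", "src": "10.0.0.50"}]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<type>\S+)(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    id: int  # index into the raw log store, never discarded
    ts: str
    host: str
    type: str
    fields: dict
    suppressed: bool = False


@dataclass
class Alert:
    title: str
    severity: str
    event_ids: list = field(default_factory=list)  # drill-down to raw lines


def parse(lines):
    """Normalise each raw line into an Event; the raw text stays in `lines`."""
    events = []
    for i, line in enumerate(lines):
        m = LINE_RE.match(line)
        if m:
            events.append(Event(i, m["ts"], m["host"], m["type"],
                                dict(KV_RE.findall(m["kv"]))))
    return events


def apply_suppressions(events, rules):
    """Flag tuned-out false positives rather than deleting them."""
    for ev in events:
        for rule in rules:
            if all(ev.fields.get(k) == v or getattr(ev, k, None) == v
                   for k, v in rule.items()):
                ev.suppressed = True
    return events


def correlate_bruteforce(events, threshold=3):
    """N failed logins from one source followed by a success -> one high alert."""
    by_src = defaultdict(list)
    for ev in events:
        if not ev.suppressed and ev.type in ("AUTH_FAIL", "AUTH_OK"):
            by_src[ev.fields.get("src")].append(ev)
    alerts, consumed = [], set()
    for src, evs in by_src.items():
        fails = []
        for ev in evs:  # events arrive in log order
            if ev.type == "AUTH_FAIL":
                fails.append(ev)
                continue
            if len(fails) >= threshold:  # AUTH_OK after enough failures
                ids = [e.id for e in fails] + [ev.id]
                alerts.append(Alert(f"Brute-force login succeeded from {src} "
                                    f"as {ev.fields.get('user')}", "high", ids))
                consumed.update(ids)
            fails = []
    return alerts, consumed


def aggregate(events, consumed):
    """Collapse repeated events with the same host/type/source into one alert."""
    groups = defaultdict(list)
    for ev in events:
        if not ev.suppressed and ev.id not in consumed:
            groups[(ev.host, ev.type, ev.fields.get("src"))].append(ev.id)
    alerts = []
    for (host, typ, src), ids in groups.items():
        sev = "low" if typ in ("DROP", "ALERT") else "info"
        alerts.append(Alert(f"{len(ids)}x {typ} on {host} from {src}", sev, ids))
    return alerts


def run_pipeline(lines, suppressions=SUPPRESSIONS, threshold=3):
    events = apply_suppressions(parse(lines), suppressions)
    alerts, consumed = correlate_bruteforce(events, threshold)
    return events, alerts + aggregate(events, consumed)


def drill_down(alert, lines):
    """Return the raw log lines behind an alert (the original carvings)."""
    return [lines[i] for i in alert.event_ids]


if __name__ == "__main__":
    events, alerts = run_pipeline(RAW_LOGS)
    print(f"{len(RAW_LOGS)} raw events -> {len(alerts)} alerts, "
          f"{sum(e.suppressed for e in events)} suppressed by tuning")
    for a in alerts:
        print(f"[{a.severity}] {a.title} (raw ids {a.event_ids[:4]})")
    print("drill-down:", drill_down(alerts[0], RAW_LOGS)[:2])
```

Running it collapses 306 raw events into three alerts: one high-severity correlated brute-force alert carrying the ids of its four contributing lines, one aggregate of the 300 firewall drops, and one informational login. The scanner's IDS hit is flagged as suppressed but stays in the event store, so, unlike the Knights, an analyst can always go back to the raw lines behind any alert.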
So there you have it – four key steps on the quest for the
Holy Grail of IT security. With these, you’re sure to have
more success than King Arthur and his knights.
Jason Holloway is vice-president of marketing for SIEM vendor
ExaProtect