Recent cyber-attacks on large corporations such as eBay and Target have prompted companies to reconsider the way they handle the security of their web applications. Technologies such as antivirus software, firewalls, and secure coding practices greatly increase the time and effort required to compromise a system, yet attackers consistently stay a step ahead. Since no set of controls stops every threat, the greatest gains come not from yet more preventive measures but from faster, better-organized response once an intrusion is detected. The future of internet security lies in "security information and event management" tools (SIEMs), standards for structured threat information sharing, and the newest members of the security industry, incident response software.
Today, the internet security industry offers security information and event management tools (SIEMs). These tools collect logs and alerts from networks, hosts, and applications, correlate them in near real time, and aim to shorten the time between a breach and its discovery. Dozens of SIEM products exist, including those from McAfee, ArcSight, and Splunk. These tools are constantly improving and are becoming more widespread among large corporations with substantial security needs. However, a SIEM has two limitations a practitioner should keep in mind: it can only see what is logged and forwarded to it, and it runs on the same corporate network that has already been attacked and potentially compromised, so an attacker with sufficient access can suppress or tamper with the very events it depends on.
Threat Information Transfer Standards
The speed of responding to a cyber-threat depends on moving threat information quickly between systems, both within the company and among other organizations. This is where information sharing standards, such as STIX®, are essential. STIX is a structured language for describing threat information (indicators, observed data, tactics, campaigns); it was originally expressed in XML and is now expressed as JSON, and its companion protocol TAXII carries STIX content between participants. Structured formats like these let organizations share threat data at the moment of the incident instead of by e-mail and spreadsheet. In order to send and receive structured threat information, there must be software on each end that can parse the data, match it against local telemetry, and present it to analysts. Companies will need incident response software to meet this need.
Incident Response Software
"Incident response is both a critical and long-neglected area of IT security... there is an urgent need for incident response products and tools." (Bruce Schneier)
Incident response software, such as CyberSponse and Co3 (where Schneier was CTO at the time), aims to be an all-encompassing product that can retrieve alerts from SIEM tools, exchange information using a threat information sharing standard, and define a workflow so that the team is ready for attacks and can automate parts of the response. When a cyber-attack occurs, a security team needs an application that offers secure, out-of-band communication and data analysis: if the response is coordinated over the compromised network itself, the attacker may be able to read the team's plans or disrupt them. An incident response tool can be likened to firefighters responding to a fire. Ideally, a smoke alarm is linked to dispatchers, who are linked to firefighting teams that can be at the fire within minutes. Similarly, incident response software links initial threat detection to response teams, and distributes information about the particular threat to the rest of the environment so that the same indicators are caught immediately next time.
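The following is an added example, written for this page and not code from the original post, from OASIS/STIX, or from any vendor named above. It shows the end of the pipeline the two previous sections describe: a STIX 2.1 indicator bundle is parsed, its indicators are matched against SIEM-style events, and each hit becomes an alert record that a response workflow could act on. The bundle, the events, the hypothetical log field names (`dst_ip`, `dns_query`, `sha256`) and the mapping between STIX object paths and those fields are all constructed for illustration. Only the simplest STIX pattern shape (a single `=` comparison) is handled; compound patterns are skipped rather than misread, which is the safe failure mode for a matcher.

```python
"""Match a STIX 2.1 indicator bundle against SIEM-style events (added example)."""
import json
import re
from dataclasses import dataclass
from typing import Optional


def _indicator(n: int, name: str, pattern: str) -> dict:
    """Build a minimal STIX 2.1 indicator object (constructed sample data)."""
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--0f3c1d5a-6b2e-4c1f-9a8d-00000000000{n}",
        "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
        "name": name, "pattern_type": "stix", "pattern": pattern,
        "valid_from": "2024-01-01T00:00:00Z",
    }


# Constructed STIX bundle, not a real feed. The last indicator uses a compound
# pattern this matcher does not support; the malware object is not an indicator.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0f3c1d5a-6b2e-4c1f-9a8d-000000000001",
    "objects": [
        _indicator(2, "Known C2 address", "[ipv4-addr:value = '198.51.100.7']"),
        _indicator(3, "Phishing kit host", "[domain-name:value = 'update.evil.example']"),
        _indicator(4, "Dropper binary", "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"),
        _indicator(5, "Compound example",
                   "[ipv4-addr:value = '203.0.113.9' AND network-traffic:dst_port = 4444]"),
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--0f3c1d5a-6b2e-4c1f-9a8d-000000000006",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "name": "ExampleRAT", "is_family": True},
    ],
})

# Constructed SIEM events using a hypothetical normalized schema.
SIEM_EVENTS = [
    {"ts": "2024-02-03T10:15:01Z", "host": "ws-017", "src_ip": "10.0.4.23",
     "dst_ip": "198.51.100.7", "dst_port": 443},
    {"ts": "2024-02-03T10:15:02Z", "host": "ws-017", "dns_query": "UPDATE.evil.example"},
    {"ts": "2024-02-03T10:15:09Z", "host": "ws-017", "file_path": "C:\\Users\\a\\setup.exe",
     "sha256": "ab" * 32},
    {"ts": "2024-02-03T10:16:00Z", "host": "ws-022", "src_ip": "10.0.4.40",
     "dst_ip": "192.0.2.10", "dst_port": 443},
    {"ts": "2024-02-03T10:16:01Z", "host": "ws-022", "dns_query": "www.example.com"},
]

# Single-comparison STIX pattern: [object-type:property.path = 'value']
SIMPLE_PATTERN = re.compile(
    r"^\[\s*(?P<otype>[a-z0-9-]+):(?P<path>[^\s=]+)\s*=\s*'(?P<value>[^']*)'\s*\]$"
)

# Assumed mapping from (STIX object type, property path) to event fields.
FIELD_MAP = {
    ("ipv4-addr", "value"): ("src_ip", "dst_ip"),
    ("domain-name", "value"): ("dns_query",),
    ("file", "hashes.SHA-256"): ("sha256",),
}


@dataclass(frozen=True)
class Indicator:
    stix_id: str
    name: str
    fields: tuple
    value: str          # normalized to lower case for comparison


@dataclass(frozen=True)
class Alert:
    indicator_id: str
    indicator_name: str
    host: str
    ts: str
    field: str
    observed: str


def parse_indicator(obj: dict) -> Optional[Indicator]:
    """Convert one STIX object into a matchable Indicator, or None if unsupported."""
    if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
        return None
    m = SIMPLE_PATTERN.match(obj.get("pattern", ""))
    if not m:
        return None                      # compound or non-'=' pattern: skip, do not guess
    fields = FIELD_MAP.get((m["otype"], m["path"].replace("'", "")))
    if fields is None:
        return None                      # object type we have no telemetry for
    return Indicator(obj["id"], obj.get("name", ""), fields, m["value"].lower())


def load_indicators(bundle_json: str) -> list:
    """Parse a STIX bundle and keep only the indicators this matcher understands."""
    bundle = json.loads(bundle_json)
    return [i for i in map(parse_indicator, bundle.get("objects", [])) if i is not None]


def match_events(indicators: list, events: list) -> list:
    """Index indicators by event field, then scan events; one Alert per hit."""
    by_field: dict = {}
    for ind in indicators:
        for f in ind.fields:
            by_field.setdefault(f, {}).setdefault(ind.value, []).append(ind)
    alerts = []
    for ev in events:
        for field, table in by_field.items():
            observed = ev.get(field)
            if observed is None:
                continue
            for ind in table.get(str(observed).lower(), []):
                alerts.append(Alert(ind.stix_id, ind.name, ev.get("host", "?"),
                                    ev.get("ts", "?"), field, str(observed)))
    return alerts


if __name__ == "__main__":
    for alert in match_events(load_indicators(STIX_BUNDLE), SIEM_EVENTS):
        print(alert)
```

Run as-is, the script raises three alerts, all on host ws-017, one each for the C2 address, the phishing domain (matched despite the upper-case DNS query) and the dropper hash. The compound pattern and the malware object contribute nothing, which is the point of the explicit `None` returns: a sharing standard only helps if the consumer parses it strictly and reports what it could not use, rather than silently matching half a pattern.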
Attackers are continually increasing in capability and sophistication. Vulnerabilities remain common in web applications, and even a web application with no exploitable flaws can be breached through offline incidents such as stolen laptops or employee misconduct. Large corporations have realized that good internet security does not consist solely of protecting against incidents, but of responding to them. The onset of promising new security products such as SIEMs and incident response tools is already enabling companies to respond to the ever-increasing number of hostile entities online. Using a threat information sharing standard lets corporations learn about prominent attacks as they happen, so that they can prepare for similar assaults. The future of cyber-security in online industries will be in decreasing the response time associated with a breach, thereby limiting its damage and preventing subsequent attacks.
June 28, 2014 at 11:11 pm by Christopher