EMC's security division RSA has released a security brief that outlines a drastic change in how organisations can better prioritise activities and identify threats in the wake of escalating advanced persistent threats (APTs).
In the brief, “Mobilizing Intelligent Security Operations for Advanced Persistent Threats,” security experts from RSA, EMC and VMware present a new vision and forward-looking model specifically designed to help organisations effectively face these new and sophisticated attacks.
This new vision for the security operations centre (SOC) comprises six core elements that together determine its effectiveness. These are:
Risk planning: The new SOC will take a more information-centric approach to security risk planning and invest in understanding which organisational assets are highly valuable and essential to protect. With priorities based on GRC policies, security teams need to conduct risk assessments that focus on the “crown jewels” of the enterprise.
Attack modelling: Understanding attack modelling in a complex environment requires determining which systems, people and processes have access to valuable information. Once the threat surface is modelled, organisations can then determine potential attack vectors and examine defence steps to isolate compromised access points efficiently and quickly. RSA Laboratories has developed theoretical models based on known APT techniques and employed game theory principles to identify the most efficient means of severing an attack path and optimise defence costs.
Virtualised environments: Virtualisation will be a core capability of tomorrow’s SOC, delivering a range of security benefits. For example, organisations can “sandbox” e-mail, attachments and URLs suspected of harbouring malware. Anything suspicious can be launched in an isolated hypervisor, and the virtual machine can be cut off from the rest of the system.
Self-learning, predictive analysis: To remain relevant in tomorrow’s IT environment, a SOC will need to truly integrate compliance monitoring and risk management. The system should continually monitor the environment to identify typical states, which can then be applied to identify problematic patterns early. Statistics-based predictive modelling will be able to help correlate various alerts. Developing such a system will require real-time behaviour analysis innovations, although some of these elements are available today.
Automated, risk-based decision systems: A key differentiator of a more intelligent SOC will be its ability to assess risks instantly and vary responses accordingly. Similar to risk-based authentication, the SOC will employ predictive analytics to find high-risk events and then automatically initiate remediation activities.
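As an added illustration of the baseline-then-deviation approach described in the two points above (code written for this page, not RSA's or the brief's), the script below learns per-host "typical states" from constructed historical telemetry, scores new observations by their standardised deviation, and maps the score to a response tier. The host names, counts and thresholds are constructed assumptions.

```python
"""Learn typical states from historical telemetry, flag deviations, and map
them to a response tier. Illustrative code, not RSA's or the brief's."""
import math
from collections import defaultdict

# Constructed historical telemetry: (host, failed logins observed per hour).
BASELINE_SAMPLES = [
    ("web01", 3), ("web01", 5), ("web01", 4), ("web01", 6), ("web01", 2),
    ("db01", 0), ("db01", 1), ("db01", 0), ("db01", 1), ("db01", 0),
]


def learn_baseline(samples):
    """Per-host mean and (population) standard deviation of the metric."""
    per_host = defaultdict(list)
    for host, value in samples:
        per_host[host].append(value)
    baseline = {}
    for host, values in per_host.items():
        mean = sum(values) / len(values)
        var = sum((v - mean) ** 2 for v in values) / len(values)
        baseline[host] = (mean, math.sqrt(var))
    return baseline


def z_score(baseline, host, value, floor=0.5):
    """Standardised deviation from the host's baseline, or None for a host
    with no history. The floor stops a very quiet host from producing a
    division by (almost) zero."""
    if host not in baseline:
        return None
    mean, std = baseline[host]
    return (value - mean) / max(std, floor)


def risk_tier(z):
    """Map a deviation to a response tier (thresholds are illustrative):
    no history -> human review; large deviation -> automated isolation."""
    if z is None:
        return "review"
    if z >= 6:
        return "isolate"
    if z >= 3:
        return "alert"
    return "normal"


def assess(baseline, observations):
    """Score a batch of (host, value) observations against the baseline."""
    return {host: risk_tier(z_score(baseline, host, v)) for host, v in observations}
```

With the constructed samples, web01's baseline is mean 4 with standard deviation about 1.41, so 9 failures in an hour scores z of roughly 3.5 (alert), while 12 failures on the normally quiet db01 scores z above 20 (isolate).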
Continual improvement through forensic analyses and community learning: Although forensic analysis can be resource-intensive, it is an imperative element of a SOC and key to mitigating the impact of subsequent attacks. Virtualised environments can provide snapshots of the IT environment at the time of the security event, providing useful information if detection of the attack was delayed.
“To manage security at the speed and scale of the cloud and to deal with unpredictable adaptive threats such as APTs, organisations need to build upon the capabilities of today’s SOCs, evolving their security operations to effectively manage these new threats,” said Bret Hartman, chief technology officer at RSA.
Valeria Camerino is reporting live from the RSA Conference 2011 at San Francisco.