
Detecting and Mitigating Security Risks - AT&T

Securing public Internet access

Federal agencies are expected to comply with the Office of Management and Budget (OMB) Memorandum 08-05, which not only defines the Trusted Internet Connections (TIC) initiative, but also requires agencies to reduce the number of public Internet connections and provide secure IP portals for traffic to and from the public Internet. This new directive allows greater security between each agency's IT infrastructure and the public Internet, by significantly reducing the number of Internet connections throughout federal agencies. TIC solutions are available now through GSA Networx contract holders, including AT&T.

...antivirus software versions residing on the devices with the agency policy. If there is a match, the connection is allowed. If not, the system takes the action as dictated by policy to block the connection, update the software or quarantine the connection for later remediation.

Security Information and Event Monitoring (SIEM)

SIEM tools and services enable enterprise-wide event logging, correlation to other events, incident management and reporting. Based on the resulting comprehensive network security picture, SIEM tools provide snapshots, trends and related incidents that help identify the number of security events that should be viewed and addressed by IT staffs. This helps IT staffs facing increased workloads to prioritize security events, while also helping to decrease the number of events that need to be manually addressed. Automated capabilities that review and correlate hundreds or thousands of daily events leave staff able to handle a manageable number of events in a given day. According to the SANS Institute, a worldwide provider of information system security training and certification, about 1,000 events per day is a practical maximum of events to handle.* But some organizations without SIEM systems are seeing 100,000 or more events per day.

SIEM tools can also be used in the context of a centralized security service from an ISP. As a service or on-site tool, SIEM plays a large role in detecting, alerting and remediating vulnerabilities. SIEM generally involves using automated security tools and services that integrate with other security devices such as firewalls, IDS/IPSs and user authentication systems to correlate events enterprise-wide. SIEM tools generally consolidate logs, gathered from various monitors, into a centralized server, for example, where AI-based software quickly sifts through the logs to identify attacks and correlate them in an enterprise-wide context. Such a system might pick up on a repeated event over a period of time, such as multiple unsuccessful log-in attempts to crack a password (called a "brute force" method). If the system identifies a number of unsuccessful log-in tries, followed by a successful log-in and a network configuration change, this is the type of activity IT security staff would likely wish to be alerted about right away with an automated page or an email notification.

Once a threat is identified, SIEM systems and services also enable the automation of managing an incident, whether that entails an email alert, an automated remediation action or the creation of a trouble ticket. Security event reporting is also part of this discipline.

Today's environment requires audits, logging and the tracking of network resource access. Tracking is performed through the use of Internet cookies, messages from a Web server that a Web browser stores in a text file. The message is sent back to the server each time the browser requests a page from the server to identify users and potentially prepare customized Web pages for them, based on information they have input in the past.

In the future, protection of data and information at the individual level will become of paramount importance. Security policies and monitors will be able to identify, down to the file level, those individuals who have read a document. They will also control who has access to a given document using versions of identity management that utilize biometrics, smart cards and other technologies. What will be required for this model is a universally accepted and trusted source for identity management, similar in concept to the public key infrastructure that binds public keys with respective user identities by means of a trusted certificate authority.

Centralizing network policies and security also helps overcome software-patching issues, which have the potential to cause significant vulnerabilities if a foolproof patching process is not in place. By pushing software updates out to predetermined network devices all at once from a central location, organizations keep patches updated and synchronized throughout the organization.

The Importance of Policies

Centralizing network security policies is a recommended industry best practice. To follow this model, enterprises create one central place for setting, maintaining and enforcing a common set of security policies across all network sites. The functions, services and systems described in the section above function as the "policy enforcers."

Policies are at the core of any security foundation. They can cover a lot of ground, including what action is to be taken if certain conditions are discovered. These conditions can range from the discovery of