Continuous monitoring, little to no burden on the network and easy-to-understand, prioritized reporting top the list for CISOs and CIOs
Cyber attacks are growing more sophisticated, frequent, and dynamic. It is therefore critical that companies and governments protect their networks, systems, and information from unauthorized access or disruption.
However, network security has become an industry in which there is a tremendous amount of “noise,” with competing products and services making similar claims about the comprehensive nature of the protection provided without fully delivering on it.
A more realistic assessment is that the market offers a range of partial solutions rather than one complete one: traditional endpoint monitoring tools, SIEMs (Security Information and Event Management systems) that aggregate and correlate logs from other sources, and a variety of narrower network security products.
Furthermore, vendors of these solutions often bundle security consulting services with the software to maintain the system, interpret reports and prioritize remediation. This drives up the overall cost and is a key profit center for the provider.
“It is extremely difficult to wade through all the verbiage, the claims, out there to determine what really works well and what doesn’t,” says Bob White, CISM, VP and CIO of the A.L.M. Holding Company. “Unfortunately, there are quite a few different tools that meet different purposes and no one-size-fits-all solution.”
According to White, three factors top the "wish list" when selecting a comprehensive network solution: it should be unobtrusive, running quietly in the background without burdening the network; it should provide true continuous monitoring of all assets in real time; and the data should be well organized, prioritized and documented over time.
While this seems like quite a wish list, next generation security systems are now available that meet these requirements.
Understanding Network Assets, Vulnerabilities
White says he joined the A.L.M. Holding Company in December of 2015. The holding company’s portfolio of businesses includes wholesale distribution companies for construction aggregates; asphalt and concrete paving companies; as well as wholesale fuel suppliers.
According to White, he was brought on with a mandate to upgrade the overall security of the entire network. Although he found a very hard-working IT team, “there were some areas that needed immediate attention.”
From an IT perspective, the challenge was operating several disparate systems. These included a transportation management system for the company's fleet of 700 vehicles, an ERP system for the wholesale fuel distribution business (including real-time petroleum trading), and another ERP for one of the paving divisions.
“Each division or business is a little different, but we have to support the way each does business,” says White. “So, we wanted to provide what they needed out in the field, along with access to information in a timely fashion.”
The first order of business, however, was to achieve a complete understanding of the extent of the network.
“We needed to understand exactly what was going on within our network and how many devices were connected – and we needed to do that very, very quickly,” says White.
Initially, White considered available SIEM options. After some research, White turned to AristotleInsight from Sergeant Laboratories.
The comprehensive IT and security management platform combines several IT and security functions behind a single pane of glass to provide insights, actionable items, and the data needed to properly manage and audit configurations, assets, user behavior, and risk.
“What is unique about AristotleInsight is the depth and breadth of what is being monitored on a continuous basis, where other solutions do a little of this and others do a little of that,” says White.
The product runs on most systems and collects its data at the kernel level without burdening the network; in fact, the agent typically operates without being flagged by network security tools or virus scanners. A practitioner should note the flip side of that last point: a kernel-level agent that other security tooling does not see is itself a highly privileged component, and the hosts and versions on which it runs belong in the same asset inventory it helps build.
Within 24 hours of installation, the program can map what is happening on a network of even tens of thousands of computers. Within 48 to 72 hours, it should be clear whether the network has been breached, whether unauthorized access has occurred, or whether other issues exist.
“After a short initial set-up and configuration, the system was able to identify all of the computers on the network within a matter of days,” says White.
The next step was to understand the network’s risks and vulnerabilities.
“With a full inventory of all the computers connected to the system, we could then determine what software was loaded on each computer, including the version, and compare it with the patches that needed to be applied,” explains White.
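The workflow White describes, an inventory of hosts, then the installed software and versions on each, then a comparison against the patch levels that should be in place, is easy to get subtly wrong, most often by comparing version strings lexically. The following Python is example code added for this article; it is not the vendor's product or A.L.M. Holding's data. The host names, product names, version numbers and severity scores are all constructed for illustration.

```python
"""Added example: compare an inventory of installed software versions against
a required patch baseline and rank the gaps. Not part of the original article
or of any vendor's product; all data below is constructed."""
import re
from dataclasses import dataclass

# Constructed sample inventory: host -> {software name: installed version}.
INVENTORY = {
    "fuel-erp-01": {"LedgerSuite": "4.2.1", "PumpCtl": "1.0.9"},
    "fuel-erp-02": {"LedgerSuite": "4.3.0", "PumpCtl": "1.0.10"},
    "paving-ws-07": {"LedgerSuite": "4.2.1", "OfficeKit": "2019.1"},
    "fleet-tms-01": {"FleetLink": "7.0.3", "PumpCtl": "1.0.9"},
}

# Constructed patch baseline: software -> (minimum acceptable version, severity 1-10).
# Product names, versions and severities are hypothetical, not real advisories.
BASELINE = {
    "LedgerSuite": ("4.3.0", 7),
    "PumpCtl": ("1.0.10", 9),
    "FleetLink": ("7.1.0", 5),
}


def version_key(version: str) -> tuple:
    """Turn '1.0.10' or '1.0.2g' into a tuple that compares segment by segment,
    numeric part first, then any letter suffix. Plain string comparison would
    rank '1.0.9' above '1.0.10', which is exactly the mistake that hides a
    missing patch. (Trailing '.0' segments are not normalized: '2.1' < '2.1.0'.)"""
    parts = []
    for segment in version.split("."):
        match = re.match(r"(\d*)(.*)", segment)
        number, suffix = match.group(1), match.group(2)
        parts.append((int(number) if number else -1, suffix))
    return tuple(parts)


@dataclass(frozen=True)
class Finding:
    host: str
    software: str
    installed: str
    required: str
    severity: int


def find_missing_patches(inventory: dict, baseline: dict) -> list:
    """One Finding per (host, software) whose installed version is below the baseline.
    Software with no baseline entry is skipped: there is nothing to compare against."""
    findings = []
    for host, installed_software in inventory.items():
        for name, installed in installed_software.items():
            if name not in baseline:
                continue
            required, severity = baseline[name]
            if version_key(installed) < version_key(required):
                findings.append(Finding(host, name, installed, required, severity))
    return findings


def prioritize(findings: list) -> list:
    """Group findings by software and rank groups by severity, then by how many
    hosts are affected, so the most dangerous and most widespread gap comes first.
    Returns [(software, severity, sorted affected hosts), ...]."""
    groups: dict = {}
    for finding in findings:
        groups.setdefault(finding.software, []).append(finding)
    ranked = sorted(
        groups.items(),
        key=lambda item: (-item[1][0].severity, -len(item[1]), item[0]),
    )
    return [(name, fs[0].severity, sorted(f.host for f in fs)) for name, fs in ranked]


if __name__ == "__main__":
    for software, severity, hosts in prioritize(find_missing_patches(INVENTORY, BASELINE)):
        required = BASELINE[software][0]
        print(f"[sev {severity}] {software}: {len(hosts)} host(s) below {required}: {', '.join(hosts)}")
```

Run stand-alone, the script lists PumpCtl first (severity 9, two hosts still on 1.0.9), then LedgerSuite, then FleetLink. The ranking is the part to adapt to your own environment: severity alone ignores how many machines are exposed, while host count alone lets a low-impact gap on many workstations outrank a critical one on a single server, so the two are combined here with severity taking precedence.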
True Continuous Monitoring
White says AristotleInsight is the first offering that meets the requirements of Continuous Diagnostics and Mitigation as outlined by the Department of Homeland Security.
The Continuous Diagnostics and Mitigation (CDM) program is the federal government's approach to fortifying the cybersecurity of government networks and systems. It calls for tools that identify vulnerabilities and risks on an ongoing basis, prioritize those risks by potential impact, and enable network cybersecurity personnel to mitigate the most significant problems first.
“It’s extremely important because this capability is something we didn’t have before,” says White. “And to understand what is going on with the network in real-time provides a benefit that very few IT departments have.”
The continuous monitoring has also enabled A.L.M. Holding to institute an enforceable IT security and information use policy that employees are expected to sign when hired and renew annually. The policy sets guidelines for passwords, internet usage, software downloads, use of external drives and similar matters.
“Now an alert pops up and tells us what is happening so we can reach out to the individual and confirm what is going on. We didn’t have that capability before,” explains White.
White declined when asked to give specific examples, “but suffice it to say that when something inappropriate or unforeseen happens and it goes against our IT policy, we know about it within minutes,” says White.
Reporting and Remediation
One of the challenges of Big Data is that the mass of information can often be difficult to sift through or understand. Therefore, a priority for CISOs and CIOs is to utilize a security platform that effectively analyzes, prioritizes and presents information in organized, understandable reports.
With AristotleInsight, the software prioritizes the vulnerabilities and risks, and then walks network administrators through the steps to remediate the problem.
The data is organized on the model of double-entry bookkeeping, the accounting method codified by Luca Pacioli in 1494, which provides forensic auditing capabilities. A proprietary Bayesian inference engine and data-linking techniques are then used to interpret and prioritize the data.
The information is organized into three tiers of logical layers using a top-down approach. Specialized knowledge, training or the help of security consultants is not required.
The reports are presented in an understandable format for management, while also providing more detailed information for security and compliance professionals to protect their organization.
“With ‘big data’ security you can easily get lost in all the information,” says White.
“It really helped point us in the right direction,” adds White. “It allowed us to focus on certain things like vulnerable software that we really needed to pay attention to before we start focusing on other issues.”
Improved Security Posture
According to White, AristotleInsight has improved A.L.M. Holding’s security posture significantly since it was implemented.
“Like any other CIO, I still worry about our exposure risk posture overall,” says White. “But before implementing AristotleInsight I had no idea what I had. Now I can see how our overall security posture is shaping up, so I can have more intelligent discussions with senior management.”
A side benefit was that the system helped White determine the appropriate cyber liability insurance coverage.
“My recommendation regarding the insurance a while ago would have been ‘buy it all,’ because I had no idea where the highest risks were,” says White. “Now I can target it more specifically and say, ‘we’re fine here, we’re ok there, but we still remain concerned here. Let’s focus on that part for the insurance coverage.’”
About the Author
Gary S. Miliefsky is the Publisher of Cyber Defense Magazine (CDM). Gary is a globally recognized cybersecurity expert, inventor and founder of numerous cybersecurity companies, and a frequent invited guest on national and international media commenting on mobile privacy, cyber security, cyber-crime and cyber terrorism; he has also been covered in Forbes, Fortune and Inc Magazines. Miliefsky is a Founding Member of the US Department of Homeland Security (http://www.DHS.gov), the National Information Security Group (http://www.NAISG.org) and the OVAL advisory board of MITRE responsible for the CVE Program (http://CVE.mitre.org). Gary is a member of ISC2.org and is a CISSP®. He frequently writes thought-provoking articles at CDM and on LinkedIn, where he ranks in the top 1% of all INFOSEC LinkedIn profiles and the top 3% globally. Learn more about Gary on our website.