This blog is an excerpt from GovLoop’s recent industry perspective, Bridging the Gap Between IT Operations and Security. Download the full perspective here.
John Stoner, Security Architect for Splunk Public Sector, estimates that there is an 80 percent overlap in the data being gathered in the Network Operations Center (NOC) and the Security Operations Center (SOC). Each needs end-to-end visibility of the infrastructure to see user behavior, spot suspicious activity and understand system and device status. Each uses this data to answer its own questions:
- IT Operations: Are the systems running? Are they available?
- Security: Is the enterprise secure? Can we detect intruders and suspicious activity?
It makes sense and would improve efficiency if the two sides shared not only the data being collected but also the answers to their questions, said Bill Babilon, IT Solutions Architect for Splunk Public Sector. “But more often than not we find that data sharing is not happening as much as we would like.”
Like the two sides of a coin, each is different. There are situations in which security needs to limit access to certain data. These can include maintaining a chain of custody for forensic investigations and ensuring that sensitive data such as personally identifiable information is not being exposed.
On the other hand, system data generated to help IT operations make informed decisions contains critical information on users, customer activity and capacity consumption that is not routinely needed by security personnel and that could pose privacy risks if not properly handled. Each side is rightly jealous of this data and the privacy of its constituents.
But while acknowledging the specific needs of each function, failure to recognize common goals and to take advantage of the common resources creates a sub-optimal situation for both IT operations and security.
Common Ground Scenarios
Machine data — data created by the activity of computers, mobile devices, embedded systems and other networked devices — is critical to operational intelligence. Operational intelligence turns machine data into valuable insights that gives you a real-time understanding of what’s happening across your IT systems and technology infrastructure and can provide a wealth of information on network activity that does not directly affect performance, but might be valuable indicators of malicious activity for the security team.
And some security issues, such as a Distributed Denial of Service (DDoS) attack, have an immediate impact on availability. In these situations, sharing information can help both sides.
As the first line of defense, security uses tools that identify known threats — those threats that already have been identified and can be detected by their signatures. However, this approach is ineffective against advanced threats that utilize new and stealthy exploits as well as rapidly morphing malware that makes signatures obsolete. Operational data can be helpful in hunting out these unknown threats.
Advanced threats can be delivered through a variety of vectors to slip past defenses. Gaining access to operational intelligence produced from host and network data can help defenders detect these threats. This data includes:
- Suspicious file names in systems logs,
- Unusual executables and processes in process logs and registries,
- Unusual administrator activity in event logs
- Malicious command and control traffic from web proxy and firewall logs, and
- Malware delivery from web proxy and firewall logs.
Domain Name Service (DNS) traffic is an increasingly common way for attackers to hide communications with compromised servers and to exfiltrate data. DNS traffic often is not secured and data masquerading as DNS requests can be sent past the enterprise’s firewall without detection. This malicious traffic can be difficult to detect because DNS is ubiquitous and these requests form routine traffic to the Internet. But if not spotted it can put an agency’s most sensitive data at risk. But operational intelligence can contain indicators of DNS exfiltration that might be ignored by the operations team because they do not create performance problems. These can include:
- The presence of encrypted DNS traffic;
- Repeated requests to a single domain, a restricted domain, or to rapidly shifting domains that could be hiding botnet activity;
- Recognizable patters in requests; and
- Unusual packet sizes or spikes in traffic.
Server errors are another type of operational information that could point to security incidents. Error messages can cover a range of problems from the inconsequential to serious. Errors that do not have an impact on performance might not be investigated, but log analysis could reveal patterns or unusual activity that could be indicators of malicious — or at least suspect — activity on the network.
Download the full perspective here.