Separating the Signal from Noise

In security operations, we frequently talk about the difficulties in separating the signal from the noise to detect legitimate threats and disregard false alarms. Data overload is a common problem and triage becomes a critical skill to hone and develop.

As the chief information security officer (CISO) for McAfee, I am aware at multiple levels of the risks that come from a failure to focus on the right thing. If one of our security operations center (SOC) analysts fails to notice multiple login attempts by the same user from different countries in a short span of time, it could cost us both valuable company data and our reputation in the industry.
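Detection logic for the scenario just described, as an added example that is not McAfee's code: a small Python check that flags a user authenticating from two different countries within a configurable window, run over constructed sample log lines. The log format, the 60-minute window and the sample events are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real data).
# Assumed format: ISO timestamp, username, source country, result.
SAMPLE_LOG = """\
2017-10-18T08:02:11Z alice US success
2017-10-18T08:40:55Z alice US success
2017-10-18T09:05:30Z alice RU success
2017-10-18T09:07:02Z bob IE success
2017-10-18T12:30:00Z bob US success
2017-10-18T12:31:10Z carol DE failure
2017-10-18T12:32:40Z carol CN failure
"""

WINDOW = timedelta(minutes=60)  # assumed threshold; tune for your environment


def parse(line):
    """Split one log line into (timestamp, user, country, result)."""
    ts, user, country, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, country, result


def find_impossible_travel(log_text, window=WINDOW):
    """Return one alert per consecutive pair of logins by the same user
    from different countries that are closer together than `window`.
    Failed attempts are included: a burst from several countries is
    itself a signal worth an analyst's attention."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse(line)
            by_user[event[1]].append(event)

    alerts = []
    for user, events in by_user.items():
        events.sort()  # chronological order per user
        for prev, cur in zip(events, events[1:]):
            if cur[2] != prev[2] and cur[0] - prev[0] <= window:
                gap = int((cur[0] - prev[0]).total_seconds() // 60)
                alerts.append({"user": user, "from": prev[2],
                               "to": cur[2], "minutes": gap})
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOG):
        print(alert)
```

With the sample above, alice (US to RU in under half an hour) and carol (DE to CN in two minutes) are flagged, while bob's move from IE to US over three hours is not.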

For these reasons, McAfee announced major enhancements today to our security operations portfolio in our security information and event management (SIEM) and Security Analytics product lines – enhancements that the McAfee Information Security team I am proud to lead helped to road-test. We also announced that our state-of-the-art converged physical and cyber Security Fusion Centers are now fully operational in Plano, Texas, USA and Cork, Ireland – less than a year after we emerged from Intel as a standalone company.

The big deal for the McAfee Security Fusion Centers is that they have a dual mission: 1) to protect McAfee, and 2) to help us build better products. And for myself, I would add a third objective: help our customers to learn from our experiences protecting McAfee. We want to help them build better reference architectures, learn how to communicate with boards of directors and become more innovative in solving cybersecurity problems.

For Job 1, protect the enterprise, we believe in the primacy of fundamentals. We use the National Institute of Standards and Technology (NIST) cybersecurity framework, as well as the Factor Analysis of Information Risk (FAIR) method to quantify our risk posture, and continually manage for the framework’s core functions of Identify, Protect, Detect, Respond, and Recover. It’s critical that we understand what is happening in our environment and that is why we chose to converge our physical and cybersecurity functions into one operations center – a Security Fusion Center. We need to collect data across all aspects of our operating environment. Without that ability, we are flying blind.

Next, we focus on being able to answer a series of vital questions that help us complete the identification functions. We ask:

  1. What is on the network and how are our networks accessible? We must be able to identify our assets. That visibility into what is connected to us is critical. We use tools like Rapid7 Nexpose, McAfee Rogue System Detection, and network access control (NAC) to constantly monitor the network to tell us what is connected to us.
  2. How are we managing access to vital systems and stores of data? We decided from the beginning that we could not take access to information assets for granted. At McAfee, there is no implicit right of access – only explicit privilege. In this age of bring-your-own-device (BYOD), we have set up two-factor authentication when accessing the McAfee network. If your role requires access to sensitive information, “need to know” access is applied, and employees must comply with other access control mechanisms like separation of duties, least privilege, and information management.
  3. Where are the vulnerabilities? We need to evaluate risk across our environment from device to cloud. This means more than just audits and vulnerability management. We had to design our systems so that they would be scalable and support our incident response functions like patch management and counter measures in a prioritized manner. We especially rely on McAfee ePO for visibility across on- and off-premises devices.
  4. How is the data protected? This is a matter of understanding where are the crown jewels of our data and what are the risks for exfiltration. It’s vital to set up policies in a very prioritized and strategic manner. Data loss prevention requires thinking through the data, the applications and the users.
  5. How are we doing against the basics? While it is great to have next generation toolsets, it is often the basics that most organizations miss that cause compromises. For example, we are constantly focused on basics like security architecture, access and authentication control, device configuration and baselines, operating system and third-party patch levels, security awareness training, and table-top exercises. Even at McAfee with the entire product portfolio, we are diligent about instilling the basics across our security operations.
  6. Finally, what signals do we focus on? We need context and insight to answer this. This requires a place where all the data can be collected, enriched and shared. We have been using McAfee Enterprise Security Manager 11.0, which was announced today, for some time now. The open data bus architecture enables our SIEM to ingest a high volume of data, scaling to billions of events, and then enrich that raw data nearly immediately, turning noise into insights. We also appreciate that this architecture allows the SIEM to intelligently share data to any appropriate appliance, application, or data store. This is an evolved security operations infrastructure – it’s a mix of a SIEM platform with User Entity Behavior Analytics (UEBA) and threat investigation, using McAfee Behavioral Analytics (MBA) and McAfee Investigator. Our Security Fusion Centers are the first places where all those pieces will be present and working together.

As for Job #2, helping McAfee build better products, by now you can see how we are living out a commitment to be Customer Zero for McAfee. Going forward, we are going to be the first organization to use McAfee’s new products. But we are doing that in a way that will help our customers implement better, faster and more smoothly before they have even seen the product. We’re working out the bugs and we’re working on feature requests with our Product Management and Engineering teams.

This helps us to be better, more innovative, and to solve cybersecurity challenges. It is meant to be a very tight collaboration – a place to try out our products in the real world. We’re going to get there through collaboration. From our learnings in the first year, we have observed that diversity is the single most important factor in developing a world class organization. Diversity of thought challenges typical thinking and results in better outcomes.

In fact, collaboration is personally my number one thing. I wanted to work with the smartest people in the world. I will acknowledge that I am not the smartest person in the room. Somebody is going to know more about security than I do. Embracing that and bringing that all together will make us all stronger and better at our jobs. And that is what we mean when we say, “Together is Power.”

As for my personal third goal, helping all of you to be better, too, that’s why I’m sharing here. We’ll continue this dialogue about how McAfee is protecting itself and, in the process, learning more about helping you with another blog post soon. I’ll be sharing the byline with my colleague, Jason Rolleston, Vice President for Security Intelligence & Analytics.

Let me know what signals you are focused on and how we can help solve problems together.

You can look for Grant Bourzikas on Twitter and LinkedIn and at security events like MPOWER, Blackhat, and RSA.

McAfee technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Learn more at mcafee.com. No computer system can be absolutely secure.
