IT Briefcase Exclusive Interview: Securing a World of Information with Katherine Lam, HP ArcSight
July 30, 2013
In the below interview, Katherine Lam from HP ArcSight outlines some of the most prominent security threats emerging in the IT space today, and offers expert advice for organizations looking to overcome the security challenges they face as enterprise data volumes continue to grow.
- Q. As Cloud Computing, Mobile, and Big Data continue to evolve, what are you seeing as the biggest IT Security threats emerging today?
A. According to Gartner, by 2016, 40 percent of enterprises will actively analyze at least 10 terabytes of data for information security intelligence, up from less than three percent in 2011.(1)
As organizations continue to move toward hosted applications through SaaS or cloud models that reside outside their security infrastructure, data and information about who accesses the data becomes lost.
In order to tackle evolving security threats, businesses need to gain unique and actionable security intelligence from Big Data and third-party applications delivered through the cloud.
Most enterprises have established security and risk management policies and have invested in security systems. But, as threats have become more “industrialized”, it is critical that the ability to identify, protect, and remediate threats evolve as well.
Cloud brings with it unique challenges for security monitoring and management that require a review and adjustment to new security strategies, tools, and policies. These challenges include:
– Ubiquitous attack “surface”
– Legacy environments
– Compliance despite shared vulnerabilities
– Information-centric security
Understanding what data capabilities become critical in a cloud environment is key.
In addition, mobile devices have changed the way people interact with businesses, pushing applications from the data center and making the data available in the cloud. As applications become the main attack vector, strong security measures need to be implemented in order to protect business services accessed by mobile devices.
Devices get lost. Devices are stolen. This is not new and will certainly continue, but with the proliferation of mobile computing, the effort that organizations put into securing vulnerabilities introduced by lost or stolen devices has become more important.
Encryption on corporate computers is now standard protocol for most Fortune 500 companies. Ten years ago the news was filled with stories of data lost from stolen PCs. This has been reduced, in part because of legislative requirements, but also because corporations have learned their lessons the hard way. However, these same standards are not applied to mobile devices, and in the age of “Bring Your Own Device” (BYOD) to work, this is still a critical problem that needs attention.
The rate of mobile vulnerabilities continues to increase rapidly, rising 68% from 2011 to 2012. In addition, 48% of mobile apps tested in 2012 gave unauthorized access to the data stored on the device (HP Cyber Risk Report, 2012).
- Q. How has Cloud Computing changed the way we need to look at IT Security?
A. As enterprises adopt cloud computing, compliance and data access control become barriers, as the extended infrastructure creates an additional attack surface, making it difficult for companies to manage their risk.
Most enterprises have established security and risk management policies. But, as threats have become more industrialized and market-driven, it is critical that the ability to identify, protect, and remediate threats evolve as well.
In order to manage risk for an enterprise using cloud, having visibility into the actions of the users, the applications and the data is key. Visibility with context brings understanding, which becomes critical in a cloud environment.
- Q. What is your take on the risk vs. compliance issue companies face when dealing with BYOD in the workplace?
A. Enterprise data that is stored on devices, which may belong to the user (BYOD), and where the enterprise has no management over the end-point, represents the most significant challenge—and the most risk.
Mobile devices, especially BYOD, and public Wi-Fi networks are inherently insecure. Additional security controls are required to protect IT infrastructure (server) and business applications.
Vulnerabilities grow exponentially with Web-based applications, remote users, and data that is transmitted outside of the walls of the enterprise. A risk-based strategy is essential where the data is encrypted, the architecture is secured, security events are correlated, and threats are continuously monitored relative to business risk.
Mobile environments can be complex and introduce new vulnerabilities to the enterprise. Is your view of compliance and policies as dynamic as the environment it measures? More importantly, if attacked, could you identify the source and stop it from happening again?
- Q. How is HP Autonomy currently working to help organizations overcome the security challenges they face as enterprise data volumes continue to grow by the day?
A. HP recently announced the integration of the security information and event management (SIEM) capabilities of HP ArcSight with the HP Autonomy IDOL content engine. The new solution helps organizations automatically recognize the context, concepts, sentiments and usage patterns related to how people interact with data.
Meaning-based security connects the dots between massive data stores to paint a picture of what is actually happening. The integration between HP ArcSight and HP Autonomy IDOL is able to make sense of and process unstructured, ‘human information,’ and creates business value from that meaning. It provides sophisticated identification techniques to improve the contextual understanding of all content types, including social media and audio. Embracing traditional legacy methods such as keyword, Boolean and parametric search, as well as advanced, proven techniques such as conceptual and contextual search, HP’s approach enables clients to manage, quickly find and easily visualize relevant information. Automatic clustering and hyperlinking of data provides advanced visualization capabilities to speed the investigation process and the certifying of threats and culprits.
- Q. In your opinion, what sets HP Autonomy’s data protection solutions aside from other solutions on the market today?
A. HP is providing a rounded, mature offering that marries the unique strengths of HP ArcSight ESM with HP Autonomy IDOL. Unlike competitive offerings, the HP solution provides real-time, cross-device correlation, not just analytics. The combination of these technologies delivers the following unique abilities:
– Automatically classify petabytes of documents from more than 400 repositories and information from 1,000 file formats, for sensitive information on an ongoing basis, unlike competitive offerings where this is a manual process. (IDOL)
– Process 100,000 security events per second through in-memory processing, the fastest in the industry. (IDOL) (1)
– Establish baseline security and operations “behavior” to compare pattern changes against to identify possible threats. For example, if a server was compromised, that server would ping others in the botnet. That “behavior” would be flagged as outside the baseline and remediation could begin. (CORR)
– Create meaningful context to a security event that no other solution can. For example, if a bad IP address is discovered on the network, Autonomy IDOL can tell which employee’s machine is connected to the IP, and if that employee’s usage patterns have changed to access folders and documents they don’t typically access. With this capability, organizations can determine the content of those files / documents the employee accessed and understand if there is a security risk. (CORR)
Today, HP protects more than 200 petabytes of data each year and the unique combination of these two technologies extends security monitoring that no other solution can.
(1) Internal HP testing and benchmarking
- Q. Can you please give us a few customer examples of how HP Autonomy’s security solutions are being successfully implemented today?
A. Here are two use cases we have implemented to demonstrate security solutions created between ArcSight and Autonomy:
Case Study 1: Beyond DLP, detecting Information Leakage
It is very difficult to protect data in today’s hybrid enterprise. You can lose data through multiple transport channels and devices and even well-meaning internal users may inadvertently leak data.
When a user generates an “information” related event, like sending an email or accessing a file, an event will be generated and sent to HP ArcSight ESM. Now that we have ESM connected with Autonomy IDOL, it will query IDOL for the context behind the event. IDOL will send back to ESM a full set of information properties like information classification, category, etc. This set of properties will be used to fire events that can be processed by HP ArcSight.
Here is a sample screenshot from a previous POC:
In this example, an email was sent out from “Jameson Jones” to Peter Chambliss with information potentially related to Mergers (~57%), then he sent an email with content potentially related to research (~51%) and then some HR data.
Case Study 2: Better Threat Intelligence with Sentiment Analysis
Intelligence has a long history of providing pivotal information to decision-makers. Many have proposed that we must apply this concept of intelligence to information security and the struggle against the threat landscape. Without intelligence, we cannot proactively protect against attacks or potential attacks, mainly because we don’t understand the motivations and what’s behind them. One source, out of many, is the human intention or behavior of an internal employee or an outsider to the company.
IDOL technology enables organizations to actively get this type of intelligence by monitoring the spiraling amount of user generated content on the internet (social media) and analyzing it for sentiment. Sentiment analysis extracts meaning from these articles, posts, tweets and conversations and automatically performs detailed statistical analysis to identify emerging trends. IDOL can determine the degree to which a sentiment is positive, negative or neutral for the entire content or a segment of the content.
For example, a tweet that can be defined as “negative”:
By enabling the tracking and analysis of human sentiments associated with data, organizations are better equipped to quickly identify threats that would have previously gone unnoticed.
Here is a typical flow between HP ArcSight ESM and Autonomy IDOL:
In both of these use cases, HP was able to give context to human generated data, so that events that could create additional risk to a company could be discovered much earlier, and mitigated before data was able to leave the corporate network.
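The two correlation ideas the interview describes, enriching a raw SIEM event with content classification properties before a leakage rule fires (Case Study 1) and flagging a user whose folder access falls outside an established baseline (the CORR bullets in the earlier answer), can be sketched as a small detection pipeline. The code below is an added illustration written for this page, not HP code, and it does not call the ArcSight ESM or IDOL APIs. The content properties, user baselines, mail domain, usernames and events are all constructed stand-ins; only the category names and confidence values echo the screenshot description above.

```python
"""Added illustration of the event-enrichment and baseline-comparison flow.
Everything below is constructed: the classifier lookup, the baseline and the
events. It is not HP code and does not call the real IDOL or ESM interfaces."""

# Constructed stand-in for the content engine's answer to "what is this
# message/document about?". A real deployment would query the content engine
# (IDOL in the interview); here the properties are a hypothetical fixture.
CONTENT_PROPERTIES = {
    "msg-1001": {"classification": "Mergers", "confidence": 0.57},
    "msg-1002": {"classification": "Research", "confidence": 0.51},
    "msg-1003": {"classification": "HR", "confidence": 0.62},
    "doc-2001": {"classification": "Finance", "confidence": 0.90},
    "doc-2002": {"classification": "Public", "confidence": 0.95},
}

# Constructed baseline: folders each user normally touches.
BASELINE_FOLDERS = {
    "jjones": {"/shared/engineering", "/home/jjones"},
    "pchambliss": {"/shared/marketing"},
}

INTERNAL_DOMAIN = "example.com"          # assumption: the enterprise mail domain
SENSITIVE = {"Mergers", "HR", "Finance"}  # assumption: classes treated as sensitive
CONFIDENCE_THRESHOLD = 0.5               # assumption: minimum classifier confidence

# Constructed raw events, as a SIEM would hold them after normalisation.
EVENTS = [
    {"type": "email", "user": "jjones", "recipient": "peter@partner.net", "content_id": "msg-1001"},
    {"type": "email", "user": "jjones", "recipient": "peter@partner.net", "content_id": "msg-1002"},
    {"type": "email", "user": "jjones", "recipient": "bob@example.com", "content_id": "msg-1003"},
    {"type": "file", "user": "jjones", "path": "/shared/finance/q3.xlsx", "content_id": "doc-2001"},
    {"type": "file", "user": "pchambliss", "path": "/shared/marketing/brief.docx", "content_id": "doc-2002"},
]


def enrich(event, properties=CONTENT_PROPERTIES):
    """Step 1 of the flow: attach the content classification to the raw event.
    Unknown content gets a zero-confidence placeholder so rules still evaluate."""
    props = properties.get(event["content_id"], {"classification": "Unknown", "confidence": 0.0})
    return {**event, **props}


def folder_of(path):
    """Directory part of a POSIX-style path ("/a/b/c.txt" -> "/a/b")."""
    return path.rsplit("/", 1)[0]


def correlate(events, baseline=BASELINE_FOLDERS):
    """Step 2 of the flow: run leakage and baseline rules over enriched events.
    Returns the alerts in event order; nothing is printed here so callers can test."""
    alerts = []
    for ev in map(enrich, events):
        sensitive = ev["classification"] in SENSITIVE and ev["confidence"] >= CONFIDENCE_THRESHOLD
        if ev["type"] == "email":
            # Leakage rule: sensitive content leaving the enterprise mail domain.
            external = not ev["recipient"].endswith("@" + INTERNAL_DOMAIN)
            if sensitive and external:
                alerts.append({"rule": "sensitive-external-email", "user": ev["user"],
                               "classification": ev["classification"],
                               "confidence": ev["confidence"]})
        elif ev["type"] == "file":
            # Baseline rule: access to a folder this user does not normally use;
            # the classification tells the analyst how much that matters.
            folder = folder_of(ev["path"])
            if folder not in baseline.get(ev["user"], set()):
                alerts.append({"rule": "outside-baseline-access", "user": ev["user"],
                               "folder": folder, "classification": ev["classification"],
                               "sensitive": sensitive})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Run on the constructed events, the Mergers email to the external address fires the leakage rule (Research is below the sensitive set, and the HR mail stays internal), and the finance spreadsheet read fires the baseline rule for jjones while pchambliss's access to a baseline folder stays quiet. The point of the enrichment step is that the second alert carries the content classification with it, which is what lets an analyst decide whether an out-of-pattern access is worth chasing.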
Katherine Lam is a Product Marketing Manager for the Enterprise Security Products division at HP. In this role, Katherine is responsible for evangelizing the HP ArcSight enterprise security information and event management suite of solutions. Previously she was focused on Application Security, as a Product Manager for HP Fortify on Demand. Katherine has over 12 years of experience in Product Management, Product Marketing and IT Management.