Security Analytics: Risk Analysis for an Organisation's Incident Management Process
Casassa Mont, Marco; Brown, Richard; Arnell, Simon; Passingham, Neil;
Keyword(s): Security Analytics; Risk Analysis; What-if Analysis; Incident Management Processes; SOC;
Abstract: This document is an example of the type of report an organisation would receive at the end of a HP Security Analytics engagement. The focus is on the analysis of the security risks and performance of the organisation's Security Incident Management Processes and related Security Operation Centre (SOC)'s activities. HP Labs carried out the underlying R&D work in collaboration with HP Enterprise Security Services (HP ESS) and involved analysis of processes, probabilistic modeling, simulation and "what-if" analysis for some of HP's key customers. The outcome of this was a set of case studies from which we have been able to create this more general anonymised report illustrating the richness of the risk assessment and "what-if" analysis that has been carried out. The lifecycle management of security is critical for organisations to protect their key assets, ensure a correct security posture and deal with emerging risks and threats. It involves various steps, usually carried out on an ongoing, regular basis, including: risk assessment; policy definition; deployment of controls within the IT infrastructure; monitoring and governance. In this context, Security Information & Events Management (SIEM) solutions play a key role. Even the best information security practices and investments in security controls cannot guarantee that intrusions - accidental and criminal activities - and/or other malicious acts will not happen. Controls can fail, be bypassed or become inadequate over time; new threats emerge. Managing such incidents requires detective and corrective controls to minimise adverse impacts, gather evidence, and learn from previous situations in order to improve over time. These incident management processes are usually run in the context of a SOC and/or as part of specialised Computer Security Incident Response Teams (CSIRTS), built on top of SOCs. Even with SIEM solutions in place, a potential major risk for the organisation arises due to delays introduced in assessing and handling known incidents: this may postpone the successful resolution of critical security incidents (e.g. devices exposed on the Internet, exploitation of privileged accounts, deployed malware, etc.) and allow for further exploitation. Another related risk can be introduced by sudden and/or progressive changes of the threat landscape, due to changing economic and social scenarios, new business activities or process failings within the existing IT services. This might create unexpected volumes of new events and alerts to be processed by the security team and as such, introduce additional delays. Hence, it is important for an organisation to understand the risk exposure due to their Incident Management processes, explore potential future scenarios (e.g. changes in available resources or threats landscapes or adoption of Cloud solutions) and identify suitable ways to address related issues, e.g. by introducing process changes and/or making investments in security controls.
External Posting Date: September 6, 2012 [Fulltext]. Approved for External Publication
Internal Posting Date: September 6, 2012 [Fulltext]