This article can also be found in the Premium Editorial Download "Information Security magazine: Spotlight on the incident response hot seat."
Evolving risk dashboards will tell how secure you are and when something's wrong.
A car's dashboard provides drivers with all the information they need to operate their vehicle--speed, fuel level, temperature, oil pressure and the all-encompassing "check engine" light.
The concept of a security dashboard is very much the same: Under a single pane of glass, a security manager can see the vital statistics in a simple format that reflects the operating efficiency of his defenses, threats, exposures, policy compliance and incident alerts. An example is a display that shows the relationship between a known vulnerability, the number of exposed systems and the staff's remediation progress.
Many security vendors offer dashboards for their point solutions, or their products integrate with complementary solutions to show rudimentary intelligence. The state of the art in security dashboards is more focused on events (what's happening now) than posture (what's happening over time).
The dream is to have a risk management dashboard that provides snapshot reporting, trending and compliance analysis, and command and control for remediation. Many existing point-product and management dashboards have the elements for a good, comprehensive dashboard, both in appearance and behind-the-scenes mechanics. We'll look at a few existing event-oriented consoles and how their features and elements could be used in building a posture-oriented, risk management
Making Sense of Chaos
A security dashboard is useless without the ability to collect and analyze data to produce refined intelligence. A dashboard must pull information from multiple sources--asset inventory scanners, firewalls, IDSes/IPSes, antivirus, routers and switches--then correlate the raw data into easily digestible, actionable intelligence.
The masters of information gathering and correlation are the SIM vendors, such as netForensics, ArcSight, GuardedNet, Intellitactics, Network Intelligence and e-Security. Originally built on the premise that IDSes need a filter to squelch the alert noise, SIMs pioneered the art of collecting information from multiple, disparate devices (either through syslog or SNMP traps), normalizing and correlating that raw mass of data, and producing easily understandable intelligence.
SIMs are rapidly evolving to include application monitoring, and are correlating threats and incidents with policy and regulatory compliance. GuardedNet, ArcSight and netForensics have made releases expanding their monitoring to layer 7.
SIMs come with information-rich dashboards. GuardedNet's NeuSecure dashboard (see "Sorting Data") provides graphic and text displays of vulnerabilities, scanned ports and events by type, volume of attacks and traffic. At a glance, security managers can see problems and select data sets for analyzing information and trends. For example, the dashboard may display that a network is exposed to a new vulnerability, but a security manager will have to click through a series of links to see the specific systems and who owns them.
Some of the emerging risk management consoles--such as Skybox Security, myC.R.O. Solutions, Secure-Info and Cybertrust--provide risk indexing against regulations such as Sarbanes-Oxley and security standards such as ISO 17799. The merging of SIM and risk indexing technologies will provide enterprises with a dashboard that has contextual business intelligence.
Premium Real Estate
A dashboard must present all of the data infosecurity executives and managers need to make decisions and take action in a display limited to the viewable area of a standard desktop monitor.
With real estate at a premium, a dashboard must be organized logically: push the bad stuff to the top and drop the routine, unimportant details to the bottom or to subordinate pages. Security managers don't need to know what is working well; they need the critical, must-act-now information, such as a new vulnerability for which there's an exploit in the wild.
Managed security service providers--such as LURHQ, Symantec, VeriSign, SecureWave and Cybertrust--have built dashboards that show clients' data on their monitoring and response services. A benefit of an MSSP dashboard is that most services can quickly correlate threats and how they relate to a specific enterprise's infrastructure, as well as compare how that enterprise's security posture relates to others.
Figure: Preserving Real Estate
For example, at the top of LURHQ's dashboard (see "Preserving Real Estate") are threat management trends, which correlate vulnerabilities, known threats and advisories to a network's posture; monitored incidents over time, showing the relationship of a network security posture to other like organizations; and security intelligence trends, reflecting the severity of security warnings and how they relate to an environment.
Even these views aren't enough, though. Along the top of the LURHQ dashboard is a series of tabs for deeper reports on monitoring, security intelligence, scanning and job tickets. Many dashboards will use either tabs or dynamic links to drill down on particular reports or graphics, and provide deeper intelligence into an incident or trend. While this runs counter to the single-view goal, it presents the most important information first, letting the users select which bits they want to examine more closely.
Data streams, logs, job tickets, vulnerability reports and risk analyses are meaningless in a dashboard if they're not presented in a quickly digestible format that doesn't detract from the intelligence. This means a heavy emphasis on colorful graphics--pie charts, comparative bars, trending lines--and minimal text.
What really gets security managers' attention is seeing red. The classic traffic light colors are essential for classifying, prioritizing and presenting information to security managers. Red is bad--needs immediate attention; yellow means hazard--proceed with caution; and green says systems are normal. Text-based elements should only be incorporated when the user wants to drill down to the supporting details of a particular element.
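The collection-and-correlation idea from "Making Sense of Chaos" and the traffic-light prioritization described here, as an added illustration that is not from the article or any of the products it names: three constructed syslog-style feeds (a vulnerability scanner, an IDS and a ticketing system) are normalized into a common record, joined per vulnerability into exposed hosts, remediation progress and observed attack activity, and rated red/yellow/green with the worst rows sorted to the top. The field names, the feed formats and the rating rule (red = exposed hosts plus active attack traffic, yellow = exposed but quiet, green = nothing left exposed) are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample feeds (not from the article): one syslog-style line per event from a
# vulnerability scanner ("scan"), an IDS ("ids") and a job-ticket system ("ticket").
SAMPLE_FEED = [
    "scan host=web01 vuln=VULN-A status=exposed",
    "scan host=web02 vuln=VULN-A status=exposed",
    "scan host=db01 vuln=VULN-B status=exposed",
    "scan host=db02 vuln=VULN-B status=patched",
    "scan host=app01 vuln=VULN-C status=patched",
    "ids alert sig=VULN-A dst=web01 action=blocked",
    "ticket vuln=VULN-A host=web02 state=closed",
]
LIGHT_ORDER = {"red": 0, "yellow": 1, "green": 2}  # red sorts to the top of the pane

def normalize(line):
    """Reduce one raw line to a flat dict of key=value fields plus its source tag."""
    source, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["source"] = source
    return fields

def correlate(lines):
    """Join normalized events per vulnerability and rate each one, worst first."""
    exposed, remediated, attacks = defaultdict(set), defaultdict(set), defaultdict(int)
    for ev in map(normalize, lines):
        if ev["source"] == "scan":
            bucket = exposed if ev.get("status") == "exposed" else remediated
            bucket[ev["vuln"]].add(ev["host"])
        elif ev["source"] == "ticket" and ev.get("state") == "closed":
            remediated[ev["vuln"]].add(ev["host"])   # closed ticket: host is fixed
        elif ev["source"] == "ids":
            attacks[ev["sig"]] += 1                  # exploit activity seen on the wire
    rows = []
    for vuln in sorted(set(exposed) | set(remediated) | set(attacks)):
        still_open = exposed[vuln] - remediated[vuln]
        if not still_open:
            light = "green"      # nothing left exposed
        elif attacks[vuln]:
            light = "red"        # exposed hosts and the threat is active: act now
        else:
            light = "yellow"     # exposed, but no attack activity observed yet
        rows.append({"vuln": vuln, "light": light, "open_hosts": len(still_open),
                     "remediated_hosts": len(remediated[vuln]),
                     "total_hosts": len(exposed[vuln] | remediated[vuln]),
                     "attacks": attacks[vuln]})
    rows.sort(key=lambda r: (LIGHT_ORDER[r["light"]], -r["open_hosts"]))
    return rows
```

Each returned row is one dashboard line: the vulnerability, its light, how many hosts are still open, how far remediation has progressed, and how much attack traffic the IDS has tied to it.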
Figure: Color Gets Attention
BigFix's patch and configuration management console (see "Color Gets Attention") effectively uses graphics to convey important information and text for drilling down. The graphics at the top show the total security events, issues resolved by severity, and number of computers on the network and their patch/vulnerability status. At the bottom of the screen are links to information on new threats and patches.
Security managers want to see vulnerability exposure over time, configuration status vs. hardening standards (NIST, SANS, etc.), regulatory controls (Sarbanes-Oxley, FISMA, ISO 17799) and time to remediation.
Once a security manager has addressed the red alarm lights, he can turn his attention to the trending data and granular details. This is where the tables of IP addresses, host names, services, protocols and traffic flows come in handy for more detailed analyses.
Not everyone needs to look at the same security intelligence. The CISO wants compliance intelligence, threat trends and response analyses. The security manager wants lists of threats to vulnerable systems, remediation times and job-ticketing progress reports. The security admin needs to know about the machines he maintains and secures.
Dashboard personalization accomplishes two things: separating duties and providing users with the information they need most. Many dashboards offer personalized views and feature rights access based on a user's role and defined needs. This prevents users from seeing confidential information about an overall security posture and keeps them from making changes outside their authorization level.
Ideally, role-based access control, customization and integrated ticketing will combine to give security managers and admins a daily worksheet. The dashboards offered by Secure Elements, a vulnerability management firm, and Preventsys (see "Personalization"), an enterprise security management company, provide users with exactly what they need. Based on their profile, users are presented cursory information on top threats and exposures, but the dashboard also shows open tickets and the remediation required. Dynamic linking allows the user to drill down on his assignments to see what work has been performed upstream and what's left to be done. Security managers should be able to adjust settings to see the security posture of groups, business units and campuses. Preventsys has this capability; the key is presenting the information in a consistent format, allowing for quick reads and comparisons.
Reports on Everything
Dashboards give a snapshot view of what's going on in your infrastructure. For real utility, they must become historical reporting consoles, able to generate data on any combination of security data or framework.
Many dashboards come with myriad reporting options. For instance, Qualys' QualysGuard Enterprise vulnerability scanner's reporting dashboard (see "Quick Reports") allows users to generate detailed reports on the number of vulnerabilities discovered, the severity of vulnerabilities and exposure trends. From this single, concise report, security managers can see how well they're doing at closing security holes.
The drawback with state-of-the-art reporting is specificity; it's too focused on snapshot events. What's needed is a dashboard that can reach across the spectrum of the security and network infrastructure and produce reports on the relationship of security activity at the perimeter and interior nodes, or how an enterprise is trending against regulatory controls. For instance, a dashboard should produce an index that measures SOX compliance and reflects the enterprise's effort to stay within the bounds of the law and the auditors' requirements.
Dashboards also need the ability to track remediations and job ticketing. Some SIM, patch and vulnerability management products include job assignment and tracking functions. For instance, McAfee's Foundstone FS1000 vulnerability management platform allows security managers to assign tickets to specific admins and will issue alerts if the ticket remains open too long.
The failsafe remains integrating leading dashboards with leading reporting tools, such as Hewlett-Packard's OpenView, Remedy or Crystal Reports. As dashboards evolve, they'll need to develop better reporting tools and functions, and have the capacity to allow users to customize reports based on individual needs.
The crop of existing dashboards has varying degrees of proactive response capabilities. For instance, patch and configuration management products can scan and report on hosts' status, and then push corrections. IPSes monitor network traffic, report on suspicious activity and, if enabled, initiate preprogrammed responses.
Leading the next wave of cross-platform response are the configuration management solutions, such as Configuresoft's ECM, which uses the DCOM protocol to pull state data from servers and hosts, correlates that information for reports and threat exposure, and allows security managers to push changes to groups or specific hosts. Similarly, McAfee's ePolicy Orchestrator was designed to bridge the management of multiple antivirus applications, but is evolving to incorporate cross-vendor administration of IPS as well.
And, of course, there are the automated network defense initiatives by Cisco Systems, Juniper Networks and Microsoft. A byproduct of these vendors' attempts to bake security into the fabric of IT and automatically respond to threats and incidents could produce a robust dashboard that will show everything that's happening on the network--attack and defense--and allow security managers to manipulate actions globally and locally. Some of this functionality exists in endpoint security solutions, such as those by Sygate, StillSecure, ENDFORCE, Check Point Software Technologies and InfoExpress.
Is a posture-oriented, comprehensive risk management dashboard possible? That depends. Each vendor wants to present information in a way that best reflects its product's function and value proposition, while users only want consoles that present the information that they want and need.
Each vendor has a piece of the puzzle; the trick is whether someone will pull them all together and form the tool enterprises need.
This was first published in March 2005