Information Security Media Group 2013

The Importance of Reputation

Proactive enterprise security involves turning data into actionable information; that's where reputation comes in.
In the past, security meant tall, strong walls, as in forts, citadels, castles, etc. (think Great Wall of China). Eventually, warring parties figured ways around those vertically oriented defenses.

The same dynamic is at play today in the electronic realm. In the hyper-dynamic environment of the Internet, the fortress mentality of IT security is a throwback. With evolving online models such as mobile computing and the cloud, and sophisticated malware such as botnets and advanced persistent threats, an information security defense strategy oriented around securing an enterprise's perimeter is misguided and inadequate.

What is needed is a way to leverage IT's most valuable asset: data. As is true in every area of IT, security technology generates a plethora of data, which can be something of a mixed blessing. "What companies are wrestling with is the fact that security has a lot of data associated with it," says industry analyst Steve Hunt, author of the Security Dreamer blog. "But only when that data is organized, contextualized, does it become security information," he adds.

Turning security data into actionable information is key. In the context of today's constantly shifting security environment, adequate defense demands not only reactive data collected from internal networks, but active, up-to-the-minute reputation data reconnoitered from the wilds of the Internet, combined in the most effective manner to generate meaningful recommendations and remediations. Such reputation data can make the difference between passive resistance and proactive security.
The Threat Landscape
It is important to understand the hothouse environment that surrounds IT security these days. Public outrage over increasing reports of data compromises, along with political reaction in the form of widespread public disclosure laws, has made finding breaches and minimizing data loss a corporate priority.

Malicious motivations have changed over the years, as have their means to an end. Sophisticated criminal gangs, along with spies sponsored by nation-states and agenda-oriented hacktivists, have replaced teenage tinkerers as the most menacing digital marauders. Alongside brute-force virus attacks have come stealth tactics that emphasize the long, slow, multi-stage exfiltration of data and resources, such as the widespread surreptitious implementation of robot networks and the personalized targeted incursions known as spear phishing.
It is also important to understand where security threats come from. While much handwringing goes on over the threat represented by internal personnel, the fact is that most security breaches come from the outside. More than three quarters (86%) of the breaches examined by Verizon security researchers for the company's most recent data-breach report had no internal element.[1]
Given the stealth nature of many of these outsider attacks, it is not surprising that many organizations have security problems and do not know it. Two-thirds of the breaches examined by Verizon's researchers took months, even years, to discover.[2] In a recent analysis of security trends, Forrester Research called out this blindness to vulnerability as a major concern: "Most organizations don't have the visibility or awareness to know if their networks are breached."[3]
Security = Data
Information security has always been about data. Intrusion detection systems were intended to monitor networks and detect and report anomalies, while intrusion prevention systems checked for malware against lists of known signatures. Unfortunately, early versions of both tended to suffer from a surfeit of data, frustrating effective remediation with an overload of false positives.

With its sensors and dashboards, data collection and interpretation is the point of security information and event management technology (SIEM). SIEM found its foothold in the enterprise as a tool to document compliance with industry and governmental regulations. Still, the ability to collect and correlate massive amounts of data and make recommendations based on defined rules has made SIEM an important security tool for mid-size and large organizations.
As the malware landscape evolved, signature data became an important element in the fight against the rising tide of malicious code. Viruses, worms and Trojan horses were captured and catalogued, their identifiable characteristics added into the lists used by anti-virus applications. Also, software vendors tracked vulnerabilities inadvertently incorporated into their applications and systems and began publishing regular patches to address those potential problems.

In the online world, just as important as the "what" of malicious code is the "where," "who" and "how." Toward that end, some third-party organizations took it upon themselves to monitor the Internet for emerging threat areas. For instance, the SANS Institute, a computer security-training firm, provides an online public service known as the Internet Storm Center, which collates data on infrastructure events from sensors covering over 500,000 IP addresses in more than 50 countries, and adds analysis in the form of a daily blog.[4] It is a valuable public resource for monitoring and evaluating emerging Internet attack trends.
The Necessary Element
Security technology providers have realized the significance of such online reputation services to their customers' overall defense postures and to the effectiveness of their products. Being able to provide data about the most recent Internet threat areas means customers can use network-monitoring technology to detect even extremely subtle intrusions. Perhaps more importantly, users can check outgoing network traffic for communication with known bad actors, such as botnet command-and-control servers, to spot security threats already implanted within the enterprise.

"Being made aware of just how riddled with vulnerabilities your network is can be traumatic," says George Daglas, chief operations officer of Obrela Security Industries, a managed security services provider. One customer compared it to, Daglas says, "living in a dark room, and suddenly someone turned on the lights, and all around us were dragons and snakes" (see sidebar "Case Study: Obrela Security Industries," pg. 7).
Up-to-date reputation data can serve as a watchlist for organizations to guard their own Internet status and reputations: whether your Web assets (and those of customers and partners) are harboring malignant entities. This is a more efficient and effective (and less embarrassing) way to uncover internal security vulnerabilities than by being made aware by some third-party source, which is how most organizations find out. According to the Verizon report, 69% of the breaches they studied were spotted by external parties (9% by customers).[5]

Reputation data has a performance aspect to it as well. By helping to block unknown and unwanted communication from inside the organization to outside sources, reputation data can help increase network performance for mission-critical applications.
Benefiting From Benchmarks
It is worth noting that not all reputation security services are created equal. Some security technology providers rely on reputation research from publicly available sources, such as SANS, as well as that from major vendors, versus expending the resources to generate research of their own. Not that public data has no value, but it does not necessarily furnish security technology providers, or their potential customers, with a competitive advantage.

That is why it is important that organizations look closely at where reputation data comes from and how the security technology provider makes use of that data. "One of the criteria for evaluating a security vendor is to look at their threat intelligence research organization: what their linkage is to services and products," says security analyst Chris Christiansen, program vice president for IDC's Security Products and Services group.
When evaluating a security technology provider, especially in terms of threat research and reputation service, potential customers should pay close attention to these benchmarks:

- The extent and currency of the reputation data: how much, from where, and how often is it updated? Commitment is the key to currency, and currency is the key to actionable reputation data.
- A viable scoring mechanism for reputation data. Practical scoring provides potential customers with the ability to determine the granular level at which they want to filter potential threats.
- The integration of reputation data with existing technology. Reputation data can be a very powerful add-on to an IPS, ensuring filters are kept valid and purposeful. Similarly, reputation data can be used in connection with a SIEM system to bolster the effectiveness of the correlation engine and policy-based recommendations.
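The outgoing-traffic check described under "The Necessary Element," the own-asset watchlist, and the scoring threshold and SIEM-style correlation named in the benchmarks above, worked through as an added example. This code is not from the paper or from any HP product; the reputation feed, its 0-to-100 scoring convention, the key=value log layout and every address, host name and score in it are constructed for illustration.

```python
"""Correlate egress connection logs against a scored reputation feed.

Added example, not from the ISMG paper or any HP product. Assumptions:
the feed maps an indicator (IP or host name) to a 0-100 score (higher is
worse) plus a category, and the egress log is key=value text. Every
address, host name and score below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Feed = Dict[str, Tuple[int, str]]

# Constructed reputation feed; documentation addresses and example
# domains only, not real indicators of compromise.
REPUTATION_FEED: Feed = {
    "198.51.100.23": (95, "botnet-c2"),
    "203.0.113.77": (60, "scanner"),
    "bad-updates.example": (88, "malware-distribution"),
    "cdn.example.net": (10, "benign"),
}

# Constructed egress log lines in a hypothetical key=value layout.
SAMPLE_LOGS: List[str] = [
    "ts=2013-06-01T09:00:01Z src=10.0.0.5 dst=198.51.100.23 dport=443 host=-",
    "ts=2013-06-01T09:00:02Z src=10.0.0.8 dst=192.0.2.10 dport=80 host=bad-updates.example",
    "ts=2013-06-01T09:00:03Z src=10.0.0.9 dst=203.0.113.77 dport=22 host=-",
    "ts=2013-06-01T09:00:04Z src=10.0.0.5 dst=192.0.2.44 dport=443 host=cdn.example.net",
    "this line is malformed",
]

# Constructed list of the organisation's own Internet-facing assets.
OWN_ASSETS: List[str] = ["192.0.2.44", "cdn.example.net", "www.example.com"]


@dataclass
class Alert:
    ts: str
    src: str
    indicator: str
    score: int
    category: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one key=value log line; return None if it does not fit the layout."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    required = {"ts", "src", "dst", "dport", "host"}
    return fields if required.issubset(fields) else None


def score_event(fields: Dict[str, str], feed: Feed) -> Optional[Alert]:
    """Look up destination IP and host name; keep the worst-scoring match."""
    best: Optional[Alert] = None
    for indicator in (fields["dst"], fields["host"]):
        if indicator in feed:
            score, category = feed[indicator]
            if best is None or score > best.score:
                best = Alert(fields["ts"], fields["src"], indicator, score, category)
    return best


def correlate(lines: List[str], feed: Feed, threshold: int) -> List[Alert]:
    """Alert on events whose reputation score meets the operator's threshold.

    The threshold is the granular filtering level the paper's second
    benchmark refers to: one feed yields more or fewer alerts per tuning.
    """
    alerts: List[Alert] = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue  # skip a malformed line instead of failing the whole batch
        alert = score_event(fields, feed)
        if alert is not None and alert.score >= threshold:
            alerts.append(alert)
    return alerts


def repeat_offenders(alerts: List[Alert], min_hits: int = 2) -> Dict[str, int]:
    """SIEM-style aggregation: internal hosts with repeated reputation hits."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        counts[alert.src] = counts.get(alert.src, 0) + 1
    return {src: n for src, n in counts.items() if n >= min_hits}


def watchlist_hits(assets: List[str], feed: Feed, threshold: int) -> Dict[str, int]:
    """Own-asset watchlist: which of our assets does the feed score at or above threshold?"""
    return {a: feed[a][0] for a in assets if a in feed and feed[a][0] >= threshold}


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS, REPUTATION_FEED, threshold=80):
        print(f"{a.ts} {a.src} -> {a.indicator} score={a.score} ({a.category})")
    print("repeat offenders:", repeat_offenders(correlate(SAMPLE_LOGS, REPUTATION_FEED, 0)))
    print("own assets listed:", watchlist_hits(OWN_ASSETS, REPUTATION_FEED, threshold=50))
```

Raising the threshold from 50 to 80 drops the scanner match and keeps only the command-and-control and malware-distribution hits, which is the trade-off the scoring benchmark describes; the watchlist check shows that a low-scored listing of one's own asset stays below a sensible threshold rather than paging anyone.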
Extensive, proactive research regarding reputation data as well as tight integration with existing products will not happen by accident. It must be a part of a provider's dynamic effort to keep security technology and services as close to the cutting-edge as possible. Potential customers will benefit from close scrutiny of such practices before committing.
A Proactive Strategy
If there is one thing the last few tumultuous years have taught us, it is that information technology is not static; it is a dynamic process that companies must leverage or risk being left behind. In the same way, enterprise security can no longer be a static, defensive stance but must take the form of a dynamic, proactive strategy, or organizations continue to risk being victims.

Due to its currency and relevance, data is the most dynamic aspect of IT. The catch-phrase "big data" points to its potential, through analytics and data mining, for providing actionable insights. That same potential applies to security. More data points related to the evolving threat landscape as it mutates and multiplies on the Internet can mean more effective security technology better adapted to address current and future security vulnerabilities.

But such reputation data is only as effective as it is made to be. Potential customers must examine closely how such data is employed by security service providers: where it comes from, how current it is, and how it is leveraged in existing technology. When used correctly, reputation data, and the services and technologies related to it, represent the next most effective weapon in the war on information security.
Footnotes
1. Verizon 2013 Data Breach Investigations Report
2. Ibid. (62% of breaches took months to discover; 4% took years)
3. Forrester Research, Inc.: Top 15 Trends S&R Pros Should Watch: Q2 2013; April 9, 2013
4. https://isc.sans.edu/
5. Verizon 2013 Data Breach Investigations Report

HP Reputation Services
Among the reputation solutions offered by HP:

HP DVLabs
- Research organization focused on vulnerability discovery and analysis
- Maintains a database of 1-million-plus IPv4 and IPv6 addresses and 1-million-plus DNS names
- Receives reputation data from three sources: public providers, such as SANS; open source providers, including various malware/phishing/botnet communities; and its own threat data, generated from a honeypot network, the ThreatLinQ network, and the community of TippingPoint customers
- Aggregates and normalizes these data sources into one coherent database
- Scores database entries (0 to 100) based on threat potential

HP Reputation Digital Vaccine (RepDV)
- An add-on service to HP's TippingPoint NGIPS (next-generation intrusion prevention system)
- Based on data feeds from HP DVLabs
- Automatically updates every two hours

HP Reputation Security Monitor (RepSM)
- An add-on service to HP's ArcSight SIEM (security information and event management) Enterprise Security Manager system
- Based on data feeds from HP DVLabs
- Automatically updates every six hours

HP ArcSight Security Intelligence Platform
- HP's SIEM (security information and event management) solution, which offers visibility into security- and compliance-related data across the IT infrastructure
- Enables organizations to identify and respond quickly to security threats, transform Big Data into security intelligence, and automate compliance
- Collects, stores, and analyzes data from any device, any source, and in any format from 350+ connectors
- Closely integrated with HP RepSM for a complete view of security-related data
Case Study: Obrela Security Industries

Headquarters: Athens, Greece.

Mission: Provide managed services in the areas of risk management and information security for complex enterprise environments. "Obrela is a beta class startup, three years into the startup scene and expanding rapidly," says Kimon Skarlatos, chief commercial officer.

Customers: Financial services, payment processors, public sector, telecommunications.

Problem: Find a flexible, extendable, interoperable, scalable, multi-platform, multi-tenant SIEM system with a sophisticated correlation engine on which to base a growing security-as-a-service business.

Solution: HP ArcSight Enterprise Security Manager plus HP RepSM service.

Reason for using HP ArcSight: "We were looking for something open enough to allow us to build our own content, our own rules, (along with) multiple levels of correlation, not be the limiting factor of what we wanted to do," says George Daglas, co-founder and chief operations officer.

Reason for using HP RepSM: "With RepSM being constantly updated, we are able to correlate normal internal behavior with what is happening on the outside," says Daglas. "We have identified threats in financial organizations that had been there for years, that information was being transmitted and collected by malicious third parties for years; we were able to identify this very quickly with the RepSM environment," he says.
902 Carnegie Center Princeton, NJ 08540 www.ismgcorp.com
About ISMG
Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries. This information is used by ISMG's subscribers in a variety of ways: researching a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance-related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape.
Contact
(800) 944-0401
info@ismgcorp.com