So what do you say when a client asks for your opinion on the top threats to their IT environment? And what do you say to the next question: which assets do you think are vulnerable to those threats? Naturally the answer depends on how close you are to the client's operations, but these are very pertinent questions. So, assuming you do know the client's environment, how do you answer? Do you simply go on gut feel and/or what is written in public fora? If you do go on gut feel, how do you validate your assertion? Knowing an environment well enough, you ought to be able to understand not only the typical threats to it but also who the likely attackers are. That understanding still needs validation, however, to ensure that security spend is targeted at areas where it is justifiably and unequivocally needed. So the big question is: how do you get to an evidence-based result that justifies your assertion about threats and vulnerable assets?
Typically you will need to rely on your monitoring tools and audit logs, but that on its own sounds a little too simplistic. In today's ever-changing threat landscape you will also need to consider the newer breed of threat management services that monitor the "Darknet" to complement the traditional methods. There is a plethora of traditional tools available, such as network and host IDS/IPS, file integrity checkers, content filters, firewalls, DLP solutions and so on, all of which play a useful part in meeting this need. The key, however, is in the design of the network and the placement of these devices so that you get the most from them. Taking network IDS/IPS as an example, the placement of the sensors determines whether you can see the source of an attack, the methods used and the extent to which the attack has succeeded on your network (mostly with IDS). There is still a piece missing from the puzzle: what does it matter if your environment is targeted with a particular threat that has no bearing on the business, e.g. a Microsoft-based attack in a pure Unix environment? In short, an understanding of the information assets and their importance to the business is a key component. Once the assets are identified, a vulnerability management tool can help pinpoint where they are weak against specific threats. Note, however, that this is only as good as the tool you are using, so it is normally worthwhile signing up to a threat and vulnerability management service, which will proactively identify new and zero-day attacks and act as a failsafe for anything the tool misses.
When you tie this in with your SIEM solution, you will in theory have a baseline view of the type and nature of attacks against your environment (assuming the input information is adequate). More importantly, you will be able to correlate the 'real' threats to your environment with the assets that are actually vulnerable to them. It is a very good idea, however, for the output from the SIEM to be reviewed jointly by client and supplier: the synergy gained from that group ensures a focus on the key areas and joint ownership of the management of security weaknesses (contractual issues notwithstanding).
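As an added illustration of the correlation described above (example code, not from the original post), the following Python sketch checks normalised IDS alerts against a constructed asset inventory and scanner output, discards alerts that cannot apply (wrong platform, or the exploited weakness is already closed), and ranks what remains by business criticality. Host names, platform tags and vulnerability ids are constructed placeholders.

```python
"""Correlate IDS alerts with asset inventory and vulnerability scan results
so that only threats which can actually affect the business surface.
Added example with constructed data; not code from the original post."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Asset:
    host: str
    platform: str              # e.g. "windows", "linux" (from the CMDB)
    criticality: int           # 1 (low) .. 5 (business critical)
    open_vulns: FrozenSet[str]  # weakness ids the scanner reports as open


@dataclass
class Alert:
    host: str                  # destination host the IDS saw
    signature: str
    platform: str              # platform the attack technique targets
    exploits: Optional[str]    # weakness id the signature exploits, if known


# Constructed inventory: what a CMDB plus vulnerability scanner might yield.
ASSETS: Dict[str, Asset] = {a.host: a for a in [
    Asset("db01", "linux", 5, frozenset({"VULN-A"})),
    Asset("web01", "linux", 4, frozenset()),              # VULN-A already patched
    Asset("fs01", "windows", 3, frozenset({"VULN-B"})),
]}

# Constructed alerts, normalised as a SIEM would present them.
ALERTS: List[Alert] = [
    Alert("db01", "SMB worm propagation", "windows", "VULN-B"),    # Unix box: noise
    Alert("db01", "SSH service exploit attempt", "linux", "VULN-A"),  # real exposure
    Alert("web01", "SSH service exploit attempt", "linux", "VULN-A"),  # patched
    Alert("fs01", "SMB worm propagation", "windows", "VULN-B"),    # real exposure
    Alert("unknown9", "Port scan", "linux", None),                  # inventory gap
]


def classify(alert: Alert, assets: Dict[str, Asset]) -> str:
    """Decide whether an alert matters: unknown-asset flags an inventory gap,
    not-applicable and mitigated are filtered noise, actionable needs follow-up."""
    asset = assets.get(alert.host)
    if asset is None:
        return "unknown-asset"
    if alert.platform != asset.platform:
        return "not-applicable"
    if alert.exploits is not None and alert.exploits not in asset.open_vulns:
        return "mitigated"
    return "actionable"


def prioritise(alerts: List[Alert], assets: Dict[str, Asset]) -> List[Tuple[int, str, str]]:
    """Return (criticality, host, signature) for actionable alerts, most critical first."""
    hits = [(assets[a.host].criticality, a.host, a.signature)
            for a in alerts if classify(a, assets) == "actionable"]
    return sorted(hits, key=lambda t: t[0], reverse=True)
```

The "unknown-asset" bucket is worth reporting separately, since an alert against a host the inventory does not know about means the asset picture the whole exercise rests on is incomplete.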