Security Intelligence in Action
HP's Eric Schou on the Power of Situational Awareness
According to research, organizations may take 250 days to detect advanced threats, and then another 30 days to mitigate the attacks. This is why greater situational awareness is needed, says Eric Schou of HP.
"On average, when a breach like this happens, the result is about a 30 percent reduction in the company's market cap," says Schou, a director of product marketing at HP. "There are some real issues here and a real need to change the way that organizations are looking at their security. And a lot of it really comes down to their ability to be situationally aware - to make sure they can actually respond to threats in a timely manner."
In an interview about the practical uses of security intelligence, Schou discusses:
- How a Serbian bank improved anomaly detection;
- Improved analysis capabilities for a Canadian telecommunications company;
- A major U.S. federal agency's efforts to improve situational awareness.
Schou is a Director of Product Marketing at Hewlett Packard. He leads the marketing for the HP ArcSight product line in the Enterprise Security Products group. Before joining HP, Schou spent over 16 years in the security and storage industry.
Security Intelligence in Action
TOM FIELD: Tell us a little bit about yourself, especially your expertise in this emerging area of security intelligence.
ERIC SCHOU: I'm the director of product marketing at HP in the enterprise security group. So, we're in an exciting place to be right now within the industry, as well as within HP. I've been doing software security and storage for about 15 years, and have worked for a variety of security companies. I came to HP because I really felt that HP has vision in and around the new security threat landscape, as well as really top-notch people. So, it really drew me to be a part of that organization.
FIELD: What do you find to be the most compelling needs for organizations to radically improve situational awareness?
SCHOU: It's a big deal and issue right now with customers worldwide in every region. What we're seeing right now is that ability in and around security to be situationally aware, and it's getting harder and harder. So the new threat landscape, advanced persistent threats that are there for a very long time, are really impacting the way that companies are investing. It's also changing the way that they're responding, and they're making things a lot more challenging.
If I could just quote a couple of stats that may or may not alarm you. The Ponemon Group does a study every year, and the latest one is telling us that it's taking the average enterprise, or average customer, about 250 days, or close to a year, before they even find out that there are bad guys inside their environment. That's pretty alarming. Then, once they actually do find the bad guys, it's taking almost a month to actually respond to that threat. This has devastating impacts on the business.
When something like this does happen, a breach, the result is about a 30 percent reduction in the company's market cap. So there are some real issues, and a real need to kind of change the way that organizations are looking at their security. A lot of it really comes down to their ability to be situationally aware, to make sure that they can actually respond and react to threats in a timely manner. With the new threat landscape, it's just getting harder and harder to do.
Detect Suspicious Activity
FIELD: How did you use HP ArcSight to help Banca Intesa detect suspicious activity, and what results have they seen since deploying your solution?
SCHOU: The bank is the largest bank in Serbia. In financial services, security is a big deal obviously because money is there, and bad guys know where the money is. Obviously, security is a really big deal, and they want to be on the forefront of that. What they were finding is that, like many banks, they were very decentralized. They have a lot of branches, not a lot of real synergies when it came to centralizing their overall security. They had a lot of data that they had to deal with, lots of log creation. The management of that was really difficult. Correlating information across different branches was super tough, and their ability to increase the capabilities around conducting forensics or investigations and getting the root cause analysis was challenging for them to do. Mainly because they were very decentralized when it came to security.
So, they looked at implementing HP ArcSight, the Enterprise Security Manager, as well as our universal log management product logger, connectors and identity view. What came out of that was HP really provided an automated way to look into risk and key indicators. That automation is key because when you think about how fast things are happening and really improving your situational awareness, you've got to go into an automated fashion. Manual types of activities are just not going to cut it.
They wanted to have speed inside managing how many events were coming up, which results in their ability to respond. They wanted to accurately identify countries of origin, individuals and traffic that looked suspicious, and HP really enabled them to do that. They wanted to make sure that the log events and data coming in were enriched and meaningful, because just having a lot of data coming into the bank is not necessarily meaningful unless they can really use analytics and products like HP's. Those products can actually make it something that they can react to and put in place that's going to make them more secure. That's fundamentally changed the bank and its culture in and around security intelligence.
FIELD: How did you help Telus Security Solutions in Canada improve its intelligence analysis capabilities?
SCHOU: They're a managed service partner of HP, but then also use the technology in-house. Partnerships are a big deal, and Telus really differentiates HP, by being one of the top telcos, and they are, based in Canada. One of the things they were looking for was to really safeguard internal core networks and multiple business units. Again, you're hearing this over and over when you have companies that are implementing solutions in various sites that aren't necessarily talking to each other. There are a lot of challenges there. Also, they wanted to protect the infrastructure that allowed this company to be successful, which is managing lots of their customers. They wanted a solution that was going to provide a backbone really for a highly successful managed service business, and have security as one of the main threads there.
So HP did various things; we went onsite with a couple of key products inside the HP enterprise security portfolio, one being ArcSight and the other being TippingPoint. Another big highlight here is that with HP, Telus is able to take advantage of not just a SIEM solution like ArcSight, but also one of the top network security products in TippingPoint. It's a real big advantage that the HP customers have.
HP also went in with a series of services to make sure that the ArcSight platform was really targeted at the specific threats that were facing Telus at the time. So the outcome of all that was, it really expanded Telus's market opportunities. Not only as a security backbone, but it really is expanding their overall opportunities with other customers, because of this foundation that they put in place. They also delivered an effective protection against cyber threats across the enterprise, both from the telco space and then beyond. It really gave the company an internal network to manage their security services. Again, a real backbone to make them not only secure internally, but for Telus, it's a real differentiator.
FIELD: How did you help the Department of Health and Human Services improve its situational awareness?
SCHOU: This is another broad case study; it's not just ArcSight, but ArcSight and TippingPoint, really highlighting the whole portfolio that HP Security has to offer. But one of the needs that the Department of Health and Human Services had was, again, this constant theme, that their organization is big. With a lot of agencies under the umbrella of the HHS, such as The National Library, the challenge was this decentralized behavior, that each one of the umbrella organizations had deployed different types of products.
Being situationally aware obviously was super tough to do. They decided to really take a hard line and be centralized, and do that with a platform and solution like ArcSight to start. They wanted to make sure that they had actionable information. They're dealing with billions of events, so being able to make sense of that and look for the needle in the haystack was important and key to their business. Core to that would be consolidating multiple products and licenses into a real centralized way to fight the bad guy and give them some control over their security posture. The deployment was HP ArcSight, the Logger product, ESM product, connectors, as well as HP TippingPoint, to really make sure that they had the real intrusion protection, as well as the next-generation firewall, to make sure that they've got all the best when it comes to network security.
The business benefit from that was HHS reduced staff time. When you look at this centralized behavior, what you're saying is, "I can do a lot more with less. I can have a few people really managing multiple organizations at one time with a single pane of glass that can really reduce that time to detecting the bad guy." You're not just reducing the time to detect the bad guy; you're also dealing with fewer people, and response time is going to be a lot quicker. Let's hope it's less than a month. With ArcSight it's a fraction of that, and getting better as they really fine-tune this.
They want to be much more accurate on identification of malicious activity, as well as reducing that time to insight. I heard them say that over and over again in multiple case studies; that reducing that time to insight is key. At the end of the day, they want to enhance their security, enhance their posture, and build a better platform, again not only for security, but for the business.
Solution to Centralized Behavior
FIELD: What do you find to be the common themes among your customers that are striving to improve their abilities to manage security intelligence?
SCHOU: I think you heard a couple of themes throughout these case studies. One would be really taking a centralized behavior and looking at a solution approach as opposed to a point approach. Make sure you can centralize what you're doing and have a single pane where you can really see your entire environment. Be able to make really good core, quick decisions around your security posture. That's really the key, having an overall plan; you'd be surprised. Medium-sized to large enterprises don't really have a hardcore plan as to how they're going to improve their security posture today or tomorrow. The key question that they should be asking themselves, and that the C-suite is probably asking, is, "Hey, if we do this investment, will we be more secure today than we were yesterday?" You need to be able to ask yourself that and make sure that your security posture is getting more mature over time, and that you're really refining your overall organization so you can reach your goals. It's not just about products and solutions; it's about us educating the workforce.
The workforce, the people inside the four walls of the building, are key as well to making a difference in and around security. Just overall security practices, how they utilize the hardware that's given them in this BYOD world, whether it's laptops, smartphones, you name it. They're carrying around this very critical data inside of those devices, and people need to really have a method, intelligence, and education in and around how to make the organization more secure.
Piece of Advice
FIELD: What is the one fundamental piece of advice you'd give to organizations that are just now starting to assess their needs and their strategies?
SCHOU: Probably the biggest thing that I would say and try to get across to customers is that it's not a matter of when you're going to be breached, but the likelihood is that you've already been breached. It's not just these big customers that are in the news, like Target was just breached; it's everybody, small and large. Take action today. Everybody is at risk today in today's landscape, whether it's medium-sized companies or large companies, whether you're in financial services or you're in federal government, it doesn't matter. Take action today. Put that plan together and take some action, build yourself a plan to improve your security posture, improve your time to respond. Don't wait for that breach to happen before you take action. That's why we buy homeowner's insurance, right? You don't want to wait until your house burns down before you say, "Wow, should have bought fire insurance." Security is everybody's business, so it's real important to look at yourself in the mirror as a security professional and take some action today to make it better and build out that security posture.