CiscoWorks Security Information Management Solution (SIMS)
With the rapid proliferation of security threats that has barraged IT organizations since the late 1990s, nascent security teams have struggled to keep pace with the volume of threats, focusing mostly on threat identification. Security Information Management (SIM) products have helped security organizations improve their ability to detect the presence of attacks and distinguish real attacks from false positives. However, until recently, security organizations have largely neglected to address the incident response process itself; for the most part, security organizations continue to rely on special processes and tools that were not designed to support a security-specific workflow. This frequently results in problems that are not properly documented, threats that are not fully eradicated, and systems that are not fixed correctly the first time.
Timely and effective incident response is directly related to minimizing incident-induced loss to any organization, and at an operational level, ensuring that the security organization is continuously reducing risk exposure. A clearly defined, documented, and repeatable security management process is fundamental to ensuring fast and accurate handling of security incidents. It is also critical that security organizations choose a SIM solution with a fully integrated incident response workflow to support this process. Security organizations should look for SIM solutions that implement an incident resolution management workflow based on common security best practices, but still remain open to integrate with trouble-ticket systems in use by other groups where necessary. This allows security teams to collaborate effectively throughout the security incident lifecycle to accelerate remediation times while improving overall security.
The CiscoWorks Security Information Management Solution (SIMS) from Cisco Systems® is based on the only SIM technology with a fully integrated incident resolution workflow based on the best practices for incident resolution management. By providing a comprehensive remediation workflow based on the standards-based methodology, CiscoWorks SIMS guides teams through a proven, security-specific process to fully eradicate threats. It allows teams to attach all relevant information about a threat, so anyone on the team can quickly see the analysis that led to the creation of a case, or replay the attack. Furthermore, CiscoWorks SIMS includes an integrated knowledge base of information relating to specific threats and how to address them, so security personnel can take the appropriate action at each step of the process.
INCIDENT WORKFLOW AND TODAY'S SECURITY CHALLENGES
Most security practitioners are painfully familiar with the primary obstacles most enterprise security organizations face: too much security data to sift through, too many false positives to deal with, and not enough budget or resources to handle an ever-growing number of security incidents. One additional and often overlooked challenge involves the security management process itself. Although it is largely ignored in many of today's IT enterprises, a sound process can help prevent the expensive and often difficult-to-repair reputation damage that frequently follows a security incident. More importantly, this process is seminal to helping the security organization improve operational performance by lowering total risk exposure and shortening response times. It is also critical that steps be taken to prevent incident recurrence. Therefore, being prepared with a systematic incident response plan is likely to be one of the most cost-effective security measures an organization can take.
ADOPTING A METHODOLOGY
Fortunately, organizations do not have to start without resources. The CiscoWorks SIMS standards-based methodology provides an excellent blueprint to help organizations develop an incident resolution plan.
The methodology includes six critical steps to deal with security incidents:
Overall, the CiscoWorks SIMS methodology allows an organization to give structure to the otherwise chaotic incident response workflow. The steps outlined in the methodology are both clearly defined and easy to follow. Choosing a SIM solution designed to support an established SANS methodology makes it much easier for a security organization to put a repeatable process in place and achieve greater efficiency across the organization.
Although this seems like a practical way to implement an effective incident resolution management process, it represents a departure from the way most organizations have deployed incident resolution management systems across their enterprise. Most organizations either do not have a process or rely upon generalized, non-security-savvy "incident tracking" systems such as the Remedy or Computer Associates help desk systems. This is problematic because the people and processes needed to quickly resolve a security incident are significantly different from those required by traditional application or network incident tracking systems, which focus on simple problem-and-fix reporting. General trouble-ticketing systems also do not have a built-in security workflow and require a steep learning curve.
INTEGRATING RESOLUTION PROCESSES WITH THE SIM INFRASTRUCTURE
Effective incident response fuses together technical and non-technical resources, bound by incident response policies that are formulated into an incident resolution plan. In order to be effective, the process must unify everyone in the security organization by integrating with the SIM infrastructure. This is important in order to:
• Achieve widespread adoption of the process in a short timeframe
• Create a single environment for both identification and resolution of security threats
• Ensure that the workflow corresponds to the unique requirements of a security organization, not just a generic IT resolution workflow
• Generate comprehensive reports that measure security operations performance, as well as compliance with the established security policy and important industry regulations
• Unify the entire team by fostering collaboration throughout the resolution process
• Allow anyone involved in the resolution process to recreate the original attack
• Provide access to an integrated knowledge base with detailed instructions about what to do at each step of the resolution process for a particular type of vulnerability
The best way to integrate resolution management with the SIM infrastructure is to choose a SIM solution that includes comprehensive resolution management functions based on an established resolution methodology.
Although adopting a security-specific workflow as part of a SIM solution is the best way for the security team to improve resolution processes, it is also important for this workflow to integrate trouble-ticket systems that might be in use by other groups within the IT organization. For example, the network operations team might use a traditional trouble-ticket system to apply patches or fix an infected host. The CIO may also desire this integration to obtain global reports on issue tracking to gauge the overall responsiveness of the IT organization. It is, therefore, important to choose a SIM tool with a built-in process that is extensible to leading trouble-ticket systems.
CISCOWORKS SIMS: FULLY INTEGRATED RESOLUTION MANAGEMENT FOR RAPID REMEDIATION
CiscoWorks SIMS delivers most, if not all, of the data and procedural information necessary to resolve even the most complex security incidents. Its incident resolution management capabilities focus on gathering and organizing security event data into a logical form and then enforcing a proper security response workflow to facilitate a fast and effective response to security incidents. In addition, CiscoWorks SIMS contains an integrated knowledge base so users can get additional decision support to help resolve virtually any security incident.
By establishing a single control point for both managing security events and tracking incidents, operators and analysts gain access to a unified solution to easily monitor events and then respond and track incidents when they arise (see Figure 1).
Figure 1. CiscoWorks SIMS Event Console
CiscoWorks SIMS features one of the most advanced security incident resolution management solutions available today, offering a complete range of features to handle even the most complex security incident management needs. The following are some of the primary incident management features and benefits of CiscoWorks SIMS:
• Intuitive and easy-to-use GUI: CiscoWorks SIMS uses a powerful and yet easy-to-use GUI from which operators and analysts can easily open, edit, and close security incidents. Using the intuitive interface, users are guided through the steps necessary to create and resolve virtually any security incident. CiscoWorks SIMS allows analysts to open cases based on observed real-time events, historical events revealed by forensics reports, or other incident indicators in use within a customer's enterprise.
• Built-in workflow: By using a flexible, comprehensive, and customizable workflow, users are assured that each security incident is handled with a rigorous, defined, documented, and complete process targeted specifically at security incidents. Additionally, CiscoWorks SIMS offers preconfigured incident templates and site-customizable incident resolution management procedures, which simplify the incident resolution management process. This allows organizations to tailor the out-of-the-box workflow to address the unique process requirements defined in their incident resolution plan.
• Built-in knowledge base: An integrated knowledge base offers vendor-specific device information as well as a complete database of security best practices from such sources as CERT and CVE. With a readily available, in-depth warehouse of security information, operators and analysts command powerful decision support capabilities that, in turn, make incident response a much easier and more streamlined process.
• Evidence retention and security: Virtually any document, image, report, chart, or other relevant data can be attached to an individual incident case. Other files, such as scanned images, audio interview records, and traffic captures, can also be added to cases, and they are cryptographically check-summed upon insertion to assure the integrity of evidence. Different authorized users can also add notes and comments to the case to alert others and to cover additional aspects of the investigation.
• Role-based access, incident collaboration, and incident security: CiscoWorks SIMS cases can be assigned to different system users as well as shared among a group of users. Case change notification is both flexible and configurable. Granular access controls are applied to case data and incident management system functions, so that several analysts can collaborate on a case while maintaining important "need-to-know" authorization structures. This critical feature provides a secure way to store case evidence and apply tight and granular access controls to case data, while still allowing investigators to work together on a case. Additionally, all actions performed by system users on the case are recorded in the audit log (see Figure 2). Finally, when the investigation is concluded, the case handler can choose to export the case to other systems. Final reports include all case data and can be printed or sent by e-mail.
• Reporting: Robust reporting capabilities include both incident- and executive-level reports. Incident cases can be easily searched by authorized operators and analysts from within the incident case database. Case reports can be generated on individual cases or groups of cases. Case monitoring and summary reports are easily generated for management and executives. Additionally, CiscoWorks SIMS can be configured to automatically generate incident reports to share with company management or third parties.
• Integrated threat visualization: Users can attach specific Link Map, Geo Map, and Chart views to cases so different members of the security team can replicate the threat identification process throughout the remediation lifecycle.
• Unified policy compliance and remediation: CiscoWorks SIMS takes information related to policy violations and closes the loop by triggering a workflow that allows teams to contain and remedy any policy violations that represent real network attacks. The solution simultaneously helps ensure that vulnerable systems apply appropriate updates, definitions, etc. so they can access the network safely.
• Remedy integration: In addition to providing a security-specific workflow as part of the SIM environment, the CiscoWorks SIMS incident resolution management process integrates with the Remedy solution to facilitate communication with other IT groups, such as network operations, that are involved in the remediation process.
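The evidence-retention and role-based-access features above describe three controls a case store needs: a checksum recorded when evidence is inserted, a need-to-know access list enforced on every case action, and an audit log of all actions. The following is an added illustration of those controls, not CiscoWorks SIMS code; the `Case` class, the user and case identifiers and the capture bytes are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Case:
    """One incident case: attached evidence, a need-to-know access list, an audit log."""
    case_id: str
    handlers: set                                   # users allowed to work the case
    evidence: dict = field(default_factory=dict)    # name -> {"data", "sha256"}
    audit_log: list = field(default_factory=list)

    def _audit(self, user, action, detail):
        # Every action on the case is appended to the audit trail with a UTC timestamp.
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "user": user, "action": action, "detail": detail})

    def _check(self, user):
        # Granular access control: users outside the case's handler list are refused
        # and the refusal itself is logged.
        if user not in self.handlers:
            self._audit(user, "denied", "not on case access list")
            raise PermissionError(f"{user} may not access case {self.case_id}")

    def attach(self, user, name, data):
        self._check(user)
        digest = hashlib.sha256(data).hexdigest()   # checksum computed once, at insertion
        self.evidence[name] = {"data": data, "sha256": digest}
        self._audit(user, "attach", f"{name} sha256={digest}")
        return digest

    def verify(self, user, name):
        self._check(user)
        ev = self.evidence[name]
        # Recompute and compare in constant time against the digest recorded at insertion.
        ok = hmac.compare_digest(hashlib.sha256(ev["data"]).hexdigest(), ev["sha256"])
        self._audit(user, "verify", f"{name} intact={ok}")
        return ok

def demo():
    # Constructed walk-through: attach a capture, tamper with the stored bytes, re-verify.
    case = Case("CASE-0001", handlers={"analyst1", "analyst2"})   # constructed ids
    capture = b"\xd4\xc3\xb2\xa1" + b"constructed sample capture"  # constructed data
    case.attach("analyst1", "capture.pcap", capture)
    intact_before = case.verify("analyst2", "capture.pcap")
    case.evidence["capture.pcap"]["data"] += b"X"                  # simulate tampering
    intact_after = case.verify("analyst2", "capture.pcap")
    return intact_before, intact_after, [e["action"] for e in case.audit_log]
```

The second `verify` call fails after the stored bytes change, and the audit log records the attach, both verifications, and any refused access attempt.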