Protecting Your Critical Infrastructure

As the government prepares to launch its Cyber Security Operations Centre, Reed Henry of ArcSight discusses the importance of protecting national assets

When Google in China experienced repeated cyber-attacks and efforts to access the Gmail accounts of Chinese human rights activists in January this year, the search engine giant decided not to remain quiet, and instead chose to publicly denounce the attacks, which led to a confrontation with the Chinese government.

Google said it was considering closing its Chinese operations and was no longer willing to censor results on Google.cn. This triggered a storm of protest from both human rights campaigners and politicians on both sides of the spectrum.

This event highlighted the very real threat that both companies and governments now face from an unseen number of cyber-warfare experts who can break into a company’s systems for industrial espionage purposes, or attack a nation’s critical infrastructure, such as power stations, in the event of war.

In the United Kingdom, the Cyber Security Operations Centre (CSOC) hosted by GCHQ is scheduled to become fully operational on 10 March. The CSOC was created as part of the UK’s National Cyber Security Strategy, and its main purpose is to identify cyber attacks in real time.

The creation and existence of the CSOC demonstrates the seriousness that governments are now attaching to cyberwarfare. eWEEK Europe UK therefore thought it would be a good time to get an expert viewpoint on the situation. We talked to Reed Henry, SVP of ArcSight, a security firm that works with the UK government, as well as other nation states and even NATO, plus regular commercial companies, in an effort to help them identify threats and attacks, as they happen.

What is ArcSight?

“ArcSight has been around for 10 years now, and it focuses on identifying footprints in enterprises that indicate bad things are happening. We track what is actually happening in the enterprise, based on logs etc., and alert the company so that business operations can continue to function normally. If a hacker decided to attack a critical server, we would know the server that is involved, and we would know if we really care about the data being hosted on that server. We can prioritise that event, and stop that traffic.

“With a lot of attacks coming from within the organisation, either internal staff or privileged users, we can provide visibility to both external and internal threats.”

Do organisations have a lack of visibility regarding their internal infrastructure?

“Absolutely, organisations very often have a lack of visibility about what is going on inside their systems. Most companies have invested large amounts in perimeter protection such as anti-malware security, but these companies very often have a huge blind spot as to what is going on internally. The IT department is focused on support, troubleshooting, and building new applications. They are also under pressure to open these applications to customers and outside users, which at the same time introduces more vulnerabilities. Do they know who is looking at the data?

“Security tends to be way down on the list of priorities; indeed, Gartner said it was number 8 on the list of priorities. What is needed is a single pane of glass that can provide insight into what is going on inside an organisation’s infrastructure. We can map individual users and trace users back to the IP address, for example. One of the problems some companies experience is with legacy accounts and people sharing the same user ID. This can lead to backdoors, so detection is the key.

“The second issue comes from staff who have been terminated, or have left the company, but their ID has not been taken out of the system when they leave. Accounts that are dormant, that is where the bad stuff happens. Disgruntled employees for example can be tempted to do something bad.”
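The two detections Henry describes above, a user ID in use from several addresses at once and a dormant or leaver's account that suddenly logs in, look like this when correlated over log lines. This is an added, illustrative example written for this article, not ArcSight's product; the log format, the LAST_SEEN feed, the TERMINATED list and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (timestamp, user_id, source_ip).
# The line format is an assumption, not a real ArcSight or syslog format.
SAMPLE_LOGS = """\
2010-03-01T09:00:00 login user=alice ip=10.0.0.5
2010-03-01T09:02:00 login user=alice ip=10.0.0.5
2010-03-01T09:03:00 login user=svc_legacy ip=10.0.0.7
2010-03-01T09:04:00 login user=svc_legacy ip=10.0.1.22
2010-03-01T09:05:00 login user=svc_legacy ip=10.0.2.9
2010-03-01T09:10:00 login user=bob ip=10.0.0.8
"""

# Hypothetical identity feed: last known activity per account, and HR leavers.
LAST_SEEN = {"alice": "2010-02-28T17:00:00",
             "svc_legacy": "2009-11-01T10:00:00",
             "bob": "2010-02-26T12:00:00"}
TERMINATED = {"bob"}

def parse(lines):
    """Turn the constructed log text into (timestamp, user, ip) tuples."""
    events = []
    for line in lines.splitlines():
        ts, _, user_kv, ip_kv = line.split()
        events.append((datetime.fromisoformat(ts),
                       user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1]))
    return events

def shared_ids(events, window=timedelta(minutes=5), min_ips=2):
    """User IDs seen from >= min_ips distinct source IPs inside `window`:
    the footprint of an account shared between several people."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = set()
    for user, hits in by_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ips = {ip for t, ip in hits[i:] if t - start <= window}
            if len(ips) >= min_ips:
                flagged.add(user)
                break
    return flagged

def risky_logins(events, last_seen, terminated, dormant_days=90):
    """Logins by terminated staff, or by accounts idle longer than dormant_days."""
    alerts = set()
    for ts, user, ip in events:
        if user in terminated:
            alerts.add((user, "terminated-account"))
        elif user in last_seen and \
                ts - datetime.fromisoformat(last_seen[user]) > timedelta(days=dormant_days):
            alerts.add((user, "dormant-account"))
    return alerts
```

Running `parse(SAMPLE_LOGS)` through both functions flags `svc_legacy` as a shared ID and as a dormant account, and `bob` as a terminated account logging in.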