The ubiquity of modern day computing apparatus and their connectedness to one or more networks and to the Internet can render the computing apparatus, networks, data stored and programs operated thereby vulnerable to attack by malicious agents—known as “hackers”—trying to gain access to and control of the resources made available by these connected computing environments.
Attempts at malicious attacks on a computer system or network—known as “cyber threats”—can take the form of many different attack vectors. Successful attacks can result in one or more of the key characteristics of a secure computer system: confidentiality, system integrity and resource availability; being compromised. Common attack vectors for achieving access to or control of resources of a computer system include malware such as malicious libraries, viruses, worms, Trojans, malicious active content and denial of service attacks; OS command injection attacks; buffer overflow attacks; cross-site scripting attacks (XSS); phishing attacks, and SQL injection attacks (SQLi). All of these attacks operate by exploiting weaknesses in the security of specific computer systems. Cyber threats generally are increasing in their frequency with a typical organisation trying to operate a secure computer system now facing a multitude of threats within the cyber sphere.
Specific computing environments made available securely over a network will attract specific threat sources and actors with attack vectors that are continually evolving and becoming more sophisticated. Further, specific secure computing environments will have different security weaknesses whether or not they are easily discoverable and so will be susceptible to being compromised by different kinds and variants of cyber attack vector.
Cyber threats wanting to compromise computer resources are therefore now wide ranging in their origin, arising from hostile foreign intelligence services, terrorists, hackers, hacktivists, civilian personnel or a combination of any of the aforementioned groups. Such malicious agents are becoming increasingly well-resourced and skilled at discovering and exploiting weaknesses in secure computing systems so as to gain illicit access to the computing resources, access to which is provided thereby.
For example, the Common Weakness Enumeration (http://cwe.mitre.org/top25/index.html)—a list compiled in 2011 of the top 25 most dangerous programming “errors” exploited by hackers in mounting cyber threats compiled by SANS Institute and the Mitre Corporation—indicates that SQL injection attacks present the greatest danger to cyber security. Further, referring to FIG. 1 it can be seen from FIG. 4 of the IBM Corporation's X-force Mid Year Trend and Risk Report 2012 (http://www.03.ibm.com/security/xforce/downloads.html) that the rate of SQL injection attacks in the cyber sphere is steadily increasing.
Therefore, a significant challenge facing developers and administrators of secure computer environments is to continually evolve defences to cyber threats in order to detect and avert successful attacks. Various countermeasures are known to improve the security of computers and computer networks such as the use of firewalls, malware monitoring, antivirus software, and “secure” connections, protocols and encryption. However, malicious agents are nevertheless still able to illicitly gain access to the resources made available by computers and computer networks by circumventing these countermeasures and/or exploiting weaknesses in the target computing environments implemented thereby.
In order to police access to computer resources, and to help avert cyber attacks, monitoring of network traffic in order to detect cyber threats is of crucial importance. In this respect, secured computer environments are often provided with one or more security components such as those countermeasures identified above embodied in software, middleware, hardware and/or virtual hardware which together make up elements of a Security Information and Event Manager (SIEM) and/or feed data thereto. SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM is provided as software, a hardware appliance or a managed service. It is also used to log security data and generate reports for compliance purposes. A SIEM provides an administrator of a secure computing environment with the capabilities of gathering, analysing and presenting information from network and security devices; vulnerability management; operating system, database and application logs; and external threat data. An example SIEM software suite currently available on the market is ArcSight, by the Hewlett-Packard Company of Palo Alto, Calif.
One way in which an SIEM provides information to system administrators about cyber threats is by way of alerts. On detection of a potential cyber threat by a security monitoring element of the computing environment, such as a Network Security Monitor (NSM), the SIEM issues an alert to the system administrator in real time by way of a dashboard interface of an Intrusion Detection System (IDS) (or optionally by email) to notify the system administrator of immediate potential security issues. On receipt of the alerts, the SIEM or other network security components may provide some degree of functionality allowing the system administrator to drill down into the data captured on the network, such as by a packet capture or sniffing software suite, to investigate the detected cyber threat further, and, potentially, intervene to prevent the cyber threat from successfully attacking and gaining access to the resources provided by the computer environment, for example by blocking packets from the IP address of the attacker.
A practical example of the alerts that can be collected in real-time use by an SIEM from SQL injection attacks detected by a network security monitor and presented in a dashboard is shown in FIG. 2. In even relatively modest size secure computing systems, the rate of generation of alerts that can be triggered by detections of potential cyber threats can outpace the rate at which system administrator teams can follow up on alerts and deal with them accordingly. The effectiveness of the security effort is therefore inherently limited by the quality of the data presented to the SIEM user in the dashboard, which is typically sparse including at most a brief indication of the reason for the alert being triggered, without any further meaning being provided within the data. It is therefore up to the administrators themselves to investigate further—or not—each cyber threat to evaluate the risk involved.
The security effort is often in practice incapable of effectively policing the system security due to data overload and as a result the secure computing environment can often be left vulnerable and compromised by attackers exploiting the weaknesses of the computing environment despite the system administrator's best attempts to utilise security monitoring and countermeasures.
It would therefore be desirable to provide a mechanism to facilitate the administrators of secure computing environments in effectively policing access to computer resources.