Archive

SIEM: What are you searching for?

Search engines are now well established as a vital feature of IT, and applications continue to evolve in breadth and depth at dizzying rates. It is tempting to try to reduce any and all problems to one of query construction against an index. Can Security Information and Event Management (SIEM) be (force-)fitted into the search paradigm?

The answer depends on what you are looking to do and your skill with query construction.

If you are an expert with detailed knowledge of log formats and content, you may find it easy to construct a suitable query. When launched against a suitably indexed log collection, results can be gratifyingly fast and accurate. This is, however, a limited use-case in the SIEM universe of use-cases; it usually applies when administrators are seeking to resolve operational problems.

Security analysts, however, are usually searching for behavior, not for simple text matches. While this is the holy grail of search engines, attempts from Excite (1996) to Accoona (RIP Oct 2008) never made the cut. In the SIEM world, the context problem is compounded by myriad formats and the lack of any standard for assigning meaning to logs, even within one vendor’s products and across versions of a product.

All is not lost: SIEM vendors do offer solutions by way of pre-packaged reports, and the best ones offer users the ability to analyze behavior within a certain context (as opposed to simple text search). By way of example: show me all failed logins after 6PM; from this set, show only those that failed on SERVER57; from this set, show me those for User4; now go back and show me all User4 activity after 6PM on all machines.
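As an added illustration (not code from the post or from EventTracker), here is that drill-down expressed as successive filters over parsed events rather than a single text query, including the final pivot back to the full event set. The log format, host names and every event value are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample events (not real logs); one event per line.
SAMPLE_LOG = """\
2008-10-14 17:55:02 SERVER57 auth user=User4 result=FAILURE
2008-10-14 18:05:11 SERVER57 auth user=User4 result=FAILURE
2008-10-14 18:06:40 SERVER57 auth user=User9 result=FAILURE
2008-10-14 18:07:03 SERVER12 auth user=User4 result=FAILURE
2008-10-14 18:30:22 SERVER57 auth user=User4 result=SUCCESS
2008-10-14 18:31:09 SERVER57 file user=User4 action=read path=/share/payroll.xls
2008-10-14 19:02:45 SERVER12 auth user=User4 result=SUCCESS
2008-10-14 19:10:00 SERVER57 auth user=User4 result=FAILURE
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (.*)$")

def parse(log_text):
    """Turn raw lines into dicts with ts, host, category and key=value fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole query
        ts, host, category, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "host": host, "category": category, **fields})
    return events

def after(events, hour):
    """Keep events at or after the given hour (18 == 6PM)."""
    return [e for e in events if e["ts"].hour >= hour]

def where(events, **criteria):
    """Keep events whose fields equal every given criterion."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]

def drill_down(log_text):
    """The four-step analysis from the post: three narrowing steps, then a pivot."""
    events = parse(log_text)
    failed_after_6 = where(after(events, 18), category="auth", result="FAILURE")
    on_server57 = where(failed_after_6, host="SERVER57")
    user4 = where(on_server57, user="User4")
    # Pivot: go back to the full event set, keeping only the user and time context.
    user4_everywhere = where(after(events, 18), user="User4")
    return failed_after_6, on_server57, user4, user4_everywhere
```

Each step is a filter over structured fields that carries the previous step's context forward; the last step deliberately drops the host and outcome filters, which is what a plain keyword search cannot express.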

Don’t try this with a “simple” text search engine... or, like John Wayne in The Searchers, you may become bitter and middle-aged.

– Ananth

Cutting through SIEM/Log Management vendor hype

While there is little doubt that SIEM solutions are critical for compliance, security monitoring or IT optimization, it is getting harder for buyers to find the right product for their needs. The reason for this is twofold: firstly, there are a number of products available, and vendors have done a great job of making their products sound roughly the same in core features such as correlation, reporting, collection, etc.; secondly, vendors are too busy differentiating on shiny features that in many cases have little or nothing to do with core functionality. This is not surprising. It is easier to spin a shiny feature than to slug it out on whose product actually meets core requirements.

SIEM solutions, in reality, are optimized for different use-cases and one size never fits all. The good news is that with the number of potential solutions to choose from, if you do your homework, you will find a product that meets your requirements. So how do you cut through all the vendor claims and hype and select the right solution for your environment and needs?

Read the full article for the 7 steps for cutting through vendor hype.

Industry News

The lowdown on zero-day attacks 
By definition, zero-day attacks always beat anti-virus vigilantes to the punch. That’s because these destructive viruses are able to exploit unknown, undisclosed or newly discovered computer application vulnerabilities before a software developer is able to release a patch to the public — which can render anti-virus programs practically ineffective.

Did you know? EventTracker detects zero-day attacks with its integrated Change Management module.

Extortionists target major pharmacy processor
One of the nation’s largest processors of pharmacy prescriptions said that extortionists are threatening to disclose personal and medical information on millions of Americans if the company fails to meet payment demands.

Did you know? EventTracker safeguards your critical data whether it is at rest, in motion or in use and protects you from costly and embarrassing breaches.

3 reasons why employees don’t follow security rules
A recent survey finds employees continue to ignore security policies. (Surprise, surprise.) Here’s a reminder about what often is missing in organizations that tempts workers to walk the wrong side of security law.

Did you know? EventTracker tracks all employee activity, including user rights and activities, file and object access, and logons/logoffs, to ensure that corporate and security policies are being followed.

Will SIEM and Log Management usage change with the economic slowdown?

When Wall Street really began to implode a couple of weeks ago, one of the remarkable side-effects of the plunge was a huge increase in download activity for all items related to ROI on the Prism website. A sign of the times, as ROI always becomes more important in times of tight budgets, and our prospects were seeing the lean times coming. So what does the likelihood of budget freezes or worse mean for how SIEM/Log Management is used, or how it is justified, in the enterprise?

Compliance is and will remain the great budget enabler of SIEM and Log Management but often a compliance project can be done in a far more minimal deployment and still meet the requirement. There is, however, enormous tangible and measurable benefit in Log Management beyond the compliance use case that has been largely ignored.

SIEM/Log Management has for the most part been seen (and positioned by us vendors) as a compliance solution with security benefits or, in some cases, a security solution that does compliance. Both of these have an ROI that is hard to measure, as it is based on a company’s tolerance for risk. A lot of SIEM functionality, and the log management areas in particular, is also enormously effective in increasing operational efficiencies, and provides clear, measurable, fast and hard ROI. Very simply, compliance will keep you out of jail and security reduces risk, but by using SIEM products for operations you will save hard dollars on administrator costs and reduce system down-time, which in turn increases productivity that directly hits the bottom line. Plus you effectively still get the compliance and security for free. A year ago, when we used to show these operational features to prospects (mostly security personnel), they were greeted 9 times out of 10 with a polite yawn. Not anymore.

We believe this new cost conscious buying behavior will also drive broader rather than deeper requirements in many mid-tier businesses. It is the “can I get 90% of my requirements, and 100% of the mandatory ones in several areas, and is that better than 110% in a single area?” discussion. Recently Prism added some enhanced USB device monitoring capability in EventTracker. While it is beyond what typical SIEM vendors provide in that we track files written and deleted on the USB drive in real-time, I would not consider it to be as good as a best of breed DLP provider. But for most people it gets them where they need to be and is included in EventTracker for no additional cost. It is amazing the level of interest this functionality receives today from prospects while at the same time you get correspondingly less interest in features with a dubious ROI like many correlation use cases. Interesting times.

-Posted by Steve Lafferty