Download the Report
Advanced Threat Protection
Download the Datasheet
Let's Go Threat Hunting: Gain Visibility and Insight into Potential Threats and Risks
Download the Whitepaper
Bracing for the Tidal Wave of Data Privacy Compliance in America
View Recent Catches
Catch More Threats
February 23, 2011
In 2010, CBS rebooted the classic series Hawaii Five-O. It features a fictional state police unit run by Detective Steve McGarrett and named in honor of Hawaii’s status as the 50th state. The action centers on a special task force empowered by Hawaii’s governor to investigate serious crime.
The tech guru on the show is a Detective Chin Ho Kelly (played by Daniel Dae Kim) and is shown to be adept at various forensic techniques, including…wait for it…SIEM (of all things).
In Season 1, Episode 15 (Kai e’ e) the island’s leading tsunami expert is kidnapped on the same day that ocean reports indicate that a huge tsunami is headed to Hawaii. However, Five-0 soon suspects that the report is a hoax and is related to the kidnapping.
During the investigation, Chin Ho uncovers two failed logins with the kidnapped expert’s username and a numeric password each time. This is followed by a successful login. This seems odd because the correct password is all alphabetical and totally unrelated to the numbers. Turns out the kidnapped person was trying to send a message to the cops, knowing the failed logins would get scrutiny. The clue is incomplete though, because the failed logins do not capture the originating IP address and so can’t be readily geolocated.
Its great that SIEM is now firmly entrenched in the mainstream….bodes well for our industry and for IT security.
When the bad guys attack your assets, use EventTracker to “book ‘em Danno”.
– A.N. Ananth
February 12, 2011
Randy Franklin Smith compares methods for detecting malicious activity from logs including monitoring for high impact changes, setting up tripwires and anomalous changes in activity levels. Security standards and auditors make much of reviewing logs for malicious activity. I am frequently asked what event signatures are indicative of intrusions: “What are the top Event IDs for intrusion detection?” Ah, if it was only as easy as the movies make it, where the protagonist furiously defends the network while a computer voice stridently calls out “Intruder! Intruder!”
February 07, 2011
In the spirit of the Washington Posts’ regular column, “5 Myths”, here is “a challenge everything you think you know” about SIEM/Log Management.
Driven by compliance regulation and the unending stream of security issues, the IT community, over the past few years, has accepted SIEM and Log Management as must-have technology for the data center. The Analyst community lumps a number of vendors together as SIEM and marketing departments are always in overdrive to claim any or all possible benefits or budget. Consequently some “truths” are bandied about. This misinformation affects the decision-making process so let’s look at them.
1. Price is everything…all SIEM products are roughly equal in terms of features/functions.
An August 2010 article in SC Magazine points out that “At first blush, these (SIEM solutions) looked like 11 cats in a bag” quickly followed by “But a closer look shows interesting differences in focus.” Nice save but the first thought was the products were roughly equal, and for many that was a key take-away. As so many are influenced by the Gartner Magic Quadrant, the picture is taken to mean everything separated from the detailed commentary, even though that commentary states quite explicitly to look closely at features.
Even better, look at where vendor started? Very different places it turns out, but then added the features and functionality to meet market (or marketing) needs. For example, NetForensics preaches that SIEM is really correlation; Logrhythm believes that focusing on your logs is the key to security; Tenable thinks vulnerability status is the key; Q1Labs offers network flow monitoring as the critical element; eIQ origins are as a firewall log analyzer. So, while each solution may claim “the same features”, under the hood, they each started in a certain place, and packed additional feature/functionality around their core – they continue to focus on their core as being their differentiator; adding functionality as the market demands.
Also, some SIEM vendors are software-based, while others are appliance-based, which in itself differentiates the players in the market.
All the same? Hardly.
2. Appliances are a better solution.
Can you spell groupthink? It’s a way; neither better nor worse as a technical approach; perhaps easier for resellers to carry.
When does a software-based solution win?
– Sparing. To protect your valuable IT infrastructure, you will need to calculate a 1xN relationship of live appliances to back-ups. If your appliance breaks down and you don’t have a spare, you have to ship the appliance and wait for a replacement. With software, if your device breaks down, you can simply install the software on existing capacity in your infrastructure, and be back up and running in minutes versus potentially days.
– Scalability. With an appliance solution, your SIEM solution has a floor and a ceiling. You need at least one device to get started, and it has a maximum capacity before you have to add another appliance at a high price. With a software solution, you can scale incrementally… one IT infrastructure device at a time.
– Single Sign On. Integrate easily with Active Directory or LDAP; same username/password or smartcard authentication; very attractive
– Storage. What retention period is best for your logs? Weeks? Months? Years? With appliances, its dictated by the disk size provided; with software you decide or can use network based storage
So appliances must be easier to install? Plug in the box, provide an IP and you are done? Not really – more than 99% of the configuration is local to the user.
3. Your log volumes don’t matter…disk space is cheap.
Sure…but as Defense Secretary Rumsfeld used to say $10B and $10B there and pretty soon you’re talking real money.
Logs are voluminous, a successful implementation leads to much higher log volume and terabytes add up very quickly. Compression is essential but the ability to access network based storage is even more important. The ability to backup/restore archives easily and natively to nearline or offline storage is critical.
If you consider an appliance solution, it is inherently limited in the available disk.
4. The technology is like an antivirus… just install it and forget it, and if anything is wrong, it will tell you.
Ahh, the magic bullet! Like the ad says, “Set it and forget it!” If only this were true… wishing will not make it so. There is not one single SIEM vendor that can justify saying “open the box, activate your SIEM solution in minutes, and you will be fine!” To say so, or even worse, to believe it would just be irresponsible!
If you just open the box and install it, you will only have the protection offered by the default settings. With an antivirus solution, this is possible because you have all of the virus signatures to date, and it automatically looks to the virus database to see if there are any updates, and is constantly updated as signatures are added. Too bad they cannot recognize a “Zero Day” attack when it happens, but that for now, is impossible.
With a SIEM solution, you need something you don’t need with an antivirus… you need human interaction. You need to tell the SIEM what your organization’s business rules are, define the roles and capabilities of the users, and have an expert analyst team monitor it, and adapt it to ever-changing conditions. The IT infrastructure is constantly changing, and people are needed to adjust the SIEM to meet threats, business rules, and the addition or subtraction of IT components or users.
Some vendors imply that their SIEM solution is all that is needed, and you can just plug and play. You know what the result is? Unhappy SIEM users chasing down false positives or much worse false negatives. All SIEM solutions require educated analysts to understand the information being provided, and turn it into actions. These adjustments can be simplified, but again, it takes people. If you are thinking about implementing a SIEM and forgetting about it…then fuhgeddaboutit!
5. Log Management is only meaningful if you have a compliance requirement.
Seen the recent headlines? From Stuxnet to Wikileaks to Heartland? There is a lot more to log management than merely satisfying compliance regulations. This myth exists because people are not aware of the internal and external threats that exist in this century! SIEM/Log Management solutions provide some very important benefits to your organization beyond meeting a compliance requirement.
– Security. SIEM/Log Management solutions can detect and alert you to a “Zero-Day” virus before the damage is done…something other components in your IT infrastructure can’t do. They can also alert you to brute force attacks, malware, and trojans by determining what has changed in your environment…
– Improve Efficiency. Face it! There are two many devices transmitting too many logs, and the IT staff doesn’t have the time to comb through the logs and know if they are performing the most essential tasks in the proper order. Many times order is defined by who is screaming the loudest. A SIEM/Log Management solution help to know of a potential problem sooner, can automate the log analysis, prioritize the order in which issues are addressed, improving the overall efficiency of the IT team! It is also much more efficient to perform forensic analysis to determine the cause and effect of an incident.
– Improve Network Performance. Are the servers not working properly? Are the applications going slowly? The answer is in the logs, and with a SIEM/Log Management solution, you can quickly locate the problem and fix it.
– Reduce costs. Implementing a SIEM enables organizations to reduce the number of threats both internal and external, and reduce the operating cost per device. A SIEM can dramatically reduce the number of incidents that occur within your organization, which eliminates the cost it would take to figure out what actually happened. Should an event occur, the amount of time it takes to perform the forensic analysis and fix the problem can be greatly shortened, reducing the total loss per incident.