SIEM: the Answer to Awkward Security Questions
by Nick Lowe - director of Northern Europe for Check Point - Thursday, 8 January 2009.
What's the one security question that you don't want to be asked about your company? I believe it's the same question that Her Majesty the Queen raised when she visited the London School of Economics in November 2008. Describing the global credit crunch as "awful", she asked an LSE professor: "Why did nobody notice what was happening?" Caught off-guard, the professor replied, "Someone was relying on somebody else..."

This exchange neatly sums up a key IT security problem. Companies have to rely on staff to observe reasonable security practice, on partners not to pass on malware, and so on. Just like the financial markets, a big part of security is trust. But when that trust is undermined, things fall apart rapidly. And the problem is, it's very hard to spot the clues that show when trust has been breached, and a security threat is emerging.

Drowning in data

Why is this? Because complex networks and security deployments throw out gigabytes of log data every day. Although security systems such as IPS, IDS, firewalls and anti-virus are vital, they also create problems by generating false-positive alerts, which often hide emerging threats from the IT team.

A recent IBM survey of 700 European IT managers highlighted the scale of the issue. Over 45% received more than 4,000 security events per second. This volume of data swamps IT teams, and makes it almost impossible to prioritise potential threats.

Perhaps the most critical issue is delayed action. These events take time to sort through - time that can be exploited by REAL security threats. And before you know it, you could have business partners, customers or shareholders asking: "Why didn't you notice what was happening?"

Filtering false positives

So what causes false positives? The biggest cause is insufficient alert context. Firewalls and intrusion systems don't understand the business importance and vulnerabilities of all systems within the organisation. For example, an attempted malware infection of a web server may be reported as a high-priority event by the firewall, even if the server has already been patched against it. Understanding and prioritising reported activities in context is the ultimate aim of security management: a genuine threat generates an alert, while an event that presents no risk does not need to reach the IT team at all. This gives the IT team the ability to filter out the noise and focus on real threats.

Putting it in perspective

How do you contextualise threats, and filter out the extraneous noise from networks? This is where Security Information and Event Management (SIEM) solutions come in. A SIEM solution automates the collection, correlation and contextualisation of security log data and events, which puts what's happening on the network into perspective - removing the irrelevant noise, and enabling focus on the important events. This makes management easier, and frees up time for the IT team. Let's look at a real-life SIEM deployment.
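The contextualisation and correlation steps described in the two sections above, as an added example that is not part of the article or any vendor's product: the asset inventory, the sample alerts and the priority rule (vendor severity multiplied by business criticality, zeroed when the target is already patched) are constructed assumptions for illustration.

```python
"""Contextualising sensor alerts against an asset inventory.
Added example, not the article's or any vendor's code: alerts,
inventory and scoring rule are constructed assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    criticality: int       # assumed scale: 1 (low) to 3 (business-critical)
    patched: frozenset     # vulnerability ids this host is already patched against

# Constructed inventory, keyed by host address.
ASSETS = {
    "10.0.1.10": Asset(3, frozenset({"VULN-WEB-01"})),  # patched web server
    "10.0.1.11": Asset(3, frozenset()),                 # unpatched web server
    "10.0.5.20": Asset(1, frozenset()),                 # low-value dev box
}

# Constructed raw alerts as a firewall/IDS would emit them (vendor severity 1-5).
ALERTS = [
    {"src": "198.51.100.7", "dst": "10.0.1.10", "sig": "web-exploit", "vuln": "VULN-WEB-01", "sev": 5},
    {"src": "198.51.100.7", "dst": "10.0.1.11", "sig": "web-exploit", "vuln": "VULN-WEB-01", "sev": 5},
    {"src": "203.0.113.9", "dst": "10.0.5.20", "sig": "port-scan", "vuln": None, "sev": 3},
    {"src": "203.0.113.9", "dst": "10.0.1.11", "sig": "port-scan", "vuln": None, "sev": 3},
]

def contextualise(alert, assets):
    """Return (priority, reason); priority 0 means the alert is noise."""
    asset = assets.get(alert["dst"])
    if asset is None:
        return 1, "target not in inventory: needs an asset record, not an incident"
    if alert["vuln"] and alert["vuln"] in asset.patched:
        return 0, f"{alert['dst']} is already patched against {alert['vuln']}"
    return alert["sev"] * asset.criticality, "unpatched exposure on a known asset"

def prioritise(alerts, assets):
    """Score every alert in context; return (priority, reason, alert) tuples, highest first."""
    scored = [(*contextualise(a, assets), a) for a in alerts]
    return sorted(scored, key=lambda s: s[0], reverse=True)

def correlate_sources(alerts, min_targets=2):
    """Correlation step: one source touching several internal hosts is one story, not N alerts."""
    targets = {}
    for a in alerts:
        targets.setdefault(a["src"], set()).add(a["dst"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    for prio, reason, alert in prioritise(ALERTS, ASSETS):
        print(prio, alert["sig"], alert["dst"], "-", reason)
    print("sources hitting several hosts:", correlate_sources(ALERTS))
```

Run as a script, the same "web-exploit" signature lands at priority 15 against the unpatched server and at 0 against the patched one, which is exactly the context the sensor alone lacks.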

Copyright 1998-2014 by Help Net Security.