Perimeter
2/8/2013
03:38 PM
Wendy Nather
Wendy Nather
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

SIEMs Legit

Enough picking on SIEM; what are we doing right?

You really have to be on your toes when you’re talking to the PaulDotCom crew. Not only do they come up with weird questions, they also come up with seemingly simple ones that are actually tough to answer. One of them they tossed my way was, "In the [SIEM] space, what are people doing right? What are people doing wrong?"

Putting aside the preposterousness of my telling a whole industry what they’re doing wrong with a particular technology, I thought it was time to talk about what’s going well and what does work -- well, for some definition of “work,” because the other preposterous thing is trying to declare that any security product totally defeats the APT.

What do I think are good signs of progress with security monitoring? Here are a few.

Moving up the stack. SIEMs and their associated analytics are taking on the application layer, which is extremely important because, in many cases, you can’t get enough context around events until you get up around the business layer. Even something as innocuous as a server talking to an unexpected port somewhere else may be easily explained by the application team: "Oh, we meant to do that." Or: "Wow, nobody knew that the application used that port, too. It wasn’t documented anywhere." (That never happens in real life, right?)

Bringing in more data sources. Say what you like about "Big Data" hype; it has also prompted more innovation and discussion around the other characteristics of data, such as velocity, veracity, andm most of all, variety. Advances in analytics and processing speed both mean that you can integrate more inputs, more logs, and more systems. Some products are getting good at normalizing data and being more agnostic about where it comes from.

Adding intelligence. Wait, wait, before you set off the hype alarm again. By this I mean that more companies are integrating the results of their human research, not just aggregating IP addresses and sticking reputation labels on them. More data sources also allows confidence ratings, which you can’t really do if you only have the one set of logs to work with.

More analyst-friendly work benches. SIEMs are getting better at allowing advanced users to customize reporting, play with data models, and visualize the data in different ways that can draw out previously unnoticed relationships. Thank goodness, the era of the pie chart and red-yellow-green bar graphs is almost over.

More integration and feedback channels. It’s so much better if you can take the output from a vulnerability scan, put it together with real-time data from the SIEM, and figure out which of your vulnerabilities are in the most danger of being exploited -- right now. Even better if you can show those attempts to your management; it has a wonderful way of suddenly freeing up the budget and resources that you’ve been asking for all this time.

So that’s the good news. I’ll leave the bad news as an exercise for the reader; feel free to comment below or on Twitter. Just for a moment, let’s try to bask in the glow of a little optimism.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy.

Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
2/11/2013 | 5:49:29 PM
re: SIEMs Legit
Wait, there's good news in security? ;-) Sounds like it may be time to redefine how we look at SIEM.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3154
Published: 2014-04-17
DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file conte...

CVE-2013-2143
Published: 2014-04-17
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

CVE-2014-0036
Published: 2014-04-17
The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

CVE-2014-0054
Published: 2014-04-17
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External ...

CVE-2014-0071
Published: 2014-04-17
PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections.

Best of the Web