Perimeter
2/8/2013
03:38 PM
Wendy Nather
Wendy Nather
Commentary
50%
50%

SIEMs Legit

Enough picking on SIEM; what are we doing right?

You really have to be on your toes when you’re talking to the PaulDotCom crew. Not only do they come up with weird questions, they also come up with seemingly simple ones that are actually tough to answer. One of them they tossed my way was, "In the [SIEM] space, what are people doing right? What are people doing wrong?"

Putting aside the preposterousness of my telling a whole industry what they’re doing wrong with a particular technology, I thought it was time to talk about what’s going well and what does work -- well, for some definition of “work,” because the other preposterous thing is trying to declare that any security product totally defeats the APT.

What do I think are good signs of progress with security monitoring? Here are a few.

Moving up the stack. SIEMs and their associated analytics are taking on the application layer, which is extremely important because, in many cases, you can’t get enough context around events until you get up around the business layer. Even something as innocuous as a server talking to an unexpected port somewhere else may be easily explained by the application team: "Oh, we meant to do that." Or: "Wow, nobody knew that the application used that port, too. It wasn’t documented anywhere." (That never happens in real life, right?)

Bringing in more data sources. Say what you like about "Big Data" hype; it has also prompted more innovation and discussion around the other characteristics of data, such as velocity, veracity, andm most of all, variety. Advances in analytics and processing speed both mean that you can integrate more inputs, more logs, and more systems. Some products are getting good at normalizing data and being more agnostic about where it comes from.

Adding intelligence. Wait, wait, before you set off the hype alarm again. By this I mean that more companies are integrating the results of their human research, not just aggregating IP addresses and sticking reputation labels on them. More data sources also allows confidence ratings, which you can’t really do if you only have the one set of logs to work with.

More analyst-friendly work benches. SIEMs are getting better at allowing advanced users to customize reporting, play with data models, and visualize the data in different ways that can draw out previously unnoticed relationships. Thank goodness, the era of the pie chart and red-yellow-green bar graphs is almost over.

More integration and feedback channels. It’s so much better if you can take the output from a vulnerability scan, put it together with real-time data from the SIEM, and figure out which of your vulnerabilities are in the most danger of being exploited -- right now. Even better if you can show those attempts to your management; it has a wonderful way of suddenly freeing up the budget and resources that you’ve been asking for all this time.

So that’s the good news. I’ll leave the bad news as an exercise for the reader; feel free to comment below or on Twitter. Just for a moment, let’s try to bask in the glow of a little optimism.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy.

Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
2/11/2013 | 5:49:29 PM
re: SIEMs Legit
Wait, there's good news in security? ;-) Sounds like it may be time to redefine how we look at SIEM.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0750
Published: 2015-05-22
The administrative web interface in Cisco Hosted Collaboration Solution (HCS) 10.6(1) and earlier allows remote authenticated users to execute arbitrary commands via crafted input to unspecified fields, aka Bug ID CSCut02786.

CVE-2012-1978
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Simple PHP Agenda 2.2.8 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator via a request to auth/process.php, (2) delete an administrator via a request to auth/admi...

CVE-2015-0741
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Prime Central for Hosted Collaboration Solution (PC4HCS) 10.6(1) and earlier allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCut04596.

CVE-2015-0742
Published: 2015-05-21
The Protocol Independent Multicast (PIM) application in Cisco Adaptive Security Appliance (ASA) Software 9.2(0.0), 9.2(0.104), 9.2(3.1), 9.2(3.4), 9.3(1.105), 9.3(2.100), 9.4(0.115), 100.13(0.21), 100.13(20.3), 100.13(21.9), and 100.14(1.1) does not properly implement multicast-forwarding registrati...

CVE-2015-0746
Published: 2015-05-21
The REST API in Cisco Access Control Server (ACS) 5.5(0.46.2) allows remote attackers to cause a denial of service (API outage) by sending many requests, aka Bug ID CSCut62022.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.