Perimeter
2/8/2013
03:38 PM
Wendy Nather
Wendy Nather
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

SIEMs Legit

Enough picking on SIEM; what are we doing right?

You really have to be on your toes when you’re talking to the PaulDotCom crew. Not only do they come up with weird questions, they also come up with seemingly simple ones that are actually tough to answer. One of them they tossed my way was, "In the [SIEM] space, what are people doing right? What are people doing wrong?"

Putting aside the preposterousness of my telling a whole industry what they’re doing wrong with a particular technology, I thought it was time to talk about what’s going well and what does work -- well, for some definition of “work,” because the other preposterous thing is trying to declare that any security product totally defeats the APT.

What do I think are good signs of progress with security monitoring? Here are a few.

Moving up the stack. SIEMs and their associated analytics are taking on the application layer, which is extremely important because, in many cases, you can’t get enough context around events until you get up around the business layer. Even something as innocuous as a server talking to an unexpected port somewhere else may be easily explained by the application team: "Oh, we meant to do that." Or: "Wow, nobody knew that the application used that port, too. It wasn’t documented anywhere." (That never happens in real life, right?)

Bringing in more data sources. Say what you like about "Big Data" hype; it has also prompted more innovation and discussion around the other characteristics of data, such as velocity, veracity, andm most of all, variety. Advances in analytics and processing speed both mean that you can integrate more inputs, more logs, and more systems. Some products are getting good at normalizing data and being more agnostic about where it comes from.

Adding intelligence. Wait, wait, before you set off the hype alarm again. By this I mean that more companies are integrating the results of their human research, not just aggregating IP addresses and sticking reputation labels on them. More data sources also allows confidence ratings, which you can’t really do if you only have the one set of logs to work with.

More analyst-friendly work benches. SIEMs are getting better at allowing advanced users to customize reporting, play with data models, and visualize the data in different ways that can draw out previously unnoticed relationships. Thank goodness, the era of the pie chart and red-yellow-green bar graphs is almost over.

More integration and feedback channels. It’s so much better if you can take the output from a vulnerability scan, put it together with real-time data from the SIEM, and figure out which of your vulnerabilities are in the most danger of being exploited -- right now. Even better if you can show those attempts to your management; it has a wonderful way of suddenly freeing up the budget and resources that you’ve been asking for all this time.

So that’s the good news. I’ll leave the bad news as an exercise for the reader; feel free to comment below or on Twitter. Just for a moment, let’s try to bask in the glow of a little optimism.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy.

Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
2/11/2013 | 5:49:29 PM
re: SIEMs Legit
Wait, there's good news in security? ;-) Sounds like it may be time to redefine how we look at SIEM.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

CVE-2014-2392
Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

Best of the Web