Perimeter
2/8/2013
03:38 PM
Wendy Nather
Wendy Nather
Commentary
Connect Directly
RSS
E-Mail
50%
50%

SIEMs Legit

Enough picking on SIEM; what are we doing right?

You really have to be on your toes when you’re talking to the PaulDotCom crew. Not only do they come up with weird questions, they also come up with seemingly simple ones that are actually tough to answer. One of them they tossed my way was, "In the [SIEM] space, what are people doing right? What are people doing wrong?"

Putting aside the preposterousness of my telling a whole industry what they’re doing wrong with a particular technology, I thought it was time to talk about what’s going well and what does work -- well, for some definition of “work,” because the other preposterous thing is trying to declare that any security product totally defeats the APT.

What do I think are good signs of progress with security monitoring? Here are a few.

Moving up the stack. SIEMs and their associated analytics are taking on the application layer, which is extremely important because, in many cases, you can’t get enough context around events until you get up around the business layer. Even something as innocuous as a server talking to an unexpected port somewhere else may be easily explained by the application team: "Oh, we meant to do that." Or: "Wow, nobody knew that the application used that port, too. It wasn’t documented anywhere." (That never happens in real life, right?)

Bringing in more data sources. Say what you like about "Big Data" hype; it has also prompted more innovation and discussion around the other characteristics of data, such as velocity, veracity, andm most of all, variety. Advances in analytics and processing speed both mean that you can integrate more inputs, more logs, and more systems. Some products are getting good at normalizing data and being more agnostic about where it comes from.

Adding intelligence. Wait, wait, before you set off the hype alarm again. By this I mean that more companies are integrating the results of their human research, not just aggregating IP addresses and sticking reputation labels on them. More data sources also allows confidence ratings, which you can’t really do if you only have the one set of logs to work with.

More analyst-friendly work benches. SIEMs are getting better at allowing advanced users to customize reporting, play with data models, and visualize the data in different ways that can draw out previously unnoticed relationships. Thank goodness, the era of the pie chart and red-yellow-green bar graphs is almost over.

More integration and feedback channels. It’s so much better if you can take the output from a vulnerability scan, put it together with real-time data from the SIEM, and figure out which of your vulnerabilities are in the most danger of being exploited -- right now. Even better if you can show those attempts to your management; it has a wonderful way of suddenly freeing up the budget and resources that you’ve been asking for all this time.

So that’s the good news. I’ll leave the bad news as an exercise for the reader; feel free to comment below or on Twitter. Just for a moment, let’s try to bask in the glow of a little optimism.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy.

Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
2/11/2013 | 5:49:29 PM
re: SIEMs Legit
Wait, there's good news in security? ;-) Sounds like it may be time to redefine how we look at SIEM.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-4448
Published: 2014-10-22
House Arrest in Apple iOS before 8.1 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information from a Documents directory by obtaining this UID.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.