Perimeter
2/8/2013
03:38 PM
Wendy Nather
Wendy Nather
Commentary
Connect Directly
RSS
E-Mail
50%
50%

SIEMs Legit

Enough picking on SIEM; what are we doing right?

You really have to be on your toes when you’re talking to the PaulDotCom crew. Not only do they come up with weird questions, they also come up with seemingly simple ones that are actually tough to answer. One of them they tossed my way was, "In the [SIEM] space, what are people doing right? What are people doing wrong?"

Putting aside the preposterousness of my telling a whole industry what they’re doing wrong with a particular technology, I thought it was time to talk about what’s going well and what does work -- well, for some definition of “work,” because the other preposterous thing is trying to declare that any security product totally defeats the APT.

What do I think are good signs of progress with security monitoring? Here are a few.

Moving up the stack. SIEMs and their associated analytics are taking on the application layer, which is extremely important because, in many cases, you can’t get enough context around events until you get up around the business layer. Even something as innocuous as a server talking to an unexpected port somewhere else may be easily explained by the application team: "Oh, we meant to do that." Or: "Wow, nobody knew that the application used that port, too. It wasn’t documented anywhere." (That never happens in real life, right?)

Bringing in more data sources. Say what you like about "Big Data" hype; it has also prompted more innovation and discussion around the other characteristics of data, such as velocity, veracity, andm most of all, variety. Advances in analytics and processing speed both mean that you can integrate more inputs, more logs, and more systems. Some products are getting good at normalizing data and being more agnostic about where it comes from.

Adding intelligence. Wait, wait, before you set off the hype alarm again. By this I mean that more companies are integrating the results of their human research, not just aggregating IP addresses and sticking reputation labels on them. More data sources also allows confidence ratings, which you can’t really do if you only have the one set of logs to work with.

More analyst-friendly work benches. SIEMs are getting better at allowing advanced users to customize reporting, play with data models, and visualize the data in different ways that can draw out previously unnoticed relationships. Thank goodness, the era of the pie chart and red-yellow-green bar graphs is almost over.

More integration and feedback channels. It’s so much better if you can take the output from a vulnerability scan, put it together with real-time data from the SIEM, and figure out which of your vulnerabilities are in the most danger of being exploited -- right now. Even better if you can show those attempts to your management; it has a wonderful way of suddenly freeing up the budget and resources that you’ve been asking for all this time.

So that’s the good news. I’ll leave the bad news as an exercise for the reader; feel free to comment below or on Twitter. Just for a moment, let’s try to bask in the glow of a little optimism.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy.

Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
2/11/2013 | 5:49:29 PM
re: SIEMs Legit
Wait, there's good news in security? ;-) Sounds like it may be time to redefine how we look at SIEM.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4725
Published: 2014-07-27
The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/.

CVE-2014-4726
Published: 2014-07-27
Unspecified vulnerability in the MailPoet Newsletters (wysija-newsletters) plugin before 2.6.8 for WordPress has unspecified impact and attack vectors.

CVE-2014-2363
Published: 2014-07-26
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

CVE-2014-2625
Published: 2014-07-26
Directory traversal vulnerability in the storedNtxFile function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to read arbitrary files via crafted input, aka ZDI-CAN-2023.

CVE-2014-2626
Published: 2014-07-26
Directory traversal vulnerability in the toServerObject function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to create files, and consequently execute arbitrary code, via crafted input, aka ZDI-CAN-2024.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.