9/20/2012
04:30 PM

RSA Report Offers A Blueprint For Next-Generation SIEM

New report co-authored by RSA, CSC, Terremark, and Verizon calls for a "big data"-driven early warning system

Traditional security information and event management (SIEM) systems just don't cut it anymore against the kinds of persistent attacks many enterprises face every day.

That's not to say all SIEM systems are trapped in time as gatherers of forensic data: some SIEM and log management systems are now beginning to detect attacks in real time, and SIEM is gradually evolving into a real-time analysis and alarm technology, security experts say.

This next-generation SIEM is the subject of a new report sponsored by RSA and co-written by CSC, RSA, Terremark, and Verizon, called "Transforming Traditional Security Strategies into an Early Warning System for Advanced Threats." And one of the key ingredients for this new SIEM model is so-called "big data" analytics, where threat detection capabilities come from reams of information from various sources analyzing behavioral and other trends rather than old-school signature-based technology.

SIEM needs to add "pervasive" visibility via network packet capture and session reconstruction, the report says, along with analytics that drill down into risk specific to an organization and compare behaviors; scalability; and a centralized repository for security data.

Eddie Schwartz, vice president and CISO, RSA, the security division of EMC, says it's all about taking the best of SIEM – such as correlation and handling large amounts of data – and combining that with features such as contextual analysis, and external threat intelligence, which NetWitness offers, for example. "This mirrors the move we have been making from technology at RSA ... that addresses the ongoing benefits of SIEM, with big data on the back-end, and unifying security management on the front-end with a console that brings together capabilities of investigating, correlation, and malware analysis," he says.

The report calls for next-generation SIEM visibility that can fully reconstruct activity on the network or systems in order to better identify malware, track an attacker's movements once inside, and confirm that malicious activity is under way.

Also, SIEM systems should be able to gather and use data from various sources to detect advanced attacks. "For example, security analytics systems should search for behavior patterns and risk factors, not just static rules and known signatures. Security analytics systems should also consider the relative value of enterprise assets at risk, flagging events associated with high-value assets," the report says.
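As an added illustration of the behavior-plus-asset-value approach the report describes (this is not code from the report or from any vendor named in the article), the toy analytic below scores each event by how far it departs from the user's own baseline and weights that score by the criticality of the asset involved; the baseline history, asset values and event records are all constructed.

```python
# Added example, not from the RSA/CSC/Terremark/Verizon report: score events
# by behavioural deviation from a per-user baseline, weighted by asset value,
# rather than by matching static signatures. All data below is constructed.
from statistics import mean, pstdev

# Constructed asset criticality (1 = low, 5 = high), keyed by host name.
ASSET_VALUE = {"web-01": 2, "hr-db-01": 5, "dev-box-07": 1}

# Constructed baseline: past outbound transfer sizes (bytes) per user.
BASELINE = {
    "alice": [1200, 1500, 900, 1300, 1100, 1400],
    "bob": [50000, 48000, 52000, 51000, 49000, 50500],
}

# Constructed new events: (user, host, bytes_out).
EVENTS = [
    ("alice", "hr-db-01", 950000),   # large pull from a high-value host
    ("bob", "web-01", 51000),        # normal volume for bob
    ("alice", "dev-box-07", 1250),   # normal volume for alice
]


def zscore(value, history):
    """Standard score of value against the user's own history."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def score_event(user, host, bytes_out):
    """Risk score = positive behavioural deviation x asset criticality."""
    history = BASELINE.get(user, [bytes_out])  # unknown user: no deviation
    deviation = max(zscore(bytes_out, history), 0.0)
    return round(deviation * ASSET_VALUE.get(host, 1), 2)


def flag_events(events, threshold=10.0):
    """Return (user, host, score) for events whose weighted score exceeds threshold."""
    flagged = []
    for user, host, bytes_out in events:
        score = score_event(user, host, bytes_out)
        if score > threshold:
            flagged.append((user, host, score))
    return flagged


if __name__ == "__main__":
    for hit in flag_events(EVENTS):
        print("FLAG user=%s host=%s score=%.2f" % hit)
```

The same 51,000-byte transfer that is routine for bob would be flagged for alice, and the weighting means a modest anomaly on the HR database outranks a larger one on a throwaway dev box.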

So these tools need to be able to scale well. "Security analytics platforms must include features such as a distributed n-tier storage architecture and an analytics engine that normalizes and processes large, disparate data sets at very high speed. Data storage and analytics must scale together linearly," the report says.

They also should be able to automatically integrate threat intelligence from various sources in a centralized way, according to the report.

"Breaches aren't really smash-and-grab anymore. The vast majority of breach and compromise cases last year occurred over a period of months. Our experience shows it's more valuable to get a complete view of what happened over the long haul and take mitigation steps than to get a near real-time analysis of events," says Jonathan Nguyen-Duy, director of global security services at Verizon Business, who co-authored the report.

The full SIEM security brief is available here for download (PDF).

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...

Comments
JCharles,
User Rank: Apprentice
1/25/2013 | 3:39:35 PM
re: RSA Report Offers A Blueprint For Next-Generation SIEM
So the future of the SIEM is... the Big Data SIEM. Well, such solutions are already out there, like Secnology. But hire a Security Expert, because the magic box or software aren't.