
Can Companies Share Security Data? New Report Says Yes

Emerging standards, industry initiatives could enable enterprises to collaborate on security

May 07, 2011 | 02:09 AM

By Richard Mackey, Jr., Contributing Writer

[The following is excerpted from "Collaborative Security: Safe Ways To Share Event Info," a new report posted this week on Dark Reading's Security Monitoring Tech Center.]

In the world of cybercrime, bad guys work together. They share information; they build attacks together.

Contrast this to most companies, in which event monitoring is often a set of disjointed data streams that someone in the local security department is responsible for reviewing. There is no coordination of monitoring activities between departments, platforms, or applications, let alone across companies and countries -- the way the criminals operate.

Under the best of circumstances, the sheer complexity of security is the greatest challenge. Even when companies collect enormous streams of data, there is very little correlation of events across systems and, consequently, virtually no chance that those responsible for detecting attacks will recognize them and distill the flood of often incompatible data into actionable information.

We need what the attackers have: a growing intelligence network in which departments coordinate the kind of log information they capture, the products and mechanisms they use to consolidate events, and the methods they use to analyze them.

We have event-correlation expertise and tools ... if only we could adopt standards and practices to use them more effectively. Intrusion detection systems, security information and event management (SIEM) tools, and security monitoring services provide a constantly improving capability for recognizing anomalies and attacks. Unfortunately, they collect different data from environment to environment and thus can’t be used easily for comparison or correlation.

What are the obstacles that inhibit data sharing? Here are a few ideas, and some recommendations on what to do about them.

Obstacle #1: Lack of Event System Interoperability
One of the major difficulties in processing event information from multiple systems is the lack of an accepted standard for events. Operating systems, intrusion detection systems, firewalls, virus detection software, and all manner of applications emit events using different syntaxes, semantics, transports, and purposes. Log entries for similar events do not have the same structure, nor do they contain the same information.

This makes it difficult to recognize similar events from different types of systems. SIEM systems and event-analysis engines can’t even count on different types of devices generating a similar set of events (login or login failure, for example), making it difficult to correlate activities across devices.

There are numerous efforts to standardize event reporting, including MITRE’s Common Event Expression (CEE) project and ArcSight’s Common Event Format (CEF) initiative.

Standards for expressing and communicating event data would be an enormous step forward, but the information will be of little use if we can’t get to it and analyze it effectively. The problem is that there is no accepted standard for interfaces and protocols to extract data from the myriad SIEM products and systems that gather and store logged information.

There have been several efforts to address this, the newest of which is Open Security Intelligence, spearheaded by SenSage, which proposes standardizing the interface and protocol used to organize and manipulate event data. Open Security Intelligence establishes SQL as the language to express queries against event data stores and ODBC/JDBC as the standard interface for programs to gain access to the firewall, system, intrusion detection system, and application events that have been collected both in the native logs and in the SIEM products across the enterprise.
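To make the interoperability problem concrete, here is an added example (not code from the report or from any of the projects it names) that maps three constructed log lines in different native syntaxes (a syslog-style sshd line, an ArcSight CEF line, and a Windows 4625 logon-failure event rendered as key=value pairs by an assumed log forwarder) into one common schema and then queries them with plain SQL in a local SQLite store, in the spirit of the SQL-over-event-data approach described above. The vendor name, host names and IP addresses are constructed, and the CEF parsing ignores escaped pipe characters for brevity.

```python
"""Normalize heterogeneous login-failure events into one schema and query them with SQL."""
import re
import sqlite3

# Constructed sample events in three different native syntaxes (not real data).
SAMPLE_LOGS = [
    # Linux sshd line in syslog style
    "May  7 02:09:11 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    # ArcSight CEF line from a hypothetical VPN appliance (vendor name is made up)
    "CEF:0|ExampleVendor|VPN|1.0|100|User login failed|5|src=203.0.113.7 suser=root",
    # Windows Security event 4625 rendered as key=value by an assumed log forwarder
    "EventID=4625 Computer=DC01 TargetUserName=root IpAddress=203.0.113.7 Status=0xC000006D",
    # A successful login that should not count as a failure
    "May  7 02:10:02 bastion sshd[2240]: Accepted password for alice from 198.51.100.4 port 40000 ssh2",
]

SSHD_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
CEF_RE = re.compile(r"^CEF:\d+\|([^|]*)\|([^|]*)\|[^|]*\|[^|]*\|([^|]*)\|")
WIN_RE = re.compile(r"EventID=4625 .*TargetUserName=(\S+) IpAddress=(\S+)")


def normalize(line):
    """Map one native log line to (source_type, user, src_ip, outcome), or None if unrecognized."""
    m = SSHD_RE.search(line)
    if m:
        return ("linux-sshd", m.group(1), m.group(2), "failure")
    m = CEF_RE.match(line)
    if m:
        # CEF header is pipe-delimited; the extension (field 8) is space-separated key=value pairs
        ext = dict(kv.split("=", 1) for kv in line.split("|")[7].split())
        outcome = "failure" if "fail" in m.group(3).lower() else "success"
        return ("cef-" + m.group(2).lower(), ext.get("suser"), ext.get("src"), outcome)
    m = WIN_RE.search(line)
    if m:
        return ("windows-4625", m.group(1), m.group(2), "failure")
    return None


def failures_by_source(lines):
    """Load normalized events into SQLite; return (src_ip, system_count) for IPs that
    failed logins against more than one type of system, which no single log shows alone."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE event (source_type TEXT, user TEXT, src_ip TEXT, outcome TEXT)")
    rows = [r for r in map(normalize, lines) if r]
    db.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", rows)
    query = """SELECT src_ip, COUNT(DISTINCT source_type) AS systems
               FROM event WHERE outcome = 'failure'
               GROUP BY src_ip HAVING COUNT(DISTINCT source_type) > 1"""
    return db.execute(query).fetchall()


if __name__ == "__main__":
    print(failures_by_source(SAMPLE_LOGS))  # → [('203.0.113.7', 3)]
```

Once every source speaks the same schema, the cross-device correlation the article calls for reduces to an ordinary SQL query; the hard part, as the text says, is agreeing on the schema and the interface.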

Obstacle #2: Limited Coordinated Monitoring
In addition to the incompatibility of event and logging systems, companies typically fail to appreciate the benefits of sharing information and coordinating security between departments.

Companies expend a tremendous amount of resources on security incident activity: virus- and worm-detection analysis, incident response, log analysis, and so on. Most collect log data from a variety of sources, but the data is either never analyzed or is reviewed only in a limited context. It is common, for instance, to see Windows groups monitoring Windows events, the network group monitoring the network device events, and the database group monitoring database events.

This segregation results in redundant and incomplete security efforts, and robs companies of the ability to recognize attacks that exhibit themselves across multiple technologies and organizational boundaries.

To solve this problem, organizations must build initiatives that bridge the gaps between departments. This initiative can be pushed from the top down or the bottom up. The most straightforward way to unite event-processing efforts is to win management support. If you are in a position to get management’s attention, you can demonstrate the benefits of interdepartmental cooperation, including more effective use of limited resources and better threat detection and incident response.

Some IT organizations may opt to outsource event collection and correlation, relying on managed SIEM services to carry the burden; if the services are companywide, they can help bridge disparate departments.

Obstacle #3: Lack of Cooperation With Other Companies
Companies fear cyberattackers will bring their networks and business applications down, steal intellectual property and customer information, and lead to financial loss. To defend themselves from well-coordinated attackers, it is only logical that companies should cooperate and learn from each other's experiences.

Sharing event data that led to compromises would help them recognize the symptoms of attacks, traffic patterns that suggest intrusions, and system and application events that, if correlated, would have raised suspicions.

Companies are reluctant to share security data with their peers for many reasons, including fear of embarrassment or further compromise of sensitive information.

Yet there are many industry organizations that provide forums for discussion of security practices, and some have interest groups, including The Open Group's Security Forum, the Information Security Forum, and the Financial Services Information Sharing and Analysis Center (FS-ISAC). While these organizations can't necessarily solve our security problems, they may provide the kind of protected environment that fosters information sharing.

To find out more about how event data can be shared -- and to see detailed data on enterprise attitudes and practices in collecting event information -- download the free report.
