In the world of cybercrime, bad guys work together. They share information; they build attacks together.
Contrast this to most companies, in which event monitoring is often a set of disjointed data streams that someone in the local security department is responsible for reviewing. There is no coordination of monitoring activities between departments, platforms, or applications, let alone across companies and countries -- the way the criminals operate.
Under the best of circumstances, the sheer complexity of security is the greatest challenge. Even when companies collect enormous streams of data, there is very little correlation of events across systems and, consequently, virtually no chance that those responsible for detecting attacks will recognize them and distill the flood of often incompatible data into actionable information.
We need what the attackers have: a growing intelligence network in which departments coordinate the kind of log information they capture, the products and mechanisms they use to consolidate events, and the methods they use to analyze them.
We have event-correlation expertise and tools ... if only we could adopt standards and practices to use them more effectively. Intrusion detection systems, security information and event management (SIEM) tools, and security monitoring services provide a constantly improving capability for recognizing anomalies and attacks. Unfortunately, they collect different data from environment to environment and thus can’t be used easily for comparison or correlation.
What are the obstacles that inhibit data sharing? Here are a few ideas, and some recommendations on what to do about them.
Obstacle #1: Lack of Event System Interoperability
One of the major difficulties in processing event information from multiple systems is the lack of an accepted standard for events. Operating systems, intrusion detection systems, firewalls, virus detection software, and all manner of applications emit events using different syntaxes, semantics, transports, and purposes. Log entries for similar events do not have the same structure, nor do they contain the same information.
This makes it difficult to recognize similar events from different types of systems. SIEM systems and event-analysis engines can’t even count on different types of devices generating a similar set of events (login or login failure, for example), making it difficult to correlate activities across devices.
There are numerous efforts to standardize event reporting, including MITRE’s Common Event Expression (CEE) project and ArcSight’s Common Event Format (CEF) initiative.
Standards for expressing and communicating event data would be an enormous step forward, but the information will be of little use if we can’t get to it and analyze it effectively. The problem is that there is no accepted standard for interfaces and protocols to extract data from the myriad SIEM products and systems that gather and store logged information.
There have been several efforts to address this, the newest of which is Open Security Intelligence, spearheaded by SenSage, which proposes standardizing the interface and protocol used to organize and manipulate event data. Open Security Intelligence establishes SQL as the language to express queries against event data stores and ODBC/JDBC as the standard interface for programs to gain access to the firewall, system, intrusion detection system, and application events that have been collected both in the native logs and in the SIEM products across the enterprise.
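The two obstacles described above (no common event structure, and no common query interface) can be illustrated together. The following added example (not part of the article, and not code from CEE, CEF, or Open Security Intelligence) normalizes constructed sample log lines from three unrelated sources into one small schema and then uses SQL, as the article proposes, to correlate login failures across source types; the field names and the `auth_event` table are assumptions of the example.

```python
import json
import re
import sqlite3

# Constructed sample log lines from three source types (not from the article).
SAMPLE_LOGS = [
    ("windows", "2024-03-01T08:00:01Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 Status=0xC000006D"),
    ("sshd",    "Mar  1 08:00:03 host1 sshd[812]: Failed password for alice from 10.0.0.5 port 51022 ssh2"),
    ("webapp",  '{"ts":"2024-03-01T08:00:05Z","event":"login_failed","user":"alice","src":"10.0.0.5"}'),
    ("sshd",    "Mar  1 08:00:09 host1 sshd[813]: Accepted password for bob from 10.0.0.9 port 51030 ssh2"),
]

WIN_RE = re.compile(r"EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)")
SSH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def normalize(source, line):
    """Map one raw line into the assumed common schema (source, outcome, user, src_ip).
    Returns None for lines that are not authentication events."""
    if source == "windows":
        m = WIN_RE.search(line)
        if not m:
            return None
        # 4624 = logon success, 4625 = logon failure in the Windows Security log
        outcome = {"4624": "success", "4625": "failure"}.get(m.group(1))
        return (source, outcome, m.group(2), m.group(3)) if outcome else None
    if source == "sshd":
        m = SSH_RE.search(line)
        if not m:
            return None
        return (source, "failure" if m.group(1) == "Failed" else "success", m.group(2), m.group(3))
    if source == "webapp":
        rec = json.loads(line)
        if not rec.get("event", "").startswith("login"):
            return None
        return (source, "failure" if rec["event"] == "login_failed" else "success", rec["user"], rec["src"])
    return None

def failed_logins_across_sources(logs, min_sources=2):
    """Load normalized events into an in-memory SQL store and return
    (user, src_ip, distinct_sources, failures) for every user/IP pair whose
    login failures appear in at least `min_sources` different source types."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE auth_event (source TEXT, outcome TEXT, user TEXT, src_ip TEXT)")
    rows = [r for r in (normalize(s, l) for s, l in logs) if r]
    con.executemany("INSERT INTO auth_event VALUES (?, ?, ?, ?)", rows)
    return con.execute(
        "SELECT user, src_ip, COUNT(DISTINCT source), COUNT(*) FROM auth_event "
        "WHERE outcome = 'failure' GROUP BY user, src_ip "
        "HAVING COUNT(DISTINCT source) >= ? ORDER BY user", (min_sources,)).fetchall()
```

Each source alone shows only an isolated failed login; only after normalization does the single SQL query reveal the same user and address failing across all three.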
Obstacle #2: Limited Coordinated Monitoring
In addition to the incompatibility of event and logging systems, companies typically fail to appreciate the benefits of sharing information and coordinating security between departments.
Companies expend a tremendous amount of resources on security incident activity: virus- and worm-detection analysis, incident response, log analysis, and so on. Most collect log data from a variety of sources, but the data is either never analyzed or is reviewed only in a limited context. It is common, for instance, to see Windows groups monitoring Windows events, the network group monitoring the network device events, and the database group monitoring database events.
This segregation results in redundant and incomplete security efforts, and robs companies of the ability to recognize attacks that exhibit themselves across multiple technologies and organizational boundaries.
To solve this problem, organizations must build initiatives that bridge the gaps between departments. This initiative can be pushed from the top down or the bottom up. The most straightforward way to unite event-processing efforts is to win management support. If you are in a position to get management’s attention, you can demonstrate the benefits of interdepartmental cooperation, including more effective use of limited resources and better threat detection and incident response.
Some IT organizations may opt to outsource event collection and correlation, relying on managed SIEM services to carry the burden; if the services are companywide, they can help bridge disparate departments.
Obstacle #3: Lack of Cooperation With Other Companies
Companies fear cyberattackers will bring their networks and business applications down, steal intellectual property and customer information, and lead to financial loss. To defend themselves from well-coordinated attackers, it is only logical that companies should cooperate and learn from each other's experiences.
Sharing event data that led to compromises would help them recognize the symptoms of attacks, traffic patterns that suggest intrusions, and system and application events that, if correlated, would have raised suspicions.
Companies are reluctant to share security data with their peers for many reasons, including fear of embarrassment or further compromise of sensitive information.
Yet there are many industry organizations that provide forums for discussion of security practices, and some have interest groups, including The Open Group's Security Forum, the Information Security Forum, and the Financial Services Information Sharing and Analysis Center (FS-ISAC). While these organizations can't necessarily solve our security problems, they may provide the kind of protected environment needed to foster information sharing.
To find out more about how event data can be shared, and to see detailed data on enterprise attitudes and practices in collecting event information, download the free report.