Connect The Log Data Dots
Effective use of SIEM tools can help spot the bad guys as they're attacking, not just investigate after the fact.

If we're to believe the movies, all it takes is a few keystrokes and, voila, those silver-screen hackers have total pwnage of their target. But this is real life. Most hackers don't look like Angelina Jolie, and breaking into a corporate or government network is a long grind.
"There's a lot of failure that precedes actual success," says Michael Maloof, CTO at TriGeo Network Security.
For companies or government agencies that are the targets of these attacks, that's a good thing. Security pros often have enough time to stop an incident before critical information is damaged or stolen--if they're vigilant enough to spot the tell-tale signs that real-world hackers leave behind. Most IT systems, particularly security software, already gather large amounts of data and compile it into system logs that can offer valuable clues about activity in the infrastructure to those who know how to decipher the data. But, of course, in real life, there's always a catch.
In this case, the logs produce so much data, scattered across so many systems in the company, that going through it all and connecting the dots can quickly become overwhelming. To get the most out of their logs and respond to threats effectively, IT organizations must manage the logs efficiently and correlate the data using a range of best practices and security information and event management (SIEM) tools. SIEM tools use advanced algorithms to analyze the avalanche of data coming from different devices, making it possible to see the patterns in how users and machines usually interact with the infrastructure and so pinpoint unusual behavior.
"In and of itself, a log-on failure is a meaningless event, no one cares about it--but 50 of them in 30 seconds at three in the morning trying to get onto a critical server, now that should get your attention," Maloof says. Hackers generate a lot of activity as they try to gain control, and IT will be completely oblivious to it if it isn't monitoring, preferably in real time and with tools that can correlate the activity, he says.
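The kind of correlation rule Maloof describes, written out as an added example (not code from the article or any vendor's product): a sliding-window count of failed logons per host and source, flagged when it crosses a threshold, with the critical-asset and off-hours context attached to the alert. The host names, addresses, log format and threshold values are constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re
CRITICAL_HOSTS = {"db-prod-01"}   # assumed asset inventory (constructed)
THRESHOLD, WINDOW = 50, timedelta(seconds=30)   # "50 of them in 30 seconds"
OFF_HOURS = range(0, 6)           # 00:00-05:59 counts as off-hours

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse(line):
    """Return a dict for a syslog-style failed-logon line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "user": m["user"], "src": m["src"]}

def correlate(lines):
    """Sliding-window count of failures per (host, source); one alert per burst."""
    windows, alerted, alerts = defaultdict(deque), set(), []
    for ev in filter(None, map(parse, lines)):
        key = (ev["host"], ev["src"])
        q = windows[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:   # drop events older than the window
            q.popleft()
        if len(q) >= THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({"host": ev["host"], "src": ev["src"], "count": len(q),
                           "critical": ev["host"] in CRITICAL_HOSTS,
                           "off_hours": ev["ts"].hour in OFF_HOURS})
    return alerts

def sample_lines():
    """Constructed input: 60 failures in 24 s at 03:00 against the critical DB host,
    plus 3 isolated failures on a workstation that must not alert."""
    base = datetime(2011, 3, 14, 3, 0, 0)
    stamp = lambda d: d.isoformat(timespec="seconds")
    lines = [f"{stamp(base + timedelta(milliseconds=400 * i))} db-prod-01 sshd[812]: "
             f"Failed password for root from 203.0.113.7" for i in range(60)]
    lines += [f"{stamp(base + timedelta(hours=7, minutes=i))} ws-42 sshd[77]: "
              f"Failed password for invalid user bob from 192.0.2.5" for i in range(3)]
    return lines

if __name__ == "__main__":
    print(correlate(sample_lines()))
```

A real SIEM adds the missing pieces: time normalization across sources, a deduplicated alert once per burst rather than per event, and enrichment from the asset inventory so the "critical server at three in the morning" case is escalated automatically.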
Use Compliance Dollars For Real Security
If effective log management were easy, everyone would be doing it. But that's not the case. Though most companies have log systems, less than a quarter of the IT market is doing a good job monitoring them, estimates John Burnham, VP of marketing at SIEM vendor Q1 Labs.
SIEM tools originally were developed to provide actionable information to protect critical infrastructure--particularly in government settings. Now regulators in many industries mandate their use. Unfortunately, most organizations don't do much more than what's required to prove that the logs have been collected, stored, and verified. In the scramble to comply, they forget the original intent of logging--security.
But since these systems are needed for compliance, they tend to be adequately funded. And now, the smartest companies are using this software for prevention, by monitoring in real time what's hitting networks, rather than just for after-the-fact, forensic analysis.
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.