Dark Reading

Analytics

4/8/2011 11:15 AM
Connect The Log Data Dots

Effective use of SIEM tools can help spot the bad guys as they’re attacking, not just investigate after the fact.

If we're to believe the movies, all it takes is a few keystrokes and, voila, those silver-screen hackers have total pwnage of their target. But this is real life. Most hackers don't look like Angelina Jolie and breaking into a corporate or government network is a long grind.

"There's a lot of failure that precedes actual success," says Michael Maloof, CTO at TriGeo Network Security.

For companies or government agencies that are the targets of these attacks, that's a good thing. Security pros often have enough time to stop an incident before critical information is damaged or stolen--if they're vigilant enough to spot the tell-tale signs that real-world hackers leave behind. Most IT systems, particularly security software, already gather large amounts of data and compile it into system logs that can offer valuable clues about activity in the infrastructure to those who know how to decipher the data. But, of course, in real life, there's always a catch.

In this case, the logs produce so much data, and it's so scattered around the company, that the task of going through it all and connecting the dots can quickly become overwhelming. To get the most out of their logs and respond effectively to threats, IT organizations must manage the logs efficiently and correlate the data using a range of best practices and security information and event management (SIEM) tools. SIEM tools use advanced algorithms to analyze the avalanche of data coming from different devices, making it possible to see patterns in the way users and machines usually interact with the infrastructure and so pinpoint unusual behavior.

"In and of itself, a log-on failure is a meaningless event, no one cares about it--but 50 of them in 30 seconds at three in the morning trying to get onto a critical server, now that should get your attention," Maloof says. Hackers generate a lot of activity as they try to gain control, and IT will be completely oblivious to it if it isn't monitoring, preferably in real time and with tools that can correlate the activity, he says.
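The correlation rule Maloof describes, a burst of logon failures against a critical server at an odd hour, is what a SIEM turns a stream of individually meaningless events into. The following Python is an added illustration of that idea, not code from the article or from TriGeo or any SIEM product: it parses constructed key=value log lines (the format, host names and addresses are assumptions), keeps a sliding window of failures per source/target pair, and raises one alert when the count inside the window crosses the threshold, scoring it higher when the target is a critical host or the burst falls outside business hours.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real product's output):
#   <ISO timestamp> host=<target> user=<account> src=<source ip> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bursts(events, threshold=50, window=timedelta(seconds=30),
                  critical_hosts=frozenset()):
    """Sliding-window correlation: alert once per (src, host) pair when the
    number of FAIL results inside `window` reaches `threshold`."""
    windows = defaultdict(deque)   # (src, host) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "FAIL":
            continue
        key = (ev["src"], ev["host"])
        q = windows[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            off_hours = ev["ts"].hour < 6 or ev["ts"].hour >= 22
            critical = ev["host"] in critical_hosts
            # Severity is a simple combination of the two context signals the article names.
            severity = ("critical" if critical and off_hours
                        else "high" if critical or off_hours
                        else "medium")
            alerts.append({"src": ev["src"], "host": ev["host"], "count": len(q),
                           "first": q[0], "last": ev["ts"],
                           "off_hours": off_hours, "severity": severity})
    return alerts


def run_detection(log_text, **kwargs):
    """Parse raw log text and run the burst detector over it."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return detect_bursts(events, **kwargs)


def build_sample_log():
    """Constructed sample data: one 3 a.m. burst against a critical server,
    a few scattered daytime failures, and a slow one-per-minute drip that a
    30-second window should not flag."""
    lines = []
    t0 = datetime(2011, 4, 8, 3, 0, 0)
    for i in range(50):                                  # 50 failures in 25 seconds
        ts = (t0 + timedelta(seconds=i * 0.5)).isoformat()
        lines.append(f"{ts} host=db-prod-01 user=admin src=203.0.113.7 result=FAIL")
    lines.append("2011-04-08T03:01:10 host=db-prod-01 user=admin src=203.0.113.7 result=OK")
    for hh, mm in ((9, 15), (11, 40), (14, 5)):         # ordinary mistyped passwords
        lines.append(f"2011-04-08T{hh:02d}:{mm:02d}:00 host=ws-042 user=jdoe "
                     f"src=10.0.1.44 result=FAIL")
    t1 = datetime(2011, 4, 8, 10, 0, 0)
    for i in range(60):                                  # one failure per minute for an hour
        ts = (t1 + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} host=ws-042 user=svc-backup src=10.0.2.9 result=FAIL")
    return "\n".join(lines)


if __name__ == "__main__":
    for a in run_detection(build_sample_log(), critical_hosts={"db-prod-01"}):
        print(f"[{a['severity']}] {a['count']} failures from {a['src']} to {a['host']} "
              f"between {a['first']} and {a['last']} (off hours: {a['off_hours']})")
```

With the article's numbers (50 failures, 30 seconds) only the 3 a.m. burst fires; the slow drip against the workstation never has more than one failure inside any 30-second window. Widening the window to ten minutes and lowering the threshold to five picks that drip up as well, which is the tuning trade-off a real SIEM rule author has to make between catching slow attempts and drowning analysts in noise.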

Use Compliance Dollars For Real Security

If effective log management were easy, everyone would be doing it. But that's not the case. Though most companies have log systems, fewer than a quarter of the IT market is doing a good job of monitoring them, estimates John Burnham, VP of marketing at SIEM vendor Q1 Labs.

SIEM tools originally were developed to provide actionable information to protect critical infrastructure--particularly in government settings. Now regulators in many industries mandate their use. Unfortunately, most organizations don't do much more than what's required to prove that the logs have been collected, stored, and verified. In the scramble to comply, they forget the original intent of logging--security.

But since these systems are needed for compliance, they tend to be adequately funded. And now, the smartest companies are using this software for prevention, by monitoring in real time what's hitting networks, rather than just for after-the-fact, forensic analysis.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
