Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Next Generation Of SIEMs? Ease Of Use, Analyze More Data
Newest First  |  Oldest First  |  Threaded View
mharrison392
mharrison392,
User Rank: Apprentice
10/22/2013 | 8:42:50 PM
re: Next Generation Of SIEMs? Ease Of Use, Analyze More Data
I don't think I want a plug and play SIEM solution. The complexity of all the interconnected parts in unique environments is not something that I am comfortable with a SIEM understanding. It is important that someone in the organization understand how these pieces work together whether a SIEM is implemented or not.

A SIEM solution is a TOOL. It makes the job easier, but it's still a hard job. Knowledge is still required. They used computers in 1969 to put a man on the moon. The people designing the systems and working at mission control still had to know the pieces and parts. They still had to know what they were doing.

The problem is that most people want to purchase a solution that they can install and forget. A SIEM takes care and feeding on a regular basis. A properly installed and configured SIEM requires tuning regularly. However, most SIEM implementations I've seen have had the proverbial "kitchen sink" worth of logs thrown at them day one or week one. It takes time to do this properly. You have to add one feed at a time and spend some time getting to know it and tuning it, then move on to the next log feed.

I believe you could make the argument that anyone wanting a plug a play SIEM should outsource their security operations. The fact of the matter is that real, effective security requires knowledgeable, dedicated, warm bodies. Most organizations are unwilling to accept that.
MarciaNWC
MarciaNWC,
User Rank: Apprentice
10/21/2013 | 11:09:31 PM
re: Next Generation Of SIEMs? Ease Of Use, Analyze More Data
You'd think after this long in the market, SIEMs would have become easier to use. Although, as the story notes, the marketing line with SIEMS has always been the opposite.
AccessServices
AccessServices,
User Rank: Apprentice
10/21/2013 | 12:28:10 PM
re: Next Generation Of SIEMs? Ease Of Use, Analyze More Data
From someone that has lived and worked in the trenches, I agree with Robert. SIEMs are complicated beasts. They capture data from multiple devices so the person setting up the rules needs to understand the relationship between databases, networks, web servers, load balancers, firewalls, AD, etc.... The biggest problem I've seen is training. Companies will purchase a nice vehicle to move a company forward and then won't pay to teach one of two employees how to drive it. Then when it crashes, blame the IT group.

Even if the SIEM is just capturing the data, a company has made progress. The forensic and troubleshooting capabilities are significant. There have been several times when I've solved issues by going to an "unused SIEM" or logging device. For what to correlate, the SANS Institute has written several papers on what to look for.

Jeff Jones
Abacus Solutions


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file