Contact Information:

For media and analyst queries, please contact:

Harmala Singh-Francois
Phone: (443) 539-3773

hfrancois@prismmicrosys.com

EventSource February 2008 – Threatscape 2008; Computer security survey results

Featured Article

Understanding where SIM ends and log management begins

By Mike Rothman, President, Security Incite and author of the Pragmatic CSO and Security Mike’s Guide to Internet Security
http://securityincite.com, www.pragmaticcso.com, www.securitymike.com

In my travels, I tend to run into two types of security practitioners. The first I’ll call the “sailor.” These folks are basically adrift in the lake in a boat with many holes. They’ve got a little cup and they work hard every day trying to make sure the water doesn’t overcome the little ship and sink their craft.

The others I’ll call the “builders,” and these folks have gotten past the sailor phase, gotten their ship to port and are trying to build a life in their new surroundings. Thus, they are trying to lay the foundation for a strong home that can withstand whatever the elements have to offer.

Yes, there is a point to these crazy analogies. When you are talking about security management, the sailors don’t have a lot of time to worry about anything. They do the least amount necessary to keep whatever limited security defenses they have up and running. The idea of security information management, log management, configuration management or pretty much [anything] followed by the word management, just isn’t in their vernacular.

In this piece I’m going to focus on the builders. These folks are looking for something a bit more strategic now and they are asking questions like, “do I need SIM?” and “what about log management?” If you are in that camp, consider yourself lucky because many practitioners don’t get there.

To be clear, the title is a little bit disingenuous. I don’t really think that SIM ends and log management begins anywhere. All of these disciplines are coming together into a next generation security management PLATFORM, and based on these platforms I see a lot of security professionals finally starting to make some inroads. You know, more effectively managing their environments.

I don’t have the space to tell the full history of security management, so in a nutshell: the discipline has evolved from stand-alone consoles that were built specifically to manage a class of device (firewall, VPN, IPS, etc.) to a central console mentality. This has mapped cleanly to the evolution of most network security vendors’ product lines. They started as specialists focusing on one discipline (firewall, IPS, etc.) and have now broadened their offerings into integrated devices that offer multiple functions. Their management consoles reflect that.

But that doesn’t really solve most customers’ problem, which is that they’ve got a heterogeneous set of security devices and it’s neither time- nor resource-efficient to manage those devices separately. So an overlay management console dubbed SIM (security information management) was built to integrate the data coming from these specific devices, correlate it, and then tell the administrator what they need to focus on.

This was a bit better (although first generation SIMs cost too much and took too long to deliver value), but it still didn’t address an emerging problem: the need for forensically clean information that could be used for compliance and incident investigations. Thus, a few years ago, the log management business was born.

Now many practitioners want the best of both worlds. The nerve of you folks! Basically, you want to be able to correlate operational data so you can react faster to imminent attacks, but also make sure the data is gathered and stored in a way that ensures it’s useful for investigations and compliance reporting.

The good news is that isn’t too much to ask for, and a number of vendors are now bringing these next generation security management platforms to market. What are some of the characteristics of these new offerings? Basically, I believe the PLATFORM must be built on a log management foundation.

Why? Because data integrity is paramount to ensuring the information will stand up in a court of law. That means the log records (or any other gathered info like Netflow data or transactions) must be cryptographically signed and sequenced. This demonstrates the data hasn’t been tampered with and creates evidence that cannot be questioned, even by the savviest of vultures – I mean, defense attorneys.
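As an added illustration (not code from the article or from any vendor’s product) of what “signed and sequenced” buys you: each record carries a sequence number and a tag computed over that number, the previous record’s tag and its content, so verification reports the first record where an edit, deletion, reordering or tail truncation shows up. The key and log lines are constructed, and HMAC stands in for the per-collector digital signature a real platform would use.

```python
import hashlib, hmac, json

# Constructed demo key; a real collector would sign with a private key so the
# verifier never holds the secret. HMAC stands in for that signature here.
KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # chain anchor for the first record

def _tag(key, seq, prev_tag, message):
    # Tag binds content AND position: edits, deletions and reordering all break it.
    payload = json.dumps([seq, prev_tag, message], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append_record(key, records, message):
    """Append a sequenced, tagged record to the list in place."""
    seq = len(records) + 1
    prev_tag = records[-1]["tag"] if records else GENESIS
    records.append({"seq": seq, "msg": message, "tag": _tag(key, seq, prev_tag, message)})

def verify_chain(key, records, expected_last_tag=None):
    """Return (True, None) if intact, else (False, position of first break).
    expected_last_tag, kept in a trusted store, also catches tail truncation."""
    prev_tag = GENESIS
    for position, rec in enumerate(records, start=1):
        if rec["seq"] != position:  # gap or reordering
            return False, position
        if not hmac.compare_digest(_tag(key, rec["seq"], prev_tag, rec["msg"]), rec["tag"]):
            return False, position  # content edited or chain relinked
        prev_tag = rec["tag"]
    if expected_last_tag is not None and not hmac.compare_digest(prev_tag, expected_last_tag):
        return False, len(records) + 1  # records removed from the end
    return True, None

def demo():
    """Build a three-record log (constructed lines) and test each tamper class."""
    log = []
    for msg in ["user=alice action=login src=10.0.0.5",
                "user=alice action=sudo cmd=/bin/sh",
                "user=alice action=logout"]:
        append_record(KEY, log, msg)
    head = log[-1]["tag"]  # would be stored separately as the trusted anchor
    edited = [dict(r) for r in log]
    edited[1]["msg"] = "user=alice action=read"
    return {
        "intact": verify_chain(KEY, log, head),
        "edited": verify_chain(KEY, edited),
        "deleted": verify_chain(KEY, [log[0], log[2]]),
        "swapped": verify_chain(KEY, [log[1], log[0], log[2]]),
        "truncated": verify_chain(KEY, log[:2], head),
    }
```

Without the trusted anchor tag, silently dropping the newest records is undetectable, which is why the chain head has to live somewhere the log writer cannot alter.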

You also want to make sure the data isn’t reduced. With first generation SIMs, the vendors didn’t have a choice but to use data reduction techniques in order to get on top of the sheer volume of information. That’s no longer a problem, thanks to the constant march of Moore’s Law on the technology industry. Now ALL of the data can be stored, and it should be – at least for a certain amount of time.

Finally you want to make sure the security management platform’s management environment will fit into your own personal workflow. That’s absolutely critical because you’ll have to live in this tool a large portion of every working day. Does it provide you with the ability to customize the environment and provide the information YOU need, not what the vendor thinks you need?

Sounds like a cool vision, no? It is, but it’s usually a pretty big project to get there. So I advocate a phased approach that allows you to focus on the problem you need to solve TODAY and build towards the future. It’s kind of like building a house. You may not need a pool today, but if that’s something you think you’d like, you’d better make sure there is space in the back yard to accommodate those plans.

That’s why I take a platform approach to building your security management environment. Take an application-centric approach, built on top of a common foundation (that’s the platform). SIM is an application. So is network behavior analysis and configuration management. These applications can be driven by the data stored in the platform and the platform can be extended to meet all of your requirements over time.


Industry News

2007 CSI computer security survey shows average loss shot up to over $350,000 due to security incidents


Other key findings:

- Financial fraud overtook virus attacks as the source of the greatest financial losses.
- Another significant cause of loss was system penetration by outsiders.
- Insider abuse of network access or e-mail edged out virus incidents as the most prevalent security problem, with 59 and 52 percent of respondents reporting each respectively.


Visa adds to its list of payment apps that improperly store card data


Update puts three more vendors on the list, which now includes more than 50 products from a total of 22 companies.


Societe Generale: A cautionary tale of insider threats

The $7.2 billion in fraud against French banking giant Societe Generale wasn't your garden variety cyber attack, but it illustrates an insider threat that gives IT pros nightmares.


FERC approves cyber security standard for power grid

Developed by the North American Electric Reliability Corp in 2006, the standard emphasizes log retention and review in sections R5.1.2, 6.4 and 6.5. Access a copy of the Cyber Security Standard for Systems Security Management here.

Log Talk

Get the latest insight on all things related to Log Management on the new Prism Microsystems blog. Feel free to leave comments and share your thoughts.

Is Log Management enough?

More thought on SIEM vs. IT search

Security or Compliance?


Featured Webinars

Threatscape 2008

Date: March 26, 2008 Time: 12:00 pm Eastern

New trends include targeted attacks and a rise in insider abuse. Financial losses from these have doubled in the last 12 months to an average of $350K. Integrated solutions that include change detection, log management and correlation features offer a practical way for administrators to manage business critical IT assets.

Attend this webcast, anchored by Security Incite's Mike Rothman and learn:
• New trends in security management
• Why do-nothing is the most dangerous posture
• Defense against the Dark Arts: which features are critical
• Practical approaches to navigating the threatscape

Industry Trends Webinar: Implementing Log and Change Management Strategies to Secure Your Organization

Date: February 13, 2008 Time: 1:00pm Eastern

Jagat Shah, CTO of Prism Microsystems, will discuss how to put in place an enforceable strategy with EventTracker to protect your organization from both inside and outside threats. This strategy helps prevent security breaches and the unauthorized, unplanned and malicious changes that can open up security holes in your enterprise for potential future attacks.


Legal

This document is provided for informational purposes only. The information contained in this document represents the current view of Prism Microsystems, Inc. on the issues discussed as of the date of publication. Because Prism must respond to changes in market conditions, it should not be interpreted to be a commitment on the part of Prism and Prism cannot guarantee the accuracy of any information presented after the date of publication.

INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED 'AS IS' WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND FREEDOM FROM INFRINGEMENT.

The user assumes the entire risk as to the accuracy and the use of this document. This document may be copied and distributed subject to the following conditions: 1) All text must be copied without modification and all pages must be included; 2) All copies must contain Prism's copyright notice and any other notices provided therein; and 3) This document may not be distributed for profit. All trademarks acknowledged. Copyright Prism Microsystems, Inc. 2005.


Prism Microsystems, Inc.
6990 Columbia Gateway Drive Suite 250
Columbia MD 21046
