EventSource June 2008 – EventTracker review; Zero-day attack protection and more

Featured Article

Creating lasting change from security management

Over the past year, I’ve dealt with how to implement a Pragmatic approach to security management and then dug deeper into the specifics of how to successfully implement a security management environment. Think of those previous tips as your high school level education in security management. Now it’s time to kiss the parents, hug the dog, and head off to the great unknown that represents college, university or some other secondary education. The tools are in place and you have a quick win to celebrate, but the reality is these are still just band-aids. The next level of your education is about creating lasting change that results in constant improvement of your security posture. Creating this kind of change means that your security management platform needs to:
I know those two objectives may seem a long way off when you are just starting the process, but let’s take a structured approach to refining our environment and before you know it, your security management environment will be a well-oiled machine, and dare I say it, you will be the closest thing to a hero on the security team.

Step 1: Revisit the metrics

Keep in mind that in the initial implementation (and while searching for the quick win), you gathered some data and started pulling reports on it to identify the low-hanging fruit that needed to be fixed right now. This is a good time to make sure you are gathering enough data to draw broader conclusions. Remember that we are looking mostly for anomalies. Since we defined normal for your environment during the initial implementation, now we need to focus on what is “not normal.” Here are a couple of areas to focus on:
Step 2: Refine the thresholds

Remember the REACT FASTER doctrine? That’s all about making sure you learn about an issue as quickly as possible and act decisively to head off any real damage. Since you are gathering a very comprehensive set of data now (from Step 1), the key to being able to wade through all that data and make sense of it is thresholds.

To be clear, initially your thresholds will be wrong and the system will tend to be a bit noisy. You’ll get notified about too much stuff, because you are better off setting loose thresholds initially than missing the iceberg (yes, it’s a Titanic reference). But over time (and time can be measured in weeks, not months), you can and should be tightening those thresholds to really narrow in on the “right” time to be alerted to an issue.

The point is all about automation. You’d rather not have your nose buried in log data all day or watching the packets fly by, so you need to learn to trust your thresholds. Once you have them in a comfortable place (like the Three Bears: not too many false positives, but not too few either), you can start to spot check some of the devices, just to make sure.

Constant improvement is all about finding the right mix of data sources and monitoring thresholds to make an impact. And don’t think you are done tuning the system – EVER. What’s right today is probably wrong tomorrow, given the dynamic nature of IT infrastructure and the attack space.

Step 3: Document thyself

Finally, once your system is operating well, it’s time to revisit all of those reports you generate. Look from a number of different perspectives:
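As an added illustration of Steps 1 and 2 (this is not code from the article’s author or from EventTracker): a small Python script treats a constructed per-host baseline of hourly failed-login counts as “normal”, then alerts on the current hour when a count exceeds the baseline mean plus k standard deviations, so raising k shows how tightening the threshold drops the noisy alert while keeping the real outlier. Host names and counts are constructed sample data.

```python
"""Threshold tuning over a per-host baseline of failed-login counts.

Added illustration of the article's Step 1 / Step 2 idea: define "normal"
from collected data, alert on what is "not normal", start loose, tighten.
Not EventTracker code; hosts and counts below are constructed.
"""
from statistics import mean, pstdev

# Constructed baseline: failed logins per hour over a 24-hour "normal"
# window for two hosts. This is the data Step 1 says to gather.
BASELINE = {
    "web01": [3, 2, 4, 3, 5, 2, 3, 4, 3, 2, 4, 3, 5, 3, 2, 4, 3, 3, 2, 4, 3, 5, 2, 3],
    "db01":  [0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0],
}

# Constructed observations for the hour being evaluated. web01 is a real
# outlier (about three times its usual rate); db01 is mild noise.
CURRENT_HOUR = {"web01": 9, "db01": 4}


def baseline_stats(samples):
    """Return (mean, stddev) of the baseline window. The stddev is floored
    at 1.0 so a nearly flat baseline still yields a usable threshold."""
    return mean(samples), max(pstdev(samples), 1.0)


def threshold(samples, k):
    """Alert level = mean + k * stddev. A small k is the 'loose' setting the
    article recommends at first; raising k tightens the threshold."""
    avg, sd = baseline_stats(samples)
    return avg + k * sd


def evaluate(observed, baseline, k):
    """Return, sorted, the hosts whose observed count breaches their own
    baseline-derived threshold at the given k."""
    return sorted(h for h, n in observed.items() if n > threshold(baseline[h], k))


if __name__ == "__main__":
    # Walk k upward the way the article suggests tightening over weeks:
    # the db01 noise alert disappears first, web01 stays until k is large.
    for k in (1, 3, 4, 6):
        print(f"k={k}: alerts on {evaluate(CURRENT_HOUR, BASELINE, k)}")
```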
Congratulations, you are ready for your diploma. If you generally follow some of the tips and utilize many of the resources built into your security management platform, you can make a huge impact in how you run your security environment. I won’t be so bold as to say you can “get ahead of the threat,” because you can’t. But you can certainly REACT FASTER and more effectively. Good luck on your journey, and you can always find me at http://blog.securityincite.com.

Industry News

Adobe zero day flaw being actively exploited in wild
The widely used Adobe Flash Player has a zero day flaw that is being targeted by a number of attackers who set up more than 200,000 Web pages to exploit the flaw.

Exploiting Security Holes Automatically
Software patches, which are sent over the Internet to protect computers from newly discovered security holes, could help the bad guys as well as the good guys, according to research recently presented at the IEEE Symposium on Security and Privacy. The research shows that attackers could use patches to automatically generate software to attack vulnerable computers, employing a process that can take as little as 30 seconds.

Learn how you can protect your IT systems from zero-day attacks
There is always a lag between the time a new virus hits the web and the time a patch is created and antivirus definitions updated, which often gives the virus several hours to proliferate across thousands of machines (the Adobe flaw is a perfect case in point). In addition, virus signatures are changing constantly, and often the same virus can come back with a slight variation that is enough to elude antivirus systems.

Hot Topics

Prism Microsystems positioned in Magic Quadrant by leading analyst firm
Prism Microsystems, a leading provider of SIEM solutions to the midsize enterprise market, today announced that it has been positioned by Gartner in the recently published ‘Magic Quadrant for Security Information and Event Management, 1Q08’ report.
InformationWeek Magazine Review: Prism EventTracker Log Management Systems
We put version 6.0 of EventTracker to the test and found it on par with rivals in ease of use, and ahead in scalability.

Log Management and Change Monitoring Team-up in EventTracker
It’s pretty astonishing what shows up knocking on your firewall trying to get in. Even so, data in the second half of 2007 showed that the internal threat, while less frequent, is more expensive. With insiders now added to a list of threats that includes mutating viruses and target-specific attacks…

Featured Case Study

Autoscribe uses integrated Log and Change Management for broadest coverage of PCI requirements and to detect emerging attack vectors such as zero-day and mutating malware. Read case study at .