logo
                  

Archive for the ‘Security Management’ Category

Log Monitoring – real time or bust?

Monday, April 13th, 2009

As a vendor of a log management solution, we come across prospects with a variety of requirements — consistent with a variety of needs and views of approaching problems.

Recently, one prospect was very insistent on “real-time” processing. This is perfectly reasonable but as with anything, when taken to an extreme, can be meaningless. In this instance, the “typical” use case (indeed the defining one) for the log management implementation was “a virus is making its way across the enterprise; I don’t have time to search or refine or indeed any user (slow) action; I need instant notification and ability to sort data on a variety of indexes instantly”.

As vendors we are conditioned to think “the customer is always right” but I wonder if the requirement is reasonable or even possible. Given specifics of a scenario, I am sure many vendors can meet the requirement — but in general? Not knowing which OS, which attack pattern, how logs are generated/transmitted?

I was reminded again by this blog by Bejtlich in which he explains that “If you only rely on your security products to produce alerts of any type, or blocks of any type, you will consistently be “protected” from only the most basic threats.”

While real-time processing of logs is a perfectly reasonable requirement, retrospective security analysis is the only way to get a clue as to attack patterns and therefore a defense.

-Posted by Ananth

VN:F [1.9.2_1090]
Rating: 0.0/5 (0 votes cast)
VN:F [1.9.2_1090]
Rating: 0 (from 0 votes)

Tags: , , ,
Posted in Log Management, Security, Security Management | No Comments »

The role of host-based security

Friday, February 15th, 2008

In the beginning, there was the Internet.
And it was good (especially for businesses).
It allowed processes to become web enabled.
It enabled efficiencies in both customer facing and supplier facing chains.

Then came the security attacks.
(Toto, I’ve got a feeling we’re not in Kansas any more).
And they were bad (especially for businesses).

So we firewalled.
And we patched.
And we implemented AV and NIDS.

Are we done then?
Not really.

According to a leading analyst firm, an estimated 70% of security breaches are committed from inside a networks perimeter. This in turn is responsible for more than 95% of intrusions that result in significant financial losses. As a reaction, nearly every industry is now subject to compliance regulations that can only be fully addressed by applying host based security methods.

Security Information and Event Management systems (SIEM) can be of immense value here.
An effective SIEM solution centralizes event log information from various hosts and applies correlation rules to highlight (and ideally thwart) intrusions. In the instance of the “insider” threat, exception reports and review of privileged user activity is a critical activity.

If your IT Security efforts are totally focused on the perimeter and the internal network, you are likely to be missing a large and increasingly critical “brick in the wall”.

-Posted by Ananth

VN:F [1.9.2_1090]
Rating: 0.0/5 (0 votes cast)
VN:F [1.9.2_1090]
Rating: 0 (from 0 votes)

Tags: , , , , , , ,
Posted in SIEM, Security Management | 1 Comment »

Are you worth your weight in gold?

Thursday, February 7th, 2008

Interesting article by Russell Olsen on Windows Change Management on a Budget      

He says: “An effective Windows change management process can be the difference between life and death in any organization. Windows managers who understand that are worth their weight in gold…knowing what changed and when it changed makes a big difference especially when something goes wrong. If this is so clear, why do so many of us struggle to implement or maintain an adequate change control process?” 

Olsen correctly diagnoses the problem as one of discipline and   commitment. Like exercising regularly, its hard….but there is overwhelming evidence of the benefits.

The EventTracker SIM Edition makes it a little easier by automatically taking system (file and registry) snapshots of Windows machines at periodic intervals for comparison either over time or against a golden baseline.

Given the gap between outbreak and vaccine for malware and attacks, as well as the potential for innocuous human error when dealing with complex machinery, the audit function makes it all worthwhile. The CSI 2007 survey shows the annual loss from such incidents to be $350,000.

Avoiding such losses (and regular exercise) will make you worth your weight in gold.

-Posted by Ananth

VN:F [1.9.2_1090]
Rating: 3.0/5 (1 vote cast)
VN:F [1.9.2_1090]
Rating: 0 (from 0 votes)

Tags: , , ,
Posted in Change Management, EventTracker, Security Management | 1 Comment »