Many organizations have begun to implement Security Information and Event Management (SIEM) solutions. Most vendors of such solutions offer strong event log management features. Is it enough?
The Gartner Group estimates that 75% of enterprises will be infected this year with targeted malware that evades their traditional defenses. You might be in the section of the market that is specifically targeted by internet criminals, industrial espionage, or terrorists: banks, telecoms, utilities, DoD and F-1000 companies. The issue is that normal AV products do not find those signatures, since the malware was specially made to penetrate only your defenses. Your problem quickly becomes: "HOW do I find out if a file is malicious?"
You have a special problem to defend against: tailor-made trojans that were developed to penetrate only YOUR organization. Also, keep in mind that attacks on your networks are continuous and never-ending, because advanced attack code is automated and mutates on its own until it finds a soft spot.
Log management in itself is necessary (a brick in the wall) but not sufficient. Configuration change detection is a critical element. The PCI-DSS standard recognizes this: Requirement 10 is all about log management, while Requirement 11.5 specifically requires configuration change detection.
Takeaway: When considering SIEM solutions, bear the configuration change detection requirement in mind. It most likely will be procured and implemented by the same team.
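To make the change-detection requirement concrete, here is an added example (not from the original post, and not EventTracker's or Prism Microsystems' code) of the minimal mechanism that PCI-DSS Requirement 11.5 asks for: baseline the hash, size and permission bits of every file under a directory, persist the baseline as JSON, and on the next scan report files that were added, removed or modified. The directory tree, file names and contents in `demo()` are constructed in a temporary directory purely for illustration.

```python
"""Minimal configuration change detector: baseline a directory, then diff it."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and permission bits for every regular file under root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),  # permission change is a change too
            }
    return baseline


def save_baseline(baseline: dict, store: Path) -> None:
    """Persist the baseline; in practice this store must itself be protected."""
    store.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store: Path) -> dict:
    return json.loads(store.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two scans as added, removed or modified."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in common if baseline[f] != current[f]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake config tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tree, tempfile.TemporaryDirectory() as vault:
        root = Path(tree)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")

        # Day 0: take the approved baseline and store it outside the scanned tree.
        store = Path(vault) / "baseline.json"
        save_baseline(build_baseline(root), store)

        # Later: one file edited, one deleted, one new file dropped in.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "new.conf").write_text("constructed sample content\n")

        # Day N: re-scan and diff against the stored baseline.
        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Running the script prints one line per category; `etc/sshd_config` shows up as modified, `etc/hosts` as removed and `etc/new.conf` as added. The important design point for an SIEM deployment is the last one in `demo()`: the diff is only as trustworthy as the baseline store, so it belongs on a separate, write-protected system, and each reported change should be raised as an event alongside the logs so that the two can be correlated.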
-Posted by Ananth
Tags: Change Management, Configuration, EventTracker, Log Management, PCI-DSS, Prism Microsystems, SIEM, trojans
