(SIEM) Security Information and Event Management – A Few Correlation Rules To Get Started

Lots of organizations are deploying Security Information and Event Management (SIEM) systems either to do their due diligence or because it’s part of a regulatory requirement. One of the misconceptions typically derived from marketing material is that you plug it in, turn it on, and voila, instant security. This couldn’t be further from the truth.

I look at SIEM like a meta-IDS (Intrusion Detection System). It is attempting to find those needles in the haystack. Most of the deployments I’ve worked on receive millions of events per day. Many of the events are informational. Sometimes it is mandatory to send those events to the SIEM because of regulatory requirements, so my goal is always to maximize our resources and make the best of the situation. When you’re getting millions of firewall events per day, for example, you can either have them take up space on your SAN uselessly or you can try to detect misuse with them.

The first thing you need to do is identify which systems will be forwarding events, typically all switches, routers, servers, applications, and security systems (Network/Host Intrusion Prevention, Firewalls, anti-malware, etc). The number of devices that forward events to the SIEM will depend on how much money you are willing to spend on event collectors that receive and normalize events, and on the storage necessary to keep all of this data around.

Deciding what events to send to your SIEM is often challenging. The system you are investigating is going to have two capacity limits to be aware of: [Read more...]

6 Things You Should Know About Choosing a SIEM Solution

So many names. It always reminds me of the line from The Devil’s Advocate when Pacino says “Oh, I have so many names.” Security Information Management, Security Information and Event Management, SIM, SIEM, Log Management, Log Aggregation. If you really like to use buzzwords you could call this Big Data for Security.

This technology can be great. If implemented correctly you can find security and fault management issues in your environment as they are happening rather than trying to figure out if something has happened hours or months later, which is usually what happens if noticed at all. If you are not familiar with the technology, the basic concept is to configure all networked elements to forward events to the SIM. This allows you to:

  • Centralize events – if everything is in one place it’s much easier to search for something.
  • Normalize events – if the format of the events is the same we can actually search for things.
  • Search events – perhaps everything for a period of time or for an IP address or username.
  • Report on events – provide executive summaries on security and fault issues on a regular basis.
  • Correlate events – configure some logic so that if certain events happen within a specified period of time an alert of some sort can be generated.
Keep reading for the 6 factors that will make sure your SIM project is a success.
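A minimal sliding-window correlation rule of the kind described in the last bullet (N matching events from the same source within T seconds raise one alert), written as an added example that is not from the original post; the events, the rule name and the thresholds are constructed for illustration:

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable

# Constructed, already-normalized events (what a SIEM collector would emit).
EVENTS = [
    {"ts": 0,   "src": "10.0.0.5", "user": "bob", "outcome": "fail"},
    {"ts": 10,  "src": "10.0.0.5", "user": "bob", "outcome": "fail"},
    {"ts": 20,  "src": "10.0.0.5", "user": "bob", "outcome": "fail"},
    {"ts": 25,  "src": "10.0.0.9", "user": "eve", "outcome": "fail"},
    {"ts": 30,  "src": "10.0.0.5", "user": "bob", "outcome": "fail"},
    {"ts": 40,  "src": "10.0.0.5", "user": "bob", "outcome": "fail"},  # 5th in 60 s -> alert
    {"ts": 200, "src": "10.0.0.5", "user": "bob", "outcome": "fail"},  # window expired, no alert
]

@dataclass
class Rule:
    name: str
    match: Callable[[dict], bool]   # which events count toward the rule
    key: Callable[[dict], str]      # what to group by (e.g. source IP)
    threshold: int                  # how many matching events...
    window: int                     # ...within this many seconds

def correlate(events, rules):
    """Sliding-window counting correlation. Returns a list of (rule name, key, ts)."""
    alerts = []
    state = {r.name: defaultdict(deque) for r in rules}  # rule -> key -> timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        for r in rules:
            if not r.match(ev):
                continue
            q = state[r.name][r.key(ev)]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > r.window:      # drop timestamps outside the window
                q.popleft()
            if len(q) >= r.threshold:
                alerts.append((r.name, r.key(ev), ev["ts"]))
                q.clear()   # one burst yields one alert, not one per extra event

    return alerts

# Hypothetical rule: five failed logins from one source within 60 seconds.
BRUTE_FORCE = Rule(
    name="auth-bruteforce-by-source",
    match=lambda e: e["outcome"] == "fail",
    key=lambda e: e["src"],
    threshold=5,
    window=60,
)

if __name__ == "__main__":
    for alert in correlate(EVENTS, [BRUTE_FORCE]):
        print(alert)
```

Real deployments would key on normalized fields and pick thresholds per rule from baseline traffic; the second failed-login burst here is deliberately outside the window to show that the counter resets.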

[Read more...]

HIPS: Protecting Against The Modern Zero-Day Threat [Sophos]

Long gone is the perceived image of the malware perpetrator as an outcast teenager sitting in his parents’ basement. Today’s internet thieves are more organized and technically savvy than ever.

Years ago, security threats were simpler. There were Trojans, worms, and rootkits – and the differences between each were clear. Now that they are known collectively as “malware”, the differences between these sophisticated threats have become blurred. The threats your organization faces today are fast-moving and targeted, and you require equally sophisticated protection to stop malware before a specific detection update can be released.

Have you met HIPS?

[Read more...]