Endpoint security: beyond protection


Think your endpoint security is enough to guard against today’s advanced targeted attacks? You may need to think again.

In security circles, endpoint protection has been “old news” for a few years. There’s no doubt it’s needed, but many companies—facing the veritable onslaught of malicious attacks from an increasing number of vectors—have logically stepped back and looked at the bigger security picture, turning to technology to secure the network as a whole (and often the cloud). A holistic view of security is smart, but is it time to once again look closer at securing the endpoint?

[Read more…]

Security Information and Event Management (SIEM) – A Few Correlation Rules To Get Started

Lots of organizations are deploying Security Information and Event Management (SIEM) systems, either as due diligence or because a regulation requires it. One misconception that usually comes from marketing material is that you plug it in, turn it on, and voilà, instant security. This couldn’t be further from the truth.

I look at a SIEM as a meta-IDS (Intrusion Detection System): it is attempting to find the needles in the haystack. Most of the deployments I’ve worked on receive millions of events per day, and many of those events are informational. Sometimes regulatory requirements make it mandatory to send those events to the SIEM, so my goal is always to get the most out of the resources we have. When you’re receiving millions of firewall events per day, for example, they can either take up space on your SAN uselessly or you can use them to detect misuse.

The first thing you need to do is identify which systems will be forwarding events: typically all switches, routers, servers, applications, and security systems (network/host intrusion prevention, firewalls, anti-malware, etc.). The number of devices you forward events from depends on how much money you are willing to spend on the event collectors that receive and normalize events, and on the storage needed to retain all of this data.

Deciding what events to send to your SIEM is often challenging. The system you are investigating is going to have two capacity limits to be aware of: [Read more…]

6 Things You Should Know About Choosing a SIEM Solution

So many names. It always reminds me of the line from The Devil’s Advocate when Pacino says “Oh, I have so many names.” Security Information Management, Security Information and Event Management, SIM, SIEM, Log Management, Log Aggregation. If you really like buzzwords you could call this Big Data for Security.

This technology can be great. Implemented correctly, it lets you find security and fault-management issues in your environment as they are happening, rather than trying to work out hours or months later whether something happened, which is the usual outcome if it is noticed at all. If you are not familiar with the technology, the basic concept is to configure every networked element to forward its events to the SIM. This allows you to:

  • Centralize events – if everything is in one place it’s much easier to search for something.
  • Normalize events – if every source’s events are mapped onto the same fields, one search or one rule can apply across all of them.
  • Search events – perhaps everything for a period of time, or everything for an IP address or username.
  • Report on events – provide executive summaries on security and fault issues on a regular basis.
  • Correlate events – configure some logic so that if certain events happen within a specified period of time, an alert of some sort is generated.
Keep reading for the 6 factors that will make sure your SIM project is a success.
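To make the normalize-then-correlate idea concrete (and the earlier point that millions of firewall denies can be put to work detecting misuse), here is an added Python example; it is not code from this post or from any SIEM product. The log lines are constructed, the firewall key=value format is invented, the sshd lines follow OpenSSH’s syslog wording, and the thresholds, windows and the assumed syslog year are arbitrary choices for illustration. Both vendor formats are mapped onto one schema, and two simple correlation rules then run over the result: a port-scan rule over firewall denies, and a brute-force-followed-by-success rule over authentication events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in two formats (not captured from any real system).
# Firewall lines use a made-up key=value layout; sshd lines use OpenSSH's syslog wording.
RAW_EVENTS = [
    "2024-03-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp",
    "2024-03-01T10:00:02Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23 proto=tcp",
    "2024-03-01T10:00:03Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=445 proto=tcp",
    "2024-03-01T10:00:04Z fw01 ALLOW src=198.51.100.9 dst=10.0.0.8 dport=443 proto=tcp",
    "2024-03-01T10:00:06Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389 proto=tcp",
    "Mar  1 10:00:05 srv01 sshd[1234]: Failed password for admin from 203.0.113.7 port 50001 ssh2",
    "Mar  1 10:00:06 srv01 sshd[1234]: Failed password for admin from 203.0.113.7 port 50002 ssh2",
    "Mar  1 10:00:07 srv01 sshd[1234]: Failed password for admin from 203.0.113.7 port 50003 ssh2",
    "Mar  1 10:00:09 srv01 sshd[1235]: Accepted password for admin from 203.0.113.7 port 50005 ssh2",
    "Mar  1 10:30:00 srv01 sshd[1300]: Failed password for bob from 198.51.100.9 port 50100 ssh2",
    "Mar  1 10:31:00 srv01 sshd[1301]: Accepted password for bob from 198.51.100.9 port 50101 ssh2",
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)

SYSLOG_YEAR = 2024  # assumed: classic syslog timestamps carry no year


def normalize(line):
    """Map one raw line onto a common schema; return None for lines this parser does not know."""
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "host": m["host"], "type": "fw_" + m["action"].lower(),
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "user": None}
    m = SSH_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
        return {"ts": ts, "host": m["host"],
                "type": "auth_failure" if m["result"] == "Failed" else "auth_success",
                "src": m["src"], "dst": m["host"], "dport": 22, "user": m["user"]}
    return None


def load(lines):
    """Normalize every parseable line and sort by time; the rules assume time order."""
    events = [e for e in (normalize(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def rule_port_scan(events, min_ports=3, window=timedelta(seconds=60)):
    """Alert when one source is denied to >= min_ports distinct destination ports within the window."""
    alerts = []
    denies = defaultdict(list)  # src -> [(ts, dport)]
    for e in events:
        if e["type"] != "fw_deny":
            continue
        hist = denies[e["src"]]
        hist.append((e["ts"], e["dport"]))
        recent = {p for t, p in hist if e["ts"] - t <= window}
        if len(recent) >= min_ports:
            alerts.append({"rule": "port_scan", "src": e["src"],
                           "ports": sorted(recent), "at": e["ts"]})
            hist.clear()  # one scan raises one alert, not one per extra port
    return alerts


def rule_bruteforce_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Alert when >= min_failures failed logins for (src, user) are followed by a success within the window."""
    alerts = []
    failures = defaultdict(list)  # (src, user) -> [ts of each failure]
    for e in events:
        key = (e["src"], e["user"])
        if e["type"] == "auth_failure":
            failures[key].append(e["ts"])
        elif e["type"] == "auth_success":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"rule": "bruteforce_success", "src": e["src"],
                               "user": e["user"], "failures": len(recent), "at": e["ts"]})
            failures[key].clear()  # a success ends the sequence either way
    return alerts


def run_rules(lines):
    events = load(lines)
    return rule_port_scan(events) + rule_bruteforce_success(events)


if __name__ == "__main__":
    for alert in run_rules(RAW_EVENTS):
        print(alert)
```

On the sample input the first rule fires once for 203.0.113.7 (ports 22, 23 and 445 inside the window; the later 3389 deny starts a new count) and the second fires once for the admin account, while bob’s single failure followed by a success stays quiet. Two things to notice: the rules are only as good as the normalization (a source whose format is not parsed is invisible to every rule), and every threshold and window is a tuning decision that will produce false positives or misses until it is fitted to the environment.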

[Read more…]