Endpoint security: beyond protection


Think your endpoint security is enough to guard against today’s advanced targeted attacks? You may need to think again.

In security circles, endpoint protection has been “old news” for a few years. There’s no doubt it’s needed, but many companies—facing the veritable onslaught of malicious attacks from an increasing number of vectors—have logically stepped back and looked at the bigger security picture, turning to technology to secure the network as a whole (and often the cloud). A holistic view of security is smart, but is it time to once again look closer at securing the endpoint?

[Read more…]

How Will You Handle a Cyber-Attack? What to Do When You’re Under Fire

You likely use security event management tools to gather, organize and report on the security data in your environment. The trick is that traditional management processes are manual, costly, and limited in scalability. How easy does your current solution make it for your team to work together to diagnose and fix issues? In this post, I discuss why Softchoice likes McAfee’s Enterprise Security Manager, and what you can do to ensure you react efficiently when threats place your environment under fire. [Read more…]

Security Information and Event Management (SIEM) – A Few Correlation Rules To Get Started

Lots of organizations are deploying Security Information and Event Management (SIEM) systems, either as due diligence or because a regulatory requirement calls for one. One misconception, usually picked up from marketing material, is that you plug it in, turn it on, and voila, instant security. This couldn’t be further from the truth.

I look at a SIEM as a meta-IDS (Intrusion Detection System): it is attempting to find the needles in the haystack. Most of the deployments I’ve worked on receive millions of events per day, and many of those events are purely informational. Sometimes sending them to the SIEM is mandatory because of regulatory requirements, so my goal is always to maximize our resources and make the best of the situation. When you’re getting millions of firewall events per day, for example, you can either let them uselessly take up space on your SAN or you can write correlation rules that use them to detect misuse.
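As an added illustration of what "detecting misuse" with raw firewall events looks like (this is example code written for this page, not code from the original post or from any SIEM product), the block below runs two starter correlation rules over a handful of constructed, netfilter-style syslog lines: a port-scan rule (one source hitting many distinct destination ports on one host inside a short window) and a "denied then allowed" rule (a source repeatedly dropped on a port and then accepted on that same port shortly afterwards). The log format, the thresholds and the windows are assumptions chosen for the example; a real deployment would tune them per network and per device type.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in an iptables/netfilter syslog style. Addresses are
# from documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
Jan 10 10:00:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
Jan 10 10:00:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
Jan 10 10:00:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23
Jan 10 10:00:03 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25
Jan 10 10:00:03 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80
Jan 10 10:00:04 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
Jan 10 10:00:05 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=51001 DPT=3389
Jan 10 10:00:06 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=51002 DPT=3389
Jan 10 10:00:07 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=51003 DPT=3389
Jan 10 10:00:09 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=51004 DPT=3389
Jan 10 10:30:00 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=8080
"""

# Assumed line layout: syslog timestamp, host, "kernel:", verdict, then key=value fields.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+(DROP|ACCEPT)\s"
    r".*?\bSRC=(\S+)\s.*?\bDST=(\S+)\s.*?\bDPT=(\d+)"
)
EPOCH = datetime(1900, 1, 1)  # syslog timestamps carry no year; 1900 is strptime's default


def parse(lines):
    """Normalize raw lines into events; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
        yield {
            "t": (ts - EPOCH).total_seconds(),  # seconds, for window arithmetic
            "action": m.group(2),
            "src": m.group(3),
            "dst": m.group(4),
            "dpt": int(m.group(5)),
        }


def correlate(lines, scan_ports=5, scan_window=60, deny_count=3, deny_window=300):
    """Run two starter rules over firewall events and return a list of alert tuples.

    Thresholds and windows are example values, not recommendations.
    """
    alerts = []
    scan_state = defaultdict(deque)   # (src, dst) -> deque of (t, dpt) for DROPs
    scan_fired = set()                # suppress repeat PORT_SCAN alerts per (src, dst)
    deny_state = defaultdict(deque)   # (src, dst, dpt) -> deque of DROP times

    for ev in parse(lines):
        t, src, dst, dpt = ev["t"], ev["src"], ev["dst"], ev["dpt"]
        if ev["action"] == "DROP":
            # Rule 1: one source probing many distinct ports on one host in a short window.
            q = scan_state[(src, dst)]
            q.append((t, dpt))
            while q and t - q[0][0] > scan_window:
                q.popleft()
            distinct = {p for _, p in q}
            if len(distinct) >= scan_ports and (src, dst) not in scan_fired:
                scan_fired.add((src, dst))
                alerts.append(("PORT_SCAN", src, dst, sorted(distinct)))
            # Remember the drop for rule 2.
            dq = deny_state[(src, dst, dpt)]
            dq.append(t)
            while dq and t - dq[0] > deny_window:
                dq.popleft()
        else:
            # Rule 2: ACCEPT on a (src, dst, port) that was recently dropped deny_count+ times,
            # which is worth a look: a policy change, a rule mistake, or a bypass.
            dq = deny_state.get((src, dst, dpt))
            if dq:
                while dq and t - dq[0] > deny_window:
                    dq.popleft()
                if len(dq) >= deny_count:
                    alerts.append(("DENIED_THEN_ALLOWED", src, dst, dpt, len(dq)))
                    dq.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Both rules keep per-key sliding windows rather than global counters, which is what makes them usable at millions of events per day: state grows with the number of active (source, destination) pairs, not with event volume, and the window eviction keeps a noisy source from triggering forever on stale history. The last sample line, a lone drop from the scanning source half an hour later, deliberately falls outside the window and produces nothing.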

The first thing you need to do is identify which systems will forward events: typically all switches, routers, servers, applications, and security systems (network and host intrusion prevention, firewalls, anti-malware, etc.). How many devices you forward to the SIEM will depend on how much money you are willing to spend on the event collectors that receive and normalize events, and on the storage needed to keep all of that data around.

Deciding what events to send to your SIEM is often challenging. The system you are investigating is going to have two capacity limits to be aware of: [Read more…]