Category: SIEM

Thursday, 15 March 2012 08:32 No Comments

Security Week Excerpt: Working Toward a Unified Security Model

Chris Poulin, IBM Security Division

What mysteries lie solved in the mounds of unstructured data in our world? What value is there in standardizing data, as the World Health Organization is attempting to do with medical service codes?

In his latest contribution to Security Week, Chris Poulin asks these questions and delves into the value normalization could bring to data, especially in a security context. Imagine if event data followed a standard classification system instead of being a mish-mash of vendor-specific formats made up by software developers. Could event data then be more easily used to your advantage?

“There are already taxonomies for classifying vulnerabilities in the form of the Common Vulnerability Enumeration (CVE) database and Open Source Vulnerability Database (OSVDB), but not so with events. Every vendor creates their own log formats and many vendors have many formats, perhaps from acquiring multiple software applications or simply not having a development standard. In many cases the software developers just make up their own events, following neither a prescribed format for the fields nor the text within the fields. This makes parsing and categorizing events from a wide range of vendors difficult, and yet it’s a critical undertaking: normalization is the foundation of cross-system data mining and correlation.

There are a couple of main strategies for dealing with the lack of event standardization:

• Store it, perhaps making a best effort to parse the data into common, or normalized, fields, and wrap a flexible search engine around it;

• Invest significant effort into parsing and normalizing the data.

The first is the simpler of the two but is largely relegated to post-event analysis; the latter requires more effort but lends itself to real-time correlation and early threat detection. The difference is log management vs. SIEM.”

Click here to read the full article, “Working toward a Unified Security Model.” To learn more about the difference between log management and SIEM, and to gain an understanding of what a next generation security intelligence solution can bring to your organization, read this whitepaper, “The IT Executive Guide to Security Intelligence: Transitioning from SIEM to Total Security Intelligence.”


Thursday, 1 March 2012 11:00 2 Comments

How can you keep the “social media” bad guys from breaching your network?

Banning Social Media for Network Security?


Businesses today can’t afford to ignore the customer insight and connections they can gain through social media.  Being able to connect with your customers and prospects where they already are offers unprecedented access into their lives and lets you build relationships that extend the value of your brand.  But aside from the great benefits you can gain, there’s also a dark side organizations need to consider and be prepared to address.

We’ve moved on from the age-old discussion of social media as the “time-drainer”, and whether or not employee access should be blocked for productivity reasons. The conversation instead should be about something much more serious: protecting the vital information and assets of your organization from breach. In this article from USA Today, some staggering statistics are cited that remind us that social media isn’t simply the utopian data mine we’ve heard of. The information that businesses are finding so valuable for building relationships is also giving power to hackers just waiting to break in. Some highlights:

  • “In most of the high-profile breaches we’ve seen in the past 12 months, hackers used social engineering to get an initial foothold inside the company,” says Hugh Thompson, RSA conference program committee chair. “It isn’t a generic stranger trying to deceive your employees; it’s someone who knows them through online reconnaissance.”
  • Web traffic of 5,500 PC users in 20 nations was analyzed, and it was found that 1 in 60 Facebook postings and 1 in 100 Twitter posts carried malicious code.
  • “Companies now routinely permit employees to connect their personally owned smartphones and tablet PCs into company systems, creating a myriad of fresh pathways into corporate networks. A recent Juniper Networks survey of applications available for all mobile device operating systems [found] 28,472 malicious mobile apps in 2011, a 155% increase from the 11,138 malicious apps that existed in 2010.”

So what can you do about these new persistent threats?

You need to adopt security intelligence to monitor activity and content to and from social networks and independent devices. You need a security intelligence platform that can monitor your entire network, giving you complete visibility into everything going on across it. Preferably, you need a solution that can automatically detect new devices and provide instant monitoring. You want to be alerted to new risks and vulnerabilities as they appear. And you want context to be able to understand what the data you are collecting means, and access to advanced reporting and analytics that can help you dive into and address red flags immediately.

To learn more, and to evaluate what a next generation log management and Security Information and Event Management (SIEM) solution can do for your organization, download this white paper, “Five Practical Steps to Protecting your Organization Against Breach.”


Wednesday, 22 February 2012 11:57 1 Comment

Bridging Silos, Sharpening Analytics: The Advance of Security Intelligence

Today, IBM announced the first major deliverable from the acquisition of Q1 Labs back in October – a new and dramatically enhanced QRadar Security Intelligence Platform. The new release combines deep analytic capabilities with real-time data feeds from hundreds of different sources to give organizations the ability to help proactively protect themselves from increasingly sophisticated and complex security threats and attacks.

This is exciting news for many reasons, including that QRadar continues to define the frontier of security intelligence, offering new capabilities for instant search, massive scalability and intelligent data policy management. In addition, QRadar will tap security analytics and threat intelligence from more than 400 sources. IBM X-Force, one of the world’s largest repositories of threat and vulnerability insights, provides an intelligence feed to QRadar based on the real-time monitoring of 13 billion security events per day. This insight can flag behavior that may be associated with new and emerging threats, all in real-time.  Whether it’s the newest strain of malware or an advanced exploit technique first being seen halfway around the world, QRadar will monitor this intelligence and correlate it with what’s happening in your own environment, large or small.

To provide one example of how we’re bridging silos, consider the following scenario: An external attacker (or even an insider) compromises a number of user accounts, seeking access to a sensitive corporate database. After failing to log in to the database with the first four accounts, he successfully logs in with the fifth account (a privileged user), downloads the organization’s customer list and emails it from the compromised account to a suspicious domain. Most organizations would struggle to piece together these actions into a cohesive picture of the attack and its impact, and almost certainly would not see it in real time.

But with the combination of QRadar, IBM Guardium Database Security and IBM X-Force threat intelligence, the attack is detected and impact identified immediately.  Guardium provides the continuous database monitoring and sends alerts to QRadar SIEM, which enriches the view of the incident with network flows and logs it has collected.  It then observes activity involving an IP address (the receiving domain) that IBM X-Force has identified as suspicious.  QRadar QFlow also provides insight into the content actually sent by the attacker, via deep packet inspection.  And if the organization wanted to apply automated remediation to prevent the data exfiltration, it could even use QRadar to have the perimeter security devices block the data transmission.  In sum, the incident is detected in real-time and the impact understood – or even prevented.
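The normalization strategy quoted in the Security Week excerpt above and the four-failures-then-privileged-login scenario in this announcement, as an added example that is not Q1 Labs or IBM code: two constructed vendor-specific log formats are parsed onto common fields, and a simple per-source correlation rule raises an alert when repeated authentication failures are followed by a success and an outbound mail to a domain on a threat-intelligence list. The log formats, field names, IP addresses and the suspicious-domain list are all assumptions made for the example.

```python
import re

# Constructed sample events in two vendor-specific formats (not real product output):
# a key=value database audit line and a space-separated mail gateway line.
RAW_LOGS = [
    "dbaudit user=alice src=10.0.0.5 action=LOGIN status=FAIL",
    "dbaudit user=bob src=10.0.0.5 action=LOGIN status=FAIL",
    "dbaudit user=carol src=10.0.0.5 action=LOGIN status=FAIL",
    "dbaudit user=dan src=10.0.0.5 action=LOGIN status=FAIL",
    "dbaudit user=dba_admin src=10.0.0.5 action=LOGIN status=OK",
    "mailgw 10.0.0.5 dba_admin SEND relay.bad-domain.test 2048KB",
]
# Constructed threat-intelligence list of suspicious domains (placeholder values).
SUSPICIOUS_DOMAINS = {"bad-domain.test"}

KV_RE = re.compile(r"(\w+)=(\S+)")

def normalize(line):
    """Map one vendor-specific line onto common fields: src, user, category, dst."""
    if line.startswith("dbaudit "):
        kv = dict(KV_RE.findall(line))
        cat = "auth_success" if kv.get("status") == "OK" else "auth_failure"
        return {"src": kv["src"], "user": kv["user"], "category": cat, "dst": None}
    if line.startswith("mailgw "):
        _, src, user, _, dst, _ = line.split()
        return {"src": src, "user": user, "category": "mail_out", "dst": dst}
    # Unknown format: keep the raw line so nothing is silently dropped.
    return {"src": None, "user": None, "category": "unknown", "dst": None, "raw": line}

def correlate(events, fail_threshold=3):
    """Per source IP: N auth failures, then a success, then mail to a listed domain."""
    state = {}  # src -> {"fails": count, "success": user who then logged in}
    alerts = []
    for ev in events:
        s = state.setdefault(ev["src"], {"fails": 0, "success": None})
        if ev["category"] == "auth_failure":
            s["fails"] += 1
        elif ev["category"] == "auth_success" and s["fails"] >= fail_threshold:
            s["success"] = ev["user"]
        elif ev["category"] == "mail_out" and s["success"]:
            domain = ev["dst"].split(".", 1)[-1]  # strip the host label
            if domain in SUSPICIOUS_DOMAINS:
                alerts.append(f"{ev['src']}: {s['fails']} failed logins, then "
                              f"{s['success']} logged in and mailed {ev['dst']}")
    return alerts

if __name__ == "__main__":
    for alert in correlate(map(normalize, RAW_LOGS)):
        print(alert)
```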

We view this as an important step forward in bridging security silos and applying greater intelligence and automation.  What do you think?

For more information on today’s announcement, please see the press release here.


Tuesday, 31 January 2012 11:32 No Comments

You can’t predict every breach, but you can plan your response…

This morning I read an article on Computing.co.uk that asked, “How can organizations be prepared for cyber security incidents they can’t predict?”

I think this is a question a lot of CISOs ask themselves – and certainly, they should be. In the recent Data Protection & Breach Readiness Guide, published this January by the Online Trust Association (OTA), a key takeaway is “If a business collects data it will experience a data loss incident at some point.” That said, maybe you can’t predict how you will be breached, but it’s reasonable to assume that you will. This is the first step in a comprehensive network security strategy.

There are plenty of tools out there that can help analyze network configurations and identify the vulnerabilities that are creating entry points.  You can run simulations and tests, hire white-hat hackers to break into your systems, and monitor network activity until you’re blue in the face.  There are some breaches you can prevent, and there are some that you will never see coming.

The key is to have capabilities that will help you respond to the breach and limit your organization’s exposure as quickly as possible. How many horror stories have we heard over the past year of high profile breaches that lasted for months before they were spotted? How long did it take to find out what really happened? When breached, you immediately want to know who, what, when and how, so you can brief your constituents (customers, executives, board members, etc.) about what has occurred along with your remediation plan. This is where Security Intelligence comes in.

A Security Intelligence solution like QRadar can help keep you safe. It can be a part of your walled fortress, collecting information from across your entire infrastructure and alerting you when anomalies occur or improper configurations create new vulnerabilities. But more importantly, it can act as a stopgap, the tool you use to help stop the ship from sinking. Knowing immediately that you have been breached and what has been compromised; knowing how the breach occurred and where it originated from; seeing where the information has been distributed, in real time; all of this knowledge can help you respond and stop the threat from spreading further. And since it’s only a matter of time before a breach occurs, better response preparation could be the competitive advantage you’re looking for.

For more information about breach response best practices, please read Five Ways to Prepare for Your Data Breach. As always, share your comments and questions below!


Tuesday, 24 January 2012 11:11 No Comments

Customer Use Perspective Series Part 5: Complete Your SIEM with Network Flow Data

Welcome to the final part of our “customer use perspective” series, where one of our biggest retail customers talks about using network flow data to add a whole new dimension to their security posture. When we talk about network flow, it’s not limited to the typical formats – i.e. NetFlow, J-Flow and sFlow. While standard network flow is useful for establishing a general understanding of network conversations, it doesn’t provide deep visibility into network activity beyond basic network characteristics such as IP address and protocol transport.

To help fill this gap, there is QRadar QFlow, which provides Layer 7 visibility (application layer) and stateful classification of applications and protocols such as voice over IP (VoIP), social media, ERP, database, and thousands of other protocols and applications. While this information is powerful on its own, it becomes extremely useful when correlated with network and security events as part of a SIEM and Log Management solution.

Watch the clip to hear how our customer is using QRadar QFlow in their environment:

What can you do with QRadar QFlow?

  • Detect zero-day threats through traffic profiling
  • Comply with policy and regulatory mandates via deep analysis of application data and protocols
  • Monitor social media traffic
  • Perform advanced incident analysis via correlation of flow and event data
  • Continuously profile assets

Learn more about QRadar QFlow and be sure to listen to the full webcast to hear more about how our customer is utilizing the QRadar Security Intelligence Platform to help meet compliance regulations, centralize logs, correlate network events, and detect anomalies that other solutions might miss.

Related: 80,000 Credit Cards Hacked (Why Authentication Alone is Insufficient)

