SIEM: Moving Beyond Compliance

Dr. Anton Chuvakin recently wrote a white paper for RSA entitled, SIEM: Moving Beyond Compliance. While I am no fan of RSA’s Envision product (Cymbel partners with AccelOps), the white paper is quite good. As its title says, it discusses “use cases” for SIEM beyond the basic compliance requirements that drive a lot of SIEM projects. Here is the list with my comments:

  • Server user activity monitoring – It’s not always possible to collect the logs from all servers. Sometimes a network-based product like PacketMotion is needed to complement log collection.
  • Tracking user actions across disparate systems – Same comments as above.
  • Comprehensive firewall monitoring – Key capability needed by the SIEM is Active Directory integration for mapping IP addresses to users and generating reports by AD groups.
  • Malware protection – I think this would be better termed “Malware behavior detection” since a SIEM cannot actually detect malware itself as an Intrusion Protection/Detection System would. Ideally, the SIEM should provide a behavior anomaly detection capability.
  • Web server attack detection – A SIEM can provide “detection” capabilities to complement the “protection” capabilities of a Web Application Firewall (Cymbel partners with Barracuda) whose logs also ought to be captured and correlated.
  • Incident response enablement – In addition to SIEM, Cymbel recommends a Full Packet Capture product be deployed. Cymbel partners with Solera Networks.

Anton closes with the three “worst practices” he has seen. Based on my six years of SIEM experience, I agree:

  • Storing logs for too short a time
  • Trying to prioritize logs and store “just what’s important”
  • Trying to use advanced SIEM features before establishing success with basic log collection and reporting

Advanced Persistent Threats and Ponemon

Last week the Ponemon Institute announced the results of a survey they did,funded by Netwitness, entitled Growing Risk of Advanced Threats: Study of IT Practitioners in the United States.

I agree with the concerns expressed by Richard Bejtlich in his blog post, Ponemon Institute Misses the Mark, regarding the use of the term “advanced threat” and “Advanced Persistent Threat” (APT). In reality the Ponemon research used the term “advanced threat” to include almost anything including APT. I agree with Richard that Ponemon seems to be creating confusion rather than clarity.

I certainly have no argument with the value of a full packet capture product in the investigation of APTs. Full disclosure, Cymbel is a partner with a competitive full packet capture product manufacturer, Solera Networks. However, I am sensitive to marketing FUD, to which unfortunately our industry is prone. I wrote about the meaning of Advanced Persistent Threats in my personal blog last February. It’s bad enough without conflating it with other serious security threats. Here is the final paragraph of that post:

In summary then, APTs do represent techniques that are more difficult to detect because the adversary, when faced with an above average defense, does not move on to a weaker target. The adversary is persistent and will escalate tactics. Second, the focus is on stealing intellectual property rather than money to advance the adversary’s strategic technical, economic, political, and military goals.