Originally published in the July 2014 SNS Journal (ePO Edition)

Let's face facts: In today's threat environment, attackers aren't stopped by traditional perimeter and signature-based defenses. Many security professionals now readily admit the possibility of a security breach is just a matter of when, not if.

This realization, as well as recent reports of long-term stealth breaches in well-known companies, is driving a different question: "Have we already been breached and just don't know it?"

It's possible. But either way, enterprise security goals should be reevaluated. Because cybercriminals have proven that enterprise perimeters are penetrable, and because security professionals more readily admit the possibility of undetected breaches, it's critical to embrace detection as a central cybersecurity strategy — exposing threats early to minimize damage.

SIEM Next-Generation Detection

Detection is nothing without actionable intelligence, and that's where Security Information and Event Management (SIEM) systems come into play. SIEMs were originally designed as a central place to gather and store security data (log and event information) to streamline incident investigation and compliance reporting. With the advent of advanced evasion techniques (AETs) and advanced persistent threats (APTs) (see "Under the Radar: AETs Sneaking in APTs", April SNS Journal, ePO Edition), traditional SIEM solutions have shown information and device limitations, assessment gaps and blind spots.

Next-generation SIEM solutions can deliver pervasive situational awareness and faster response times by integrating these four capabilities.

  • Big Data Scalability. The latest SIEMs have the speed, extensibility, and scalability to enable better and faster threat detection and response. Designed for big data speed and volume requirements, these solutions are able to expand data capture with more feeds from more sources; process larger, more dynamic, and more diverse data sets at high event rates; and store billions of events, logs, and flows for real-time and historical data analysis.
  • Dynamic Context. The security professional's objective is to focus monitoring efforts on valuable assets with the highest risk. Advanced SIEM systems filter out irrelevant noise while zeroing in on threat risks that matter most. Global threat intelligence feeds real-time threat data into the correlation engine while extensible dynamic watch lists store context information and continually categorize external and internal systems based on risk and past behavior.
  • Advanced Analytics. SIEM makes immediate analysis and intelligent prioritization easy, reducing incident identification and response times. With access to all data, searches can be widened across longer periods of time, or focused on a particular moment, with all event details preserved according to forensic best practices. Integration of SIEM with other security solutions enhances its predictive capabilities even further. For example, by pulling in vulnerability data, SIEM can map asset vulnerabilities against confidentiality, integrity, and availability factors, as defined by company policies.
  • Ease of Use. Next-generation SIEM systems provide flexible hybrid delivery options. Centralized management offers improved accessibility through a central web user interface (UI) that allows multiple IT teams to see the big picture. It becomes easier for IT to correlate data, gauge risk, or drive an instant, automatic remediation, such as issuing new configurations and deploying software updates. Integrated tools are included for configuration, change, and case management, while compliance is simplified with built-in dashboards, complete audit trails and reports.
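As an added illustration (not McAfee's code or any product's scoring logic), the following Python prioritiser shows how the Dynamic Context and Advanced Analytics points above fit together: policy-defined CIA weights per asset, scanner vulnerability data, a threat-intelligence feed and a dynamic watch list combine into one priority score, and a noise floor drops events that carry no risk context. All addresses, asset names and vulnerability ids are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    cia: tuple                               # (C, I, A) weights 1..5, set by company policy
    vulns: set = field(default_factory=set)  # open vulnerability ids from the scanner feed

# Constructed context tables: documentation-range addresses, placeholder vuln ids.
ASSETS = {
    "10.0.0.5": Asset("hr-db", (5, 4, 3), {"VULN-A"}),
    "10.0.0.9": Asset("kiosk", (1, 1, 2)),
}
THREAT_INTEL = {"203.0.113.7"}   # sources flagged by the global intelligence feed
NOISE_FLOOR = 0.5                # events scoring below this are dropped as noise

def cia_weight(asset):
    """Normalise the policy-defined CIA rating to the range 0..1."""
    return sum(asset.cia) / 15.0

def build_watchlist(events):
    """Dynamic watch list: count suspicious events per source over the window."""
    counts = {}
    for ev in events:
        if ev["src"] in THREAT_INTEL or ev.get("vuln"):
            counts[ev["src"]] = counts.get(ev["src"], 0) + 1
    return counts

def score_event(ev, watchlist):
    """Combine asset value, vulnerability match, intel hit and watch-list history."""
    asset = ASSETS.get(ev["dst"])
    if asset is None:                    # no context for the target: nothing to weigh
        return 0.0
    score = cia_weight(asset)
    if ev.get("vuln") in asset.vulns:    # attempt against a vuln actually open on this asset
        score += 3.0
    if ev["src"] in THREAT_INTEL:        # source known to the intelligence feed
        score += 2.0
    if watchlist.get(ev["src"], 0) > 1:  # repeat offender within the window
        score += 1.0
    return round(score, 2)

def prioritise(events):
    """Return (score, event) pairs above the noise floor, highest risk first."""
    wl = build_watchlist(events)
    scored = [(score_event(ev, wl), ev) for ev in events]
    return sorted([p for p in scored if p[0] >= NOISE_FLOOR], key=lambda p: p[0], reverse=True)

EVENTS = [  # constructed sample events: source, destination, optional matched vuln signature
    {"src": "203.0.113.7", "dst": "10.0.0.5", "vuln": "VULN-A"},
    {"src": "192.0.2.4", "dst": "10.0.0.9", "vuln": "VULN-A"},
    {"src": "203.0.113.7", "dst": "10.0.0.9"},
    {"src": "192.0.2.8", "dst": "10.0.0.77"},
]
```

Running `prioritise(EVENTS)` keeps only the two events that touch a known asset from an intel-listed source, with the attempt against the open vulnerability on the high-value database ranked first.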

As part of a larger, security connected framework, a SIEM solution enables better threat detection and response. It plays an important role in making security more strategic and valuable to the business by enabling better decision making and faster, more effective threat response and mitigation.

To learn more about McAfee SIEM solutions go to www.mcafee.com/SIEM.