I just returned from a weeklong trip to Europe, where I contributed my voice to the wildly successful series of RSA Security Summits. With near unanimity in London and Zurich the audience accepted our premise that as a result of the changing IT landscape – including cloud, mobile, big data, extended workforce, supply chains – and the realities of today’s sophisticated attackers, the approach to security in organizations needs to dramatically change. Furthermore, there was also general agreement that today’s preventive security systems, which are largely perimeter and signature-based, no longer provide sufficient defenses, and that to compensate organizations must improve their detective and response focused security controls. This quickly led to the practical and real challenge of how organizations can best make those improvements. How, in an environment of fixed security budgets, can organizations invest to create or significantly enhance their monitoring and response capabilities?
Security Information and Event Management (SIEM)
A great way to get value out of a SIEM, a log management platform, or even a syslog server you can query is to spend the time to document use cases for monitoring. For simplicity I’m going to say SIEM here but I do mean all of those other options too. Monitoring use cases should not be specific to your SIEM but should be specific to the data you have (and, to a lesser extent, data you want to have) and the types of events your organization wants to detect. It’s never too late to define and implement good use cases but it is simpler to do when you’re first setting up a SIEM.
A common issue seen in many of our Advanced Cyber Defense (ACD) engagements is customers who have reasonably mature monitoring and incident response procedures but are inefficient at putting context around the artifacts of an incident.
When it comes to defending our networks we have to be right 100% of the time but a cybercriminal has to be right just once. We must shift this balance if we are ever going to be in a position to truly protect and defend our networks. In fact, defence is probably no longer appropriate [...]
Every year we seem to have a new buzz term in security. As someone who lives in the security product marketing world I’ve seen trends come and go. Terminology that was once mandatory in every piece of collateral suddenly becomes stale and cringe-worthy (APT is becoming one of these). We’ve had a bunch of buzzwords and phrases; some were pretty good and some were really terrible. I should know; I helped propagate some of these buzzwords.
For years risk management types have been preaching the gospel of establishing CMDBs and promoting asset criticality matrices. If you’ve done this and maintain it regularly, you’re ahead of the game. If your organization has not endeavored toward doing so, you may wish to reconsider that point as we progress through this blog. Understanding your organizational asset inventory is of paramount importance to all information security professionals, especially those tasked with monitoring the enterprise in reactive and proactive scenarios.
The NetWitness team at RSA is proud to announce the launch of our brand new NetWitness User Community. The Community is a central location where our users can interact with the people behind the product, other users in the community and industry experts.
In the case of security, organizations need to understand where the risks are, where the infections have landed, where the attacks are in process, and what they should do about them, fast. This has led security organizations directly into the challenge/opportunity of Big Data, now.
It is well known that if you want someone or something to change, you just apply pressure over a period of time. This is true for organizations, people, and even earthly matter, such as carbon (diamonds) and formerly living plants (hydrocarbons). Markets also transform when under pressure. I believe this is precisely what is happening to the SIEM market right now.
I recently had the pleasure of attending the annual EMC World user conference in Las Vegas, NV. And it was, in my opinion, immensely informative, not just for me but for EMC, RSA and all of its partners and customers. The sessions and Solutions Pavilion were lively and engaging, the keynotes had the production value worthy of most Hollywood movies and the topics were relevant for today’s IT and security managers.