These past few weeks, I published several blogs pointing out problems with
static rule-based correlation, their current limitations, their high TCO,
etc.
Because these solutions have been sold for many years as the be all and end
all to security problems, it has created false expectations in the industry
and among clients.
But SIEM as a general discipline holds plenty of promises, so let's not throw
the baby with the bathwater.
Let's think of static rule-based correlation as the engine for the first
generation of Security Information and Event Management (SIEM).
Looking in my crystal ball, the future of SIEM is probably going to use lots
of "Business Intelligence"-like tools and methodologies, instantiated to
security issues.
These self-learning systems use mathematic modeling, statistical approaches
and data mining primitives to establish patterns of usage, and r... (more)
During these past few weeks, we have looked at several reasons why a static
rule based correlation is not the "SOC in a Box", end-all be all that many
thought it was.
Indeed what to think about a "solution" that:
Can only address a very limited set of attack scenarios Requires meticulous
consideration on how to map out the few selected attack scenarios Doesn't
guarantee you to catch attacks in progress even when one of the few selected
scenario is taking place Obliges you to think of minute details to slightly
reduce false positives Yields hundreds and thousands of basic correlat... (more)
APTs, Advanced Persistent Threats, are the anti-script-kiddies approach to
penetrating an environment. Can static rule-based correlation catch these?
APT Attackers Love Correlation Environments
You remember that "False Sense of Security," the feeling that you are secure,
but in fact you're not...?
Attackers know that an attack is a process, it is not an event. And they use
this - and they use time - to their advantage. They use time scales that
static rule-based correlation simply cannot cope with.
If you want to correlate disparate events, you need to keep state information
on th... (more)
We saw what typically happens when trying to use static rule-based log
correlation to perform real-time incident management... combinatory explosion
and lack of scalability. How do you automate non-deterministic attacks in a
few discrete steps???
Today, we'll look at more scenarios for which static rule-based log
correlation doesn't make sense.
Attack Scenario Example 2: Brute Force Attack
Let's look at another example scenario. Brute Force Attack.
- A user tries to log in to his account
- He fails many times in a row and then finally succeeds
- Then "probably" a successful Brute ... (more)
Rule-based log correlation is almost a good idea.
It sounds like a good idea, it appears to be a good idea and many people will
tell you it's a good idea, but in fact it is not.
Rule-based log correlation is very complex, limited in use and applicability,
and boasts a terrible ROI.
It will give you a false sense of security, which is a bad thing.
We'll look at the reasons why this is not a good idea, and some ways to
augment the use of logs to improve your security through pragmatic Risk
Management.
History of Logs
What is rule-based log correlation and how did it come about?
Ru... (more)
Gorka is a natural born entrepreneur with a deep understanding of Technology, IT Security and how these create value in the Marketplace.
He is today offering innovative European startups the opportunity to benefit from the Silicon Valley ecosystem accelerators.
Gorka spent the last 20 years initiating, building and growing businesses that provide technology solutions to the Industry. From General Manager Spain, Italy and Portugal for LogLogic, defining Next Generation Log Management and Security Forensics, to Director Unisys France, bringing Cloud Security service offerings to the market, from Director of Emerging Technologies at NetScreen, defining Next Generation Firewall, to Director of Performance Engineering at INS, removing WAN and Internet bottlenecks, Gorka has always been involved in innovative Technology and IT Security solutions, creating successful Business Units within established Groups and helping launch breakthrough startups such as KOLA Kids OnLine America, a social network for safe computing for children, SourceFire, a leading network security solution provider, or Ibixis, a boutique European business accelerator.
Scott Sellers
David M. Adler
Anthony Franco
Daniel Morris
Wayne Walls
Niki Acosta
Jereme Hancock
Oren Michels
Marvin Wheeler
Douglas Kim
Ken Guiberson
