Have you bought a static rule-based correlation engine and want to get the most
out of it, or are you planning to acquire and deploy one? There are some
simple steps you can take to maximize its effectiveness.
Ask Yourself If You Can Really Afford In-house Real-Time Incident Management
The main use case for correlation is real-time incident management, so you
need a 24x7x365 team of forensics experts to validate and follow up on alerts
- in real time.
There is no need for real-time correlation if you only run a 9-to-5 operation...
If an alarm goes off at 3 a.m., do you have the skilled staff to act on it? If
the answer is no, can you afford such a team? If you can't afford a 24x7
staff of experts, ask yourself whether correlation is really the most appropriate
effort for you.
In other words, is this the best way for you to go about buying security? Are
there better ways to spend your bud... (more)
The answer is Logs.
Logs are the only metadata that exists today that:
- is widely available
- is 100% collectable
- is 100% storable
- lets us run intelligent reports
- lets us understand the kinetic aspects of the data
For example, logs let us understand whether a piece of data has had several
versions and iterations and, for each iteration:
- who created, modified or deleted the data
- when the information was created, modified or deleted
- what device was used for the creation, modification or deletion
- whether that creation, modification or deletion was authorized
It even gives us some cont... (more)
First-party fraud involves fraudsters who apply for credit cards, loans,
overdrafts and unsecured banking credit lines with no intention of paying
them back. It is a serious problem for banking institutions. U.S. banks lose
tens of billions of dollars every year (1) to first-party fraud, which is
estimated to account for as much as one-quarter or more of total consumer credit
charge-offs in the United States (2). It is further estimated that 10%-20% of
unsecured bad debt at leading U.S. and European banks is misclassified and is
actually first-party fraud (3).
Contrary to third-part... (more)
Trust is the fundamental business enabler.
It is absolutely necessary for clients to trust their Cloud Providers.
Without trust, business relationships cannot exist. Without
trust, existing relationships cannot blossom.
Trust becomes an issue as soon as there are potential conflicts of
As a client, do you think it's unfair that your Cloud Provider is also the
entity generating reports on actual usage for Pay-per-Use billing
calculations? Do you think it represents a conflict of interest?
How about when your Cloud provider also generates reports on his level of
Rule-based log correlation is based on modeling attack scenarios
Back to the visibility aspect.
"By managing all your logs you get universal visibility in everything that is
happening in your IT infrastructure." Yes, this is a true statement.
But to claim that you can easily flag security attacks using rule-based
correlation is a major overstatement.
Rule-based correlation essentially automates the "If this is happening here"
and "That is happening there" then "We have a problem." More precisely, "If
this precise event is taking place at this particular time in this specific
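As an added illustration of the "if this is happening here and that is happening there, then we have a problem" logic described above (example code, not from the original post), here is a minimal rule-based correlation engine in Python. It models one attack scenario as a rule: several failed logins from one source followed by a successful login from that same source within a short time window. The log line format, the field names, the threshold and window values, and the sample events are all constructed for this example.

```python
"""Minimal rule-based correlation engine over constructed log events.

Added illustration, not code from the original post. One attack scenario is
modeled as a rule: >= fail_threshold LOGIN_FAIL events from a source,
followed by a LOGIN_OK from the same source inside the time window.
The log format, field names and sample events are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <event> src=<ip> user=<name>"
SAMPLE_LOGS = [
    "2023-01-01T03:00:01 LOGIN_FAIL src=10.0.0.7 user=alice",
    "2023-01-01T03:00:05 LOGIN_FAIL src=10.0.0.7 user=alice",
    "2023-01-01T03:00:09 LOGIN_FAIL src=10.0.0.7 user=alice",
    "2023-01-01T03:00:12 LOGIN_OK src=10.0.0.7 user=alice",     # matches the rule
    "2023-01-01T03:10:00 LOGIN_FAIL src=10.0.0.9 user=bob",
    "2023-01-01T03:30:00 LOGIN_OK src=10.0.0.9 user=bob",       # one failure, outside window
    "2023-01-01T04:00:00 LOGIN_OK src=10.0.0.11 user=carol",    # no modeled scenario: silent
]


def parse_event(line):
    """Split one constructed log line into a dict of its fields."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "event": event, **fields}


def correlate(lines, fail_threshold=3, window=timedelta(minutes=5)):
    """Apply the single modeled rule and return the resulting alerts.

    'This happening here'  = fail_threshold failures from one source
    'That happening there' = a success from the same source within `window`
    Anything the rule does not describe produces no alert at all.
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for ev in map(parse_event, lines):
        src = ev["src"]
        if ev["event"] == "LOGIN_FAIL":
            failures[src].append(ev["ts"])
        elif ev["event"] == "LOGIN_OK":
            recent = failures[src]
            # Discard failures that have aged out of the correlation window.
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= fail_threshold:
                alerts.append({
                    "src": src,
                    "user": ev["user"],
                    "ts": ev["ts"],
                    "failures": len(recent),
                })
                recent.clear()  # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(f"ALERT {alert['ts']}: {alert['failures']} failures then success "
              f"from {alert['src']} as {alert['user']}")
```

The example also makes the post's point concrete: the rule fires only for the scenario it encodes. The login from 10.0.0.11 with no preceding failures and the slow attempt from 10.0.0.9 both pass silently, not because they are benign but because no rule models them. Each new scenario you want flagged is another rule to write, tune and maintain.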