To fight cyber attacks today, the threat landscape demands a different approach. Reporting and logging of events are good for generating compliance reports, but mitigating threats in real time needs systems that go beyond that. At NETMONASTERY we have had to rescue a large number of failed deployments where customers expected their log analytics tools to deliver serious threat defence. In this blog we probe the "must haves" that turn a log management system into an accurate threat detection and management engine.
Storing event logs and reporting on them through a dashboard and search interface can hardly be called threat management. Log management and threat analytics tools lack the correlation capability needed to separate real threats from false positives. Security Event Management (SEM) systems have event collection, indexing, storage, classification and reporting capabilities, but they do not correlate events from the disparate sources (firewall, authentication, proxy, endpoint) that together reveal an attack. A well-configured correlation engine is a must have for any form of real-time threat management, and the lack of one is where customer expectations get hurt most.
Those who deploy SEMs have to rely heavily on highly skilled operations staff to achieve quality threat detection. But, as the world has already witnessed in cases like Target, manual monitoring and threat detection can fail miserably. Target's security infrastructure had flagged to the security team in Minneapolis the route the attackers took into its systems, but the operations staff failed to analyse the escalation and mitigate the risk in time.
In the case of SEMs, the user searches for relevant conditions, identifies threats and builds scenarios to identify events of interest (EOIs). The first challenge for an enterprise is to staff its operations team with people skilled enough to detect attack symptoms (EOIs) using a mere search interface. The second (and impossible) challenge is to ensure the team stays alert and executes the threat identification process with a high level of consistency, around the clock. Depending on human consistency to pick threats out of the noise is clearly a bad solution.
Security Information and Event Management (SIEM) systems are a better solution than traditional log management tools and SEMs for threat detection. The inclusion of a correlation engine is the main difference in capability: a correlation engine (if configured correctly) can pick EOIs out of the flood of events. Automated processing of data and application of rules makes the process consistent and far less dependent on human attention. An effective SIEM also integrates threat intelligence feeds that track attack trends; this visibility lets defence and detection stay dynamic and sensitive to what is happening in the outside world.
Watch lists shared across the network, saved queries and correlation engines give SIEMs the upper hand in threat analytics. SEMs need managers as well as a skilled operations team for accurate attack detection. SIEMs, on the other hand, need only experienced management, as attack detection is largely automated.
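To make "correlation across disparate sources" and "watch lists" concrete, here is a small Python sketch added for this post. It is not NETMONASTERY code and does not describe how CNAM works internally; the log format, the rule thresholds (three failures in 60 seconds), the watch-list address and the sample events are all constructed for the illustration. It ingests firewall, SSH and proxy events, normalises them, and applies two rules: a threat-intel watch-list match on any address field, and "several failed logins followed by a success from the same source", which no single-log search surfaces on its own.

```python
"""Added example: a minimal correlation engine over constructed events.

Rule 1 (watch list): any event whose src/dst/host is on the intel list.
Rule 2 (brute force then success): >= FAIL_THRESHOLD failed SSH logins from
one source within WINDOW_SECONDS, followed by a successful login from it.
"""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60   # assumed correlation window for rule 2
FAIL_THRESHOLD = 3    # assumed number of failures that makes a success suspicious

# Constructed threat-intel watch list (hypothetical TEST-NET address).
WATCH_LIST = {"198.51.100.77"}

# Constructed sample events in an assumed "ts source action k=v ..." format.
SAMPLE_LOGS = [
    "2016-03-01T10:00:01Z fw ALLOW src=203.0.113.5 dst=10.0.0.7 dport=22",
    "2016-03-01T10:00:02Z ssh FAIL user=root src=203.0.113.5",
    "2016-03-01T10:00:05Z ssh FAIL user=admin src=203.0.113.5",
    "2016-03-01T10:00:09Z ssh FAIL user=backup src=203.0.113.5",
    "2016-03-01T10:00:20Z ssh OK user=backup src=203.0.113.5",
    "2016-03-01T10:00:30Z ssh FAIL user=alice src=198.51.100.9",
    "2016-03-01T10:00:31Z ssh OK user=alice src=198.51.100.9",
    "2016-03-01T10:05:00Z proxy GET src=10.0.0.7 host=198.51.100.77 status=200",
    "2016-03-01T10:09:00Z ssh FAIL user=root src=192.0.2.44",
    "2016-03-01T10:09:01Z ssh FAIL user=root src=192.0.2.44",
    "2016-03-01T10:09:02Z ssh FAIL user=root src=192.0.2.44",
]


def parse_event(line):
    """Normalise one line into a dict with ts, source, action and k=v fields."""
    ts, source, action, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
             "source": source, "action": action}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


class CorrelationEngine:
    def __init__(self, watch_list, window=WINDOW_SECONDS, threshold=FAIL_THRESHOLD):
        self.watch_list = watch_list
        self.window = window
        self.threshold = threshold
        self.failures = defaultdict(deque)   # src ip -> timestamps of failed logins
        self.alerts = []                     # (rule, ip, timestamp) tuples

    def feed(self, ev):
        self._rule_watch_list(ev)
        self._rule_bruteforce_then_success(ev)

    def _rule_watch_list(self, ev):
        # Rule 1: fires whichever source logged the address, in any direction.
        for key in ("src", "dst", "host"):
            if ev.get(key) in self.watch_list:
                self.alerts.append(("WATCHLIST_HIT", ev[key], ev["ts"]))

    def _rule_bruteforce_then_success(self, ev):
        # Rule 2: stateful; a single search over the SSH log cannot express it.
        if ev["source"] != "ssh":
            return
        queue = self.failures[ev["src"]]
        # Expire failures that fell outside the window.
        while queue and (ev["ts"] - queue[0]).total_seconds() > self.window:
            queue.popleft()
        if ev["action"] == "FAIL":
            queue.append(ev["ts"])
        elif ev["action"] == "OK" and len(queue) >= self.threshold:
            self.alerts.append(("BRUTEFORCE_SUCCESS", ev["src"], ev["ts"]))
            queue.clear()


def run(lines, watch_list=WATCH_LIST):
    """Feed every line through the engine and return the alerts it raised."""
    engine = CorrelationEngine(watch_list)
    for line in lines:
        engine.feed(parse_event(line))
    return engine.alerts


if __name__ == "__main__":
    for rule, ip, ts in run(SAMPLE_LOGS):
        print(f"{ts.isoformat()} {rule} {ip}")
```

On the sample above the engine raises exactly two alerts: the internal host 10.0.0.7 talking to the watch-listed address via the proxy, and 203.0.113.5 logging in after three failures. The three failures from 192.0.2.44 never produce an alert because no success follows them, which is the point of stating the rule as a sequence rather than a count.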
A major motivation for organisations to choose SEMs over SIEMs is perceived cost. The important question you must ask yourself is: are you looking at all the costs when you choose a SEM? Upfront cost is not a level playing field for comparing systems that are technologically different. A SEM may be cheaper than a traditional SIEM, but it brings the requirement of hiring a highly skilled workforce, which usually doubles the cost structure. Additionally, SEMs rely on humans, who are bound to make mistakes, and that results in large losses far too often.
There are SIEM services in the market, such as NETMONASTERY's CNAM, which use the SaaS model to get past this cost barrier. These SaaS services bring the best security modules to organisations across the spectrum at affordable cost.
The focus should be on decreasing human dependency while simplifying the detection process for end users. To successfully mitigate heterogeneous threat vectors, complete automation of threat analytics should be the aim.
© 2015-2016 All Rights Reserved. NETMONASTERY™ and CNAM™ are registered trademarks of NETMONASTERY NSPL.