Centralizing alerting from multiple devices and speeding up incident response are just some of the critical issues solved by investing in SIEM technology (more on choosing the best SIEM for your environment HERE).
There are many SIEM vendors; however, I continue to be impressed by what Splunk is doing with the open source apps developed by customers and by Splunk engineering. I wrote a blog post HERE that showcases a Cisco management app that can correlate events from various security products such as Cisco ISE, WSA, firewalls, Sourcefire and so on. There isn’t a Cisco manager of managers, so tasks like running a report on high-level events across every security product for a particular IP address can only be accomplished with a SIEM solution.
Most security solutions leverage a combination of signature-based and behavior-based technology (more HERE). This worked in the past; however, today these solutions are not good enough, regardless of whether you layer multiple products that are built on similar scanning methods. There are many ways to bypass point security products, such as throttling behavior and masking the known fingerprint of the attack code. An example of a technique used to hide malware from popular anti-virus packages is the use of dynamic obfuscation software.
Here is a post from my friend Aamir Lakhani’s blog about RSA NetWitness. The original can be found at Cloud Centrics (http://www.cloudcentrics.com/). Really good post on NetWitness.
RSA NetWitness is a unique solution that captures, stores and analyzes network traffic. This gives you the ability to see exactly what comes into and goes out of the network in real time. In simple terms, RSA offers you a network CCTV. Not only that, NetWitness also lets you see the traffic in action, because it reconstructs the data that flows through the network into its original format according to its type or application. This helps you strengthen your security measures by taking appropriate action. On top of that, since all traffic is captured and stored, you are able to go back to a particular period of time and conduct historical data analysis. Nothing escapes undetected.
There isn’t a single “silver bullet” product that addresses continuous monitoring. There are too many factors to consider, which require multiple security elements to function as a single solution. A good approach to continuous monitoring is securing all threat vectors and having those solutions feed data to a central reporting engine. Once data is centralized, things like risk-level auditing and policy enforcement can take place. My team has developed a Continuous Monitoring Reference Architecture based on research into customer requirements and testing of various security products.
Research firms such as Gartner label SIEM technology a booming business. The average network administrator is afraid they don’t have visibility into network threats, which is probably true. SIEM solutions are a step in the right direction, but by no means a silver bullet for identifying all attacks. SIEM vendors are also NOT equal in capabilities. If a vendor claims their solution can do it all, including being your all-in-one continuous monitoring solution, thank them for the free lunch and walk away. This piece contains an overview of SIEM technology and what to consider while evaluating SIEM solutions.