Cyber-attacks are compounding in number and complexity every day. Securing your cyberspace will often require finding a needle in a haystack: that is, identifying the dangerous unauthorized accesses among many legitimate ones, the intrusion attempts hidden in unusual user behavior, and so on. To borrow from a euphemism of a certain chief of operations, “we need a differential magnetometer here!”
Businesses always have sensitive information that must be kept safe, whether from attempted industrial espionage, from attempts to hinder and delay operations, or from the acquisition of personal information that can place individuals in personal danger. This necessitates an approach that covers all aspects of keeping that information safe.
It’s all in the analysis
In a previous article in this series of presentations, we discussed the first part of SIEM, security information management (SIM), and how, even though on its own it is not really helpful, it is an integral part of this process: it gathers the information, creates the platform and the database to put it in, and, with proper configuration and updating, provides the basis upon which the actual security will be built.
The data collected by SIM is the haystack. Some of it is simply unusable and inconsequential. Some of it may indicate incidents of concern that turn out to be attributable to normal operations and to common errors made by the administrators and employees of a company. And some of it may be an intentional distraction, meant to divert attention from a real threat.
Sorting through this data is where analysis is needed. Creativity, security intelligence, and most importantly a human intellect go into analyzing this steady stream of data to detect threats.
How it works
First of all, a business needs a mix of the right tools, the right personnel, and a clear definition of the policies and procedures to be followed. Qualified security analysts are needed to create the algorithms that automate the collection of data and the generation of alerts. Afterwards they will need to take charge of the actions needed to resolve any and all incidents.
These algorithms must expand the use cases of the SIM process and implement the right rules to correlate the events, so that the events become coherent and enable detection of real threats. The same algorithms will also be the ones discarding the aforementioned inoperative information and prioritizing the remaining data to deliver actionable results.
To begin with, event management requires some context for the information being processed before alerts can be raised. That context must then be fed with real-time intelligence: all recent updates on existing threats and up-to-date monitoring rules must be included in this process.
Refinement of the information
The data analysis begins by taking advantage of the processing already performed by devices like routers, IPS systems, and firewalls. These discard a lot of the inoperative information on their own (if they are properly configured). Building on this, the correct network behavioral analysis, detection, and database activity monitoring (and consequently data loss prevention) algorithms can be formed.
The remaining data is still in need of refinement, which is done by removing false positives and prioritizing the remaining security events. Incidents that must be dealt with urgently are rated above those that require further monitoring to verify that a real threat is hidden behind them.
Through such algorithms, it is possible to handle threats automatically without human intervention. But in some cases, even flags that have all the indications of a real security threat may be the result of a simple human error by an administrator or an employee who is not well trained in the security policies and procedures in place. Human intervention is needed in such cases.
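As an added illustration, not taken from the original article, the following Python sketch shows the correlation, suppression and prioritization steps described above on a constructed list of login events; the suppression list and the rule thresholds are hypothetical values chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, standing in for what the SIM layer collected.
EVENTS = [
    {"ts": "2024-01-05T08:00:01", "src": "10.0.0.5", "user": "alice", "type": "login_failed"},
    {"ts": "2024-01-05T08:00:04", "src": "10.0.0.5", "user": "alice", "type": "login_failed"},
    {"ts": "2024-01-05T08:00:07", "src": "10.0.0.5", "user": "alice", "type": "login_failed"},
    {"ts": "2024-01-05T08:00:09", "src": "10.0.0.5", "user": "alice", "type": "login_ok"},
    {"ts": "2024-01-05T08:10:00", "src": "10.0.0.9", "user": "bob", "type": "login_failed"},
    {"ts": "2024-01-05T08:12:00", "src": "10.0.0.9", "user": "bob", "type": "login_ok"},
    {"ts": "2024-01-05T08:20:00", "src": "10.0.0.50", "user": "scanner", "type": "login_failed"},
    {"ts": "2024-01-05T08:20:01", "src": "10.0.0.50", "user": "scanner", "type": "login_failed"},
    {"ts": "2024-01-05T08:20:02", "src": "10.0.0.50", "user": "scanner", "type": "login_failed"},
    {"ts": "2024-01-05T08:20:03", "src": "10.0.0.50", "user": "scanner", "type": "login_ok"},
]

# Hypothetical suppression list: the address of an authorized vulnerability scanner
# whose login noise is expected and therefore "inoperative" information.
SUPPRESSED_SOURCES = {"10.0.0.50"}
WINDOW = timedelta(minutes=5)   # correlation window for failures preceding a success
FAIL_THRESHOLD = 3              # failures within the window that make the pattern high priority


def correlate(events, suppressed=SUPPRESSED_SOURCES):
    """Correlate failures with a later success per (source, user); return alerts, highest priority first."""
    recent_fails = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] in suppressed:
            continue  # discard expected noise before it reaches the analyst
        key = (ev["src"], ev["user"])
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "login_failed":
            recent_fails[key] = [t for t in recent_fails[key] if ts - t <= WINDOW] + [ts]
            continue
        if ev["type"] == "login_ok":
            fails = [t for t in recent_fails[key] if ts - t <= WINDOW]
            if len(fails) >= FAIL_THRESHOLD:
                # Repeated failures followed by success: rate for immediate handling.
                alerts.append({"priority": 90, "rule": "brute_force_then_success", **key_fields(ev)})
            elif fails:
                # A single failure then success is usually a typo: rate for monitoring only.
                alerts.append({"priority": 20, "rule": "failed_then_success", **key_fields(ev)})
            recent_fails.pop(key, None)
    return sorted(alerts, key=lambda a: -a["priority"])


def key_fields(ev):
    return {"src": ev["src"], "user": ev["user"], "ts": ev["ts"]}
```

Running `correlate(EVENTS)` yields the high-priority alert for alice's source first and the low-priority one for bob second, while the scanner's identical pattern never becomes an alert; passing `suppressed=set()` shows the same pattern surfacing a third alert, which is the analyst's cue that the suppression list is doing real work.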
What is left must be the real threat
The entire point of security event management is to determine the actual threats to the resources that a business wants to keep safe. To do that, the people handling the assessment process must be creative enough to create the algorithms that can be plugged into the SIEM so that timely alerts are generated.
But sounding the alert is not only a matter of making sense of the information. It is also a matter of building a security score, based on the rules of engagement, that provides the appropriate warnings when certain limits are exceeded. How this security score is built is an entirely different concept, which will be discussed in the third and last piece of this series.
About the Author
Over the last thirty years Tom has held various senior IT executive positions, successfully leading the design, development, implementation, and support of technology-based products and managed security programs. Tom is currently the Vice President for US Enterprise Security at Paladion Networks.