"The fastest response time that I have seen. No latency. You can see a breach as it happens, with correlation and analysis. A must for any CIO"
— Scott Hastings, former CIO of DHS/ US Visit
 

Threat Detection

There's a lot of information being generated from a multitude of security devices, logs, applications, and services. Having that information available is important, but for efficient security operations, there needs to be a way to filter out the more important event information.

Correlation is only as good as the events used: Too few events, collected in too little detail, from too few sources will result in blind-spots — where serious threats go undetected.

Event Correlation

Correlation of events, to detect larger patterns that might indicate a threat, is a key resource in threat detection. For correlation to be effective, however, the right information needs to be analyzed. Some information is available in application logs, but an application monitor that produces events from application content provides much more visibility, and with it a much greater ability to detect malicious behavior patterns. Effective correlation requires:

  • As much source event data as possible, including:
    • Security event data
    • Network flow data
    • Application & protocol data
    • Database transaction & application session data
    • Vulnerability information
  • A comprehensive, easily tuned correlation taxonomy

How much detail do you need?

While security information sources seem simple at a high level, they can quickly add up to tens of thousands of events per second—especially when monitoring network flows, database transactions, and application content, all of which produce large amounts of data. Unless your SIEM can support high event collection rates while maintaining real-time correlation and analysis of that data, it will eventually fail.


"Zero-Day" Correlation

No taxonomy is perfect: new threats appear every day, and without warning. That's why any threat detection system needs to allow for the manual analysis of security information—and when an analyst spots something suspicious, it needs to allow for that suspicion to be investigated, in real time, and used to easily generate new correlation rules.

The concept is called "zero-day correlation," as it allows for the detection of new threats as they are discovered during the course of normal security operations. Zero-Day correlation requires:

  • The ability to detect suspicious or anomalous behavior with the SIEM.
  • The ability to quickly investigate, drill-in, and cross-reference suspicious events to determine the full extent of the new threat, so that a pattern can be determined.
  • The ability to easily create a new correlation rule, based on the newly discovered pattern.

Looking Back

The final aspect of threat detection involves recursive analysis to see if a newly defined threat might have occurred in the past. This is an essential capability to determine what systems are at risk, and to mitigate "low-and-slow" attacks. However, because of the nature of event correlation systems, this is a difficult task. To perform recursive checks against a history of collected event data, the system must:

  • Be capable of analyzing all collected data, historically, together at the same time.
  • Provide the performance necessary to perform these types of long, deep queries without disrupting normal security functions within the system.
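The three mechanisms described in the Event Correlation, "Zero-Day" Correlation and Looking Back sections (normalizing events from several sources into one form, correlating them per source address inside a time window, letting an analyst turn a pattern found during investigation into a new rule, and replaying that rule over everything already collected) can be illustrated with a small Python correlator. This is an added example, not NitroView code, and it makes no claim about how NitroView implements these features; the log lines, source names, field names, rule names and thresholds are all constructed for the illustration.

```python
"""Multi-source event correlation with a "look back" replay of a newly written rule.
Added illustration, not NitroView code; log lines, sources and field names are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed from firewall (fw), intrusion detection (ids) and authentication
# (auth) sources, in arrival order. Addresses are documentation ranges, not real hosts.
RAW_EVENTS = [
    "2024-05-01T10:00:01 fw  DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:02 fw  DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2024-05-01T10:00:03 fw  DENY src=203.0.113.7 dst=10.0.0.5 dport=445",
    "2024-05-01T10:00:40 ids ALERT sig=SSH-BRUTE src=203.0.113.7 dst=10.0.0.5",
    "2024-05-01T10:01:10 auth FAIL user=svc_backup src=203.0.113.7 host=10.0.0.5",
    "2024-05-01T10:01:20 auth FAIL user=svc_backup src=203.0.113.7 host=10.0.0.5",
    "2024-05-01T10:01:35 auth OK user=svc_backup src=203.0.113.7 host=10.0.0.5",
    "2024-05-01T10:30:00 auth OK user=alice src=10.0.0.9 host=10.0.0.5",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\w+)\s+(?P<action>\w+)\s*(?P<rest>.*)$")

def normalize(line):
    """Normalization: one flat dict per event, whatever the source, so rules share field names."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are dropped here; a real pipeline would count them
    event = {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"], "action": m["action"]}
    for k, v in re.findall(r"(\w+)=(\S+)", m["rest"]):
        event[k] = v
    return event

def is_(source, action):
    """Predicate factory used to express rule steps."""
    return lambda e: e["source"] == source and e["action"] == action

class Rule:
    """steps: (predicate, minimum count) pairs that must all be present within `window`
    for the same value of `key`; the last step is the trigger that fires the rule."""
    def __init__(self, name, key, steps, window):
        self.name, self.key, self.steps, self.window = name, key, steps, window

    def evaluate(self, history, event):
        if self.key not in event or not self.steps[-1][0](event):
            return None
        recent = [e for e in history if event["ts"] - e["ts"] <= self.window] + [event]
        for pred, need in self.steps:
            if sum(1 for e in recent if pred(e)) < need:
                return None
        # Evidence count lets an analyst drill from the alert back to the source events.
        return {"rule": self.name, "key": event[self.key],
                "ts": event["ts"].isoformat(), "evidence": len(recent)}

class Correlator:
    def __init__(self, rules):
        self.rules = list(rules)
        self.store = []                   # every normalized event, retained in full
        self.by_key = defaultdict(list)   # (field, value) -> events, for windowed lookups

    def ingest(self, event):
        """Real-time path: evaluate each rule against the new event, then retain it."""
        alerts = []
        for rule in self.rules:
            hit = rule.evaluate(self.by_key[(rule.key, event.get(rule.key))], event)
            if hit:
                alerts.append(hit)
        self.store.append(event)
        for k, v in event.items():
            if k != "ts":
                self.by_key[(k, v)].append(event)
        return alerts

    def replay(self, rule):
        """Look back: run a rule written after the fact over everything already collected."""
        history, hits = defaultdict(list), []
        for event in self.store:
            k = (rule.key, event.get(rule.key))
            hit = rule.evaluate(history[k], event)
            if hit:
                hits.append(hit)
            history[k].append(event)
        return hits

# Pre-built rule: repeated authentication failures followed by a success from one source.
FAILURES_THEN_SUCCESS = Rule("auth-failures-then-success", "src",
                             [(is_("auth", "FAIL"), 2), (is_("auth", "OK"), 1)],
                             timedelta(minutes=10))

def zero_day_example():
    """Run the feed live, then add an analyst-written rule and replay it over history."""
    corr = Correlator([FAILURES_THEN_SUCCESS])
    live = []
    for line in RAW_EVENTS:
        event = normalize(line)
        if event:
            live.extend(corr.ingest(event))
    # The analyst drills into the live alert, sees that blocked probes and an IDS alert from
    # the same source preceded the login, and writes that pattern down as a new rule.
    recon_then_access = Rule("recon-then-access", "src",
                             [(is_("fw", "DENY"), 3), (is_("ids", "ALERT"), 1), (is_("auth", "OK"), 1)],
                             timedelta(minutes=15))
    past = corr.replay(recon_then_access)
    return live, past
```

Both rules fire on the same 10:01:35 login, but only the replay finds the second pattern, because that rule did not exist while the events were arriving; the point of retaining every source event in full is that `replay` can reconstruct the window exactly as the live path saw it.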

Ease of Use

NitroView ESM provides concise, easy-to-use dashboards for at-a-glance indication of network health. At the same time, every dashboard component is interactive, allowing users to drill down into any item, when further investigation is needed. Other ease-of-use features include:

  • Dozens of pre-built rules and active dashboards tailored to the needs of network and security professionals
  • Custom rules, reports and views that can be created in minutes, with no SQL knowledge required
  • An easy-to-use graphical editor for the creation or modification of event correlation rules

Powerful Event Management capabilities

  • Event Normalization for stronger Correlation
    • Improved threat detection
  • Inclusion of network flow data for situational and locational context
    • Track attack vectors to mitigate further damage, or find the root cause of an attack
  • Inclusion of database and application information
    • Correlate log and event activity with data access and application use
  • Inclusion of log data for historical context
    • Proof of compliance with validated, auditable logs
    • Analyze historical data for forensic operations
  • Inclusion of identity data for user context
    • Associate events and suspect activities with device, accounts and users
    • Satisfy compliance requirements of PCI, SoX, HIPAA, and others
  • Inclusion of Vulnerability & Asset data
    • Use asset classifications for easier & more effective correlation

Manage years of historical data using NitroView's interactive interface, immediately seeing event and network data correlations, baselines and trends. In real time. No more "coffee cup queries" or "let it run overnight" reports.

Event Correlation: Evaluation Criteria

  • Database technology with in-memory performance—Our real-time data management engine allows all collected events to be correlated at speeds similar to those of in-memory technology.
  • Multi-Symptom, Multi-Source Correlation—NitroView is able to correlate data from a variety of sources, not just from IDS and IPS devices. Logs, events, and network flow information are collected from servers, hosts, routers, firewalls, IPS and IDS devices, and virtually any network device. All data is correlated, allowing for a broader range of detectable threats.
  • Correlation without Data Loss—Because NitroView is built on a highly scalable data management engine, both correlated threats and the source "symptoms" are maintained in full granular detail. Drill into any correlated threat to see the individual events, instantly. Because everything occurs in real time, there's no need to discard source detail, ever.
  • Total IS awareness (logs, events, flows, assets and identities)—Weighting event severity by assets and by identities improves the relevance of threat notifications. Because NitroView collects all types of data from multiple data sources, more fields are available for analysis, including identity information, which is critical to the long-term reporting requirements of regulatory compliance for HIPAA, SOX, PCI, FISMA, and others.
  • New and Adaptive Rules—Correlation rules are constantly being developed by NitroSecurity's Network Threat Analysis Center (NTAC), and are provided to all NitroSecurity customers via live signature updates. Rules can be easily customized to fine-tune them to your particular environment, and a custom rule builder allows you to quickly create new rules.
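The "Powerful Event Management capabilities" list and the "Total IS awareness" criterion above both rest on one idea: an alert is more or less urgent depending on which asset it touches, whether that asset is known to carry the weakness the signature targets, and whether the account involved is privileged. The following Python shows that weighting as an added example; it is not NitroView code and does not describe NitroView's scoring. The asset inventory, identity directory, alerts, weights and tier thresholds are constructed, and the exposure identifiers are placeholders rather than real vulnerability ids.

```python
"""Weighting alert severity by asset classification and identity context.
Added illustration, not NitroView code; inventory, identities, alerts and weights are constructed."""

# Constructed asset inventory. "exposures" holds placeholder weakness ids, not real CVEs.
ASSETS = {
    "10.0.0.5": {"name": "db-prod-01", "classification": "critical",
                 "exposures": {"EXPOSURE-SSH-001"}},
    "10.0.0.9": {"name": "dev-box-02", "classification": "standard", "exposures": set()},
}
# Constructed identity directory, as a SIEM might pull from a directory service.
IDENTITIES = {
    "svc_backup": {"role": "service", "privileged": True},
    "alice": {"role": "developer", "privileged": False},
}
CLASS_WEIGHT = {"critical": 3.0, "high": 2.0, "standard": 1.0}
UNKNOWN_ASSET_WEIGHT = 1.5   # an unknown host is an inventory gap, so do not down-rank it
PRIVILEGED_WEIGHT = 2.0      # privileged or service accounts raise the stakes of any event
EXPOSURE_MATCH_WEIGHT = 1.5  # the signature targets a weakness the asset is known to have

# Constructed alerts as they might leave the correlation stage; "base" is the signature's
# own severity and "exposure" the weakness the signature is associated with, if any.
SAMPLE_ALERTS = [
    {"sig": "SSH-BRUTE", "dst": "10.0.0.5", "user": "svc_backup", "base": 4,
     "exposure": "EXPOSURE-SSH-001"},
    {"sig": "PORT-SCAN", "dst": "10.0.0.9", "user": None, "base": 2},
    {"sig": "SSH-BRUTE", "dst": "10.0.0.77", "user": "alice", "base": 4,
     "exposure": "EXPOSURE-SSH-001"},
]

def enrich(alert):
    """Attach asset and identity context to an alert (returns a copy, input untouched)."""
    out = dict(alert)
    out["asset"] = ASSETS.get(alert.get("dst"))
    out["identity"] = IDENTITIES.get(alert.get("user"))
    return out

def weighted_severity(alert):
    """Return (score, factors): base severity scaled by asset class, identity and exposure."""
    a = enrich(alert)
    asset, ident = a["asset"], a["identity"]
    factors = {"base": float(a["base"])}
    factors["asset"] = (CLASS_WEIGHT.get(asset["classification"], 1.0)
                        if asset else UNKNOWN_ASSET_WEIGHT)
    factors["identity"] = PRIVILEGED_WEIGHT if ident and ident["privileged"] else 1.0
    exposed = bool(asset) and a.get("exposure") in asset["exposures"]
    factors["exposure"] = EXPOSURE_MATCH_WEIGHT if exposed else 1.0
    score = 1.0
    for value in factors.values():
        score *= value
    return score, factors

def tier(score):
    """Map a weighted score onto the queue the analyst works from (thresholds constructed)."""
    if score >= 24:
        return "P1"
    if score >= 6:
        return "P2"
    return "P3"

def triage(alerts):
    """Rank alerts for the analyst queue, highest weighted severity first, with the factors
    kept alongside so the ranking can be explained and tuned."""
    ranked = []
    for alert in alerts:
        score, factors = weighted_severity(alert)
        ranked.append({"sig": alert["sig"], "dst": alert.get("dst"), "score": score,
                       "tier": tier(score), "factors": factors})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)
```

Two SSH-BRUTE alerts with the same base severity end up in different tiers: the one against the critical, exposed database host under a service account ranks far above the one against an unknown host under an ordinary user, while the unknown host still outranks a scan of a standard box so that the inventory gap gets looked at rather than buried.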



