However, vendors in the information security space, especially those in the log management
and SIEM domains, are generally reluctant to expose their data to third-party applications and threat
intelligence tools. SIEM solutions have, of course, long offered provisions to import data
from varied sources, including threat intelligence solutions. But such integrations are fraught
with limitations. Without proper correlation and data processing, feeding
terabytes of data into the SIEM solution will not deliver the required protection.

Even when the SIEM solution proves to be powerful, with the capability of analyzing and
correlating big data from internal and external sources, most organizations cannot afford huge
investment in big data analytics.

SIEM and log management solutions such as ManageEngine’s EventLog Analyzer remove these
limitations by opening up their database for integration with any third-party application. The
solution’s API lets security administrators feed reams of normalized log data into any third-party
application, including crowd-sourced threat intelligence solutions, vulnerability assessment
platforms, business intelligence tools or even custom applications for advanced security
intelligence and threat protection.

The solution’s rich database can serve as the centralized warehouse of security-sensitive data,
and a Thrift IDL-based API enables administrators to pull the required data.

Security administrators can leverage this integration to bolster their security framework in such
use cases as:

Advanced threat mitigation – The normalized data from the SIEM software could be fed into
crowd-sourced advanced threat intelligence services, sandbox solutions or sophisticated
vulnerability assessment platforms. These tools can associate the SIEM solution’s security data
with the information they already possess and help mitigate emerging attacks, botnets, zero-day
threats, phishing attacks, malware attacks and APTs.

Location-based threat analysis – Integration with geolocation services could help enterprises
gain geographic context to any event. This, in turn, helps pinpoint the country of origin and
physical location of an application involved in an event. If the origin matches the countries
commonly associated with APTs, suspicious traffic could be isolated for deeper analysis.

Customized security views – Security managers could even create their own web applications
and dashboards by extracting the data critical to their needs.

Application performance tuning – Normalized data from the SIEM software could be fed into
modern business intelligence tools, which could help organizations understand the evolving
threat landscape, assess risks, and prepare mitigation strategies and an emergency response
plan in the event of attack. The data could also help drill down to overall application
performance issues and assess product usability and quality.


60 Cyber Warnings E-Magazine – July 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
