You also can't be sure that your SIEM is capturing all the interesting information within your
network. Disabling monitoring and logging software is often one of the first steps intruders take
once they've gained access. There's just no way to know for sure that your internal logs are
capturing every interesting event in your network.
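One way to reduce the uncertainty described above is to check the SIEM's own inputs: if a host that is expected to log goes quiet, that silence is itself an event worth alerting on. The following is an added example, not code from the article; it assumes syslog-style lines of the form "timestamp host message" and an inventory of hosts that should be reporting. All hosts, timestamps and messages are constructed sample data.

```python
"""Flag log sources that have stopped reporting to the SIEM.

Added example, not from the article. Assumes syslog-like lines of the form
"<ISO timestamp> <host> <message>" and an inventory of hosts expected to log;
all hosts, timestamps and messages below are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample lines: web01 goes quiet after 09:05, vpn01 never reports.
SAMPLE_LOGS = [
    "2015-05-01T09:00:00 web01 sshd[1001]: Accepted publickey for deploy from 10.0.0.20",
    "2015-05-01T09:05:00 web01 systemd: Stopping System Logging Service...",
    "2015-05-01T09:10:00 db01 mysqld: ready for connections",
    "2015-05-01T09:40:00 db01 CRON[2204]: (root) CMD (run-parts /etc/cron.hourly)",
    "2015-05-01T09:45:00 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5",
]

# Constructed inventory of hosts that are expected to send logs.
EXPECTED_SOURCES = {"web01", "db01", "fw01", "vpn01"}


def parse_line(line):
    """Split one log line into (timestamp, host, message)."""
    ts, host, message = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, message


def last_seen(lines):
    """Return the most recent timestamp observed for each host."""
    seen = {}
    for line in lines:
        ts, host, _ = parse_line(line)
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_sources(lines, expected, now, max_gap):
    """List expected hosts that are silent: never seen (gap None) or quiet
    for longer than max_gap (gap in minutes). Never-seen hosts sort first,
    then the longest gaps."""
    seen = last_seen(lines)
    silent = []
    for host in sorted(expected):
        if host not in seen:
            silent.append((host, None))
            continue
        gap = now - seen[host]
        if gap > max_gap:
            silent.append((host, gap.total_seconds() / 60))
    silent.sort(key=lambda item: (item[1] is not None, -(item[1] or 0)))
    return silent


if __name__ == "__main__":
    now = datetime(2015, 5, 1, 10, 0, 0)
    for host, gap in silent_sources(SAMPLE_LOGS, EXPECTED_SOURCES, now, timedelta(minutes=30)):
        print(f"{host}: {'never reported' if gap is None else f'silent for {gap:.0f} minutes'}")
```

The inventory of expected sources is the important part: without it, a host that simply stops appearing in the SIEM is invisible, which is exactly the gap the paragraph above describes. The acceptable gap should be tuned per source class, since a firewall logs continuously while a batch server may legitimately be quiet for hours.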
SIEMs are reactive, not proactive
By definition, SIEMs capture data about events that have already occurred. It's important to
know about them to prevent them from recurring and to mitigate damage, but it's far more
important to know about upcoming threats in order to prevent them from impacting your
business.
Even while a SIEM captures historic data, it doesn't necessarily retain that data for a significant
time — logs are often kept for only a short window. Since sophisticated attacks can extend
across a long period, throwing out data after such a short time eliminates the possibility of
identifying ongoing bad behavior in the network.
In addition, a SIEM can only provide information about the network you already have. But
network engineering is an ongoing process. Ideally, your network design changes are reviewed for
security concerns before they are implemented, but a SIEM won't tell you in advance if a change
introduces a vulnerability.
SIEMs Provide Descriptive Data
SIEMs describe events that occurred on the network, but they don't assess the impact to your
business or inform you how to respond to an attack. As a result, you can't be sure you are
focused on the important issues or have addressed all their impacts. Unfortunately, this missing
output is really the key information you need to get value from your information security process.
Three Steps to Move Beyond the SIEM and Achieve a Complete Security Solution
There are three steps to achieving security against advanced persistent threats, in addition to
implementing a SIEM.
First, both internal and external data should be captured and analyzed comprehensively and
collectively. It's important to be able to integrate SIEM data with other threat intelligence feeds,
such as iSight Partners Threatscape or Symantec DeepSight, in order to obtain a full picture of
current threats. A thorough threat analytics process can correlate these disparate data sources
so effectively that specific IP addresses that have been compromised can be identified.
This allows infosec leaders to quickly see where to place resources with maximum efficiency
from a cost and time standpoint based on the reality of the present threats.
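The correlation step described above can be shown concretely: match the SIEM's connection events against an external indicator list and rank internal hosts by how often, and with how much confidence, they talked to known-bad infrastructure. The following is an added example, not code from the article or from any of the vendor feeds it names; it assumes the SIEM exports key=value connection records and that the intelligence feed is a simple CSV of indicator, type, confidence and source. All addresses, domains and feed entries are constructed placeholders.

```python
"""Correlate SIEM connection events with a threat-intelligence indicator list.

Added example, not code from the article or from any vendor feed it names.
Assumes key=value connection logs exported from the SIEM and a CSV feed of
indicator,type,confidence,source; all data below is constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed placeholder feed: IPs, CIDR ranges and domains with a 0-100 confidence.
INDICATOR_FEED = """\
# indicator,type,confidence,source
203.0.113.0/24,cidr,60,example-feed-a
198.51.100.7,ip,90,example-feed-b
malware-c2.example,domain,95,example-feed-b
"""

# Constructed SIEM export: one outbound connection per line.
CONNECTION_LOGS = [
    "ts=2015-05-01T09:01:00 src=10.0.0.5 dst=198.51.100.7 dport=443 action=allow",
    "ts=2015-05-01T09:02:00 src=10.0.0.9 dst=93.184.216.34 dport=80 action=allow host=www.example.com",
    "ts=2015-05-01T09:03:00 src=10.0.0.5 dst=203.0.113.44 dport=8080 action=allow",
    "ts=2015-05-01T09:04:00 src=10.0.0.12 dst=192.0.2.10 dport=443 action=allow host=malware-c2.example",
    "ts=2015-05-01T09:05:00 src=10.0.0.9 dst=203.0.113.200 dport=22 action=deny",
]


def parse_indicators(text):
    """Turn feed text into matchable indicators; IPs and CIDRs become network objects."""
    indicators = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        value, kind, confidence, source = line.split(",")
        entry = {"value": value, "kind": kind, "confidence": int(confidence), "source": source}
        if kind in ("ip", "cidr"):
            entry["network"] = ipaddress.ip_network(value, strict=False)
        indicators.append(entry)
    return indicators


def parse_event(line):
    """Parse one key=value connection record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def match_event(event, indicators):
    """Return the indicators that the event's destination IP or hostname matches.
    Denied connections are matched too: an attempt to reach known-bad
    infrastructure is a signal even when the firewall blocked it."""
    hits = []
    dst_ip = ipaddress.ip_address(event["dst"]) if "dst" in event else None
    host = event.get("host", "").lower()
    for ind in indicators:
        if "network" in ind and dst_ip is not None and dst_ip in ind["network"]:
            hits.append(ind)
        elif ind["kind"] == "domain" and host and (
            host == ind["value"] or host.endswith("." + ind["value"])
        ):
            hits.append(ind)
    return hits


def correlate(logs, feed_text):
    """Summarise, per internal source host, how many connections matched and
    the highest-confidence indicator involved."""
    indicators = parse_indicators(feed_text)
    summary = defaultdict(lambda: {"hits": 0, "max_confidence": 0, "indicators": set()})
    for line in logs:
        event = parse_event(line)
        for ind in match_event(event, indicators):
            s = summary[event["src"]]
            s["hits"] += 1
            s["max_confidence"] = max(s["max_confidence"], ind["confidence"])
            s["indicators"].add(ind["value"])
    return dict(summary)


def ranked_hosts(logs, feed_text):
    """Rank hosts by (max confidence, hit count), most suspicious first."""
    summary = correlate(logs, feed_text)
    return sorted(
        ((src, s["max_confidence"], s["hits"]) for src, s in summary.items()),
        key=lambda item: (item[1], item[2]),
        reverse=True,
    )


if __name__ == "__main__":
    for src, confidence, hits in ranked_hosts(CONNECTION_LOGS, INDICATOR_FEED):
        print(f"{src}: max confidence {confidence}, {hits} matching connection(s)")
```

The ranking is what turns a pile of matches into a place to put analyst time: a single high-confidence hit on one host is worth more than several low-confidence range matches on another, which is the cost-and-time prioritisation the paragraph above is asking for.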
61 Cyber Warnings E-Magazine – May 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide