Sunday, October 24, 2010

SIEM needs a new name

In my mind there is a point where a SIEM becomes something more than what the "S" constrains it to, especially as you move into smaller enterprise environments. No doubt the majority of SIEM purchasers bought one with the idea of using it for security and/or compliance of one flavor or another, at least initially. Another way to approach this: if SIEM is the next-gen implementation of log management, do you have to constrain yourself to a purely security-based use of the product, to the exclusion of the other groups within the IT shop? At the end of the day you have a box/system/appliance/magical holder of a whole lot of events. It is the security mentality you bring to those events that defines how you use those logs. If you are already tracking user movement in and out of ACL groups so that you can do security-minded things like overlay that data with successful and failed logins to certain systems, or keep an eye on particularly sensitive groups, why not spend a few more minutes slicing and dicing the same data into something a program manager can use? Alternatively, if you track the source address each person logs in from, you have a vestigial IDM that can be used for security stuff, but it isn't a hard stretch to cross over into BI or resource-usage tracking with the same data.
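As an added illustration (not code from the original post, and not tied to any particular SIEM), here is one way to slice the same pool of events both ways in Python: a security view that replays group membership in time order and flags logins made while the user sat in a sensitive group, and two non-security views (membership churn per group for a program manager, and source addresses per user as the "vestigial IDM"). The tab-separated event format, the user names, groups, hosts and addresses are all constructed for the example.

```python
"""One pool of group-change and login events, sliced for security and for
everyone else. Added example: the log format below is an assumption, the
sample lines are constructed, nothing here comes from a real SIEM."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data). Tab separated:
#   <timestamp>  group  <add|remove>  <user>  <group>
#   <timestamp>  login  <user>  <host>  <src_ip>  <success|failure>
SAMPLE_EVENTS = """\
2010-10-20T08:00:00\tgroup\tadd\talice\tDomain Admins
2010-10-20T08:05:00\tgroup\tadd\tbob\tFinance
2010-10-20T09:00:00\tlogin\talice\tfileserver01\t10.0.0.12\tsuccess
2010-10-20T09:10:00\tlogin\tbob\tfileserver01\t10.0.0.40\tsuccess
2010-10-20T09:15:00\tlogin\tbob\tpayroll01\t10.0.0.40\tfailure
2010-10-20T17:00:00\tgroup\tremove\talice\tDomain Admins
2010-10-21T09:00:00\tlogin\talice\tfileserver01\t10.0.0.12\tsuccess
2010-10-21T09:30:00\tlogin\talice\tfileserver01\t192.168.5.7\tsuccess
"""


def parse_events(text):
    """Parse the constructed format into dicts, sorted by time so that
    membership can be replayed in order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *rest = line.split("\t")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        if kind == "group":
            action, user, group = rest
            events.append({"ts": when, "kind": kind, "action": action,
                           "user": user, "group": group})
        elif kind == "login":
            user, host, src, result = rest
            events.append({"ts": when, "kind": kind, "user": user,
                           "host": host, "src": src, "result": result})
    events.sort(key=lambda e: e["ts"])
    return events


def sensitive_group_logins(events, sensitive):
    """Security view: replay adds/removes and report every login (success
    or failure) made while the user was a member of a sensitive group.
    Membership is evaluated at login time, not at report time."""
    membership = defaultdict(set)
    hits = []
    for e in events:
        if e["kind"] == "group":
            if e["action"] == "add":
                membership[e["user"]].add(e["group"])
            else:
                membership[e["user"]].discard(e["group"])
        elif e["kind"] == "login":
            groups = membership[e["user"]] & sensitive
            if groups:
                hits.append((e["ts"].isoformat(), e["user"], e["host"],
                             e["result"], sorted(groups)))
    return hits


def membership_churn(events):
    """Program-manager view: how many adds and removes each group saw."""
    churn = defaultdict(lambda: {"add": 0, "remove": 0})
    for e in events:
        if e["kind"] == "group":
            churn[e["group"]][e["action"]] += 1
    return dict(churn)


def sources_per_user(events):
    """The 'vestigial IDM': which addresses each user has successfully
    logged in from. Count per host instead and it becomes usage tracking."""
    seen = defaultdict(set)
    for e in events:
        if e["kind"] == "login" and e["result"] == "success":
            seen[e["user"]].add(e["src"])
    return {user: sorted(srcs) for user, srcs in seen.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("sensitive-group logins:", sensitive_group_logins(evs, {"Domain Admins"}))
    print("membership churn:", membership_churn(evs))
    print("sources per user:", sources_per_user(evs))
```

Note that alice's login on the 21st does not show up in the security view: she was removed from Domain Admins the evening before, so membership has to be replayed rather than looked up at report time, which is exactly the kind of detail a dashboard that only joins on the current group list gets wrong.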

Friday, October 22, 2010

Does it really take a "cyber security" mindset?

Here is the theme of a conversation between a couple of us and a couple users associated with a particular computer.

Us: It looks like this computer keeps getting infected by an infected USB drive
Them: ….
Us: Is someone taking a USB drive home, plugging it into their home box, and then plugging it back into the work PC?
Them: Well that’s weird because no one is taking a USB drive home. I don’t know what it could be.
(pause)
Them: Now that I think about it, we do have a USB drive that we use between this computer and some standalone lab machines. Do you think that could be the source?
Us: Do those machines have an anti-virus program loaded on them?
Them: …….No
Us: /smack forehead

I'm all for user training (which we do), but beyond that, at some point you would think people might put two and two together when every time they plug in a particular thumb drive they get a popup from the AV running on the box. Cracks me up every time I think of it.

Wednesday, October 20, 2010

SIEM dashboards and what time slices you use to display data

This isn't what I was going to post, but I'm still toying with that one. There are some discussions, topics, and people that make me just a lil frustrated and full of hate, so instead of possibly tipping my hand too far I'll divert and post this, since it seems like forever since I have posted anything. Lots going on at work and at home (I know, I'm unique there, right?).

One of the challenges of being in a smaller shop is having tools but maybe not having them open all the time. Does anyone in a smaller shop have their SIEM console open all day while at work? One thing I struggle with for dashboards covering things like firewall drops or failed logins is what timeframe the information should cover. If you only look at the dashboard once a day, having it focus on the last hour's events doesn't make a whole lot of sense to me. One option is to have the timeframe cover midnight to the current time. Another, maybe more common(?), is to cover all of yesterday. The third is a continuously rolling timeframe of, say, the last 24 hours. All have their strengths. Ideally you would have a multi-column approach where the first column shows the current count going back however far you like, with subsequent columns covering previous time slices: last hour, previous 24 hours, and average per day over the last week, for example. That would allow a quick visual on a rise or fall relative to the widget's own average, which a single number on its own never gives you. That's a little beyond tricky to do in ArcSight (or in many other SIEMs).

In the meantime, one thing you can do if you have ArcSight ESM 4.5 or later is build these sorts of dashboards to cover whatever time slice you please and then build and link a series of query viewers that break those counts up by hour over the last 24 hours. That quick drill-down capability at least lets you dive into what is otherwise just a number.

I would be curious how others have tackled this.
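Below, as an added example rather than anything from the post or from ArcSight, is the multi-column layout and the hourly drill-down computed in Python over a constructed set of failed-login timestamps. It also evaluates the three single-window choices (midnight to now, all of yesterday, rolling 24 hours) against the same data so you can see how differently they read during a burst. The window definitions (rolling windows ending at a pretend "now", a seven-day baseline, 24 one-hour buckets) are my assumptions about what the columns mean.

```python
"""Time slices for a count-type dashboard widget (failed logins here).
Added example, not ArcSight content: the timestamps are constructed and
the window definitions are assumptions."""
from datetime import datetime, timedelta

NOW = datetime(2010, 10, 20, 14, 30)   # pretend "current time" for the dashboard


def constructed_events(now=NOW):
    """Constructed failed-login timestamps (not real data): five a day at
    fixed hours over the last eight calendar days, plus a twelve-event
    burst between 25 and 14 minutes ago."""
    events = []
    for days_back in range(8):
        day = now - timedelta(days=days_back)
        for hour in (2, 9, 13, 17, 22):
            ts = day.replace(hour=hour, minute=15, second=0, microsecond=0)
            if ts < now:
                events.append(ts)
    for minutes_ago in range(14, 26):
        events.append(now - timedelta(minutes=minutes_ago))
    return sorted(events)


def count_between(events, start, end):
    """Count events with start <= ts < end."""
    return sum(1 for ts in events if start <= ts < end)


def count_in_frame(events, frame, now=NOW):
    """The three single-window choices weighed in the post."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if frame == "midnight_to_now":
        return count_between(events, midnight, now)
    if frame == "yesterday":
        return count_between(events, midnight - timedelta(days=1), midnight)
    if frame == "rolling_24h":
        return count_between(events, now - timedelta(hours=24), now)
    raise ValueError("unknown frame: %s" % frame)


def dashboard_columns(events, now=NOW):
    """Multi-column view: current hour, rolling day, and the widget's own
    weekly baseline, so a spike shows as a ratio against itself rather
    than as a bare number."""
    last_hour = count_between(events, now - timedelta(hours=1), now)
    last_24h = count_between(events, now - timedelta(hours=24), now)
    last_7d = count_between(events, now - timedelta(days=7), now)
    avg_per_hour = last_7d / (7 * 24)
    return {
        "last_hour": last_hour,
        "last_24h": last_24h,
        "avg_per_day_7d": last_7d / 7,
        # None when there is no baseline yet, rather than dividing by zero
        "last_hour_vs_hourly_avg": (last_hour / avg_per_hour) if avg_per_hour else None,
    }


def hourly_breakdown(events, now=NOW):
    """Drill-down: 24 one-hour buckets ending at now, oldest first (what
    the linked query viewers would show for the rolling-24h count)."""
    buckets = [0] * 24
    for ts in events:
        if ts >= now:
            continue
        hours_ago = int((now - ts).total_seconds() // 3600)
        if hours_ago < 24:
            buckets[23 - hours_ago] += 1
    return buckets


if __name__ == "__main__":
    evs = constructed_events()
    for frame in ("midnight_to_now", "yesterday", "rolling_24h"):
        print("%-16s %d" % (frame, count_in_frame(evs, frame)))
    print(dashboard_columns(evs))
    print(hourly_breakdown(evs))
```

With the constructed data, "yesterday" reports a quiet 5 and says nothing about the burst that happened twenty minutes ago, "midnight to now" and the rolling window both show it but give no sense of scale, and only the ratio column makes it obvious that the last hour is running at roughly forty times the widget's own hourly average. The hourly buckets then tell you it is all in the most recent hour rather than spread across the day.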