Security Incident Detection Leveraging SIEM Anomaly Detection
Posted by John Verry on Tue, May 05, 2009 @ 06:19 AM
I'm an unabashed fan of Security Information Event Management (SIEM). As an Information Security Auditor, any solution that can simplify the process of compliance is alright in my book. One of the strengths of most modern SIEM solutions is the ability to leverage correlation rules to detect security incidents in near-real time.
The challenge with correlation rules is that in a sense they are "signature based" in that you largely have to know the situation you are trying to detect. For example, "monitor my five external firewalls and tell me if you see port scans from the same public net block on more than 3 of my firewalls in the same 30 minute period."
An approach we find far more promising is Anomaly Detection. Its advantage is that it doesn't watch for anything specific; rather, it attempts to identify any pattern of security events that is unusual compared to previously baselined performance. Interestingly, anomaly detection is based on the metadata from events, not the events themselves, although the events themselves can be retrieved based on that metadata.
A call last week with a client best illustrates the value of Anomaly Detection. A client called to tell me that our Anomaly Detection was "wonky, because it's telling him about unusual FTP traffic on a server that isn't running FTP anymore". A quick FTP connection attempt confirmed that FTP was indeed responding on the server, and a few more minutes of sleuthing determined that a Windows reboot had restarted the FTP service a few hours prior. Within an hour a hacker had initiated a brute force admin password attack on the server. Anomaly Detection noted the unusual FTP pattern (as compared to the previous month's baseline) and thwarted the security incident before any impact.
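As an added illustration (not code from the original post or any SIEM product), here is a small Python sketch of the baseline comparison described above: events are reduced to metadata tuples, a 30-day per-host, per-service hourly baseline is built, and a recent window is scored against it, so a service with no baseline history (the restarted FTP in the story) is flagged the moment it produces events. Host names, services and event counts are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

HOUR = timedelta(hours=1)

def hourly_counts(events):
    """Bucket (timestamp, host, service) metadata by host/service and hour."""
    counts = defaultdict(Counter)
    for ts, host, service in events:
        counts[(host, service)][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts

def build_baseline(events, start, hours):
    """Mean and std-dev of hourly volume per (host, service) over the whole
    window; quiet hours count as zero instead of being skipped."""
    buckets = [start + i * HOUR for i in range(hours)]
    return {key: (mean(c[b] for b in buckets), pstdev(c[b] for b in buckets))
            for key, c in hourly_counts(events).items()}

def detect_anomalies(baseline, recent_events, k=3.0, floor=1.0):
    """Return (host, service, hour, count, reason) for each recent hour the
    baseline does not explain: no history for the service at all, or volume
    more than k deviations above its mean (floor keeps a perfectly steady
    service from alerting on a one-event change)."""
    findings = []
    for (host, service), per_hour in hourly_counts(recent_events).items():
        for hour, n in sorted(per_hour.items()):
            if (host, service) not in baseline:
                findings.append((host, service, hour, n, "no baseline for this service"))
                continue
            mu, sigma = baseline[(host, service)]
            if n > mu + k * max(sigma, floor):
                findings.append((host, service, hour, n, f"above baseline mean {mu:.1f}"))
    return findings

def constructed_events():
    """Constructed sample: 30 days of steady SSH on web01 (4 events/hour), no
    FTP at all, then one fresh hour where FTP is back with 200 events."""
    start = datetime(2009, 4, 1)
    baseline = [(start + h * HOUR + timedelta(minutes=m), "web01", "ssh")
                for h in range(30 * 24) for m in (5, 20, 35, 50)]
    now = start + 30 * 24 * HOUR
    recent = [(now + timedelta(minutes=m), "web01", "ssh") for m in (5, 20, 35, 50)]
    recent += [(now + timedelta(seconds=s), "web01", "ftp") for s in range(200)]
    return baseline, start, 30 * 24, recent

if __name__ == "__main__":
    base, start, hours, recent = constructed_events()
    for finding in detect_anomalies(build_baseline(base, start, hours), recent):
        print(finding)
```

The steady SSH hour stays silent because it sits inside its baseline, while the FTP hour is reported with the reason "no baseline for this service"; in a real deployment the metadata in that finding is what you would use to pull the underlying FTP events back out of the SIEM.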