Information Security Blog

Security Incident Detection Leveraging SIEM Anomaly Detection

I’m an unabashed fan of Security Information Event Management (SIEM). As an Information Security Auditor, any solution that can simplify the process of compliance is alright in my book. One of the strengths of most modern SIEM solutions is the ability to leverage correlation rules to detect security incidents in near-real time.

The challenge with correlation rules is that in a sense they are “signature based” in that you largely have to know the situation you are trying to detect. For example, “monitor my five external firewalls and tell me if you see port scans from the same public net block on more than 3 of my firewalls in the same 30 minute period.”

An approach we find far more promising is Anomaly Detection. Its advantage is that it doesn’t watch for anything specific, rather it attempts to identify any patterns of security events which are unusual based on previously base lined performance. Interestingly, anomaly detection is based on the meta-data from events — not the events themselves – although the events themselves can be retereived based on the meta data.

A call last week with a client best illustrates the value of Anomaly Detection. A client called to tell me that our Anomaly Detection was “wonky, because its telling him about unusual FTP traffic on a server that isn’t running FTP anymore”. A quick FTP connection attempt confirmed that FTP was indeed responding on the server and a few more minutes of sleuthing determined that a Windows reboot had restarted the FTP service a few hours prior. Within an hour a hacker had initiated a brute force admin password attack on the server. Anomaly Detection noted the unusual FTP pattern (as compared to the previous months baseline) and thwarted the security incident before any impact.

Download: Information Security Attestation Guide

A Best-Practices Guide to Information Security Attestation

Download our proven Information Security Guide to simplify the process of protecting your data, proving you’re secure and growing your business.

Free Download: A Best Practices Guide to Database Security

Because data is only as secure as the systems & processes it relies on – a holistic approach to data security is essential. This roadmap is not meant to be exhaustive but rather to stimulate the necessary thought process to put you on the path to good data security.

Free Whitepaper: Stop Wasting Money on Penetration Testing

Penetration Testing is most frequently performed to:

Substantiate the net effectiveness of a mature control environment
Prove to a third party that an environment is secure/trustworthy
Quickly assess the security of a less mature control environment (in a sense a technical risk assessment)
To validate that significant changes did not have unanticipated results

Is ISO 27001 Right for (Y)our Organization?

Thinking about ISO 27001 Certification? View our free On-Demand ISO 27001 Webinar

How to deal with increasing threats
How to manage multiple regulatory requirements
How to handle client requests for attestation
To validate that significant changes did not have unanticipated results

Free Download: ISO 27001 Implementation Roadmap

Have no fear – our “roadmap” will guide you, step by step, through the entire ISO 27001 process.

Getting to ISO 27001 certification is a process made up of things you already know – and things you may already be doing!

Free Whitepaper: Five Best Practices for SIEM

The promise of SIEM is the consolidation of all relevant Security Event Logs from disparate sources into a single unified and normalized data store.

Simplify compliance monitoring/reporting
Vastly improve Incident Detection & Incident Response
Contextualize event information with other business relevant information

Best Practices for Firing A Network Security Administrator

Want to know how to fire a Network Admin? Need to know what precautions to take? Firing any employee can be a stressful event. Firing one who has significant knowledge of and privileged access to your Information Technology/Security infrastructure is even more stressful, as the risks are so notable.