Information about security breaches needs to be carefully preserved, as it can be used to diagnose any communications weaknesses, as well as any flaws in policy or practice.
Security company Attachmate’s Rick Logan told a security seminar, held in Wellington recently, that to be secure, organisations need to look to both “security event management” (SEM) and “security information management” (SIM).
By linking these two, a comprehensive SIEM picture can be built up, said Logan. SEM is concerned with real-time data collection and correlation, while SIM looks at historical analysis and reporting.
“Event correlation is a defining characteristic of SIEM technology,” said Logan. “Correlation establishes relationships between messages and events generated by devices, systems or applications. [It is] based on characteristics such as the source, target, protocol or event type.” Correlation can be either statistical or based on rules specific to a site or investigation.
Referring to Gartner’s analysis of the SIM/SEM market, Logan said the two should be combined into “a single footprint”.
“Requirements [in the security market] are changing rapidly as the technology is adopted broadly to solve compliance and security gaps,” said Gartner in its report on the topic.
The analyst company adds that “Ease of deployment and support, and the ability to analyse more detail over a longer period have become key.”
SEM should also look to the long-term storage of security data, said Logan.
This will see it catering to the increasing demand for regulatory compliance and greater top-level responsibility for breaches.
Weeding out irrelevant, verbose system messages is important here, said Logan, as 80% of a raw log can consist of routine messages such as “Windows authentication successful”.
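A minimal sketch of the rule-based correlation and log weeding described above, added here as an illustration and not taken from the seminar or from any Attachmate product. The event tuples, the three-failures-in-60-seconds rule and the choice of what counts as routine are all assumptions.

```python
from collections import defaultdict

# Constructed sample events (not from the article):
# (seconds, source, target, protocol, event_type)
EVENTS = [
    (0,   "10.0.0.5", "dc01",   "kerberos", "auth_success"),
    (2,   "10.0.0.7", "dc01",   "kerberos", "auth_success"),
    (10,  "10.0.0.9", "dc01",   "kerberos", "auth_failure"),
    (14,  "10.0.0.9", "dc01",   "kerberos", "auth_failure"),
    (15,  "10.0.0.6", "file01", "smb",      "auth_success"),
    (19,  "10.0.0.9", "dc01",   "kerberos", "auth_failure"),
    (25,  "10.0.0.9", "dc01",   "kerberos", "auth_success"),
    (30,  "10.0.0.5", "file01", "smb",      "auth_success"),
    (400, "10.0.0.8", "dc01",   "kerberos", "auth_failure"),
    (900, "10.0.0.8", "dc01",   "kerberos", "auth_failure"),
]

ROUTINE = {"auth_success"}  # assumption: what this site treats as routine
THRESHOLD, WINDOW = 3, 60   # assumption: 3 failures within 60 seconds


def correlate(events):
    """Relate events by (source, target, protocol); alert on a failure burst."""
    recent = defaultdict(list)  # key -> failure timestamps still inside WINDOW
    alerts = {}
    for ts, src, dst, proto, kind in sorted(events):
        key = (src, dst, proto)
        if kind == "auth_failure":
            recent[key] = [t for t in recent[key] if ts - t <= WINDOW] + [ts]
            if len(recent[key]) >= THRESHOLD:
                alerts.setdefault(key, {"first": recent[key][0], "success_after": False})
        elif kind in ROUTINE and key in alerts:
            # A "routine" success is significant right after a correlated burst.
            if ts - recent[key][-1] <= WINDOW:
                alerts[key]["success_after"] = True
    return alerts


def reduce_noise(events, alerts):
    """Drop routine events unless their (source, target, protocol) raised an alert."""
    return [e for e in events
            if e[4] not in ROUTINE or e[1:4] in alerts]


if __name__ == "__main__":
    found = correlate(EVENTS)
    print(found)
    print(len(reduce_noise(EVENTS, found)), "of", len(EVENTS), "events kept")
```

Running correlation before weeding keeps the one successful login that follows the failure burst, which a blanket filter on routine messages would have discarded.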
Timeliness and prioritising when it comes to patching are also important — particularly for organisations with limited resources. Flaw analysis should be done at the same time as the patch vendor is asked which patch is most critical.
Also, if there is a lack of control, on-the-spot decisions such as “While I’m in this part of the system doing this, I might as well apply this other patch” should be resisted, said Logan. Otherwise, patches may be applied in the wrong order or unnecessarily.
It’s often said that most threats are internal rather than external. Of course, both need to be watched, but many internal breaches are accidental or the result of ignorance and could mean staff need more training, said Logan.
Over the past few years, Attachmate has built up a portfolio of companies specialising in network connectivity, security and PC management.