Evolution is a powerful thing. Change in our external surroundings affects our genetic makeup over time. Humans have adapted over millions of years by dropping our tails, standing upright and acquiring language. Nature’s way of making sure only the strongest traits, functions and cells survive dictates how we interact and sustain ourselves every single day. The appendix? Not to worry. We don’t need that organ any more (well, that debate isn’t over – but that is for a different blog). Today it is all about survival of the fittest (or most useful). Tools evolve over time as well, partly because the humans creating the tools are themselves evolving, but also because of the different challenges we face as time marches on. Can you imagine a scientist in 2015 using the same tools as one did in 1915? Or even in 2000? Our technical tools aren’t necessarily net new inventions; they are evolutions of existing ones. Aircraft are a great example. Orville and Wilbur Wright’s core invention is still the backbone of any flight today. The Boeing 787 Dreamliner is very different from their first 600 lb. flying machine, but not completely unrelated. So how is it that security teams continue to miss attacks that impact their organization? The security tools we have relied upon are failing us. Yes, the threat landscape has evolved as well, and we are not operating in the same world we were in even five years ago. Yet investment in security infrastructure has continued to increase without bringing the relief we all seek. Successful attacks bypass each layer of prevention we have put in place because they often use valid user credentials, trusted access paths or new exploits, and so go unnoticed by our preventive controls. Given the speed with which attackers create new threats, companies must evolve their approach to security.
The hard truth is that a centerpiece of security, the SIEM, has not evolved to meet the security challenge. SIEMs have long been used for compliance and log management as well as to detect and investigate attacks. However, SIEMs have several flaws that make it difficult to detect successful attacks and even more difficult to investigate them. I must make myself clear at this point: I am really talking about log-centric SIEMs. Logs lack the depth of visibility and detail needed to understand what is truly happening in an environment. A basic firewall or NetFlow-style connection log records which hosts talked, on which ports, and how many bytes moved; it does not record what protocol was actually carried in the session. So logs alone cannot detect the use of unauthorized tools like Tor or BitTorrent, non-standard network traffic, or SSL over unusual ports. Logs may trigger an alert about abnormally long query strings or unauthorized encryption and tunneling, but without the packet-level context needed to confirm the specific activity, such alerts end up looking like noise. Logs are still very important, and organizations must collect and analyze them. However, we must evolve beyond logs alone. The threat landscape has evolved, so must our tools. Organizations need to augment their log-centric SIEMs with additional visibility, investigation and workflow capabilities, or risk being unable to protect their business adequately. RSA Security Analytics is the only platform that can correlate security data across logs and packets from on-premises and cloud environments (as well as endpoints, NetFlow, application and mobile data, and malware analysis). Event correlation can now occur between a mix of log and raw packet data, allowing the analyst to view events at the defensive perimeter as well as within the legitimate and unauthorized network traffic that bypassed the preventive controls provided by defense in depth. This gives organizations a unified platform for incident detection, deep-dive investigations, compliance reporting and advanced security analysis.
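To make the gap above concrete, here is an added example of my own (it is not RSA Security Analytics code, and the log schema is not any vendor's real format). A log-only rule over a few constructed firewall events can only flag destination ports outside a baseline, so a plain HTTP session on 8080 fires alongside the real finding. Joining each event to the first client bytes of the captured session, and checking those bytes for a TLS ClientHello record, flags only the SSL/TLS session on a port where TLS is not expected. The log lines, the port baselines, the payloads and the `tls_client_hello` builder are all constructed assumptions for the illustration.

```python
"""
Added example: correlate connection-log events with captured payloads to
detect TLS on non-standard ports. Not RSA code; formats are assumptions.
"""
import re
from typing import Dict, List, Tuple

Flow = Tuple[str, int, str, int]  # (src, spt, dst, dpt)

# Constructed firewall log lines in a key=value syslog style.
# The schema is an assumption, not RSA's or any vendor's actual format.
FIREWALL_LOGS = """\
2015-06-01T10:00:01Z fw01 action=allow proto=tcp src=10.1.2.3 spt=51000 dst=203.0.113.10 dpt=443 bytes=5200
2015-06-01T10:00:07Z fw01 action=allow proto=tcp src=10.1.2.3 spt=51001 dst=203.0.113.11 dpt=8888 bytes=48000
2015-06-01T10:00:09Z fw01 action=allow proto=tcp src=10.1.2.4 spt=51002 dst=203.0.113.12 dpt=8080 bytes=900
"""

LOG_RE = re.compile(r"src=(\S+) spt=(\d+) dst=(\S+) dpt=(\d+)")

# Ports where a TLS ClientHello is considered normal (assumed baseline).
EXPECTED_TLS_PORTS = {443, 465, 636, 993, 995, 8443}
# Ports a log-only rule treats as normal at all (assumed baseline).
LOG_ONLY_BASELINE_PORTS = {80, 443}


def tls_client_hello() -> bytes:
    """Build a minimal, structurally valid TLS record carrying a ClientHello.
    Constructed test data: the handshake body is a placeholder, not a real
    negotiation, but the record and handshake headers are correct."""
    body = (
        b"\x03\x03"            # client_version
        + b"\x00" * 32         # random
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x00\x2f"  # one cipher suite
        + b"\x01\x00"          # one compression method (null)
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# First client->server bytes of each session, keyed by flow tuple.
# In production these come from full packet capture; here they are constructed.
PAYLOADS: Dict[Flow, bytes] = {
    ("10.1.2.3", 51000, "203.0.113.10", 443): tls_client_hello(),
    ("10.1.2.3", 51001, "203.0.113.11", 8888): tls_client_hello(),
    ("10.1.2.4", 51002, "203.0.113.12", 8080): b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n",
}


def parse_firewall_log(text: str) -> List[Flow]:
    """Extract (src, spt, dst, dpt) from each log line that carries them."""
    flows: List[Flow] = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            flows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Check the TLS record layer (content type 0x16 = handshake, version 3.x)
    and that the handshake header inside it has type 0x01 (ClientHello) with a
    length consistent with the record length."""
    if len(payload) < 9:
        return False
    if payload[0] != 0x16 or payload[1] != 0x03 or payload[2] > 0x04:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    handshake_len = int.from_bytes(payload[6:9], "big")
    return payload[5] == 0x01 and 4 + handshake_len == record_len


def log_only_findings(flows: List[Flow]) -> List[Flow]:
    """What a log-centric rule can do: flag allowed sessions on ports outside a
    baseline. It cannot tell TLS from anything else, so plain HTTP on 8080 fires
    alongside the real finding; that is the noise the text describes."""
    return [f for f in flows if f[3] not in LOG_ONLY_BASELINE_PORTS]


def correlated_findings(flows: List[Flow], payloads: Dict[Flow, bytes]) -> List[Flow]:
    """Join each log event to its captured payload and flag a TLS ClientHello on
    a port where TLS is not expected. Flows with no captured payload are skipped."""
    findings: List[Flow] = []
    for flow in flows:
        payload = payloads.get(flow)
        if payload is None:
            continue
        if looks_like_tls_client_hello(payload) and flow[3] not in EXPECTED_TLS_PORTS:
            findings.append(flow)
    return findings


if __name__ == "__main__":
    events = parse_firewall_log(FIREWALL_LOGS)
    print("log-only rule flags:", log_only_findings(events))
    print("log+packet correlation flags:", correlated_findings(events, PAYLOADS))
```

The join key here is the connection 4-tuple because that is what both a connection log and a capture share; in a real deployment the timestamp would be part of the key as well, since ephemeral source ports are reused.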
With RSA Security Analytics, security teams can go from an alert to an investigation to breach response faster and with more detail than with any other tool. Finally, SIEM has evolved.
The post The Evolution is Here: Moving Beyond Log Centric SIEM appeared first on Speaking of Security - The RSA Blog and Podcast.
