Q1 Labs highlights data within the recent 2011 Verizon Data Breach Investigations Report (DBIR) as an indicator of the problem of first-generation Security Information Event Management, (SIEM) and its failure to alert administrators to potential security problems.
“It’s shocking that 41 percent of the breaches investigated within the report already had good evidence of the incident within the victim’s log that went unnoticed,” explains Chris Poulin, CSO for Q1 Labs. “In many of these cases an intelligent SIEM would have provided early warning. Yet the problem remains that organisations still assume that log management is just a compliance requirement and not an active cyber threat detection system.” Poulin, who spent eight years in the U.S. Air Force managing global intelligence networks and developing software, believes that many organisations assume that all SIEM systems are basically the same. “A dumb SIEM that overloads an administrator with false reports is almost as bad as having no SIEM at all,” he adds.
The DBIR, an annual study conducted by the Verizon RISK Team with co-operation from the U.S. Secret Service and the Dutch High Tech Crime Unit, found that within its representative sample, only six percent of the time did an organisation’s designed IT security efforts detect the breach. According to the report’s authors, many of these technology controls are either misconfigured, in the wrong place, or not being utilized at all. “For example, one breach victim had recently purchased a SIEM system, but then let the admin go to save cost,” the authors noted. “The reality is that many organisations deploy SIEM or log management to check off compliance tick boxes such as PCI, FISMA, GLBA, SOX, and GPG 13, then do not have the resources or technical expertise to investigate and respond to alerts in any meaningful way,” explains Poulin.
“We have a customer who was using Cisco MARS, which generated 500 alerts a day; after a while he simply ignored the alarms as he knew they were mostly false alerts.” “When he switched to QRadar, our Security Intelligence Platform, that figure dropped to around a dozen real issues, which then gave him the time to actually separate the threats from the ‘noise,’ and investigate; the only change was adding intelligence to help automatically categorise the real threats.” Poulin believes that the huge mismatch between the 41 percent of breaches that had log evidence and the less than 1 percent of breaches spotted by SIEM indicates a huge opportunity for organisations to proactively address the constant and growing onslaught of cyber crime, whether internally or externally driven.
“If you consider how many large organisations have already assigned budget to log management, the idea of moving away from ‘dumb logging’ to security intelligence can be justified as a strengthening defence and not just as a compliance tick box,” he comments. “DBIR should be a wake up call to IT admins that simply ignore supposedly spurious alerts from the logging system, and instead think about better tools to bring the real threats to their attention,” Poulin concludes.