40 Percent Of Security Breaches Have Evidence In The Logs

Q1 Labs : 21 June, 2011  (Technical Article)
Q1 Labs sets out the case for the use of Security Information Event Management to bring logged incidents to the attention of IT Security managers and prevent security breaches

Q1 Labs highlights data within the recent 2011 Verizon Data Breach Investigations Report (DBIR) as an indicator of the problem with first-generation Security Information and Event Management (SIEM) and its failure to alert administrators to potential security problems.


“It’s shocking that 41 percent of the breaches investigated within the report already had good evidence of the incident within the victim’s log that went unnoticed,” explains Chris Poulin, CSO for Q1 Labs. “In many of these cases an intelligent SIEM would have provided early warning. Yet the problem remains that organisations still assume that log management is just a compliance requirement and not an active cyber threat detection system.” Poulin, who spent eight years in the U.S. Air Force managing global intelligence networks and developing software, believes that many organisations assume that all SIEM systems are basically the same. “A dumb SIEM that overloads an administrator with false reports is almost as bad as having no SIEM at all,” he adds.  


The DBIR, an annual study conducted by the Verizon RISK Team with co-operation from the U.S. Secret Service and the Dutch High Tech Crime Unit, found that within its representative sample, an organisation’s own IT security controls detected the breach only six percent of the time. According to the report’s authors, many of these technology controls are either misconfigured, in the wrong place, or not being utilised at all. “For example, one breach victim had recently purchased a SIEM system, but then let the admin go to save cost,” the authors noted. “The reality is that many organisations deploy SIEM or log management to check off compliance tick boxes such as PCI, FISMA, GLBA, SOX, and GPG 13, then do not have the resources or technical expertise to investigate and respond to alerts in any meaningful way,” explains Poulin.


“We have a customer who was using Cisco MARS, which generated 500 alerts a day; after a while he simply ignored the alarms as he knew they were mostly false alerts. When he switched to QRadar, our Security Intelligence Platform, that figure dropped to around a dozen real issues, which then gave him the time to actually separate the threats from the ‘noise,’ and investigate; the only change was adding intelligence to help automatically categorise the real threats.” Poulin believes that the huge mismatch between the 41 percent of breaches that had log evidence and the less than 1 percent of breaches spotted by SIEM indicates a huge opportunity for organisations to proactively address the constant and growing onslaught of cyber crime, whether internally or externally driven.


“If you consider how many large organisations have already assigned budget to log management, the idea of moving away from ‘dumb logging’ to security intelligence can be justified as a strengthening of defence and not just as a compliance tick box,” he comments. “DBIR should be a wake-up call to IT admins who simply ignore supposedly spurious alerts from the logging system, and instead think about better tools to bring the real threats to their attention,” Poulin concludes.

   © 2012 ProSecurityZone.com