Tag Archives: Big data analytics

To be successful a SIEM implementation should follow the ISO 27001 approach

20 July 2015

Last Wednesday I participated in a workshop on Production IT Security in Frankfurt. The presentations about Security Assessments, SIEM solutions, Next Generation Firewalls and Threat Intelligence were very interesting, but, as always, I got the most valuable information from the discussions with the other attendees during coffee break. It was really amazing to hear that the attendees, although they came from different companies, talked about the same mostly negative experiences in their SIEM projects.

During my ride back to Leverkusen I had time to think about this. Expectation management was a big issue in the discussions. The vendors' PowerPoints suggest a quick and easy installation and start-up, and that after a few days of training in big data methods the SIEM operator can set up dashboards which show the current security status of your company. Far from it!

The key capabilities of a SIEM solution are:

(1) Data aggregation and correlation: Collect event data from various sources, correlate them, and integrate them with other information sources to turn the data into useful information.

(2) Compliance: Gather compliance data to support security, governance and auditing processes.

(3) Retention and Forensic analysis: Long term storage of historical event data for correlation over time and forensic analysis in the case of a security incident.

(4) Dashboard: Turn aggregated and correlated data into informational charts to aid security staff in identifying abnormal usage patterns.

(5) Alerting: Automated analysis of correlated events and production of alerts, to notify recipients of immediate issues.

The implementation of each function requires a big effort in preparation and operation. Let me show this by means of two examples:

(4) Dashboard. In order to find abnormal usage patterns you have to define normal usage patterns first. This not only takes time; it is also really hard to find relevant patterns in the ocean of events that systems create during normal operation. To ensure a fast start-up, clean up your systems before you start operation, e.g. remove the event errors created by mis-configured services, so that they do not end up in your definition of "normal".

(5) Alerting is probably the most interesting capability of a SIEM system. It allows you to act directly upon security incidents. To get the most out of alerting you have to set up an incident response process, ideally prioritised by the classification of the affected information assets, so that time and effort are not wasted on low-value systems.

This requires that all assets are listed in an asset repository, classified, and assigned an asset owner before your SIEM solution goes into production.

In addition, your SIEM operations group must be sufficiently staffed, and the operators must be well trained and empowered to take appropriate action on an incident, e.g. alerting your server operators or shutting down a server to prevent larger damage.
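As an added example (not code from the original post or from any SIEM product), the Python sketch below shows why the asset repository has to exist before alerting goes live. It normalises constructed Windows logon and firewall events, correlates a burst of failed logons followed by a success from the same source, and then sets priority and recipient from a hypothetical asset repository. The event format, host names, IP addresses, the repository contents and the priority mapping are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, assumed "ts source key=value..." format
# (not the output of any real product). Windows logon IDs: 4625 = failure, 4624 = success.
SAMPLE_EVENTS = """\
2015-07-15T09:00:01 win host=fileserver01 event=4625 user=admin src=10.0.5.23
2015-07-15T09:00:02 win host=fileserver01 event=4625 user=admin src=10.0.5.23
2015-07-15T09:00:03 win host=fileserver01 event=4625 user=admin src=10.0.5.23
2015-07-15T09:00:04 win host=fileserver01 event=4625 user=admin src=10.0.5.23
2015-07-15T09:00:05 win host=fileserver01 event=4625 user=admin src=10.0.5.23
2015-07-15T09:00:09 win host=fileserver01 event=4624 user=admin src=10.0.5.23
2015-07-15T09:03:10 fw action=deny src=10.0.5.23 dst=10.0.1.9 dport=445
2015-07-15T09:15:00 win host=labvm07 event=4625 user=test src=10.0.9.1
2015-07-15T09:15:01 win host=labvm07 event=4625 user=test src=10.0.9.1
2015-07-15T09:15:02 win host=labvm07 event=4625 user=test src=10.0.9.1
2015-07-15T09:15:03 win host=labvm07 event=4625 user=test src=10.0.9.1
2015-07-15T09:15:04 win host=labvm07 event=4625 user=test src=10.0.9.1
2015-07-15T09:15:06 win host=labvm07 event=4624 user=test src=10.0.9.1
2015-07-15T09:30:00 win host=fileserver01 event=4625 user=bob src=10.0.5.40
2015-07-15T09:30:01 win host=fileserver01 event=4625 user=bob src=10.0.5.40
2015-07-15T09:30:05 win host=fileserver01 event=4624 user=bob src=10.0.5.40
2015-07-15T10:00:00 win host=newbox event=4625 user=svc src=10.0.7.7
2015-07-15T10:00:01 win host=newbox event=4625 user=svc src=10.0.7.7
2015-07-15T10:00:02 win host=newbox event=4625 user=svc src=10.0.7.7
2015-07-15T10:00:03 win host=newbox event=4625 user=svc src=10.0.7.7
2015-07-15T10:00:04 win host=newbox event=4625 user=svc src=10.0.7.7
2015-07-15T10:00:08 win host=newbox event=4624 user=svc src=10.0.7.7
"""

# Hypothetical asset repository: classification and owner per host.
# "newbox" is deliberately missing to show what happens to an unclassified asset.
ASSET_REPOSITORY = {
    "fileserver01": {"classification": "confidential", "owner": "ops-team"},
    "labvm07": {"classification": "internal", "owner": "lab-team"},
}
PRIORITY_BY_CLASSIFICATION = {"confidential": "P1", "internal": "P3"}

LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(.*)$")

def parse_event(line):
    """Normalise one raw line into a dict with a datetime 'ts' and a 'source' tag."""
    ts, source, rest = LINE_RE.match(line).groups()
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    event["source"] = source
    return event

def build_alert(ev, failure_count):
    """Attach classification, owner and priority from the asset repository."""
    asset = ASSET_REPOSITORY.get(ev["host"])
    if asset is None:
        # The gap the post warns about: nobody to notify, nothing to prioritise by.
        classification, owner, priority = "unclassified", None, "P2"
        action = "asset missing from repository: classify it and assign an owner"
    else:
        classification, owner = asset["classification"], asset["owner"]
        priority = PRIORITY_BY_CLASSIFICATION[classification]
        action = f"notify {owner}"
    return {"rule": "brute_force_then_success", "host": ev["host"], "src": ev["src"],
            "user": ev["user"], "failures": failure_count, "at": ev["ts"].isoformat(),
            "classification": classification, "owner": owner,
            "priority": priority, "action": action}

def correlate(events, threshold=5, window=timedelta(minutes=2)):
    """Rule: at least `threshold` failed logons from one src to one host within
    `window`, followed by a successful logon from the same src. Firewall events
    are normalised by parse_event but not used by this rule."""
    failures = defaultdict(list)   # (host, src) -> timestamps of 4625 events
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] != "win":
            continue
        key = (ev["host"], ev["src"])
        if ev["event"] == "4625":
            failures[key].append(ev["ts"])
        elif ev["event"] == "4624":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(build_alert(ev, len(recent)))
            failures[key].clear()   # a success closes the attempt either way
    return alerts

def run(text=SAMPLE_EVENTS):
    return correlate(parse_event(l) for l in text.splitlines() if l.strip())

if __name__ == "__main__":
    for alert in run():
        print(alert["priority"], alert["host"], alert["action"])
```

Running it yields three alerts: a P1 for the confidential file server routed to its owner, a P3 for the lab VM, and a P2 for "newbox" whose only possible action is "classify it" because the repository does not know the host. The two failed logons of user "bob" stay below the threshold and produce nothing. In a real deployment the threshold, window and priority table are exactly the things the asset classification and incident response process have to settle before go-live.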

Sounds like the preparations required for the implementation of an Information Security Management System according to ISO 27001.

So my advice is: for a successful and quick SIEM implementation, follow the major steps for the implementation of an ISMS.

Bonne semaine!

E-book review: Staying Ahead in the Cyber Security Game

28 August 2014

Some weeks ago I attended the webinar ‘Staying Ahead in the Cyber Security Game: What matters Now’ sponsored by IBM and Sogeti.
The webinar is a good introduction to the free e-book with the same title. And the e-book is absolutely worth reading.

Chapter 10 is entitled ‘The data scientist will be your next security superhero’. Wow! The word superhero always reminds me of the Queen song ‘Flash Gordon’:

Flash a-ah
Savior of the universe

The line ‘Seemingly there is no reason for these extraordinary intergalactical upsets’ describes the work of a big data analyst well. My favourite lines are at the end of the song:

Flash Flash I love you
But we only have fourteen hours to save the Earth
Flash

I love this song, I would really love to be a superhero … ;-). Back to the e-book!

‘We may have effective detection tools to reduce the impact of the attacks. But the real revolution will be with big data: We will be able to more finely analyze what is normal and what is not normal.’

This statement gives me pause. How long does it take to find a hint where there seemingly is none? Do we really have fourteen hours in the case of an unknown attack to save the company? Would big data analytics have prevented the eBay or Code Spaces disaster? Should we rely on the good brains of a big data analyst only?

My answer is: Don’t just rely on a single technology! And don’t believe that everything is as easy as it sounds.

Big data technology can support us in boosting IT security but, of course, it will take some time before it can produce clear indications of data breaches.

First, you have to set up data sources such as firewall or Windows event logs. In parallel, your analysts and your system must start learning what is normal in order to recognize what is abnormal, because abnormal events are a strong indicator of an advanced threat or breach. And finally, you should write an incident response plan so that the right things happen when your system detects an incident.
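The "learn what is normal" step above, and the dashboard baseline the first post on this page asks for, can be made concrete with a small Python example. This is an added example, not from the e-book, the webinar or the original post: it learns a per-host, per-hour baseline of firewall deny counts from constructed history and scores new counts with a robust z-score (median and median absolute deviation). It also shows the waiting time the paragraph mentions: a host with too little history is reported as "insufficient_baseline" rather than alerted on. Host names, counts, the minimum sample count and the threshold are all assumptions made for the example.

```python
import statistics
from collections import defaultdict

MIN_SAMPLES = 5     # historical observations a (host, hour) cell needs before it may alert
Z_THRESHOLD = 3.0   # robust z-score above which a count is reported as abnormal

def constructed_history(days=7):
    """Constructed 'normal' history: firewall deny counts per host, day and hour.
    Deterministic and invented, not real data: web01 has a stable daily profile,
    newbox has been sending logs for a single day only."""
    rows = []
    for day in range(days):
        for hour in range(24):
            rows.append(("web01", day, hour, 20 + hour % 3 + day % 2))
    rows.append(("newbox", 0, 10, 5))
    return rows

class Baseline:
    def __init__(self):
        self.cells = defaultdict(list)   # (host, hour) -> historical counts

    def learn(self, rows):
        for host, _day, hour, count in rows:
            self.cells[(host, hour)].append(count)

    def score(self, host, hour, count):
        """Compare a new count with its cell. Median/MAD is used instead of
        mean/stdev so that a few past outliers do not move the baseline."""
        hist = self.cells.get((host, hour), [])
        result = {"host": host, "hour": hour, "count": count, "samples": len(hist)}
        if len(hist) < MIN_SAMPLES:
            result["status"] = "insufficient_baseline"   # learning still in progress
            return result
        med = statistics.median(hist)
        mad = statistics.median([abs(x - med) for x in hist])
        scale = 1.4826 * max(mad, 1.0)   # MAD -> sigma; the floor avoids /0 on flat cells
        z = abs(count - med) / scale
        result.update(median=med, z=round(z, 2),
                      status="abnormal" if z > Z_THRESHOLD else "normal")
        return result

def run():
    baseline = Baseline()
    baseline.learn(constructed_history())
    # Constructed "today" observations to score against the learned baseline.
    observations = [("web01", 10, 80), ("web01", 10, 23), ("newbox", 10, 50)]
    return [baseline.score(host, hour, count) for host, hour, count in observations]

if __name__ == "__main__":
    for r in run():
        print(r["status"], r)
```

The first observation (80 denies where 21 is usual) is reported as abnormal, the second (23) as normal, and the third is not scored at all because "newbox" has one day of history. That last case is the practical point: until every source has been collecting for long enough to fill its cells, the analyst has no baseline to compare against, however good the tooling is.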

Sounds like a plan, doesn’t it?

By the way: the first security superhero was David Levinson in ‘Independence Day’. In an ocean of electromagnetic signals he detected an alien signal and identified it as a countdown, all within a few minutes. A true superhero!