Incident Detection

When Security Tools Cry Wolf

With the recent Target and Neiman Marcus breaches, we have seen that the attacks did not go undetected by the retailers’ security tools. However, both cases reveal a larger problem: with the rising number and complexity of security tools at our fingertips, sometimes everything looks like an alert, so nothing becomes actionable.

The increasing number of alerts is the result of the increasing number of events triggered by multiple products from disparate vendors, all essentially speaking different dialects, if not completely different languages. These tools constantly scream at us, making it difficult to hear the voices that matter: the ones indicating incidents we should be paying attention to.

The solution to the problem is not to introduce additional tools, but to get the tools we have to talk to each other, or to pass their output through an intermediary that can make sense of what is happening on the network. Pairing that picture with other variables, such as the business risk of an asset, is what allows the noise to be filtered out.

More Tools More Problems

The tool many turn to in order to provide this context is a SIEM. However, many of the “Big SIEM” tools on the market today actually exacerbate the problem, adding complexity and, if not implemented correctly, introducing false positives, or failing to report the correct incidents at all.

There is also the high price of these systems and the resources required to implement and maintain them. It is not uncommon to find security teams spending more time trying to debug and integrate their SIEM than they do actually working on the incident response and mitigation tasks they were hired for.

Another tricky point about SIEMs and other detection tools is that they can only identify known patterns and signatures. Today’s attacks are highly polymorphic, always changing and often highly customized for a target environment. Being able to quickly review machine data and other evidence retroactively when there is an indicator of a breach is critical to a good incident detection program.

Not every suspicious event requires an immediate alert. Flagging an event of interest, or associating metadata with it (such as the business risk of the affected asset), gives Log Management and SIEM systems stronger intelligence to correlate it with other related events. This type of correlation frees security teams up to focus on the events that matter, particularly when individual low-severity events are happening in the context of a larger attack.
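The approach above (normalize events from tools that speak different dialects, tag them with asset risk instead of alerting on each one, then alert only when correlated events on a host add up to something that matters) can be shown in a small script. This is an added example and not Tripwire Log Center or any other product’s code; the three tool “dialects”, the asset inventory, the per-event base scores, the ten-minute window and the alert threshold are all constructed assumptions.

```python
"""Risk-weighted event correlation (illustrative, not a product's logic).

Three hypothetical tools each report the same host in their own field names.
Each event is normalized, tagged with the asset's business risk, and kept for
later review; an alert is raised only when the risk-weighted score of the
events seen on one host inside a time window crosses a threshold.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in three made-up dialects (not real tool output).
RAW_EVENTS = [
    {"tool": "ids",   "ts": "2014-02-10T10:00:05", "src": "10.1.1.5",
     "sig": "ET SCAN Nmap", "sev": 2},
    {"tool": "edr",   "ts": "2014-02-10T10:00:40", "host": "10.1.1.5",
     "event": "new_service_installed", "severity": "low"},
    {"tool": "proxy", "ts": "2014-02-10T10:01:10", "client_ip": "10.1.1.5",
     "category": "uncategorized", "bytes_out": 52_000_000},
    {"tool": "ids",   "ts": "2014-02-10T11:30:00", "src": "10.1.1.9",
     "sig": "ET SCAN Nmap", "sev": 2},
]

# Constructed asset inventory: business-risk weight per host
# (5 = handles cardholder data, 1 = lab box). Unknown hosts default to 1.
ASSET_RISK = {"10.1.1.5": 5, "10.1.1.9": 1}

# Assumed base score per normalized event kind; none of these alone alerts.
BASE_SCORE = {"scan": 1, "persistence": 3, "exfil_suspect": 3}

WINDOW = timedelta(minutes=10)   # assumed correlation window
ALERT_THRESHOLD = 20             # assumed risk-weighted alert threshold


def normalize(ev):
    """Map one tool's dialect onto a common schema: host, kind, ts."""
    ts = datetime.fromisoformat(ev["ts"])
    if ev["tool"] == "ids":
        return {"host": ev["src"], "kind": "scan", "ts": ts}
    if ev["tool"] == "edr":
        kind = "persistence" if ev["event"] == "new_service_installed" else "other"
        return {"host": ev["host"], "kind": kind, "ts": ts}
    if ev["tool"] == "proxy":
        kind = "exfil_suspect" if ev["bytes_out"] > 10_000_000 else "other"
        return {"host": ev["client_ip"], "kind": kind, "ts": ts}
    raise ValueError("unknown tool dialect: %r" % ev["tool"])


def tag(ev):
    """Attach metadata rather than alerting: asset risk and a weighted score."""
    risk = ASSET_RISK.get(ev["host"], 1)
    return {**ev, "asset_risk": risk, "score": BASE_SCORE.get(ev["kind"], 0) * risk}


def _summarize(host, evs):
    return {"host": host,
            "score": sum(e["score"] for e in evs),
            "kinds": sorted({e["kind"] for e in evs}),
            "start": evs[0]["ts"], "end": evs[-1]["ts"]}


def correlate(tagged, window=WINDOW):
    """Group tagged events per host into time windows; one record per window."""
    by_host = defaultdict(list)
    for ev in sorted(tagged, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    incidents = []
    for host, evs in by_host.items():
        current = [evs[0]]
        for ev in evs[1:]:
            if ev["ts"] - current[0]["ts"] <= window:
                current.append(ev)
            else:
                incidents.append(_summarize(host, current))
                current = [ev]
        incidents.append(_summarize(host, current))
    return incidents


def triage(raw_events, threshold=ALERT_THRESHOLD):
    """Return (alerts, tagged_events): what to page on, and what to keep for review."""
    tagged = [tag(normalize(e)) for e in raw_events]
    alerts = [i for i in correlate(tagged) if i["score"] >= threshold]
    return alerts, tagged


if __name__ == "__main__":
    alerts, tagged = triage(RAW_EVENTS)
    for a in alerts:
        print("ALERT %s score=%d kinds=%s" % (a["host"], a["score"], ",".join(a["kinds"])))
    print("%d events tagged and retained for retroactive review" % len(tagged))
```

Run as written, the same Nmap scan signature is seen on both hosts, but only the cardholder-data host raises an alert, and only because the scan, the new service and the large outbound transfer land inside one window: 1×5 + 3×5 + 3×5 = 35 clears the threshold, while the scan on the lab box scores 1 and is merely tagged. All four events stay available with their metadata, which is what makes the retroactive review the post calls for possible.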

Tripwire Log Center: Less Noise More Signal

One of the key goals for Tripwire Log Center has been to bring the best of SIEM and big data analytics into a single package that is easy to deploy, manage and configure. Security teams deal with enough complexity and massive amounts of data, so it is important to provide context and meaning to the data coming from disparate systems in order to identify what is important. The intelligence that Tripwire Log Center provides can then generate alerts, automate actions, or pass the data up to a SOC (Security Operations Center) for further analysis.


Ken Westin

Your Pundit of Paranoia