SECURITY MONITORING: BE EVERYWHERE AT ONCE

Transcription

1 E-Guide SECURITY MONITORING: BE EVERYWHERE AT ONCE SearchNetworking

2 P ervasive security improves on defense in depth by layering security according to risk and assigning it specifically to each critical point of your system. Learn more on how pervasive security takes adds depth, and breadth, to security systems. PAGE 2 OF 6

3 SECURITY MONITORING: BE EVERYWHERE AT ONCE John Burke The idea of layered security defense in depth is old and incomplete. Pervasive protection takes that idea and expands it. The notion pushes IT to not just have several layers of defense but to layer them according to risk. It then builds on that strategy by placing security around each critical system and data repository and across each critical network nexus. With so many layers of security in place, you get pervasive security monitoring data. And boy, do you ever get a lot! So much so that you strain the seams of (if you ve been keeping up already) your SIEM and IDS/IPS tools. (And if you haven t been keeping up, you re already ignoring mountains of security logging data. Now you have a whole new range of mountains you ll be ignoring.) More important, you strain the capabilities of these tools. You need these systems to sift through the chaff of security logs to uncover the wheat of actual threats, a function they perform exceedingly well. Then, you need your SIEM/IDS/IPS platforms to help you make bread out of the wheat, turn PAGE 3 OF 6

4 detection of events into actionable intelligence. Here, these traditional tools are increasingly less helpful. As threats multiply and become multichannel, and as security systems proliferate, SIEM and IDS/IPS products begin to lose the race: To get what you need, you either focus them too narrowly to reduce the overall load, or scale them so that it is no longer affordable. The solution? Defense intelligence in depth to go with your defense in depth. To deal with the enormous increase in data flowing into your security monitoring platforms, you need to practice layered defense analysis by adding systems (or capabilities) to the mix. Two crucial ones are advanced security analytics (ASA) and user behavior analytics (UBA). ASA systems literally live on top of existing log management and SIEM systems to provide an additional layer of analysis of the stream of alerts and alarms they raise. They are focused solely on navigating through these streams of data to provide IT with actionable knowledge about possible attacks that are of the most crn. ASA is essentially the marriage of big data analytics technique to the security data set. While many large organizations began doing this using homegrown tools; commercial offerings are now coming to market. UBA systems are a specialized subset of ASA tools. They focus exclusively on users behavior patterns; they flag changes deemed suspicious. They can, for PAGE 4 OF 6

5 example, understand why an accountant might be furiously accessing client data at midnight during the last week of the fiscal year, but will flag as questionable similar behavior if it happens on a Saturday in the middle of a quarter. User in this context can include not just humans but also systems that engage in machine-to-machine interactions. This latter aspect can be hugely important in a data center undergoing a transformation to a services-, or microservices-,-oriented architecture. In an SOA or microservices environment, systems will be talking to each other far more frequently than they used to, which can make it very challenging for a person to spot anomalies in the pattern of communication. UBA tools can see these things clearly. By stepping up the monitoring toolset to use layers of analysis to add new levels of intelligence to the automated parsing of security data, IT can again keep up with the flood of data created by adopting risk-driven pervasive protection. John Burke is CIO and principal research analyst with Nemertes Research. With nearly two decades of technology experience, he has worked at all levels of IT, including end-user support specialist, programmer, system administrator, database specialist, network administrator, network architect and systems architect. He has worked at The Johns Hopkins University, The College of St. Catherine, and the University of St. Thomas. PAGE 5 OF 6

6 FREE RESOURCES FOR TECHNOLOGY PROFESSIONALS TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web s largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real world information in real time with peers and experts. WHAT MAKES TECHTARGET UNIQUE? TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers all to create compelling and actionable information for enterprise IT professionals across all industries and markets. PAGE 6 OF 6