Over the past several weeks we have examined ways to protect your organization from malware and other malicious code throughout the corporate environment. If it is not evident by now, we have been examining data from a multitude of devices scattered throughout the corporate IT infrastructure, and the devices and software involved are both diverse and disjointed: firewalls, laptops, desktops, multifunction devices, A/V software, basically anything that is connected to the network. Each of these produces logs, and those logs are valuable because alerts can be triggered by combining inputs from several of them rather than from any one device alone.
To consume the various data points produced by this software and hardware effectively, they need to be brought together in an orderly fashion, preferably in a single pane of glass. By rolling all security-related information into a central system of record, we can enrich the information from each software or hardware element with data from other systems. Adding context to events that occur on the network lets us pinpoint an issue quickly and accurately and resolve it before malicious activity spreads to other systems. A properly tuned SIEM (Security Information and Event Management system) gives us a single system in which to view pertinent information from these varied sources. Alerting and tracking can be managed from this tool rather than logging into several systems to patch together the analysis of a given event.
There are many options in this product arena, which makes the decision process quite complex. The first order of business is to document your requirements so that the long process of installing and configuring the system does not need to be repeated. Aside from your company's GRC (Governance, Risk, and Compliance) posture, items to take into consideration are:
- Do I have appropriate staffing?
- What expectations have I set with management?
- Would I use an on-premises or cloud-based solution?
- Do I want to manage this myself or make use of a managed service?
Answering these questions will assist in narrowing down your choices from dozens to a handful.
For on-premises solutions, QRadar and Splunk offer very powerful collection and analysis platforms. One of the keys to a good security program is being able to collect and analyze as much information as possible without being distracted by insignificant details. IBM’s QRadar Security Intelligence Platform prioritizes information into actionable intelligence so that users do not need to look into random details, which helps prioritize IT management time. Breaches can be identified quickly, in real time. Your IT team can re-create the step-by-step actions of an attacker, reconstruct data in its original form, and then take action to prevent successful attacks from happening again. With vulnerability management, you can scan the network to identify vulnerabilities. With risk management, you can collect data to discover misconfigurations and identify potential attack paths. QRadar provides deep insight into security breaches and helps prevent future attacks.
Splunk Enterprise collects data from many sources: logs, clickstreams, sensors, streaming network traffic, web servers, custom applications, hypervisors, containers, social media and cloud services. Splunk then enables you to search, monitor and analyze the data to discover insights across multiple use cases such as security, IT operations, application delivery, industrial data and IoT, giving you valuable intelligence across your entire organization. Splunk Enterprise scales to hundreds of terabytes per day to meet the needs of any organization, and supports clustering, high availability and disaster recovery configurations, all while keeping your data secure with role-based access controls, secure data handling, auditability and assurance of data integrity.
For cloud-based and managed-service products, Alert Logic provides a relatively quick implementation time and, by leveraging existing content and rules, lets the organization have useful information in very short order. Alert Logic Log Manager is aimed at catching ransomware that has the potential to fly below the radar. The log manager collects, aggregates and normalizes log data 24/7. All data is available for analysis in an easy, accessible dashboard. Within the dashboard, IT staff can correlate events and set automatic alerts to enable rapid response to security events. Alert Logic Threat Manager monitors network traffic and analyzes billions of events; using multifactor correlation, Alert Logic identifies security events requiring attention. After validation by a SOC analyst, Alert Logic notifies you with recommended actions and responses within 15 minutes for critical issues.
This concludes our 5-part Security Series; please check out the previous posts listed below!
- Malware Blog Series Introduction
- Part 1 of 5- Detecting and Blocking Malware at the Gateway Before Users are Affected
- Part 2 of 5- Educating the User and Social Engineering
- Part 3 of 5- Hunting Hidden Malware in your Datacenter
- Part 4 of 5- Complete Endpoint Solutions