Saturday, December 14, 2013

The Missing Link in Security Information & Event Management - Application Level Events Detection


Perhaps the biggest challenge for Security Information and Event Management projects today is integrating application-level data and events to provide detailed user-centric auditing, detect internal fraud and comply with new regulations. Most, if not all, SIEM products cannot see user behavior and application-level events at all, which leaves their overall value well short of their potential. In basic terms, SIEM applications are watching the doorways and windows but not the treasure room: your business applications.

Basic application logs rarely carry the fields an investigator needs (who, in which session, did what to which business object), and writing richer logs from inside the application is I/O heavy. A non-intrusive approach is therefore required: detect the relevant events outside the application code, transform them, and route them to the SIEM in the format it expects. Offloading detection, formatting and routing from the business application server is crucial. Behavioral pattern analysis using pre-defined patterns, existing SIEM logic and correlation with external data, for real-time detection and reaction, will be the next big step toward minimizing internal fraud.

The SIEM market has been evolving rapidly, proving its value in a complex organizational world built on a plethora of IT components of various types. The need to manage the large volumes of data these components produce, document and archive it, and detect problems arising from the actual events has made SIEM applications necessary. However, for reasons such as vendor lines of business and integration difficulties, information gathering and event correlation have stayed focused on the technical components of the IT network: routers, switches, firewalls, servers, and so on. There has been little if any emphasis on the business applications themselves, where the relevant actions and business processes take place and where damage and fraudulent activity can actually be carried out.

The current situation with most SIEM deployments is very problematic: all the peripherals are audited and guarded, while the real prize, the "vault" with all the money in it, is left unattended. It is in the business applications that the actual actions are performed, good or bad, and that is where the emphasis should be. Organizations cannot dive into their application code to add logging and event routing, and then do it again every time regulation or business requirements change, so a non-intrusive approach is a must, provided it delivers in-depth, user-session-level visibility into user-application behavior. This means the application code needs no changes, no additional log management is required, and the application servers are not overloaded with logging I/O that degrades performance.

An additional challenge is transforming the data before it is fed to the SIEM: field mappings and parameter definitions must be settled so the SIEM can understand what it receives. Another is throughput: monitoring events from several applications per node, offloading the computation and I/O from those applications, and routing the events to each relevant target, such as a SIEM.

Only then will SIEM deployments be able to detect every relevant event, or specific behaviors matching predefined patterns, and only then will SIEM applications fulfill their true potential. They can then gather critical application-level data and events, comply with tougher regulations, and detect internal fraud by correlating this data with the data they already hold.
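As an added illustration of the pipeline described above (detect, transform, route, and run a predefined pattern), here is a small Python example. It is not the post's own code or any vendor's product: the event records are constructed, the vendor and product names in the CEF header and the action-to-signature mapping are hypothetical, and the "bulk record access" pattern is one simple behavioral rule chosen to show where the state lives (outside the application). Output uses the Common Event Format (CEF) header and key=value extension layout that many SIEMs accept, with the escaping rules that format requires.

```python
"""Added example: application-level events to CEF, plus one behavioral pattern."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# One user action as a non-intrusive tap at the application tier would see it:
# (epoch seconds, user, session id, action, business object touched).
Event = Tuple[int, str, str, str, str]

# Constructed sample events, not taken from any real application.
SAMPLE_EVENTS: List[Event] = [
    (1386979200, "alice", "s1", "view_account", "A-100"),
    (1386979205, "alice", "s1", "view_account", "A-101"),
    (1386979210, "bob",   "s2", "view_account", "A-200"),
    (1386979212, "alice", "s1", "view_account", "A-102"),
    (1386979218, "alice", "s1", "view_account", "A-103"),
    (1386979221, "alice", "s1", "view_account", "A-104"),
    (1386979400, "bob",   "s2", "update_account", "A-200"),
    (1386979900, "alice", "s1", "view_account", "A-105"),
]

# Hypothetical mapping from application action to CEF signature id and severity.
ACTION_SIGNATURES: Dict[str, Tuple[str, int]] = {
    "view_account": ("100", 3),
    "update_account": ("200", 5),
}


def cef_header_escape(value: str) -> str:
    """CEF header fields reserve backslash and pipe."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_ext_escape(value: str) -> str:
    """CEF extension values reserve backslash, '=' and line breaks."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\n"))


def cef_line(sig_id: str, name: str, severity: int, ext: Dict[str, str]) -> str:
    """Build: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    header = "|".join(cef_header_escape(f) for f in
                      ("CEF:0", "ExampleCorp", "AppEventTap", "1.0", sig_id, name, str(severity)))
    extension = " ".join(f"{k}={cef_ext_escape(v)}" for k, v in ext.items())
    return f"{header}|{extension}"


def event_to_cef(event: Event) -> str:
    """Transform step: map application fields onto standard CEF extension keys."""
    ts, user, session, action, obj = event
    sig_id, severity = ACTION_SIGNATURES.get(action, ("999", 1))
    return cef_line(sig_id, action, severity, {
        "rt": str(ts * 1000),  # CEF receipt time is milliseconds since the epoch
        "suser": user,
        "act": action,
        "cs1Label": "sessionId", "cs1": session,
        "cs2Label": "objectId", "cs2": obj,
    })


class DistinctObjectBurst:
    """Predefined pattern: one user touching more than `threshold` distinct business
    objects within `window` seconds (bulk record browsing). All state is kept here,
    so the application itself is untouched."""

    def __init__(self, threshold: int, window: int) -> None:
        self.threshold = threshold
        self.window = window
        self._seen: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)

    def feed(self, event: Event) -> Optional[Dict[str, object]]:
        ts, user, _session, _action, obj = event
        dq = self._seen[user]
        dq.append((ts, obj))
        while dq and dq[0][0] < ts - self.window:  # drop events outside the window
            dq.popleft()
        distinct = {o for _, o in dq}
        if len(distinct) <= self.threshold:
            return None
        dq.clear()  # one alert per burst; start counting afresh
        return {"ts": ts, "user": user, "distinct": len(distinct), "window": self.window}


def process(events: List[Event], pattern: DistinctObjectBurst):
    """Route step: every event becomes a CEF line; a pattern hit adds an alert line.
    Returns (cef_lines_for_the_siem, alerts)."""
    lines: List[str] = []
    alerts: List[Dict[str, object]] = []
    for ev in events:
        lines.append(event_to_cef(ev))
        alert = pattern.feed(ev)
        if alert:
            alerts.append(alert)
            lines.append(cef_line("900", "bulk-record-access", 8, {
                "rt": str(alert["ts"] * 1000), "suser": str(alert["user"]),
                "cnt": str(alert["distinct"]),
                "msg": f"{alert['distinct']} distinct objects in {alert['window']}s",
            }))
    return lines, alerts


if __name__ == "__main__":
    out, found = process(SAMPLE_EVENTS, DistinctObjectBurst(threshold=4, window=60))
    print("\n".join(out))
    print(f"{len(found)} alert(s)")
```

With the sample data, alice's five distinct accounts in 21 seconds trip the rule and produce a severity-8 alert line alongside the eight normal events; bob's repeated touches of one account and alice's later single access do not. The threshold, window and signature mapping are the "parameter definitions" the text mentions, and they live in the detection layer rather than in application code.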
