Sunday, October 28, 2012

Moving Beyond Log Management and SIEM

The concept of security intelligence is partially realized in security information and event management (SIEM) tools, which correlate and analyze aggregated and normalized log data. Log management tools centralize and automate the query process, but lack the flexibility and the sophisticated correlation and analysis capabilities of SIEM and, ultimately, of security intelligence.
But SIEM should be regarded as a way point rather than a destination. The end goal is comprehensive security intelligence. SIEM is very strong from an event management perspective and plays a particularly important role in threat detection. Comprehensive security intelligence must encompass and analyze a far broader range of information: it requires continuous monitoring of all relevant data sources across the IT infrastructure and evaluating information in contexts that extend beyond typical SIEM capabilities.

Security intelligence should include a much broader range of data, leveraging the full context in which systems are operating. That context includes, but is not limited to: security and network device logs; vulnerabilities; configuration data; network traffic telemetry; application events and activities; user identities; assets, geo-location and application content.
This produces a staggering amount of data. Security intelligence provides great value by leveraging that data to establish very specific context around each potential area of concern and by executing sophisticated analytics to accurately detect more, and different, types of threats.

For example, a potential exploit of a Web server reported by an IDS can be validated by unusual outbound network activity detected by a network behavioral anomaly detection (NBAD) capability, and vice versa.

Or, you have a report that a server has a potential vulnerability that has just been disclosed. But it’s one of hundreds in your organization, so how do you evaluate the threat for this particular server? Security intelligence can analyze all available data and tell you:

  1. The presence or absence of the vulnerability;
  2. The value the organization assigns to the asset and/or data;
  3. The likelihood of exploit based on attack path threat models;
  4. Configuration information, which may indicate, for example, that the server is not accessible because a default setting has been changed;
  5. The presence of protective controls, such as an IPS.
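The two scenarios above (an IDS alert corroborated by outbound anomalies, and an alert ranked against vulnerability, asset-value, exposure and protective-control context) can be sketched as a small correlation routine. This is an added illustration, not code from the post or from any SIEM product; the flow records, addresses, CVE identifier, field names and scoring weights are all constructed assumptions.

```python
from statistics import mean

# Constructed sample inputs (placeholder addresses and CVE id, not real data).
IDS_ALERTS = [
    {"host": "10.0.0.5", "signature": "web-attack", "ts": 1000},
    {"host": "10.0.0.9", "signature": "web-attack", "ts": 1010},
]
FLOWS = [  # outbound flow summaries: source host, bytes sent, timestamp
    {"src": "10.0.0.5", "bytes": 300, "ts": 100},
    {"src": "10.0.0.5", "bytes": 250, "ts": 500},
    {"src": "10.0.0.5", "bytes": 40_000_000, "ts": 1030},  # burst after alert
    {"src": "10.0.0.9", "bytes": 400, "ts": 200},
    {"src": "10.0.0.9", "bytes": 350, "ts": 1020},
]
VULNS = {"10.0.0.5": {"CVE-XXXX-PLACEHOLDER"}, "10.0.0.9": set()}
ASSETS = {  # business value 1-10, externally reachable?, IPS in front?
    "10.0.0.5": {"value": 9, "exposed": True, "ips": False},
    "10.0.0.9": {"value": 3, "exposed": False, "ips": True},
}


def outbound_anomaly(host, ts, flows, window=60, factor=10):
    """NBAD-style check: did the host send more than factor x its pre-alert
    baseline in the window after the alert?"""
    before = [f["bytes"] for f in flows if f["src"] == host and f["ts"] < ts]
    after = [f["bytes"] for f in flows
             if f["src"] == host and ts <= f["ts"] <= ts + window]
    if not before or not after:
        return False
    return max(after) > factor * mean(before)


def assess(alert, flows=FLOWS, vulns=VULNS, assets=ASSETS):
    """Gather the context the post lists for one IDS alert and rank it."""
    host = alert["host"]
    asset = assets.get(host, {"value": 1, "exposed": True, "ips": False})
    ctx = {
        "vulnerable": bool(vulns.get(host)),
        "asset_value": asset["value"],
        "exposed": asset["exposed"],
        "ips_in_front": asset["ips"],
        "outbound_anomaly": outbound_anomaly(host, alert["ts"], flows),
    }
    # Weights are an arbitrary illustration: corroborating signals raise the
    # score, protective controls and lack of exposure lower it.
    score = asset["value"] + 5 * ctx["vulnerable"] + 5 * ctx["outbound_anomaly"]
    score -= 3 * ctx["ips_in_front"] + 4 * (not ctx["exposed"])
    ctx["priority"] = "high" if score >= 12 else "medium" if score >= 6 else "low"
    return ctx
```

With the sample data, the first alert lands on a vulnerable, exposed, high-value host that starts sending a large outbound burst right after the alert, so it ranks high; the second hits a patched, internal host behind an IPS with normal traffic and ranks low.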

Or, consider the insider threat. The 250,000 diplomatic cables given to WikiLeaks were obtained by a user, Pfc. Manning, who was acting within his authorized privileges. Chances are any given security mechanism would fail to detect this kind of action, but analysis of correlated data, applying contexts from multiple sources, may have stopped the leak before it could cause damage.
