In the previous post, we announced that Paul Truitt, Vice President of Cybersecurity and Chief Security Officer at SageNet, will join a panel of experts to discuss “Technical Tools for Data Protection” at this week’s NACS (National Association of Convenience Stores) Show in Atlanta. Part of Mr. Truitt’s presentation will focus on security logging and monitoring, and the importance of pulling all logs into a centralized system for correlation, review and alerting.
This session at the NACS Show is generating buzz because the deck is stacked against IT security managers. A study from PwC found that 38 percent more security incidents were detected in 2015 than 2014. As networks continue to grow in size and complexity, threats and attacks grow in number and sophistication. Security products that were designed to solve one problem and can’t communicate or integrate with other products have made it difficult to respond to today’s security challenges.
Logging and monitoring are essential techniques in IT security — you can’t guard against threats if you aren’t aware of them. Because log data is constantly pouring in from a variety of systems and security tools, organizations have traditionally used security information and event management (SIEM) systems to make sense of it all. Today, however, a SIEM system alone is incapable of protecting the corporate network. Security analytics tools are required to precisely measure the level of risk, prevent incidents through correlation and analysis, and accelerate incident detection and remediation through real-time monitoring.
This big data approach to security uses integrated data analytics to provide contextual intelligence, which can help spot and prioritize vulnerabilities and identify risky user behavior – quickly and precisely. Contextual intelligence can be easily applied across an organization to improve efficiency and focus efforts on the most dangerous threats. Security analytics tools are configured to support an organization’s security policy, and integrated with other security solutions such as firewalls.
A critical component of effective security analytics is the sharing of threat intelligence. Threat intelligence is evidence-based information about various types of current or future attacks. This data is organized, analyzed and shared to help organizations understand and guard against specific threats. Threat intelligence can include context, threat indicators, threat actors, bad IP addresses, exploits, and other information about threats that target users, applications and infrastructure. This data is constantly updated to include information on the latest threats.
Because threats are constantly emerging and evolving, threat intelligence from a variety of sources is essential to keeping up with the latest attack methods and malicious software. Threats include SQL injection, distributed denial of service (DDoS), zero-day exploits, advanced persistent threats, phishing and web application attacks. Security analytics tools automatically compare monitored traffic and collected data with threat intelligence to identify malicious activity. This allows you to connect the dots between seemingly isolated, unrelated incidents to spot trends and stop future attacks.
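As an added illustration (not SageNet’s or SIEMonster’s code), here is the indicator-matching and cross-source correlation described above in miniature: centralized firewall and web-server log lines are normalized, checked against a threat-intelligence list of bad IP addresses, and each hit is tied to other events on the same host. The log lines, host names and indicator addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed threat-intelligence feed (hypothetical indicators, TEST-NET addresses).
THREAT_INTEL = {
    "203.0.113.45": "known command-and-control server",
    "198.51.100.7": "credential-stuffing source",
}

# Constructed log lines as they might arrive in a centralized SIEM from two sources.
LOG_LINES = [
    "2016-10-18T09:01:02 fw host=pos-01 action=ALLOW src=10.0.0.5 dst=203.0.113.45 dport=443",
    "2016-10-18T09:01:05 web host=pos-01 client=10.0.0.5 path=/admin status=401",
    "2016-10-18T09:02:10 fw host=kiosk-02 action=ALLOW src=10.0.0.9 dst=192.0.2.10 dport=80",
    "2016-10-18T09:03:44 web host=store-web client=198.51.100.7 path=/login status=401",
    "2016-10-18T09:03:45 web host=store-web client=198.51.100.7 path=/login status=401",
]

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Normalize one 'timestamp source key=value ...' line into a dict."""
    ts, source, rest = line.split(" ", 2)
    event = {"ts": ts, "source": source}
    event.update(KV.findall(rest))
    return event

def match_indicators(events, intel=THREAT_INTEL):
    """Flag every event whose src, dst or client address is a known indicator."""
    hits = []
    for e in events:
        for field in ("src", "dst", "client"):
            if e.get(field) in intel:
                hits.append({**e, "indicator": e[field], "reason": intel[e[field]]})
    return hits

def correlate(events, hits):
    """For each hit, gather events on the same host that came from a different log source."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    return [{"host": h["host"], "indicator": h["indicator"], "reason": h["reason"],
             "related": [e for e in by_host[h["host"]] if e["source"] != h["source"]]}
            for h in hits]

def run(lines=LOG_LINES):
    """Parse, match against threat intel, and correlate; returns one alert per indicator hit."""
    events = [parse(l) for l in lines]
    return correlate(events, match_indicators(events))
```

The first alert shows the point of centralizing logs: the firewall hit on pos-01 is enriched with the web server’s 401 on the same host, which neither source would reveal on its own.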
SageNet runs its Security Operations Center, and many customer environments, on SIEMonster — an open-source SIEM solution with security analytics capabilities. Utilizing modern SIEM and security analytics doesn’t have to consume your entire security budget.
Security analytics and threat intelligence arm organizations with the information they need to alert security teams to threats. Then what? In the next post, we’ll discuss the importance of having a documented incident response plan for addressing threats and attacks.