Monday, September 15

Situational Awareness in Logs & Events

Anton Chuvakin put together a great list of reading on logs. Are they useful? Are they painful? And more. Included in the list is Michael Baum's brilliantly titled post Life after SIEM. Situational Awareness is next. Baum discusses SIEM technologies and the next evolution. I love his idea of bringing situational awareness into the equation. It's a great way to describe what happens when your monitoring solution does more than compile data. When it is intelligent.

At NetVision, one way that we're working to achieve intelligent monitoring is to limit our scope to the core network platforms. This is where your employees authenticate each morning, and it is their entry point into the network. I see the network authentication as the launchpad into the network. And once you're in, you have potential access to systems and assets. In the real world, this usually means Microsoft Active Directory or Novell eDirectory (and their respective file systems). These core systems are incredibly strategic to overall information systems security. And I posit that they deserve more careful consideration than simple log scraping. Many of our customers agree. They feed our data into their enterprise SIEM or log management solution.

In many smaller organizations (SMEs), full-blown SIEMs and massive log management solutions may not be necessary. For them, full insight into the core network system (often Active Directory and Windows) provides answers to most of their security audit questions. This is especially true if Active Directory is considered strategic and is used by other systems for authentication or authorization (as is often the case with SharePoint). It is also true in environments that rely on Active Directory to feed accounts, attributes, or group memberships into a provisioning system.

To get back to the point, the more an organization leverages Active Directory strategically, the more valuable the concept of situational awareness can be within the monitoring solution. For us, it means having different business rules depending on event variables or policies that update in real time based on environmental changes.
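As an added illustration of the difference between log scraping and context-aware rules (this is example code written for this post, not NetVision's product or Baum's material), the script below evaluates a handful of constructed, simplified directory events against a small "situational" context: which groups and hosts are privileged or critical, what the business hours are, and who currently holds privileged membership. A plain scraper that only looks at the event's own fields flags every after-hours logon; the context-aware rule weighs the same logon by host criticality and account privilege, and it updates its own context when a group-membership change occurs so that later events about the newly privileged account are judged differently. All names, hosts, groups, and the scoring weights are assumptions made up for the example.

```python
"""Context-aware scoring of directory events (added example, not the page's or vendor's code)."""
import copy
from datetime import datetime

# Constructed context: the situational knowledge a monitoring rule can draw on.
CONTEXT = {
    "privileged_groups": {"Domain Admins", "Enterprise Admins"},
    "privileged_users": {"alice"},           # alice is assumed to already be a domain admin
    "critical_hosts": {"DC-01", "FS-02"},    # hypothetical domain controller and file server
    "business_hours": (7, 19),               # hypothetical policy: 07:00-19:00 is normal
}

# Constructed events in a simplified form; these are NOT real Windows event-log records.
SAMPLE_EVENTS = [
    {"ts": "2008-09-15T08:05:00", "type": "logon", "user": "carol", "host": "WS-101"},
    {"ts": "2008-09-15T08:07:00", "type": "logon", "user": "bob", "host": "DC-01"},
    {"ts": "2008-09-15T09:30:00", "type": "group_change", "actor": "alice",
     "target": "bob", "group": "Domain Admins", "action": "add"},
    {"ts": "2008-09-15T23:45:00", "type": "logon", "user": "bob", "host": "DC-01"},
    {"ts": "2008-09-15T23:50:00", "type": "logon", "user": "carol", "host": "WS-101"},
]


def after_hours(event, ctx):
    """True when the event timestamp falls outside the configured business hours."""
    hour = datetime.fromisoformat(event["ts"]).hour
    start, end = ctx["business_hours"]
    return not (start <= hour < end)


def scrape_after_hours(events, ctx):
    """Naive log scraping: flag every after-hours logon regardless of who or where."""
    return [e for e in events if e["type"] == "logon" and after_hours(e, ctx)]


def score_event(event, ctx):
    """Score one event using the context; returns (severity, reasons).

    Mutates ctx when the event itself changes the environment (a privileged
    group gaining a member), so subsequent events are judged with that knowledge.
    """
    severity, reasons = 0, []
    if event["type"] == "logon":
        if event["host"] in ctx["critical_hosts"]:
            severity += 2
            reasons.append("logon to critical host")
        if event["user"] in ctx["privileged_users"]:
            severity += 1
            reasons.append("privileged account")
        if after_hours(event, ctx):
            severity += 1
            reasons.append("outside business hours")
    elif event["type"] == "group_change":
        if event["group"] in ctx["privileged_groups"] and event["action"] == "add":
            severity += 3
            reasons.append("member added to privileged group")
            # Environmental change: the target is privileged from now on.
            ctx["privileged_users"].add(event["target"])
    return severity, reasons


def evaluate(events, ctx, threshold=3):
    """Process events in time order and return those that reach the alert threshold."""
    ctx = copy.deepcopy(ctx)  # work on a copy so the caller's context is untouched
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        severity, reasons = score_event(event, ctx)
        if severity >= threshold:
            alerts.append({"ts": event["ts"], "severity": severity,
                           "reasons": reasons, "event": event})
    return alerts


if __name__ == "__main__":
    print("naive after-hours hits:", len(scrape_after_hours(SAMPLE_EVENTS, CONTEXT)))
    for alert in evaluate(SAMPLE_EVENTS, CONTEXT):
        print(alert["ts"], alert["severity"], "; ".join(alert["reasons"]))
```

On the sample data the naive scraper reports both after-hours logons (carol's workstation logon included), while the context-aware pass raises two alerts: the addition of bob to Domain Admins, and bob's later after-hours logon to the domain controller, which now scores higher because the earlier membership change updated the context. The same carol logon stays below threshold.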

I don't agree that SIEMs are dead. But organizations seem to want more than stockpiles of data. And it's extremely important to use context when processing events from core systems.
