Tuesday, February 28

Rule-Based Log Correlation: An Alternative Approach

In an article at SYSCON Media, Gorka Sadowski writes about SIEM technologies and specifically about the complexity of event correlation.

Why Rule-Based Log Correlation Is Almost a Good Idea: The Future of SIEM

He points out that there are some challenges with static rule-based correlation. But, he calls it "the engine for the first generation of [SIEM]". That sounds about right. What scares me is that the future solutions to which Sadowski alludes look even more complicated. So, there may be a trade off to get the perceived increase in value.

I have an alternative solution that simplifies things for the SIEM. Over the past few years at NetVision, we've had a number of organizations interested in the NVMonitor solution (now called StealthINTERCEPT) because of its advanced filtering and from-the-source event collection. It doesn't rely on logs and enables a highly advanced ability to filter events as they happen eliminating the need for after-the-fact correlation.

For example, when looking at Active Directory Security Group events, you can return only changes to high-risk groups or changes to business-line groups that are not made by a specified subset of users (even if they may be a domain administrator). These events are pre-filtered and sent to the SIEM only when appropriate. It can also block events, btw, and send the event to the SIEM as an "attempt" rather than an actual event. And of course, it has it's own alerting and response mechanisms built in for real-time, contextual response.

Improved data collection on key source systems may be a better alternative to mathematic modeling from the event archive. Perhaps not in every case, but on core security infrastructure like Active Directory where rules are definable and today's challenge lies in the ability to implement, it's not only better, it's here today and already proven in production environments.

Tuesday, February 14

Finding & Closing Open File Shares

My team has been working on an advanced workflow for finding and closing down open file shares. I think we've really nailed it. At a few customer environments, we've scanned thousands of servers, performed the analysis to discover and prioritize high-risk file shares, and have the complete workflow to tighten the controls and/or shut them down as appropriate. If you have a need in this area, shoot me a note. I'd love to walk through it with you and see if we can help.

Monday, February 13

Is the era of Identity Management behind us?

From a forthcoming paper I'm working on:
The era of identity management is behind us. It’s not that we don’t still need it, but there are plenty of mature solutions on the market to help organizations manage user accounts across systems. Over the past decade, we built the core technologies, added features and workflow, and built numerous useful solutions on top of the platforms. It has all led to this. We’re now in the age of Access Governance.
What do you think? Am I overstating it? The point is simple. We've done a pretty good job figuring out how to help organizations centrally manage user accounts. The question has now shifted to management and audit of rights across the enterprise. It goes beyond the typical Identity Management sandbox. It's not just user accounts in various repositories. It's unstructured data. It's evaluating security policies in addition to share and folder permissions to figure out true file system effective rights. Or where user accounts are being used to run Windows services. Or where they have GPOs applied to them. This is the new frontier.

More to come.