Security is a Holistic Proposition

Gorka Sadowski



Why Rule-Based Log Correlation Is Almost a Good Idea: The Future of SIEM

Part 7: SIEM as a discipline is great

These past few weeks I published several blogs pointing out the problems with static rule-based correlation: its current limitations, its high TCO, and so on.

Because these solutions have been sold for many years as the be-all and end-all of security problems, they have created false expectations in the industry and among clients.

But SIEM as a general discipline holds plenty of promise, so let's not throw the baby out with the bathwater.

Let's think of static rule-based correlation as the engine for the first generation of Security Information and Event Management (SIEM).

Looking into my crystal ball, the future of SIEM will probably rely heavily on "Business Intelligence"-like tools and methodologies, applied to security problems.

These self-learning systems use mathematical modeling, statistical approaches and data mining primitives to establish patterns of usage and to recognize both short-term and long-term abnormalities. Some of the best algorithms today are even able to perform (basic) predictive analysis and provide an early-warning system as soon as actual behavior deviates from the prediction.

This is not a silver bullet either, and it will require some very smart people working very hard to get something going. And if not properly babysat, these algorithms can sometimes go very wrong... as experienced in automated stock market trading decisions.

The required effort is at the heart of the Catch-22 the industry is facing. SIEM vendors and customers are not pushing and adopting BI-like and data mining approaches because they are very complex to develop, to market and to support, and because there is "market inertia" behind static rule-based correlation.

It is easier to market a high number of default correlation rules than to spend the time and effort to educate the market, articulate the value proposition and develop sophisticated yet easy-to-use tools that offer great protection with low TCO.

Advances in static rule-based correlation have attempted to make the "programming" of these scenarios easier, for example by providing natural language specification for the rules, and frameworks with powerful user interfaces that leverage log normalization and contextual drop-down menus. But sometimes this merely displaces the difficulty into steep learning curves for whole new development paradigms.

Solutions that account for the combinatorial explosion of scenarios and exceptions (as alluded to earlier in this series) can be more or less elegant, but at the heart of these solutions there are nonetheless hundreds or thousands of checks and decisions at the machine level.

Moving forward into new approaches, several vendors have lately proposed statistical calculations and the establishment of time-based patterns as a way to complement or supplement static rule-based correlation. As of now these can be rough around the edges, with for example a coarse time granularity and limited time spans, but they are an indication of what is to come.
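To make the contrast between the two approaches concrete, here is an added example (not code from the original post or from any SIEM product) that runs a static correlation rule and a statistical hourly baseline side by side over a constructed set of failed-login events. The event set, the 5-failures-in-5-minutes rule, the z-score threshold of 3 and the minimum standard deviation of 0.5 are all assumptions chosen for illustration. The burst from a never-seen source is caught only by the rule, because the baseline has no history for it; the slow drip on a known host stays under the rule's window but stands out against that host's learned hourly pattern, which is the complementary relationship the paragraph above describes. The hour-sized buckets also show the coarse time granularity it mentions.

```python
"""Static rule vs. statistical baseline, run over constructed SIEM sample events."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASE = datetime(2012, 1, 1)
CUTOFF = BASE + timedelta(days=3)      # baseline is learned from events before this point


def make_events():
    """Constructed sample of (timestamp, source, outcome) failed-login events."""
    events = []
    # Three days of routine noise from "app1": 1-3 failures per hour, 15 minutes apart.
    for day in range(3):
        for hour in range(24):
            t = BASE + timedelta(days=day, hours=hour)
            for k in range(1 + hour % 3):
                events.append((t + timedelta(minutes=15 * k), "app1", "FAIL"))
    # Day 4, 09:00: a burst of 8 failures in two minutes from a source with no history.
    t = BASE + timedelta(days=3, hours=9)
    for k in range(8):
        events.append((t + timedelta(seconds=15 * k), "10.0.0.5", "FAIL"))
    # Day 4, 12:00: a slow drip on "app1", 12 failures spaced 4 minutes apart.
    t = BASE + timedelta(days=3, hours=12)
    for k in range(12):
        events.append((t + timedelta(minutes=4 * k), "app1", "FAIL"))
    return sorted(events)


def static_rule(events, threshold=5, window=timedelta(minutes=5)):
    """Fire for any source producing >= threshold failures inside a sliding window."""
    by_source = defaultdict(list)
    for ts, src, outcome in sorted(events):
        if outcome == "FAIL":
            by_source[src].append(ts)
    hits = set()
    for src, times in by_source.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] >= window:   # drop timestamps that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                hits.add(src)
    return hits


def hourly_counts(events):
    """Failures per (source, hour bucket): the coarse granularity the text refers to."""
    counts = defaultdict(int)
    for ts, src, outcome in events:
        if outcome == "FAIL":
            counts[(src, ts.replace(minute=0, second=0, microsecond=0))] += 1
    return counts


def learn_baseline(events, cutoff=CUTOFF, span_hours=72, min_sigma=0.5):
    """Per-source mean and standard deviation of hourly counts over the training span.

    Empty hours count as zero; min_sigma (assumed) keeps a flat history from
    turning every small change into a division by near-zero.
    """
    counts = hourly_counts([e for e in events if e[0] < cutoff])
    buckets = [cutoff - timedelta(hours=h) for h in range(1, span_hours + 1)]
    baseline = {}
    for src in {src for src, _ in counts}:
        ns = [counts.get((src, b), 0) for b in buckets]
        baseline[src] = (mean(ns), max(pstdev(ns), min_sigma))
    return baseline


def baseline_anomalies(events, baseline, cutoff=CUTOFF, z_threshold=3.0):
    """Flag (source, hour) buckets after cutoff that sit z_threshold sigmas above normal.

    Sources with no learned baseline are reported separately: the cold-start
    gap a statistical approach has and a static rule does not.
    """
    flagged, unknown = {}, set()
    for (src, hour), n in hourly_counts([e for e in events if e[0] >= cutoff]).items():
        if src not in baseline:
            unknown.add(src)
            continue
        mu, sigma = baseline[src]
        z = (n - mu) / sigma
        if z >= z_threshold:
            flagged[(src, hour)] = round(z, 2)
    return flagged, unknown


def run():
    """Apply both detectors to the constructed events and return their findings."""
    events = make_events()
    rule_hits = static_rule(events)
    flagged, unknown = baseline_anomalies(events, learn_baseline(events))
    return rule_hits, flagged, unknown


if __name__ == "__main__":
    rule_hits, flagged, unknown = run()
    print("static rule fired for:", sorted(rule_hits))
    print("baseline flagged:", flagged)
    print("no baseline yet for:", sorted(unknown))
```

Running it fires the static rule only for the bursting source, while the baseline flags the known host's noon hour with a z-score well above 3 and reports the bursting source as having no history. That cold-start gap and the hour-wide buckets are exactly the rough edges a real deployment has to live with, and why the two approaches are complements rather than replacements.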

The future of SIEM is great!  Well, actually the future is what we make of it, so let's make sure we build ourselves a nice future!!!

Anyway, you bought a static rule-based correlation solution, or are about to purchase one, and you are wondering how to get the most out of it? Read on...

More Stories By Gorka Sadowski

Gorka is a natural born entrepreneur with a deep understanding of Technology, IT Security and how these create value in the Marketplace. He is today offering innovative European startups the opportunity to benefit from the Silicon Valley ecosystem accelerators. Gorka spent the last 20 years initiating, building and growing businesses that provide technology solutions to the Industry. From General Manager Spain, Italy and Portugal for LogLogic, defining Next Generation Log Management and Security Forensics, to Director Unisys France, bringing Cloud Security service offerings to the market, from Director of Emerging Technologies at NetScreen, defining Next Generation Firewall, to Director of Performance Engineering at INS, removing WAN and Internet bottlenecks, Gorka has always been involved in innovative Technology and IT Security solutions, creating successful Business Units within established Groups and helping launch breakthrough startups such as KOLA Kids OnLine America, a social network for safe computing for children, SourceFire, a leading network security solution provider, or Ibixis, a boutique European business accelerator.