Even for dedicated security personnel, it can be difficult to monitor the millions of messages and log records generated by the multiple edge devices that are generally needed to secure an organisational network. Identifying the patterns that might be developing across such a series of independent devices is even more difficult.
Security event information management (SEIM) has been delivered through dedicated platforms for a decade. Plenty of vendors offer internal management products that combine a core correlation engine, user interface and log collection capabilities.
These systems can help end customers monitor disparate security events generated by VPN software, firewalls, antivirus applications, databases, web servers, intrusion detection systems and various other pieces of the security puzzle. But prices for many of these offerings start at about $50,000 (£32,000) and can run well into the six-figure range for complex environments.
SEIM remains useful, however. This kind of offering has also evolved in response to a fundamental problem with security architecture: the fact that nearly all security offerings are designed and deployed as point solutions. As such, they are not designed to communicate with other security systems, correlate alerts, or provide a larger picture of the entire enterprise.
The need to address this issue has become far more pressing in 2011, as this year has seen hacktivism take cyber attacks to a new level. Many such so-called activist hackers have been using multi-vulnerability attacks for both political and financial gain, and we can expect to see many more of these types of attack in the future.
Examples include the loosely organised group of hackers known around the world as Anonymous. According to Wikipedia, the collective is believed not only to have targeted controversial groups such as the Church of Scientology over the years, but also organisations such as the Epilepsy Foundation and Irish political party Fine Gael.
Denial of service (DoS) and distributed denial of service (DDoS) attacks appear to be the weapon of choice for hacktivists targeting organisational networks. DoS and DDoS are far-reaching and can render the usual network security measures useless.
The answer here is, in part, to combine behavioural analysis technologies with signature detection and rate-based protection. This will require a rethink of perimeter security.
Recent hacktivist attacks have been aimed at multiple vulnerabilities in the network, including network infrastructure equipment, TCP/IP stacks and server applications.
They have combined high-volume DDoS with low and slow attacks, simultaneously generated against multiple vulnerabilities. They also combine application-based attacks such as SQL injection with server reconnaissance and enumeration flurries. These can be simple in execution and complex to fight.
The targets had intrusion prevention tools and firewalls, which proved inadequate on their own. Most had inadequate DoS and DDoS protection.
The solution lies in combining multiple defences, including anti-DoS/DDoS attack tools at the network and application layers, network behavioural analysis with real-time signature writing capabilities, intrusion prevention, app-level active defence mechanisms such as challenge and response, active emergency counterattack strategies and SEIM.
Security managers need a full view of their network and application performance, and this can be achieved through a new information layer providing enterprise-wide security awareness.
SEIM is necessary when combating multi-vulnerability attack campaigns that seek to infiltrate the network through point security offerings, exploiting blind spots that are not covered by standard, out-of-the-box security profiles.
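To make the correlation argument concrete, the following is an added example (not code from the article or from Radware) of the kind of cross-device correlation a SEIM engine performs. It parses constructed log lines from three independent point devices (a firewall, an IDS and a web server; the device names, addresses and formats are invented), normalises them into events keyed by source address, and flags a source when suspicious events arrive from two or more devices inside one time window, or when firewall denies from one source exceed a rate threshold. It assumes all devices log in UTC.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample records from three independent point devices (not real logs).
# Assumption: every device logs timestamps in UTC, so naive datetimes are comparable.
FIREWALL_LOG = """\
2011-09-01T10:00:01 fw01 DENY TCP 198.51.100.7:51000 -> 203.0.113.10:22
2011-09-01T10:00:02 fw01 DENY TCP 198.51.100.7:51001 -> 203.0.113.10:23
2011-09-01T10:00:02 fw01 DENY TCP 198.51.100.7:51002 -> 203.0.113.10:3306
2011-09-01T10:00:03 fw01 ALLOW TCP 198.51.100.7:51003 -> 203.0.113.10:80
2011-09-01T10:05:00 fw01 ALLOW TCP 192.0.2.55:40000 -> 203.0.113.10:80
"""
IDS_LOG = """\
2011-09-01T10:00:02 ids01 alert portscan src=198.51.100.7 dst=203.0.113.10
2011-09-01T10:20:00 ids01 alert portscan src=192.0.2.99 dst=203.0.113.11
"""
WEB_LOG = """\
198.51.100.7 - - [01/Sep/2011:10:00:05 +0000] "GET /login.php?user=admin%27%20OR%201%3D1-- HTTP/1.1" 200 512
192.0.2.55 - - [01/Sep/2011:10:05:01 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) \S+ ([\d.]+):\d+ -> [\d.]+:\d+$")
IDS_RE = re.compile(r"^(\S+) (\S+) alert (\w+) src=([\d.]+) dst=[\d.]+$")
WEB_RE = re.compile(r'^([\d.]+) \S+ \S+ \[(\S+) [^\]]*\] "\S+ (\S+) [^"]*" \d{3} \d+$')
# Crude "quote followed by a boolean operator" hint, checked after URL decoding.
SQLI_HINT = re.compile(r"'\s*(or|and)\b", re.IGNORECASE)
SUSPICIOUS = {"fw_deny", "ids_portscan", "web_sqli"}


def parse_firewall(text):
    """Normalise firewall lines into events; only the source address and verdict matter here."""
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            yield {"ts": datetime.fromisoformat(m.group(1)), "device": m.group(2),
                   "kind": "fw_deny" if m.group(3) == "DENY" else "fw_allow",
                   "src": m.group(4)}


def parse_ids(text):
    """Normalise IDS alerts; the alert name becomes the event kind (e.g. ids_portscan)."""
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            yield {"ts": datetime.fromisoformat(m.group(1)), "device": m.group(2),
                   "kind": "ids_" + m.group(3), "src": m.group(4)}


def parse_web(text):
    """Normalise combined-format web log lines, tagging requests that look like SQL injection."""
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
            kind = "web_sqli" if SQLI_HINT.search(unquote(m.group(3))) else "web_request"
            yield {"ts": ts, "device": "web01", "kind": kind, "src": m.group(1)}


def correlate(events, window=timedelta(minutes=5), deny_threshold=3):
    """Sliding window per source address across all devices.

    A source is flagged when suspicious events come from two or more independent
    devices inside the window (something no single point device can see), or when
    its firewall denies inside the window reach the rate threshold."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    findings = defaultdict(set)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            devices = sorted({e["device"] for e in span if e["kind"] in SUSPICIOUS})
            if len(devices) >= 2:
                findings[src].add("multi-device campaign: " + ", ".join(devices))
            denies = sum(1 for e in span if e["kind"] == "fw_deny")
            if denies >= deny_threshold:
                findings[src].add(f"rate: {denies} firewall denies within {window}")
    return {src: sorted(reasons) for src, reasons in findings.items()}


def run():
    """Collect events from every device and return the correlated findings per source."""
    events = [*parse_firewall(FIREWALL_LOG), *parse_ids(IDS_LOG), *parse_web(WEB_LOG)]
    return correlate(events)


if __name__ == "__main__":
    for src, reasons in run().items():
        print(src, "->", "; ".join(reasons))
```

Run stand-alone, only 198.51.100.7 is reported, with both a multi-device finding (fw01, ids01 and web01 each saw one piece of the campaign) and a rate finding; 192.0.2.99 trips only the IDS and 192.0.2.55 trips nothing, so neither is flagged. In a real deployment the normalisation step is the expensive part: each vendor's format needs its own parser, which is exactly what the commercial platforms the article describes bundle with the correlation engine.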
Maintaining a thorough and effective corporate security policy across a range of point applications and offerings will also require an intelligent overlay that can provide the end-user customer with a chance to leap ahead in a world of ever-emerging threats.
This strategy can help ensure that customers have no blind spots in their IT security architecture or in their overall information security strategy. SEIM that includes detector tools for reporting and directing mitigation defences is helpful, not least in binding together multiple security defences.
Simon Altman is regional director for UK and Ireland at Radware