Digitalization means that more and more valuable information is being stored, while the technical boundaries between companies and the cloud are becoming blurred. This creates a significantly larger attack surface, one that protective security measures on their own are no longer sufficient to cover. In view of the constantly changing threat situation and growing complexity, many companies are repositioning themselves and forming cyber defense and security operations center teams. Human intelligence is required to maintain the ability to act and to avert damage in an emergency. Damage can only be averted by keeping up to date with the current threat situation, reliably identifying attacks and knowing your own vulnerabilities. However, security teams depend on reliable systems in order to act promptly and adequately.
Reducing security to a common denominator
Every company’s IT security typically consists of a large number of isolated solutions. Ultimately, the IT infrastructure, the network and access to business solutions, portals and services, whether internal, hosted or from the cloud, must be effectively protected against unauthorized access. Firewalls, email gateways, mobile device management systems, web application firewalls, identity and access management, anti-spam solutions, unified threat management, user directories, operating systems and servers: the list of products and solutions for IT security is long. Each of these components plays its part, but they are primarily preventive in nature and exist to stop attacks before they happen.
The whole is more than the sum of its parts
IT security is not achieved, or not only achieved, through the use of preventive tools. In view of the current threat situation, every functioning cyber defense organization depends on a balanced IT security landscape consisting of systems for prevention, identification and response. Rapidly identifying incidents and responding to them appropriately is essentially a question of functioning processes that go hand in hand with suitable tools. One such tool is a central Security Information and Event Management system (SIEM), which is key to dealing with threats and greatly facilitates risk management. A SIEM brings together all the threads needed for a well-founded analysis of security risks: it is a meta-tool that combines the internal view (vulnerability management, logging and monitoring) with the external view of the threats (threat intelligence) and makes both efficiently usable.
Interoperability as a key factor
SIEM can take IT security to a new level and is a further decisive step towards better information security for companies that already use all the traditional prevention tools. SIEM projects can only succeed within a reasonable time if a high level of interoperability is achieved across the entire security infrastructure. For SIEM tools, interoperability is more than an empty phrase: it is the key that makes it possible to use all the information provided by security products (e.g. logs, events, audit trails) in a meaningful way and to squeeze a little more value out of each individual security component.
The role of logs and sensor data
SIEM tools need “food” to become really good: the more varied and high-quality the feed, the better they perform. This is where the clever SIEM vendors rub their hands, because their license models are based on the amount of data processed per unit of time. When companies, in their SIEM euphoria, feed as much data as possible into their security information and event management, the cash registers ring. But data is only one side of the coin; logic is the other. More important than the highest possible volume of data is the selection of truly relevant data and its logical processing into usable information.
Firewall log data is among the most useful and most frequently collected information for detecting attacks on the corporate network. Firewalls sit directly at network nodes and examine a large part of a company’s data traffic. This vantage point gives insight into the activities within the company and thus makes it possible to detect malicious activity.
Data from LDAP and other user directories, or from web application firewalls, is also extremely useful for discovering the source of misuse, narrowing it down and taking targeted measures against it.
One of the main sources for detecting anomalies in a company network is NetFlow data. NetFlow records the address data of the IP traffic and thus contains the metadata of all communication in a (distributed) network, i.e. it shows who communicated with whom, when, and via which route.
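The paragraphs above describe what firewall and NetFlow metadata let a defender see: who talked to whom, when, and how much. The following Python snippet is an added example, not code from the original article or from United Security Providers. It runs two simple anomaly checks over constructed NetFlow-style records: a fan-out check (one source touching many distinct ports on one destination) and an egress-volume check (an internal host sending unusually much data to external addresses). The record fields, the 10.0.0.0/8 internal range and the thresholds are assumptions chosen for illustration; a real deployment would tune them to its own baseline.

```python
"""Simple anomaly checks over NetFlow-style flow records.

Added example: the records below are constructed for illustration and do
not come from any real NetFlow export; the field names, the internal
address range and the thresholds are our own assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed: everything in 10.0.0.0/8 is "inside", everything else "outside".
INTERNAL = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    ts: int          # flow start, seconds since epoch (constructed values)
    src: str         # source IP
    dst: str         # destination IP
    dport: int       # destination port
    proto: str       # transport protocol
    bytes_out: int   # bytes sent from src to dst in this flow


# Constructed sample flows: 10.0.1.5 touches 25 different ports on one
# server (scan-like fan-out); 10.0.3.7 pushes ~800 MB to an external host;
# the remaining flows are ordinary background traffic.
SAMPLE_FLOWS = [
    Flow(1000 + i, "10.0.1.5", "10.0.2.20", 1000 + i, "tcp", 60) for i in range(25)
] + [
    Flow(1100, "10.0.1.9", "10.0.2.20", 443, "tcp", 4_000),
    Flow(1110, "10.0.1.9", "10.0.2.21", 443, "tcp", 5_000),
    Flow(1200, "10.0.3.7", "203.0.113.10", 443, "tcp", 800_000_000),
    Flow(1300, "10.0.3.8", "203.0.113.11", 443, "tcp", 2_000),
]


def port_fanout(flows, min_ports=20):
    """Return sorted (src, dst) pairs where src hit at least min_ports
    distinct destination ports on dst: a classic sign of port scanning."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst)].add(f.dport)
    return sorted(pair for pair, ps in ports.items() if len(ps) >= min_ports)


def egress_volume(flows, threshold_bytes=500_000_000):
    """Return {src: total_bytes} for internal hosts that sent more than
    threshold_bytes to external addresses: a possible data exfiltration signal."""
    totals = defaultdict(int)
    for f in flows:
        if ip_address(f.src) in INTERNAL and ip_address(f.dst) not in INTERNAL:
            totals[f.src] += f.bytes_out
    return {src: b for src, b in totals.items() if b > threshold_bytes}


def run(flows=SAMPLE_FLOWS):
    """Run both checks and return their findings in one dict."""
    return {"fanout": port_fanout(flows), "egress": egress_volume(flows)}


if __name__ == "__main__":
    for check, findings in run().items():
        print(check, findings)
```

Both checks work purely on metadata, which is exactly why NetFlow is so valuable for a SOC: no payload inspection is needed, and the same records can be correlated in the SIEM with firewall and directory logs to attribute a flagged host to a user or session.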
Interoperability is important
The effectiveness of a Security Defense Center must not be undermined by a lack of standards. A very important criterion when procuring IT security solutions is therefore compatibility in data exchange. Solutions should be able to pass their recorded data on to other tools in the IT security landscape as simply as possible. This requires suitable interfaces and data formats so that the logged data can be imported automatically, for example into a SIEM, with just a few clicks and combined into an overall picture.
Smart tool selection is rewarded (example: WAF and SIEM)
Today, nothing works without a web application firewall (WAF): it sits centrally in front of all applications, portals and services accessible via the Internet and protects them from unauthorized access. Given the upstream role of a WAF in many companies’ application landscapes, it is important that the data collected there can be transferred simply and easily to a security information and event management system.
The USP Secure Entry Server®, the web application firewall from United Security Providers, supports out-of-the-box integration with common external IT security systems thanks to a central intelligent data layer built on the latest big data technology. HP ArcSight is a clear illustration: the relevant data is available in a standardized USP key-value format (key-value pairs) and, if required, can easily be translated into the Common Event Format (CEF) supported by HP ArcSight, which allows close integration with this SIEM solution. The Splunk App developed by terreActive for the USP Secure Entry Server® is available as a monitoring and analysis tool. The USP Secure Entry Server® also communicates easily with tools such as Kibana and monitoring tools such as Icinga and Nagios, enabling Security Operations Centers to ensure seamless monitoring of the infrastructure with few resources.
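The paragraph above mentions translating key-value WAF events into CEF for ArcSight; the earlier section on logs and sensor data argues for forwarding only relevant data rather than everything. The Python snippet below is an added example illustrating both points and is not code from United Security Providers or from the USP Secure Entry Server. The key=value lines are constructed and do not reproduce the product's real output format; the source field names, the vendor/product strings and the relevance rule are assumptions. The CEF layout itself (`CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension`, with `|` and `\` escaped in the header and `=` and `\` escaped in extension values) follows the published CEF specification.

```python
"""Translate key=value WAF events into ArcSight Common Event Format (CEF).

Added example for this article: the key=value lines below are constructed
for illustration and are NOT the USP Secure Entry Server's real output; the
field names, vendor/product strings and the relevance rule are assumptions.
"""
import shlex

# CEF extension keys (right-hand side) come from the CEF specification; the
# left-hand names are our constructed source keys. Source keys without a
# mapping are dropped on purpose: forward what analysts need, not everything
# the sensor emits, which also keeps volume-based SIEM licensing in check.
EXTENSION_MAP = {
    "src_ip": "src",
    "dst_ip": "dst",
    "dst_port": "dpt",
    "url": "request",
    "method": "requestMethod",
    "user": "suser",
    "action": "act",
    "msg": "msg",
}

# Constructed sample events: one blocked request carrying characters that
# need CEF escaping, and one routine allowed request of low severity.
SAMPLE_LINES = [
    'event_id=WAF-BLOCK name="Request blocked" severity=7 src_ip=198.51.100.23 '
    'dst_ip=10.0.2.20 dst_port=443 method=GET url="/login?user=a|b" '
    'action=block msg="Rule matched: id=1001"',
    'event_id=WAF-ALLOW name="Request allowed" severity=2 src_ip=198.51.100.24 '
    'dst_ip=10.0.2.20 dst_port=443 method=GET url="/" action=allow',
]


def parse_kv(line):
    """Parse 'k=v k2="v with spaces"' into a dict using shell-style quoting."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def escape_header(value):
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """CEF extension values: backslash, equals sign and line breaks must be escaped."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event, vendor="ExampleVendor", product="ExampleWAF", version="1.0"):
    """Build one CEF:0 line from a parsed event dict."""
    header = [vendor, product, version,
              event["event_id"], event["name"], event["severity"]]
    extension = " ".join(
        f"{cef_key}={escape_extension(event[src_key])}"
        for src_key, cef_key in EXTENSION_MAP.items() if src_key in event)
    return "CEF:0|" + "|".join(escape_header(h) for h in header) + "|" + extension


def is_relevant(event, min_severity=4):
    """Assumed relevance rule: forward every block, plus anything at or above min_severity."""
    return event.get("action") == "block" or int(event.get("severity", 0)) >= min_severity


def forward(lines=SAMPLE_LINES, min_severity=4):
    """Parse, filter and convert; returns the CEF lines that would be sent to the SIEM."""
    events = (parse_kv(line) for line in lines)
    return [to_cef(e) for e in events if is_relevant(e, min_severity)]


if __name__ == "__main__":
    for cef_line in forward():
        print(cef_line)
```

Running the block emits a single CEF line for the blocked request; the `=` inside the URL and inside the rule message is escaped so that ArcSight's extension parser does not split the value. The allowed request is dropped by the relevance rule before conversion, which is the "logic over volume" point made earlier in the article.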
Conclusion: those who stay agile win
The threat situation will continue to intensify and change ever more dynamically. Being able to react quickly to new, unexpected challenges will therefore become even more important in the future. Flexibility and interoperability are important tools for ensuring a minimum level of security. Security vendors must take the needs of cyber defense teams into account; they can score points with highly compatible products and with the insight that those products only ever function as part of a whole within the security system.