Simplifying audit and extracting procedures for millions of security events.
The majority of big organisations, particularly those in finance, have made considerable investments in developing Security Information and Event Management (SIEM) systems to increase the security of their assets against external and internal risks. These systems collect streams of security log events from sources such as firewalls and IDS/IPS, and try to correlate them to identify suspicious behaviour. It is like trying to find a needle in a haystack - typically, one particular event in 20 million results in a security incident seriously worth investigating.
At Security Information Event Management, we think that most SIEM systems are defective in essence because they use a blacklisting behaviour framework; put simply, you need to know beforehand the behaviour of each and every potential malicious event and write a matching correlation rule to be activated by it. The fact is that this isn't possible. Blacklisting is the same security model as signature-based anti-virus: most anti-virus applications can filter the viruses they already know about but cannot filter new trojans for which no signature yet exists; this is known as the zero-day problem. In the same way, the zero-day problem holds true for most <a href="http://securityinformationeventmanagement.com/">Security Information and Event Management</a> systems - the sole thing you can be certain of is that your correlation rule-base is incomplete. That is inadequate for today's major banks and financial institutions, which are under daily attack from remarkably well-informed cyber-criminals who know how SIEM solutions work and have learned to avoid triggering them. It is easier still to avoid them if you are an insider working in IT, perhaps as a long-term contract database administrator. According to the Verizon Breach Report, 17% of data breaches implicated insiders.
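The contrast drawn above, between a rule-base that only fires on patterns written in advance and a profile of what each user normally does, can be shown on a handful of audit records. The following is an added example, not code from the original post or from any SIEM product. All events, user names, IP addresses (TEST-NET ranges) and the "known bad" address are constructed for the illustration; the two small detectors are deliberately minimal stand-ins for a correlation engine and a per-user behavioural baseline.

```python
from collections import defaultdict

# Constructed sample data (not taken from the original page).
BAD_IPS = {"203.0.113.7"}          # a hypothetical "known bad" address
FAILED_LOGIN_THRESHOLD = 5         # blacklist rule: N failed logins by one user


def ev(event_id, user, src_ip, action, obj):
    """Build one constructed audit record."""
    return {"id": event_id, "user": user, "src_ip": src_ip,
            "action": action, "object": obj}


# A clean training window: what each user was seen doing before.
HISTORY = [
    ev(101, "dba01", "10.0.0.5", "query", "accounts"),
    ev(102, "dba01", "10.0.0.5", "backup", "accounts"),
    ev(103, "alice", "10.0.0.9", "login", "-"),
    ev(104, "alice", "10.0.0.9", "login_failed", "-"),
    ev(105, "bob", "10.0.0.12", "login", "-"),
]

# The window under review: a brute-force pattern, a login from a listed
# address, and a contract DBA exporting a table he has never touched before.
EVENTS = [
    ev(1, "dba01", "10.0.0.5", "query", "accounts"),
    ev(2, "dba01", "10.0.0.5", "query", "accounts"),
    ev(3, "dba01", "10.0.0.5", "backup", "accounts"),
    ev(4, "alice", "10.0.0.9", "login_failed", "-"),
    ev(5, "alice", "10.0.0.9", "login_failed", "-"),
    ev(6, "alice", "10.0.0.9", "login_failed", "-"),
    ev(7, "alice", "10.0.0.9", "login_failed", "-"),
    ev(8, "alice", "10.0.0.9", "login_failed", "-"),
    ev(9, "bob", "203.0.113.7", "login", "-"),
    ev(10, "dba01", "10.0.0.5", "export", "customer_pii"),
]


def run_blacklist(events):
    """Signature-style correlation: fire only on patterns written in advance.
    Returns {event_id: rule_name} for every event that triggered a rule."""
    alerts = {}
    failures = defaultdict(int)
    for e in events:
        if e["src_ip"] in BAD_IPS:
            alerts[e["id"]] = "known_bad_ip"
        if e["action"] == "login_failed":
            failures[e["user"]] += 1
            # Fire once, on the event that crosses the threshold.
            if failures[e["user"]] == FAILED_LOGIN_THRESHOLD:
                alerts[e["id"]] = "brute_force"
    return alerts


def build_baseline(history):
    """Learn, per user, the set of (action, object) pairs seen in a clean window."""
    baseline = defaultdict(set)
    for e in history:
        baseline[e["user"]].add((e["action"], e["object"]))
    return baseline


def detect_deviations(events, baseline):
    """Flag events whose (action, object) pair the user has never performed."""
    return [e["id"] for e in events
            if (e["action"], e["object"]) not in baseline.get(e["user"], set())]


if __name__ == "__main__":
    print("blacklist alerts:", run_blacklist(EVENTS))
    print("baseline deviations:", detect_deviations(EVENTS, build_baseline(HISTORY)))
```

Run on the constructed window, the blacklist catches the brute-force attempt and the login from the listed address but is silent on event 10, because nobody wrote a rule for "DBA exports customer_pii"; the baseline flags event 10 alone, since that pair never appeared in the user's history. Neither detector subsumes the other, which is why a rule-base alone leaves the gap the post describes.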
The same survey had some damning statistics about the effectiveness of 'internal active' methods of security breach detection and the amount of forensic evidence to be found in logs when a breach was discovered. In only 6% of cases did an organisation's engineered security initiatives detect the breach. Worse still, in 69% of the security breaches evaluated there was clear forensic proof of the breach available within the audit logs, yet it wasn't detected, and in 31% there wasn't any forensic evidence available at all. That adds up to 94% ineffective detection of security breaches - an incredibly poor return on investment in security technology.