Audit and Monitoring


Context: Network Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) have traditionally been deployed, with varying degrees of success, at the infrastructure perimeter, using rule-based approaches to identify misuse as well as anomaly-based approaches that establish a baseline of normal behaviour and flag patterns that deviate from it.

However, as the notion of security as solely a walled perimeter fades, ever-improving security monitoring approaches that protect key critical infrastructures are needed, and IDS/IPS approaches need to be complemented with other monitoring approaches that start from the assumption that a given infrastructure has already been breached.

SIEM solutions are aligned with this holistic notion, supporting security monitoring in regulated industries in particular while also supporting audit compliance requirements. SIEM solutions aggregate logs in multiple formats, support both real-time and aggregate analysis, and generate complex event data from atomic logs using Complex Event Processing (CEP) approaches, yielding actionable intelligence and supporting IT decision making.


Challenges – Technology Gaps: IDS, IPS and SIEM-based approaches can suffer from false positives, where legitimate behaviour is mistakenly interpreted as malicious. Minimising such false positives is key to increasing the effectiveness and adoption potential of such solutions. The robustness of monitoring solutions also needs to be considered: they must withstand flooding via DDoS attacks and malicious disablement of the monitoring itself. Monitoring packets or payloads that are already encrypted can also leave attacks undetected.
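The two ideas above, deriving complex events from atomic logs (CEP) and tuning a rule so that ordinary user mistakes do not raise false positives, can be shown together in a small pipeline. The following is an added example written for this page, not code from any SIEM product or project mentioned here: it normalises two constructed log formats (an OpenSSH-style auth log and a web server access log; all hosts, users and addresses are made up) into atomic events, then applies a sliding-window correlation rule. The rule, window size and threshold names (`correlate`, `WINDOW`, `FAIL_THRESHOLD`) are assumptions chosen for illustration.

```python
"""Minimal SIEM-style pipeline: normalise heterogeneous logs into atomic
events, then correlate them into a complex event with a windowed rule.
Added example with constructed sample data; not taken from the page."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs (RFC 5737 documentation addresses, invented users).
SSH_LOG = """\
2024-05-01T10:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 5001 ssh2
2024-05-01T10:00:03 sshd[101]: Failed password for admin from 203.0.113.7 port 5002 ssh2
2024-05-01T10:00:05 sshd[101]: Failed password for admin from 203.0.113.7 port 5003 ssh2
2024-05-01T10:00:07 sshd[101]: Accepted password for admin from 203.0.113.7 port 5004 ssh2
2024-05-01T10:30:00 sshd[102]: Failed password for bob from 198.51.100.9 port 6001 ssh2
2024-05-01T10:30:02 sshd[102]: Accepted password for bob from 198.51.100.9 port 6002 ssh2
"""
WEB_LOG = """\
203.0.113.7 - - [01/May/2024:10:00:02 +0000] "POST /login HTTP/1.1" 401 12
203.0.113.7 - - [01/May/2024:10:00:04 +0000] "POST /login HTTP/1.1" 401 12
"""

SSH_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
                    r"for (?P<user>\S+) from (?P<ip>\S+)")
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Rule parameters (assumed values): failures within WINDOW from one source
# followed by a success. The threshold is what keeps a single mistyped
# password (user "bob" below) from producing an alert.
WINDOW = timedelta(minutes=5)
FAIL_THRESHOLD = 3


def parse_ssh(line):
    """Map one sshd line to an atomic event, or None if it is not an auth result."""
    m = SSH_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src_ip": m["ip"], "user": m["user"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure", "source": "sshd"}


def parse_web(line):
    """Map one access-log line for the login endpoint to an atomic event."""
    m = WEB_RE.match(line)
    if not m or "/login" not in m["req"]:
        return None
    ts = datetime.strptime(m["ts"].split(" ")[0], "%d/%b/%Y:%H:%M:%S")
    status = int(m["status"])
    outcome = "failure" if status == 401 else ("success" if status < 300 else None)
    if outcome is None:
        return None
    return {"ts": ts, "src_ip": m["ip"], "user": None, "outcome": outcome, "source": "web"}


def normalise(ssh_text, web_text):
    """Aggregate both log formats into one time-ordered stream of atomic events."""
    events = []
    for line in ssh_text.splitlines():
        e = parse_ssh(line)
        if e:
            events.append(e)
    for line in web_text.splitlines():
        e = parse_web(line)
        if e:
            events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Sliding-window CEP rule: emit a complex event when a source accumulates
    at least `threshold` failures (across all log sources) within `window`
    and then succeeds. Below-threshold failures are dropped silently."""
    recent = defaultdict(deque)  # src_ip -> timestamps of failures still inside the window
    alerts = []
    for e in events:
        q = recent[e["src_ip"]]
        while q and e["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if e["outcome"] == "failure":
            q.append(e["ts"])
        elif e["outcome"] == "success" and len(q) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "src_ip": e["src_ip"],
                           "user": e["user"], "failures": len(q),
                           "window_start": q[0], "ts": e["ts"]})
            q.clear()  # one complex event per burst, not one per later success
    return alerts


def run_example():
    """Run the pipeline over the constructed logs and return the complex events."""
    return correlate(normalise(SSH_LOG, WEB_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the sample data, 203.0.113.7 accumulates five failures across the two log sources before succeeding and produces one complex event, while bob's single failed attempt followed by a success stays below the threshold and raises nothing; raising or lowering `FAIL_THRESHOLD` and `WINDOW` is the kind of tuning the false-positive discussion refers to.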

Next-generation SIEM approaches are significantly impacted by emerging technology infrastructures (Cloud, IoT, Big Data) and the advent of the future internet. Cloud computing creates the potential need for SIEMs to be deployed in more distributed, shared network infrastructures involving co-ordination of multiple parties. Big Data trends are greatly increasing the scale and volume of security data that SIEMs need to manage, as well as changing the nature of the events generated in line with new kinds of threat; however, Big Data platforms are also facilitating more advanced forms of analytics within SIEM feature sets, such as predictive analytics and monitoring [GAR12]. Multi-layer analysis (physical, business, application and service level) is also a desired goal (as targeted by the MASSIF FP7 project). Other desired advancements include improved decision support and simulation functionality to understand the feasibility and impact of potential attack countermeasures, advanced security visualisation and usability, and increased elasticity and scalability of SIEM processing, improving on existing commercial solutions such as IBM QRadar, HP ArcSight, Symantec and Novell Sentinel among others.

Existing auditing and monitoring technologies also need to be sufficiently robust and resilient to handle new potential threats to critical information infrastructures (CIIs). This involves endowing systems with the capacity to defeat extreme adversary power (severe and continued threats) and to sustain perpetual, unattended operation, ideally in a systematic and automatic way.

[GAR12] Gartner, Information Security Is Becoming a Big Data Analytics Problem, 23 March 2012.
