Security Information and Event Management (SIEM) has long been a critical part of an organization’s security posture, protecting against cyberthreats ranging from insider threats and denial of service to advanced threats. The adoption of SIEM solutions is only growing. As per Gartner’s Forecast Analysis: Information Security, Worldwide, 1Q18 Update, the global information security market is forecast to grow at a CAGR of 7.8% to reach $143.3 billion in 2022, with security testing, IT outsourcing and SIEM among the fastest-growing security subsegments driving growth in the infrastructure protection and security services segments. According to Gartner, no single technology, such as CLM, UEBA, NTA, SOAR or EDR, can replace the entire set of SIEM capabilities. Additionally, Global Security Information and Event Management Market 2017-2021 estimates that the SIEM market will grow at more than 12 percent CAGR over the next four years to $5.93 billion by 2021. Since inception, the promise of SIEM has been:
- Comprehensive visibility into Network, Endpoints, Data and Applications
- Correlation across point security solutions
- Contextual intelligence for response actions
- Streamlined compliance reporting
- Effective analytics and pertinent information for the security teams
Legacy SIEM: The Good, The Bad, and The Ugly
SIEMs do a good job of centralized analysis and reporting: they aggregate, index and store logs from different data sources, correlate this information for incident investigation, and support compliance reporting through analysis of historical data. Yet most organizations today fail to derive the best value out of SIEM because of its implementation complexity, operational challenges, and total cost of ownership (TCO). Further, with an increased attack surface from the adoption of hybrid cloud networks, sophisticated threat vectors and a high volume of incidents, compliance laws getting more stringent, limited security budgets and a security skills shortage, businesses today need SIEM technology that is driven by analytics, uses behavioral analysis for current and historical context, automates certain SIEM-generated tasks, provides greater visibility of network traffic moving across the organization, and understands and analyzes threat indicators to improve the overall security posture.
Modern SIEM vs. Seceon aiSIEM
To circumvent the challenges of traditional SIEM platforms, Gartner defines the modern SIEM (read: SIEM Technology Assessment) as one that works with more than just log data and applies more than simple correlation rules for data analysis. Some of the key capabilities include large-scale and more robust data collection from cloud and other modern IT data sources, collection and analysis of logs and data from networks and endpoints, incorporation of threat intelligence feeds for correlation and enrichment, enhanced data analytics beyond rules, fast and scalable search over volumes of raw data and, most importantly, automated response.
Seceon® aiSIEM is a modern security information and event management platform built on a Big/Fast Data architecture that visualizes, detects and eliminates threats in real-time, with continuous security posture improvement, compliance monitoring and reporting, and policy management. It is a powerful complement to Next-Generation Firewalls (NGFW), empowering Enterprises and MSSPs to detect and eliminate all known and unknown cyber threats in real-time. It uses elastic compute power, dynamic threat models, behavioral analytics, advanced machine learning (ML) and AI with actionable intelligence, together with proprietary feature engineering and anomaly detection algorithms that do not need daily tuning. It goes beyond using log data, simple correlation of events and rule application to enhance an organization’s security posture, provides zero-trust security in the digital era, and dramatically lowers SOC operational cost.
The key salient features of aiSIEM solution are:
- Robust, large-scale data collection from cloud and all data sources (network, endpoints, identities, etc.) on a streaming platform, which scales to handling billions of events per second with context
- Analyzes logs & data and incorporates threat intelligence feeds for correlation and enrichment
- Enhanced data analytics beyond rules with contextual real-time alerts for “threats-that-matter” and automated response
- Simplified licensing for comprehensive threat detection
- Scalable architecture with support for multi-tenancy & data segregation
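The correlation-and-enrichment capability listed above, worked through as an added example (this is not Seceon’s or Gartner’s code): events from three point solutions are enriched against a threat-intelligence feed and only the combination that matters raises an alert. The feed entries, hosts, users and log events are all constructed for the example.

```python
"""Added example: cross-source correlation with threat-intel enrichment.
All indicators, hosts and events below are constructed, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intelligence feed: indicator -> context attached on enrichment.
THREAT_INTEL = {
    "198.51.100.77": {"type": "c2", "confidence": "high"},
    "evil-updates.example": {"type": "malware-distribution", "confidence": "medium"},
}

# Constructed events from an identity provider (idp), an endpoint agent (edr)
# and a firewall (fw), already normalised to one schema by the collector stage.
EVENTS = [
    {"ts": "2024-03-01T10:00:01", "src": "idp", "host": "ws-42", "user": "alice", "action": "login_failed"},
    {"ts": "2024-03-01T10:00:05", "src": "idp", "host": "ws-42", "user": "alice", "action": "login_failed"},
    {"ts": "2024-03-01T10:00:09", "src": "idp", "host": "ws-42", "user": "alice", "action": "login_ok"},
    {"ts": "2024-03-01T10:02:30", "src": "edr", "host": "ws-42", "user": "alice", "action": "new_process", "proc": "powershell.exe"},
    {"ts": "2024-03-01T10:03:10", "src": "fw", "host": "ws-42", "user": "alice", "action": "outbound", "dst": "198.51.100.77"},
    {"ts": "2024-03-01T11:30:00", "src": "fw", "host": "ws-07", "user": "bob", "action": "outbound", "dst": "203.0.113.9"},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def enrich(event: dict) -> dict:
    """Attach threat-intel context when the event references a known indicator."""
    indicator = event.get("dst")
    if indicator in THREAT_INTEL:
        return {**event, "ti": THREAT_INTEL[indicator]}
    return event


def correlate(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Raise one contextual alert per host when, inside the window before a
    threat-intel hit, the identity source shows failed logins followed by a
    success and the endpoint source shows a new process. Each signal alone is
    noise; together they are a 'threat that matters'."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(enrich(e))
    alerts = []
    for host, evs in by_host.items():
        failed = [e for e in evs if e["action"] == "login_failed"]
        ok = [e for e in evs if e["action"] == "login_ok"]
        procs = [e for e in evs if e["action"] == "new_process"]
        for hit in (e for e in evs if "ti" in e):
            t = parse_ts(hit["ts"])
            in_win = lambda e: t - window <= parse_ts(e["ts"]) <= t
            if any(map(in_win, failed)) and any(map(in_win, ok)) and any(map(in_win, procs)):
                alerts.append({
                    "host": host, "user": hit["user"], "indicator": hit["dst"], "ti": hit["ti"],
                    # Sources that contributed evidence, so the analyst sees the context at once.
                    "evidence": [e["src"] for e in evs if in_win(e)],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```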
To highlight the differences, here’s a simple comparison chart based on Gartner’s definition of modern SIEM. I have included the Legacy SIEM in the chart to provide a clear perspective on where we are coming from and where we are going.
Posted by Arun Gandhi
Arun works as the Director at Seceon leading product management and marketing with responsibility for driving strategic Go-To-Market initiatives, positioning, customer use cases, and executive engagements with customers & partners.
Prior to Seceon, Arun held various technical and leadership roles in Product Management, Strategy, Marketing and Engineering at Juniper Networks, NetBrain Technologies, and Misys Plc (now Finastra). With more than 17 years of experience with startups and global brands, Arun’s experience includes product management, business strategy, high profile customer engagements, product marketing, sales enablement, positioning of emerging technologies, strategic analysis, development & test for security, networking, and cloud technologies in the Service Provider and Enterprise Markets.
Arun presently lives in Boston and enjoys reading and spending time with family.
This piece was written specifically to demystify some of the confusion regarding DATA LEAK PREVENTION, DLP. I’ll therefore crave your indulgence to thoroughly peruse its contents.
Most network security products (IPS/IDS) focus on keeping the bad guys — Trojans, viruses and hackers — outside of the network, but data loss prevention (DLP) keeps the good stuff — sensitive enterprise data — in. With more business data leaks tainting the reputations of companies, it’s important not only to keep your information secure but to keep it from getting into the wrong hands.
Marketers use various terms when they refer to DLP. Some examples I’ve seen are information leak prevention (ILP), content monitoring and filtering (CMF) and extrusion prevention system.
What you might ask at this point is: is there a difference among any of those terms? I would say DLP [data loss prevention] is the industry-wide term. Usually where some of the other [terms come in] might be a company trying to differentiate themselves.
Just so you know, there’s no difference between data loss prevention and data leakage prevention.
Another salient question that often comes to mind is: how does DLP fit in terms of network security, and how does [DLP] mesh in with what already [exists]? Five years ago, everything in security used to be [based on] trying to keep the bad people out…. But now the problem that enterprises are really trying to grapple with is how to protect their confidential data — whether it’s customer data from PCI, like charge card data, or it’s health records or just intellectual property — and that’s a huge problem. It’s a big business problem because as it gets out, businesses have to disclose the breach, and they have to track it down, and then it just gets nasty, “nasty” being my technical term.
So there’s a big demand to help businesses make sure that their data stays secure in the data center and that as it moves around their network, there are controls in place to make sure it doesn’t escape in an unauthorized manner. In a nutshell, that’s the whole deal with DLP – just to protect the crown jewels [corporate data], so to speak. The characteristics of DLP are almost like a backward firewall . . . DLP looks at data flowing out of your network and [asks] ‘Is this data something I care about? Is it confidential?’
In some of the presentations that I’ve made in the past, I often come across questions like, How is DLP different from Network Access Control (NAC)? Is there a difference or similarity between NAC and DLP? My answer is Yes! All the other stuff, like network access control, is more geared toward keeping malicious code out of the network. It’s more oriented toward: “Is your antivirus installed? Do you have all the right patches in place?” It comes much more from an operational integrity issue than from a data leak issue.
The characteristics of DLP are almost like a backward firewall. Where a firewall looks at data coming into the network and says, “Do I want to allow this?” DLP looks at data flowing out of your network and says, “Is this data something I care about? Is it confidential?”
In the network, it actually looks at the data packets and data flow. Instead of … looking for attacks, it finds [traffic] that’s actually confidential data and then makes a decision on whether or not to allow that to go forward. It might also interest you to note that there are other ways information leaks from the network besides email. DLP tracks these leaks as well.
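The “backward firewall” decision described above, as an added example that is not part of the original post: an outbound message is inspected for payment-card numbers (the PCI case mentioned earlier), and the verdict is allow, allow-with-audit, or block depending on whether the destination is an approved partner. The policy, partner domain, messages and card numbers are all constructed for the example.

```python
"""Added example: egress content inspection for card data (DLP 'backward firewall').
Messages, domains and card numbers below are constructed test values."""
import re

# 13 to 16 digits, optionally separated by spaces or dashes, on word boundaries.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum separates real card numbers from random digit runs
    (order ids, phone numbers), which keeps false positives down."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, separators stripped."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the first six and last four digits so the audit log never stores a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify_egress(message: dict, policy: dict) -> dict:
    """Answer 'is this data something I care about?' for one outbound message
    and decide what to do with it. policy['trusted_partners'] lists domains
    allowed to receive card data, subject to audit."""
    pans = find_pans(message["body"])
    if not pans:
        return {"action": "allow", "reason": "no sensitive data found"}
    dest_domain = message["to"].rsplit("@", 1)[-1].lower()
    masked = [mask(p) for p in pans]
    if dest_domain in policy["trusted_partners"]:
        return {"action": "allow_and_audit", "pans": masked,
                "reason": "card data to approved partner"}
    return {"action": "block", "pans": masked,
            "reason": f"card data to unapproved domain {dest_domain}"}


# Constructed policy and outbound messages (test card numbers, not real accounts).
POLICY = {"trusted_partners": {"partner.example"}}
MESSAGES = [
    {"to": "billing@partner.example", "body": "Settlement for card 4111 1111 1111 1111, thanks."},
    {"to": "me@webmail.example", "body": "Backup of customer list: 5500-0000-0000-0004 and more."},
    {"to": "ops@supplier.example", "body": "Order 1234567890123 has shipped."},
]

if __name__ == "__main__":
    for msg in MESSAGES:
        print(msg["to"], "->", classify_egress(msg, POLICY))
```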
Avenues for information leaks: the three big ways are:
1- Email – where you send something out, usually it’s to a business partner, but sometimes mistakes happen and it doesn’t go to that person.
2- Laptop, or a USB drive – so you’ve actually made a local copy of it, and [y]our laptop gets stolen or somebody’s got something on a memory stick, and that’s got a lot of data on it.
3- Through a piece of malicious code – as with the Hannaford incident — that sits there and just sends automatically. This is spyware; it steals data and sends it out over the Internet.
That’s pretty much it. The challenge with DLP is [figuring out] … how to look at everything in the network. Also, once the data gets to a laptop — which you usually have to do for an employee — or desktop, how do you make sure that it gets cleaned up from that endpoint so that it doesn’t sit on a local drive or sit on a removable drive?
Please note that some vendors describe DLP as being broken up into three essential parts: network security, endpoint protection, and discovery. With this background information, you might be tempted to ask: what is the most important component of DLP?
I think data discovery is the most important. Because I find that if IT knows what is there, they can do a reasonably good job of either putting technology in place or of educating the user. Much of the time, IT doesn’t really know what or where all the sensitive data is, from a security standpoint. So just being able to say, “There’s confidential data in this database or around this file share or SharePoint,” is useful information for the security [team] to have, because then they can put controls in place so that only authorized people can access it. Then those authorized people are educated as to what their responsibilities are…
The reason I think discovery is the most important is that if security knows where the confidential data is, then they can put a little extra vigilance into making sure that the access control policies are in place. They can make sure that all the accounts are active, that people who do access it know their responsibilities and the rules, and that there is a little social education above and beyond what they would normally do: they might be a little tighter with their audits of machines if they know they have consumer data on them, for instance. They would audit them more often, change the policy or look for things that don’t belong there. As an operator in the financial services sector, for instance, you might have 10,000 applications with 10,000 databases, so it helps to narrow it down to the ones that should get special attention.
The last myth I would like to clear up is: now that we have DLP, what else does the network admin have to do? Is it just to find that material and build a stronger algorithm around it? Yes, find it and put the security controls around it.
When I talk to security people on the enterprise, I think they’ve been pretty good if they know there’s a problem: They want to do the right thing. So if they know a company is at risk, they’ll take care of it. It’s just that if they don’t know, what can they do? So half the game is letting them know that there’s a resource like a database or a file or information that really needs some TLC (Top Level Control) — some extra care.
Thank you for your time. As always, your comments, questions are well appreciated!
Organisations are becoming ever more aware of the need to defend their computer networks from cyber attacks. There have been recent warnings from governmental agencies and regulatory bodies of the increasing threat: 51% of malicious software threats that have ever been identified occurred in 2009.
Threats from externally based criminals are not the only risks faced. Increasing numbers of varied devices are being attached to the enterprise network by remote workers, contractors or those requiring guest access, meaning insider threats. Whether deliberate or wrought unwittingly by out-of-compliance machines, these can force organisations to face huge losses due to downtime, financial remediation costs and loss of public confidence. What is needed is a way to control who can access crucial systems and sensitive data.
ForeScout’s CounterACT is a military-grade security system, many aspects of which have been developed in collaboration with the U.S. Military, and CounterACT has an existing Common Criteria certification at EAL2 with EAL4+ in progress. As well as protecting the U.S. military, ForeScout are also a trusted partner of the U.S. government and Federal bodies; further information on its Government and Department of Defense credentials can be found at: http://www.forescout.com/solutions/dod_gov.html
Other benefits from CounterACT include:
• In-built IPS – based upon patented ActiveResponse Technology that detects attackers’ reconnaissance and responds to them with counterfeit information which eliminates the need for signature updates
• Centralised visibility of ALL devices on the network giving the ability to control data leakage
• Proactive security that notifies, controls or blocks users that do not comply with policies and co-ordinates management of security infrastructure by integrating with wireless, anti- virus, VPN and many other technologies
• Vendor Agnostic – an out-of-band, network-based appliance that works with existing network infrastructures – no switch upgrades, no network reconfigurations. CounterACT integrates with all major enterprise switches, both 802.1x and non-802.1x, so unlike other products that require considerable network/infrastructure modifications before installation, CounterACT can be installed in one day.
Other product specifics
• Clientless – No agent software download required. Enables the device to identify, track and monitor ALL devices connected to the network, including guests /contractors.
• Signature-less IPS – Monitors for malware activity specifically reconnaissance behaviour. This is then blocked.
• Out-of-Band – The appliance is located next to a core or distribution switch, connected to a SPAN port, i.e. out of line
• Tailored Enforcement – A granular approach to policy enforcement, dependent on the policy breach:
1) HTTP browser hijack presents a message/warning to user
2) VLAN assignment
3) Virtual Firewall – using TCP resets to block some or all traffic originating from a device
4) Switch port disable – Using SNMP, we instruct the access layer switch to turn off the port users are connected to
• Non disruptive deployment – CounterACT connects at the core or distribution layer requiring a mirrored port on the switch that it connects to.
• End Point X-Ray – end point posture for policy compliance i.e. check for things you need to see on the device (e.g. AV s/w) and things you don’t want to see (e.g. Skype)
• Reporting – A vast array of reports can be generated by the CounterACT device, from high level overviews to detailed information on compromised devices.
• Pre Defined Policies – Predefined, common place policies are available for download from the ForeScout web site.
• Integration – Seamless integration into most environments. Interoperates with most major vendors, including Cisco, Aruba, HP, Nortel, Juniper and many others.
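The End Point X-Ray posture check and the Tailored Enforcement ladder listed above, worked through as an added example (this is not ForeScout’s code and does not use the CounterACT API): each policy names posture attributes that must be present or absent and the enforcement step to apply on breach, and the most disruptive step among the breached policies wins. The policies, endpoint records and attribute names are all constructed for the example.

```python
"""Added example: posture evaluation with a graded enforcement ladder.
Policies, endpoints and attribute names below are constructed, not vendor data."""
from dataclasses import dataclass, field

# Enforcement steps from least to most disruptive, as listed on the page.
LADDER = ["notify_http", "vlan_quarantine", "virtual_firewall", "port_disable"]


@dataclass
class Policy:
    name: str
    required: dict = field(default_factory=dict)   # attribute -> value that must be present
    forbidden: set = field(default_factory=set)    # applications that must be absent
    action: str = "notify_http"                    # ladder step applied on breach
    applies_to: set = field(default_factory=lambda: {"domain_member", "guest"})


def breaches(endpoint: dict, policy: Policy) -> list:
    """Return human-readable reasons this endpoint fails the policy (empty = compliant)."""
    if endpoint["class"] not in policy.applies_to:
        return []
    reasons = [f"{k} is {endpoint.get(k)!r}, expected {v!r}"
               for k, v in policy.required.items() if endpoint.get(k) != v]
    reasons += [f"forbidden application present: {p}"
                for p in sorted(policy.forbidden & set(endpoint.get("processes", [])))]
    return reasons


def decide(endpoint: dict, policies: list) -> dict:
    """Evaluate every policy and escalate to the most severe action among the breached ones,
    returning the findings so the operator can see why a step was taken."""
    findings = {p.name: breaches(endpoint, p) for p in policies}
    hit = [p for p in policies if findings[p.name]]
    if not hit:
        return {"host": endpoint["host"], "action": "allow", "findings": {}}
    action = max((p.action for p in hit), key=LADDER.index)
    return {"host": endpoint["host"], "action": action,
            "findings": {n: r for n, r in findings.items() if r}}


# Constructed policies mirroring the checks the page describes (AV present, patched,
# no P2P/Skype, no worm-like peer scanning).
POLICIES = [
    Policy("antivirus-running", required={"av_running": True}, action="vlan_quarantine"),
    Policy("patch-level", required={"patched": True}, action="notify_http",
           applies_to={"domain_member"}),
    Policy("no-p2p-or-skype", forbidden={"skype.exe", "utorrent.exe"}, action="virtual_firewall"),
    Policy("worm-behaviour", required={"scanning_peers": False}, action="port_disable"),
]

# Constructed endpoint posture records as a clientless inspection might report them.
ENDPOINTS = [
    {"host": "ws-01", "class": "domain_member", "av_running": True, "patched": True,
     "processes": ["outlook.exe"], "scanning_peers": False},
    {"host": "guest-7", "class": "guest", "av_running": False,
     "processes": ["skype.exe"], "scanning_peers": False},
    {"host": "ws-19", "class": "domain_member", "av_running": True, "patched": False,
     "processes": [], "scanning_peers": True},
]

if __name__ == "__main__":
    for ep in ENDPOINTS:
        print(decide(ep, POLICIES))
```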
The ForeScout Approach
ForeScout CounterACT is an integrated network security appliance that delivers real-time visibility and control of all devices on your network. CounterACT is deployed out-of-band of your real-time network data flows, either by receiving mirrored traffic or by integrating directly with network layer devices (Routers, Switches, Wireless Controllers, Authentication Services, etc.). ForeScout CounterACT is able to automatically identify who and what is on your network, controls access to your network resources from any host or segment, measures compliance with your security policies, and remediates or mitigates endpoint security and policy violations when they occur.
ForeScout CounterACT employs a proven approach for IT risk management, as shown in the diagram below. Every device that accesses the network is identified, inspected, remediated (if you wish), and continuously monitored.
ForeScout CounterACT revolutionizes Network Access Control (NAC) technology by eliminating deployment obstacles of typical solutions, such as costly hardware upgrades and lack of interoperability with existing infrastructure. Unlike other solutions, ForeScout CounterACT installs quickly and easily. It seamlessly integrates with any network environment. No software to install. No hardware upgrades.
CounterACT is 100% agentless, which means there is no software to install on endpoints. It works with all of your existing endpoints – managed and unmanaged, known and unknown. And CounterACT can control access to your network with or without 802.1X.
In summary, the key advantages of CounterACT are as follows:
1. Clientless Network-based Enforcement: unlike 802.1x-based network access control systems which require a desktop agent, the CounterACT system offers clientless, network-based enforcement.
2. Clientless Remediation: CounterACT can check and remediate company domain member devices (i.e. update OS and applications) without the need for an agent. To help remediate guests or other non-domain member devices, CounterACT offers its thin, dissolvable SecureConnector™ client via a web HTTP welcome screen.
3. Standards-based and Infrastructure Agnostic: CounterACT’s ability to work across heterogeneous network infrastructures has made it a favored solution for insurance, banking and financial networks. It deploys quickly without imposing costly upgrades or retrofits to the existing infrastructure: no prerequisites — such as switch upgrades, 802.1x deployment, client installation, or OS upgrade – are required. This eliminates the overhead imposed by inline solutions which take advantage of “vendor lock-in”.
4. Threat Detection: CounterACT comes with built-in threat detection and prevention technology that can determine if connecting devices are malicious or infected with self-propagating malware. This capability is recommended in Gartner’s 2008 Market Scope:
“To achieve the maximum benefits of network access control, enterprises must do more than just check for vulnerable endpoints. They must be able to detect and quarantine malicious-software-infected endpoints that can do damage to their network.” –John Pescatore, Gartner Market Scope
5. Discovery of Hidden Infrastructure: Rapid detection of rogue or unauthorized devices is a top concern in large networks. Recognized as possibly the strongest network sensor on the market today, CounterACT has demonstrated its ability to quickly and accurately identify and report details on all infrastructure components – both hidden and known. By monitoring network traffic and communicating with the switch infrastructure without the use of a client, CounterACT can see all IP devices on the network. This is a significant differentiator for ForeScout’s customers.
6. Extensive Experience in Large, Global Network Deployments: ForeScout customers include some of the largest, most globally distributed companies in the world. For such companies, scalability, reliability and information security are of equal importance. CounterACT is chosen for its ability to address many industry-specific requirements; for example, its comprehensive PCI (Payment Card Industry) compliance solution together with its centralized policy management capabilities help address many bank and retail audit requirements.
7. CounterACT offers Multiple Protection Tools:
• ActiveScout IPS Protects Internet-Exposed Services
• VPN Integration
• Guest Management
• Spoof Detection
• Unauthorized Device Detection
• Role-based Access
• Espionage Detection
8. CounterACT finds and fixes weaknesses within the network by doing the following:
• Updates Microsoft Patches
• Updates Anti-virus Definitions
• Configures the Desktop Firewall
• Blocks Peer to Peer (P2P) or Instant Message (IM)
• Signature-less IPS Blocks New Worms
• Signature-less IPS Blocks Custom Worms
9. CounterACT deters data leakage by doing the following:
• Inventory Monitoring for missing devices
• Kill Peer to Peer (P2P) and Instant Message (IM)
• Multi-homed wireless detection
• Unauthorized application on desktop
• USB Drive, CD/DVD-R, iPod enforcement.
10. In disabling USB memory drives (according to your policies), CounterACT does the following:
• Detects when memory drive is inserted
• Disconnects drive
• Command to make drive read-only
• Script to audit drive files
• New feature: block USB memory when offline
ForeScout CounterACT makes you smarter, your network more secure, and your staff less busy by automating tasks that are currently laborious. CounterACT is in use by over 500 of the world’s most secure enterprises and military installations with global deployments spanning 37 countries. ForeScout CounterACT is based on third generation Network Access Control (NAC) technology. Unlike other solutions, ForeScout CounterACT installs quickly and easily. No software (agent-less). Works with existing network infrastructure.
Why ForeScout’s CounterACT NAC Solutions?
• Do you have a Cisco network? Is it self-defending yet?
• Can your network protect against guests and contractors plugging their laptops into open network ports?
• Can your network automatically ensure that every endpoint is compliant with your security policies – antivirus, DLP, encryption, patch level, configuration, etc.?
• What if you could buy a simple network appliance that would work with your existing network infrastructure and give it the intelligence to fix both of these problems?
• Wouldn’t it be embarrassing if your organization learned – the hard way – that you’ve got gaps in protection? That the security agents you spent lots of money for are not installed and working properly on 100% of your endpoints? What if you could buy an appliance that would totally eliminate this risk?
• Do you have policies in place to prevent data loss? (e.g. prohibit use of P2P applications or USB drives) Do you have real-time visibility into how many of your users are violating data loss policies?
• Are you responsible for security audits? Do you have an automated system for reporting on the compliance of devices on your network?
• Do you have a tool that will tell you how many iPhones are connected to your network?
ForeScout CounterACT keeps unwanted visitors and rogue devices off your network. This helps you keep your network more secure. ForeScout CounterACT is very popular because it is so easy to deploy. Everything is contained in a simple appliance. It works with your existing IT infrastructure. No software to install, no hardware to upgrade. Some of the world’s largest enterprises have their endpoints securely managed by us; see www.forescout.com for details.
If you do require further detailed information on this product/solution (with a possible Proof Of Concept Implementation) do not hesitate to contact me directly or visit our homepage at www.smsamic.net
You may also wish to check out some exclusive IT Security resources at the RESOURCE CENTER found on our website.