back to article Next Generation Security: No, Dorothy, there is no magic wand

Hardly a day passes without some kind of major security breach. The type of attack that was once considered staggering in scale has now become the norm. When a Yahoo! breach was found to have lost a billion accounts, it seemed the only thing anyone found unusual about it was that Yahoo! had a billion accounts to lose. Don’t …

  1. Anonymous Coward
    Anonymous Coward

    SIEM vs UBA

    I think the upcoming change to SIEM is their clash with UBA type companies (Exabeam, etc.) and I believe one of these was just bought by Splunk. Making a baseline would definitely help correlation as opposed to writing correlation rules yourself.

    The CASB side is interesting and are merging with modern day proxy vendors already. Bluecoat bought Elastica (and was then itself bought by Symantec), Zscaler are partnering with Skyhigh and Forcepoint just acquired Imperva Skyfence.

    1. returnofthemus

      Re: SIEM vs UBA

      There is no clash between SIEM and UBA, UBA is merely a SIEM component FREE in some cases https://youtu.be/ARVsuQaSF9E

      1. Anonymous Coward
        Anonymous Coward

        Re: SIEM vs UBA

        You dare contradict the talking heads of Gartner?

        http://blogs.gartner.com/anton-chuvakin/2016/11/07/the-coming-uba-ueba-siem-war/

        1. Doctor Syntax Silver badge

          Re: SIEM vs UBA

          "You dare contradict the talking heads of Gartner?"

          Are you sure you've got the right part of the anatomy?

      2. Anonymous Coward
        Anonymous Coward

        Re: SIEM vs UBA

        "There is no clash between SIEM and UBA"

        There is if a customer has budget and requirement for only one. Fundamentally they both address the requirement for security monitoring and gaining awareness of malicious activity. How they do it and how well they do it varies, but both address the requirement and therefore compete in the market.

        1. returnofthemus

          Re: SIEM vs UBA

          "Fundamentally they both address the requirement for security monitoring and gaining awareness of malicious activity".

          Not quite, a SIEM aggregate logs/flows, most commonly through reading event viewer data, receiving standard feeds from SNMP traps or Syslog with the help of agents coming from user devices, network switches, servers, firewalls, anti-virus software, intrusion detection/prevention systems and much more, it can also run centralised reports that help meet strict regulatory compliance requirements.

          So inessence it really depends on the size of your environment and the business you're in, however a UBA is complementary to SIEM, which as previously stated you can get for FREE!

          The reality being you probably already have a SIEM

  2. Anonymous Coward
    Pint

    Know your environment!

    The main problem with security (or lack thereof) in my opinion is people no longer taking the time (nor effort) to get to know whatever it is they're using. And with that I mean actually knowing what you're doing; actually understanding the underlying logic.

    I see too many people who know exactly that in order to do "A" you need to perform "B" but unfortunately without having the foggiest clue as to why that is so. The same kind who would approach security as if it were a product instead of a procedural environment.

  3. Anonymous Coward
    Anonymous Coward

    Half these products wouldn't be necessary if people didn't: give admin rights to their users; log on with their everyday account in the domain admins group; and chose longer, better passwords

  4. Anonymous Coward
    Anonymous Coward

    I disagree with your opinion on SIEM; Nagios is not a SIEM. Its a monitoring tool that checks the health status of a system. The open-source comparative you could reference would be something like Greylog.

    A SIEM collects, analyses and reports log data across an enterprise, showing you operational security events that need further analysis, as well as allowing you to automate reporting for compliance standards such as PCI, GPG or HIPAA.

  5. Anonymous Coward
    Anonymous Coward

    There is a magic wand...

    *runs cock and balls over keyboard*

    Anyone care to use my PC now?

    1. John G Imrie Silver badge
      Joke

      Re: There is a magic wand...

      *Plugs in his own keyboard* OK.

    2. Brian Miller

      Re: There is a magic wand...

      And to think that you did that right after I sprayed it with urushiol "disinfectant."

      Really, that should be in the BOFH's playbook. "I got this rash, all I was doing was using my keyboard and mouse..."

  6. Doctor Syntax Silver badge

    IDaaS

    Do you really want a single ID around the internet? Should your bank ID be the same as your Amazon ID or your Register handle?

    Do you trust a provider to never leak your credentials?

    An online provider may well analyse your behaviour for security purposes. Fair enough, it might be able to detect attempts at impersonation that way, but would you trust it to not also use the analysis for its own commercial ends such as ad-slinging?

    1. Anonymous Coward
      Anonymous Coward

      Re: IDaaS

      How else are the spooks going to monitor what you do and impersonate you, unless you have a cloudy-account they have access to.

    2. Anonymous Coward
      Anonymous Coward

      Re: IDaaS

      "Do you really want a single ID around the internet? Should your bank ID be the same as your Amazon ID or your Register handle?"

      Does your average punter give-a-shit when faced with the prompt to 'create an account' or 'login with faceache"? I don't expect the banks to offer that but plenty of online service providers legitimately do and obviously the goals for data mining between the ID Provider and the Service Provider (it was in T+Cs biatch) go through the roof.

  7. Aunty Dan

    What about backup? Won't someone please think about backup

    Backup is integral to security and should not be ignored in an article like this. (Don't forget the security triad: Confidentiality, Security and Availability)

    The impact of ransomware, the current IT security big/bad de jure, is greatly reduced by having properly working backup solutions for all IT components from the desktop to the switch configurations.

    Plus yes mostly to Anonymous Coward #3 about reducing the desktop security attack surface, but remember virus software don't care about whether the logged-on user has local admin, or domain admin for that matter. It will just use known vulnerabilities to escalate privilege both locally and remotely to the DC. The fix for that of course is a process for patch installation and monitoring, and modern tools for achieving this were also not mentioned in this article.

    1. thecakeis(not)alie

      Re: What about backup? Won't someone please think about backup

      From the article: The bad guys are still iterating far faster than the antivirus companies can keep up, next-generation or not. The best defence against ransomware is still proper backup software. This is true today and it will be true for all the foreseeable tomorrows.

      Also: I didn't mention patch management for three simple reasons:

      1) the tools aren't particularly easy to use.

      2) They almost always operate on the mentality that "having all the patches is the most important thing", which simply isn't the case because patches often break things, and patch management systems needs to be able to cope with this

      3) Microsoft took a great big steaming dump in the middle of the patch management ecosystem. Their new rank madness regarding patches means that if they accidentally break your whole company with a bad patch your choices are to go out of business or remain unpatched. In the real world you can't make Microsoft fix their patches or any of the developers of your other applications adapt to Microsoft's idiocy, so you just get screwed.

      So that's why I don't talk about patch management. Patch management is the process of paying money to realize nobody cares about and you're probably doomed. And if you talk about this publicly you get lynched for it.

      Yay.

      1. Aunty Dan

        Re: What about backup? Won't someone please think about backup

        Thanks for correcting me, clearly I didn't read the original article closely enough!

        Personally I love patch management partly because it's hard to do, so it is very rewarding when you get it right. Microsoft is Microsoft, they are the once-and-always King of FUBAR patching processes, that's all just part of the game. I was there for the release of NT4 SP6a, now that was a party!

  8. c1ue

    Ransomware isn't dangerous because it encrypts stuff.

    It is dangerous because crims are starting to recognize that botnets, credit card theft, bitcoin wallet theft and so forth is so much less rewarding than simply holding the IT assets of any entity hostage.

    From there to infrastructure attacks ... interesting indeed.

  9. adam 40

    proper backup software?

    if you're using software to do backups, you're doing it wrong.

    Keep it simple with a few shell scripts - and maybe a cron job - that way you are less likely to have a write-only mess.

    1. Anonymous Coward
      Anonymous Coward

      Re: proper backup software?

      That's just how me mum does it. Oh no hang on moron she uses a computer like you probably use a car. Or do you have a hand-built rubber-band powered helium wingcar because that way 'you know how it works?'

  10. Nig3

    Take the right approach, Not one solution

    The vendors keep over-promising and under-delivering, and it is unfortunately symptomatic of a growth industry. Whenever some cries 'Gold Rush', cow boys appear and greed marginalises ethics. Customers are becoming more sceptical and distrusting, as quite rightly, they now have the extra task of stripping rhetoric from reality.

    Anyway my main point was that vendors keep hyping technology as the answer, when in my opinion the answer to a better security defence; is more about taking the right approach! For instance the UK Governments (Cyber Essentials) advice to Business's is based on 5 common sense and well established recommendations, that are designed to reduce risk by some 80%. OK not 100%, but at least its not claiming to be 100%, unlike the Security vendors who tout 100% and are last seen disappearing over the horizon to the next Gold field.

  11. well meaning but ultimately self defeating

    Come on guys

    Mentioning Mandiant and Fireeye on the same list as competitors, and including Nagios as a SIEM damages credibility of article - makes me doubt the bits I don't know already.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019