Next Generation Security: No, Dorothy, there is no magic wand Hardly a day passes without some kind of major security breach. The type of attack that was once considered staggering in scale has now become the norm. When a Yahoo! breach was found to have lost a billion accounts, it seemed the only thing anyone found unusual about it was that Yahoo! had a billion accounts to lose. Don’t …
I think the upcoming change to SIEM is their clash with UBA type companies (Exabeam, etc.) and I believe one of these was just bought by Splunk. Making a baseline would definitely help correlation as opposed to writing correlation rules yourself.
The CASB side is interesting and are merging with modern day proxy vendors already. Bluecoat bought Elastica (and was then itself bought by Symantec), Zscaler are partnering with Skyhigh and Forcepoint just acquired Imperva Skyfence.
"There is no clash between SIEM and UBA"
There is if a customer has budget and requirement for only one. Fundamentally they both address the requirement for security monitoring and gaining awareness of malicious activity. How they do it and how well they do it varies, but both address the requirement and therefore compete in the market.
"Fundamentally they both address the requirement for security monitoring and gaining awareness of malicious activity".
Not quite, a SIEM aggregate logs/flows, most commonly through reading event viewer data, receiving standard feeds from SNMP traps or Syslog with the help of agents coming from user devices, network switches, servers, firewalls, anti-virus software, intrusion detection/prevention systems and much more, it can also run centralised reports that help meet strict regulatory compliance requirements.
So inessence it really depends on the size of your environment and the business you're in, however a UBA is complementary to SIEM, which as previously stated you can get for FREE!
The reality being you probably already have a SIEM
The main problem with security (or lack thereof) in my opinion is people no longer taking the time (nor effort) to get to know whatever it is they're using. And with that I mean actually knowing what you're doing; actually understanding the underlying logic.
I see too many people who know exactly that in order to do "A" you need to perform "B" but unfortunately without having the foggiest clue as to why that is so. The same kind who would approach security as if it were a product instead of a procedural environment.
I disagree with your opinion on SIEM; Nagios is not a SIEM. Its a monitoring tool that checks the health status of a system. The open-source comparative you could reference would be something like Greylog.
A SIEM collects, analyses and reports log data across an enterprise, showing you operational security events that need further analysis, as well as allowing you to automate reporting for compliance standards such as PCI, GPG or HIPAA.
Do you really want a single ID around the internet? Should your bank ID be the same as your Amazon ID or your Register handle?
Do you trust a provider to never leak your credentials?
An online provider may well analyse your behaviour for security purposes. Fair enough, it might be able to detect attempts at impersonation that way, but would you trust it to not also use the analysis for its own commercial ends such as ad-slinging?
"Do you really want a single ID around the internet? Should your bank ID be the same as your Amazon ID or your Register handle?"
Does your average punter give-a-shit when faced with the prompt to 'create an account' or 'login with faceache"? I don't expect the banks to offer that but plenty of online service providers legitimately do and obviously the goals for data mining between the ID Provider and the Service Provider (it was in T+Cs biatch) go through the roof.
Backup is integral to security and should not be ignored in an article like this. (Don't forget the security triad: Confidentiality, Security and Availability)
The impact of ransomware, the current IT security big/bad de jure, is greatly reduced by having properly working backup solutions for all IT components from the desktop to the switch configurations.
Plus yes mostly to Anonymous Coward #3 about reducing the desktop security attack surface, but remember virus software don't care about whether the logged-on user has local admin, or domain admin for that matter. It will just use known vulnerabilities to escalate privilege both locally and remotely to the DC. The fix for that of course is a process for patch installation and monitoring, and modern tools for achieving this were also not mentioned in this article.
From the article: The bad guys are still iterating far faster than the antivirus companies can keep up, next-generation or not. The best defence against ransomware is still proper backup software. This is true today and it will be true for all the foreseeable tomorrows.
Also: I didn't mention patch management for three simple reasons:
1) the tools aren't particularly easy to use.
2) They almost always operate on the mentality that "having all the patches is the most important thing", which simply isn't the case because patches often break things, and patch management systems needs to be able to cope with this
3) Microsoft took a great big steaming dump in the middle of the patch management ecosystem. Their new rank madness regarding patches means that if they accidentally break your whole company with a bad patch your choices are to go out of business or remain unpatched. In the real world you can't make Microsoft fix their patches or any of the developers of your other applications adapt to Microsoft's idiocy, so you just get screwed.
So that's why I don't talk about patch management. Patch management is the process of paying money to realize nobody cares about and you're probably doomed. And if you talk about this publicly you get lynched for it.
Yay.
Thanks for correcting me, clearly I didn't read the original article closely enough!
Personally I love patch management partly because it's hard to do, so it is very rewarding when you get it right. Microsoft is Microsoft, they are the once-and-always King of FUBAR patching processes, that's all just part of the game. I was there for the release of NT4 SP6a, now that was a party!
Ransomware isn't dangerous because it encrypts stuff.
It is dangerous because crims are starting to recognize that botnets, credit card theft, bitcoin wallet theft and so forth is so much less rewarding than simply holding the IT assets of any entity hostage.
From there to infrastructure attacks ... interesting indeed.
The vendors keep over-promising and under-delivering, and it is unfortunately symptomatic of a growth industry. Whenever some cries 'Gold Rush', cow boys appear and greed marginalises ethics. Customers are becoming more sceptical and distrusting, as quite rightly, they now have the extra task of stripping rhetoric from reality.
Anyway my main point was that vendors keep hyping technology as the answer, when in my opinion the answer to a better security defence; is more about taking the right approach! For instance the UK Governments (Cyber Essentials) advice to Business's is based on 5 common sense and well established recommendations, that are designed to reduce risk by some 80%. OK not 100%, but at least its not claiming to be 100%, unlike the Security vendors who tout 100% and are last seen disappearing over the horizon to the next Gold field.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
