This month, the focus is on analysis. We look at the network through the lens of the SIEM, and we look at digital incidents and cybercrime through digital forensics. Between the two we should have plenty to think about.
SIEMs are, in our view, the single most important security tool in the security practitioner’s arsenal. The SIEM pulls together all of the anomalistic data from a whole raft of tools, correlates it and gives it to us in a way that makes sense, whatever that might mean to us. Intrusion detection systems, firewalls, web logs, flow data…all can be fed to a competent SIEM as grist for its analytical mill.
That said, SIEMs traditionally have had distinct personalities. Some have been deep-dive tools with a lot of flexibility to carve out one’s own analytical approach. Some have been log managers at heart with the ability to crunch logs in meaningful ways. Yet some others have been dedicated to letting admins know that something has gone – or is about to go – very wrong. These act in real time or “pre-real time” to analyze security events and issue an alarm when a correlated set of events spells trouble.
Forensic tools, on the other hand, let us analyze after the fact. The event leaves its footprints on the computer or network, and the forensic tools grab it, analyze it and tell us what happened if we can read the tea leaves right. That always is not as easy as it sounds, of course, and to that end we have a vast array of forensic tool types.
This is probably the only product group we look at that has multiple Recommended and Lab Approved designations. This is because the field of digital forensics has no single type of player. There are digital forensic tools to analyze networks, computers, computers over the network, relationships and metadata, as well as different types of computers and applications. There truly is no one size fits all.
This, also, is the group that we turn over to my forensic students at Norwich University. For the past three years we have turned over the reviewing chores to a very bright group of upperclass students just wrapping up their studies in digital forensics. This class teams up in pairs and tests each product in Norwich’s well-equipped forensic lab. Once tested, the results are written up in reviews for your edification. This year was no exception and Nick Logan, our student team lead, did his job well. You’ll enjoy his insights, I’m sure.
The SIEM group is stable, though. The fundamental concept of the SIEM has reached maturity and it now remains only to keep the products current with different types of data feeds and new ways to analyze and alert in near real time. The notion of catching things before they happen based on the probability that an observed set of events is likely to signal an attack attempt is new and is just developing as a reliable technique.
All in all, these are two of my favorite groups: forensics, because that is my primary knowledge area, and SIEMs, because they simply fascinate me. Putting both groups in a single issue seems to me a good way to explore the basis for analysis of bad things and, as we all know, bad things can happen even to good networks.
SC Lab Manager Mike Stephenson did the honors in the SIEM tests, giving Reviewer Mike Lipinski the month off. I supervised the students and, for a change, wrote a few reviews in each group myself. My observation is that the forensic group is pretty mature – as is the SIEM lot – but that new forensic tools emerge regularly to meet the requirements of a developing marketplace and new types of exploits that need to be analyzed.
– Peter Stephenson, technology editor