Thinking About Security Monitoring and Event Correlation

One effect of the increased use of the Internet, mainly by business, has been the rapid growth of security incidents. This growth has forced organizations to expand their information technology infrastructures considerably.

An information security incident can be characterized as a loss of availability, integrity, and/or confidentiality of data. Software and hardware vendors have devoted a tremendous amount of resources to the creation of security devices such as firewalls, intrusion detection systems, strong authentication and access control mechanisms, virtual private networks, and public key infrastructure. Organizations worldwide are implementing these technologies to protect their information assets and detect information security incidents.

Introduction

Most security devices offer logging and alerting for known, and possibly unknown, security events that occur on an information technology infrastructure. In spite of all our technological advances and the introduction of devices like firewalls and VPNs, most companies do not monitor the information coming from these devices.

Security device logs can be extensive and hard to understand because of their detail and size, and manual review is time consuming. In many organizations a dedicated staff of information technology personnel is not available to monitor logs and alerts continuously, so network and system administrators review security information as part of routine maintenance. This limited or nonexistent monitoring of enterprise security leaves organizations blind to attacks targeted at their networks. Security logs record the activity on an information technology infrastructure: legitimate business application traffic, external attacks over the Internet, and internal attacks by employees. Recognizing their vulnerability, organizations are looking outside for the management of their security infrastructure. Third-party management of firewalls is already common, and management of intrusion detection systems is becoming more common.

But this need for external security management has become more than just monitoring the alerts from a network-based or host-based intrusion detection system; it has become 24x7x365 security monitoring of the entire enterprise.

Security Monitoring

Today only a few companies offer 24x7x365 enterprise-wide security monitoring services, and even fewer include monitoring events from firewalls and network-based and host-based intrusion detection systems as well as the logs and alerts from routers, switches, anti-virus and content scanning applications, backup applications, PBXs, and critical Unix and NT servers, including but not limited to web servers, FTP servers, and mail servers. In the future, enterprise security monitoring will incorporate security events from physical security devices such as card readers, motion detectors, and cameras, security alarms from secured doors and gates, fire alarms, and climate control sensors.

Each device or application listed above can generate hundreds of lines of logs daily. The majority of the events logged are not security related, so picking out specific security events is difficult and time consuming. For the typical system administrator, network administrator, and/or security officer, reviewing logs is not a realistic task and monitoring events in real time is impossible; day-to-day system maintenance demands too much time. Companies simply do not have a 24x7x365 information technology staff to perform real-time monitoring and response. Monitoring outside business hours becomes particularly difficult or nonexistent, and internal and external hackers are well aware of this weakness.

Some vendors do offer tools to consolidate their own products' events and logs, but even with these tools it is nearly impossible for an administrator to find the time to monitor a security system enterprise-wide. Most of these consolidation tools are vendor specific: Vendor A's tool can only accept logs or events from Vendor A's products, while Vendor B's tool can only consolidate Vendor B's products, because the two vendors' products log event information differently. This situation forces administrators to use many different tools to monitor logs and event information throughout their enterprise. Today there are only a few companies that provide vendor-independent log and event consolidation solutions, and these solutions demand an extensive amount of customization to be useful for monitoring security events enterprise-wide.

Along with the lack of time and of vendor-independent tools, false positives are another reason why enterprise security monitoring is not easy. A false positive is an event that triggers a security alert but is not actually security related. There has been a lot of discussion over the last year regarding intrusion detection systems and false positives. To have extensive visibility into a host or network, a host-based or network-based intrusion detection system must be configured loosely, and a loosely configured system generates a high number of false positives. The difficulty is that many administrators do not have the time or the knowledge to research the volume of events these loosely configured intrusion detection systems generate. Host-based and network-based intrusion detection systems are only two types of devices that generate false positives; many other security devices produce them as well.

Monitoring an entire security enterprise takes an experienced 24x7x365 staff of security analysts responsible for continuously analyzing events and filtering out the false positives. For an enterprise security manager a large number of false positives is difficult to manage; without a dedicated security staff, people are diverted from their regular work to respond to false attacks. Yet false positive analysis is critical to protecting an organization's information assets. Is there another way? Maybe.

Event Correlation

The next advance in enterprise security monitoring will be to capture the knowledge and analytical ability of human security experts in an intelligent system that performs event correlation across the logs and alerts of multiple security technologies.

For example, company A has a screening router outside its firewall protecting the corporate network, and a security event monitoring system with reliable artificial intelligence. The monitoring system starts seeing log entries in which the access control lists or packet screens on the screening router are denying communications from a certain IP address. The intelligent system then begins detailed monitoring of the firewall logs and of any publicly accessible server logs for communications destined for or originating from that IP address. If the intelligent system determined that the communication was malicious, it would have the capability to modify the router access control lists or the firewall configuration to deny any communication destined for or originating from the IP address. In this example, the access control list deny logs from the router trigger the intelligent system to look for suspicious activity from a certain IP address. Using event correlation, the response mechanism has more time to monitor and react to an attacker. If the system did not correlate events, it would only detect an event that had already occurred, based on a known attack signature, or it might even read a malicious attack as normal traffic.

What if the intelligent system began detecting multiple failed logins to an NT server by the president of the company? It would be useful for this technology to determine where these failed logins originated and to look for suspicious activity from that IP address and/or user for some designated timeframe. If the system determined that the failed logins originated from a user other than the president of the company, it could begin to closely monitor, for a period of time, all actions by this user and by the company president (the user could be impersonating the president). This monitoring could include card readers, PBX or voice mail access, security alarms from secured doors and gates, and access to other servers. If the monitoring system were not correlating events, the user impersonating the company president would almost certainly bypass all access control and security monitoring devices, because the user's actions appear to be normal activity.
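The two scenarios above, written out as a small event correlation engine in Python. This is an added example, not code from the original article or from any product it mentions. The log lines, the vendor-specific formats they use (a router ACL log, a key=value firewall log, a web server access log, NT failed-logon event 529 forwarded as text, and a badge reader log), the workstation-to-owner inventory, and the thresholds (three ACL denies, three failed logons, a hostile-activity score of 3) are all constructed assumptions. The engine first normalizes every format into one common Event record and then applies two stateful rules: ACL denies from one IP put that IP on a watch list, after which firewall accepts and server errors from it accumulate until a block is issued; repeated failed logons to the president's account from a workstation assigned to someone else put both users on a watch list, after which badge, PBX or server events for either user are alerted.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines; each list imitates a different vendor's format,
# which is why parse() below normalizes them into one Event record first.
ROUTER_LOGS = [
    "Mar 01 02:10:11 rtr1 list 101 denied tcp 203.0.113.7(40211) -> 192.0.2.10(23), 1 packet",
    "Mar 01 02:10:14 rtr1 list 101 denied tcp 203.0.113.7(40212) -> 192.0.2.10(22), 1 packet",
    "Mar 01 02:10:19 rtr1 list 101 denied tcp 203.0.113.7(40213) -> 192.0.2.10(139), 1 packet",
]
FIREWALL_LOGS = [
    "2001-03-01 02:10:30 fw1 action=accept proto=tcp src=203.0.113.7 dst=192.0.2.80 dport=80",
    "2001-03-01 02:10:31 fw1 action=accept proto=tcp src=198.51.100.5 dst=192.0.2.80 dport=80",
]
WEB_LOGS = [
    '203.0.113.7 - - [01/Mar/2001:02:10:32 +0000] "GET /admin/ HTTP/1.0" 401 312',
    '198.51.100.5 - - [01/Mar/2001:02:10:34 +0000] "GET /index.html HTTP/1.0" 200 4121',
]
NT_LOGS = [  # NT event 529 is a failed logon; the key=value layout is constructed
    "Mar 01 08:15:02 ntsrv1 Security 529 Logon Failure user=president domain=CORP workstation=WS-OPS-17",
    "Mar 01 08:15:09 ntsrv1 Security 529 Logon Failure user=president domain=CORP workstation=WS-OPS-17",
    "Mar 01 08:15:15 ntsrv1 Security 529 Logon Failure user=president domain=CORP workstation=WS-OPS-17",
]
BADGE_LOGS = [
    "2001-03-01 08:20:40 badge-ctl door=server-room user=jdoe result=granted",
    "2001-03-01 08:21:05 badge-ctl door=lobby user=asmith result=granted",
]
# Assumed asset inventory: which employee each workstation is assigned to.
WORKSTATION_OWNER = {"WS-OPS-17": "jdoe", "WS-EXEC-01": "president"}


@dataclass
class Event:
    """Vendor-neutral record that every log line is normalized into."""
    source: str
    kind: str
    ip: Optional[str] = None
    user: Optional[str] = None
    status: Optional[int] = None
    detail: str = ""


ROUTER_RE = re.compile(r"denied \w+ (?P<ip>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<port>\d+)\)")
WEB_RE = re.compile(r'^(?P<ip>[\d.]+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(source: str, line: str) -> Optional[Event]:
    """Normalize one line of the given source's format; None if it is not of interest."""
    if source == "router":
        m = ROUTER_RE.search(line)
        return Event("router", "acl_deny", ip=m["ip"], detail=f"to {m['dst']}:{m['port']}") if m else None
    if source == "web":
        m = WEB_RE.match(line)
        return Event("web", "http", ip=m["ip"], status=int(m["status"]), detail=m["req"]) if m else None
    kv = dict(KV_RE.findall(line))  # firewall, NT and badge lines carry key=value pairs
    if source == "firewall":
        return Event("firewall", "fw_" + kv["action"], ip=kv["src"], detail=f"to {kv['dst']}:{kv['dport']}")
    if source == "nt" and " 529 " in line:
        return Event("nt", "logon_failure", user=kv["user"], detail=kv["workstation"])
    if source == "badge":
        return Event("badge", "badge_" + kv["result"], user=kv["user"], detail=kv["door"])
    return None


class Correlator:
    """Stateful rules that escalate monitoring and respond, as the two scenarios describe."""
    ACL_DENY_THRESHOLD = 3       # assumption: denies from one IP before it is watched
    HOSTILE_SCORE_THRESHOLD = 3  # assumption: watched-IP activity score that triggers a block
    LOGON_FAIL_THRESHOLD = 3     # assumption: failed logons before both users are watched

    def __init__(self, workstation_owner):
        self.workstation_owner = workstation_owner
        self.deny_count, self.hostile_score, self.logon_failures = defaultdict(int), defaultdict(int), defaultdict(int)
        self.watched_ips, self.blocked_ips, self.watched_users = set(), set(), set()
        self.actions = []

    def feed(self, ev: Event) -> None:
        # Scenario 1: router ACL denies put an IP on watch; firewall accepts (+1) and
        # server error responses (+2) from a watched IP then accumulate until it is blocked.
        if ev.kind == "acl_deny":
            self.deny_count[ev.ip] += 1
            if self.deny_count[ev.ip] == self.ACL_DENY_THRESHOLD:
                self.watched_ips.add(ev.ip)
                self.actions.append(f"WATCH ip {ev.ip}: {self.deny_count[ev.ip]} ACL denies on router")
        elif ev.ip in self.watched_ips and ev.ip not in self.blocked_ips:
            self.hostile_score[ev.ip] += 2 if (ev.status or 0) >= 400 else 1
            if self.hostile_score[ev.ip] >= self.HOSTILE_SCORE_THRESHOLD:
                self.blocked_ips.add(ev.ip)
                self.actions.append(f"BLOCK ip {ev.ip} on router ACL and firewall")
        # Scenario 2: failed logons to one account from a workstation assigned to a
        # different user put both users on watch across every monitored source.
        if ev.kind == "logon_failure":
            key = (ev.user, ev.detail)
            self.logon_failures[key] += 1
            owner = self.workstation_owner.get(ev.detail)
            if self.logon_failures[key] == self.LOGON_FAIL_THRESHOLD and owner and owner != ev.user:
                self.watched_users.update({ev.user, owner})
                self.actions.append(f"WATCH users {ev.user} and {owner}: failed logons from {owner}'s workstation {ev.detail}")
        elif ev.user in self.watched_users:
            self.actions.append(f"ALERT {ev.source} {ev.kind} by watched user {ev.user}: {ev.detail}")


def run_demo():
    """Feed the constructed logs (already in chronological order) and return the actions taken."""
    corr = Correlator(WORKSTATION_OWNER)
    for source, lines in [("router", ROUTER_LOGS), ("firewall", FIREWALL_LOGS), ("web", WEB_LOGS),
                          ("nt", NT_LOGS), ("badge", BADGE_LOGS)]:
        for line in lines:
            ev = parse(source, line)
            if ev is not None:
                corr.feed(ev)
    return corr.actions
```

Running run_demo() yields four actions: the watch on 203.0.113.7, its block once the firewall accept and the 401 from the web server push its score to 3, the watch on president and jdoe after the third failed logon from WS-OPS-17, and an alert on jdoe's badge swipe into the server room. The firewall accept from 198.51.100.5 and asmith's lobby badge swipe produce nothing, which is the point of the article's argument: taken alone, the accepted connection and the badge swipe look like normal activity, and only the correlated context distinguishes them. A production engine would also sort events by a normalized timestamp, age state out of the watch lists, and drive the block through the router and firewall management interfaces rather than just recording it.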

Today there is one major obstacle to intelligent event correlation enterprise-wide: there is no standard for logging security-related information or alerts. Every vendor uses its own logging or alerting methodology for security-related events, and in many cases formats are inconsistent even among products from the same vendor. These issues make enterprise security monitoring difficult and event correlation with artificial intelligence almost impossible. The industry will need to adopt a standard method or protocol for logging and alerting on security-related events before an intelligent system can be developed and productively implemented enterprise-wide.