Page 16 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY
P. 16
Information Security and Privacy
Notes In the panoply of functions a SIM can provide, perhaps the foremost is absorbing the bulk of log
data from IDS sensors, IPS devices and firewalls. In this sense, a SIM can act as an IDS console,
helping navigate through what is normally an overwhelming amount of IDS data. That’s easy
enough, but that function alone often doesn’t provide enough purchase value for organizations
that already have an IDS console.
For a greater benefit we can look beyond analysis of IDS events and focus on the SIM product’s
alerting and analysis capabilities. These features are appreciated by the security team, but other
IT staff can find them useful as well.
Example: Most IDSes have a subset of signatures that help track virus-infected or Trojan-
controlled systems. You can use SIM alerts to immediately send infected system data to the
organization’s help desk, enabling a more proactive approach to tracking and resolving these
issues.
A SIM also collects firewall data, which can also be advantageous. Your SIM knows who the top
talkers and listeners are on the network, and can probably help identify hot spots and hot
protocols where some network engineering or bandwidth controls might be useful.
When deploying a SIM, bring the network engineering team on board by sharing reports and
dashboards that focus on bandwidth usage. A SIM might be the only system in your organization
that can give this level of visibility into the network, irrespective of security concerns.
Thinking outside of the traditional security box is a good way to leverage a SIM’s correlation
engine and normalization capabilities. While SIMs might be focused on the security implications
of the data they collect, every log message tells a story - one that is generally buried in a pile of
unrelated minutiae.
Example: Most devices can emit log messages that presage future failures, such as bad
power supplies, fans or failing hard drives. Find those messages using your SIM and you can
turn a future emergency failure into a planned maintenance window.
Another potential bonus lies in the piles of typically unexamined logs from Windows and Unix
servers. Not every SIM specializes in Windows, but all the good ones are happy to accept
Windows event logs, even if they require a conversion to the System log, log-forwarding
standard using a tool like Snare. While most system managers have already developed their
own local methods for watching logs, a SIM provides a place to collect these logs, rules, and
alerts in a single management console.
When leveraging a SIM this way, you can reduce deployment time by eliminating the steps of
installing and configuring local log watch tools. And, by cross-correlating events from multiple
systems, you may gain greater security visibility than by considering each log one system at a
time.
A SIM has to stand or fail on its own merits and for the task you bought it to handle. But taking
advantage of the opportunities to leverage a SIM for greater network and system visibility and
control will ensure your organization makes the most of its investment.
It’s one thing to be notified that unauthorized activities are happening on the network. It’s
another thing entirely to convince less security-savvy network management to do anything
about it. Security Information Management is capable of generating reports to support your call
for action and to generate them quickly. If the product comes with prepackaged reports that you
can modify to provide the information specific to your organization and incident, then you’re
way ahead of the game. Prepackaged reports are critically important time-savers when it comes
to regulatory-compliance audits.
10 LOVELY PROFESSIONAL UNIVERSITY
