Point security products such as firewalls, host-based anti-virus and email filtering have a job to do and often do it reasonably well. Arguably if they did not, then businesses would not buy them, although sometimes purchases are made more for compliance purposes than security ones – for example, installing full-disk encryption on laptops because the data commissioner’s office says it should be.
However, even if the best point security products are in place, this does not mean 100% security because they all miss things. Many anti-virus products rely on malware samples having been previously recorded and added to the vendor’s databases; new malware (a “zero-day” attack) is not so easily spotted. Intrusion prevention systems will do nothing to stop a hacker gaining access with stolen credentials.
To get a broader insight into the effectiveness of their IT security and compliance posture, businesses have been investing in security information and event management (SIEM) tools over the last decade or so. These tools allow them to see what has been going on across their systems; for example, comparing router logs with server access requests to notice that data was copied to a particular IP address using the credentials of a former employee. Such hindsight is useful, but it would be better if such events could be identified and stopped as they happen.
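The router-log-versus-server-access correlation described above, as an added illustration that is not part of the original article: a small Python correlator over constructed log lines that flags a large outbound transfer from a host where a former employee's credentials had just been accepted. The log formats, the account list and the thresholds are assumptions for the example, not any vendor's format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not taken from the article). The account set
# stands in for an HR feed of former employees whose credentials should be dead.
FORMER_EMPLOYEES = {"jdoe"}

# Server access log: who authenticated from which internal host (assumed format).
SERVER_LOG = """\
2024-06-01T09:02:11 login user=asmith src=10.0.5.21 result=success
2024-06-01T09:15:40 login user=jdoe src=10.0.5.77 result=success
2024-06-01T09:16:02 login user=bjones src=10.0.5.30 result=failure
"""

# Router/flow log: outbound transfers from internal hosts (assumed format).
ROUTER_LOG = """\
2024-06-01T09:05:00 flow src=10.0.5.21 dst=10.0.9.4 bytes=120000
2024-06-01T09:21:30 flow src=10.0.5.77 dst=203.0.113.9 bytes=850000000
2024-06-01T11:40:00 flow src=10.0.5.77 dst=203.0.113.9 bytes=3000
"""

LOGIN_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) result=(\S+)$")
FLOW_RE = re.compile(r"^(\S+) flow src=(\S+) dst=(\S+) bytes=(\d+)$")

def is_internal(ip):
    # Crude RFC 1918 check sufficient for the constructed data.
    return ip.startswith("10.")

def correlate(server_log, router_log, former, window_minutes=30, min_bytes=1_000_000):
    """Alert on a large external transfer from a host where a former employee's
    credentials were accepted within the preceding window_minutes."""
    logins = []
    for line in server_log.splitlines():
        m = LOGIN_RE.match(line)
        if m and m.group(4) == "success" and m.group(2) in former:
            logins.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    alerts, window = [], timedelta(minutes=window_minutes)
    for line in router_log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts, src, dst, nbytes = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))
        if is_internal(dst) or nbytes < min_bytes:
            continue  # internal traffic or too small to matter for this rule
        for lt, user, lsrc in logins:
            if lsrc == src and timedelta(0) <= ts - lt <= window:
                alerts.append({"user": user, "host": src, "dst": dst, "bytes": nbytes, "at": m.group(1)})
    return alerts
```

On the sample data only the 850 MB transfer from 10.0.5.77 is raised, because it follows jdoe's accepted login on that host within the window; the 3 kB flow two hours later falls outside both thresholds.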
This is now possible. Some of the leading vendors of SIEM tools have souped them up and linked them with intelligence engines that co-ordinate policy. This enables them to act as real-time defence mechanisms, providing an additional security overlay to supplement point security products; so-called next-generation SIEM or advanced IT security intelligence. This enables sophisticated correlation of log data, event data and other IT intelligence data to identify and take action on a wide range of IT security, compliance and other issues.
Quocirca will be discussing how advanced IT security intelligence can be used to protect against a range of issues in a webinar on June 19 with McAfee. These include:
- Stopping an impossible access request
- Identifying and preventing zero-day attacks
- Linking physical and IT security to protect critical infrastructure
- Spotting and stopping suspicious sys-admins’ activity