Step No. 2: Follow the Threat to Its Source

When an alert shows up on a security manager's console, it's as if someone set off an alarm, says Morrow, the Chief Security and Privacy Officer for Electronic Data Systems Corp. The security group's first question is obvious: Where is the problem? But finding the answer requires ingenuity. There's no single surefire method for finding a security breach and nailing down its scope.

The task is still more art than science. Event logs generated by firewalls and early-warning intrusion-detection/prevention systems give security analysts one route of inquiry. And the demand for tools that help correlate the mass of security data held by the various systems is growing. Security experts advise looking at security information and event management software, which helps security managers detect incidents, for clues that may help identify the source of the attack as well.

Security information and event management software rolls up alerts from firewalls and intrusion-detection/prevention systems, along with event data from antivirus products, databases, Web servers and elsewhere. It offers two tracks to get to the source. One is its visualization portion, which looks like a large, continuously scrolling spreadsheet and provides some amount of detail on a network attack, detected virus or other event, including the Internet Protocol address of the affected equipment and the device name.

The initial information gives a basic sketch of the problem and where it may exist. Every device connected to a network is identified by an Internet Protocol address, for example, which can guide security personnel to the general areas requiring investigation. However, there are limitations to this line of inquiry; one is a lack of context. What does the IP address mean? Where is it, and who is using it? The other limitation is that an attacker may spoof the IP address. Security analysts thus have to dig deeper into the second source, the event logs, which contain more finely grained detail. They'll be looking for Media Access Control addresses, which identify network nodes, to see if a given IP address is correct and valid, Lawson explains. The logs also will provide details on how an attack progressed through a network. By examining the firewalls, routers and operating systems, analysts can piece together how many Media Access Control addresses, Internet Protocol addresses and routers were targeted in a given incident, Lawson says. Security personnel need information beyond the alert itself. A good security information and event management system will archive logs from different security devices, routers and operating systems.

A security information and event management system's data gives the security team direction; after that, they must still physically find the affected system. A configuration management database, which holds information about the components of an organization's information-technology infrastructure, can help. By identifying components and their status, the database helps security managers zero in on the source of trouble, though that doesn't mean all devices are easy to find; a laptop plugged into the corporate network by a temporary worker or other visitor will be elusive. For all the automated sleuthing, a certain percentage of devices will be discovered only by simple hands-on crawling through offices, plugging and unplugging things. When it comes to detecting an attack, human intelligence must support automated systems in determining the scope and severity of an attack. Security managers say they seek out the affected asset's owner.

Determining the appropriate response means taking the attack's venom into account. Besides wanting to know how many systems are affected and the location of the attack, security personnel also seek to determine the insidiousness of the attack. They will want to know if it is a random exploit or a botnet propagating through the network and reporting information back to somebody or some organization through an IRC [Internet Relay Chat] channel. Something like that is much more impactful.

While corporate security groups chase down incursions when they happen, they've tried to become more proactive, looking for and fixing weak spots before attacks occur with the help of vulnerability management tools. Like intrusion-detection sensors and firewalls, these tools may feed into security information and event management systems and configuration engines. Many organizations scan for vulnerabilities on a regular basis, allowing security personnel to determine which systems are vulnerable to attack and patch accordingly.

Because cybercriminals are becoming smarter and more sophisticated in their operations, they are real threats to your personal security and privacy. Your money, your computer, your family and your business are all at risk.

These cybercriminals leave you with three choices:
1. Do nothing and hope their attacks, risks and threats don't occur on your computer.
2. Do research and get training to protect yourself, your family and your business.
3. Get professional help to lock down your system from all their attacks, risks and threats.

Remember: When you say "No!" to hackers and spyware, everyone wins! When you don't, we all lose!

© MMVII, Etienne A.
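The passage above on tracing an alert to its source (IP address first, then the MAC address from the logs to check that the IP is genuine, then the configuration management database to find the owner and location, then a count of how many addresses and devices were hit) can be shown as a small enrichment pass. The following is an added example written for this page, not code from the article or from any SIEM product it mentions. Every input is constructed: the alert lines, the DHCP lease table, the ARP observations and the CMDB records are made up, and the field names and verdict labels are this example's own choices.

```python
"""Enrich SIEM alerts with MAC and CMDB context and size an incident.

Added illustrative example for this page; not the article's or any
vendor's code. All data below is constructed for the demonstration.
"""
import re

# Constructed firewall / IDS alerts as a SIEM console might list them:
# timestamp, reporting device (router or firewall), source IP, signature.
ALERTS = [
    "2024-05-01T10:00:05 rtr-edge-1 src=10.1.4.23 sig=SMB-worm-propagation",
    "2024-05-01T10:00:09 fw-dc-2 src=10.1.4.23 sig=SMB-worm-propagation",
    "2024-05-01T10:01:40 rtr-edge-1 src=10.1.9.8 sig=SMB-worm-propagation",
    "2024-05-01T10:02:15 fw-dc-2 src=10.1.4.77 sig=SMB-worm-propagation",
]

# Constructed DHCP leases: which MAC was *assigned* which IP.
LEASES = {
    "10.1.4.23": "00:11:22:aa:bb:01",
    "10.1.9.8": "00:11:22:aa:bb:02",
    # 10.1.4.77 has no lease: nobody was assigned that address.
}

# Constructed switch ARP observations: which MAC was *seen* using each IP
# around the time of the alerts.
ARP_SEEN = {
    "10.1.4.23": "00:11:22:aa:bb:01",
    "10.1.9.8": "00:11:22:aa:bb:99",   # differs from the lease -> suspicious
    "10.1.4.77": "00:11:22:aa:bb:03",
}

# Constructed CMDB keyed by MAC. bb:03 is an unregistered visitor laptop
# and bb:99 is unknown, so neither will resolve to an owner.
CMDB = {
    "00:11:22:aa:bb:01": {"host": "ws-finance-12", "owner": "j.doe", "loc": "Bldg A/3F"},
    "00:11:22:aa:bb:02": {"host": "ws-hr-04", "owner": "m.roe", "loc": "Bldg B/1F"},
}

ALERT_RE = re.compile(r"^(\S+) (\S+) src=(\S+) sig=(\S+)$")


def parse_alert(line):
    """Split one constructed alert line into its fields."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable alert: {line!r}")
    ts, device, ip, sig = m.groups()
    return {"ts": ts, "device": device, "ip": ip, "sig": sig}


def enrich(alert, leases, arp_seen, cmdb):
    """Attach MAC, a trust verdict on the IP, and the CMDB record if any."""
    ip = alert["ip"]
    leased = leases.get(ip)
    observed = arp_seen.get(ip)
    # The IP is only trustworthy if the MAC seen on the wire is the MAC
    # the lease assigned that IP to; anything else needs a closer look.
    if leased is None:
        verdict = "unassigned-ip"      # address nobody was given
    elif observed != leased:
        verdict = "ip-mac-mismatch"    # possible spoofing or rogue device
    else:
        verdict = "consistent"
    asset = cmdb.get(observed) if observed else None
    return {**alert, "mac": observed, "verdict": verdict, "asset": asset,
            "needs_manual_search": asset is None}


def triage(alert_lines, leases, arp_seen, cmdb):
    """Enrich every alert and summarise the incident's footprint."""
    enriched = [enrich(parse_alert(l), leases, arp_seen, cmdb) for l in alert_lines]
    scope = {
        "ips": len({e["ip"] for e in enriched}),
        "macs": len({e["mac"] for e in enriched if e["mac"]}),
        "reporting_devices": len({e["device"] for e in enriched}),
        "unresolved": sum(e["needs_manual_search"] for e in enriched),
    }
    return enriched, scope


if __name__ == "__main__":
    rows, summary = triage(ALERTS, LEASES, ARP_SEEN, CMDB)
    for r in rows:
        who = r["asset"] or "UNKNOWN: walk the floor"
        print(f'{r["ts"]} {r["ip"]} mac={r["mac"]} {r["verdict"]:16} {who}')
    print("scope:", summary)
```

The `unresolved` count is the part the article says no tool removes: two of the four alerts come from MACs the CMDB has never seen, which is exactly the visitor-laptop case that ends with someone walking through the office.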
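The passage above on judging an attack's severity draws the line between a random, one-off exploit and a botnet that is spreading and reporting back over an IRC channel. One way to make that distinction from the logs a SIEM already archives is to look for several internal hosts contacting the same external address on an IRC port at a steady interval. The block below is an added example for this page, not code from the article or from any product it mentions; the flow records are constructed, and the IRC port list, the interval-regularity threshold and the verdict labels are this example's assumptions rather than any standard.

```python
"""Separate botnet-style beaconing from one-off activity in flow logs.

Added illustrative example for this page; not the article's code.
The flows, port list and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed NetFlow-style records: start time, src, dst, dst port, bytes.
# Two workstations call the same external host every ~5 minutes on 6667;
# a third host makes a few irregular web requests elsewhere.
FLOWS = """\
2024-05-01T10:00:00 10.1.4.23 203.0.113.7 6667 412
2024-05-01T10:05:01 10.1.4.23 203.0.113.7 6667 398
2024-05-01T10:10:00 10.1.4.23 203.0.113.7 6667 405
2024-05-01T10:15:02 10.1.4.23 203.0.113.7 6667 401
2024-05-01T10:00:30 10.1.9.8 203.0.113.7 6667 410
2024-05-01T10:05:29 10.1.9.8 203.0.113.7 6667 399
2024-05-01T10:10:31 10.1.9.8 203.0.113.7 6667 403
2024-05-01T10:15:30 10.1.9.8 203.0.113.7 6667 402
2024-05-01T10:02:11 10.1.4.77 198.51.100.9 80 1500
2024-05-01T10:03:17 10.1.4.77 198.51.100.9 80 9800
2024-05-01T10:41:55 10.1.4.77 198.51.100.9 80 700
"""

# Assumption: the ports IRC servers commonly listen on.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}


def parse_flows(text):
    """Turn the constructed flow text into a list of records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def periodicity(timestamps, min_conns=3, max_cv=0.2):
    """Return (mean gap in seconds, coefficient of variation, is_periodic).

    A host that phones home on a timer produces gaps whose spread is small
    relative to their mean; human-driven traffic does not.
    """
    ts = sorted(timestamps)
    if len(ts) < min_conns:
        return None, None, False
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return mu, None, False
    cv = pstdev(gaps) / mu
    return mu, cv, cv <= max_cv


def classify(flows, min_hosts=2):
    """Per destination: how many internal hosts talk to it, how many of them
    do so on a regular beat, whether an IRC port is involved, and a verdict."""
    per_dst = defaultdict(lambda: defaultdict(list))   # dst -> src -> [ts]
    ports = defaultdict(set)
    for f in flows:
        per_dst[f["dst"]][f["src"]].append(f["ts"])
        ports[f["dst"]].add(f["dport"])
    report = {}
    for dst, by_src in per_dst.items():
        periodic = [src for src, ts in by_src.items() if periodicity(ts)[2]]
        irc = bool(ports[dst] & IRC_PORTS)
        if len(periodic) >= min_hosts:
            verdict = "botnet-c2"             # several hosts, same beat, same controller
        elif periodic:
            verdict = "single-host-beacon"    # one infected host, not yet spreading
        else:
            verdict = "one-off"               # no rhythm: treat as isolated activity
        report[dst] = {"hosts": len(by_src), "periodic_hosts": len(periodic),
                       "irc_port": irc, "verdict": verdict}
    return report


if __name__ == "__main__":
    for dst, info in classify(parse_flows(FLOWS)).items():
        print(dst, info)
```

The regularity test deliberately ignores packet size and signature: a bot that has already been flagged by a signature is the easy case, while the per-destination rhythm across several hosts is what turns "one alert" into "a propagating botnet with a controller", which is the severity call the passage is about.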