SIEM Security Information Event Management Gartner Magic Quadrant
(Image from Gartner: http://www.gartner.com/technology/reprints.do?id=1-2J31FF4&ct=150706&st=sb)
What do we need in order to protect our systems and keep them performing their functions?
Good information from all of our devices. The diagram above is Gartner’s Magic Quadrant for SIEM (Security Information and Event Management); the top products/companies are IBM Security, Splunk, HP, Intel Security, and LogRhythm.
With Splunk, for example, you can feed all of your network devices (firewalls, switches, servers, routers, and more) into the Splunk interface, and then you will have a proper look at what is really going on in your network. Or will you?
We know the attackers’ TTPs (Tactics, Techniques and Procedures), yet they are still used against us:
we do all we can, but still get hacked.
How do we address the fundamental problem: what is actually going into the logs, and is it good enough?
http://oversitesentry.com/itconundrum-security-catch22s/ reviews Heisenberg’s “Uncertainty Principle” as it applies here.
We do have a problem in the sense that when we are checking and logging:
Does the act of checking the network modify the characteristics of a potential scan or attack on the system?
It likely depends on the attack and on the system that is defending (logging).
There is only one thing to do (see http://oversitesentry.com/why-is-pentesting-needed/):
You must perform your own Red Team attacks to know what your monitoring actually shows while an attack occurs. In fact, it is important to perform specific attacks at a specified moment in time, so that you can check the status and performance of your logging against that known event.
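One way to turn that into a repeatable check, as an added example that is not from the original post: the script below takes a schedule of Red Team test actions (when each ran, from which source address, and which SIEM event it should have produced) and a JSON-lines export of what the SIEM actually recorded, then reports for each test whether the expected event showed up within a time window and how long it took to appear. The field names `ts`, `src_ip` and `event_type`, the event-type labels, and all sample records are constructed assumptions; map them to your own SIEM’s schema.

```python
"""Detection-validation check: did the SIEM log each scheduled Red Team test?

Added example, not code from the original post. Assumes SIEM events were
exported as JSON lines with fields 'ts' (ISO 8601 UTC), 'src_ip' and
'event_type'; these names are an assumption. All sample data is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed SIEM export: what the log platform actually recorded.
SIEM_EXPORT = """\
{"ts": "2015-07-06T14:00:03Z", "src_ip": "10.0.5.23", "event_type": "port_scan"}
{"ts": "2015-07-06T14:10:45Z", "src_ip": "10.0.5.23", "event_type": "auth_failure"}
{"ts": "2015-07-06T14:11:02Z", "src_ip": "10.0.5.99", "event_type": "auth_failure"}
"""

# Constructed Red Team schedule: each test action, when it was run, and the
# event the SIEM is expected to produce for it.
SCHEDULED_TESTS = [
    {"name": "scan-01", "ran_at": "2015-07-06T14:00:00Z",
     "src_ip": "10.0.5.23", "expect": "port_scan"},
    {"name": "bruteforce-01", "ran_at": "2015-07-06T14:10:00Z",
     "src_ip": "10.0.5.23", "expect": "auth_failure"},
    {"name": "webattack-01", "ran_at": "2015-07-06T14:20:00Z",
     "src_ip": "10.0.5.23", "expect": "web_attack"},
]


def parse_ts(s):
    """Parse an ISO 8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(export_text):
    """Read a JSON-lines SIEM export into a list of dicts with parsed timestamps."""
    events = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        events.append(rec)
    return events


def validate(tests, events, window=timedelta(minutes=5)):
    """For each scheduled test, find the first SIEM event that matches its
    source and expected type within `window` after the test ran.

    Returns {test_name: detection latency in seconds, or None if never logged}.
    """
    results = {}
    for t in tests:
        ran_at = parse_ts(t["ran_at"])
        matches = [e for e in events
                   if e["src_ip"] == t["src_ip"]
                   and e["event_type"] == t["expect"]
                   and ran_at <= e["ts"] <= ran_at + window]
        if matches:
            first = min(matches, key=lambda e: e["ts"])
            results[t["name"]] = (first["ts"] - ran_at).total_seconds()
        else:
            results[t["name"]] = None  # detection gap: the SIEM never saw it
    return results


def coverage(results):
    """Fraction of scheduled tests that produced a matching SIEM event."""
    detected = sum(1 for v in results.values() if v is not None)
    return detected / len(results) if results else 0.0


if __name__ == "__main__":
    res = validate(SCHEDULED_TESTS, load_events(SIEM_EXPORT))
    for name, latency in res.items():
        status = "MISSED" if latency is None else f"seen after {latency:.0f}s"
        print(f"{name}: {status}")
    print(f"coverage: {coverage(res):.0%}")
```

Run against the constructed data, the scan and the brute-force test are both logged (3 s and 45 s after they ran) while the web attack never appears, so coverage is two out of three. A missed test is the useful result here: it is the evidence that a log source or a rule is not delivering what the vendor’s dashboard implies, and the latency figures give you the monitoring “performance” the paragraph above asks for.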
Start creating a diagram like this:
How else can systems be protected with a higher level of defensive capability? Otherwise you have only the vendor’s word as to what is happening.