Why SIEM, app sec, behavior analytics are crucial for security

Cindy Cullen Chief Cyber-Security Strategist, HPE

Would you walk, run, or drive a car blindfolded? Of course not. But if you are running your environment without SIEM (security information and event management), without analysis of DNS (Domain Name System), without application security, and without analysis of user behavior, then you are essentially running your environment blindfolded.

Many organizations have chosen to enhance their visibility because their security mindset has switched from “if we are compromised” to “we have already been compromised.” Other organizations are choosing to invest in visibility because they have realized that, on average, it takes nine months for an organization to detect that it has been compromised. And organizations are often amazed at what they find when they develop visibility. 

With SIEM, you can see clearly now

SIEM provides visibility into activity on the systems that send it logs and events. Some organizations choose to send only high-risk sources (VPN concentrators, firewalls, and the like), while more risk-averse organizations send all logs and events to the SIEM. The SIEM provides visibility by aggregating that data and correlating events across the environment, alerting on the patterns it finds and preserving the record needed for forensic analysis. The commonly cited figure that 84 percent of successful breaches occur via the application layer is a reason to include application logs among those sources: a SIEM fed only perimeter and network logs cannot correlate what it never sees.
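As an added illustration (not code from the article or from any HPE or Micro Focus product), the following Python shows the aggregation and correlation step in miniature: two constructed log sources, a VPN concentrator and a firewall, are normalized into one event schema and then joined by two rules that neither source could raise alone. The log formats, hosts, users and thresholds are all invented for the example.

```python
"""Cross-source correlation of the kind a SIEM rule engine performs, run over
constructed VPN and firewall log lines. Log formats, hosts and thresholds are
invented for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from any real product).
VPN_LOG = """\
2024-03-01T09:00:05Z vpn user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:09Z vpn user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:14Z vpn user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:21Z vpn user=alice src=203.0.113.7 result=SUCCESS assigned=10.8.0.12
2024-03-01T09:05:00Z vpn user=bob src=198.51.100.4 result=SUCCESS assigned=10.8.0.13
"""

FW_LOG = """\
2024-03-01T09:01:02Z fw action=DENY src=10.8.0.12 dst=10.0.1.5 dport=445
2024-03-01T09:01:03Z fw action=DENY src=10.8.0.12 dst=10.0.1.6 dport=445
2024-03-01T09:01:03Z fw action=DENY src=10.8.0.12 dst=10.0.1.7 dport=445
2024-03-01T09:01:04Z fw action=DENY src=10.8.0.12 dst=10.0.1.8 dport=445
2024-03-01T09:01:04Z fw action=DENY src=10.8.0.12 dst=10.0.1.9 dport=445
2024-03-01T09:06:00Z fw action=ALLOW src=10.8.0.13 dst=10.0.2.20 dport=443
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Normalize '<timestamp> <source> key=value ...' lines into dicts.

    This is the aggregation step: both log sources end up in one event schema."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, rest = line.split(" ", 2)
        event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
        event.update(KV.findall(rest))
        events.append(event)
    return events


def correlate(vpn_events, fw_events, fail_threshold=3, fail_window=timedelta(minutes=5),
              scan_threshold=5, scan_window=timedelta(minutes=10)):
    """Two correlation rules that neither log source can express alone:

    1. brute_force_then_success: at least fail_threshold failed VPN logins for the
       same (user, source IP) within fail_window, followed by a success.
    2. post_login_internal_scan: within scan_window of a VPN success, the address
       assigned to that session is DENIED by the firewall to at least
       scan_threshold distinct internal destinations (lateral-movement probing)."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for event in sorted(vpn_events, key=lambda e: e["ts"]):
        key = (event["user"], event["src"])
        if event["result"] == "FAIL":
            failures[key].append(event["ts"])
            continue
        if event["result"] != "SUCCESS":
            continue
        recent = [t for t in failures.pop(key, []) if event["ts"] - t <= fail_window]
        if len(recent) >= fail_threshold:
            alerts.append({"rule": "brute_force_then_success", "user": event["user"],
                           "src": event["src"], "failures": len(recent), "ts": event["ts"]})
        assigned = event.get("assigned")
        if assigned is None:
            continue
        denied = {fw["dst"] for fw in fw_events
                  if fw["action"] == "DENY" and fw["src"] == assigned
                  and event["ts"] <= fw["ts"] <= event["ts"] + scan_window}
        if len(denied) >= scan_threshold:
            alerts.append({"rule": "post_login_internal_scan", "user": event["user"],
                           "host": assigned, "distinct_dsts": len(denied), "ts": event["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(VPN_LOG), parse_log(FW_LOG)):
        print(alert)
```

Run as written, the sample produces two alerts for alice (the password-guessing run that ends in a success, and the SMB probing from her assigned address a minute later) and none for bob, whose single clean login and allowed HTTPS traffic trip neither rule. The second rule is the one worth noticing: the firewall alone sees some denied packets from an internal address, the VPN alone sees a successful login; only the joined view says "the account that just got in is scanning."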

With DNS analytics, zero false positives can be yours

Most organizations do not aggregate DNS logs in the SIEM because of the volume of data. Yet that data shows what is happening on the network: devices resolving the names of command-and-control (C2) servers, beaconing at regular intervals, and similar activity. This gives visibility into zero-day malware and recombined malware variants that signature-based tools cannot detect, because most such implants still have to resolve a domain name to find their controller.

An advantage of DNS analytics is that, when the detections rest on high-confidence indicators such as known C2 domains, false positives are very rare. Some organizations have enough confidence in this approach that they have built automated processes that isolate endpoint devices and take action on them (for example, re-imaging) as soon as they are flagged via DNS. That automation is only as good as the indicator list behind it: a domain that has since been sinkholed or repurposed, or periodic but benign traffic such as time or update checks, can otherwise send clean machines for re-imaging, so statistical detections such as beaconing are better routed to analyst review than to automatic action.
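An added example, not from the article, of the two kinds of DNS detection described above and of the confidence gating that a re-imaging decision deserves: a high-confidence match against a known C2 domain list, and a statistical test for beaconing (near-constant query intervals) that is useful for finding unknown malware but also catches benign periodic traffic unless it is allowlisted. The domains, addresses, indicator list and allowlist are constructed for the example.

```python
"""DNS-log analytics: threat-intel matching plus statistical beaconing detection,
with the confidence of each detection deciding the response. All domains,
addresses and thresholds are invented for this example."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed resolver log: '<timestamp> <client_ip> <queried name>'.
DNS_LOG = """\
2024-03-01T10:00:00Z 10.0.5.21 time.corp.example
2024-03-01T10:00:00Z 10.0.5.21 upd.bad-c2.example
2024-03-01T10:01:00Z 10.0.5.21 upd.bad-c2.example
2024-03-01T10:02:00Z 10.0.5.21 upd.bad-c2.example
2024-03-01T10:03:00Z 10.0.5.21 upd.bad-c2.example
2024-03-01T10:04:00Z 10.0.5.21 upd.bad-c2.example
2024-03-01T10:00:03Z 10.0.5.22 www.example.org
2024-03-01T10:00:00Z 10.0.5.23 a7f3.unknown-host.example
2024-03-01T10:00:30Z 10.0.5.23 a7f3.unknown-host.example
2024-03-01T10:01:00Z 10.0.5.23 a7f3.unknown-host.example
2024-03-01T10:01:30Z 10.0.5.23 a7f3.unknown-host.example
2024-03-01T10:02:00Z 10.0.5.23 a7f3.unknown-host.example
2024-03-01T10:02:30Z 10.0.5.23 a7f3.unknown-host.example
2024-03-01T10:00:00Z 10.0.5.24 time.corp.example
2024-03-01T10:01:00Z 10.0.5.24 time.corp.example
2024-03-01T10:02:00Z 10.0.5.24 time.corp.example
2024-03-01T10:03:00Z 10.0.5.24 time.corp.example
2024-03-01T10:04:00Z 10.0.5.24 time.corp.example
"""

# Constructed threat-intel feed of known C2 domains (a match here is high confidence).
C2_INDICATORS = {"bad-c2.example"}
# Known benign periodic traffic (time sync, update checks) that would otherwise look like beaconing.
PERIODIC_ALLOWLIST = {"time.corp.example"}


def parse_dns_log(text):
    """Turn resolver log lines into (timestamp, client, normalized name) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           client, qname.lower().rstrip(".")))
    return events


def matches_indicator(qname, indicators):
    """True if qname or any parent domain of it is on the indicator list."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))


def find_beacons(events, min_queries=5, max_cv=0.2):
    """Flag (client, name) pairs queried at near-constant intervals.

    A coefficient of variation (stdev / mean) of the gaps close to 0 means a timer,
    not a human. Allowlisted names are skipped because legitimate agents beacon too."""
    series = defaultdict(list)
    for ts, client, qname in events:
        series[(client, qname)].append(ts)
    beacons = []
    for (client, qname), times in series.items():
        if qname in PERIODIC_ALLOWLIST or len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue  # only duplicate timestamps; no interval pattern to judge
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"client": client, "qname": qname,
                            "period_s": mean, "cv": round(cv, 3)})
    return beacons


def triage(events):
    """Map each flagged client to an action. Only the high-confidence indicator
    match earns automatic isolation; statistical beaconing alone goes to review."""
    actions = {}
    for _, client, qname in events:
        if matches_indicator(qname, C2_INDICATORS):
            actions[client] = "isolate"
    for beacon in find_beacons(events):
        actions.setdefault(beacon["client"], "review")
    return actions


if __name__ == "__main__":
    for client, action in sorted(triage(parse_dns_log(DNS_LOG)).items()):
        print(client, action)
```

On the sample data 10.0.5.21 is isolated because it resolves a listed C2 domain (and, incidentally, does so every 60 seconds), 10.0.5.23 is queued for review because it beacons to an unknown name every 30 seconds with no indicator behind it, and 10.0.5.24 is left alone even though its time-sync queries are just as regular, because the allowlist says that rhythm is expected. Drop the allowlist and the third host would be re-imaged by the same automation that the article describes.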

RASP: Get real, go runtime

Visibility into application vulnerabilities can be gained during the software development lifecycle through static analysis of the code as it is written, manual code review, and dynamic application scans of the running build. Once applications are deployed, runtime application self-protection (RASP), which instruments the application from inside its own runtime to observe and block attacks as they happen, extends that visibility into operations.

Oh, behave! Use behavior analytics

Compromised credentials and malicious insiders are common attack vectors. Analysis of user behavior provides visibility into user activity and makes it possible to flag behavior outside the norm for individuals and for groups such as finance and research. For groups, behavior analytics compares the members of a peer group, for example five administrators. If one behaves differently from the rest (for instance, accessing finance data or downloading large amounts of data), that can be flagged as unusual and in need of review; the behavior may be within that administrator's role, or it may be malicious. For individual users, a baseline of normal behavior is established from their own history, and activity outside the baseline is flagged as suspicious and in need of review.
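An added example, not from the article, of both forms of analysis: a peer-group comparison of five administrators on one day (median and MAD rather than mean and standard deviation, so the one outlier cannot drag the group's own center toward itself) and an individual baseline built from each user's prior days. The users, activity figures, metrics and thresholds are constructed for the example; in a real deployment the daily summaries would come from authentication, file-access and proxy logs.

```python
"""Peer-group and individual-baseline behavior analytics over constructed daily
activity summaries. Users, groups, metrics and thresholds are invented for this
example; a real deployment would compute the summaries from authentication,
file-access and proxy logs."""
import statistics

USERS = ["adm1", "adm2", "adm3", "adm4", "adm5"]
BASELINE_DAYS = [f"2024-03-0{d}" for d in range(1, 8)]  # seven days of history
TODAY = "2024-03-08"

# Constructed history: routine admin work, 100-140 MB a day, no finance reads.
ACTIVITY = [
    {"day": day, "user": user, "group": "admins",
     "mb_downloaded": 100 + 10 * ((i + d) % 5), "finance_reads": 0}
    for i, user in enumerate(USERS)
    for d, day in enumerate(BASELINE_DAYS)
]
# Constructed current day: adm3 pulls 5 GB and starts reading finance data.
ACTIVITY += [
    {"day": TODAY, "user": "adm1", "group": "admins", "mb_downloaded": 100, "finance_reads": 0},
    {"day": TODAY, "user": "adm2", "group": "admins", "mb_downloaded": 130, "finance_reads": 0},
    {"day": TODAY, "user": "adm3", "group": "admins", "mb_downloaded": 5000, "finance_reads": 40},
    {"day": TODAY, "user": "adm4", "group": "admins", "mb_downloaded": 110, "finance_reads": 0},
    {"day": TODAY, "user": "adm5", "group": "admins", "mb_downloaded": 120, "finance_reads": 0},
]

# Metric -> minimum scale, so a perfectly uniform group or history (spread 0)
# cannot produce infinite scores, and trivial jitter is not flagged.
METRICS = {"mb_downloaded": 10.0, "finance_reads": 1.0}


def robust_z(value, peers, floor):
    """Median/MAD z-score: one extreme peer does not pull the center toward
    itself the way a mean/stdev score would (0.6745 scales MAD to a stdev)."""
    med = statistics.median(peers)
    mad = statistics.median(abs(p - med) for p in peers)
    return 0.6745 * (value - med) / max(mad, floor)


def peer_outliers(records, day, group, threshold=3.5):
    """Group analysis: compare each member against the rest of the group on one day."""
    rows = [r for r in records if r["day"] == day and r["group"] == group]
    flags = []
    for metric, floor in METRICS.items():
        values = [r[metric] for r in rows]
        for r in rows:
            z = robust_z(r[metric], values, floor)
            if z > threshold:
                flags.append({"kind": "peer", "user": r["user"], "metric": metric,
                              "value": r[metric], "z": round(z, 1)})
    return flags


def baseline_outliers(records, day, threshold=3.0, min_history=5):
    """Individual analysis: compare today against the user's own prior days."""
    flags = []
    for user in sorted({r["user"] for r in records}):
        history = [r for r in records if r["user"] == user and r["day"] < day]
        today = [r for r in records if r["user"] == user and r["day"] == day]
        if len(history) < min_history or not today:
            continue  # not enough history to call anything abnormal yet
        for metric, floor in METRICS.items():
            past = [r[metric] for r in history]
            mean, sd = statistics.fmean(past), statistics.pstdev(past)
            z = (today[0][metric] - mean) / max(sd, floor)
            if z > threshold:
                flags.append({"kind": "baseline", "user": user, "metric": metric,
                              "value": today[0][metric], "baseline_mean": round(mean, 1),
                              "z": round(z, 1)})
    return flags


def review_queue(records, day, group):
    """Both views together; an analyst decides whether the activity fits the role."""
    return peer_outliers(records, day, group) + baseline_outliers(records, day)


if __name__ == "__main__":
    for flag in review_queue(ACTIVITY, TODAY, "admins"):
        print(flag)
```

Only adm3 lands in the queue, on both metrics and from both views. The floors matter: the finance_reads column is all zeros for everyone else, so its MAD and its baseline standard deviation are both 0, and without a minimum scale the division would either blow up or flag a single accidental read as catastrophic. The flags are review items, as the article says; whether 5 GB and forty finance reads are part of that administrator's job is a question for a person.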

20/20 vision is critical

Ensure that you are not blindfolded to activity in your environment. SIEM, analysis of DNS traffic, application security in the full software development lifecycle including in operations via RASP, and user behavior analysis are a few good options to obtain visibility into your environment.
