(Originally published in Cyber Defense Magazine, Black Hat special edition)
In this information age, even the mightiest of enterprises and governments across the globe are worried about cyber-attacks. Not a single day passes by without a story about a hack or a compromise or an identity theft involving data related to a large number of users. Cyber security is increasingly becoming complex, and cyber-attacks have truly emerged a global crisis.
An analysis of some of the recent high profile breaches reveals that the threat landscape is rapidly evolving into a more dangerous ground with highly targeted attacks and advanced persistent threats (APTs) leading the way.
Traditionally, enterprises have depended primarily on perimeter security software and traffic analysis solutions, which help only in combating traditional attack vectors. But hackers today are turning highly creative, and traditional defenses are not effective against advanced threats.
Combating modern cyber-attacks demands a multi-pronged strategy incorporating a complex set of activities. These include deploying security devices, enforcing security policies, controlling access to resources, monitoring events, analyzing logs, detecting vulnerabilities, managing patches, tracking changes, meeting compliance regulations, monitoring traffic, and more.
But even all these measures are proving insufficient to effectively tackle the sophisticated APTs and targeted attacks. Organizations are required to turn towards advanced analytics, which involves analyzing all the data that enters the network, all the time. Though the market is flooded with various types of IT security analytics solutions, the harsh reality is that no single solution could offer effective protection against all emerging threats.
Despite having a sound security arsenal, organizations encounter embarrassing breaches as cyber-criminals often stay ahead of all defenses. Organizations are required to not just analyze internal data but also to gain threat intelligence from external sources to obtain real-time visibility. The battle against evolving cyber-crimes calls for close coordination and collaboration among security solution vendors, industry groups, government agencies, and security analysts. The need for sharing security data and intelligence is pressing and clear.
Already, a good number of public and private collaborative communities and information sharing groups are playing a pioneering role in creating and disseminating threat intelligence. Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), Anti-phishing Working Group (APWG), Emerging Threats, Malware Domain List, SANS ISC, Spam and Open Relay Blocking System (SORBS) are some of the popular communities. Other communities like Information Sharing and Analysis Centers (ISACs) specialize in verticals, such as IT, financial, healthcare, or banking; and they offer highly focused feeds relevant to specific verticals.
However, the vendors in information security space, especially those in the log management and SIEM domains are not liberal in exposing their data to third-party applications and threat intelligence tools. Of course, the SIEM solutions have been offering provisions to import data from varied sources, including threat intelligence solutions. But such integrations are fraught with many limitations. In the absence of proper correlation and data processing, feeding terabytes of data to the SIEM solution will not offer the required protection.
Even when the SIEM solution proves to be powerful with the capability of analyzing and correlating big data from internal and external sources, most organizations cannot afford huge investment in big data analytics.
ManageEngine Advances Security Intelligence with Log Data for Third-Party Tools
ManageEngine’s SIEM and log management solution EventLog Analyzer shatters all these limitations by opening up its database for integration with any third-party application. EventLog Analyzer’s API lets security administrators feed reams of normalized log data into any third-party application, including crowd-sourced threat intelligence solutions, vulnerability assessment platforms, business intelligence tools or even custom applications for advanced security intelligence and threat protection.
EventLog Analyzer’s rich database serves as the centralized warehouse of security-sensitive data, and the Thrift IDL-based API of EventLog Analyzer enables administrators to pull the required data.
Security administrators can leverage this integration to bolster their security framework in such use cases as:
Advanced threat mitigation – The normalized data from EventLog Analyzer could be fed into crowd-sourced advanced threat intelligence services, sandbox solutions or sophisticated vulnerability assessment platforms. These tools can associate EventLog Analyzer’s security data with the information they already possess and help mitigate emerging attacks, botnets, zero-day threats, phishing attacks, malware attacks, and APT.
Location-based threat analysis – Integration with geolocation services could help enterprises gain geographic context to any event. This, in turn, helps pinpoint the country of origin and physical location of an application involved in an event. If the origin matches the countries commonly associated with APTs, suspicious traffic could be isolated for deeper analysis.
Customized security views – Security managers could even create their own web applications and dashboards by extracting the data critical to their needs.
Application performance tuning – Normalized data from EventLog Analyzer could be fed into modern business intelligence tools, which could help organizations understand the evolving threat landscape, assess risks and prepare mitigation strategies and an emergency response plan in the event of attack. The data could also help drill down to overall application performance issues and assess product usability and quality.
EventLog Analyzer collects, normalizes, analyzes, correlates, and stores voluminous logs from heterogeneous sources. Now, the API can provide actionable intelligence and help security admins trace, thwart, and combat evolving threats.
It is high time information security solution vendors came together and worked towards shared intelligence. By opening up the normalized log database to third-party applications, ManageEngine has taken the first modest step in that direction.