Would You Take Tylenol to Treat a Brain Tumor?
Let me explain.
Organizations are inundated with logs and alerts. Firewalls generate thousands of alerts a day. Intrusion detection systems generate thousands more. Sandbox solutions add hundreds to thousands on top of that, alerting on malware that may or may not have detonated on a vulnerable system. And of course, infrastructure and applications are generating countless logs of user activity, whether normal or suspicious.
Organizations know they lack visibility into active attackers on their networks, and they know they have a log problem. So vendors have rushed to the fore with security analytics packages, either sitting on top of a SIEM or available directly from the SIEM vendor, to solve this log problem: analyze the logs and alerts, and provide visibility into what is actually happening.
This is the headache, and analytics are just a pain killer — treating a symptom.
The real problem is that there are active attackers in your networks, if not now, then soon. Rather than trying to detect them by parsing the logs and alerts from the current set of security infrastructure (which attackers easily bypass), it is worth taking a step back and asking a different question.
What is the right way to architect a solution to find active attacks?
The answer is simple — examine the actual, live network traffic (but with deep packet inspection, not just flow records) and the actual hosts and endpoints in the environment. Look for the universal behaviors associated with an active attack in the network and on the endpoints where the attack actually takes place. Go after the root cause (the tumor in this extended analogy); don’t just try to make the headache go away. You’ll save yourself from a far bigger headache down the road.
Learn more from our white paper, New Defense Against Targeted Attacks.