“PCI has driven a good ecosystem in the log management space, so the back-end technology is there,” says Gunnar Peterson, contributing analyst for Securosis and managing partner of Arctec Group.
The trick is figuring out the right technologies to act as the sensors feeding data into that SIEM system and developing a sound means of implementation. Peterson says technologies such as Web application firewalls and XML security gateways should play a more prominent role in application-layer activity that has thus far been difficult for many organizations to track. “Those can play a pretty important role because they are outside of the application so the security teams don’t have to necessarily get involved with the application build process as much,” he says. “But at the same time to support something that’s going to be useful you have to be down at the message data level.”
As for best practices, Peterson says it varies by industry — but he has some suggestions for any organization to get started.
You can’t count on port numbers to identify applications. As House points out, applications such as BitTorrent and Skype hide in HTTP traffic specifically to elude security controls. “A monitoring solution that just classifies traffic on port 80 as HTTP is potentially exposing the organization to infected content online, especially pirated software and media files with embedded malware,” he warns.
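To make the point above concrete, here is an added example (not code from the article or any vendor) that puts the naive port-based classifier next to one that looks at the first bytes the client actually sends; the flows, addresses and payloads are constructed samples.

```python
"""Port-based vs. content-based protocol identification over constructed flows."""
import re
from dataclasses import dataclass

# Constructed sample payload (not a real capture): the start of a BitTorrent
# peer handshake, a 0x13 length byte followed by the protocol string.
BT_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20)

@dataclass
class Flow:
    src: str
    dst_port: int
    payload: bytes  # first bytes the client sent on the connection

# Constructed flows: one real HTTP request on 80, two non-HTTP protocols on 80,
# and an HTTP request on a non-standard port.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    Flow("10.0.0.6", 80, BT_HANDSHAKE),
    Flow("10.0.0.7", 80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello
    Flow("10.0.0.8", 8080, b"POST /api HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")

def classify_by_port(flow):
    """The approach the article warns about: the port number is the protocol."""
    return {80: "http", 443: "https"}.get(flow.dst_port, "unknown")

def classify_by_content(flow):
    """Identify the protocol from what was actually sent, regardless of port."""
    p = flow.payload
    if HTTP_REQUEST.match(p):
        return "http"
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    # TLS record: content type 0x16 (handshake), major version 3, handshake type 1 (ClientHello)
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "tls"
    return "unknown"

def find_port_mismatches(flows):
    """Flows where the port label and the observed content disagree: exactly the
    traffic a port-only monitor would silently label as ordinary HTTP (or miss)."""
    return [(f.src, f.dst_port, classify_by_port(f), classify_by_content(f))
            for f in flows if classify_by_port(f) != classify_by_content(f)]
```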
Peterson says organizations need to leverage standards, such as CEE, which is being pushed by Mitre, or XDAS, which The Open Group is supporting, to help the front-end monitoring solutions “talk” with the back-end log management systems and enable you to fine-tune the data that makes it into the hands of the incident response team. “To mitigate this threat, an application monitoring solution needs to be able to identify and control both the content and the applications that are part of social networking sites,” he says. “Developers and security architects should spend time with those incident response teams just as if they were your business user — because, in fact, they are your business user — and interview them,” he says.
http://www.darkreading.com/security_monitoring/security/management/showArticle.jhtml?articleID=227701138