Category: Uncategorized

As Rothman sees it, the biggest advantage to integrating DAM with SIEM is the context it provides. “A database attack is usually one aspect of a broader attack…. The DAM has no visibility on network traffic, server configurations, exfiltration attempts, user activity, or a million other things,” Rothman says.

According to Rick Caccia, vice president of marketing at SIEM vendor ArcSight, this additional context is particularly important for monitoring database access through applications that are tied into data stores — but only through some layer of technological complexity. “The common problem DAM products have is most customers don’t have their applications directly talking to a database; they have some sort of application server that runs applications that talk to the database, and that application server tends to hold one connection to the database,” Caccia explains.

Tying DAM information into the SIEM allows an organization to more easily correlate the activity a user might have done on a front-end application with the query activity by an application server sent directly into the database.

“Organizations take application logs, send the application logs to the SIEM, send the DAM logs to the SIEM, and the SIEM correlates those two together,” Caccia says.

Rothman and Caccia agree that one of the biggest challenges in feeding DAM into SIEM isn’t the technology — DAM and SIEM vendors have worked together during the past few years — but is often caused by internal staff battles.

http://www.darkreading.com/database-security/167901020/security/security-management/228500270/to-improve-security-get-your-dam-info-into-siem.html

“I find it funny that there are patches everywhere else that are applied on a regular basis to machines like desktops and so on, but it is still not a general practice for the databases,” says Michelle Malcher, director of education for IOUG and a DBA and team lead at a Chicago-based financial firm.

She recommends garnering executive buy-in with cooperation of DBAs and security team: Many DBAs are up against the wall with diminishing maintenance windows and uptime demands by management and application owners that make it near impossible for them to meet and still apply patches on schedule.

“Honestly, the first step is not to necessarily install all of the components of the Oracle database if you’re only using specific components,” Malcher says.

http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=227701320&cid=RSSfeed

“PCI has driven a good ecosystem in the log management space, so the back-end technology is there,” says Gunnar Peterson, contributing analyst for Securosis and managing partner of Arctec Group.

The trick is figuring out the right technologies to act as the sensors feeding data into that SIEM system and developing a sound means of implementation. Peterson says technologies such as Web application firewalls and XML security gateways should play a more prominent role in application-layer activity that has thus far been difficult for many organizations to track. “Those can play a pretty important role because they are outside of the application so the security teams don’t have to necessarily get involved with the application build process as much,” he says. “But at the same time to support something that’s going to be useful you have to be down at the message data level.”

As for best practices, Peterson says it varies by industry — but he has some suggestions for any organization to get started.

You can’t count on port numbers to identify applications. As House points out, applications such as BitTorrent and Skype hide in HTTP traffic specifically to elude security controls. “A monitoring solution that just classifies traffic on port 80 as HTTP is potentially exposing the organization to infected content online, especially pirated software and media files with embedded malware,” he warns.

Peterson says organizations need to leverage standards, such as CEE, which is being pushed by Mitre, or XDAS, which the OpenGroup is supporting, to help the front-end monitoring solutions “talk” with the back-end log management systems and enable you to fine-tune the data that makes it into the hands of the incident response team. “To mitigate this threat, an application monitoring solution needs to be able to identify and control both the content and the applications that are part of social networking sites,” he says. “Developers and security architects should spend time with those incident response teams just as if they were your business user — because, in fact, they are your business user — and interview them,” he says.

http://www.darkreading.com/security_monitoring/security/management/showArticle.jhtml?articleID=227701138

Traditionally, security technology companies and computer users have taken a defensive posture, putting the cyber equivalent of body armor on computers, networks and in the cloud. The report’s authors say it is now time to avoid enemy strikes altogether by taking a more aggressive stance, aligning forces and involving law enforcement.

“As we look at the evolution of risky domains and websites over multiple years, we can’t avoid the conclusion that the risk keeps increasing in both volume and sophistication,” said David Marcus, director of security research and communications for McAfee Labs.

Use hacker techniques: Data loss is accelerating at an alarming rate, as there were 222 million records lost in 2009 in the United States alone.

Provide data to help prosecute cybercriminals: A major component for combating spam lies in the hands of ICANN (the Internet Corporation for Assigned Names and Numbers), as it accredits the registrants that sell the domains which cybercriminals use to host malicious sites.

An offensive security practice should involve the entire security industry while incorporating methods that have proven successful. This includes educating those fighting cybercrime “on the streets” to have the latest in malware techniques, bringing tools to the mass population to help identify risky behavior, pointing users to the right contacts to report crimes, and helping to build education and awareness at the kindergarten level through higher education.

http://www.net-security.org/secworld.php?id=9713&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29

The decision to abandon email encryption projects in most cases was probably taken many years ago when those overheads became apparent. Since then, not only have the regulatory and legislative landscapes changed considerably (DPA, FSA, SOX et al), but so has the technology.

http://www.cio.co.uk/opinion/ferguson/2010/05/27/email-encryption-must-be-prioritised/

Without a reward, “You are not providing any incentive for the managed security service provider to detect breaches,” says Asunur Cezar, the paper’s lead author and an instructor at the Middle East Technical University in Ankara, Turkey. “It may be penalized after some investigation, but that does not necessarily act as an incentive.”

The research also found that, when penalties are limited in some way, the second variant — using one MSSP for monitoring and another for detection — provides better security. The researchers pointed to court cases that limit penalties against service providers, concluding that such real-world limits mean having one provider essentially audit the other leads to the best performance.

The results of the study could be interesting academically, but they might not translate well to real-world MSSP contracts, says John Pescatore, vice president of analyst firm Gartner. In the real world, service firms are providing a specific function, not blanket protection, so it is usually difficult to penalize the companies for a breach. “The contract is to manage your firewalls or manage your firewalls, intrusion detection system, and antiviral — they are not saying, ‘Sign up with us, and we will protect you against all breaches,'” Pescatore says.

http://www.darkreading.com/securityservices/security/management/showArticle.jhtml?articleID=225200295&cid=RSSfeed