Get smarter about log data Oct 2012

Bob Tarzey, Analyst and Director

Quocirca Comment
Resellers charged with making sure their customers' use of IT is secure face an on-going challenge: is the security in place good enough to counter today's threats and, if not, can the customer be convinced to invest more? Research commissioned by LogRhythm and included in a recent Quocirca report entitled Advanced cybersecurity intelligence underlines the scale of the problem; only 19% of the organisations surveyed said security spending was increasing as a proportion of overall IT spending (figure 1). However, the number of threats is increasing and their nature is changing from being generic and random to tailored and targeted. The approach taken to IT security needs to change in line with this, and in many cases this will have to be achieved without huge new investment. A starting point is to review what is in place already and gauge its effectiveness.

Traditionally IT security has been deployed as a series of point products: firewalls to keep out intruders, desktop anti-virus to protect the end user environment, spam filters to clean email, web filters to police use of the internet, etc. Whilst all such products have their place, mainly when it comes to countering old-style generic security threats, they are often not enough to protect against more targeted threats; detecting and mitigating these requires a broader approach to be taken.

A good example is the Flame malware that was first reported and named earlier in 2012. The early instances of the malware were not known to anti-virus products that relied on signatures, so it had to be detected in other ways, for example by monitoring for unusual activity. Flame worked by contacting as many other devices on a network as it could and then seeking out interesting data and sending it back to a command and control server. A server that was accessing a wide range of other devices on a given network and sending reports back to a suspicious IP address could be detected by monitoring both firewall and server activity logs in real time and recognising the unusual behaviour of Flame. Spotting attacks in this way is what Quocirca has called in its recent report advanced cyber-security intelligence.

The good news is that many organisations already have the base technology for doing this in place. The early iterations of such products were for log management: the collecting and archiving of log data for long term compliance reporting. These evolved into what became termed SIEM (security information and event management), which involved the collection of a broader range of data. Next generation SIEM (another term for advanced cyber-security intelligence) describes souped-up versions of such tools that can use such data in real time to protect against targeted threats.
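The correlation described above for Flame (a host fanning out to many internal devices and also sending traffic to a suspicious address) can be sketched as follows. This is an added example, not code from the Quocirca report or any SIEM product; the key=value log format, the 10.0.0.0/24 internal range, the watch-listed address, the threshold and the time window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample data, not taken from the article. The key=value log format,
# the 10.0.0.0/24 internal range and the watch-listed address are assumptions.
INTERNAL = ipaddress.ip_network("10.0.0.0/24")
WATCHLIST = {"203.0.113.77"}
SERVER_LOG = """\
2012-10-01T09:00:01 src=10.0.0.5 dst=10.0.0.11 action=connect
2012-10-01T09:00:20 src=10.0.0.5 dst=10.0.0.12 action=connect
2012-10-01T09:00:41 src=10.0.0.5 dst=10.0.0.13 action=connect
2012-10-01T09:02:00 src=10.0.0.8 dst=10.0.0.11 action=connect
""".splitlines()
FIREWALL_LOG = """\
2012-10-01T09:03:10 src=10.0.0.5 dst=203.0.113.77 action=allow
2012-10-01T09:03:30 src=10.0.0.8 dst=198.51.100.10 action=allow
2012-10-01T09:04:00 src=10.0.0.9 dst=203.0.113.77 action=allow
""".splitlines()

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def fanout_hosts(server_lines, threshold, window):
    """Map sources that reached >= threshold distinct internal peers in one window."""
    events = defaultdict(list)
    for rec in map(parse, server_lines):
        if ipaddress.ip_address(rec["dst"]) in INTERNAL:
            events[rec["src"]].append((rec["ts"], rec["dst"]))
    flagged = {}
    for src, evs in events.items():
        # Largest number of distinct peers seen in any window starting at an event.
        best = max(len({d for t, d in evs if s <= t <= s + window})
                   for s, _ in evs)
        if best >= threshold:
            flagged[src] = best
    return flagged

def correlate(server_lines, firewall_lines, watchlist,
              threshold=3, window=timedelta(minutes=5)):
    """Alert only when fan-out and an allowed watch-list connection share a source."""
    scanners = fanout_hosts(server_lines, threshold, window)
    hits = {(r["src"], r["dst"], scanners[r["src"]])
            for r in map(parse, firewall_lines)
            if r["src"] in scanners and r["dst"] in watchlist and r["action"] == "allow"}
    return sorted(hits)
```

Neither log source alone produces the alert: 10.0.0.9 reaches the watch-listed address without any fan-out and 10.0.0.8 shows neither signal, so only 10.0.0.5 is reported.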

http://www.quocirca.com

2012 Quocirca Ltd

On the whole, organisations are reasonably optimistic about protecting themselves against IT security threats with the right technology in place (figure 2). However, they must also recognise that the right technology is changing. This is not to say point security products should all be ditched, but their effectiveness should certainly be reviewed and the products rationalised, which should free up some funds.

Resellers need to make sure they have an understanding of next generation SIEM, the products and their capabilities. Many of their customers may already have the base technology in place, but not be using it to full effect to improve their protection against a range of increasingly sophisticated threats. Furthermore, most organisations already have some form of log management capability in place (figure 3). It is just that they are not benefiting from using this in real time. Again, the current investment can be reviewed and more advanced capabilities recommended. LogRhythm, the sponsor of Quocirca's recent report, is one such provider; others include IBM (via its Q1 Labs acquisition), McAfee (via its NitroSecurity acquisition) and HP (via its ArcSight acquisition).

Quocirca's report, Advanced cyber-security intelligence, is freely available here: http://ecrm.logrhythm.com/WebQuocircaAdvancedCyberSecurity7-2012.html

This article first appeared in the Computer Reseller News (CRN) UK print edition and on http://www.channelweb.co.uk

About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption: the personal and political aspects of an organisation's environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to advise on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca's mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca's clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP, Xerox, EMC, Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist firms.

Full access to all of Quocirca's public output (reports, articles, presentations, blogs and videos) can be found at http://www.quocirca.com
