The media characterizes every data breach, like the recent ones at Target, Neiman Marcus and Sony, as an epic failure. The amount of data stolen is indeed of epic proportions, but we should remember that these are crimes committed by criminals. At each organization there were many IT security professionals trying to prevent what still happened, and it pays to learn from what they did right, what worked and what didn't.
Erick Ingleby, a fellow security log specialist, and I have combed through all the information we can find about these breaches and analyzed it from the perspective of detection. We've assembled an interesting list of security monitoring lessons and ideas that we will share in this upcoming webinar.
For example, the Target story highlights once again the power of monitoring for new executables running for the first time in your environment, including endpoints like Target's point-of-sale systems. That is not as hard as you might think, and we'll compare Windows Event Forwarding and SIEM agents as two different ways to collect the events it requires.
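To make the "first time this executable has run anywhere" idea concrete, here is an added example of the detection logic itself; it is not code from the original post, from the webinar, or from LogRhythm. It assumes process-creation events (Security event 4688 on Windows) have already been collected by Windows Event Forwarding or a SIEM agent and parsed into records with host, time, new process path and parent process path; the field names, the baseline of already-known executables (normally learned over a quiet period) and the sample events are all constructed for this example. The logic goes one step beyond the post: after the first alert it also reports the same unknown binary appearing on additional hosts, since a fleet of point-of-sale systems all starting a new executable within minutes is the pattern worth seeing at a glance.

```python
"""First-seen executable detection over Windows process-creation events.

Added example, not code from the original post or from any vendor. Assumes
4688-style records already collected (via WEF or a SIEM agent) and parsed
into dicts with the constructed field names host, time, process, parent.
"""
from dataclasses import dataclass
import re

# Constructed baseline: executables known to be normal in this environment.
BASELINE = {
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\services.exe",
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\explorer.exe",
    r"C:\POS\register.exe",
}

# Constructed sample events, as a SIEM would store parsed 4688 records.
SAMPLE_EVENTS = [
    {"host": "POS-0117", "time": "2014-02-03T08:01:12",
     "process": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"host": "POS-0117", "time": "2014-02-03T08:02:40",
     "process": r"C:\POS\register.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "POS-0342", "time": "2014-02-03T08:03:05",
     "process": r"C:\POS\register.exe", "parent": r"C:\Windows\explorer.exe"},
    # svchost.exe launched from Temp, not System32: a new binary by path.
    {"host": "POS-0342", "time": "2014-02-04T02:14:51",
     "process": r"C:\Windows\Temp\svchost.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "POS-0342", "time": "2014-02-04T02:15:30",
     "process": r"C:\Windows\Temp\svchost.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "POS-0117", "time": "2014-02-04T02:20:07",
     "process": r"C:\Windows\Temp\svchost.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "POS-0501", "time": "2014-02-04T02:21:44",
     "process": r"C:\Windows\Temp\svchost.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "POS-0117", "time": "2014-02-04T09:00:13",
     "process": r"C:\Users\clerk\AppData\Local\Temp\Update.exe", "parent": r"C:\Windows\explorer.exe"},
]

USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\")


def normalize_path(path: str) -> str:
    """Canonical key for an executable path: case-folded, with the user-profile
    directory generalized so the same binary under different profiles matches."""
    p = path.strip().lower()
    return USER_PROFILE.sub(lambda m: "c:\\users\\<user>\\", p)


@dataclass(frozen=True)
class Alert:
    time: str
    host: str
    process: str
    parent: str
    reason: str


def detect_first_seen(events, baseline):
    """Return alerts, in time order, for executables absent from the baseline.

    The first record for an unknown executable is reported as
    'new-to-environment'; later records for the same executable on other
    hosts are reported as 'spreading (N hosts)'. Repeat runs on a host that
    was already reported are suppressed.
    """
    known = {normalize_path(p) for p in baseline}
    hosts_seen = {}  # normalized path -> set of hosts where it has run
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = normalize_path(ev["process"])
        if key in known:
            continue
        hosts = hosts_seen.setdefault(key, set())
        if not hosts:
            reason = "new-to-environment"
        elif ev["host"] not in hosts:
            reason = f"spreading ({len(hosts) + 1} hosts)"
        else:
            continue  # same host running it again; already reported
        hosts.add(ev["host"])
        alerts.append(Alert(ev["time"], ev["host"], ev["process"], ev["parent"], reason))
    return alerts


if __name__ == "__main__":
    for a in detect_first_seen(SAMPLE_EVENTS, BASELINE):
        print(f"{a.time} {a.host:<9} {a.reason:<22} {a.process}  (parent: {a.parent})")
```

Keying on the path alone is the simplest form of this check and is what 4688 gives you; it will not notice a known path whose file has been replaced, so where your collector supplies a file hash, extend the key to path plus hash. The baseline also needs a way to be extended when legitimate software is deployed, or the "new-to-environment" alerts on patch day become exactly the kind of noise that leads to the double false positives discussed next.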
Another big lesson from this research is what Erick and I are calling the double false positive: your security technology does its job and alerts you to a legitimate security issue, but the analyst mistakenly classifies that alert as a false positive. This happened more than once during these breaches, and we'll look at why and how to avoid making the same mistake. Erick will briefly show how LogRhythm helps prevent double false positives by highlighting true anomalies with multiple lines of evidence.
But that’s just one example. We’ve come up with a number of generalized monitoring scenarios targeted at detecting data breaches at different phases of the operation and different points on a typical network.
I want to stress that this webinar will focus on monitoring and detection. There are other lessons to be learned about prevention, such as better network segmentation, but architectural network changes are often impractical and, in any case, outside the scope of this community, which is mostly security analysts.
If you are concerned about data breaches and you’re involved in SIEM and other security monitoring, this is the webinar for you. Don’t miss this real training for free (TM) event. Please register now!