SOURCE: Q1 Labs

June 20, 2011 03:00 ET

41 Percent of Breaches Had Evidence in the Logs, Yet Firms Fail to Use Intelligent SIEM

Breach Survey Highlights Problem With 1st Generation SIEM Technology, Says Security Expert

LONDON--(Marketwire - Jun 20, 2011) - Q1 Labs, the global provider of total security intelligence solutions, points to data in the recent 2011 Verizon Data Breach Investigations Report (DBIR) as evidence of a problem with first-generation Security Information and Event Management (SIEM) products: their failure to alert administrators to potential security incidents even when the evidence is already in the logs.

"It's shocking that 41 percent of the breaches investigated within the report already had good evidence of the incident within the victim's log that went unnoticed," explains Chris Poulin, CSO for Q1 Labs. "In many of these cases an intelligent SIEM would have provided early warning. Yet the problem remains that organisations still assume that log management is just a compliance requirement and not an active cyber threat detection system."

Poulin, who spent eight years in the U.S. Air Force managing global intelligence networks and developing software, believes that many organisations assume that all SIEM systems are basically the same. "A dumb SIEM that overloads an administrator with false reports is almost as bad as having no SIEM at all," he adds.

The DBIR, an annual study conducted by the Verizon RISK Team in co-operation with the U.S. Secret Service and the Dutch High Tech Crime Unit, found that within its representative sample the victim organisation's own purpose-built IT security controls detected the breach only six percent of the time.

According to the report's authors, many of these technology controls are either misconfigured, in the wrong place, or not being utilized at all. "For example, one breach victim had recently purchased a SIEM system, but then let the admin go to save cost," the authors noted.

"The reality is that many organisations deploy SIEM or log management to check off compliance tick boxes such as PCI, FISMA, GLBA, SOX, and GPG 13, then do not have the resources or technical expertise to investigate and respond to alerts in any meaningful way," explains Poulin. "We have a customer who was using Cisco MARS, which generated 500 alerts a day; after a while he simply ignored the alarms as he knew they were mostly false alerts."

"When he switched to QRadar, our Security Intelligence Platform, that figure dropped to around a dozen real issues, which then gave him the time to actually separate the threats from the 'noise,' and investigate; the only change was adding intelligence to help automatically categorise the real threats."

Poulin believes that the gap between the 41 percent of breaches that left evidence in the logs and the less than one percent of breaches actually spotted by SIEM represents a major opportunity for organisations to proactively address the constant and growing onslaught of cyber crime, whether internally or externally driven. "If you consider how many large organisations have already assigned budget to log management, the idea of moving away from 'dumb logging' to security intelligence can be justified as a strengthening defence and not just as a compliance tick box," he comments. "DBIR should be a wake-up call to IT admins who simply ignore supposedly spurious alerts from the logging system, and instead think about better tools to bring the real threats to their attention," Poulin concludes.

About Q1 Labs
Q1 Labs is a global provider of high-value, cost-effective next-generation security intelligence products. The company's flagship product, the QRadar Security Intelligence Platform, integrates previously disparate functions -- including SIEM, risk management, log management, network behaviour analytics, and security event management -- into a total security intelligence solution, making it the most intelligent, integrated and automated security intelligence solution available. QRadar provides users with crucial visibility into what is occurring with their networks, data centers, and applications to better protect IT assets and meet regulatory requirements. Q1 Labs is headquartered in Waltham, Mass., U.S.A., and the company's global customer base includes managed service providers, healthcare providers, energy firms, retail organizations, utility companies, financial institutions, government agencies, and universities, among others. For more information, visit www.Q1Labs.com, e-mail info@Q1Labs.com, or call 781-250-5800.
