Simplifying audit and extracting protection value from millions of security events.

Most large organisations, especially those in finance, have made significant investments in implementing Security Information and Event Management (SIEM) systems to increase the protection of their assets from internal and external threats. These systems aggregate streams of security events from sources such as firewalls and intrusion detection systems, and try to correlate them to identify suspicious activity. The problem is much like trying to find a needle in a haystack: typically, only one event in 20 million results in a security incident worth investigating.

At Vacta, we believe that most SIEM systems are fundamentally flawed because they use the blacklisting behaviour model; in other words, you have to know in advance the behaviour of every potential malicious event and create a matching correlation rule that will be triggered by it. Unfortunately, this isn’t possible. Blacklisting is the same protection model as signature-based anti-virus systems: most AV software can filter viruses it knows about but cannot filter new viruses which don’t yet have a signature; this is often called the day-zero problem. In the same way, the day-zero problem applies to most SIEM systems: the only thing that you can be certain of is that your correlation rulebase is incomplete. That’s not good enough for today’s leading banks and financial institutions, which are under daily attack from highly knowledgeable cybercriminals who understand SIEM systems and know how to avoid triggering them. It’s even easier to avoid them if you are an internal fraudster and work in IT, perhaps as a contract database administrator: 17% of data breaches in a recent survey[1] implicated insiders.

The same survey had some damning statistics about the effectiveness of ‘internal active’[2] methods of security breach detection and the amount of forensic evidence available in logs when a breach is discovered. In only 6% of cases did an organisation’s own security controls detect the breach in the first place. Worse still, in 69% of the security breaches analysed, there was forensic evidence of the breach available in the logs but it wasn’t detected, and in 31% there was no forensic evidence available at all. That adds up to 94% of security breaches going undetected by the organisation’s own controls, a very poor return on investment in security technology.

The Vacta Intelligent SIEM System takes a fresh approach to the detection of security breaches by whitelisting events against the organisation’s security policy. In this way, all policy-compliant behaviour is recorded and available for audit reporting, and all policy exceptions are highlighted for investigation. The benefits are outstanding: audit logs are complete and available for regular reporting, and every event that breaches policy is captured for further investigation, including events for which no correlation rule was ever written.
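To make the blacklist/whitelist contrast concrete, here is a small added example (not Vacta’s code, and not describing the appliance’s actual rule format) that runs both detection models over a handful of constructed events. The blacklist fires only on actions it already knows to be bad; the policy whitelist records every permitted (source, actor, action, time window) combination as an audit entry and treats everything else as an exception, so a novel action by an insider is surfaced without anyone having anticipated it. All event values, policy entries and the `Event` type are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One security event as a SIEM might receive it (constructed schema)."""
    source: str   # emitting system, e.g. firewall, ids, database
    actor: str    # account or role that performed the action
    action: str   # normalised action name
    hour: int     # hour of day (0-23) the event occurred


# Constructed sample events; the last one is a novel insider action that
# no signature exists for (a contract DBA exporting a table late at night).
SAMPLE_EVENTS = [
    Event("firewall", "svc-web", "allow-https", 10),
    Event("ids", "unknown", "port-scan", 3),
    Event("database", "dba-contractor", "select-customer-table", 9),
    Event("database", "dba-contractor", "export-customer-table", 23),
]

# Blacklist model: a correlation rule exists only for behaviour already known to be bad.
KNOWN_BAD_ACTIONS = {"port-scan", "sql-injection-attempt"}


def blacklist_detect(events):
    """Return only events matching a known-bad signature; everything else is silently ignored."""
    return [e for e in events if e.action in KNOWN_BAD_ACTIONS]


# Whitelist model: the security policy enumerates what is allowed, and when.
# (source, actor, action) -> hours of the day during which it is permitted.
POLICY = {
    ("firewall", "svc-web", "allow-https"): range(0, 24),
    ("database", "dba-contractor", "select-customer-table"): range(8, 18),
}


def whitelist_detect(events):
    """Split events into (compliant, exceptions).

    Compliant events form the complete audit record; exceptions are anything the
    policy does not explicitly permit, whether or not a signature exists for it.
    """
    compliant, exceptions = [], []
    for e in events:
        allowed_hours = POLICY.get((e.source, e.actor, e.action))
        if allowed_hours is not None and e.hour in allowed_hours:
            compliant.append(e)
        else:
            exceptions.append(e)
    return compliant, exceptions


if __name__ == "__main__":
    print("blacklist hits:", [e.action for e in blacklist_detect(SAMPLE_EVENTS)])
    compliant, exceptions = whitelist_detect(SAMPLE_EVENTS)
    print("audit record:  ", [e.action for e in compliant])
    print("policy breaches:", [e.action for e in exceptions])
```

Run over the sample set, the blacklist reports only the port scan, while the whitelist reports both the port scan and the out-of-hours export, and at the same time yields the two compliant events as the audit trail. The cost of the whitelist model is that the policy has to be maintained: a legitimate new activity shows up as an exception until the policy is updated, which is exactly the review loop the text describes.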

The Vacta Intelligent SIEM System combines an innovative appliance with expert configuration services that integrate it with existing security operations processes in client organisations. The appliance indexes events from any source in real time and stores them in an efficient, compressed, filesystem-based datastore (not an RDBMS), with optional data signing and auditing to prove data integrity.
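The text mentions data signing as the means of proving the integrity of stored events, which matters because the survey above found that in most breaches the evidence was already in the logs. As an added illustration (not Vacta’s implementation; the record layout, key handling and function names are assumptions), the example below keeps an append-only event store in which each record carries an HMAC over its own contents and the previous record’s MAC. Modifying any stored record, or removing one from the middle of the chain, breaks verification at the first affected position.

```python
import hashlib
import hmac
import json


def _mac(key: bytes, prev_mac: str, record: dict) -> str:
    """HMAC-SHA256 over the previous MAC and a canonical JSON form of the record."""
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(store: list, key: bytes, record: dict) -> list:
    """Append one signed entry; the MAC chains to the MAC of the previous entry."""
    prev_mac = store[-1]["mac"] if store else "genesis"
    store.append({"record": record, "prev": prev_mac, "mac": _mac(key, prev_mac, record)})
    return store


def build_store(key: bytes, records: list) -> list:
    """Sign a sequence of records into a fresh store (records are copied so callers can mutate them)."""
    store = []
    for record in records:
        append_record(store, key, dict(record))
    return store


def verify_store(store: list, key: bytes):
    """Return (True, count) if the chain is intact, else (False, index of first bad entry)."""
    prev_mac = "genesis"
    for index, entry in enumerate(store):
        expected = _mac(key, prev_mac, entry["record"])
        if entry["prev"] != prev_mac or not hmac.compare_digest(entry["mac"], expected):
            return False, index
        prev_mac = entry["mac"]
    return True, len(store)


if __name__ == "__main__":
    # Constructed events and key; a real deployment would keep the key outside the datastore.
    key = b"constructed-demo-key"
    events = [
        {"id": 1, "actor": "dba-contractor", "action": "login"},
        {"id": 2, "actor": "dba-contractor", "action": "select-customer-table"},
        {"id": 3, "actor": "dba-contractor", "action": "logout"},
    ]
    store = build_store(key, events)
    print("intact:", verify_store(store, key))
    store[1]["record"]["action"] = "export-customer-table"   # simulate after-the-fact editing
    print("after tampering:", verify_store(store, key))
```

One caveat a practitioner should note: the chain alone does not detect removal of the most recent records, because nothing follows them to contradict the truncation. Anchoring the latest MAC somewhere outside the store (a periodic signed checkpoint, a write-once medium, or a separate audit system) closes that gap, and keeping the signing key away from the accounts that can write to the datastore is what makes the signature worth anything against an insider.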


[1] 2011 Verizon Data Breach Investigations Report (DBIR)
[2] Internal active discovery relates to IDS/IPS/HIPS, log monitoring and other similar technologies