Your SIEM Blind Spot


I recently had the opportunity to contribute an article that appeared in Computerworld. My inspiration for writing the article was the ever-increasing number of data breaches occurring across some of the biggest names in their respective industries: Morgan Stanley, Sony, WellPoint, RSA… the list goes on.

While each data breach has a different twist, many of the incidents in today’s headlines involve the unauthorized use of highly privileged accounts. When this happens most organizations are powerless to identify the individuals or processes responsible. The best that can be done is to change a few passwords and wait for the cycle to repeat itself. It’s a Groundhog Day experience that’s seen in far too many enterprises.

SIEM systems, which let IT correlate data from security software and appliances across the network and which have been a game changer for IT security teams when properly leveraged, were not designed with privileged identities or accounts in mind. As a result, these systems have no way to tie events triggered through the use of privileged accounts to the individuals who may be responsible.

By itself, SIEM also has no way to distinguish between an application using a root account and an individual who uses those same credentials to access sensitive data or make undesired configuration changes. So when it comes to privileged accounts, your SIEM system can show you little to differentiate normal events from criminal activity.

Take this scenario as an example: when a hacker discovers a bug in a Web application that uses a privileged account, the root problem is not that the account has been compromised but that the application itself has been hacked. When the SIEM system can't report the difference, it can be impossible to tell a faulty application from a human being with unauthorized access.

For all the improvements we’ve seen since SIEM entered the picture, this powerful technology has one significant blind spot: though SIEM solutions can correlate a mountain of security data to create a picture of singular events, these frameworks can fail to correlate security events with the powerful, privileged users and accounts that are often responsible.

Fortunately, SIEM providers have taken notice and are starting to collaborate with privileged identity management (PIM) vendors to offer solutions that close the visibility gap. Together SIEM and PIM can show not only when and where critical events occurred, but also precisely who was responsible for any action that required the use of privileged accounts.

Combined, these technologies can protect against costly data breaches by:

1.) Ensuring that only authorized personnel can access an organization's most sensitive data, change configuration settings and run programs on the network.

2.) Generating an audit trail to correlate the actions taken by privileged users with the security events that might result.

3.) Removing anonymity to introduce accountability for all users who access the organization's most critical IT resources, revealing who had access to what systems and data, when and for what purpose.
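The audit-trail correlation described in points 2 and 3 is easy to see in a few lines of code. The following is an added example, not code from the original post or from any SIEM or PIM product: it joins SIEM events that were carried out under a privileged account against PIM checkout records (who was issued which account, on which host, for what window and stated purpose), and labels each event as attributed to a named person, unattributed (nobody held the credential at that time, which is exactly the "application or attacker using root" case the post describes), or ambiguous (two people held it at once). Both record formats, the sample data and the five-minute grace window are constructed assumptions for the example.

```python
"""Tie SIEM privileged-account events to PIM checkouts (added example)."""
import shlex
from datetime import datetime, timedelta

# Constructed PIM checkout records (key=value, one per line). Real products
# export different formats; this layout is an assumption for the example.
PIM_CHECKOUTS = """
user=jdoe account=root host=db01 start=2015-03-10T09:00:00 end=2015-03-10T10:00:00 purpose="CHG-1234 kernel patch"
user=asmith account=Administrator host=web02 start=2015-03-10T13:30:00 end=2015-03-10T14:00:00 purpose="IIS config change"
""".strip().splitlines()

# Constructed SIEM events: what the SIEM sees is the account, never the
# human behind it. The third event falls outside any checkout window.
SIEM_EVENTS = """
2015-03-10T09:15:42 db01 account=root action="sudo yum update kernel"
2015-03-10T13:45:10 web02 account=Administrator action="service restart w3svc"
2015-03-10T22:03:55 db01 account=root action="sudo cat /etc/shadow"
""".strip().splitlines()


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def parse_kv(text):
    # shlex keeps quoted values such as purpose="..." together as one token
    return dict(tok.split("=", 1) for tok in shlex.split(text))


def parse_checkout(line):
    rec = parse_kv(line)
    rec["start"], rec["end"] = parse_ts(rec["start"]), parse_ts(rec["end"])
    return rec


def parse_event(line):
    ts, host, rest = line.split(" ", 2)
    ev = parse_kv(rest)
    ev.update(ts=parse_ts(ts), host=host)
    return ev


def attribute_events(event_lines, checkout_lines, grace=timedelta(minutes=5)):
    """Return one result dict per SIEM event with an attribution status.

    An event is attributed to a user when exactly one checkout covers the
    same account on the same host at that time (plus a small grace window
    for clock skew, an assumption of this example). No covering checkout
    means the credential was used without a PIM-issued holder: the case
    the SIEM alone cannot distinguish from legitimate use.
    """
    checkouts = [parse_checkout(line) for line in checkout_lines]
    results = []
    for line in event_lines:
        ev = parse_event(line)
        holders = [
            c for c in checkouts
            if c["account"] == ev["account"] and c["host"] == ev["host"]
            and c["start"] - grace <= ev["ts"] <= c["end"] + grace
        ]
        if len(holders) == 1:
            status, user, purpose = "attributed", holders[0]["user"], holders[0]["purpose"]
        elif not holders:
            status, user, purpose = "unattributed", None, None
        else:
            status, user, purpose = "ambiguous", ",".join(h["user"] for h in holders), None
        results.append({
            "ts": ev["ts"], "host": ev["host"], "account": ev["account"],
            "action": ev["action"], "status": status, "user": user, "purpose": purpose,
        })
    return results


def unattributed_events(results):
    """The events a SIEM+PIM pairing would escalate for investigation."""
    return [r for r in results if r["status"] != "attributed"]


if __name__ == "__main__":
    for r in attribute_events(SIEM_EVENTS, PIM_CHECKOUTS):
        who = r["user"] or "NOBODY (no checkout covers this window)"
        print(f"{r['ts']} {r['host']} {r['account']}: {r['action']!r} -> {r['status']} [{who}] {r['purpose'] or ''}")
```

In a real deployment the checkout records come from the PIM system's audit log and the events from the SIEM's normalized stream; the join key is the same (account, host, time window). The unattributed and ambiguous buckets are the ones worth alerting on, since attributed events already carry a name and a stated reason.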

By leveraging SIEM and PIM together, you’ll get far greater assurance of making the right decisions that could ultimately prevent a costly and, potentially, public data breach.

Anyone using SIEM and PIM together: agree or disagree? Share your thoughts on the blog. You can also follow me on Twitter: @liebsoft.

