The Top Ten Criteria for a Security Information and Event Management (SIEM) Tool

The Top Five Security Information Management Considerations

1. Ensure your log management layer is scalable. The log management layer is responsible for collecting the large volume of audit logs generated across your environment; it should not filter what it collects. A key requirement for a Security Information Management (SIM) tool is to retain all audit log data so that a forensic investigation can be undertaken if required. This layer therefore needs to scale, both in ingestion rate and in retained volume, to ensure complete log collection.

2. Comprehensive Reporting. The log management layer should be able to report on activity recorded in the collected accounting and audit logs. This should include running reports across up to 90 days of data. When you are collecting 10-20 million logs a day, a 90-day report may need to search close to 2 billion entries to retrieve the requested data. It is also likely that you will run several such reports a day, so query performance over the full retention window matters as much as ingestion rate.

3. Log Collection. It is important that you can collect logs from across the enterprise. The SIM layer should be a true forensic store of accounting and audit logs that allows a complete investigation, should the need arise. This means you want logs from firewalls, operating systems, applications, VPNs, wireless access points and so on, and you need to confirm that each of these sources can actually be collected. Plain-text logs stored in flat files are widely supported, as are Windows Event Logs. Event logs stored in databases are not as easily collected, so if you have any custom-built or in-house applications, check that their logs can be collected, as these are often written to some type of database rather than to a file.

4. Chain of Custody. Ensure that you can validate that the logs have not been changed or modified since they were collected from the source device. This should include collecting the logs in (near) real time from the original device, so there is as little opportunity as possible for them to be altered before collection, and recording an integrity check (for example a cryptographic hash or keyed tag) at the point of collection. This allows for a forensically assured investigation, if required.
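As an added illustration (not code from the original page or from any SIEM product), the following Python sketch shows one way a collector can give itself a tamper-evidence check at the point of collection: each stored record carries an HMAC over the record, its sequence number and the previous record's tag, so that editing, deleting or reordering any record invalidates every tag after it. The sample records, the collector key and the entry field names are all constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed sample records as a collector might receive them (not real data).
SAMPLE_RECORDS = [
    "2023-03-01T10:00:01Z fw01 DROP src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2023-03-01T10:00:02Z host01 sshd[4242]: Failed password for admin from 203.0.113.7 port 51000 ssh2",
    "2023-03-01T10:00:03Z host01 sshd[4243]: Accepted publickey for alice from 10.0.0.9 port 52000 ssh2",
]

# Assumed collector-side secret. It must live on the collector (or an HSM),
# never on the log source, so a compromised source cannot forge tags later.
COLLECTOR_KEY = b"example-collector-key-do-not-use"
GENESIS = "0" * 64  # "previous tag" for the very first entry


def _tag(key: bytes, seq: int, prev: str, raw: str) -> str:
    """HMAC-SHA256 over sequence number, previous tag and the raw record."""
    msg = f"{seq}|{prev}|{raw}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal_records(records: List[str], key: bytes) -> List[Dict]:
    """Wrap each raw record in an entry whose tag covers the record, its
    sequence number and the previous entry's tag. Changing, dropping or
    reordering any record therefore invalidates every tag after it."""
    chain, prev = [], GENESIS
    for seq, raw in enumerate(records):
        tag = _tag(key, seq, prev, raw)
        chain.append({"seq": seq, "prev": prev, "raw": raw, "tag": tag})
        prev = tag
    return chain


def verify_chain(chain: List[Dict], key: bytes) -> Optional[int]:
    """Return None if every entry verifies, otherwise the index of the first
    entry that fails (the point from which the store can no longer be trusted)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return i
        expected = _tag(key, entry["seq"], entry["prev"], entry["raw"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev = entry["tag"]
    return None


if __name__ == "__main__":
    chain = seal_records(SAMPLE_RECORDS, COLLECTOR_KEY)
    print("intact:", verify_chain(chain, COLLECTOR_KEY))          # None
    chain[1]["raw"] = chain[1]["raw"].replace("Failed", "Accepted")
    print("first bad entry:", verify_chain(chain, COLLECTOR_KEY))  # 1
```

Note what this does and does not protect: it makes any change to the store after collection detectable, and because the key is held by the collector, a source that is later compromised cannot rewrite its own history in the store. It does nothing for a log that was altered on the source before it was forwarded, which is why the near-real-time forwarding the item above calls for matters.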

5. Trend Dashboards. It is important to be able to see the trend in the volume of logs being collected. When collecting millions of logs a day, dashboarding all of that data is pointless, as it becomes a sea of information. However, the size of the haystacks can tell you whether there are problems: a sudden spike in failed logins, for example, tells you that something abnormal is happening in the environment, just as a sudden drop in volume from one source can mean that source has stopped logging or the collector has lost it.

The Top Five Security Event Management Considerations

1. Correlation. The main purpose of a Security Event Management (SEM) tool is to filter the noise out of the forensic data and raise an alert on any suspect behaviour. It is critical, therefore, that your SEM can reduce the bulk of the collected data to useful information via correlation rules that combine multiple events.

It is almost useless to alert on every failed login within your environment, as in large enterprises there are hundreds or thousands of these per day. However, 100 failed logins within a five-minute span, from an external IP address, against an administrative account should be alerted on and investigated. Your correlation engine should support easy creation of such multi-event rules: a count threshold, a time window, and conditions on the normalised fields (account, source address), rather than a match on a single raw string.

2. Dashboards. Once you have generated a correlated alert, you want to place it on a dashboard for easy consumption. While it is not feasible to dashboard the forensic data that the SIM has collected, because of the sheer volume, it is recommended to dashboard the SEM alerts, as they are far fewer in number. As a rule of thumb you should be alerting on less than 1% of 1% (0.01%) of the collected logs, which equates to a maximum of 200 alerts from 2 million collected audit logs. With a really strong correlation engine you would expect to tune this down over time to perhaps 2 alerts a day instead of 200. You only want to be alerted on true security or operational risks to your enterprise, not every time someone fat-fingers their password.

3. Reporting. While reporting capability is critical for SIM, it is also important for SEM. The reports are not as difficult to produce: you are not reporting against billions of logs but, more likely, against tens of thousands of alerts. Management will, however, want to see that critical alerts have been responded to and resolved, so the reports need to draw on alert status as well as alert volume.

4. Log Normalisation. To create detailed alerts you will need to "understand" the raw logs: for example, you need to know which part of the log string is the group name if you want to alert when a user is added to an administrator group. Most vendors provide normalisation rules for standard off-the-shelf applications, but you should be able to normalise your organisation's custom log formats yourself, without having to engage the vendor's professional services consultants, who are likely to be expensive.
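The multi-event correlation rule from the Correlation item and the normalisation requirement above can be exercised together. The Python below is an added example, not the original page's code or any vendor's: it normalises two constructed raw formats (OpenSSH-style auth lines and a hypothetical in-house "useradm" audit line) onto a small common schema, then runs two rules over the stream: the 100-failures-in-five-minutes-against-an-admin-account-from-an-external-address rule, and an alert on any addition to an administrative group. The account names, group names, internal address ranges, schema field names and log lines are all assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# ---- Normalisation: one regex per raw format, all mapped onto the same fields.
SSH_FAILED = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port \d+")
SSH_ACCEPTED = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for "
    r"(?P<user>\S+) from (?P<src_ip>\S+) port \d+")
# Hypothetical in-house application audit format (assumed for the example).
GROUP_ADD = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) useradm: added user=(?P<user>\S+) "
    r"to group=(?P<group>\S+) by=(?P<actor>\S+)")
FORMATS = (("auth_failure", SSH_FAILED), ("auth_success", SSH_ACCEPTED),
           ("group_add", GROUP_ADD))
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def normalise(line: str) -> Optional[Dict]:
    """Map a raw line onto the common schema, or None if no format matches
    (the line still lands in the forensic store; it just cannot be correlated)."""
    for event, pattern in FORMATS:
        m = pattern.match(line)
        if m:
            fields = m.groupdict()
            fields["event"] = event
            fields["ts"] = datetime.strptime(fields["ts"], TS_FMT)
            return fields
    return None


# ---- Correlation: rule parameters are assumptions for the example.
ADMIN_ACCOUNTS = {"admin", "root"}
ADMIN_GROUPS = {"sudo", "wheel"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
FAIL_THRESHOLD = 100
WINDOW = timedelta(minutes=5)


def is_external(ip: str) -> bool:
    """External means outside the organisation's own ranges (RFC 1918 here)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(lines: Iterable[str]) -> List[Dict]:
    """Run both rules over a time-ordered stream and return the alerts raised."""
    alerts: List[Dict] = []
    recent = defaultdict(deque)  # (user, src_ip) -> failure timestamps inside WINDOW
    fired = set()                # one alert per (user, src_ip), not one per extra failure
    for line in lines:
        ev = normalise(line)
        if ev is None:
            continue
        if (ev["event"] == "auth_failure" and ev["user"] in ADMIN_ACCOUNTS
                and is_external(ev["src_ip"])):
            key = (ev["user"], ev["src_ip"])
            window = recent[key]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > WINDOW:  # slide the window forward
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and key not in fired:
                fired.add(key)
                alerts.append({"rule": "admin_bruteforce_external", "user": ev["user"],
                               "src_ip": ev["src_ip"], "count": len(window), "ts": ev["ts"]})
        elif ev["event"] == "group_add" and ev["group"] in ADMIN_GROUPS:
            alerts.append({"rule": "admin_group_change", "user": ev["user"],
                           "group": ev["group"], "actor": ev["actor"], "ts": ev["ts"]})
    return alerts


def build_sample_logs() -> List[str]:
    """Constructed log stream (not real data): 100 admin failures from one external
    address in under four minutes, plus background noise that must not alert."""
    base = datetime(2023, 3, 1, 10, 0, 0)
    events = []
    for i in range(100):
        events.append((base + timedelta(seconds=2 * i), "host01",
                       "sshd[4242]: Failed password for admin from 203.0.113.7 port 51000 ssh2"))
    for i in range(6):  # admin failures from an internal address: no alert
        events.append((base + timedelta(seconds=30 * i + 1), "host01",
                       "sshd[4243]: Failed password for admin from 10.0.0.9 port 52000 ssh2"))
    for i in range(6):  # non-admin failures from outside: no alert
        events.append((base + timedelta(seconds=30 * i + 3), "host02",
                       "sshd[4244]: Failed password for invalid user alice from 203.0.113.9 port 53000 ssh2"))
    events.append((base + timedelta(minutes=3), "host02",
                   "sshd[4245]: Accepted publickey for bob from 10.0.0.12 port 54000 ssh2"))
    events.append((base + timedelta(minutes=7), "host02",
                   "useradm: added user=bob to group=sudo by=alice"))
    events.sort(key=lambda e: e[0])
    return [f"{ts.strftime(TS_FMT)} {host} {msg}" for ts, host, msg in events]


if __name__ == "__main__":
    for alert in correlate(build_sample_logs()):
        print(alert)
```

Running it over the constructed stream of 114 lines yields exactly two alerts, the brute-force attempt (count 100) and the group change, while the 12 internal or non-admin failures never surface. The point of keeping the rule on normalised fields is that adding a third log format (say, a VPN concentrator's failed-auth line) only needs another regex in FORMATS; the rule itself does not change.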

5. Alert Management. As well as creating complex alerts based on correlation rules, it should be possible to track the status of generated alerts. Has the alert been resolved? What steps were taken after it was raised? A built-in ticketing system, or tight integration with an existing ticketing system, is a critical feature of a Security Event Management tool.

What You Need to Know About RAID Systems and Data Recovery

RAID is the term used for systems that combine multiple hard disk drives into what the host computer sees as a single storage volume. RAID was introduced when large-capacity drives were particularly expensive: a controller presented an array of several cheaper, smaller drives as one large volume. This gave rise to the acronym RAID, standing for Redundant Array of Inexpensive Disks.

As well as boosting overall capacity, it introduced the possibility of redundancy, where 'mirroring' (keeping a full copy on a second drive) or 'parity' (storing check data computed from the other drives) means that if an individual drive fails, this does not necessarily lead to a permanent loss of data. It also allowed the speed at which data could be written to and read from the array to be increased by 'striping' data across more than one drive simultaneously.

The vastly reduced cost per GB of today's high-capacity drives means that RAID is now less about the cost of overall capacity and more about increasing performance, maintaining availability and protecting data through redundancy. This has led to RAID now being read as a Redundant Array of Independent Disks.

A multiplicity of RAID types has emerged, indicated by numbers, e.g. RAID 0 or RAID 5. Each type has differing attributes aimed at increasing performance or data protection (or, more commonly now, a combination of the two), and each is a compromise between those advantages and the resulting complexity and additional hardware cost. Each type also has a range of independently configurable parameters (stripe size, disk order, parity placement), so the overall range of possible configurations can be bewildering.

RAID system failures can stem from a range of causes. Failure of an individual drive is normally within the scope of the system to handle, but multiple drive failures, or failure of the controller, can lead to a system 'crash'. Even the loss of a single drive, if not responded to correctly by experienced personnel (for example by reinitialising the array rather than replacing the failed member), can lead to a 'catastrophic' failure of the entire system. Note too that redundancy only protects against drive failure: an accidental deletion or a malicious overwrite is written to every member just as faithfully as legitimate data, so RAID is no substitute for backups. Despite the concept having great strategic benefits for storage performance and data protection, these are only achieved where the system is understood, implemented and managed correctly.

Where a RAID system has failed for whatever reason, our recovery procedure follows an established process:

o On-Site or Remote Consultation and Technical Support – The first step is to gather information about the system and its configuration, the nature and cause of the failure, and the steps necessary to limit further data loss and initiate the recovery process. Prompt and effective support at this stage can make the recovery easier and quicker and may even be sufficient to reinstate the system without further intervention.

o In-Lab Diagnosis – The components of the system are diagnosed for individual failure, and the data may be imaged onto a recovery server for analysis so that the original source is protected. The next key stage is to ascertain the original configuration: RAID type, disk order, any hot-spare disks, stripe size, parity type and rotation. Correct identification of these parameters is vital to recovering the data, since the same member disks read back with the wrong order or rotation yield garbage, and may require the use of current tools and algorithms.

o RAID Reconstruction and Commission – With the parameters established, the array can be rebuilt in its original configuration and tested to confirm the integrity of the resulting data.

o Data Retrieval and Repair – The data can now be recovered and checked with the client to confirm that a full recovery has been achieved. Arrangements are then made with the client to return the data in their preferred manner, either by recreating the original RAID system or in any other form that suits their requirements.

o On-Site Data and System Restoration – To complete the RAID recovery service, the system can be reinstalled on-site by our technicians. As well as testing the system to confirm full restoration, clients can be advised on the correct management processes and procedures to prevent further data loss.
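For readers unfamiliar with the parity mechanism the diagnosis stage has to reverse-engineer, here is an added Python model of a RAID 5 layout (not the page's own code or any recovery vendor's tool). It stripes data across n disks with rotating parity, rebuilds one lost disk by XOR of the survivors, refuses to rebuild two, and shows that reading the array back with the wrong parity rotation or disk order yields garbage even though no disk is damaged, which is why correctly identifying those parameters is vital. The tiny chunk size and the 'left'/'right' rotation names are assumptions for the model; the scheme they describe (parity rotating, data chunks restarting at the first non-parity disk each stripe) is what Linux md calls left-asymmetric and right-asymmetric.

```python
from typing import List, Optional

STRIPE_SIZE = 8  # bytes per chunk in this model; real arrays use tens of KiB to MiB


def parity_disk(stripe: int, n_disks: int, rotation: str) -> int:
    """Index of the disk holding parity for a given stripe number.
    'left': parity starts on the last disk and moves one disk left per stripe;
    'right': parity starts on disk 0 and moves right. Data chunks fill the
    remaining disks in order."""
    if rotation == "left":
        return (n_disks - 1) - (stripe % n_disks)
    if rotation == "right":
        return stripe % n_disks
    raise ValueError(f"unknown rotation {rotation!r}")


def xor_chunks(chunks: List[bytes]) -> bytes:
    """Byte-wise XOR of equal-length byte strings: the RAID 5 parity function."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def raid5_write(data: bytes, n_disks: int, stripe_size: int = STRIPE_SIZE,
                rotation: str = "left") -> List[bytearray]:
    """Lay data out on an n-disk RAID 5 set, zero-padding the final stripe."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = stripe_size * (n_disks - 1)
    data = data + b"\x00" * ((-len(data)) % per_stripe)
    disks = [bytearray() for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        payload = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [payload[i * stripe_size:(i + 1) * stripe_size]
                  for i in range(n_disks - 1)]
        p = parity_disk(s, n_disks, rotation)
        data_iter = iter(chunks)
        for d in range(n_disks):
            disks[d] += xor_chunks(chunks) if d == p else next(data_iter)
    return disks


def raid5_read(disks: List[Optional[bytearray]], stripe_size: int = STRIPE_SIZE,
               rotation: str = "left") -> bytes:
    """Reassemble the logical volume. Needs every member present and the same
    stripe size, disk order and rotation that were used to write it."""
    if any(d is None for d in disks):
        raise ValueError("array is degraded; rebuild the missing member first")
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0]) // stripe_size):
        p = parity_disk(s, n, rotation)
        for d in range(n):
            if d != p:
                out += disks[d][s * stripe_size:(s + 1) * stripe_size]
    return bytes(out)


def raid5_rebuild(disks: List[Optional[bytearray]]) -> List[bytearray]:
    """Reconstruct a single missing member (None) as the XOR of the survivors.
    Because parity is the XOR of the data chunks, any one chunk in a stripe
    equals the XOR of the others, byte for byte, so the rebuild needs no
    knowledge of stripe size or rotation. Reading the data back does."""
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) > 1:
        raise RuntimeError(f"{len(missing)} members lost; RAID 5 survives only one")
    rebuilt = [bytearray(d) for d in disks if d is not None]
    if missing:
        rebuilt.insert(missing[0], bytearray(xor_chunks([bytes(d) for d in rebuilt])))
    return rebuilt


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog" * 3  # constructed payload
    disks = raid5_write(sample, 4)
    degraded = disks[:2] + [None] + disks[3:]
    print("rebuilt ok:", raid5_rebuild(degraded) == disks)
    print("wrong rotation:", raid5_read(disks, rotation="right")[:24])
    print("wrong order   :", raid5_read([disks[1], disks[0]] + disks[2:])[:24])
```

The last two lines of output are the practical lesson of the diagnosis stage: every member is intact, yet with the wrong rotation or disk order the "recovered" volume begins with the wrong chunks, and a filesystem built on it would appear corrupt.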

Cloud-Based Systems and Workforce Management Software: The Benefits

It is not surprising that markets are embracing cloud computing more readily today than a decade ago in order to boost business performance and the bottom line. One widely quoted survey figure is that 90% of new enterprises favor cloud-based systems, including built-in workforce management software, when setting up their ventures. Such a system offers a smoother transition and better scalability for mobile workforce scheduling operations.

It is also noted that a majority of cloud users report substantial savings, with 62% reinvesting those savings into the business.

Benefits for Start-Ups

The benefits that cloud computing brings are as relevant to start-ups as to medium and large businesses. Cloud-based systems allow entrepreneurs to invest less capital in on-site technology resources and solutions.

Start-ups are able to adopt new technology elements such as mobile devices and workforce scheduling software progressively. With the continued annual growth of cloud computing, the industry is expected to benefit all businesses through a widening range of advanced features for mobile workforce scheduling.

Cloud-based systems are well suited to handling mobile workforce schedules and can improve effectiveness even for small and medium businesses. A small company that runs a mobile workforce can therefore be equipped with the right scheduling software and marketing strategies to increase efficiency without needing specialist skills or resources in-house.

Cloud computing has proven itself for small businesses in terms of increased efficiency and better time management of mobile workforces and resources. Cloud services suit many types of small business across a wide array of industries, from construction to education.

Future Predictions

As the technology progresses, a wider range of applications is expected to emerge from cloud computing that will support the mobile workforce in more ways than one. Various technology commentators predict that more hybrid clouds will emerge and that the field of Amazon's competitors will consolidate.

Hybrid cloud management is expected to be key to mobile workforce scheduling, with rapid growth in cloud brokerage and integration hubs. Data will become more prominent, with more advanced software incorporating features such as software-defined networking.

There will be more options for hybrid cloud security as IaaS-based services grow. This might also lead to more frequent outages unless better tooling emerges to manage the added complexity.

A definite shift is under way from the technology arena to the business sector, with cloud-based decisions being made to enhance B2C services. Mobile workforce scheduling can therefore gain efficiency from advanced management features and avoid falling service standards.

Explaining Some Things To Look For In An Integrated Security System And PSIM

We are fortunate that modern technology has produced many beneficial products and solutions. One of these is the integrated security system.

Security professionals suggest that you need to recognize how integrated security systems operate and how crucial they are for modern corporations. It is no secret that criminal activity, essentially theft, is commonplace. This has led individuals and businesses alike to become cautious about security. In an effort to blunt criminals, the security industry is constantly faced with the problem of how best to safeguard the law-abiding population.

Today security has been heightened further as proprietors, supervisors and executives are aware of the hazards they face each day and are deploying these systems to strengthen their armory. This concern is why many office blocks, for example, use the services of a specialist security organization that can give them peace of mind.

Many business owners do not immediately favor integrated security systems and PSIM. However, once they can see the full picture of what the undertaking involves, they may well change their view quickly. Quite possibly one reason integrated security systems are not more widespread is that they have a steep learning curve.

One key advantage of an integrated security system, however, is that it safeguards your company's data and information together with your physical premises. As you might imagine, this complete security management is no straightforward task, and the seriousness of the undertaking is enough to put many people off investing. That is why it is important to keep an open mind rather than dismiss the approach without learning about it.

Incorporating security systems and PSIM into a corporation is not a stroll in the park. Once again, do not let the complicated setup deter you: once your integrated security system is up and running, you will wonder how you managed without one.

A vital consideration when going through the installation of an integrated security system is that you will need to keep in continuous contact with your dealer. Put another way, the equipment should come from a single manufacturer so that the components are supported as one system. That dependency cuts both ways: if the dealer ceases trading or stops providing the service, it can spell chaos for a business. This is why it is worth selecting the people who will put this sort of protection in place with real care.