SenSage Blogs
Security Intelligence: essential decision support for security, risk management and compliance operations

Verizon Report: More Inconvenient Truth for Ineffective Log Management Victims

Posted: August 30, 2010 at 11:33 am | by Joe Gottlieb

New data suggests that most of the industry’s data breaches could have been prevented by effective log data management, reporting and response. Consider the following from Verizon Business’ latest Data Breach Investigations Report, published just a few weeks ago:

  • 86 percent of the victims had evidence of the breach in their log files, but most of them did not detect the breaches for months.
  • 61 percent of the breaches were discovered not by the victim company, but by a third party outside the company.
  • 96 percent of the breaches were avoidable through simple or intermediate controls.

This surprising data all points to one fundamental truth: Despite huge investments in security tools and expertise, many major businesses still don’t know when they have been breached. They are left trying to explain themselves when a breach that has been in place for months - or even years - is revealed to their top management by a third party.

Why don’t companies recognize breaches when they happen, especially when those compromises are readily evident in their log files? Why can’t enterprises find the time to scan those logs for anomalies? Most importantly, what can companies do to reduce the length of time between the initiation of an attack and its detection and remediation?

I see two fundamental reasons why most companies don’t have good answers to these questions. Both come up time and again from customers who come to SenSage having had problems with their old log management solutions. First, their log management solution can’t scale to meet their continuous event loading, storage and management requirements. There has been massive growth in the volumes of event data being generated in recent years - especially application-related events - so performance and scalability are becoming pressing challenges. And second, their log management solution does not support the sophisticated data analysis necessary to isolate the events that matter from the events that don’t. This is especially the case with stealthy “low and slow” attacks where you may need to analyze patterns from months’ or years’ worth of data. Traditional log management systems with indexed searches of archives were never architected to deal with this.

If this all sounds painfully familiar, you should evaluate our unified SIEM and log management solution, purpose-built atop a clustered, columnar database. It scales from terabytes to petabytes while minimizing storage costs via patented compression algorithms and supports sophisticated query analysis through our console or your choice of business intelligence tools utilizing the industry’s only ODBC/JDBC interface to security event data.



SenSage once again a Leader in Gartner SIEM MQ

Posted: May 20, 2010 at 7:08 am | by Joe Gottlieb

For the second year in a row, SenSage has been recognized by Gartner as a Leader in the 2010 Magic Quadrant for Security Information and Event Management (SIEM). Fewer vendors made the Leaders quadrant this year, and SenSage was one of only three vendors rated as “Excellent” in Product Viability.

When measured against the top 12 vendors (20 vendors were considered overall) in specific capabilities, SenSage ranked #1 in Compliance Reporting, #2 in User Monitoring and Application Monitoring, and #3 in Log Management. Gartner’s recognition of SenSage as a Leader is strong validation that our Security Intelligence approach is resonating with customers as they refine and improve their security, risk management and compliance operations.



SenSage survey finds industry weaknesses

Posted: May 4, 2010 at 10:33 pm | by Joe Gottlieb

At the recent RSA Conference we asked those visiting our booth to complete a survey focused on security management. Specifically, we wanted respondents to comment on the state of their organizations’ log management, compliance reporting, real-time monitoring, forensic investigation and incident response processes. We asked how many products they have deployed, how well they coordinate, measure and improve these processes, and how stakeholders perceive the effectiveness of these processes.

We collected 360 surveys and the results are eye-opening. For example, fifty-eight percent report that their security management processes have no coordination or only reactive triage across teams. Sixty-nine percent state that they do not consistently measure these processes for results. How can you be effective at something you neither coordinate nor measure? Indeed, 61 percent estimate that stakeholders consider the processes “ineffective” or “somewhat effective.”

These are just a few of the data points from the survey. To learn more about the results and how SenSage Security Intelligence solutions help organizations consolidate and simplify their SIEM and log management processes and infrastructure, register for our upcoming webinar at http://www.sensage.com/rsa2010/.



Leveraging Security Intelligence to fight e-Crime

Posted: April 7, 2010 at 8:29 am | by Joe Gottlieb

Last month’s e-Crime Congress 2010 event in London (http://www.e-crimecongress.org/ecrime2010/) demonstrated the closing but as yet still open gap between the enterprises that suffer cyber-crime and the law enforcement agencies attempting to help them. The event was well attended by end users, security vendors and law enforcement agencies from numerous countries, and all attendees seemed to be taking the topic at hand quite seriously. However, I did not see much evidence of end users increasing their likelihood of engaging law enforcement in the event of a breach, for fear of increasing the likelihood that the breach might become public knowledge and taint their brand. There are indeed challenges in applying business confidentiality practices to all participants in a cyber-crime investigation.

In my plenary presentation, I described the need for enterprise security practitioners to develop, maintain and utilize Security Intelligence to combat sophisticated cyber-crime threats targeting their organizations. I also suggested that the future of cyber-crime fighting will probably involve the timely and confidential transfer of Security Intelligence from the victim to law enforcement. Just as “CONFIDENTIAL” documents often remind us when to keep our lips sealed in inter-enterprise business engagements, perhaps confidential security intelligence transfers can catalyze the confidential operational practices needed to earn the trust of end users?



Maturing Security Intelligence Processes

Posted: March 1, 2010 at 11:48 pm | by Joe Gottlieb

In his most recent blog (http://www.sensage.com/blog/category/jim-pflaging-ceo-blog/), Jim Pflaging introduced a very exciting concept – Security Intelligence – and talked about how our most advanced customers are leading the charge in this improved approach to security and compliance management. I think it’s really important to emphasize the process aspect of this pursuit. We get pumped up about the technology because of all it can do, but organizations need to evolve their processes to get the most out of this technology. Even if they don’t consolidate the different groups involved with security (i.e., corporate security, security operations, IT operations, forensic investigation, audit/compliance and risk management), they can improve their coordination across these groups to reduce duplicated effort, human error and incident response times. The SenSage Professional Services team has been helping our customers tackle this sort of process improvement for over five years now and has codified its findings in the Security Intelligence Capability Maturity Model. The model provides a practical methodology to prioritize, plan and measure results in security and compliance improvement efforts, and will be a regular topic in our future blogs. We will be demonstrating the model and our Security Intelligence solutions in our booth #845 at RSA this week. If you’re at the show, stop by to learn more and share your perspective!


