LOGbinder Blog


Making SIEM better by focusing on the top 3 blind spots

Mon, 21 Sep 2015 09:25:49 GMT

To be even better, your SIEM needs more intelligence without noise. Like the universe we live in, the area that must be monitored for APTs constantly expands. It is hard to focus on the significant security events when the field of view keeps getting larger.

The key to information security is that what you focus on must be worth catching. Building the systemic, organizational discipline to focus on that narrower, relevant field is absolutely crucial to an organization’s security practice.

Focus on the Top 3 Blind Spots

A lot of the organizations we talk to are finding a way to address that challenge of making their SIEM better, not burdened. They do it by dedicating their primary effort to solving the SIEM’s top 3 blind spots:

  1. applications,
  2. the cloud, and
  3. failure to monitor all the Windows endpoints.

We believe in this so much it’s where we are putting all our money. Here’s how:

LOGbinder provides the market-leading solution for giving SIEMs visibility into what’s happening inside Exchange, SharePoint and SQL Server. Soon after the public availability of Exchange 2016, SharePoint 2016 and SQL Server 2016 (expected mid-2016), LOGbinder intends to release compatible updates to its core products. We already have these versions in development and are excited about their potential to help make your SIEM better. Our SIEM integrations help you isolate and monitor only what’s important.

Microsoft’s cloud-based products, especially Office 365 and Azure, are hugely attractive to organizations of all sizes. Their limitation has been a lack of audit capability, but that is soon to change. Microsoft expects to release (also mid-2016) a completely new and very good audit function for both Office 365 and Azure Active Directory. LOGbinder is poised to deliver a matching solution to put cloud-based application security intelligence where it belongs: your SIEM. We are investing significant resources with the plan to deliver the solution 30 days after public availability.

By the way (and this is important), it is going to require special effort on the part of all of us in the IT security business to pitch in and make cloud security audit and monitoring possible. LOGbinder will provide the audit data from cloud, as well as guidance about what to watch. But… you should talk to your SIEM product development team today to make sure they are talking to LOGbinder and working on their integration for LOGbinder’s cloud-based solutions.

The 3rd problem area for SIEM security intelligence is monitoring all Windows endpoints. If you don’t know which endpoint is installing a new program...

Your SIEM is perhaps your greatest bandwidth hog as it is, so adding all that traffic from the endpoints isn’t feasible, right? But that’s not a good enough reason; nobody wants to have to explain a data breach because of it. The real reason is probably a financial one. LOGbinder has developed a solution and is devoting significant money to bring that solution to market early in 2016. We discussed it at length at the recent HP Protect conference. We call it SuperCharger for Windows Event Collection. It is software that, with no agents and no polling, uses native Windows event functionality to deliver only the relevant security events to the SIEM from all the Windows endpoints, with no noise! It’s really cool and we’re super-excited. So are our SIEM partners who’ve taken the time to talk to us about it.

We are very excited about the opportunities now (and soon to be) available for SIEM security analysts. Putting meaningful security event logs in the SIEM where they belong is our passion.

LOGbinder is committed to making your SIEM even more powerful by feeding it more intelligence without the noise.

Note: The statements in this post about our new product delivery dates are “forward-looking”. We can’t predict the future with certainty. Our plans are presented here, and we expect to be able to make those plans a reality. But like all future plans, they are vulnerable to unanticipated events.

Meet Randy at HP Protect 2015 and learn about our new products

Mon, 24 Aug 2015 11:13:07 GMT

Most of the people who read our newsletter know the LOGbinder founder as the guy behind the Security Log Encyclopedia and the voice of the Ultimate Windows Security webinars. Meet him in person and take the opportunity to chat!

Randy Franklin Smith will again be at LOGbinder’s HP Protect booth, this year to discuss the new LOGbinder SuperCharger for Windows Event Collection and our new solutions for Microsoft’s cloud-based products. Organizations with hundreds of servers and thousands of Windows devices will be particularly interested in our SuperCharger product. And the new LOGbinder solutions will not be limited to Exchange 2016, SharePoint 2016 and SQL Server 2016. Microsoft is doing some great things to make Azure Active Directory and Office 365 more visible to security analysts, which makes for some exciting opportunities that LOGbinder will make possible for security-conscious organizations.

So we’ve got some really cool things to show and tell, and we’re using the HP Protect venue as the place to do it in person. More than an HP marketing event, these days HP Protect is one of the few events where security analysts and their teams from all over the globe come to network and learn. It’s our kind of audience. We usually get to spend time with customers and consultants who truly grok security at HP Protect conferences. This year the conference will be held September 1-4, 2015 at the Gaylord Marriott in National Harbor, MD, just across the river from Washington, DC.

We hope to meet you there! We’ll be at booth #412 in the CyberSecurity Hall. You are going to love what you see.

The State of Application Security

Mon, 24 Aug 2015 11:12:18 GMT

In a recent poll of more than a hundred security analysts and database admins, 80% said their organization put equal or greater emphasis on network and OS auditing than on database security audits. (35% said database monitoring was less important than network or OS audits.) This seems the inverse of what it should be.

It would be so awesome if organizations would simply prioritize their audits to the applications where all the sensitive information is stored.

Help us get the word out! It’s not hard to get application security intelligence to the SIEM where it belongs. The right tools make it dead simple:

  1. Choose the relevant LOGbinder application(s), install and configure in minutes, and
  2. Start watching the security events roll in to the SIEM console.

Organizations that don’t have a SIEM need to add a preliminary step and pick a SIEM that has LOGbinder integration already built in.

SQL Server auditing tutorial with Q&A

Mon, 24 Aug 2015 11:12:01 GMT

Monitoring the sensitive data inside an organization is critically important. But to do a good job of it, analysts and admins need to learn the framework of SQL auditing and get some insider tips. We sponsored a webinar this week to meet this need and received a heartening response, both in registrations and in the many good questions asked during the live event. If you missed the webinar or didn’t get the opportunity to register, you can still get the recorded version. It’s worth the hour it will take to see the demo and hear the answers to the attendees’ questions.

LOGbinder use case (Simplified edition)

Mon, 27 Jul 2015 13:51:01 GMT

If an organization has a SIEM (any SIEM) and also has Microsoft’s Exchange, SharePoint and/or SQL Server applications, LOGbinder is required. No SIEM can get the security audit logs from those applications via normal collection methods. What does this mean in real-world terms? And why does it matter? Aren’t operating system logs, packet data and network traffic sufficient?

Some applications make it dead simple to audit. They push the events in plain text directly to the Windows Event Log or a custom application log. Not so the enterprise Microsoft applications Exchange, SharePoint and SQL Server. They do a great job of generating the appropriate events, but they have a unique way of storing them, and they do not make them easy to read and understand. Each of the three applications has a different reason why this is true, and we have published extensive information about this over the years. See www.logbinder.com/resources for the highlights.

By the way, some SIEM solution providers will tell you that their SIEM collects the needed logs via a free collector, but this is not fully the case. Some organizations may be satisfied with a partial collection of the events (which may not be the security events), and they may not require that the event data be understandable or even intelligible. In our experience most organizations are unhappy with such collectors and eventually improve their security intelligence via LOGbinder.

Application security intelligence may be the only thing that truly matters

The logic is very simple. The bad guys’ ultimate goal is information. Operating system logs, net traffic—that’s just data. Therefore:

  1. What causes real harm and embarrassment is when information – that can only be stored inside applications – is breached.

  2. The only way to know what’s happening inside the application is for the application to tell you.

    1. Only Exchange can tell you that John is reading the CEO’s mailbox. Or that a privileged user changed permissions on the CEO’s mailbox.

    2. Only SharePoint can tell you that Bob is downloading a significant percentage of documents in a sensitive library.

    3. Only SQL Server can tell you that Alice changed permissions on the confidential data table(s).

    4. Only the application can tell you that an external APT is performing mass downloads of content data.

So that’s all the use-cases distilled into a very clear and simple concept. Application security intelligence belongs in the SIEM. And at this point, the only way to get it from Exchange, SharePoint and SQL Server is with LOGbinder software.
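To make the SQL Server case above concrete, here is an added example (not LOGbinder’s code or the product’s own configuration) of a native SQL Server Audit that records exactly the kind of event the post describes: a permission change on a confidential table, plus every read or modification of that table. The database name SalesDB, the table dbo.Confidential and the audit file path are assumptions; the audit and specification names are likewise made up for the example.

```sql
-- Added example, not part of the original post. Assumed names: SalesDB,
-- dbo.Confidential, D:\SQLAudit\ (the SQL Server service account must be
-- able to write there).
USE master;
GO
-- A server audit defines where the audit records go (file, Application log,
-- or Security log). A file target lets a collector read the records later.
CREATE SERVER AUDIT Audit_Confidential_Table
    TO FILE (FILEPATH = 'D:\SQLAudit\')
    WITH (ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT Audit_Confidential_Table WITH (STATE = ON);
GO

USE SalesDB;
GO
-- A database audit specification picks which actions in this database
-- are recorded by the server audit above.
CREATE DATABASE AUDIT SPECIFICATION Audit_Confidential_Perms
    FOR SERVER AUDIT Audit_Confidential_Table
    -- Every GRANT, DENY or REVOKE on a schema object in this database
    -- (this is the "Alice changed permissions on the table" event).
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),
    -- Every read or change of the confidential table, by any principal.
    ADD (SELECT, UPDATE, DELETE ON OBJECT::dbo.Confidential BY public)
    WITH (STATE = ON);
GO

-- Pull the permission-change records back out, for example to check
-- what a collector should be forwarding to the SIEM.
SELECT event_time,
       server_principal_name,   -- who made the change
       action_id,               -- G = GRANT, D = DENY, R = REVOKE
       object_name,             -- the table whose permissions changed
       statement,               -- the exact GRANT/DENY/REVOKE statement
       succeeded
FROM sys.fn_get_audit_file('D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id IN ('G', 'D', 'R')
ORDER BY event_time DESC;
```

Neither an operating system log nor a packet capture carries the principal, the object and the statement together the way these audit records do, which is the point the post makes: the application has to be the one producing the record. Getting those records out of the audit file and into the SIEM in a readable form is the collection step the post is about.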

Browse our solutions pages (click the Solutions tab up top) or drop us a line to get information specific to your use case. We would love to hear from you!

