
Simple Cross-Device Correlation is No Longer Enough

In today’s demanding security environment, companies are challenged more than ever to identify serious threats before they lead to a data breach. Using a SIEM tool to correlate security events is a good start, but an effective defense requires both advanced cross-device correlation and alert prioritization. We wanted to provide you with some examples of how we at Proficio address this requirement for our customers.

Suspicious activity cannot always be identified by looking at a single set of logs, and rarely by monitoring perimeter devices alone. That is why correlation across multiple devices and log formats is critical. In addition to correlating events, the Proficio ProSOC SIEM assigns a priority to each correlated alert. When several incidents are unfolding at once, an analyst needs to respond to the most critical one first, and prioritization lets us do so quickly and efficiently.

For example, consider an attack on a semiconductor manufacturer. If an insider is simultaneously attacking both a print server in the marketing department and a CAD server holding confidential schematics of a new chip design, the threat to the CAD server should be given the higher urgency. Our correlation rules make this determination from the asset’s classification (what data it holds and how critical it is to the business), not from the technical attack alone, so the CAD server is escalated first even though both servers run the same operating system and patch level and are vulnerable to the same attacks.

Another example is an attack that produces the following security events from four different sources:

  • The firewall logs an accept (not a block) for the packet, so the traffic reached the target
  • The network IDS alerts that the packet matches an attack signature
  • The target system’s application logs produce anomalous output
  • Asset and vulnerability data show that the target is a mission-critical server and that it is in fact vulnerable to the attack identified by the IDS alert

Feeding vulnerability and asset information, together with the cross-correlated events from all of these sources, into our threat prioritization algorithm lets Proficio ProSOC set priorities effectively. An IDS alert against a patched, low-value host is scored down, while the same alert against a vulnerable, mission-critical host is scored up; this minimizes false positives and ensures that the most critical events are quickly brought to the customer’s attention through our pre-determined alerting, escalation, case management and response procedures.
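To make the two scenarios above concrete (same attack against a CAD server and a print server; firewall accept + IDS alert + application anomaly + asset/vulnerability data), here is a toy correlation and prioritization engine. This is an added example written for this page, not Proficio code and not a description of ProSOC’s actual scoring algorithm. The host names, IP addresses, log lines, the vulnerability identifier VULN-EXAMPLE-1, the per-source weights and the five-minute window are all constructed for illustration. It also goes slightly beyond the text by showing how the same IDS signature against a host that is not vulnerable, and a lone firewall accept, fall to the bottom of the queue.

```python
"""
Toy multi-source correlation and prioritization engine.
Added example, not Proficio code: hosts, log lines, weights and the
vulnerability identifier are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

WINDOW = timedelta(minutes=5)                  # events on one host this close together form one incident
WEIGHTS = {"firewall": 1, "ids": 3, "app": 2}  # evidence weight per log source (assumed values)
VULN_BONUS = 4            # IDS signature matches a vulnerability the asset actually has
UNCONFIRMED_PENALTY = 2   # IDS signature fired, but the asset is not exposed to it
UNKNOWN_ASSET = {"name": "unknown", "criticality": 2, "vulns": set()}

# Constructed asset/vulnerability inventory. criticality: 1 (low) .. 5 (mission-critical).
ASSETS: Dict[str, dict] = {
    "10.0.1.10": {"name": "cad-srv-01",   "criticality": 5, "vulns": {"VULN-EXAMPLE-1"}},
    "10.0.2.20": {"name": "print-srv-01", "criticality": 1, "vulns": {"VULN-EXAMPLE-1"}},
    "10.0.3.30": {"name": "patched-01",   "criticality": 4, "vulns": set()},
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str                     # "firewall" | "ids" | "app"
    dst: str                        # target host IP; the cross-device correlation key
    detail: str
    exploits: Optional[str] = None  # IDS only: vulnerability the signature targets


T0 = datetime(2024, 1, 15, 9, 0, 0)  # constructed timestamp base
SAMPLE_EVENTS: List[Event] = [
    # Same attack, same time, against the CAD server and the print server.
    Event(T0,                         "firewall", "10.0.1.10", "ACCEPT tcp 203.0.113.5 -> 10.0.1.10:445"),
    Event(T0 + timedelta(seconds=2),  "ids",      "10.0.1.10", "EXPLOIT sig-example-1", "VULN-EXAMPLE-1"),
    Event(T0 + timedelta(seconds=40), "app",      "10.0.1.10", "cad-service: unexpected child process"),
    Event(T0,                         "firewall", "10.0.2.20", "ACCEPT tcp 203.0.113.5 -> 10.0.2.20:445"),
    Event(T0 + timedelta(seconds=2),  "ids",      "10.0.2.20", "EXPLOIT sig-example-1", "VULN-EXAMPLE-1"),
    Event(T0 + timedelta(seconds=45), "app",      "10.0.2.20", "spooler: unexpected child process"),
    # Same signature against a host that is not vulnerable; its app event is outside the window.
    Event(T0,                         "firewall", "10.0.3.30", "ACCEPT tcp 203.0.113.5 -> 10.0.3.30:445"),
    Event(T0 + timedelta(seconds=3),  "ids",      "10.0.3.30", "EXPLOIT sig-example-1", "VULN-EXAMPLE-1"),
    Event(T0 + timedelta(minutes=30), "app",      "10.0.3.30", "backup job finished late"),
    # A lone firewall accept to a host the inventory does not know.
    Event(T0,                         "firewall", "10.0.9.99", "ACCEPT tcp 198.51.100.7 -> 10.0.9.99:22"),
]


def correlate(events: List[Event], assets: Dict[str, dict], window: timedelta = WINDOW) -> List[dict]:
    """Group events by target host within `window` of the first one, enrich with
    asset/vulnerability data and return incidents ordered by priority (highest first)."""
    by_dst: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_dst.setdefault(ev.dst, []).append(ev)

    incidents = []
    for dst, evs in by_dst.items():
        t0 = evs[0].ts
        evs = [e for e in evs if e.ts - t0 <= window]   # fixed window anchored on the first event
        sources = {e.source for e in evs}
        evidence = sum(WEIGHTS[s] for s in sources)      # each log source counts once per incident

        asset = assets.get(dst, UNKNOWN_ASSET)
        targeted = {e.exploits for e in evs if e.exploits}
        vulnerable = bool(targeted & asset["vulns"])
        if vulnerable:
            evidence += VULN_BONUS
        elif "ids" in sources:
            evidence = max(1, evidence - UNCONFIRMED_PENALTY)

        incidents.append({
            "host": asset["name"], "dst": dst, "sources": sorted(sources),
            "vulnerable": vulnerable, "score": evidence * asset["criticality"],
        })
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS, ASSETS):
        print(f"{inc['score']:>3}  {inc['host']:<13} {inc['dst']:<10} "
              f"vulnerable={inc['vulnerable']!s:<5} sources={','.join(inc['sources'])}")
```

With the constructed inventory the CAD server scores 50 and the print server 10 for identical evidence, because only the criticality multiplier differs; the patched host drops to 8 despite a firing IDS signature, and the lone firewall accept to an unknown host scores 2. A production engine would use a sliding window per attacker/target pair rather than a fixed window anchored on the first event, and would pull criticality and vulnerability state from a CMDB and scanner rather than a static dictionary, but the shape of the decision is the same.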

Let us know if you would like a demo to see how this works in practice.
