Arming Your Network Against Advanced Persistent Threats (APTs)

Ever since Google was hacked by the notorious “Operation Aurora”, the term Advanced Persistent Threat has come to the forefront of the computer security challenges organizations must face. APTs are attacks originating from groups with government-level funding, with considerable patience to wait for an opportunity to exploit, and with a specific mission to carry out.

I’ve met the whole concept of APTs with personal skepticism. After all, the analysis of Google’s hack did not prove that the Chinese government was directly responsible, that the tools used exceeded the complexity of botnets formed by malware such as Bagle or Conficker, or that a basic penetration test could not have yielded similar results against any company, let alone an open-architected, public-minded company such as Google.

Regardless, there are many respected researchers who do claim the attack was government sponsored and that it was carried out with significant sophistication. They claim that far more resources are likely being pushed into funded cyber attacks against influential organizations as copycats emerge from other governments and well-funded criminal groups.

For those who have been dealing with cyber crime over the last decades, these threats sound similar to threats that have been seen all along. Criminal, profit-motivated organizations have created sophisticated malware with command and control systems that, among other things, search for and steal anything of value from an infected computer and send it to data-collecting exfiltration servers located in shady data centers all around the world.

Integrated Security Information and Event Management (SIEM) and Log Management products such as LogRhythm are coming to the forefront of APT defense, establishing them as a fundamental element of security that is just as important as the old familiar defenses. APTs are likely to have centralized command and control, and the defense is to have at least the same capabilities as the attacker, in the form of a Security Information and Event Manager that centralizes and correlates the organization's own log data.

Regardless of whether you are concerned about emerging threats from cyber crime or insider threat, or feel your organization faces a direct threat from government-sponsored APTs, SIEM solutions like LogRhythm are an invaluable tool for responding to complex and targeted threats against your organization by addressing the following:

1) Event-layer collection and analysis, reducing log data to highlight events of importance.
2) Automatic notification of compromises and security-critical events.
3) Robust and deep forensic capabilities across a wide variety of log sources.
4) An understandable dashboard highlighting activities and trends for the organization.
5) Internal/external system awareness and GeoLocation identification of attackers.
6) Detection and notification of potential data loss events.

Without the right SIEM solution an organization may be blind to even basic threats. The illumination provided by a SIEM can expose complicated and unknown threats by tracking information with enough detail to spot anomalous behavior that APTs are not capable of hiding, such as regular command and control check-ins or unusually large outbound transfers. SIEMs are the most significant countermeasure against Advanced Persistent Threats available and are critical for stepping up to limit the impact of APTs.
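To make the "anomalous behavior" point concrete, here is an added example (not code from the original post or from LogRhythm) of the kind of correlation a SIEM rule performs: it reduces constructed proxy log lines to events, flags a source/destination pair contacted at near-constant intervals (the machine-timed check-in pattern of centralized command and control), and flags single outbound transfers large enough to count as a potential data loss event. The log format, host names, and thresholds are assumptions chosen for the illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not from any real environment):
# timestamp, source host, destination, bytes sent outbound.
SAMPLE_LOG = """\
2010-03-01T09:00:00 10.0.0.5 updates.example-vendor.test 512
2010-03-01T09:00:03 10.0.0.5 news.example.test 2048
2010-03-01T09:05:00 10.0.0.5 updates.example-vendor.test 510
2010-03-01T09:10:01 10.0.0.5 updates.example-vendor.test 515
2010-03-01T09:12:40 10.0.0.7 mail.example.test 80000000
2010-03-01T09:15:00 10.0.0.5 updates.example-vendor.test 509
2010-03-01T09:20:00 10.0.0.5 updates.example-vendor.test 511
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Reduce raw lines to (time, src, dst, bytes_out) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, nbytes = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events

def find_beacons(events, min_hits=4, max_jitter=0.1):
    """Flag (src, dst) pairs contacted at near-constant intervals, a C2 check-in pattern."""
    per_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        per_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in per_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) + 1 < min_hits:
            continue  # too few contacts to judge regularity
        mean = statistics.mean(gaps)
        # Low relative spread of the intervals means the traffic is machine-timed.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append((src, dst, round(mean)))
    return hits

def find_large_uploads(events, threshold=50_000_000):
    """Flag single outbound transfers at or above threshold as potential data-loss events."""
    return [(src, dst, n) for _, src, dst, n in events if n >= threshold]
```

In the sample, the five-minute check-ins from 10.0.0.5 are reported as a beacon with a 300-second period, and the 80 MB upload from 10.0.0.7 is reported as a large transfer; the single visit to news.example.test is ignored.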
