Is SEIM a Science, or an Art Form?
Security Event and Incident Management, or SEIM, has undergone something of an evolution over the past few years. What used to be 100% science is now far more of an art form. A decade ago, it was all firewalls and antivirus software, IDS/IDP and web threat gateways. Then came the Advanced Persistent Threats, or APTs, which shifted the focus to tools for detection. APTs made it more or less impossible to stop every attack all the time, so it was better to concentrate on finding the buggers and getting them stopped once they were (unfortunately) in the system.
The New Art of SEIM
Examining the network activities and recognizing when something is wrong isn’t an exact science. It’s much more of an art form.
Now, with a new generation of detection engines, SEIM or Incident Response (IR) is a group of skills and techniques that more closely resemble art than the science of blocking attacks or even the automated monitoring of last generation’s detection methods. Cyber security has fallen back onto people. The problem is, there aren’t many people with the skills necessary to recognize a threat as it happens. But worse, recognizing the threat isn’t the real problem. The actual problem, which is yet to be addressed, is how to stop the intruders once discovered.
How to Teach More Artists
Unfortunately, it’s much harder to teach someone an art than it is to teach them a science.
What cyber security needs now are training grounds for the new artists that are now necessary to detect and thwart threats. That begins with a set of best practices — not just best practices for recognizing a threat among the buzz of activity within a system or network, but best practices for getting it stopped.
Next, there needs to be more education on today’s IR. This means college and technical school courses, yes, but it also means training at the enterprise level, so that the security experts of yesterday can be the security experts of today and tomorrow, too.
Finally, there needs to be cyber intelligence development on Indicators of Compromise, or IoCs. This should cover the less common threats, such as ransomware, insider threats, and data corruption, which get much less attention than data breaches and rank-and-file hack attacks, alongside the common ones. The art is in recognizing threats that are indicated by little more than some unusual file activity. For example, what does it look like when hacktivists try to corrupt data gathered during research involving animals or environmental hazards like fracking chemicals? These attacks look nothing like the average identity thief trying to get social security numbers. One such development is Syncsort’s Ironstream, which in tandem with Splunk Enterprise and Splunk Enterprise Security can combine mainframe security data with data from other IT platforms, providing real-time security-event monitoring and correlation across all your systems.
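To make the "unusual file activity" idea concrete, here is an added example (not from the original article, and not Syncsort's or Splunk's code) that scores writes to a research dataset against a small baseline: which accounts may write it, during which hours, an append-only rule for measurement files, and a per-hour write-burst threshold. The audit-log format, the account names, the paths and the thresholds are all constructed assumptions for the example; a real deployment would take the same signals from file-audit events in the SEIM.

```python
"""Flag unusual file activity against a research dataset.

Added example, not from the article. The audit-log format, the accounts,
the paths and the baseline thresholds below are constructed assumptions.
Each log line is: <ISO timestamp> <account> <action> <path>, where action
is one of OPEN, APPEND, OVERWRITE, DELETE.
"""
from collections import Counter
from datetime import datetime

# Constructed baseline for the dataset under /research/fracking/.
BASELINE = {
    "path_prefix": "/research/fracking/",
    "dataset_suffix": ".csv",          # measurement files: append-only by policy
    "allowed_writers": {"lab_ingest", "dr_patel"},
    "work_hours": range(7, 20),        # 07:00-19:59; writes outside are notable
    "max_writes_per_hour": 20,         # the ingest job appends a dozen files/hour
}

WRITE_ACTIONS = {"APPEND", "OVERWRITE", "DELETE"}

# Constructed audit log: normal daytime ingest and analysis, one late
# append by the ingest account, then a service account rewriting thirty
# measurement files in place at 03:12 (the data-corruption pattern).
CONSTRUCTED_LOG = "\n".join(
    [
        "2023-05-02T09:15:02 lab_ingest APPEND /research/fracking/well_117.csv",
        "2023-05-02T09:15:03 lab_ingest APPEND /research/fracking/well_118.csv",
        "2023-05-02T11:40:10 dr_patel OPEN /research/fracking/well_117.csv",
        "2023-05-02T14:02:55 dr_patel OVERWRITE /research/fracking/notes.md",
        "2023-05-02T22:30:41 lab_ingest APPEND /research/fracking/well_119.csv",
    ]
    + [
        f"2023-05-03T03:12:{i:02d} svc_backup OVERWRITE /research/fracking/well_{100 + i}.csv"
        for i in range(30)
    ]
)


def parse_events(text):
    """Parse the constructed log format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, path = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "action": action, "path": path})
    return events


def detect_unusual_file_activity(events, baseline=BASELINE):
    """Return sorted (kind, account, hour) findings for writes to the dataset.

    Findings are deduplicated per account and hour so that a burst of
    thirty identical events yields one line per rule, not thirty.
    """
    findings = set()
    writes_per_hour = Counter()
    for e in events:
        if not e["path"].startswith(baseline["path_prefix"]):
            continue
        if e["action"] not in WRITE_ACTIONS:
            continue                      # reads are expected; only writes are scored
        hour = e["ts"].strftime("%Y-%m-%dT%H")
        writes_per_hour[(e["account"], hour)] += 1
        if e["account"] not in baseline["allowed_writers"]:
            findings.add(("unexpected_writer", e["account"], hour))
        elif e["ts"].hour not in baseline["work_hours"]:
            findings.add(("off_hours_write", e["account"], hour))
        # Measurement files only ever grow; an in-place rewrite or delete
        # changes recorded results rather than adding to them.
        if (e["path"].endswith(baseline["dataset_suffix"])
                and e["action"] in {"OVERWRITE", "DELETE"}):
            findings.add(("overwrite_of_append_only_data", e["account"], hour))
    for (account, hour), n in writes_per_hour.items():
        if n > baseline["max_writes_per_hour"]:
            findings.add(("write_burst", account, hour))
    return sorted(findings)


if __name__ == "__main__":
    for kind, account, hour in detect_unusual_file_activity(parse_events(CONSTRUCTED_LOG)):
        print(f"{hour}  {account:<12} {kind}")
```

Run against the constructed log, the detector reports one low-severity finding (the ingest account appending after hours) and three findings for the 03:12 burst: an account outside the allowed writers, in-place overwrites of append-only measurement files, and a write rate above the hourly baseline. The analyst's OVERWRITE of a notes file during work hours produces nothing, which is the point of pairing a path rule with the account and time rules rather than alerting on every write.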
Are your cyber security experts hardwired for science, or are they up for some artistic expression of their abilities?