Powerboost your Security Intelligence with SIEM and Data Activity Monitoring
Melissa Stevens 270005B76W MELISSAS@US.IBM.COM | | Tags:  ibm-security security-intelligence data-security security data-activity-monitoring
0 Comments | 4,673 Visits
This post was contributed by Luis Casco-Arias, Senior Market Manager for IBM Security.
In case you missed it, the culmination of the evolution of IT security is “Security Intelligence”. In this era of rapid data explosion, consumerization of IT, IT perimeter openness and expansion, and attack sophistication, IT organizations will not be able to keep up with the growing security and compliance requirements by using traditional approaches. The idea is that IT organizations have to partner with the Lines of Business to control security and compliance in a more automated, business context centric, holistic, and proactive manner. To address this goal, the industry is adopting the power of analytic engines, such as the ones provided by Security Information and Event Management (SIEM) solutions, to not only react quickly to incoming attacks, but also to predict and stop potential threats. These solutions analyze and correlate security and audit events from a myriad diverse systems and applications to come up with the relevant insights to protect against advanced threats. In doing so, they centralize, automate, and integrate a lot of the work that would have to be done by armies of highly skilled security engineers. However, their analysis is as good as the data that they are able to collect. When it comes to data access activity, the traditional sources tend to be database audit logs. Unfortunately, not only are these logs not real-time events, but they are highly susceptible to tampering. You need to enter the realm of data activity monitoring!
With data activity monitoring you get real-time alerts on relevant insights from data access. These solutions monitor all inbound and outbound traffic from any data source, including the metadata (such as session IDs, time, source and target IP addresses, etc) and the context (including the data itself or error return codes). The alerts are driven by preset policies and analysis, and can even proceed to blocking unwanted or suspicious traffic. These alerts can be sent to SIEM solutions for further correlation with other security alert sources across the enterprise. Some common use cases that generate data activity alerts include: failed logins to the data server, unauthorized access by privileged users, and SQL error codes due to SQL injection attack attempts or users trying to escalate privilege. This ensures that companies can react quickly to possible external or internal threats, preventing valuable sensitive data loss from breaches.
Companies also get additional benefits such as:
As companies deal with data explosion and the extension of the perimeter beyond the enterprise boundaries, we will see an increased focus to protect data closer to the source. Complementing SIEM solutions with in-depth data activity monitoring will provide customers with a seamless extension of scope into data sources, benefiting customers not only with exceptionable accurate and actionable insight, but also with the cost benefits from off-loading the analysis to specialized tools. A vendor making this synergy a reality is IBM. Take note of our Security Intelligence vision with data activity monitoring.