The SANS Technology Institute
Contact Stephen Northcutt
FOR IMMEDIATE RELEASE
May 8, 2010
Tel: (808) 823-1375
Email: stephen@sans.edu
SANS Technology Institute announces paper with guidance on
A new paper has been released from the SANS Technology Institute on Event
Correlation and SIEM Vendor Approaches. Known as a Joint Written Project, this
paper was developed by students as part of the SANS Technology Institute Masters
Program.
As technology progresses, IT professionals and security analysts are presented with
an ever-increasing volume of data to parse through to find evidence of security
events. Many companies rely on disparate logging architectures that split network,
server, and application logging. The security threats to a company are always
increasing, and it is becoming imperative for a company to have a well-designed
logging infrastructure that consolidates, archives, and correlates any useful logging
information from as many parts of the company's network as possible. Not only is it
becoming imperative to stop intrusions from both external and internal attackers, but
it is crucial for protecting critical information from getting into the wrong hands.
The paper describes how a Security Information and Event Management (SIEM)
system can prevent or mitigate data loss by detecting both network intrusions and
extrusions. Such losses of data can cost organizations millions of dollars to
recover from – some organizations may never recover. Several key areas are
examined with the intent of discussing how different vendors' SIEM products can
address them. The areas discussed are:
Identification of infected systems trying to exfiltrate information;
Countermeasures to detect attempts to infect internal systems;
Detection of outbound sensitive information; and
Mitigation of the impact of infected systems.
Once data collection has begun, the next task an organization must tackle
is how to correlate the different logs in order to identify where and when an attack is
occurring or has occurred. Without additional log analysis software, this can be a
daunting, if not impossible, task. To that end, the use of a SIEM to detect and
prevent attacks is examined in detail. Several SIEM vendors have
agreed to share the approach they take to address the identified key areas for
discussion. The vendors providing input to this paper are, in alphabetical order:
LogRhythm;
NitroSecurity;
Prism Microsystems; and
QRadar (by Q1 Labs).
To access the paper, please see http://www.sans.edu/resources/student_projects
About SANS and the SANS Technology Institute. SANS was established in 1989 as a
cooperative research and education organization. Its programs reach more than
165,000 security professionals, auditors, system administrators, network
administrators, chief information security officers, and CIOs who share the lessons
they are learning and jointly find solutions to the challenges they face. At the heart
of SANS are the many security practitioners in government agencies, corporations,
and universities around the world who invest hundreds of hours each year in
research and teaching to help the entire information security community. To develop
the technology leaders needed to help strengthen the worldwide defensive
information community, the SANS Technology Institute was created as a degree-granting affiliate of SANS. It is one of the nation's leading graduate schools devoted
to the study of information security.