[siem-users] Hello
Anton Chuvakin
anton at chuvakin.org
Thu May 3 00:11:29 UTC 2012
> And I'll open up with a quick question and my answer: do you think a
> SIEM can detect a well hidden APT style attack? And my answer is that
> is no it can't if the attacker(s) spread out their attack over weeks
> and months. I believe that a paradigm shift needs to occur in the SIEM
> space where activity is not only correlated in
> seconds/minutes/hours/days but in weeks and months.
...which, by the way, does not mean that a SIEM would be useless for
such an advanced attack. You are correct, you might not get woken up at
3AM by a nicely worded alert (indicating that APT is in :-))), but a
good SIEM can make your investigation much less painful. Re: weeks
and months, profiling techniques on aggregated data are being slowly
incorporated into SIEM tools, but it is expected (OK, *I* expect it
:-)) that these features would require a lot of work by the actual
SIEM operator.
--
Dr. Anton Chuvakin
Site: http://www.chuvakin.org
Twitter: @anton_chuvakin
Work: http://www.linkedin.com/in/chuvakin
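An added example, not from the thread or any SIEM product, of the point both posters make: a correlation rule evaluated over a one-day window never sees enough of a "low and slow" pattern to fire, while the same rule over a thirty-day window does. The events, host names and the destination address are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): five weeks of
# (timestamp, host, destination) records. Two workstations reach a CDN daily;
# one also reaches a rare external address about every three days.
START = datetime(2012, 3, 1, 9, 0)

def build_sample_events():
    events = []
    for day in range(35):
        ts = START + timedelta(days=day)
        events.append((ts, "ws-012", "cdn.example.net"))
        events.append((ts, "ws-044", "cdn.example.net"))
        if day % 3 == 0:
            events.append((ts + timedelta(hours=2), "ws-044", "203.0.113.9"))
    return events

def rare_destinations(events, max_hosts=1):
    """Destinations contacted by at most `max_hosts` distinct hosts."""
    hosts_per_dest = defaultdict(set)
    for _, host, dest in events:
        hosts_per_dest[dest].add(host)
    return {d for d, hosts in hosts_per_dest.items() if len(hosts) <= max_hosts}

def detect_slow_beacons(events, window, threshold):
    """Flag (host, dest) pairs to a rare destination that occur at least
    `threshold` times inside any sliding time window of length `window`."""
    rare = rare_destinations(events)
    times_by_pair = defaultdict(list)
    for ts, host, dest in sorted(events):
        if dest in rare:
            times_by_pair[(host, dest)].append(ts)
    hits = set()
    for pair, times in times_by_pair.items():
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # drop events older than the window
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.add(pair)
                break
    return hits

if __name__ == "__main__":
    ev = build_sample_events()
    # One-day window sees at most one contact and stays silent; 30 days fires.
    print("24h window:", detect_slow_beacons(ev, timedelta(hours=24), 3))
    print("30d window:", detect_slow_beacons(ev, timedelta(days=30), 3))
```

The long window is what makes the rule fire; the rarity filter is what keeps the daily CDN traffic from firing alongside it.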