Blog

AEP products, SIEM integration, and security logging best practices

December 14, 2016
AEP products, SIEM integration, and security logging best practices

As integration between SIEM and security products becomes more important for the success of information security strategies, forensic logging capabilities and data integration should be advancing in step with product capabilities. But are they? NSS Labs is currently testing AEP products, and it looks like key features are missing from some products.

Let’s start with what should be considered the security standard for logging capabilities, and then we’ll talk about what is currently provided by the industry. To support SIEM integration, the most basic capability a product should provide should be the ability to configure log output from its management console with the option to export or send logs using several standard security log formats, such as CEF, and CEE. Alternatively, the product could allow API access to its event data. Ideally, the product should do both to allow flexibility in the design and implementation of a company’s security infrastructure.

For cross-correlation between security products, a standard set of data points should be included for each event, logged by the product, including the time of the event; the hostname and IP address of the endpoint affected by the threat; identifying information such as the threat name, filename, process name, and source of the threat (e.g., URL, IP address, file share); and cryptographic hash values using the MD5, SHA-1, and/or SHA-256 hashing algorithms if the threat is a file or process.

Unfortunately, several products do not support data log output/product integration, and of the products that do support data log output, many do not include all of the data points to be truly useful. A number have a preference for one specific type of threat identifier, inhibiting one-to-one correlation of events between security products. A few of the products have logs do not include any useful data at all, logging events with text such as “a high severity threat was seen at 11:14AM.”

Hopefully, as the market evolves, so too will the format and value of the data provided by the products that companies rely on to support their information security programs.