In our previous post we presented reasons that Intelligent Security Perimeters are evolving in order to address a new proliferation of so-called Advanced Persistent Threats (APTs).
The result is effectively an arms race between perimeter defenses like Firewall Log Analyzers, and the constant development in the cybercrime arsenal. Hence, organizations seek to not only add gateway filters and security to their networks, but also monitor exactly when and how they are being attacked and possibly compromised.
This warfare footing sets the stage for intriguing developments in firewall syslog analysis techniques and in the search for attack indicators in common event log types. Among these developments is the potential for qualitative analysis of threat vectors, meaning that raw data from firewall event logs can be assigned importance based on past observations and be dynamically scored by some reputation system.
The qualitative analysis approach involves aggregating and correlating existing security event logs, as already available in a Firewall Log Analyzer, and comparing them with an expected pattern or existing standard. This is conceptually similar to a college admission standard, where existing rejection/entrance criteria have been established by which each applicant is rated. Effectively, the role of the SIEM is raised to the advisory level rather than simply reporting, and the score analytics provide a qualitative predictor of malicious traffic.
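To make the idea of "scoring by past observations against an expected pattern" concrete, here is an added example in Python that is not code from the original post or from any particular Firewall Log Analyzer. It assumes iptables-style syslog lines (constructed sample data), a hypothetical per-source reputation table standing in for past observations, and a hypothetical baseline standing in for the expected pattern; every threshold and weight is an assumption chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed iptables-style firewall syslog lines (sample data, not from the post).
SAMPLE_LOG = """\
Mar 10 12:00:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 10 12:00:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23
Mar 10 12:00:03 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar 10 12:00:04 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=445
Mar 10 12:00:05 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=1433
Mar 10 12:00:06 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
Mar 10 12:00:07 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80
Mar 10 12:00:08 fw1 kernel: DROP IN=eth0 SRC=192.0.2.200 DST=192.0.2.10 PROTO=UDP DPT=53
Mar 10 12:00:09 fw1 kernel: DROP IN=eth0 SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP DPT=22
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP|REJECT) IN=(?P<iface>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)

# "Past observations": hypothetical reputation priors keyed by source address.
REPUTATION = {
    "203.0.113.5": 40,   # previously seen scanning: high prior
    "192.0.2.200": -20,  # known internal monitoring host: trusted, negative prior
}

# "Expected pattern": the baseline a well-behaved source is expected to stay within.
BASELINE = {
    "max_drops": 2,           # drops per source per window considered normal
    "max_distinct_ports": 2,  # more distinct blocked ports suggests a sweep
    "sensitive_ports": {22, 23, 445, 1433, 3389},
}


def parse_line(line):
    """Parse one firewall syslog line into a dict, or return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def aggregate(lines):
    """Aggregate blocked events per source: drop count, distinct ports, sensitive ports hit."""
    stats = defaultdict(lambda: {"drops": 0, "ports": set(), "sensitive": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] == "ACCEPT":
            continue
        s = stats[rec["src"]]
        s["drops"] += 1
        s["ports"].add(rec["dpt"])
        if rec["dpt"] in BASELINE["sensitive_ports"]:
            s["sensitive"].add(rec["dpt"])
    return stats


def score_sources(lines, reputation=REPUTATION, baseline=BASELINE):
    """Score each source: reputation prior plus penalties for deviating from the baseline."""
    results = {}
    for src, s in aggregate(lines).items():
        score = reputation.get(src, 0)
        reasons = []
        excess = s["drops"] - baseline["max_drops"]
        if excess > 0:
            score += 5 * excess
            reasons.append(f"{s['drops']} drops exceeds baseline {baseline['max_drops']}")
        extra_ports = len(s["ports"]) - baseline["max_distinct_ports"]
        if extra_ports > 0:
            score += 10 * extra_ports
            reasons.append(f"{len(s['ports'])} distinct blocked ports (possible sweep)")
        if s["sensitive"]:
            score += 5 * len(s["sensitive"])
            reasons.append(f"sensitive ports {sorted(s['sensitive'])}")
        results[src] = {"score": score, "reasons": reasons}
    return results


def ranked(lines):
    """Return (source, result) pairs ordered from highest to lowest score."""
    res = score_sources(lines)
    return sorted(res.items(), key=lambda kv: kv[1]["score"], reverse=True)


if __name__ == "__main__":
    for src, info in ranked(SAMPLE_LOG.splitlines()):
        print(f"{src:15} score={info['score']:4} {'; '.join(info['reasons'])}")
```

The point of the design is that the SIEM output is a ranked, explained score rather than a flat list of drop events: the reputation prior carries forward what was learned from earlier windows, and the baseline deviations are the "admission criteria" each source is rated against. In practice the weights and the reputation table would be tuned over time from confirmed incidents, which is exactly the continuous refinement loop the post describes.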
Through a continuous refinement of the qualitative analysis criteria the potential of an Intelligent Security Perimeter to “learn” and advise IT administrators on better policy implementations becomes a real possibility.
In our next post we will examine the types of traffic events that would form such criteria.