On June 30, 2011, NetworkWorld published a promotional piece titled "Generic Accounts are your SIEM blind spot" (heh :-). It discusses a shortcoming of traditional SIEM: it cannot pinpoint the person who committed a violation; at most it can get as far as an IP address or a system account. The author calls this SIEM's Achilles' heel. Heh, this is really nothing more than the problem of integrating SIEM with IAM. The article does, more specifically, go into privileged user management (Privileged User/Identity Mgmt). Still, the first half of the article is written quite systematically and is worth reading, so it is excerpted below:

This powerful technology has one Achilles' heel. Though SIEM can correlate a mountain of security data to create a picture of singular events, these frameworks are limited in their ability to track the most powerful users and accounts within IT. Privileged credentials, which I like to call generic accounts, are the "super user" logins that grant IT staff access to change configuration settings, run programs, and access sensitive data everywhere on the network.

SIEM systems were not designed with privileged identities in mind, so they have no way to tie events that are triggered through use of privileged accounts with the individuals who may be responsible. And by itself SIEM has no way to distinguish between applications using a root account and an individual who might use those same credentials to access sensitive data or make undesired configuration changes. As a result, when it comes to privileged accounts, your SIEM system can show you little to differentiate between normal events and criminal activity.

This SIEM blind spot is a special concern when you consider that most organizations seldom change their privileged credentials, and these powerful logins are often widely shared for the convenience of IT both among the staff who service the infrastructure and -- depending on the attitude of help desk personnel -- with individuals outside of IT.

Data breaches often involve the unauthorized use of highly privileged accounts, and when this happens most organizations are powerless to identify the individuals or processes responsible. The best that can be done is to change a few passwords and wait for the cycle to repeat itself. It's a Groundhog Day experience that's seen in far too many enterprises.

What's worse, the lack of accountability with these generic accounts makes it extremely difficult to detect application vulnerabilities that could be exploited by external parties to steal sensitive information. When a hacker discovers a bug in a Web application that uses a generic account, the root problem is not that the account has been compromised but that the application itself has been hacked. It can be impossible to detect the difference between a faulty application and a human being with unauthorized access when the SIEM system can't tell the difference.

Fortunately, SIEM providers have taken notice and are starting to collaborate with privileged identity management (PIM) vendors to offer solutions that close this visibility gap. Together SIEM and PIM can show not only when and where critical events occurred, but also precisely who was responsible for any action that required the use of privileged "super user" accounts.

In combination, these technologies can help ensure that only authorized personnel can access an organization's most sensitive data, change configuration settings and run programs on the network. The products also work in concert to generate an audit trail to correlate the actions taken by privileged users with the security events that might result. By removing anonymity, the products introduce accountability for all users who access the organization's most critical IT resources -- revealing who had access to what systems and data, when and for what purpose.

Deep, new technical integrations between SIEM and PIM deliver top-to-bottom auditing that helps organizations determine the root causes of security events. These integrations can also help IT security staff more quickly determine the right corrective actions. For example, once it's determined that unauthorized access was attempted by an individual inside your organization, there's no point in shutting down your website "just in case" an application has been compromised. Conversely, should you determine that unauthorized access was attempted by a service or application, there may be a case for closing an application and launching an investigation.
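The SIEM/PIM correlation the excerpt describes (tying a privileged-account event back to the named person who held the credential, and flagging events nobody had checked out so they can be treated as possible service or application activity) can be sketched in a few lines. The following is an added illustration written for this post, not code from the NetworkWorld article or from any SIEM or PIM product; the event and checkout records are constructed sample data, and the field layout is an assumption, since real products export their own schemas.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample SIEM events (not from the article).
# Layout assumed for this example: (timestamp, host, account, action).
SIEM_EVENTS: List[Tuple[str, str, str, str]] = [
    ("2011-06-30T09:05:00", "db01", "root", "config_change"),
    ("2011-06-30T09:40:00", "db01", "root", "config_change"),
    ("2011-06-30T11:00:00", "web01", "svc_app", "sensitive_file_read"),
]

# Constructed PIM checkout records: which named person held which shared
# credential, on which host, for which time window.
# Layout assumed: (user, account, host, checkout_start, checkout_end).
PIM_CHECKOUTS: List[Tuple[str, str, str, str, str]] = [
    ("alice", "root", "db01", "2011-06-30T09:00:00", "2011-06-30T09:30:00"),
    ("bob", "svc_app", "web01", "2011-06-30T10:00:00", "2011-06-30T10:30:00"),
]


@dataclass
class Attribution:
    timestamp: str
    host: str
    account: str
    action: str
    user: Optional[str]  # named individual, or None if no checkout covers the event
    status: str          # "attributed" or "unattributed"


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def attribute_events(events, checkouts) -> List[Attribution]:
    """Join each privileged-account event to the PIM checkout that covers it.

    An event is attributed to a person only when that person had checked out
    the same account on the same host and the event falls inside the checkout
    window. Anything else is the blind spot the article describes: it may be
    an application using the credential, or a human using a shared password
    outside the PIM workflow, and it deserves a closer look either way.
    """
    results = []
    for ts, host, account, action in events:
        t = _ts(ts)
        user = None
        for who, acct, h, start, end in checkouts:
            if acct == account and h == host and _ts(start) <= t <= _ts(end):
                user = who
                break
        results.append(
            Attribution(ts, host, account, action, user,
                        "attributed" if user else "unattributed")
        )
    return results


def unattributed(results: List[Attribution]) -> List[Attribution]:
    """Events on privileged accounts that no checkout explains."""
    return [r for r in results if r.status == "unattributed"]


if __name__ == "__main__":
    for r in attribute_events(SIEM_EVENTS, PIM_CHECKOUTS):
        print(f"{r.timestamp} {r.host} {r.account} {r.action}: "
              f"{r.status} ({r.user or 'no checkout on record'})")
```

With the sample data, the 09:05 root change on db01 is attributed to alice, while the 09:40 root change falls after her checkout ended and the 11:00 svc_app read has no checkout at all; those two are exactly the events a SIEM alone would only ever show as "root did something" and "svc_app did something".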

Either way, you'll be making better-informed decisions that could ultimately prevent a costly, and potentially public, data breach.