Barracuda: Got SIEM?

The announcement of a breach at Barracuda Networks is only the most recent among several at high-profile network security companies. We applaud Barracuda’s announcement and the description of what happened. It’s important that the industry share this information and accept that breaches happen – even among some of the most sophisticated networks, using some of the best products available.

This is precisely why we ask the question: Got SIEM?
The Barracuda announcement noted that their web application firewall was “unintentionally placed in passive monitoring mode” and that “after approximately two hours of nonstop attempts” a SQL injection vulnerability was discovered and the breach ensued. Clearly this activity was evident in the logs and uncovered during the post-breach forensic analysis. It “could” have been detected while in progress, alarms “could” have been sounded, and frankly, if TriGeo had been monitoring the activity, the attacker “could” have been blocked long before the breach was successful.
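The two signals in that account are both things a SIEM correlation rule can watch for: a configuration event that switches the WAF out of blocking mode, and a sustained run of rule hits from one client that are being logged but not blocked. The script below is an added example, not code from the original post or from TriGeo; it assumes a simple key=value log format of my own invention and runs over constructed sample lines, not Barracuda’s actual logs. It raises a config alert on any WAF mode change away from blocking, and a burst alert the first time a client accumulates five logged SQLi hits inside a ten-minute sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, not from the Barracuda incident)
# modelling a WAF left in passive mode: rule matches are logged, not blocked.
SAMPLE_LOG = """\
2011-04-08T13:55:00Z event=config_change component=waf old_mode=block new_mode=passive user=admin
2011-04-08T14:00:01Z client=203.0.113.7 action=log rule=sqli uri=/login.php status=200
2011-04-08T14:00:09Z client=198.51.100.5 action=pass rule=none uri=/index.html status=200
2011-04-08T14:01:12Z client=203.0.113.7 action=log rule=sqli uri=/login.php status=500
2011-04-08T14:02:30Z client=203.0.113.7 action=log rule=sqli uri=/search.php status=200
2011-04-08T14:03:45Z client=198.51.100.5 action=log rule=sqli uri=/search.php status=200
2011-04-08T14:04:02Z client=203.0.113.7 action=log rule=sqli uri=/search.php status=500
2011-04-08T14:05:58Z client=203.0.113.7 action=log rule=sqli uri=/cgi-bin/report status=200
2011-04-08T14:07:11Z client=203.0.113.7 action=log rule=sqli uri=/cgi-bin/report status=200
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value key=value ...' into a dict; None on malformed input."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = {"ts": ts}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            return None
        fields[key] = value
    return fields


def config_alerts(events):
    """A single event is enough: the WAF leaving blocking mode must be visible at once."""
    return [
        f"{e['ts'].isoformat()} WAF mode changed {e['old_mode']}->{e['new_mode']} by {e.get('user', '?')}"
        for e in events
        if e.get("event") == "config_change"
        and e.get("component") == "waf"
        and e.get("new_mode") != "block"
    ]


def burst_alerts(events, rule="sqli", threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count of logged-but-not-blocked rule hits per client.

    Returns one alert per client, raised the first time its hit count inside
    the window reaches the threshold, so a two-hour campaign is flagged early.
    """
    recent = defaultdict(deque)  # client -> timestamps of recent hits
    alerted = set()
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e.get("action") != "log" or e.get("rule") != rule:
            continue
        ip = e["client"]
        hits = recent[ip]
        hits.append(e["ts"])
        while hits and e["ts"] - hits[0] > window:  # drop hits older than the window
            hits.popleft()
        if len(hits) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"client": ip, "count": len(hits), "first": hits[0], "last": e["ts"]})
    return alerts


def analyse(log_text):
    """Run both checks over raw log text and return the alerts they produce."""
    events = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    return {"config": config_alerts(events), "bursts": burst_alerts(events)}


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

On the sample data the config rule fires on the 13:55 mode change and the burst rule fires on 203.0.113.7 at 14:05:58, after its fifth logged hit and well inside the window; the single hit from 198.51.100.5 never reaches the threshold. The point of keeping the two rules separate is that the mode change is worth an alert on its own, before any attacker shows up.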

Defense in Depth?
An SC Magazine article on the Barracuda breach, and others, suggests that the breach “highlights the importance of defense-in-depth.” They’re missing the point. The firms involved in these breaches already have layers of defense – probably far more than most. What appears to be missing is visibility. We make the mistake of relying on the technology to do its job without acknowledging that nothing is perfect, that people make mistakes, and that vulnerabilities will always exist. The layered approach is critical – it can slow the attacker down. They may get past one layer easily and struggle considerably longer on the next (for hours, days, even weeks), but eventually they will succeed.

Trust but Verify
So what’s the answer? SIEM. No, this isn’t a product pitch. It’s simply a reality check. SIEM exists for a reason. It was developed to provide visibility and context, and the best SIEMs provide actionable intelligence. There’s a reason that HP just paid 1.5 billion dollars for SIEM technology. The network tools we all own are powerful tools and when used in concert, they can be a formidable defense, but the operative word is “can.” They can be very effective, but are they? If you’re not monitoring what’s happening on your network, you really have no idea. Did an administrator misconfigure something when applying the latest update? It happens. Will you know if it does?

*** This is a Security Bloggers Network syndicated blog from TriGeoSphere authored by Michael Maloof. Read the original post at: http://blog.trigeo.com/2011/barracuda-got-siem/