The Assimilation System Management Suite (ASMS) provides integrated capabilities in monitoring, general system management, network management, and cybersecurity. The next few releases will concentrate on strengthening our cybersecurity portfolio of low-noise automated security tools. The new capabilities include security best practice analyses, checksum integrity analyses, patch tracking and management and integration with a few SIEM products. This post talks about our plans for those releases in more detail.
Cybersecurity Best Practice Analyses
Making sure your systems and applications are fully buttoned down in accordance with best practices is essential. Depending on your business, certain parts of this are required by law or regulation. Staying in continual compliance with security-related best practices and regulations is vitally important, but difficult. Verizon states that 80% of all organizations that get into compliance fail to stay in compliance. We are adding a customizable set of best practices based on the IT Best Practices community (ITBestPractices.info) – which incorporates rules from NIST and other sources. SIEM events will be generated when systems drop out of compliance with a rule and when they come back into compliance.
One of the nice things about the Assimilation Architecture is that it’s natural to have it do this kind of real-time analysis. Its fully distributed architecture makes it sensitive to changes in security configuration without expensive polling.
Cybersecurity File Integrity Analyses
Continuous monitoring of the integrity of sensitive files is an essential tool for any IT organization to have in its tool bag. It’s a part of everyone’s list of best practices and for many organizations is a regulatory mandate. In spite of being well-understood to be essential to detecting intruders, it is not implemented by many organizations. One of the causes for htis is that many tools have to be told what files are important, yet they should not make a lot of noise about what’s not important. When attackers compromise systems, they most commonly install a new network application (which we detect as a new listening application), or modify an existing network application.
With Assimilation’s deep-dive discovery, we automatically detect which files are essential to network applications – even custom applications. Sensitive files are automatically monitored without human intervention or configuration. Because the files being monitored are directly related to network applications – they’re exactly the kind of sensitive file whose integrity must be ensured – eliminating noise in the results. ASMS currently monitors file integrity, but does not create any alerts. This feature will create SIEM events for anomalous file contents.
Cybersecurity Patch Tracking and Management
Because of the comprehensive nature of our discovery, The ASMS knows the version of every package installed on every machine in its domain. This feature will be to provide a service which our clients can connect to which provides a consolidated feed of security patches information from multiple vendors. Some vendors provide advisories in OVAL, some provide them in CVRF format, and some in semi-structured text. We will provide two things as part of this:
- A service which listens to a variety of security feeds transforming the results into a common format.
- A component of the ASMS which listens to that feed and creates SIEM events for each system in need of remediation. Once required patches are applied, SIEM events will be generated indicating that the vulnerability was patched.
Cybersecurity SIEM Integration
For most security organizations, for the ASMS to be useful to them in their existing processes, what they need most is rich integration with their chosen Security Information and Event Management (SIEM) tool. SIEMs aspire to give their users a “single pane of glass” view of their enterprise security. The SIEM products we’re currently considering for this role are QRadar (IBM), Arc Sight (HP), Splunk and LogRhythm. This feature will enable our customers to get instant visibility of all the security issues uncovered by the Assimilation Suite in a drama-free fashion – before auditors or attackers find the issues.