Tuesday, November 17, 2009

Extending Security Event Correlation

Last year at this time I wrote a series of posts on security event correlation. I offered the following definition in the final post:

Security event correlation is the process of applying criteria to data inputs, generally of a conditional ("if-then") nature, in order to generate actionable data outputs.

Since then what I have found is that products and people still claim this as a goal, but for the most part achieving it remains elusive.

Please also see that final post for what SEC is not, i.e., SEC is not simply collection (of data sources), normalization (of data sources), prioritization (of events), suppression (via thresholding), accumulation (via simple incrementing counters), centralization (of policies), summarization (via reports), administration (of software), or delegation (of tasks).

So is SEC anything else? Based on some effective uses I have seen, I think I can safely suggest an extension to "true" SEC: applying information from one or more data sources to develop context for another data source. What does that mean?

One example I saw recently (and this is not particularly new, but it's definitely useful) involves NetWitness 9.0. Their new NetWitness Identity function adds user names collected from Active Directory to the metadata available while analyzing network traffic. Analysts can choose to review sessions based on user names rather than just using source IP addresses. This is certainly not an "if-then" proposition, as sold by SIM vendors, but the value of this approach is clear.

I hope my use of the word "context" doesn't bring too much historical baggage to this conversation. I'm not talking about making IDS alerts more useful by knowing the characteristics of the target of a server-side attack, for example. Rather, to take the case of a client-side attack scenario, imagine replacing the source IP with the country "Bulgaria" and the target IP with "Web server hosting Application X" or similar. It's a different way for an analyst to think about an investigation.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
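The kind of context-building the post describes, as an added example that is not from the post, from NetWitness, or from any other product: a small Python script that enriches raw network sessions with a user name derived from Active Directory-style logon/logoff events, a country from a CIDR table, and an asset description from an inventory, and then lets an analyst pivot on the user name instead of the source IP. The log records, the CIDR tables (RFC 5737 documentation ranges; the "Bulgaria" label is assumed for illustration, not real geolocation), and all function names are constructed here. It also builds in the caveat a practitioner will want: an IP-to-user mapping is only valid for a window of time, because DHCP reuse and shared workstations put different people behind the same address during one day, so the lookup is keyed by session time and not by address alone.

```python
"""Context enrichment for network sessions.

Added example, not code from the original post or from any vendor.
All inputs below are constructed sample data, not real logs.
"""
from datetime import datetime
import ipaddress

# AD-style logon/logoff records: (timestamp, user, workstation IP, event).
# The same DHCP address is reused by a second user later in the day, which is
# exactly the case where a static "IP -> user" table attributes traffic to
# the wrong person.
LOGON_EVENTS = [
    ("2009-11-17T08:00:00", "jsmith", "10.1.1.50", "logon"),
    ("2009-11-17T12:00:00", "jsmith", "10.1.1.50", "logoff"),
    ("2009-11-17T12:30:00", "bjones", "10.1.1.50", "logon"),
    ("2009-11-17T09:15:00", "mlee",   "10.1.1.51", "logon"),
]

# Country lookup keyed by CIDR. These are documentation ranges (RFC 5737);
# the country labels are assumed for illustration, not real geolocation.
GEO = [("203.0.113.0/24", "Bulgaria"), ("198.51.100.0/24", "Germany")]

# Asset inventory keyed by CIDR; the most specific entry wins.
ASSETS = [
    ("10.1.0.0/16", "Corporate LAN"),
    ("10.1.2.0/24", "DMZ"),
    ("10.1.2.10/32", "Web server hosting Application X"),
]

def _t(s):
    return datetime.fromisoformat(s)

def build_user_intervals(events):
    """Turn logon/logoff events into (user, ip, start, end) intervals.

    end is None for a user who is still logged on. A new logon on an IP
    closes any open interval on that IP (DHCP reuse or a missed logoff).
    """
    open_by_ip = {}
    intervals = []
    for ts, user, ip, kind in sorted(events, key=lambda e: e[0]):
        when = _t(ts)
        if kind == "logon":
            if ip in open_by_ip:
                prev_user, start = open_by_ip.pop(ip)
                intervals.append((prev_user, ip, start, when))
            open_by_ip[ip] = (user, when)
        elif kind == "logoff" and ip in open_by_ip and open_by_ip[ip][0] == user:
            prev_user, start = open_by_ip.pop(ip)
            intervals.append((prev_user, ip, start, when))
    for ip, (user, start) in open_by_ip.items():
        intervals.append((user, ip, start, None))
    return intervals

USER_INTERVALS = build_user_intervals(LOGON_EVENTS)

def user_for(ip, when):
    """Who was logged on at `ip` at time `when`; None if nobody is known."""
    when = _t(when)
    for user, iip, start, end in USER_INTERVALS:
        if iip == ip and start <= when and (end is None or when < end):
            return user
    return None

def longest_match(ip, table):
    """Label of the most specific CIDR entry covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, label in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, label)
    return best[1] if best else None

def enrich(session):
    """Attach user, country and asset context to a raw (src, dst, time) session.

    Internal addresses get no country and external ones get no AD user; both
    simply come back as None rather than failing the lookup.
    """
    src, dst, when = session
    return {
        "src": src, "dst": dst, "time": when,
        "src_user": user_for(src, when),
        "src_country": longest_match(src, GEO),
        "dst_asset": longest_match(dst, ASSETS),
    }

def sessions_for_user(user, sessions):
    """Pivot on a user name instead of a source IP, as the post describes."""
    return [e for e in (enrich(s) for s in sessions) if e["src_user"] == user]

# Constructed sessions: (src, dst, time).
SESSIONS = [
    ("10.1.1.50", "10.1.2.10", "2009-11-17T09:00:00"),    # jsmith's window
    ("10.1.1.50", "10.1.2.10", "2009-11-17T13:00:00"),    # bjones, same IP
    ("10.1.1.50", "10.1.2.10", "2009-11-17T12:10:00"),    # nobody logged on
    ("203.0.113.7", "10.1.2.10", "2009-11-17T03:00:00"),  # external source
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(enrich(s))
    print([e["time"] for e in sessions_for_user("jsmith", SESSIONS)])
```

The interval logic is the part that matters: the 12:10 session from 10.1.1.50 is attributed to nobody, and the 13:00 session to bjones, even though a snapshot of "who owns 10.1.1.50" taken that morning would have said jsmith for all three. The same join is needed for DHCP, VPN and NAT logs; the external session from 203.0.113.7 gets a country and no user, which is the analyst's cue that the context came from a different source.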
