Mihnea Sandulescu

Mihnea Sandulescu

Mihnea Sandulescu

Short Bio

Mihnea is a security consultant with a solid background in security management technologies, especially with regard to Security Information Event Management (SIEM) and Log Management (LM). His applied research focuses on integrating SIEM and LM capabilities into a single adaptive platform, where well known SIEM / LM deployment and operational issues are approached in an effective and user friendly manner. SEQREL offers a security management solution with adaptive capabilities, including plugin-free adaptive parsing, dynamic event aggregation and quick big data scale analytics.

Adaptive Security Management

The Adaptive Security Management concept raised from the need to simplify security management. It is well known that security management projects are very expensive and although the required infrastructure is expensive, that is just the tip of the iceberg. More concerning is the cost of deployment and the cost of operations. Who is ready to pay the price?

– For those that see compliance requirements as a pain, the total cost of ownership will just add more pain.
– For those understanding the need for effective threat management, might seem worth the price.
– Some others will just use open-source software and, while having fun building a custom infrastructure, will forget to count the man-days they spend on it. For them will seem affordable. But what does a reasonable security management solution deliver in fact?
– A Security Information Event Management (SIEM) system gives some visibility over the data it collects or correlates (usually 20% or less of total logs), mostly based on the so called “use cases”. But a use case is unfortunately based on what we expect to happen. Are the hackers targeting what we expect?
– A Log Management (LM) solution usually collects all the data but gives little visibility to what it collected. It helps a lot on a post-mortem analysis, but doesn’t give many clues on the “unknowns”.
– Will maybe Big Data solve all our problems? Well, it will at least help us to store all the data, before we have a clue on what we want to do with the data. What can we do better?
– Have visibility on all the data.
– Get clues on the unknowns.
– Reduce the deployment time.
– Reduce the cost of operations. Data visibility it is about knowing what data you have.

With LM you might get a good search engine, but how many pages are you going to search through? Probably like on a Google search, just focus on the first page, while the one hacker focusing on you is hiding on some other page. What is needed is a good aggregation and a good and quick way to summaries all the information resulted from a query. But how important is the quality of the data? Is it a good thing or a bad thing that SIEM and LM suppliers tell us how many devices they support with their so called “vendor plugins”?

Well, some vendors might look better than others, but the concept seems broken when it comes to information security. What we need at the end is to normalise the data, in order to understand it, before we process it and search it. The better we can parse it and enrich it with meaningful details (Categorisation, Asset Information, Threat Intelligence), the better will be the outcome in terms of threat detection. And what if all data is normalised properly, is it all relevant? No, there are a lot of falsepositives.

And who will manage the false-positives, the analyst or an expensive admin? Who will work with the data and who will manage the system? How easy can the data be exported and how can sensitive information be hidden when it needs to be shared? All these are questions that will make a big difference in terms of cost of operations. For more details on what can be done to make a security management a success, with classic or adaptive solutions, feel free to join the Adaptive Security Management session.