Properly integrated identity and access management (IAM) and security incident and event management (SIEM) can assist in combating modern targeted attacks, Gartner says.
Gartner research managing vice president Mark Nicolett said it was important to protect the perimeter to narrow the surface of attack.
“Some attackers are opportunistic and if they find a soft environment and hit the roadblocks, they will try and find a softer target, so there is value in hardening the perimeter,” Nicolett told the Gartner IAM conference in London.
“Some systems can only take it so far. They need to be good at early detection and this is an area we are particularly bad at.
“A targeted attack can take a week or more to unfold as the attacker figures out a way to find to take the data, so we need to monitor user activity, application activity, data access and device access, also profiling and anomaly detection.”
He said SIEM deployments should perform threat intelligence and recognise targeted malicious code and advanced threat communications. This requires expertise in databases, networks and Active Directory.
Gartner predicted that by 2016, 30 per cent of SIEM deployments will have an IAM integration in addition to Active Directory.
“It is complex as you need log management and SIEM deployed first before you deploy anything. You can use SIEM for change detection, to know what has been authorised. Reporting on exceptions, database auditing, privileged user monitoring, rules-based correlation – but if it doesn't tell you about new types of attacks, that is where you need anomaly detection.”