Amidst the compulsion to invest in the most sophisticated technology as quickly as possible, it has become increasingly important to understand what solutions are out there and whether they are a good fit.
One of the fastest-growing categories of security products is user behavior analytics tooling, such as the security information and event management (SIEM) system, which gathers data from event and authentication logs to establish a baseline of normal activity and then uses that baseline to detect malicious user behavior and other anomalies.
If analogies help, think of an ICU monitor where continuous observation from a central display helps identify abnormalities which, in turn, triggers alerts and then immediately initiates remedial action. And similar to electrode placement on a patient’s skin to create a conduit for cardiac output, agents are used as the middleware to make a connection to the server and create a path for data transmission to a Virtual Log Collector (VLC).
For companies that could afford it, news of this technology was a godsend back in the ’90s, when the tsunami of logs being whipped up by intrusion detection and prevention systems was creating an enormous need for log management systems. Today, however, SIEM tools have come a long way from the log-centric systems that were primarily intended for log management, and so have the costs of implementing them.
In recent years, SIEM technology has become more advanced with features such as raw packet data capture and machine learning methodologies, like event correlation, to help spot threats which typically bypass preventative controls. “Moving towards continuous detection of attacks and appropriate protection is a journey, and SIEM is a key enabler in that process,” says Lalit Ahluwalia, the North America Security Lead for Public Sector at Accenture.
For any enterprise to deploy a SIEM, it has to go through an exhaustive requirements-gathering phase in which every security-related event log path produced by its critical appliances, including network, VoIP, security and systems administration appliances, is documented.
Once that is complete, middleware agents are configured to send those logs to a VLC, which captures raw data packets and forwards them to a cyber threat host that performs threat detection and prevention using behavior analytics algorithms and an alert monitoring system.
Yet implementation and preparation costs are only one part of the equation. Ongoing monitoring is the other part.
The Second Half
The client company will need dedicated personnel, such as information security engineers and architects, to ensure new logs are being sent to the agent, filters are updated to reduce false positives, performance is consistently fine-tuned, disk space is monitored and load-balancing solutions are implemented when the network starts crying out for more bandwidth.
One of the main factors determining a company’s cost of implementing a SIEM is whether it chooses a cloud service (SIEM as a service, or SIEMaaS). As more companies move toward IaaS, SaaS and PaaS, it becomes more logical to choose a SIEM that integrates with those services, or at least to keep that option open.
When a solution is more scalable, it is likely to be cheaper and faster to implement than the alternative. However, compared with an on-premise solution, connectivity to other appliances might not be as straightforward.
Although it depends on the service provider’s backup plan, SIEMaaS would likely provide more reliable backup in a failover scenario, as an accessible cloud service has a better chance of staying up while an isolated data center goes down. On the other hand, if the outage is caused by the cloud service provider itself, the client company could end up with a lot of technical anarchy on its hands.
Some experts believe that exposing the SIEM to the cloud could increase the organization’s attack surface as its network platform becomes less isolated. However, Rahim Karmali, Security Solution Architect for Hewlett Packard Enterprises, believes nothing could be further from the truth. “It’s the entry points you need to worry about – your mobile, tablet, laptop, etc. Very often those devices are floating on networks that may not be secured.”
Pros (SIEM in General)
Cloud perspectives aside, what is apparent is that an organization is better off with a SIEM than without one. Many standard compliance reporting requirements, like those from the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and the Sarbanes-Oxley Act (SOX), are fulfilled through centralized log collection.
Incident handling becomes much more effective because no one has to go through logs manually to find the attacker’s route through the network or every host and server in the attack vector; instead, the SIEM identifies and correlates these events from a bird’s-eye view and then reconstructs the sequence of events to determine the nature of the attack.
“It serves as an alerting tool with the ability to accurately identify suspicious events by correlating log information from applications, databases, operating systems, network and security devices,” says Ahluwalia.
Serious attacks are no longer isolated, and events can be distributed across multiple systems to avoid detection. Without a SIEM in place, malicious events can spread like wildfire.
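The baseline-then-correlate logic the article describes (a baseline of normal activity built from authentication logs, then events from several hosts correlated to catch an attack that no single host's log would reveal), as an added toy example that is not from the article or any SIEM product; the log format, hostnames, users and addresses are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed log format (assumed for this example): "HH:MM host auth ok|fail user=.. src=.."
LINE_RE = re.compile(
    r"(?P<ts>\d{2}:\d{2}) (?P<host>\S+) auth (?P<result>ok|fail) "
    r"user=(?P<user>\w+) src=(?P<src>[\d.]+)")

# Constructed "known-good" period used to learn what normal looks like.
BASELINE_LOGS = """\
08:01 web01 auth ok user=alice src=10.0.0.5
08:15 db01 auth ok user=alice src=10.0.0.5
09:00 web01 auth ok user=bob src=10.0.0.9
""".splitlines()

# Constructed live traffic: one source fails on three hosts, then gets in on db01.
LIVE_LOGS = """\
02:10 web01 auth fail user=alice src=198.51.100.7
02:11 db01 auth fail user=alice src=198.51.100.7
02:12 vpn01 auth fail user=alice src=198.51.100.7
02:13 db01 auth ok user=alice src=198.51.100.7
09:05 web01 auth ok user=bob src=10.0.0.9
""".splitlines()

def parse(lines):
    """Turn raw log lines into event dicts; lines the regex cannot read are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def build_baseline(events):
    """Baseline of normal activity: the source addresses each user successfully logs in from."""
    seen = defaultdict(set)
    for e in events:
        if e["result"] == "ok":
            seen[e["user"]].add(e["src"])
    return seen

def detect(events, baseline, host_threshold=2):
    """Two rules a correlation engine might run over the merged logs of every host:
    1. a known user succeeds from a source never seen in the baseline;
    2. a source that failed on several distinct hosts then succeeds anywhere."""
    alerts = []
    fails = defaultdict(set)  # src -> hosts on which that src failed
    for e in events:
        if e["result"] == "fail":
            fails[e["src"]].add(e["host"])
            continue
        if e["user"] in baseline and e["src"] not in baseline[e["user"]]:
            alerts.append((e["ts"], "new-source", e["user"], e["src"]))
        if len(fails[e["src"]]) >= host_threshold:
            alerts.append((e["ts"], "fail-then-success", e["user"], e["src"]))
    return alerts
```

Neither rule fires on the baseline period itself, and bob's routine login from his usual address raises nothing; only the 02:13 success trips both rules, which is the cross-host view the article says a SIEM adds.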
Some SIEM products also have the ability to stop attacks by sending alerts to other security controls, such as firewalls and intrusion prevention systems. “Companies can no longer take a reactive approach to things like malware and ransomware,” says Karmali. “They need a system that provides actionable intelligence.”
Cons (SIEM in General)
A SIEM automates many activities that a company would otherwise spend hours of manual labor on; however, it also requires a new skill set to maintain its effectiveness. A client company needs active participation from all departments to ensure the correct logs are being sent to the agent, because correlation engines work more efficiently when they are not sifting through irrelevant data or false positives. The larger the organization, the greater the tendency for its logs to overwhelm the SIEM system.
Furthermore, although SIEM technology has made huge advances since its inception in 1996, it is not a stand-alone system. It requires a combination of “people, process and technology,” says Karmali.
Optimal efficiency is usually achieved when SIEM systems team up with firewalls, intrusion detection/prevention systems, malware protection applications and other controls.
Most enterprise-wide organizations are more secure with a functional and effective SIEM system in place; however, choosing which SIEM system is the best fit may prove challenging. Smaller companies, for example, are better off with a cloud solution, which could be more scalable and faster to implement. For larger companies it would be worthwhile to invest in what might be a more costly hybrid solution, where the cloud and on-premise components each provide their own economies of scale.
Either way, for organizations of any size, the way to achieve optimal efficiency and a high return on investment is by having dedicated staff to perform ongoing monitoring and maintenance of the system.
Many companies implement a SIEM for compliance reasons and, if they don’t have enough resources to manage, maintain and fine-tune the system, they could end up with a very expensive, ineffective log collector on their hands.