SIEM Ebook
SIEM has evolved and is now a cornerstone of security. However, experts say that on its own it may not be enough.
SIEM alone can't do that. However, a good SIEM will bring that down to maybe 100 events that need a closer look. On the other hand, he adds, if a SIEM is not tuned right it can produce false positives that could waste time and get people fired up for nothing. Of course, false negatives can be just as bad or worse because they impart a false sense of security. While SIEM has obviously been around for some time, it is finally starting to deliver on some of the promises made in the earlier days, says Jeffrey Brown, head of IT security, risk and compliance, AIG Investments. When it's done right, it can provide a holistic security view and event correlation across the enterprise. And, he notes, SIEM can greatly enhance incident response and forensics capabilities as well. On the other hand, notes Brown, the vision that is rarely achieved in real-world deployments is being able to detect events as they happen, correlating these events with vulnerable systems and responding to attacks in near real-time. Other features, like remediation ticketing and advanced correlation, are even harder to get right, he says.
SIEM implementations just aren't that effective, he notes, adding that the growing overload of incidents also makes it difficult to manage and respond effectively. Larger companies are more likely to have the resources needed to do it right, but in the case of Target, the breach information still got lost among the huge number of alerts they were getting, says Malik. It's the usual matter of finding needles in a haystack, says David Monahan, director of security and risk management at Enterprise Management Associates (EMA), a Boulder, Colo.-based industry analyst and consulting firm. SIEM solutions can be very good at crunching down the information to find the needles, he says. The problem is that in a large organization you may still end up with 10,000 needles. In the case of Target, they had 60,000 alerts a day. Thus, in Monahan's view, SIEM is ripe for acquiring additional capabilities related to analytics. In the last two years, and especially in the last six to 12 months, vendors have begun to move toward analytics and intelligence, so that those raw alerts can be better parsed and prioritized.
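The correlation Brown describes (matching events against vulnerable systems) and the prioritization Monahan wants from analytics can be sketched in a few dozen lines. The following is an added example, not code from the ebook or from any vendor's SIEM; the asset inventory, signature metadata, alert records and CVE-EXAMPLE-* identifiers are all constructed for the demonstration.

```python
"""Vulnerability-aware alert prioritization: correlate IDS alerts with asset
and vulnerability data so the analyst looks at the few that matter first.

Added example; not code from the ebook or from any SIEM product. The asset
inventory, signature metadata, alert records and CVE-EXAMPLE-* identifiers
are constructed for the demonstration.
"""
from collections import Counter

# Constructed asset inventory: destination host -> what the correlation needs.
ASSETS = {
    "10.0.1.10": {"os": "linux", "criticality": "high", "vulns": {"CVE-EXAMPLE-0001"}},
    "10.0.1.20": {"os": "linux", "criticality": "high", "vulns": set()},
    "10.0.2.5": {"os": "windows", "criticality": "low", "vulns": {"CVE-EXAMPLE-0002"}},
}

# Constructed signature metadata: which vulnerability and OS each IDS rule targets.
SIGNATURES = {
    "EXPLOIT Example Web RCE": {"cve": "CVE-EXAMPLE-0001", "os": "linux"},
    "EXPLOIT Example SMB Overflow": {"cve": "CVE-EXAMPLE-0002", "os": "windows"},
    "POLICY External IP Lookup": {"cve": None, "os": None},
}

# Constructed raw alerts, in the normalized form a SIEM might hold them.
ALERTS = [
    {"sig": "EXPLOIT Example Web RCE", "src": "203.0.113.7", "dst": "10.0.1.10"},
    {"sig": "EXPLOIT Example Web RCE", "src": "203.0.113.7", "dst": "10.0.1.20"},
    {"sig": "EXPLOIT Example SMB Overflow", "src": "198.51.100.9", "dst": "10.0.1.10"},
    {"sig": "EXPLOIT Example SMB Overflow", "src": "198.51.100.9", "dst": "10.0.2.5"},
    {"sig": "POLICY External IP Lookup", "src": "10.0.2.5", "dst": "198.51.100.200"},
    {"sig": "EXPLOIT Example Web RCE", "src": "203.0.113.7", "dst": "10.0.9.99"},
]


def score_alert(alert, assets=ASSETS, signatures=SIGNATURES):
    """Return (priority, reason); higher priority means look at it sooner.

    0   = exploit cannot apply to the target (wrong OS): candidate for suppression
    1   = informational, or target not known to be vulnerable
    2   = target missing from inventory: an inventory gap, not a verdict
    3-4 = target is vulnerable; 4 if it is also a high-criticality asset
    """
    sig = signatures.get(alert["sig"], {"cve": None, "os": None})
    if sig["cve"] is None:
        return 1, "informational signature"
    asset = assets.get(alert["dst"])
    if asset is None:
        return 2, "destination not in asset inventory"
    if sig["os"] and sig["os"] != asset["os"]:
        return 0, "exploit targets %s but host runs %s" % (sig["os"], asset["os"])
    if sig["cve"] in asset["vulns"]:
        return (4 if asset["criticality"] == "high" else 3), "host is vulnerable to %s" % sig["cve"]
    return 1, "host not known vulnerable to %s" % sig["cve"]


def triage(alerts, assets=ASSETS, signatures=SIGNATURES):
    """Annotate every alert with priority and reason, highest priority first."""
    out = []
    for alert in alerts:
        priority, reason = score_alert(alert, assets, signatures)
        out.append(dict(alert, priority=priority, reason=reason))
    out.sort(key=lambda a: a["priority"], reverse=True)
    return out


def summarize(triaged):
    """Count alerts per priority level: the 'how many needles' figure."""
    return Counter(a["priority"] for a in triaged)


if __name__ == "__main__":
    for a in triage(ALERTS):
        print(a["priority"], a["sig"], a["dst"], "-", a["reason"])
```

Of the six constructed alerts, only two land at priority 3 or above; the wrong-OS alert drops to zero and is the kind of false positive tuning is meant to remove.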
And, warns John McCann, co-founder of Visual Click Software, an Austin, Texas-based provider of computer network security access management and reporting applications, SIEM is still dangerously retrospective. Since most attacks originate outside the company intranet, what good are event logs in containing a breach? he posits. Like a home alarm system that only tracks when doors or windows are opened, it will be clueless when a window is smashed in. John Pirc, CTO at NSS Labs, an Austin, Texas-based network testing facility and security consultancy, agrees that SIEMs have taken center stage with their ability to improve the signal-to-noise ratio and to provide a consolidated view of which assets require immediate attention due to security incidents, in addition to a view of compliance reporting, log analysis and other areas.
Sidebar: 92% of breaches are perpetrated by outsiders. (2013 Data Breach Investigations Report, Verizon)
SIEM
However, he explains, SIEMs are only as good as the information they contain. In my opinion, it is unlikely that SIEM vendors can identify an APT in the absence of intelligence on specific attacks that the general security community doesn't know about, he says. In short, SIEM is only as smart as the data you feed it. Still, SIEMs can be very powerful tools, according to Patrick Zanella, associate vice president and security, compliance and product practice head with Zensar Technologies, a global information technology services and business process outsourcer headquartered in Pune, India. In his view SIEM platforms have actually improved significantly over the past few years. For example, he notes, some provide a replay function that enables an administrator to recreate a past incident or attack and thereby develop a new policy for times when a similar incident might occur in the future. Alerts and responses have also improved in most SIEM platforms, Zanella says. Early implementations of automated responses caused problems, such as actions being taken when the alert was actually a false positive. Today the kinks in automatic response systems have mostly been worked out. More organizations are getting comfortable that their SIEM will properly correlate an attack with information from other tools, such as a web content filtering product, and respond appropriately, he says. Zanella says organizations typically use SIEM products for two reasons: to spot evidence of security threats or security breaches, and to ensure their organization is complying with regulatory standards. All those logs
of data captured by the SIEM are growing, especially as SIEM platforms begin to capture usage and incidents from mobile devices. For this reason, some vendors are working to connect business intelligence and analytics tools to SIEM data, he explains. Zanella points to a Forrester report, How Proactive Security Organizations Use Advanced Data Practices to Make Decisions, which proposed that the IT industry is currently poised at the intersection of SIEM, data warehousing and business intelligence, the combination of which could potentially provide the ability to discover and better respond to new threats. Joe Magee, director, Cyber Risk Services at consultancy Deloitte, also sees a glass that is more than half empty. While some vendors and users are beginning to experiment with newer technologies, such as using Big Data for security purposes, existing investments in SIEM are, in fact, providing performance improvements, he says. For these purposes, the single biggest strength of SIEM technology remains its ability to perform real-time correlation without extensive coding or development of complex algorithms, he says. In addition, SIEMs have the ability to ingest a wide range of information (both traditional IT data and various forms of referential data) to establish business context and support workflow automation, which in turn can streamline incident handling and reporting, he adds. But that doesn't mean SIEMs make it easy. Despite vendors' efforts to provide more pre-built use case logic and reports, leveraging SIEM for cyber risk use cases still requires significant customization, says Magee. Similarly, large-scale SIEM systems are also, in his view, labor-intensive, particularly as the volume of data they ingest increases. For these reasons, many organizations choose to get outside help, through professional services or managed services, he says.
Pull quote: "A managed [SIEM] solution coupled with internal review and response processes has proven to be a successful formula for us." David Williams, OceanFirst Bank
he adds. Staffing an internally deployed solution is obviously a challenge unless you are using a follow-the-sun model (handing off to regional monitoring depending on where it's daytime), and not all organizations have this kind of coverage ability, says Brown. I've seen at least one complex global corporation where a 24/7 security operations center (SOC) was able to detect and respond to APT events that spanned multiple business units as they were happening, he says. That experience would seem to make the case for a strong, centralized approach when deploying this kind of monitoring, he says. Furthermore, being able to tie in asset and vulnerability data to correlate against attacks offers the promise of a more focused and more intelligent incident response. However, adds Brown, I am not aware of many companies that have reached that level of maturity yet. On the other hand, he adds, the pitfalls of adopting a managed solution include having to trust the third party to effectively monitor and escalate events, coordination with your company in the event of an incident and, in a worst case, dealing with the aftermath if the third party exits the service or goes out of business altogether. This could leave a company scrambling to get something in place, he says. Thus, a lot of companies are actually looking for what Brown calls more of a staff augmentation model, to handle evenings and weekends, rather than a fully managed service, which, he says, is something that not many of the service providers are really supporting. Pirc at NSS Labs says it all depends on the budget and available talent. The cost-benefit of using managed services, he explains, is that one is likely getting the best security experience, advising and lessons learned, because capable service providers tend to have a lot of experience. Managed services can be a good thing for a company, but you need to do the cost-benefit analysis of doing the job yourself or outsourcing it to a managed service provider, he says.
Sidebar: 20% of network intrusions hit information and professional services firms. (2013 Data Breach Investigations Report, Verizon)
However, that approach may not be for everyone. Armand Boudreau, a solutions architect at K logix, a data security company based in Brookline, Mass., that provides consulting and technology integration to enterprise companies, believes SIEM appliances for large enterprises are here to stay. That is primarily because of the storage and processing requirements of organizations looking to incorporate additional contextual data, such as packet captures and vulnerability data. By contrast, he notes, while options like cloud SIEM offerings are available, they are still impractical for large enterprises due to data retention and online accessibility requirements for historical data and [the need for] integration with other in-house systems, he says. In fact, notes Deloitte's Magee, the need to correlate a wide range of both internal and external data for cyber threat detection will probably lead more organizations to prefer a co-sourcing model of managed services in which a third party helps manage SIEM infrastructure that resides on the customer premises. Another approach to making SIEMs more responsive and effective is simply augmenting them with specialized intelligence components that perform identity-aware, stateful attack detection. That approach can help fill some important real-time detection capabilities without bogging down the performance of the central SIEM architecture, says Magee. De-coupling log storage and collection, for example, from the higher-level data analysis functions can increase effectiveness and performance without sacrificing the volume of data being collected for forensic or compliance purposes, he says. These more distributed architectures continue to leverage SIEM for central correlation and workflow management, Magee adds, and are beneficial because they can address the challenges of monitoring more complex environments, while also potentially alleviating some of the performance and capacity issues that SIEM has traditionally suffered. Among vendors offering a more vitamin-enriched approach to SIEM, Pirc cites RSA's acquisition of NetWitness and the use of NetWitness as a tool, combined with a SIEM, which could actually provide you with the missing pieces that could uncover an APT, he says. It's all about the intelligence you feed your SIEM.
Sidebar: 24% of breaches occurred in retail environments and restaurants. (2013 Data Breach Investigations Report, Verizon)
that are fed into SIEMs are noisy, littered with false positives from improper intrusion detection system (IDS) or anti-virus tuning. Ensuring that all of these devices are properly tuned, or at the very least that the ingest is properly filtered, is key to supporting efficient analysis workflows and not overburdening the system, says Friedberg. While many SIEM deployments have focused on making sense of existing event data (where another downstream device has detected an alert based on known malicious activity and sent it to the SIEM), we have seen a recent paradigm shift where analysts are trying to find anomalous, previously unknown activity within log data, Friedberg explains. Typically referred to as hunting operations, these analytics require combing through massive amounts of raw data in an iterative fashion.
According to Friedberg, this raw data includes both typical security logs and data from other parts of the organization historically considered out of scope of routine security monitoring, including HR data, email records, application logs, etc. Analysts leverage their knowledge of the business environment, the network architecture and a sophisticated understanding of the protocols in use by the organization to determine normal versus malicious activity, he says. The workflow then involves iteratively identifying known good traffic and focusing on the leftover. Put another way, it can be characterized as throwing out the hay to find the needles, he says. However, many SIEM offerings have struggled to keep up with the level of flexible data ingest, the customization to support analysts' ad-hoc queries, and the scalability to support these emerging workflows, he adds. That shift, he adds, has led security analysts to turn to customized Big Data solutions, often some variant of Hadoop. In recent interviews with analysts across critical infrastructure, several comments were made that reinforced the level of customization needed and highlighted the fact that it was just as easy to build their own custom solutions instead of completely customizing a vendor offering to meet their unique needs, Friedberg says. Of course, all of this activity relies heavily on the quality of data. Thus, according to Friedberg, as businesses evolve and analysts better understand the value of data, the configuration (both of what data is pulled in and what analytics are run) tends to change frequently. While this is often easier to implement in custom solutions or in-house deployments, it can also be supported by MSSPs, as long as the flexibility is built into the contract structure, he says. While we have observed a shift away from traditional SIEM offerings, vendors are also quickly adapting to address the customization and scalability needs of the market, he says. In particular, recent offerings are leveraging Big Data solutions to make it easier for analysts to create custom workflows and run their own ad-hoc queries. And that observation leads to another: implicitly, if not explicitly, SIEM success requires more than technology. In my mind the biggest challenges with getting value out of a SIEM are the people and process elements, not the technology itself, says Brown. Deploying a SIEM requires a lot of holistic thinking, he says. They do work better when paired with complementary technologies, but there will always be challenges getting everything to work together. He adds that there are plenty of technological hurdles to overcome. Still, connecting
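Friedberg's "throwing out the hay" workflow, as an added example that is not part of the ebook or of any CMU tooling: each pass encodes one category of activity the analyst has confirmed as known good, and whatever survives every pass is the residue to examine next. The log records, address ranges, service list and account names are constructed for the demonstration.

```python
"""Hunting by subtraction: iteratively discard known-good activity from raw
log data and hand the analyst what is left.

Added example; not code from the ebook or from any vendor. The connection
records, the 10.0.0.0/8 "internal" convention, the service list and the
account names are constructed for the demonstration.
"""
from datetime import datetime

# Constructed connection records in a normalized SIEM-style form.
EVENTS = [
    {"ts": "2014-03-03T09:12:00", "user": "alice", "src": "10.0.2.5", "dst": "10.0.1.20", "dport": 5432},
    {"ts": "2014-03-03T09:15:00", "user": "bob", "src": "10.0.2.6", "dst": "updates.example.net", "dport": 443},
    {"ts": "2014-03-03T10:01:00", "user": "alice", "src": "10.0.2.5", "dst": "10.0.1.10", "dport": 443},
    {"ts": "2014-03-03T02:47:00", "user": "svc-backup", "src": "10.0.1.20", "dst": "10.0.1.30", "dport": 22},
    {"ts": "2014-03-03T03:05:00", "user": "alice", "src": "10.0.2.5", "dst": "203.0.113.44", "dport": 443},
    {"ts": "2014-03-03T11:20:00", "user": "bob", "src": "10.0.2.6", "dst": "10.0.1.20", "dport": 5432},
    {"ts": "2014-03-03T11:22:00", "user": "bob", "src": "10.0.2.6", "dst": "198.51.100.9", "dport": 4444},
]

# The analyst's knowledge of the environment, expressed as data (constructed).
INTERNAL_PREFIX = "10.0."
KNOWN_SERVICES = {("10.0.1.20", 5432), ("10.0.1.10", 443), ("10.0.1.30", 22)}
KNOWN_EXTERNAL = {"updates.example.net"}
SERVICE_ACCOUNTS = {"svc-backup"}
BUSINESS_HOURS = range(7, 19)


def is_internal(addr):
    return addr.startswith(INTERNAL_PREFIX)


def hour_of(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S").hour


# Each filter returns True for events the analyst has decided are hay.
# Order reflects how a hunt usually proceeds: the biggest, best-understood
# category of traffic goes first.
def known_internal_service(event):
    return (is_internal(event["src"])
            and (event["dst"], event["dport"]) in KNOWN_SERVICES
            and hour_of(event) in BUSINESS_HOURS)


def known_external_destination(event):
    return event["dst"] in KNOWN_EXTERNAL and event["dport"] == 443


def scheduled_service_account(event):
    return (event["user"] in SERVICE_ACCOUNTS
            and is_internal(event["src"]) and is_internal(event["dst"]))


FILTERS = [known_internal_service, known_external_destination, scheduled_service_account]


def hunt(events, filters=FILTERS):
    """Apply each known-good filter in turn; return (residue, removed_per_filter).

    The residue is not a verdict: it is the analyst's next work queue. Whatever
    in it turns out to be benign becomes a new filter on the next iteration.
    """
    residue = list(events)
    removed = {}
    for f in filters:
        kept = [e for e in residue if not f(e)]
        removed[f.__name__] = len(residue) - len(kept)
        residue = kept
    return residue, removed


if __name__ == "__main__":
    leftover, counts = hunt(EVENTS)
    print("hay removed per pass:", counts)
    for e in leftover:
        print("needle candidate:", e["ts"], e["user"], e["src"], "->", e["dst"], e["dport"])
```

Of the seven constructed records, five are thrown out as hay; the two that remain are an off-hours outbound connection from a user account and a connection to an unfamiliar host on an unusual port, exactly the residue a hunter would look at next.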
Sidebar: 37% of breaches affected financial organizations. (2013 Data Breach Investigations Report, Verizon)
the various components, parsing log data that may have insufficient detail and even getting general systems inventory right can all represent technical roadblocks in a SIEM deployment. Therefore, Brown recommends always starting out with small, targeted deployments that factor in future scalability. I think the big mistakes are not managing expectations and starting too broadly, which will lead to high costs and complex implementations, he says. In fact, many companies jump right into big, centralized deployments and then turn on all the dials at once. These deployments are typically not resourced correctly in terms of people and scalable technology architectures, and these efforts tend to either stall or fail completely. Another mistake, says Brown, is focusing on check-the-box compliance. PCI compliance remains a strong driver for these types of deployments, but simply putting a SIEM in place to be compliant is not going to provide real value, he says. Getting the remediation and incident response processes right takes time, cooperation and agreed-upon processes across the organization, says Brown. You can't just deploy the software and not address the people and process elements. In short, SIEM needs to be an enterprise priority. Getting this right will take funding, resources and cooperation across the organization, he says. Simply getting the tools in place can be a challenge, but systems inventory, defining good metrics and the processes that go into incident response and remediation activities usually represent the real challenge, he adds. Echoing Brown, Vikas Bhatia, CEO & executive risk adviser at Kalki Consulting, a New York-based provider of cyber security consultancy services, agrees that finding the right staff expertise and sufficient resources is the first big challenge that must be met in order to succeed with a SIEM. That's what's needed to increase the maturity of the solution, he says. However, typically, staffing is set arbitrarily when a SIEM is put in place, based on an expected level of alerts. Later, the manager will often be asked to handle and integrate a far higher number of alerts, whether positives or negatives, without more resources. You can use the technology to filter the information, but when it comes to alerts, you really need a person to analyze and contextualize that so you can determine what action to take, and when, says Bhatia. Then, there is what Bhatia calls the political ownership of SIEM within the enterprise. Security operations are normally an enterprise-wide domain, but from a SIEM standpoint there may be siloed systems within departments (HR, for example) that need to be included to track who is and isn't a current employee. Getting access can involve bridging political boundaries and may require that you communicate the value of SIEM to the whole organization, Bhatia notes. Similarly, when organizations merge or make acquisitions, it can bring additional complications to a SIEM implementation. We worked with a global organization that had just acquired a smaller firm, and they discovered that the smaller firm had been breached, Bhatia says. The company then needed to make sure it did not integrate a bad network into its existing operations. Plus, it needed to better monitor the new implementation to discover what was really being attacked. That kind of challenge can be akin to trying to change a tire while the car is moving, he says.
Pirc. Some SIEMs, for example, now have the ability to take in flow data, which they can flag for abnormalities. Although useful, this will still require someone digging into the details, says Pirc. Also, with the massive amount of data that clients are collecting, Pirc sees a growing role for Hadoop as SIEM scales to handle the Big Data problem, with the ability to perform parallel processing at the speeds needed to make data actionable. Brown sees the big new development in SIEM as putting it in the cloud, or even using simple SaaS log management services like Sumo Logic. Splunk, specifically Splunk Cloud, is the name that comes to mind with a full cloud offering, he adds. In my opinion, however, these offerings are relatively new and much more immature than a full SIEM solution deployed locally, he warns. Offering a somewhat different perspective, John Pescatore, director of emerging security trends at the SANS Institute, a Bethesda, Md.-based organization for information security training and certification, predicts there will be two major areas of development for SIEMs: one is reporting-focused SIEM offerings, and the other is SIEM tools that are much more complex and provide more analytics, but also require more skilled people. The latter category, he warns, has been over-hyped as so-called predictive technology, but there really isn't any predictive capacity. All you are doing is speeding up the reaction time, he says. So, rather than getting results six months later, you will get them in real-time, he explains. You find out you have a problem when it happens, not when customers start complaining. In terms of deployment, Pescatore believes delivery as an application will likely remain dominant. However, he notes, Gartner and the SANS Institute also anticipate growth among service providers, such as Dell and Verizon. SIEM is a stone soup affair, notes Peter Schawacker, practice manager, situational awareness (SIEM), at Accuvant, a Denver-based provider of information security services and solutions. The quality of what you get out of SIEM depends on how well your data sources support your use cases, he says. Realistic expectations and persistence matter most when it comes to SIEM. Dave Dudley, security operations center manager for Indianapolis-based Rook Security, says it is worth remembering that SIEM can be an incredible tool for aggregating and correlating events across a network, but it's not an instant-win solution. A lot of analyst time still needs to be spent going through data, creating correlation rules, analyzing incidents and performing work that just can't be automated, or can't safely be automated, he says. The big driver for SIEM remains real-time detection and response to attackers, adds AIG's Brown. As the experience of Target showed, you also need to get the processes behind the tools right, he says. It will be interesting to see how the Target situation turns out. In particular, the consequences of what kind of liability a business might incur for detecting but failing to respond to alerts like this may set some interesting precedents in the courtroom, he says. On the other hand, getting thousands of events with names like malware.binary may not be something an organization is ready to handle, he adds. There's still a lot of room to evolve with these tools, he notes. Correlating SIEM and user identity management certainly comes to mind, says Brown. Anomaly detection and being able to zero in on potentially fraudulent behavior also offer a lot of room for improvement from where we are with today's solutions.
For more information about ebooks from SC Magazine, please contact Illena Armstrong, VP, editorial, at [email protected].
Sponsors
EventTracker offers a dynamic suite of award-winning SIEM and log management products that process billions of discrete log messages to deliver vital and actionable information, enabling organizations to identify and address security risks, improve IT security, and maintain regulatory compliance requirements with simplified audit functionality. For more information, visit www.eventtracker.com
LogRhythm is the largest and fastest growing independent security intelligence company in the world. The company's patented and award-winning Security Intelligence Platform unifies SIEM, log management, file integrity monitoring, network forensics and host forensics, empowering organizations around the globe to detect and respond to breaches and the most sophisticated cyber threats. For more information, visit www.logrhythm.com
Masthead
EDITORIAL
VP, EDITORIAL: Illena Armstrong [email protected]
ASSOCIATE EDITOR: Teri Robinson [email protected]
MANAGING EDITOR: Greg Masters [email protected]
DESIGN AND PRODUCTION
ART DIRECTOR: Michael Strong [email protected]
PRODUCTION MANAGER: Krassi Varbanov [email protected]
SALES
VP, SALES: David Steifman (646) 638-6008 [email protected]
REGION SALES DIRECTOR: Mike Shemesh (646) 638-6016 [email protected]
WEST COAST SALES DIRECTOR: Matthew Allington (415) 346-6460 [email protected]
SALES/EDITORIAL ASSISTANT: Ashley Carman (646) 638-6104 [email protected]
SIEM, Simplified.
Compromised credentials? Systems hacked? Data breached? In today's IT environment, it's a question of when, not if. LogRhythm's Security Intelligence Platform unifies SIEM, log management, file integrity monitoring, network forensics & host forensics to help you detect and respond to breaches and the most sophisticated cyber threats faster and with greater accuracy than ever.