SIEM: Out of the shadows and into the light
Everyone is talking about security information and event management (SIEM), which gives organisations a unique vision of the threats they encounter. By David Waller.
Being a property owner can be a massive headache. You end up spending thousands to protect what's yours – securing doors, windows, and every other feasible point of entry. Yet all a criminal needs is one shot – a misplaced key, say – and he is in. That's why people turn to CCTV. The all-seeing mechanical eye won't stop the intruder, but at least it shows what he looks like, how he got in – and exactly what he's doing to that antique rug.
These days, threats to network security are no different and it is increasingly common to find endpoint security, such as firewalls, being beaten. Three cheers then for security information and event management (SIEM), sold as a kind of CCTV for your system. It is a technology that pulls together logs of information and events from across the network to provide users with a real-time analysis of all the dangers.
It is certainly easy to see why it should attract attention right now. In a world of WikiLeaks and Stuxnet, a platform that is built to battle both internal and external threats is not a hard sell.
Yet that's not all. SIEM also enables companies to collect, store and analyse a colossal amount of log data, helping to ensure compliance with the spread of increasingly stringent and far-reaching regulations.
SIEM is very much of the moment. According to Gartner it is the fastest-rising sub-section of the security sector, growing at a rate of 21 per cent a year. And when HP stumped up $1.5 billion for ArcSight in October 2010, SIEM had its first big-money buy-out.
Yet as even its vendors will tell you, SIEM is merely a small part of a bigger security puzzle.
The meaning of SIEM
The term SIEM was coined by two Gartner employees in 2005, and describes the point where IT meets surveillance: security products have traditionally focused on perimeter defence; but relying on firewalls, IDSs and virus detection won't cut it these days.
“Penetration is a given,” says Jay Huff, EMEA marketing director at ArcSight. “The problem with those endpoint solutions is that once someone's through, that solution is finished. And once that threat is inside, companies need to know what it's up to.”
SIEM takes all the information gathered from events across the network – from system logs to who is swiping themselves into the building – and tailors it to inform the business about exactly what is happening and when.
Gartner lists 20 key players in the SIEM space, which suggests a market with a healthy dynamism and offering a raft of commercial products. Those companies include ArcSight, BlueSOC, Cisco Security MARS, LogLogic, Logica, NitroSecurity and RSA enVision.
These platforms are tasked not just with keeping those nasty elements on the far side of your firewall. When the technology first emerged for gathering the huge stores of data that networks were spitting out, security was simply the first logical use, but that data can also be mined for other things.
An intelligent view
Recently, the focus of SIEM has moved away from the S and toward the I and the E – the information and events. It can help provide operational intelligence and proactive hardware management, as well as monitoring of mobile users, laptops and access to applications.
“I liken all this to digital detective work,” says Bill Roth, chief marketing officer at LogLogic. “Every action leaves footprints in the sand. Our job is to say who left them and when, and where that trail is leading.”
Pre-Stuxnet, major utilities operations may have only used such data to improve their processes. Now they can see how vulnerable they are to security breaches too. But security is only half the picture. The biggest driver for SIEM is in fact the increasingly treacherous minefield that is regulatory compliance. According to Gartner, more than 80 per cent of SIEM take-up in the US comes from the need for organisations to show they are on top of regulation.
This trend is also starting to apply to Europe. Retailers handling credit cards need to comply with the Payment Card Industry Data Security Standard, proving their responsible handling of customer credit card data. Rule ten says you have to log all access to cardholders' data and store it for regular review. “We like that rule,” says Roth.
Retailers can align SIEM to their policy, creating, say, alerts when any credit card data is accessed on the system outside of business hours.
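The out-of-hours alert described above, sketched as a standalone rule (an added example, not taken from the article or from any vendor's product). The log format, the resource names and the 08:00-18:00 weekday window are assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime, time

# Assumed policy values (not from the article): business hours and the
# resource names that hold cardholder data.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
CARDHOLDER_RESOURCES = {"db.cards", "db.payments"}

# Constructed log format: "<ISO timestamp> user=<name> action=<verb> resource=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) resource=(?P<resource>\S+)$"
)

# Constructed sample events, not real log data.
SAMPLE_LOG = """\
2011-03-01T09:15:02 user=alice action=read resource=db.cards
2011-03-01T13:40:11 user=bob action=read resource=db.inventory
2011-03-01T23:47:30 user=svc_batch action=read resource=db.cards
2011-03-02T02:05:09 user=carol action=export resource=db.payments
2011-03-05T11:00:00 user=alice action=read resource=db.cards
this line is malformed and must not crash the rule
"""

def outside_business_hours(ts: datetime) -> bool:
    """True on weekends or outside the weekday business window."""
    if ts.weekday() >= 5:  # Saturday=5, Sunday=6
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)

def find_alerts(log_text: str):
    """Return (alerts, unparsed_lines) for the out-of-hours cardholder-data rule."""
    alerts, unparsed = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed.append(line)  # keep for review; silent drops hide gaps
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            unparsed.append(line)
            continue
        if m["resource"] in CARDHOLDER_RESOURCES and outside_business_hours(ts):
            alerts.append((m["ts"], m["user"], m["action"], m["resource"]))
    return alerts, unparsed

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG)[0]:
        print("ALERT out-of-hours cardholder data access:", alert)
```

Lines the rule cannot parse are returned separately rather than dropped, so a change in a log source's format shows up as a coverage gap instead of a quiet absence of alerts.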
Its use spreads far further than retail: to telco companies, financial organisations sensitive to the regulations coming out of Basel, and those organisations working with the Government, which have to comply with GPG13 and CESG Memo 22, covering connections to the secure government intranet.
There are similarly tight standards for dealing with patient details in the UK and the US healthcare systems, and the more general ISO 27002 information security standard.
Beware the cons
While the downside to not complying with regulations is abundantly clear – “There are now huge fines or even imprisonment as a punishment for the misuse of data,” explains Roth – that's not to say the proposed solution comes without its criticisms.
SIEM products have been written off by some as expensive, hard to implement and lacking sufficient standardisation. Setup requires a fair amount of planning, installation, systems integration and training. What's more, running it requires constant monitoring.
Some critics also highlight the danger of being overwhelmed by data. Customers plump for the well-marketed ‘next big thing', splash out on a SIEM package, and watch in awe as the records of billions of events come flashing across their screen. Then they realise that they do not have the first clue what to do with it all.
Vendors acknowledge that this is a risk, yet argue that it is simply a case of knowing where your priorities lie. Receiving all this data for the first time can be daunting – for many it will be an eye-opener as to how much information they didn't previously have access to – yet rare is the company that isn't grateful for the visibility.
Too much information?
Big customers such as banks could be getting 20,000-30,000 logs a second through a single firewall. Imagine the numbers at eBay or Amazon. It is a huge data challenge. “There's no point in spitting out pages and pages of the stuff,” says Gary Nation, head of SIEM at RSA. “Even a big IT team can't handle too much. Think of it like a funnel. There's all this stuff on top, and you want the stuff coming out from the bottom to be actionable, relevant information.”
It is a matter of thinking about the critical business assets so that the customer can tell the provider which data to collect. A bank may look to prioritise customer-facing applications; a retailer looking to comply with PCI will need to focus on events relating to credit card transactions. Instead of being daunting, the data soon becomes a useful capability. SOC operatives, meanwhile, become far more efficient.
Vendors can provide out-of-the-box solutions, training on the technology, advice on best practice and consultation on compliance. The hard part is knowing your policies and matching it all up. Hence they are moving towards easy-to-use interfaces that integrate SIEM with other solutions, such as log management, database management and application layer tools, and developing real-time monitoring so that a company can stay on top of compliance year-round.
This scenario, says Mehlam Shakir, CTO at NitroSecurity, is the alternative to “running around like headless chickens for a month preparing for the audit, then forgetting about it for another year”.
HP's big-money punt on ArcSight shows just how seriously the industry is taking SIEM. But even ArcSight's Huff is quick to caution against any shouts of ‘the next big thing', pointing out that this is not the solution to end all others; he sees it more as an “additive technology”.
It won't stop malicious attacks – you will still need endpoint solutions for that; rather, SIEM is about collecting as much information as possible and making sense of it in order to better arm users in the fight against threats.
The other key bonus of SIEM, Huff says, is that it frames the security issue in a way the average business leader can understand. Suddenly able to see the malicious threats to the network, they are more likely to do something about them. As such, it could be a real boon to security intelligence.
“Endpoint tools don't work when it comes to boardroom discussions,” says Huff. “They don't give you any visibility. SIEM lets people look at their organisation's security from a technical perspective and create a dialogue: ‘Here are the bad things going on across your network, and here's how to shore up your defences.'”
So what can we expect from the SIEM space in the future? For one, consolidation – the current glut of smaller vendors may soon go the way of ArcSight, as more of the big boys plant their flag in the security patch.
Second, there will need to be a move toward standardisation. “In five years' time, you will see a common profile for security technology,” explains Roth. “It could well be a case of saying ‘do these 12 things and you shouldn't end up being sued'.”
Yet SIEM remains just one part – albeit a key part – of an organisation's wider security infrastructure. As the industry moves toward the adoption of security intelligence platforms, it will have to fight for its place alongside other solutions that help provide defence in depth – think data filtering, IDS and encryption.
Regulation is hardly going to disappear overnight, and the future for organisations is certain to involve ever-more malicious attacks in the Stuxnet mould, as well as an increasing threat from within. So it seems that CCTV could well come in handy.
SIEM as a service
Given the obvious benefits of SIEM to businesses of all sizes – right down to the smallest retailer handling credit card payments – there are clear advantages to making its provision as cheap and uncomplicated as possible. Vendors are taking this fact very seriously, putting an outsourced solution at the centre of their plans: working with managed security service providers (MSSPs) and taking steps to move to the cloud. The latter presents hurdles, with some saying the migration will make the current model of SIEM provision redundant – yet vendors are bullish about the prospects.
SIEM vendors already have a history of working with MSSPs – third parties that take the raw SIEM technology and spin it into tailored packages. Rather than having to bring solutions in-house, end-users can instead subscribe to specific remote services – to aid compliance, for example. This may be PCI-as-a-service, or a package to cater specifically for ISO 27002. It is not a huge leap to imagine the likes of Integralis developing a compliance package for GPG13, which applies to all organisations working with the Government.
Dell's purchase of MSSP SecureWorks earlier this year can be taken as vindication of the outsourcing model, and shows where the industry is heading. LogLogic has been offering its SIEM technology via third-party organisations such as Verizon for several years, and says the take-up of outsourced solutions is accelerating. NitroSecurity also reports an uptake in managed service activity, and says the provision of enabling technology for MSSPs to provide to customers is central to its strategy. Again, it has found this to be particularly popular in PCI compliance.
However, one cannot examine developments in SIEM without hearing mention of the cloud. That migration has happened in log management, and there are movements among SIEM vendors to provide managed SIEM services in the cloud, too. This provides real benefits for smaller organisations, easing the cost and burden of implementation even further. The cloud removes the need to deploy their own solutions, hardware and software; instead they simply subscribe to whatever services they need for a few pounds a month – and can drop and amend as required.
Yet a huge amount of uncertainty still exists around the cloud, and there are issues to overcome in SIEM as in any other technology. The question facing SIEM vendors in the future will be whether they can re-engineer their current solutions, designed to be the be-all and end-all security solution for the customer, to suit a model where security and incident response increasingly pass to IaaS providers, with control increasingly distributed and shared. Here the end-user business becomes the consumer of information and an audit point – a huge shift from the in-house model.
Overall, though, the cost and labour benefits of SIEM as a service remain strong. End-users are demanding security as a utility – they simply want to plug it in and run it.
Case study: ArcSight
“For most companies, it's not a matter of if you adopt SIEM, but when,” says Eric Mazurak, a network/security engineer at US law firm Reed Smith, which uses ArcSight's SIEM products ESM and Logger. He explains: “Security purposes drove the purchase; it enabled us to detect events happening across multiple systems that individual tools might dismiss, but when aggregated and contextualised become more apparent.
“Regulatory drivers didn't force our hand, but we recognise that regulatory compliance will continue to weave its way into companies more than it ever has. It's nice to know we can leverage the technology in future to that end, too. Most companies have implemented security in a piecemeal way to deal with specific needs or prevailing threats: everything from client anti-virus and firewalls to technologies such as NAC, dynamic port policy and .1x authentication for the client.
“Each of these technologies uses dozens of consoles to manage, alert and report, and it's likely they're all being operated by different teams. All companies suffer from this disease to some extent, and it hinders their ability to effectively manage a potential exposure cohesively, let alone rapidly.
“ESM and Logger give us granular-level control, scale without sacrificing performance or security, and are a good fit for Reed Smith's technical abilities. Crucially, it continues to bring the owners of these varied security solutions together, looking at the same data in the same console. Graphs that immediately populate with data and baked-in rule sets may look pretty and provide some unexpected surface-level information, but that's all the value you'll get unless you sweat a bit. ArcSight provides a broader awareness of what is happening across the enterprise. You benefit from planning what logs you're sending, what data you care about, etc. There follows a burn-in period where you just let it gather everything, and then you formalise your rules and alerts based on the logs you're getting.
“We plan to include more customised integration into our helpdesk and incident tracking software, our NAC, and into more granular database auditing of our more sensitive systems. At the end of the day, the deployment of any SIEM has to be a concerted effort – the more work you put into it, the more the output is relevant to your company.”