Resolve to Revitalize Your SIEM

Do you need to spruce up your security information and event management?
Learn about the latest advances and how best to use existing technology.

EDITOR'S NOTE

Sprucing up your SIEM for the New Year

Some things never change, like the fact that your network's security is constantly threatened by increasingly sophisticated bad guys. Security information and event management (SIEM) tools have long provided a means to get a holistic view of network security. SIEM products are intended to gather data from all over and centralize it to allow you to identify and respond more quickly to threats. In the past, they have worked with varying degrees of effectiveness, but now these old tools have some mean new capabilities you need to know about.

That's where this technical guide opens, with Karen Scarfone's concise but thorough examination of the capabilities some new SIEM products are offering. Michael Cobb then expands on this discussion, with special attention to how best to use the data (even data in the cloud) that a SIEM collects. Already have a SIEM in action? Then the closing chapter, with Anton Chuvakin's guidance on how to make an old SIEM work better, is for you.

So whether you're considering a SIEM purchase, an upgrade or are facing another year using outdated technology, reading this guide will help you spruce up your security and make your SIEM one that sings.

Brenda L. Horrigan, Ph.D.
Associate Managing Editor
Security Media Group


NEW ADVANCES IN SIEM

New Advances in SIEM

SIEM technologies have been at the heart of many organizations' security operations for over a decade. Whether they're being used mostly for centralized logging and compliance or for incident detection and response efforts, security information and event management tools, or SIEMs, provide a single interface to information from many security systems. Over the years, SIEM technologies have changed, and it's important that your own SIEM strategies evolve to incorporate these advances.

Here are a few recent advances you should be aware of when looking at new SIEM products or re-evaluating your existing SIEM's quality.

Big Data Adoption: One of the biggest trends in SIEM during the past few years has been the switch from relational databases to big data models. If your organization is using SIEM strictly as centralized logging, a switch to big data may be ill-advised because of its potentially lossy nature. (Big data doesn't use traditional relational databases, so it cannot be relied upon to comprehensively retrieve every bit of data originally stored in it.) But if your organization is using SIEM for incident detection and response, a switch to big data may improve your incident detection rates by being able to collect much more data and crunch it to find the patterns of attacks within it.

Threat Intelligence Feeds: SIEM products increasingly support the ingestion of threat intelligence feeds. These feeds contain information about threat indicators, such as the IP addresses, hostnames and URLs attackers use. Each feed typically includes a score for each threat indicator, rating relative confidence in its malicious nature, as well as additional metadata that provides context for the threat intelligence. When a threat intelligence feed is used in conjunction with SIEM data, it provides a wealth of intelligence and allows for the expedited identification of incidents and more confident responses. Make sure that your SIEM supports threat intelligence feeds.

Cloud-Based Integration: Logging in multi-tenant clouds has long been a challenge for SIEM systems. Fortunately, there are now many cloud-based SIEM services and products that can collect audit logs and route those logs to an organization's regular (non-cloud) SIEM servers. Some of these cloud-based SIEM products are offered by the same vendors that offer regular SIEM products; integration may be trivial for these cases. In other cases, extensive planning and testing may be needed to determine if the data from the cloud can be collected, processed and transported to the enterprise SIEM system in a timely enough manner to support incident response.

Distributed Analysis: Although SIEMs have traditionally been thought of as centralized log processing, enterprises can now ensure increased scalability by having individual data collection points do some of their own data analysis and processing. If your SIEM is currently struggling to keep up with its workload, you may benefit from switching to a distributed architecture.

In conclusion, consider your own organization's needs for SIEM in the context of these four recent advances. Odds are that if your organization is solely interested in SIEM for centralized logging, these advances aren't so important, but be aware that your SIEM can do so much more than just log management. It can be an invaluable tool both for discovering incidents more quickly and for correlating data across systems and events with threat intelligence.

Karen Scarfone
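To make the threat intelligence feed matching described in this chapter concrete, here is an added example (not code from the guide or from any SIEM vendor) that enriches normalized SIEM events with a feed of scored indicators. The feed layout, the event field names, the confidence threshold and every indicator value are assumptions constructed for the example; the parent-domain matching is a simple heuristic, not a public-suffix-aware lookup.

```python
"""Match normalized SIEM events against a scored threat intelligence feed.

Added example, not code from the guide. The feed format, event fields and
threshold are assumptions; indicator values are constructed, not real IoCs.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed feed: indicator, a confidence score (0-100) and context metadata.
THREAT_FEED = [
    {"type": "ip", "value": "203.0.113.7", "score": 90,
     "context": {"campaign": "example-campaign-A", "first_seen": "2015-01-03"}},
    {"type": "domain", "value": "evil.example", "score": 75,
     "context": {"campaign": "example-campaign-B", "first_seen": "2015-01-10"}},
    {"type": "url", "value": "http://dl.example.net/update.bin", "score": 60,
     "context": {"note": "staging URL seen in phishing lures"}},
    {"type": "ip", "value": "198.51.100.9", "score": 20,
     "context": {"note": "shared hosting; low confidence"}},
]

# Constructed SIEM events, already normalized to one schema.
EVENTS = [
    {"id": 1, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "host": None, "url": None},
    {"id": 2, "src_ip": "10.0.0.8", "dst_ip": "93.184.216.34", "host": "www.evil.example", "url": None},
    {"id": 3, "src_ip": "10.0.0.9", "dst_ip": "198.51.100.9", "host": None,
     "url": "http://dl.example.net/update.bin"},
    {"id": 4, "src_ip": "10.0.0.2", "dst_ip": "192.0.2.10", "host": "intranet.local", "url": None},
]

@dataclass(frozen=True)
class Match:
    event_id: int
    field: str        # which event field matched
    indicator: str
    score: int
    context: dict

def build_index(feed):
    """Index the feed by indicator type so each event field is one dict lookup."""
    index = {"ip": {}, "domain": {}, "url": {}}
    for entry in feed:
        index[entry["type"]][entry["value"].lower()] = entry
    return index

def domain_candidates(host):
    """Yield the host and its parent domains (www.evil.example -> evil.example),
    stopping before the bare TLD. Heuristic only; no public-suffix list."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):
        yield ".".join(parts[i:])

def match_event(event, index):
    """Return every indicator hit for one event across IP, host and URL fields."""
    hits = []
    for field in ("src_ip", "dst_ip"):
        entry = index["ip"].get((event.get(field) or "").lower())
        if entry:
            hits.append(Match(event["id"], field, entry["value"], entry["score"], entry["context"]))
    hosts = [("host", event["host"])] if event.get("host") else []
    if event.get("url"):
        entry = index["url"].get(event["url"].lower())
        if entry:
            hits.append(Match(event["id"], "url", entry["value"], entry["score"], entry["context"]))
        url_host = urlsplit(event["url"]).hostname
        if url_host:
            hosts.append(("url", url_host))   # the URL's host may itself be a domain indicator
    for field, host in hosts:
        for cand in domain_candidates(host):
            entry = index["domain"].get(cand)
            if entry:
                hits.append(Match(event["id"], field, entry["value"], entry["score"], entry["context"]))
                break
    return hits

def enrich(events, feed, min_score=50):
    """Attach feed hits to each event. Only hits at or above min_score raise an
    alert; lower-scored hits stay attached as context for the analyst."""
    index = build_index(feed)
    results = []
    for event in events:
        hits = match_event(event, index)
        results.append({
            "event_id": event["id"],
            "hits": hits,
            "alert": any(h.score >= min_score for h in hits),
            "max_score": max((h.score for h in hits), default=0),
        })
    return results

if __name__ == "__main__":
    for r in enrich(EVENTS, THREAT_FEED):
        print(r["event_id"], "ALERT" if r["alert"] else "ok", r["max_score"],
              [h.indicator for h in r["hits"]])
```

Hits below the threshold are kept on the event rather than discarded, so an analyst still sees the low-confidence context the chapter mentions while only confident matches raise an alert. A production feed also carries validity dates, so the index would age out expired indicators before matching.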


RETHINK HOW YOU USE YOUR SIEM PRODUCT

Rethink Your SIEM

Enterprises need dynamic, intelligence-driven defenses to effectively identify malicious behaviors not seen before, anomalies that can enable dangerous zero-day attacks of the type that wreak havoc on a daily basis. A key component of enterprise defenses is a SIEM product. SIEM provides a central repository for collecting and monitoring network activity. Unfortunately, painful implementations and overselling by vendors have left SIEM with a sullied reputation. Meanwhile, many SIEMs have been deployed solely to meet compliance-reporting requirements, with few organizations actually making full use of the technology's event-correlation capabilities.

A second generation of SIEM products, however, may change that. Advanced security analytics and increased scope and scale of data collection mean a greater number of diverse events can be put into context to find unusual activities in real time.

DATA, DATA EVERYWHERE

Enterprises create colossal amounts of data: email, documents, social media interactions, audio, network traffic, clickstreams, and logs of files being accessed, registry changes made, and processes started and stopped. System information, such as processor and memory utilization, can also be useful for spotting unexpected changes in the status of a system. The sheer volume of data handled makes scalability, powerful analytical tools and support for heterogeneous event sources the most important capabilities when assessing next-generation SIEM products, particularly when it comes to time-sensitive processes such as fraud detection. Tools for visualizing and exploring this data are another key feature, along with actionable intelligence based on business context, so threats posing the greatest risk can be easily found and prioritized.

To make full use of all this data and increase detection rates by uncovering clues hidden deep in an organization's data, a SIEM needs to make use of adaptive intelligence; in other words, it must learn what's normal in order to recognize what's abnormal, because abnormal events are a strong indicator of an advanced threat or breach. SIEM also has to be able to identify an attack pattern, even if it is spread out over a period of time.

Setting up SIEM rules is an iterative process, but products that allow the simultaneous use of rule-based and rule-less correlation can reduce initial configuration times, automate parts of the login and authentication monitoring process, and reduce the number of false positives. While self-learning algorithms are still in their infancy, real-time identity correlation using fuzzy logic, behavior analysis, clustering algorithms and policy rules is close to providing true signature-less detection to prevent unauthorized access and pick out abnormal activity at the user, account and resource levels.

Incorporating external threat intelligence feeds from the global security community can further clarify what's normal or acceptable by not limiting analysis to just the data one organization creates. Look for feeds that are flexible, easy to deploy and that existing security monitoring products can use effectively. Real-time analysis of both structured and unstructured data is essential.

DON'T FORGET THE DATA UP THERE

Enterprises with data in the cloud should look for service providers that make SIEM data available for collection by an on-premises SIEM. This enables a unified view of both cloud and on-premises environments as long as the SIEM can handle the provider's data, which may be in different formats. In platform as a service (PaaS) environments there is the option of installing monitoring agents to push traffic and logs to an in-house server for processing, while some SIEM tools can make use of specific software as a service (SaaS) application programming interfaces to collect logs from public cloud services so events across multiple platforms can be correlated to produce dashboard views and audit reports that combine both internal and cloud-based applications. Network bandwidth, latency and data-transfer costs can, however, impede timely interruption of malicious activity.

WHAT TO DO WITH THE DATA?

Dashboard views of the information collected and analyzed are an important feature of any SIEM, as are actionable reports that include effective countermeasures so administrators can see where attention is needed most. Do not overlook the importance of being able to export information in different ways; different stakeholders will want information about security risks pertinent to their interests and presented at a level they can understand so as to fully appreciate the relevance.

Accelerated decision making is not solely about feeding a SIEM more and more information and tuning it to be able to spot incidents faster; security teams must be able to react and respond faster, too. Incident response teams need to be familiar with the types of warnings and alerts a SIEM produces and have well-tested procedures in place that they can follow. This not only ensures the right people know the right actions to take, but also that those efforts are coordinated.

THE BOTTOM LINE? BUDGETS

Of course, security teams need to have the resources required to handle and respond to the additional alerts and warnings a well-tuned SIEM will generate. Taking the time to fully inventory and classify data assets will enable a SIEM to better prioritize threats. An asset discovery and profiling tool, sometimes included in a SIEM, will cut the time spent categorizing network assets and will also pick up configuration drift and hardware and software changes. Good security is a continuous process, and a well-resourced and configured SIEM can provide constant awareness of the state of security, vulnerabilities and threats, and thus support the teams that manage and protect information systems running core mission and business functions. If the teams have ample resources and well-tested procedures to follow, overall enterprise information security will improve. That's a worthwhile objective any day.

Michael Cobb
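As an added illustration of the adaptive intelligence and cloud-data points in this chapter (example code, not from the guide or its authors): the block normalizes two constructed log formats, an on-premises syslog-style authentication line and a cloud provider's JSON audit record, into one schema, learns a per-user baseline from a training window, pairs a rule-less check (deviation from that baseline) with a rule-based policy check, and looks for an attack pattern spread over hours that no single-burst threshold would catch. The formats, field names, thresholds and every log line are assumptions.

```python
"""Learn what is normal per user, then flag what is abnormal.
Added example, not code from the guide. Log formats, field names,
thresholds and every log line below are constructed assumptions."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# On-premises syslog-style auth line; the cloud source is a JSON audit record.
ONPREM_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) "
                       r"password for (?P<user>\S+) from (?P<src>\S+)$")

def normalize(raw):
    """Map either format onto one schema: ts, user, src, result."""
    if raw.startswith("{"):
        rec = json.loads(raw)
        return {"ts": datetime.fromisoformat(rec["eventTime"]), "user": rec["actor"],
                "src": rec["sourceIp"], "result": "ok" if rec["outcome"] == "SUCCESS" else "fail"}
    m = ONPREM_RE.match(raw)
    if not m:
        raise ValueError("unparsed line: " + raw)   # surface format drift, never silently drop
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"], "src": m["src"],
            "result": "ok" if m["result"] == "Accepted" else "fail"}

BASELINE_LOGS = [  # training window: what "normal" looked like (constructed)
    "2015-01-05T08:55:00 srv1 sshd: Accepted password for alice from 10.1.2.40",
    "2015-01-05T09:40:00 srv1 sshd: Accepted password for alice from 10.1.2.41",
    "2015-01-06T14:10:00 srv2 sshd: Accepted password for alice from 10.1.2.40",
    "2015-01-05T09:05:00 srv1 sshd: Accepted password for bob from 10.1.3.7",
    "2015-01-06T11:20:00 srv1 sshd: Accepted password for bob from 10.1.3.7",
    '{"eventTime": "2015-01-06T10:00:00", "actor": "admin", "sourceIp": "10.1.3.7", "outcome": "SUCCESS"}',
]
NEW_LOGS = [  # the window under review (constructed)
    "2015-01-12T09:30:00 srv1 sshd: Accepted password for alice from 10.1.2.44",
    "2015-01-12T03:10:00 srv2 sshd: Accepted password for alice from 198.51.100.20",
    "2015-01-12T11:05:00 srv1 sshd: Accepted password for bob from 10.1.3.7",
    '{"eventTime": "2015-01-12T23:30:00", "actor": "admin", "sourceIp": "10.1.3.7", "outcome": "SUCCESS"}',
    "2015-01-12T01:00:00 srv1 sshd: Failed password for carol from 203.0.113.50",
    "2015-01-12T05:00:00 srv1 sshd: Failed password for dave from 203.0.113.50",
    "2015-01-12T09:00:00 srv2 sshd: Failed password for alice from 203.0.113.50",
    "2015-01-12T13:00:00 srv2 sshd: Failed password for bob from 203.0.113.50",
    "2015-01-12T17:00:00 srv1 sshd: Failed password for erin from 203.0.113.50",
    "2015-01-12T17:01:00 srv1 sshd: Failed password for alice from 10.1.2.44",
]
PRIVILEGED = {"admin"}  # accounts covered by the rule-based off-hours policy

def prefix(ip):
    """/24 prefix: a coarse stand-in for where a user usually connects from."""
    return ".".join(ip.split(".")[:3])

def learn_baseline(events):
    """Per user, the hours of day and /24 prefixes seen in successful logins."""
    base = defaultdict(lambda: {"hours": set(), "prefixes": set()})
    for e in events:
        if e["result"] == "ok":
            base[e["user"]]["hours"].add(e["ts"].hour)
            base[e["user"]]["prefixes"].add(prefix(e["src"]))
    return base

def score_logins(events, base):
    """Rule-less check (deviation from the learned baseline) alongside a
    rule-based check (privileged accounts do not log in 22:00-06:00)."""
    findings = []
    for e in events:
        if e["result"] != "ok":
            continue
        reasons, b = [], base.get(e["user"])
        if b is None:
            reasons.append("no baseline for user")
        else:
            if e["ts"].hour not in b["hours"]:
                reasons.append("unusual hour")
            if prefix(e["src"]) not in b["prefixes"]:
                reasons.append("unusual source")
        if e["user"] in PRIVILEGED and (e["ts"].hour >= 22 or e["ts"].hour < 6):
            reasons.append("policy: privileged login off-hours")
        if reasons:
            findings.append((e["user"], e["ts"].isoformat(), reasons))
    return findings

def slow_failures(events, min_fails=5, min_span=timedelta(hours=6)):
    """A pattern spread over time: failures from one source that stay below
    any per-hour burst threshold but persist for hours across many accounts."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_src[e["src"]].append(e)
    hits = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        span = fails[-1]["ts"] - fails[0]["ts"]
        if len(fails) >= min_fails and span >= min_span:
            hits.append((src, len(fails), len({e["user"] for e in fails}), span))
    return hits

def run():
    """Returns (baseline anomalies, slow failure patterns) for the review window."""
    base = learn_baseline([normalize(l) for l in BASELINE_LOGS])
    new = [normalize(l) for l in NEW_LOGS]
    return score_logins(new, base), slow_failures(new)
```

Calling run() on the constructed data flags two logins (alice from an unseen network at an unseen hour, and the privileged account off-hours, which trips both the baseline and the policy rule) and one source that failed five logins against five accounts over sixteen hours, a pattern a simple "N failures per minute" rule never sees. The single failure from alice's usual workstation stays quiet, which is the false-positive reduction the chapter attributes to combining the two correlation styles.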


TIME FOR A SIEM REBOOT

Time to Reboot Your SIEM? Probably

Is your security information and event management stuck in the past? Is it mature? Some organizations procure and deploy a SIEM tool only to wonder whether, with all that unmonitored log data, it is collecting dust instead of improving their security posture.

Organizations use SIEM for collecting, normalizing and correlating security events based on log data from an array of systems and devices. Today, many SIEM tools also support threat intelligence feeds and other data from external sources. The best path for a SIEM deployment is from one successful security incident response to another, with constant refinement of the technology's configuration and processes. There is nothing more motivating than value realized with a sequence of quick wins and security problems solved.

A number of SIEM deployments, however, are stuck in nonproductive stages. Ask yourself: Is your SIEM evolving? Is it solving just one problem or addressing multiple security monitoring and analysis issues?

If your SIEM architecture is still solving the original security problem (monitoring user access to servers or reducing IDS/IPS false positives), there is absolutely nothing wrong with your implementation. As long as you are not paying hundreds of thousands of dollars every year for legacy network intrusion detection systems' false positive reduction, then a static SIEM deployment or one that is in maintenance mode is not inherently worse than a dynamic deployment.

SIEM evolution offers advantages for many enterprises that should not be overlooked, given the cost of these tools. It helps retain security personnel, unlock budgets, refine processes, improve collaboration and integration and ultimately creates a self-fulfilling prophecy of a successful security monitoring program.

What are some of the common mistakes that organizations make with SIEM? And how can you go from deployment to steady-state operation to successful SIEM expansion?

MIRED IN DATA COLLECTION

One reason your SIEM deployment may be failing to evolve is that it is stuck in the collection phase. This deployment scenario often happens when IT security teams plan a SIEM project in a horizontal manner (all collection first, all analysis later) rather than on a use-case by use-case basis. The end result of that is a good log collection system at ten times the price.

The way to resolve this issue is to use output-driven SIEM. An output-driven approach simply means deploying a SIEM tool in such a way that no data comes into the system until there is clear knowledge of how that information will be used and presented. Here, only existing/planned reports, visuals, alerts, dashboards, profiling algorithms, context fusion and so on can make a SIEM team open the floodgates and admit a particular log or context type into the tool.

With this model of SIEM, the "what if we need it someday?" argument does not work. Log entries can be collected by a log management tool (commercial or open source) with a much lower per-log cost. The use-case-driven collection facilitates just the right amount of analysis because the SIEM tool stays at its optimum performance level without incurring excessive hardware costs.

FOCUSED ON COMPLIANCE CHECKLISTS

Another reason a SIEM deployment may remain stuck is compliance. This happens when organizations buy a SIEM tool to check the box and never start using it for anything beyond scaring away the auditors. The result is one really expensive checkbox.

Today's SIEM products come with reports, dashboards and correlation rules that are created to address common scenarios for security as well as address regulatory compliance such as PCI DSS, Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley Act (SOX).

Some vendors claim that such off-the-shelf SIEM content is useful out of the box with no customization. But customer experience has shown that most off-the-shelf SIEM content is useful only when it is applied to specific systems (and thus customized by adding filters) or when it is tweaked to better match the environment.

The way to evolve out of this logjam is to explore the use cases at the edges of your compliance usage, from monitoring users that touch card data to observing all users that interact with sensitive data. Threat management and breach detection have also emerged as the primary drivers of SIEM in the past few years, but compliance is still holding strong. Today, most customers at least ask about using their SIEM tools for detecting breaches, even if compliance is top of mind. The functionality required to satisfy the two use cases overlaps, and many customers look for SIEM product capabilities that satisfy both. Finally, even compliance requires that your SIEM be used and not just connected to the network.

ONE PROBLEM SOLVED, N TO GO

Sometimes an organization builds a SIEM deployment, solves the initial problem and then something breaks. Maybe staff turns over, the security team gets downsized or the consulting budget runs out. And then the deployment focus shifts to maintaining the status quo.

Many SIEM deployments have failed to adapt to business changes as well as developments in surrounding IT environments. A SIEM project that is deployed to solve a particular problem with no specific plans to expand sometimes gets left behind when business changes make the problem irrelevant.

To resolve this issue, security architects should plan to deploy SIEM tactically, achieving quick wins as part of a phased approach. A phased approach by use case, further divided by log source types, geography and functions (such as report before alert or review before correlation) can be used to slice this large effort into manageable chunks. The opposite of using any phased approach (collect all at once or implement all use cases at once) almost never results in success and often leads to a large-scale waste of resources.

CAUGHT UP IN INCIDENT INVESTIGATIONS

Finally, some organizations fail to get the most out of their SIEM deployments because the tool is tied up in incident investigations. This model of SIEM is nowhere near as harmful as the previous ones. It happens when a SIEM is primarily used to investigate, rather than detect, incidents because the organization never matures to the security monitoring stage.

A common result of such deployments is that the SIEM product gets replaced with a commercial or an open source log search tool, such as an emerging ELK stack (a combination of Elasticsearch, Logstash and Kibana).

To resolve this issue, take a long hard look at your SIEM. Do you only plan to use it for incident investigations and not for security monitoring? Or, similarly, do you plan to evolve to monitoring but have not done so in the past 5 years? If the answer is yes in either of these scenarios, consider scrapping your SIEM and replacing it with a log analysis tool. The money that you save on SIEM can buy a lot of fast and effective log management.

Overall, the best strategy for a SIEM deployment is constant refinement and expansion. SIEM works like a bicycle: You are happy with the technology only if you pedal and move forward.

SIEM REALITY CHECK

What is the best way to get there? A SIEM program requires an annual or biannual check of its health and operations. This evaluation process allows an organization to track its achievements with SIEM and plan deployment expansion. The key question is, what security issues can we solve next?

Just as you'd check that the proper network systems and device logs of security events are flowing into the SIEM, you should also consider this: Is the value of the SIEM deployment being delivered? If no real value to the deployment is seen, what can you change, add, subtract, refine, or improve? (Hint: It is rarely the product itself.) Could changes related to data sources, hardware speed, logging configurations, network bandwidth or load balancing improve your SIEM deployment? If no obvious next step comes to mind, ask around the organization. This process will definitely help you run your SIEM well.

On a more tactical level, organizations need to benchmark how their SIEM is performing; the challenge is that measuring SIEM health and operations is still an emerging area, and there is no set of accepted metrics.

The core SIEM team has to define success criteria at the planning stage and periodically check for progress in regard to these criteria. Evidence of SIEM success can be found by measuring SIEM impact on incident severity and recovery time (similar to the operational mean time to repair), and incident severity offers evidence of more strategic SIEM success. A reduced incident discovery window, if observed, can provide a great boost to a SIEM program.

Even with all of this done right, you still need a bit of luck. This is not a sentiment about SIEM; it's the same with any large IT security project: successful deployments depend on strategy, expansion and things falling into place.

Anton Chuvakin
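The reality check described in this chapter only works if the success criteria defined at the planning stage are measurable. As an added example (not the guide's own method or the author's tooling), the following computes the incident discovery window, the recovery time and the share of incidents first detected by the SIEM for two review periods, tests them against criteria fixed at planning time and reports the change between periods. The incident records, the criteria values and the metric definitions are assumptions constructed for illustration.

```python
"""Score a SIEM program against success criteria set at planning time.
Added example, not from the guide. Incident records, criteria and metric
definitions are constructed assumptions."""
from datetime import datetime
from statistics import median

def t(s):
    return datetime.fromisoformat(s)

# Constructed incident records for two review periods. first_activity is the
# earliest attacker activity the investigation later established; detected is
# when the team first knew; detected_by names the source that raised it.
INCIDENTS = {
    "2014-H2": [
        {"id": "INC-1", "severity": 3, "detected_by": "user report",
         "first_activity": t("2014-07-02T10:00:00"), "detected": t("2014-07-20T09:00:00"),
         "recovered": t("2014-07-23T17:00:00")},
        {"id": "INC-2", "severity": 2, "detected_by": "siem",
         "first_activity": t("2014-09-11T22:15:00"), "detected": t("2014-09-14T08:30:00"),
         "recovered": t("2014-09-15T12:00:00")},
        {"id": "INC-3", "severity": 4, "detected_by": "third party",
         "first_activity": t("2014-11-01T03:00:00"), "detected": t("2014-12-05T14:00:00"),
         "recovered": t("2014-12-12T18:00:00")},
    ],
    "2015-H1": [
        {"id": "INC-4", "severity": 2, "detected_by": "siem",
         "first_activity": t("2015-01-20T01:10:00"), "detected": t("2015-01-20T02:00:00"),
         "recovered": t("2015-01-20T16:00:00")},
        {"id": "INC-5", "severity": 3, "detected_by": "siem",
         "first_activity": t("2015-03-05T11:00:00"), "detected": t("2015-03-06T09:00:00"),
         "recovered": t("2015-03-08T10:00:00")},
        {"id": "INC-6", "severity": 2, "detected_by": "user report",
         "first_activity": t("2015-05-14T15:00:00"), "detected": t("2015-05-16T10:00:00"),
         "recovered": t("2015-05-17T12:00:00")},
    ],
}

# Success criteria agreed at the planning stage (assumed values).
CRITERIA = {"median_discovery_hours_max": 72,
            "mean_recovery_hours_max": 60,
            "siem_detection_share_min": 0.5}

def hours(delta):
    return delta.total_seconds() / 3600

def period_metrics(incidents):
    """Discovery window, recovery time (MTTR-style), SIEM share and severity."""
    discovery = [hours(i["detected"] - i["first_activity"]) for i in incidents]
    recovery = [hours(i["recovered"] - i["detected"]) for i in incidents]
    siem_share = sum(1 for i in incidents if i["detected_by"] == "siem") / len(incidents)
    return {
        "median_discovery_hours": median(discovery),   # median resists one outlier
        "mean_recovery_hours": sum(recovery) / len(recovery),
        "siem_detection_share": siem_share,
        "mean_severity": sum(i["severity"] for i in incidents) / len(incidents),
    }

def check_criteria(metrics, criteria):
    return {
        "discovery": metrics["median_discovery_hours"] <= criteria["median_discovery_hours_max"],
        "recovery": metrics["mean_recovery_hours"] <= criteria["mean_recovery_hours_max"],
        "siem_share": metrics["siem_detection_share"] >= criteria["siem_detection_share_min"],
    }

def reality_check(incidents_by_period, criteria):
    """Metrics per period, pass/fail against the criteria, and the change in
    the discovery window from the previous period."""
    report, prev = {}, None
    for p in sorted(incidents_by_period):
        m = period_metrics(incidents_by_period[p])
        entry = {"metrics": m, "passes": check_criteria(m, criteria)}
        if prev:
            entry["discovery_change_hours"] = m["median_discovery_hours"] - prev["median_discovery_hours"]
        report[p] = entry
        prev = m
    return report

if __name__ == "__main__":
    for period, entry in reality_check(INCIDENTS, CRITERIA).items():
        print(period, entry)
```

On the constructed data the first period fails all three criteria (a median discovery window of 431 hours, driven by incidents that users and third parties found before the SIEM did) while the second passes them, with the discovery window down to 22 hours. Using the median rather than the mean for discovery keeps one long-undetected incident from hiding a real improvement, which is exactly the kind of evidence the chapter says the core SIEM team should be collecting.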


ABOUT THE AUTHORS

ANTON CHUVAKIN, Ph.D., is a research vice president at Gartner for the technical professionals security and risk management group. As a recognized expert in log management and PCI compliance, Dr. Chuvakin has published dozens of papers on log management, SIEM, correlation, security data analysis, PCI DSS and security management. He is an author of Security Warrior and PCI Compliance. For more, check out his Gartner blog, personal blog or follow him on Twitter @anton_chuvakin.

MICHAEL COBB, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He co-authored the book IIS Security and has written numerous technical articles for TechTarget. He has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme (CLAS). Cobb has a passion for making IT security best practices easier to understand and achievable.

KAREN SCARFONE is principal consultant for Scarfone Cybersecurity and specializes in network and system security guidelines. Scarfone was formerly with the National Institute of Standards and Technology (NIST), where she oversaw the development of system and network security publications for federal civilian agencies and the public. She has coauthored more than 50 NIST Special Publications and Interagency Reports.

This Technical Guide, Resolve to Revitalize Your SIEM, is a Security Media Group e-publication.

Robert Richardson | Editorial Director
Eric Parizo | Executive Editor
Kara Gattine | Executive Managing Editor
Brenda L. Horrigan | Associate Managing Editor
Sharon Shea | Assistant Editor
Linda Koury | Director of Online Design
Neva Maniscalco | Graphic Designer
Jacquelyn Howard | Senior Director, Editorial Production
Doug Olender | Senior Vice President/Group Publisher
dolender@techtarget.com

TechTarget
275 Grove Street, Newton, MA 02466
www.techtarget.com

2015 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

COVER ART: THINKSTOCK