EDITOR'S NOTE

Some things never change—like the fact that your network's security is constantly threatened by increasingly sophisticated bad guys. Security information and event management (SIEM) tools have long provided a means to get a holistic view of network security. SIEM products are intended to gather data from all over and centralize it to allow you to identify and respond more quickly to threats. In the past, they have worked with varying degrees of effectiveness—but now these old tools have some mean new capabilities you need to know about.

That's where this technical guide opens, with Karen Scarfone's concise but thorough examination of the capabilities some new SIEM products are offering. Michael Cobb then expands on this discussion, with special attention to how best to use the data—even data in the cloud—that a SIEM collects. Already have a SIEM in action? Then the closing chapter, with Anton Chuvakin's guidance on how to make an old SIEM work better, is for you.

So whether you're considering a SIEM purchase, an upgrade or are facing another year of using outdated technology, reading this guide will help you spruce up your security and make your SIEM one that sings.

Brenda L. Horrigan, Ph.D.
Associate Managing Editor
Security Media Group
NEW ADVANCES IN SIEM

SIEM technologies have been at the heart of many organizations' security operations for over a decade. Whether they're being used mostly for centralized logging and compliance or for incident detection and response efforts, security information and event management tools, or SIEMs, provide a single interface to information from many security systems. Over the years, SIEM technologies have changed, and it's important that your own SIEM strategies evolve to incorporate these advances.

Here are a few recent advances you should be aware of when looking at new SIEM products or re-evaluating your existing SIEM's quality.

Big Data Adoption: One of the biggest trends in SIEM during the past few years has been the switch from relational databases to big data models. If your organization is using SIEM strictly as centralized logging, a switch to big data may be ill-advised because of its potentially lossy nature. (Big data doesn't use traditional relational databases, so it cannot be relied upon to comprehensively retrieve every bit of data originally stored in it.) But if your organization is using SIEM for incident detection and response, a switch to big data may improve your incident detection rates by being able to collect much more data and crunch it to find the patterns of attacks within it.

Threat Intelligence Feeds: SIEM products increasingly support the ingestion of threat intelligence feeds. These feeds contain information about threat indicators, such as the IP addresses, hostnames and URLs attackers use. Each feed typically includes a score for each threat indicator, rating relative confidence in its malicious nature, as well as additional metadata that provides context for the threat intelligence. When a threat intelligence feed
is used in conjunction with SIEM data, it provides a wealth of intelligence and allows for the expedited identification of incidents and more confident responses. Make sure that your SIEM supports threat intelligence feeds.

Cloud-Based Integration: Logging in multi-tenant clouds has long been a challenge for SIEM systems. Fortunately, there are now many cloud-based SIEM services and products that can collect audit logs and route those logs to an organization's regular (non-cloud) SIEM servers. Some of these cloud-based SIEM products are offered by the same vendors that offer regular SIEM products; integration may be trivial for these cases. In other cases, extensive planning and testing may be needed to determine if the data from the cloud can be collected, processed and transported to the enterprise SIEM system in a timely enough manner to support incident response.

Distributed Analysis: Although SIEMs have traditionally been thought of as centralized log processing, enterprises can now ensure increased scalability by having individual data collection points do some of their own data analysis and processing. If your SIEM is currently struggling to keep up with its workload, you may benefit from switching to a distributed architecture.

In conclusion, consider your own organization's needs for SIEM in the context of these four recent advances. Odds are that if your organization is solely interested in SIEM for centralized logging, these advances aren't so important—but be aware that your SIEM can do so much more than just log management. It can be an invaluable tool both for discovering incidents more quickly and by correlating data across systems and events with threat intelligence.

—Karen Scarfone
RETHINK HOW YOU USE YOUR SIEM PRODUCT

detection rates by uncovering clues hidden deep in an organization's data, a SIEM needs to make use of adaptive intelligence; in other words, it must learn what's normal in order to recognize what's abnormal, because abnormal events are a strong indicator of an advanced threat or breach. SIEM also has to be able to identify an attack pattern, even if it is spread out over a period of time.

Setting up SIEM rules is an iterative process, but products that allow the simultaneous use of rule-based and rule-less correlation can reduce initial configuration times, automate parts of the login and authentication monitoring process, and reduce the number of false positives. While self-learning algorithms are still in their infancy, real-time identity correlation using fuzzy logic, behavior analysis, clustering algorithms and policy rules is close to providing true signature-less detection to prevent unauthorized access and pick out abnormal activity at the user, account and resource levels.

Incorporating external threat intelligence feeds from the global security community can further clarify what's normal or acceptable by not limiting analysis to just the data one organization creates. Look for feeds that are flexible, easy to deploy and that existing security monitoring products can use effectively. Real-time analysis of both structured and unstructured data is essential.

DON'T FORGET THE DATA UP THERE

Enterprises with data in the cloud should look for service providers that make SIEM data available for collection by an on-premises SIEM. This enables a unified view of both cloud and on-premises environments as long as the SIEM can handle the provider's data, which may be in different formats. In platform as a service (PaaS) environments there is the option of installing monitoring agents to push traffic and logs to an in-house server for processing, while some SIEM tools can make use of specific software as a service (SaaS) application program interfaces to collect logs from public cloud services so events across multiple platforms can be correlated to produce dashboard views and audit reports that combine both internal and cloud-based applications. Network
bandwidth, latency and data-transfer costs can, however, impede timely interruption of malicious activity.

the right actions to take, but also that those efforts are coordinated.
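Cobb's two requirements above, that a SIEM learn what is normal in order to recognize what is abnormal, and that it recognize an attack pattern even when it is spread out over time, can be shown on authentication events. The following is an added example for this guide, not code from Cobb or from any product: it builds a per-user baseline (source countries and login hours) from a training window of successful logins, scores later logins against that baseline, and correlates each success with the failures accumulated for that user over a multi-day window so that a slow run of failures ending in a success from a never-seen source is raised with a higher score than a single odd-hour login. The users, events, country codes ("ZZ" is a placeholder), scoring weights and thresholds are all constructed for the demonstration.

```python
"""Baseline-then-detect over authentication events.

Added example, not code from the guide or from any SIEM product. It learns each
user's normal login profile (source countries and login hours) from a training
window, scores later logins against it and flags a low-and-slow pattern: failed
logins spread over days, then a success from a source absent from the baseline.
All events, users, countries and thresholds are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"


def parse(ts):
    return datetime.strptime(ts, FMT)


def make_baseline(start="2015-03-01", days=14):
    """Constructed training data: two users with steady, predictable logins."""
    events = []
    first = datetime.strptime(start, "%Y-%m-%d")
    for d in range(days):
        day = (first + timedelta(days=d)).strftime("%Y-%m-%d")
        events += [
            (f"{day} 08:12", "alice", "DE", "success"),
            (f"{day} 17:40", "alice", "DE", "success"),
            (f"{day} 09:00", "bob", "US", "success"),
        ]
    return events


# Constructed evaluation window. "ZZ" is a placeholder country code.
EVAL = [
    ("2015-03-15 08:05", "alice", "DE", "success"),   # normal
    ("2015-03-16 09:00", "bob", "US", "success"),     # normal
    ("2015-03-18 14:00", "bob", "US", "success"),     # unusual hour only
] + [(f"2015-03-{day} 03:00", "alice", "ZZ", "failure") for day in range(15, 21)] + [
    ("2015-03-22 03:10", "alice", "ZZ", "success"),   # success after six failures
]


def learn_profiles(events):
    """Per-user baseline built only from successful logins."""
    profiles = defaultdict(lambda: {"countries": set(), "hours": set()})
    for ts, user, country, result in events:
        if result == "success":
            profiles[user]["countries"].add(country)
            profiles[user]["hours"].add(parse(ts).hour)
    return dict(profiles)


def score_login(profile, ts, country):
    """0 means the login fits the baseline; each deviation adds points."""
    score = 0
    if country not in profile["countries"]:
        score += 2
    if parse(ts).hour not in profile["hours"]:
        score += 1
    return score


def detect(profiles, events, window_days=14, min_failures=5):
    """Score successful logins against the baseline and correlate them with
    failures accumulated over window_days, so a slow pattern is still caught."""
    alerts = []
    failures = defaultdict(list)          # user -> timestamps of failed logins
    for ts, user, country, result in sorted(events):
        t = parse(ts)
        if result == "failure":
            failures[user].append(t)
            continue
        profile = profiles.get(user)
        if profile is None:
            alerts.append({"user": user, "at": ts, "score": 3, "reason": "no baseline for user"})
            continue
        score = score_login(profile, ts, country)
        recent = [f for f in failures[user] if t - f <= timedelta(days=window_days)]
        if score >= 2 and len(recent) >= min_failures:
            alerts.append({"user": user, "at": ts, "score": score + 1,
                           "reason": f"new source succeeded after {len(recent)} failures in {window_days}d"})
        elif score > 0:
            alerts.append({"user": user, "at": ts, "score": score, "reason": "outside baseline"})
    return alerts


if __name__ == "__main__":
    for alert in detect(learn_profiles(make_baseline()), EVAL):
        print(alert)
```

Only bob's odd-hour login and alice's final success from the new source produce alerts; the six individual failures never do, which is the point of keeping the failure history per user across the window rather than alerting on each one.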
TIME FOR A SIEM REBOOT

Is your security information and event management stuck in the past? Is it mature? Some organizations procure and deploy a SIEM tool only to wonder whether, with all that unmonitored log data, it is collecting dust instead of improving their security posture.

Organizations use SIEM for collecting, normalizing and correlating security events based on log data from an array of systems and devices. Today, many SIEM tools also support threat intelligence feeds and other data from external sources. The best path for a SIEM deployment is from one successful security incident response to another, with constant refinement of the technology's configuration and processes. There is nothing more motivating than value realized with a sequence of quick wins and security problems solved.

A number of SIEM deployments, however, are stuck in nonproductive stages. Ask yourself: Is your SIEM evolving? Is it solving just one problem or addressing multiple security monitoring and analysis issues?

If your SIEM architecture is still solving the original security problem—monitoring user access to servers or reducing IDS/IPS false positives—there is absolutely nothing wrong with your implementation. As long as you are not paying hundreds of thousands of dollars every year for legacy network intrusion detection systems' false positive reduction, then a static SIEM deployment or one that is in maintenance mode is not inherently worse than a dynamic deployment.

SIEM evolution offers advantages for many enterprises that should not be overlooked, given the cost of these tools. It helps retain security personnel, unlock budgets, refine processes, improve collaboration and integration and ultimately creates a self-fulfilling prophecy of a successful security monitoring program.

What are some of the common mistakes that
organizations make with SIEM? And how can you go from deployment to steady-state operation to successful SIEM expansion?

MIRED IN DATA COLLECTION

One reason your SIEM deployment may be failing to evolve is that it is stuck in the collection phase. This deployment scenario often happens when IT security teams plan a SIEM project in a horizontal manner—all collection first, all analysis later—rather than on a use-case by use-case basis. The end result of that is a good log collection system at ten times the price.

The way to resolve this issue is to use output-driven SIEM. An output-driven approach simply means deploying a SIEM tool in such a way that no data comes into the system until there is clear knowledge of how that information will be used and presented. Here, only existing/planned reports, visuals, alerts, dashboards, profiling algorithms, context fusion and so on can make a SIEM team open the floodgates and admit a particular log or context type into the tool.

With this model of SIEM, the "what if we need it someday?" argument does not work. Log entries can be collected by a log management tool (commercial or open source) with a much lower per-log cost. The use-case-driven collection facilitates just the right amount of analysis because the SIEM tool stays at its optimum performance level without incurring excessive hardware costs.

FOCUSED ON COMPLIANCE CHECKLISTS

Another reason a SIEM deployment may remain stuck is compliance. This happens when organizations buy a SIEM tool to check the box and never start using it for anything beyond scaring away the auditors. The result is one really expensive checkbox.

Today's SIEM products come with reports, dashboards and correlation rules that are created to address common scenarios for security as well as address regulatory compliance such as PCI DSS, Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley Act (SOX).

Some vendors claim that such off-the-shelf SIEM content is useful out of the box with no
customization. But customer experience has shown that most off-the-shelf SIEM content is useful only when it is applied to specific systems (and thus customized by adding filters) or when it is tweaked to better match the environment.

The way to evolve out of this logjam is to explore the use cases at the edges of your compliance usage, from monitoring users that touch card data to observing all users that interact with sensitive data. Threat management and breach detection have also emerged as the primary drivers of SIEM in the past few years, but compliance is still holding strong. Today, most customers at least ask about using their SIEM tools for detecting breaches—even if compliance is top of mind. The functionality required to satisfy the two use cases overlaps, and many customers look for SIEM product capabilities that satisfy both. Finally, even compliance requires that your SIEM be used and not just connected to the network.

ONE PROBLEM SOLVED, N TO GO

Sometimes an organization builds a SIEM deployment, solves the initial problem and then something breaks. Maybe staff turns over, the security team gets downsized or the consulting budget runs out. And then the deployment focus shifts to maintaining the status quo.

Many SIEM deployments have failed to adapt to business changes as well as developments in surrounding IT environments. A SIEM project that is deployed to solve a particular problem with no specific plans to expand sometimes gets left behind when business changes make the problem irrelevant.

To resolve this issue, security architects should plan to deploy SIEM tactically, achieving quick wins as part of a phased approach. A phased approach by use case, further divided by log source types, geography and functions
(such as report before alert or review before correlation) can be used to slice this large effort into manageable chunks. The opposite of using any phased approaches—collect all at once or implement all use cases at once—almost never results in success and often leads to a large-scale waste of resources.

CAUGHT UP IN INCIDENT INVESTIGATIONS

Finally, some organizations fail to get the most out of their SIEM deployments because the tool is tied up in incident investigations. This model of SIEM is nowhere near as harmful as the previous ones. It happens when a SIEM is primarily used to investigate, rather than detect, incidents because the organization never matures to the security monitoring stage.

A common result of such deployments is that the SIEM product gets replaced with a commercial or an open source log search tool, such as an emerging ELK stack (a combination of Elasticsearch, Logstash and Kibana).

To resolve this issue, take a long hard look at your SIEM. Do you only plan to use it for incident investigations and not for security monitoring? Or, similarly, do you plan to evolve to monitoring but have not done so in the past 5 years? If the answer is yes in either of these scenarios, consider scrapping your SIEM and replacing it with a log analysis tool. The money that you save on SIEM can buy a lot of fast and effective log management.

Overall, the best strategy for a SIEM deployment is constant refinement and expansion. SIEM works like a bicycle: You are happy with the technology only if you pedal and move forward.

SIEM REALITY CHECK

What is the best way to get there? A SIEM program requires an annual or biannual check of its health and operations. This evaluation process allows an organization to track its achievements with SIEM and plan deployment expansion. The key question is, what security issues can we solve next?

Just as you'd check that the proper network systems and device logs of security events are flowing into the SIEM, you should also
consider this: Is the value of the SIEM deployment being delivered? If no real value to the deployment is seen, what can you change, add, subtract, refine, or improve? (Hint: It is rarely the product itself.) Could changes related to data sources, hardware speed, logging configurations, network bandwidth or load balancing improve your SIEM deployment? If no obvious next step comes to mind, ask around the organization. This process will definitely help you run your SIEM well.

On a more tactical level, organizations need to benchmark how their SIEM is performing; the challenge is that measuring SIEM health and operations is still an emerging area, and there is no set of accepted metrics. The core SIEM team has to define success criteria at the planning stage and periodically check for progress in regard to these criteria. Evidence of SIEM success can be found by measuring SIEM impact on incident severity and recovery time (similar to the operational mean time to repair), and incident severity offers evidence of more strategic SIEM success. A reduced incident discovery window, if observed, can provide a great boost to a SIEM program.

Even with all of this done right, you still need a bit of luck. This is not a sentiment about SIEM; it's the same with any large IT security project—successful deployments depend on strategy, expansion and things falling into place.

—Anton Chuvakin
ance. For more, check out his Gartner blog, personal blog or follow him on Twitter @anton_chuvakin.

MICHAEL COBB, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He co-authored the book IIS Security and has written numerous technical articles for TechTarget. He has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme (CLAS). Cobb has a passion for making IT security best practices easier to understand and achievable.

KAREN SCARFONE is principal consultant for Scarfone Cybersecurity and specializes in network and system security guidelines. Scarfone was formerly with the National Institute of Standards and Technology (NIST), where she oversaw the development of system and network security publications for federal civilian agencies and the public. She has coauthored more than 50 NIST Special Publications and Interagency Reports.

Robert Richardson | Editorial Director
Eric Parizo | Executive Editor
Kara Gattine | Executive Managing Editor
Brenda L. Horrigan | Associate Managing Editor
Sharon Shea | Assistant Editor
Linda Koury | Director of Online Design
Neva Maniscalco | Graphic Designer
Jacquelyn Howard | Senior Director, Editorial Production
Doug Olender | Senior Vice President/Group Publisher, dolender@techtarget.com

TechTarget, 275 Grove Street, Newton, MA 02466, www.techtarget.com

© 2015 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

COVER ART: THINKSTOCK