Resolve to Revitalize Your SIEM

Do you need to spruce up your security information and event management?

Learn about the latest advances and how best to use existing technology.

EDITORS NOTE NEW ADVANCES RETHINK HOW TIME FOR A

IN SIEM YOU USE YOUR SIEM REBOOT
SIEM PRODUCT
 EDITORS
NOTE
Sprucing up your SIEM for the New Year
Some things never changelike the fact
HOME
that your networks security is constantly
EDITORS NOTE threatened by increasingly sophisticated bad
guys. Security information and event manage-
NEW ADVANCES
IN SIEM ment (SIEM) tools have long provided a means
to get a holistic view of network security. SIEM
RETHINK
HOW YOU USE products are intended to gather data from all
YOUR SIEM PRODUCT
over and centralize it to allow you to identify
TIME FOR A and respond more quickly to threats. In the
SIEM REBOOT
past, they have worked with varying degrees of
effectivenessbut now these old tools have
some mean new capabilities you need to know
about.
Thats where this technical guide opens,
with Karen Scarfones concise but thorough
examination of the capabilities some new
2 RESOLVE TO REVITALIZE YOUR SIEM
SIEM products are offering. Michael Cobb then
expands on this discussion, with special atten-
tion to how best to use the dataeven data in
the cloudthat a SIEM collects. Already have a
SIEM in action? Then the closing chapter, with
Anton Chuvakins guidance on how to make an
old SIEM work better, is for you.
So whether youre considering a SIEM pur-
chase, an upgrade or are facing another year
using outdated technology, reading this guide
will help you spruce up your security and
make your SIEM one that sings. n
Brenda L. Horrigan, Ph.D.
Associate Managing Editor
Security Media Group
 ADVANCES
New Advances in SIEM
SIEM technologies have been at the
HOME
heart of many organizations security opera-
EDITORS NOTE tions for over a decade. Whether theyre being
used mostly for centralized logging and com-
NEW ADVANCES
IN SIEM pliance or for incident detection and response
efforts, security information and event man-
RETHINK
HOW YOU USE agement tools, or SIEMs, provide a single
YOUR SIEM PRODUCT
interface to information from many security
TIME FOR A systems. Over the years, SIEM technologies
SIEM REBOOT
have changed, and its important that your own
SIEM strategies evolve to incorporate these
advances.
Here are a few recent advances you should be
aware of when looking at new SIEM products or
re-evaluating your existing SIEMs quality.
Big Data Adoption: One of the biggest trends in
SIEM during the past few years has been the
switch from relational databases to big data
models. If your organization is using SIEM
strictly as centralized logging, a switch to big
3 RESOLVE TO REVITALIZE YOUR SIEM
data may be ill-advised because of its poten-
tially lossy nature. (Big data doesnt use tra-
ditional relational databases, so it cannot be
relied upon to comprehensively retrieve every
bit of data originally stored in it.) But if your
organization is using SIEM for incident detec-
tion and response, a switch to big data may
improve your incident detection rates by being
able to collect much more data and crunch it to
find the patterns of attacks within it.
Threat Intelligence Feeds: SIEM products
increasingly support the ingestion of threat
intelligence feeds. These feeds contain infor-
mation about threat indicators, such as the
IP addresses, hostnames and URLs attackers
use. Each feed typically includes a score for
each threat indicator, rating relative confidence
in its malicious nature, as well as additional
metadata that provides context for the threat
intelligence. When a threat intelligence feed
 ADVANCES
is used in conjunction with SIEM data, it pro-
vides a wealth of intelligence and allows for the
expedited identification of incidents and more
confident responses. Make sure that your SIEM
supports threat intelligence feeds.
HOME
Cloud-Based Integration: Logging in multi-
EDITORS NOTE tenant clouds has long been a challenge for
SIEM systems. Fortunately, there are now many
NEW ADVANCES
IN SIEM cloud-based SIEM services and products that
can collect audit logs and route those logs to an
RETHINK
organizations regular (non-cloud) SIEM serv-
HOW YOU USE
YOUR SIEM PRODUCT
ers. Some of these cloud-based SIEM products
TIME FOR A are offered by the same vendors that offer reg-
SIEM REBOOT
ular SIEM products; integration may be trivial
for these cases. In other cases, extensive plan-
ning and testing may be needed to determine if
the data from the cloud can be collected, pro-
cessed and transported to the enterprise SIEM
system in a timely enough manner to support
incident response.
Distributed Analysis: Although SIEMs have
traditionally been thought of as centralized
log processing, enterprises can now ensure
4 RESOLVE TO REVITALIZE YOUR SIEM
increased scalability by having individual data
collection points do some of their own data
analysis and processing. If your SIEM is cur-
rently struggling to keep up with its workload,
you may benefit from switching to a distrib-
uted architecture.
Enterprises can now ensure
increased scalability by having
individual data collection
points do some of their own
data analysis and processing.
In conclusion, consider your own organiza-
tions needs for SIEM in the context of these
four recent advances. Odds are that if your
organization is solely interested in SIEM for
centralized logging, these advances arent so
importantbut be aware that your SIEM can
do so much more than just log management. It
can be an invaluable tool both for discovering
incidents more quickly and by correlating data
across systems and events with threat intelli-
gence. Karen Scarfone
 RETHINK
Rethink Your SIEM
Enterprises need dynamic, intelligence-
HOME
driven defenses to effectively identify mali-
EDITORS NOTE cious behaviors not seen before, anomalies that
can enable dangerous zero-day attacks of the
NEW ADVANCES
IN SIEM type that wreak havoc on a daily basis. A key
component of enterprise defenses is a SIEM
RETHINK
HOW YOU USE product. SIEM provides a central repository for
YOUR SIEM PRODUCT
collecting and monitoring network activity.
TIME FOR A Unfortunately, painful implementations and
SIEM REBOOT
overselling by vendors has left SIEM with a
sullied reputation. Meanwhile, many SIEMs
have been deployed solely to meet compliance-
reporting requirements, with few organizations
actually making full use of the technologys
event-correlation capabilities.
A second generation of SIEM products,
however, may change that. Advanced security
analytics and increased scope and scale of data
collection mean a greater number of diverse
events can be put into context to find unusual
activities in real time.
5 RESOLVE TO REVITALIZE YOUR SIEM
DATA, DATA EVERYWHERE
Enterprises create colossal amounts of data:
email, documents, social media interactions,
audio, network traffic, clickstreams, and logs of
files being accessed, registry changes made, and
processes started and stopped. System infor-
mation, such as processor and memory utiliza-
tion, can also be useful for spotting unexpected
changes in the status of a system. The sheer
volume of data handled makes scalability,
powerful analytical tools and support for het-
erogeneous event sources the most important
capabilities when assessing next-generation
SIEM products, particularly when it comes to
time-sensitive processes such as fraud detec-
tion. Tools for visualizing and exploring this
data are another key feature, along with action-
able intelligence based on business context, so
threats posing the greatest risk can be easily
found and prioritized.
To make full use of all this data and increase
 RETHINK
detection rates by uncovering clues hidden
deep in an organizations data, a SIEM needs
to make use of adaptive intelligence; in other
words, it must learn whats normal in order to
recognize whats abnormal, because abnormal
events are a strong indicator of an advanced
HOME
threat or breach. SIEM also has to be able to
EDITORS NOTE identify an attack pattern, even if it is spread
out over a period of time.
NEW ADVANCES
IN SIEM Setting up SIEM rules is an iterative process,
but products that allow the simultaneous use
RETHINK
HOW YOU USE of rule-based and rule-less correlation can
YOUR SIEM PRODUCT
reduce initial configuration times, automate
TIME FOR A parts of the login and authentication monitor-
SIEM REBOOT
ing process, and reduce the number of false
positives. While self-learning algorithms are
still in their infancy, real-time identity correla-
tion using fuzzy logic, behavior analysis, clus-
tering algorithms and policy rules are close to
providing true signature-less detection to pre-
vent unauthorized access and pick out abnor-
mal activity at the user, account and resource
levels.
Incorporating external threat intelligence
feeds from the global security community can
further clarify whats normal or acceptable by
6 RESOLVE TO REVITALIZE YOUR SIEM
not limiting analysis to just the data one orga-
nization creates. Look for feeds that are flex-
ible, easy to deploy and that existing security
monitoring products can use effectively. Real-
time analysis of both structured and unstruc-
tured data is essential.
DONT FORGET THE DATA UP THERE
Enterprises with data in the cloud should look
for service providers that make SIEM data
available for collection by an on-premises
SIEM. This enables a unified view of both
cloud and on-premises environments as long as
the SIEM can handle the providers data, which
may be in different formats. In platform as a
service (PaaS) environments there is the option
of installing monitoring agents to push traffic
and logs to an in-house server for processing,
while some SIEM tools can make use of spe-
cific software as a service (SaaS) application
program interfaces to collect logs from public
cloud services so events across multiple plat-
forms can be correlated to produce dashboard
views and audit reports that combine both
internal and cloud-based applications. Network
 RETHINK
bandwidth, latency and data-transfer costs can,
however, impede timely interruption of mali-
cious activity.
WHAT TO DO WITH THE DATA?
HOME
Dashboard views of the information collected
EDITORS NOTE and analyzed are an important feature of any
SIEM, as are actionable reports that include
NEW ADVANCES
IN SIEM effective countermeasures so administrators
can see where attention is needed most. Do not
RETHINK
HOW YOU USE overlook the importance of being able to export
YOUR SIEM PRODUCT
information in different ways; different stake-
TIME FOR A holders will want information about security
SIEM REBOOT
risks pertinent to their interests and presented
at a level they can understand so as to fully
appreciate the relevance.
Accelerated decision making is not solely
about feeding a SIEM more and more informa-
tion and tuning it to be able to spot incidents
faster; security teams must be able to react and
respond faster, too. Incident response teams
need to be familiar with the types of warnings
and alerts a SIEM produces and have well-
tested procedures in place that they can follow.
This not only ensures the right people know
7 RESOLVE TO REVITALIZE YOUR SIEM
the right actions to take, but also that those
efforts are coordinated.
THE BOTTOM LINE? BUDGETS
Of course, security teams need to have the
resources required to handle and respond to
the additional alerts and warnings a well-tuned
SIEM will generate. Taking the time to fully
inventory and classify data assets will enable a
SIEM to better prioritize threats. An asset dis-
covery and profiling tool, sometimes included
in a SIEM, will cut the time spent categorizing
network assets and will also pick up configura-
tion drift and hardware and software changes.
Good security is a continuous process, and a
well-resourced and configured SIEM can pro-
vide constant awareness of the state of security,
vulnerabilities and threats, and thus support
the teams that manage and protect information
systems running core mission and business
functions. If the teams have ample resources
and well-tested procedures to follow, overall
enterprise information security will improve.
Thats a worthwhile objective any day.
Michael Cobb
 REBOOT
Time to Reboot Your SIEM? Probably
Is your security information and event
HOME
management stuck in the past? Is it mature?
EDITORS NOTE Some organizations procure and deploy a
SIEM tool only to wonder whether, with all
NEW ADVANCES
IN SIEM that unmonitored log data, it is collecting dust
instead of improving their security posture.
RETHINK
HOW YOU USE Organizations use SIEM for collecting,
YOUR SIEM PRODUCT
normalizing and correlating security events
TIME FOR A based on log data from an array of systems and
SIEM REBOOT
devices. Today, many SIEM tools also support
threat intelligence feeds and other data from
external sources. The best path for a SIEM
deployment is from one successful security
incident response to another, with constant
refinement of the technologys configuration
and processes. There is nothing more moti-
vating than value realized with a sequence of
quick wins and security problems solved.
A number of SIEM deployments, however,
are stuck in nonproductive stages. Ask your-
self: Is your SIEM evolving? Is it solving just
8 RESOLVE TO REVITALIZE YOUR SIEM
one problem or addressing multiple security
monitoring and analysis issues?
If your SIEM architecture is still solving the
original security problemmonitoring user
access to servers or reducing IDS/IPS false
positivesthere is absolutely nothing wrong
with your implementation. As long as you are
not paying hundreds of thousands of dollars
every year for legacy network intrusion detec-
tion systems false positive reduction, then a
static SIEM deployment or one that is in main-
tenance mode is not inherently worse than a
dynamic deployment.
SIEM evolution offers advantages for many
enterprises that should not be overlooked,
given the cost of these tools. It helps retain
security personnel, unlock budgets, refine pro-
cesses, improve collaboration and integration
and ultimately creates a self-fulfilling prophesy
of a successful security monitoring program.
What are some of the common mistakes that
 REBOOT
organizations make with SIEM? And how can
you go from deployment to steady-state opera-
tion to successful SIEM expansion?
MIRED IN DATA COLLECTION
HOME
One reason your SIEM deployment may be fail-
EDITORS NOTE ing to evolve is that it is stuck in the collection
phase. This deployment scenario often happens
NEW ADVANCES
IN SIEM when IT security teams plan a SIEM project
in a horizontal mannerall collection first, all
RETHINK
HOW YOU USE analysis laterrather than on a use-case by
YOUR SIEM PRODUCT
use-case basis. The end result of that is a good
TIME FOR A log collection system at ten times the price.
SIEM REBOOT
The way to resolve this issue is to use out-
put-driven SIEM. An output-driven approach
simply means deploying a SIEM tool in such a
way that no data comes into the system until
there is clear knowledge of how that informa-
tion will be used and presented. Here, only
existing/planned reports, visuals, alerts, dash-
boards, profiling algorithms, context fusion and
so on can make a SIEM team open the flood-
gates and admit a particular log or context
type into the tool.
With this model of SIEM, the what if we
9 RESOLVE TO REVITALIZE YOUR SIEM
need it someday? argument does not work.
Log entries can be collected by a log manage-
ment tool (commercial or open source) with a
much lower per-log cost. The use-case-driven
collection facilitates just the right amount
of analysis because the SIEM tool stays at its
optimum performance level without incurring
excessive hardware costs.
FOCUSED ON COMPLIANCE CHECKLISTS
Another reason a SIEM deployment may
remain stuck is compliance. This happens
when organizations buy a SIEM tool to check
the box and never start using it for anything
beyond scaring away the auditors. The result is
onereally expensive checkbox.
Todays SIEM products come with reports,
dashboards and correlation rules that are cre-
ated to address common scenarios for security
as well as address regulatory compliance such
as PCI DSS, Health Insurance Portability and
Accountability Act (HIPAA) and Sarbanes-
Oxley Act (SOX).
Some vendors claim that such off-the-shelf
SIEM content is useful out of the box with no
 REBOOT
customization. But customer experience has
shown that most off-the-shelf SIEM content
is useful only when it is applied to specific
systems (and thus customized by adding fil-
ters) or when it is tweaked to better match the
environment.
HOME
EDITORS NOTE
Threat management and breach
NEW ADVANCES detection have also emerged
IN SIEM
as the primary drivers of SIEM
RETHINK
HOW YOU USE
in the past few years, but compli-
YOUR SIEM PRODUCT ance is still holding strong.
TIME FOR A
SIEM REBOOT
The way to evolve out of this logjam is to
explore the use cases at the edges of your
compliance usage, from monitoring users that
touch card data to observing all users that
interact with sensitive data. Threat manage-
ment and breach detection have also emerged
as the primary drivers of SIEM in the past few
years, but compliance is still holding strong.
Today, most customers at least ask about using
their SIEM tools for detecting breacheseven
if compliance is top of mind. The functionality
required to satisfy the two use cases overlaps,
10 RESOLVE TO REVITALIZE YOUR SIEM
and many customers look for SIEM product
capabilities that satisfy both. Finally, even
compliance requires that your SIEM be used
and not just connected to the network.
ONE PROBLEM SOLVED, N TO GO
Sometimes an organization builds a SIEM
deployment, solves the initial problem and
then something breaks. Maybe staff turns over,
the security team gets downsized or the con-
sulting budget runs out. And then the deploy-
ment focus shifts to maintaining the status
quo.
Many SIEM deployments have failed to adapt
to business changes as well as developments in
surrounding IT environments. A SIEM project
that is deployed to solve a particular problem
with no specific plans to expand sometimes
gets left behind when business changes make
the problem irrelevant.
To resolve this issue, security architects
should plan to deploy SIEM tactically, achiev-
ing quick wins as part of a phased approach.
A phased approach by use case, further divided
by log source types, geography and functions
 REBOOT
(such as report before alert or review before
correlation) can be used to slice this large effort
into manageable chunks. The opposite of using
any phased approachescollect all at once
or implement all use cases at oncealmost
never results in success and often leads to a
HOME
large-scale waste of resources.
EDITORS NOTE
NEW ADVANCES
IN SIEM CAUGHT UP IN INCIDENT INVESTIGATIONS
Finally, some organizations fail to get the most
RETHINK
HOW YOU USE out of their SIEM deployments because the
YOUR SIEM PRODUCT
tool is tied up in incident investigations. This
TIME FOR A model of SIEM is nowhere near as harmful
SIEM REBOOT
as the previous ones. It happens when a SIEM
is primarily used to investigate, rather than
detect, incidents because the organization
never matures to the security monitoring
stage.
A common result of such deployments is
that the SIEM product gets replaced with a
commercial or an open source log search tool,
such as an emerging ELK stack (a combination
of Elastic Search, Logstash and Kibana).
To resolve this issue, take a long hard look
at your SIEM. Do you only plan to use it for
11 RESOLVE TO REVITALIZE YOUR SIEM
incident investigations and not for security
monitoring? Or, similarly, do you plan to evolve
to monitoring but have not done so in the past
5 years? If the answer is yes in either of these
scenarios, consider scrapping your SIEM and
replacing it with a log analysis tool. The money
that you save on SIEM can buy a lot of fast and
effective log management.
Overall, the best strategy for a SIEM deploy-
ment is constant refinement and expansion.
SIEM works like a bicycle: You are happy with
the technology only if you pedal and move
forward.
SIEM REALITY CHECK
What is the best way to get there? A SIEM
program requires an annual or biannual check
of its health and operations. This evaluation
process allows an organization to track its
achievements with SIEM and plan deployment
expansion. The key question is, what security
issues can we solve next?
Just as youd check that the proper network
systems and device logs of security events
are flowing into the SIEM, you should also
 REBOOT
consider this: Is the value of the SIEM deploy-
ment being delivered? If no real value to the
deployment is seen, what can you change, add,
subtract, refine, or improve? (Hint: It is rarely
The best strategy for a SIEM
HOME
deployment is constant refine-
EDITORS NOTE
ment and expansion. SIEM
NEW ADVANCES
IN SIEM
works like a bicycle: You are
happy with the technology only
if you pedal and move forward.
RETHINK
HOW YOU USE
YOUR SIEM PRODUCT
TIME FOR A the product itself.) Could changes related to
SIEM REBOOT
data sources, hardware speed, logging configu-
rations, network bandwidth or load balancing
improve your SIEM deployment? If no obvious
next step comes to mind, ask around the orga-
nization. This process will definitely help you
run your SIEM well.
On a more tactical level, organizations need
12 RESOLVE TO REVITALIZE YOUR SIEM
to benchmark how their SIEM is performing;
the challenge is that measuring SIEM health
and operations is still an emerging area, and
there is no set of accepted metrics.
The core SIEM team has to define success
criteria at the planning stage and periodically
check for progress in regard to these criteria.
Evidence of SIEM success can be found by
measuring SIEM impact on incident severity
and recovery time (similar to the operational
mean time to repair), and incident severity
offers evidence of more strategic SIEM suc-
cess. A reduced incident discovery window, if
observed, can provide a great boost to a SIEM
program.
Even with all of this done right, you still
need a bit of luck. This is not a sentiment
about SIEM; its the same with the any large
IT security projectsuccessful deployments
depend on strategy, expansion and things fall-
ing into place. Anton Chuvakin
 ABOUT
THE
AUTHORS
ANTON CHUVAKIN, Ph.D., is a research vice president at
Gartner for the technical professionals security and risk
management group. As a recognized expert in log man-
agement and PCI compliance, Dr. Chuvakin has published
dozens of papers on log management, SIEM, correlation,
security data analysis, PCI DSS and security management. This Technical Guide, Resolve to Revitalize Your SIEM,
HOME He is an author of Security Warrior and PCI Compli- is a Security Media Group e-publication.

ance. For more, check out his Gartner blog, personal blog Robert Richardson | Editorial Director
EDITORS NOTE
or follow him on Twitter @anton_chuvakin. Eric Parizo | Executive Editor
NEW ADVANCES Kara Gattine | Executive Managing Editor
IN SIEM
MICHAEL COBB, CISSP-ISSAP, is a renowned security Brenda L. Horrigan | Associate Managing Editor
RETHINK author with over 20 years of experience in the IT industry. Sharon Shea | Assistant Editor
HOW YOU USE
He co-authored the book IIS Security and has written Linda Koury | Director of Online Design
YOUR SIEM PRODUCT
numerous technical articles for TechTarget. He has also Neva Maniscalco | Graphic Designer
TIME FOR A been a Microsoft Certified Database Manager and reg- Jacquelyn Howard | Senior Director, Editorial Production
SIEM REBOOT
istered consultant with the CESG Listed Advisor Scheme Doug Olender | Senior Vice President/Group Publisher
(CLAS). Cobb has a passion for making IT security best dolender@techtarget.com
practices easier to understand and achievable.
TechTarget
275 Grove Street, Newton, MA 02466
KAREN SCARFONE is principal consultant for Scarfone www.techtarget.com

Cybersecurity and specializes in network and system
security guidelines. Scarfone was formerly with the
National Institute of Standards and Technology (NIST),
where she oversaw the development of system and network
security publications for federal civilian agencies and
the public. She has coauthored more than 50 NIST
Special Publications and Interagency Reports.
2015 TechTarget Inc. No part of this publication may be transmitted or re-
produced in any form or by any means without written permission from the
publisher. TechTarget reprints are available through The YGS Group.
About TechTarget: TechTarget publishes media for information technology
professionals. More than 100 focused websites enable quick access to a deep
store of news, advice and analysis about the technologies, products and pro-
cesses crucial to your job. Our live and virtual events give you direct access to
independent expert commentary and advice. At IT Knowledge Exchange, our
social community, you can get advice and share solutions with peers and experts.
COVER ART: THINKSTOCK

13 RESOLVE TO REVITALIZE YOUR SIEM