The forthcoming May issue of SC Magazine UK carries a feature entitled "SIEM: Out of the shadows and into the light". Because it is needed for ×××, it is reproduced below. [I have marked the passages and phrases I consider most important, FYI]

 

Everyone is talking about security information and event management (SIEM), which gives organisations a unique vision of the threats they encounter.

By David Waller.


Being a property owner can be a massive headache. You end up spending
thousands to protect what's yours – securing doors, windows, and every
other feasible point of entry. Yet all a criminal needs is one shot – a
misplaced key, say – and he is in. That's why people turn to CCTV. The
all-seeing mechanical eye won't stop the intruder, but at least it shows
what he looks like, how he got in – and exactly what he's doing to that
antique rug.


These days, threats to network security are no different, and it is increasingly common to find perimeter and endpoint defences such as firewalls being beaten. Three cheers then for security information and event management (SIEM), sold as a kind of CCTV for your system. It is a technology that pulls together logs of information and events from across the network and correlates them to give users a near-real-time view of the threats they face.


It is certainly easy to see why it should attract attention right
now. In a world of WikiLeaks and Stuxnet, a platform that is built to
battle both internal and external threats is not a hard sell.


Yet that's not all. SIEM also enables companies to collect, store and
analyse a colossal amount of log data, helping to ensure compliance
with the spread of increasingly stringent and far-reaching regulations.


SIEM is very much of the moment. According to Gartner it is the fastest-rising sub-section of the security sector, growing at a rate of 21 per cent a year. And when HP stumped up $1.5 billion for ArcSight in October 2010, SIEM had its first big-money buy-out.


Yet as even its vendors will tell you, SIEM is merely a small part of a bigger security puzzle.


The meaning of SIEM

The term SIEM was coined by Gartner analysts Mark Nicolett and Amrit Williams in 2005, and describes the point where IT meets surveillance: security products have traditionally focused on perimeter defence, but relying on firewalls, IDSs and antivirus alone won't cut it these days.


“Penetration is a given,” says Jay Huff, EMEA marketing director at ArcSight. “The problem with those endpoint solutions is that once someone's through, that solution is finished. And once that threat is inside, companies need to know what it's up to.”


SIEM takes all the information gathered from events across the
network – from system logs to who is swiping themselves into the
building – and tailors it to inform the business about exactly what is
happening and when.
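The correlation the paragraph describes, pulling a physical badge-access feed and a VPN gateway feed into one timeline, is shown below as an added example; it is not code from the article or from any SIEM vendor. The log line formats, the field names, the sample events and the 30-minute window are all assumptions chosen for illustration. The rule it implements is a simple one: a VPN session that starts shortly after the same person badged into the building is either a shared credential, a stolen badge, or someone who forgot to badge out, and all three deserve a look.

```python
"""Cross-source correlation: a VPN session that starts shortly after the same
user badged into the building is worth a look. Added example; not code from
the article or from any SIEM vendor. The log formats, field names and the
30-minute window are assumptions chosen for illustration."""
import re
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Badge lines come from the door
# controller, VPN lines from the remote-access gateway; one line is deliberately
# unparseable to show that a normaliser must cope with junk.
SAMPLE_LOGS = """\
2011-04-12T08:55:10 badge door=main-entrance user=asmith result=granted
2011-04-12T09:02:41 vpn user=bjones src=203.0.113.7 event=session-start
2011-04-12T09:10:05 vpn user=asmith src=198.51.100.23 event=session-start
2011-04-12T09:30:00 badge door=main-entrance user=bjones result=denied
2011-04-12T12:00:00 badge door=main-entrance user=cwu result=granted
2011-04-12T13:00:00 vpn user=cwu src=192.0.2.44 event=session-start
this line is not in a format the parser understands
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>badge|vpn) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(text):
    """Normalise raw lines into dicts with a common 'ts', 'source' and 'user'.
    Lines that do not match are dropped (a real deployment should count them,
    because a silently dropped feed is a blind spot)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group("rest")))
        fields["ts"] = datetime.fromisoformat(m.group("ts"))
        fields["source"] = m.group("source")
        events.append(fields)
    return events


def correlate(events, window=timedelta(minutes=30)):
    """Return one finding per VPN session that starts within `window` after the
    same user's last granted badge entry. Each finding is
    (user, badge_time, vpn_time, vpn_source_ip) with ISO-8601 timestamps."""
    last_entry = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev.get("user")
        if ev["source"] == "badge" and ev.get("result") == "granted":
            last_entry[user] = ev["ts"]
        elif ev["source"] == "vpn" and ev.get("event") == "session-start":
            entered = last_entry.get(user)
            if entered is not None and ev["ts"] - entered <= window:
                findings.append((user, entered.isoformat(),
                                 ev["ts"].isoformat(), ev.get("src")))
    return findings


if __name__ == "__main__":
    for user, badged, vpn, src in correlate(parse(SAMPLE_LOGS)):
        print(f"{user}: badged in {badged}, VPN from {src} at {vpn}")
```

Two things the toy hides but a real deployment cannot: the two feeds must share a synchronised clock (NTP on the door controller as well as the gateway), and the user identifier must be the same string in both feeds, which is the unglamorous normalisation work that takes most of a SIEM project's time.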


Gartner lists 20 key players in the SIEM space, which suggests a
market with a healthy dynamism and offering a raft of commercial
products. Those companies include ArcSight, BlueSOC, Cisco Security
MARS, LogLogic, Logica, NitroSecurity and RSA enVision.


These platforms are tasked not just with keeping those nasty elements
on the far side of your firewall. When the technology first emerged for
gathering the huge stores of data that networks were spitting out,
security was simply the first logical use, but that data can also be
mined for other things.


An intelligent view

Recently, the focus of SIEM has moved away from the S and toward the I and the E – the information and events. It can help provide operational intelligence and proactive hardware management, as well as monitoring of mobile users, laptops and access to applications.


“I liken all this to digital detective work,” says Bill Roth, chief
marketing officer at LogLogic. “Every action leaves footprints in the
sand. Our job is to say who left them and when, and where that trail is
leading.”


Pre-Stuxnet, major utilities operations may have only used such data to improve their processes. Now they can see how vulnerable they are to security breaches too. But security is only half the picture. The biggest driver for SIEM is in fact the increasingly treacherous minefield that is regulatory compliance. According to Gartner, more than 80 per cent of SIEM take-up in the US comes from the need for organisations to show they are on top of regulation.


This trend is also starting to apply to Europe. Retailers handling credit cards need to comply with the Payment Card Industry Data Security Standard (PCI DSS), proving their responsible handling of customer card data. Requirement 10 says you have to track and log all access to cardholder data, retain the audit trail (at least a year, with the most recent three months immediately available) and review it regularly. “We like that rule,” says Roth.


Retailers can align SIEM to their policy, creating, say, alerts when
any credit card data is accessed on the system outside of business
hours.
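What such a policy-aligned rule looks like once written down is shown in the added example below; it is not code from the article or from any vendor's product. The database audit-line format, the table names, the 08:00 to 18:00 Monday-to-Friday window and the 1,000-row bulk threshold are assumptions. It goes slightly beyond the paragraph by adding a second condition, a bulk read at any hour, because an out-of-hours rule alone is blind to a daytime dump of the whole table.

```python
"""PCI DSS-style rule over database audit events: alert when a cardholder-data
table is read outside business hours, or in bulk at any time. Added example;
not code from the article or any vendor. The audit-line format, table names,
08:00-18:00 Mon-Fri window and 1,000-row bulk threshold are assumptions."""
import re
from datetime import datetime, time

# Constructed audit lines from a hypothetical card vault database, not real logs.
SAMPLE_AUDIT = """\
2011-04-12 14:03:22 db=cardvault user=pos_app table=card_pan action=SELECT rows=1
2011-04-12 02:17:09 db=cardvault user=dba_mike table=card_pan action=SELECT rows=25000
2011-04-12 23:40:00 db=cardvault user=report_svc table=orders action=SELECT rows=400
2011-04-13 18:00:00 db=cardvault user=pos_app table=card_pan action=SELECT rows=2
2011-04-16 10:15:00 db=cardvault user=dba_mike table=card_pan action=SELECT rows=3
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def is_business_hours(ts, start=time(8, 0), end=time(18, 0)):
    """Mon-Fri, start <= clock time < end. Timestamps are assumed to already be
    in the business's local time; if sources log in UTC, convert first, or the
    rule fires at the wrong hours."""
    return ts.weekday() < 5 and start <= ts.time() < end


def evaluate(text, cardholder_tables=("card_pan",), bulk_rows=1000):
    """Return (timestamp, user, reasons) for every read of a cardholder-data
    table that breaks the policy. Other tables are ignored, which is the
    scoping step: PCI only cares about where cardholder data lives."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        f = dict(KV_RE.findall(m.group("rest")))
        if f.get("table") not in cardholder_tables:
            continue
        reasons = []
        if not is_business_hours(ts):
            reasons.append("outside business hours")
        if int(f.get("rows", "0")) >= bulk_rows:
            reasons.append("bulk read")
        if reasons:
            alerts.append((m.group("ts"), f.get("user"), reasons))
    return alerts


if __name__ == "__main__":
    for when, who, why in evaluate(SAMPLE_AUDIT):
        print(f"{when} {who}: {', '.join(why)}")
```

Note the boundary: 18:00:00 on a weekday is already outside hours, because the window is half-open. Decide that explicitly, write it in the policy, and test it, rather than discovering it during an audit.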


Its use spreads far further than retail: to telcos, to financial organisations sensitive to the regulations coming out of Basel, and to organisations working with the UK Government, which have to comply with GPG13 (CESG's Good Practice Guide on protective monitoring) and CESG Memo 22, covering connections to the secure government intranet.


There are similarly tight standards for dealing with patient details
in the UK and the US healthcare systems, and the more general ISO 27002
information security standard.


Beware the cons

While the downside to not complying with regulations is abundantly clear
–“There are now huge fines or even imprisonment as a punishment for the
misuse of data,” explains Roth – that's not to say the proposed
solution comes without its criticisms.


SIEM products have been written off by some as expensive, hard to
implement and lacking sufficient standardisation. Setup requires a fair
amount of planning, installation, systems integration and training.
What's more, running it requires constant monitoring.


Some critics also highlight the danger of being overwhelmed by data.
Customers plump for the well-marketed ‘next big thing', splash out on a
SIEM package, and watch in awe as the records of billions of events come
flashing across their screen. Then they realise that they do not have
the first clue what to do with it all.


Vendors acknowledge that this is a risk, yet argue that it is simply a case of knowing where your priorities lie. Receiving all this data for the first time can be daunting – for many it will be an eye-opener as to how much information they didn't previously have access to – yet rare is the company that isn't grateful for the visibility.


Too much information?

Big customers such as banks could be receiving 20,000-30,000 log events a second from a single firewall. Imagine the numbers at eBay or Amazon. It is a huge data challenge. “There's no point in spitting out pages and pages of the stuff,” says Gary Nation, head of SIEM at RSA. “Even a big IT team can't handle too much. Think of it like a funnel. There's all this stuff on top, and you want the stuff coming out from the bottom to be actionable, relevant information.”
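The funnel Nation describes is, mechanically, aggregation: many raw events in, a handful of summarised alerts out. The added example below shows the shape of it on firewall deny events; it is not code from the article or from RSA or any other vendor, and the event format, the one-minute bucket and the 20-distinct-port threshold are assumptions. The sample input is generated inside the block so the reduction ratio can be seen directly.

```python
"""The funnel: collapse a flood of firewall deny events into one alert per
scanning source. Added example; not code from the article or any vendor.
The event format, one-minute bucket and 20-distinct-port threshold are
assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(?P<ts>\S+) fw (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def make_sample():
    """Constructed firewall deny events (not real logs): one host sweeping 200
    ports on a server in 40 seconds, plus 50 stray denies from five ordinary
    clients all hitting port 445."""
    base = datetime(2011, 4, 12, 10, 0, 0)
    lines = []
    for i in range(200):
        ts = (base + timedelta(seconds=0.2 * i)).isoformat()
        lines.append(f"{ts} fw action=deny src=198.51.100.9 dst=10.0.0.5 dport={1000 + i}")
    for i in range(50):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} fw action=deny src=192.0.2.{i % 5} dst=10.0.0.5 dport=445")
    return "\n".join(lines)


def funnel(text, bucket=timedelta(minutes=1), min_ports=20):
    """Group denies by (source IP, time bucket) and keep the set of distinct
    destination ports per group. Return (raw_event_count, alerts) where each
    alert is (src, bucket_start_iso, distinct_port_count)."""
    buckets = defaultdict(set)
    raw = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw += 1
        f = dict(KV_RE.findall(m.group("rest")))
        if f.get("action") != "deny":
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        start = ts - (ts - datetime.min) % bucket  # floor to the bucket boundary
        buckets[(f["src"], start)].add(int(f["dport"]))
    alerts = [(src, start.isoformat(), len(ports))
              for (src, start), ports in sorted(buckets.items())
              if len(ports) >= min_ports]
    return raw, alerts


if __name__ == "__main__":
    raw, alerts = funnel(make_sample())
    print(f"{raw} raw events -> {len(alerts)} alert(s)")
    for src, start, n in alerts:
        print(f"{src} touched {n} distinct ports starting {start}")
```

Two hundred and fifty raw events become one alert, and the fifty denies from ordinary clients produce nothing because they never exceed one distinct port. The raw events are not thrown away: they still go to the log store for the retention and review the compliance section asks for; the funnel only decides what reaches an analyst's screen.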


It is a matter of thinking about the critical business assets so that
the customer can tell the provider which data to collect.
A bank may
look to prioritise customer-facing applications; a retailer looking to
comply with PCI will need to focus on events relating to credit card
transactions. Instead of being daunting, the data soon becomes a useful
capability. SOC operatives, meanwhile, become far more efficient.


Vendors can provide out-of-the-box solutions, training on the technology, advice on best practice and consultation on compliance. The hard part is knowing your policies and matching it all up. Hence they are moving towards easy-to-use interfaces that integrate SIEM with other solutions, such as log management, database management and application layer tools, and developing real-time monitoring so that a company can stay on top of compliance year-round.


This scenario, says Mehlam Shakir, CTO at NitroSecurity, is the
alternative to “running around like headless chickens for a month
preparing for the audit, then forgetting about it for another year”.


HP's big-money punt on ArcSight shows just how seriously the industry is taking SIEM. But even ArcSight's Huff is quick to caution against any shouts of ‘the next big thing', pointing out that this is not the solution to end all others; he sees it more as an “additive technology”.


It won't stop malicious attacks – you will still need endpoint
solutions for that; rather, SIEM is about collecting as much information
as possible and making sense of it in order to better arm users in the
fight against threats.


The other key bonus of SIEM, Huff says, is that it frames the security issue in a way the average business leader can understand. Suddenly able to see the malicious threats to the network, they are more likely to do something about them. As such, it could be a real boon to security intelligence.


“Endpoint tools don't work when it comes to boardroom discussions,”
says Huff. “They don't give you any visibility. SIEM lets people look at
their organisation's security from a technical perspective and create a
dialogue: ‘Here are the bad things going on across your network, and
here's how to shore up your defences.'”


So what can we expect from the SIEM space in the future? For one, consolidation – the current glut of smaller vendors may soon go the way of ArcSight, as more of the big boys plant their flag in the security patch.


Second, there will need to be a move toward standardisation. “In five
years' time, you will see a common profile for security technology,”
explains Roth. “It could well be a case of saying ‘do these 12 things
and you shouldn't end up being sued'.”


Yet SIEM remains just one part – albeit a key part – of an organisation's wider security infrastructure. As the industry moves toward the adoption of security intelligence platforms, it will have to fight for its place alongside other solutions that help provide defence in depth – think data filtering, IDS and encryption.


Regulation is hardly going to disappear overnight, and the future for
organisations is certain to involve ever-more malicious attacks in the
Stuxnet mould, as well as an increasing threat from within. So it seems
that CCTV could well come in handy.


SIEM as a service


Given the obvious benefits of SIEM to businesses of all sizes – right
down to the smallest retailer handling credit card payments – there are
clear advantages to making its provision as cheap and uncomplicated as
possible. Vendors are taking this fact very seriously, putting an
outsourced solution at the centre of their plans: working with managed
security service providers (MSSPs) and taking steps to move to the
cloud. The latter presents hurdles, with some saying the migration will
make the current model of SIEM provision redundant – yet vendors are
bullish about the prospects. 


SIEM vendors already have a history of working with MSSPs – third
parties that take the raw SIEM technology and spin it into tailored
packages. Rather than having to bring solutions in-house, end-users can
instead subscribe to specific remote services – to aid compliance, for
example. This may be PCI-as-a-service, or a package to cater
specifically for ISO 27002. It is not a huge leap to imagine the likes
of Integralis developing a compliance package for GPG13, which applies
to all organisations working with the Government.


Dell's purchase of MSSP SecureWorks earlier this year can be taken as
vindication of the outsourcing model, and shows where the industry is
heading. LogLogic has been offering its SIEM technology via third-party
organisations such as Verizon for several years, and says the take-up of
outsourced solutions is accelerating. NitroSecurity also reports an
uptake in managed service activity, and says the provision of enabling
technology for MSSPs to provide to customers is central to its strategy.
Again, it has found this to be particularly popular in PCI compliance.


However, one cannot examine developments in SIEM without hearing
mention of the cloud. That migration has happened in log management, and
there are movements among SIEM vendors to provide managed SIEM services
in the cloud, too. This provides real benefits for smaller
organisations, easing the cost and burden of implementation even
further. The cloud removes the need to deploy their own solutions,
hardware and software; instead they simply subscribe to whatever
services they need for a few pounds a month – and can drop and amend as
required.


Yet a huge amount of uncertainty still exists around the cloud, and there are issues to overcome in SIEM as in any other technology. The question facing SIEM vendors in the future will be whether they can re-engineer their current solutions, designed to be the be-all and end-all security solution for the customer, to suit a model where security and incident response increasingly pass to IaaS providers, with control increasingly distributed and shared. Here the end-user business becomes the consumer of information and an audit point – a huge shift from the in-house model.


Overall, though, the cost and labour benefits of SIEM as a service
remain strong. End-users are demanding security as a utility – they
simply want to plug it in and run it.


Case study: ArcSight


“For most companies, it's not a matter of if you adopt SIEM, but when,” says Eric Mazurak, a network/security engineer at US law firm Reed Smith, which uses ArcSight's SIEM products ESM and Logger. He explains: “Security purposes drove the purchase; it enabled us to detect events happening across multiple systems that individual tools might dismiss, but when aggregated and contextualised become more apparent.


“Regulatory drivers didn't force our hand, but we recognise that
regulatory compliance will continue to weave its way into companies more
than it ever has. It's nice to know we can leverage the technology in
future to that end, too. Most companies have implemented security in a
piecemeal way to deal with specific needs or prevailing threats:
everything from client anti-virus and firewalls to technologies such as
NAC, dynamic port policy and .1x authentication for the client.


“Each of these technologies uses dozens of consoles to manage, alert
and report, and it's likely they're all being operated by different
teams. All companies suffer from this disease to some extent, and it
hinders their ability to effectively manage a potential exposure
cohesively, let alone rapidly.


“ESM and Logger give us granular-level control, scale without
sacrificing performance or security, and are a good fit for Reed Smith's
technical abilities. Crucially, it continues to bring the owners of
these varied security solutions together, looking at the same data in
the same console. Graphs that immediately populate with data and
baked-in rule sets may look pretty and provide some unexpected
surface-level information, but that's all the value you'll get unless
you sweat a bit. ArcSight provides a broader awareness of what is
happening across the enterprise. You benefit from planning what logs
you're sending, what data you care about, etc. There follows a burn-in
period where you just let it gather everything, and then you formalise
your rules and alerts based on the logs you're getting.


“We plan to include more customised integration into our helpdesk and incident tracking software, our NAC, and into more granular database auditing of our more sensitive systems. At the end of the day, the deployment of any SIEM has to be a concerted effort – the more work you put into it, the more the output is relevant to your company.”