Building a secure IT infrastructure including firewalls, advanced threat detection, two-factor authentication, encrypted data, segmented networks and the like helps create a robust defence against cyberattacks, but CISOs still have to deal with a torrent of log, flow and packet data.
The solution was supposed to be security information and event management (SIEM) suites, which ingest and correlate the signals for analysis. But SIEMs have a reputation for being complex to manage and generating too many alerts.
“Even a successful SIEM deployment — whether the company acquired it or is running and maintaining it — is an expensive and resource-intensive proposition,” Oliver Rochford, Gartner’s research director for security management solutions, has written.
“It failed as a technology,” John Kindervag, enterprise security analyst at Forrester Research says flatly. “That’s why we’re telling our customers not to use traditional SIEM.” Instead they should be looking at newer versions that includes threat monitoring and analytics.
“If you’re buying traditional SIEM you’re wasting your money,” he says. “You need to move to a security analytics platform that gives you the ability to look at all traffic — external and internal.”
But recently these solutions have improved thanks to competition, demand by CISOs for more automation and for solutions that meet the needs of mid-sized organizations.
Take, for example, CanDeal Inc. a platform that facilitates electronic bond and derivative trading in this country. Owned by the Toronto Stock Exchange and Canada’s six biggest banks, it executes about $2.5 trillion a year in trades so expects to be a target of attackers. Yet when Kristofer Laxdal joined the company two years ago as head of information security CanDeal was relying on separate solutions for log alerts from firewalls, switches and servers. Laxdal wasn’t surprised.
“I think a lot of companies that are mid-sized might not be at the point where they are seriously thinking of a SIEM,” he said in an interview. But, he added, “there’s been a bit of a tipping point in the last two years in terms of maturity of SIEMS. … One can get more value out of SIEM today.”
In CanDeal’s case he chose Splunk Enterprise and Splunk App for Enterprise Security as the company’s SIEM. Not only does it correlate data from internal systems, it also takes STIX and TAXI feeds from the financial services incident and analysis centre in the U.S. that shares indicators of compromise at member financial institutions. (The ability to take such feeds is offered by a number of SIEMs).
“Malware is ever-evolving,” Laxdal said. “Having a tool like a SIEM that will provide indexing and bring in those indicators of compromise almost in real time, and troll through that data, is very helpful in that battle.”
There’s no shortage of SIEM solutions. Gartner counts 12, including IBM Corp.’s QRadar, Hewlett Packard’s ArcSight, Splunk Enterprise, Intel Corp.’s McAfee Enterprise Security Manager, LogRhythm, MicroFocus Int.’s NetIQ Sentinel, SolarWinds Log and Event Manager, AlienVault Unified Security Management, EventTracker, AccelOps and BlackStratus.
To meet the competition these vendors are adding usablity features. For example, Barbara Kay, Intel’s senior director of strategic solutions, notes the maxi version of company’s McAfee Enterprise Security Manager has downloadable content packs that have pre-packaged correlation and configuration roles for particular problems.
Eric Schou, director of product marketing for HP ArcSight, said the suite comes in an Express version for mid-size organizations.
Renee Bradshaw, a senior solution marketing manager at Micro Focus said the company’s NetIQ Sentinel solution pulls identity information from an organization’s infrastructure (like roles and access rights) to provides context so an analyst can be alerted to signs of insider threats.
Still, easily installing, configuring and taking advantage of a SIEM seems to be the exception and not the rule. Sandy Bird, CTO of IBM Security Systems, says much depends on the maturity of infosec teams and their ability to take advantage of the signals the SIEM sends out. Some organizations, he notes, never correlate alerts back to their root cause.
“It’s one thing to put a technology in, but the problem is you need to operationalize it, you need to go through use case development — what are you going to detect, once you’ve detected those, what’s your response? We hope you compile a playbook. But do you practice the playbook?”
And, he adds, just because there’s an advanced SIEM doesn’t mean customers can skip basic security.
“The most frequent mistakes that we see is selecting a SIEM solution before having established a clear plan of engagement, that includes the objective of the deployment, the scope of what is to be monitored and what for,” Gartner’s Rochford said in an email interview. “Without this planning, organizations can find themselves with a SIEM solution that does not fulfill their requirements. Instead, they should follow a formalized planning approach that covers the objectives, scope and use cases the SIEM will be used for.”
Monzy Merza, chief security evangelist at Splunk agrees there is a maturity curve. When looking for a SIEM solution, he adds, look for one that enables analysts to pay attention to signals that are important.
Two things analysts we talked to agree on: a SIEM — or any solution that aggregates and analyzes machine data — is essential today, but infosec staff have to start slow and build on what they learn to tune the solution.
“Trying to throw everything at the SIEM at once is the biggest mistake we see,” said Rochford — “the belief is that a SIEM just takes logs and automatically detect security issues. The reality is that SIEM only requires specific logs for this, and more importantly, they have to be associated with correlation rules, dashboards and reports. Adding too much at once makes adding and optimizing these more difficult, as well as impacting the performance and scalability of the overall solution. We recommend a phased approach, adding only the sources required for each use case, use case by use case.”
“You have to match your SIEM solution to your capabilities,” says Jon Oltsik of the Enterprise Strategy Group. “A SIEM solution that can do anything if you customize may not be the right fit if you don’t have the skills or the resources to use it appropriately.”