Breaking Through the Cyberattack Noise with SIEM

Security information and event management (SIEM) can help administrators track security data in a networked environment and counter potential threats.

by Jim Ebzery

The frequency and increasing sophistication of cyberattacks are drawing headlines in many of today's business and IT publications. Each year, more companies are confronted with the harsh reality of these attacks and the associated price tag of millions of dollars in network downtime. In a February 2007 report, Infonetics Research found that the average cost of downtime per large organization resulting from information security attacks is more than $30 million each year. This amount includes revenue loss from slow or non-working systems and lost productivity, which, when coupled with lost revenue from non-security related downtime, pushes the expense even higher.

Whatever the reasons these attacks occur—financial gain, malicious intent, or virtual harassment—they are not going to stop anytime soon. For cybercrooks, causing network downtime is enormously successful because organizations are unable to effectively monitor and prevent it—there is just way too much security data to sort through.

Data, Data Everywhere

Each day, networks gather thousands, if not millions, of security incidents and event data from point products such as firewalls and intrusion detection systems, and accumulate this information into log files. These daily security incidents add up to a lot of buried information and require hours of complex data sorting and managing. In many cases, the events may be interpreted as “alerts” or requests for information. Even though some of these alerts represent real security issues, the vast majority do not. Furthermore, it is impossible to tell the difference quickly with data stored in log files without applying context.

To prevent cyberattacks, it’s critical for organizations to have effective enterprise management tools in place to make sense of the data stored in log files and respond quickly to security incidents. One popular tactic employed by “bad guys” is to launch a flood of requests to your Web site, known as denial-of-service (DoS) attacks. These attacks overwhelm your servers with communication requests to the point of collapse. Recently, this tactic was used in Estonia, where a number of government Web sites were bombarded by botnets and temporarily shut down. While the actual source of these attacks is unclear (Estonia has accused Russian cybercriminals of launching the attacks), what is clear is that these attacks disrupted the Estonia government's online work.

To respond quickly to malicious tactics (such as the Estonia attack) and determine their source, organizations require real-time visibility into their networks. Some organizations solely rely on log collection to secure their environments. While capturing data in log files is a start and is useful for historical record keeping, it does not provide the ability to analyze, interpret, and respond to data events as they occur. Organizations that rely on log management alone may experience trouble balancing limited resources with the continuous supply of log data. Other concerns include: the large number of available log sources, inconsistent log content, formats and timestamps among sources, and large volumes of log data.

Perhaps the biggest challenge of solely relying on log management is ensuring that security systems and network administrators regularly perform effective data analysis, as this is where many mishaps occur. Weekly, daily, even hourly reviews are too late if an incident occurs that needs timely attention.

Breaking Through the Noise

The best solution to help administrators track security data in a networked environment and effectively counter potential threats is security information and event management (SIEM). Companies rely on this technology to visualize and monitor security events in real time, respond immediately, and analyze and report on log data for compliance purposes.

SIEM solutions break through the noise and detect multi-source attacks by:

  • Collecting event records
  • Detecting and prioritizing incidents
  • Separating real security violations from false alarms
  • Aggregating security events from different locations and devices

Because of these capabilities, analysts at IDC say SIEM is one of the fastest-growing sectors in the security industry, and the market is expected to grow from nearly $380 million in 2006 to $873 million in 2010.

SIEM has evolved over the years. In the late 1990s, the technology was solely focused on perimeter security infrastructure and external threats. Today's SIEM solutions not only protect against security threats, they are a critical element of an IT compliance program, helping companies meet government regulations, industry standards, and internal policies.

SIEM products are also incorporating more identity and access management (IAM) information, enabling organizations to better identify the source of network and application events. This convergence of identity, access and security management allows companies to make sense of large amounts of security and auditing data with one cost-effective, reliable monitoring and response-oriented solution.

Benefits of IAM and SIEM Convergence

Where SIEM has most benefited from integrating with identity and access management solutions is connecting user accounts captured in logs to identities and roles. For example, while it is acceptable for John and Jane Smith to both have valid access to key IT applications, the event-centric view of the SIEM products has made it very difficult to determine if the access failures of JSmith01 or JSmith02 are malicious or just circumstantial.

SIEM solutions tend to focus more on the criticality of the system being monitored and sometimes lack the reference points to successfully reconcile user behaviors based on identity and roles.

A combined IAM with SIEM approach helps associate relevant event logs to real individuals and provides the confidence and urgency to take action in a timely manner. By offering user provisioning tools, managing multiple roles and passwords, and supporting regulatory attestation claims, IAM solutions truly round out SIEM's real-time monitoring and log breakthrough, and ensures the right user has access to the appropriate resources.


Managing large volumes of data is challenging for organizations. Cyber thieves see this chaos as an opportunity to stage their exploits. As seen from the Estonia attacks, the chaos is sometimes a key part of the exploit itself. SIEM tools provide more real-time visibility into the events on your network and create some clarity through the overwhelming amount of information that can pile up and create more opportunities for breaches to occur.

To strengthen SIEM’s capabilities, integrating identity and access management will identify who is accessing your company's critical data and help prevent an attack from bringing down your business.

- - -

Jim Ebzery is the senior vice president, Identity and Security Management, for Novell. Before joining Novell, he served as president of the Viisage Division of L-1 Identity Solutions, a leading identity management vendor, until the company was acquired by L-1 Identity Solutions. Ebzery has a Bachelor of Science degree from Boston College in Computer Science.