Q&A: Security Information and Event Management

Why current security tools aren’t adequate, and what vendors and IT must do now to secure their environment.

IT is increasingly battling a host of security vulnerabilities. Although most shops have viruses and intrusions under control, a major concern still remains: knowing when security ”events” occur and understanding how to respond.

To learn more about the state of security information and event management (SIEM) tools, we spoke with John Linkous, product evangelist at eIQnetworks.

Enterprise Strategies: What are SIEM tools, and what is the business problem they attempt to solve?

John Linkous: Security Information and Event Management (SIEM) tools provide a platform for consolidating a broad range of security-related event data from across the enterprise. Primarily based around log files, SIEM provides a mechanism for centrally collecting and managing disparate data that may come from a wide range of platforms and devices, including operating systems, applications, services/daemons, and infrastructure services such as firewalls and VPNs. Organizations use analytics within their SIEM tools to provide a range of functions, including trend analysis, event identification, correlation, and alerting, and evidence of compliance with regulations and statutes.

One business problem that SIEM tools address is “bad behavior” -- identifying when things go wrong within a system or group of systems. These bad behaviors -- regardless of whether they are accidental or intentional -- can have significant and direct impacts on an organization’s ability to function. Financial reporting, employee onboarding/offboarding, and operations are just a few examples of business processes that can all be negatively impacted by the bad behavior of technology.

Another business problem addressed by SIEM is the need for consolidating and reporting on data to meet compliance drivers. As regulations, best practices, and adopted security standards continue to increase, organizations find themselves mandated to monitor and report on certain types of events, such as failed authentications and inappropriate use of system resources. By using a SIEM platform, organizations can provide evidence of compliance with portions of drivers including SOX, PCI-DSS, and others.

Why do these problems exist?

Security issues have always existed within IT, but have increased in scope as distributed systems have been rapidly adopted. Consider a highly distributed, multi-tiered ERP system. Dozens of specialized, optimized hosts handle different components of the system -- database, presentation tier, authentication, messaging, and business logic -- all of which are connected together through multiple network devices. Each component can (and does) introduce potential security issues and attack vectors to the overall system, and there is no easy way to monitor and alert on systemic issues that can affect underlying business processes.

The primary driver behind the compliance business case for SIEM is simply the increasing number of mandates that have been issued within the past several years. While the concept of modern electronic information security goes back to the mid-1970s, security provisions within laws really started to take a foothold with HIPAA in 1996, and then snowballed after the coincidental events of 9/11 and the widespread corporate malfeasance of Enron, Tyco and others.

At the same time as mandates such as SOX, GLBA, and PCI-DSS were established, both new and existing guidance for how to specifically implement these mandates was widely adopted, including COBIT, ISO17799/27002, and ITIL. Today, the number of new mandates shows no sign of slowing down, and dealing with a multitude of regulations, best practices, and security standards is now simply a fact of life within IT.

What kind of SIEM tools exist today?

At the most basic level, all SIEM tools share the same capabilities: they collect event data from a wide range of sources; store these events in a pristine condition in a centralized database; provide users with the ability to establish monitors and alerts for specific events (and sequences of events); provide an intelligent correlation engine that automatically discovers unusual or potentially damaging patterns; and generate both stock and customized reports.

However, some SIEM tools do separate themselves from the pack by providing abilities that go beyond this basic definition. For example, some SIEM tools also collect vulnerability data from trusted sources (such as CERT and CVE), correlate this with log data from vulnerability scanners, and can identify the risks to hosts and devices based on their exposure to known vulnerabilities.

What are the strengths of these tools?

The primary strength of SIEM tools has always been that they provide a centralized, searchable repository of log data from across the enterprise. From a business perspective, this has several advantages: customers can quickly identify correlated events from across different hosts and network devices, which provides a systemic view of what’s going on; a larger number of systems can be monitored by a smaller number of personnel; and event data can be correlated to specific regulatory and compliance drivers such as SOX and PCI-DSS.

How and why are current SIEM tools deficient?

Although SIEM tools continue to extend the scope of log collection to new platforms (such as wireless infrastructure devices, or messaging/middleware products), the type of data they collect has remained static: event data. Although event data is definitely useful, it only presents a partial view of the information that is required to achieve security that is not only systemic but holistic as well.

Take the common example of a malicious attacker. If an attacker is able to compromise a system to the root/admin level, one of the very first things that attacker is likely to do is disable logging. A SIEM tool may be able to identify the events that led up to the compromise, but will have no visibility into other things the attacker did on that system: created new credentials, installed trojan code, or used the system to attack other hosts in the environment. Because SIEM tools are limited in the scope of the data they can collect, users must rely on other tools to manually correlate data. This is a labor-intensive process and keeps holistic security a reactive, rather than proactive, process.

What can vendors do to overcome these deficiencies in the long term?

The best way to make security a proactive effort inside the enterprise is to establish a centralized repository of all security data, not just events. Today’s SIEM point solution vendors should consider integrating with other platforms that capture the types data they don’t -- asset, configuration, performance, vulnerability, and network flow data -- or building the collection of this data into their own products. We see this today with large, established vendors such as Symantec and CA, who are trying to build bridges between their individual point products, and turn them into a consolidated repository for security data.

These vendors are not quite “there” yet (since most that employ this model are relying on disparate technologies acquired through mergers and acquisitions, rather than organically grown technologies), but it does represent one way to address the growing clamor of customers who are seeking end-to-end, fully-integrated security and compliance platforms.

What should IT do in the meantime? What best practices do you recommend?

Until SIEM tools start extending into true security platforms, the best option for enterprises of all sizes is to adopt multiple point solutions to address these gaps and provide complete security coverage. Some of the most useful tools that complement SIEM, but don’t necessarily feed event data into SIEM products, include: enterprise security management (ESM) tools that can address system configuration and patch management; network performance management tools that identify ports, protocols, and applications moving across networks; identity and access management (IDM/IAM); and data loss prevention (DLP) technologies. Of course, no software (SIEM or otherwise) can substitute for a true security program that addresses security technologies, as well as human factors such as governance and security awareness.

What products or services does eIQnetworks offer in the SIEM market?

eIQnetworks is the developer of the SecureVue enterprise security and compliance platform. SecureVue is an agentless technology that captures, correlates, and analyzes event data just like SIEM solutions, but extends this into other types of security information including asset and configuration data, performance metrics, vulnerability data, and network flow analysis data.

SecureVue provides a correlation engine, pre-built and fully customizable monitors and alerts, and drill-down visualizations across all collected security data. An additional component of SecureVue, Audit Center, provides the ability to map collected security data to specific regulations, best practices, and standards, including SOX, PCI-DSS, HIPAA, COBIT, and ISO17799/27002.

eIQ also offers a broad range of professional services related to the SecureVue platform, including implementation architecture and hands-on product implementation, custom compliance content development, and security and compliance program management consulting.

Must Read Articles