Security Information and Event Management
Security Information & Event Management (SIEM) concepts and functionality
When a corporate network is breached, the time between when the attack occurs and when the incident response team responds can make the difference between protecting the organization's most vital data and having embarrassing corporate emails splashed across the Internet and read on the evening news. Recent breaches at major retailers and entertainment companies clearly demonstrate what happens when the worst-case scenarios hit. But Security Information and Event Management (SIEM) software, when correctly configured and monitored, can play a significant role in identifying breaches as they're happening.
Sizing Your SIEM
Companies are likely to overspend on their SIEM implementation if they do not size the software appropriately for the kind of results they require, says Vikas Bhatia, CEO of the New York-based cyber security consultancy Kalki Consulting. This is particularly true for a company making its first SIEM purchase.
The challenges of sizing a SIEM system to meet a company's need are not new. Anton Chuvakin, security research VP at Gartner, cautions companies buying their first SIEM that even free SIEM is not entirely free. He details some of the initial hard and soft costs, as well as the ongoing and occasional costs, related to acquiring and using the software in a blog post written nearly four years ago.
"The best way to compare SIEM products is to fully understand what problem it is you are looking for them to solve," says Mav Turner, director of the security group at Austin-based SolarWinds Inc. "As fun as it is to play feature bingo and to let a vendor demonstrate the thousands of things a product can do, administrators should make sure they understand the few critical things they absolutely need the product to do. If the core use cases can't be quickly demonstrated, they should probably evaluate other products."
Essential SIEM Functionality
The leading SIEM products, including HP ArcSight, LogRhythm, McAfee ESM, Splunk Enterprise Security, and IBM QRadar, all incorporate some or all of the following functionality:
- Integration of traditional logs with other event sources, such as Threat Intelligence, Identity and Access Management (IAM) systems, Database Activity Monitoring (DAM), NetFlow/DPI, File Integrity Monitoring and Application logging
- Capabilities to support a Security Operations Center
- Scalability from SMB to large implementations
- Import and export of content (rules, reports, trends)
- Multi-value lists (active lists, watch lists)
  - Expiration times on lists (expire after X number of minutes/hours) and event on expiration for state table usage
  - Indexed array for event enrichment
  - What available threat intelligence data can be incorporated?
- Ability to create custom log source feeds
  - Import CSV simply
  - Open Database Connectivity (ODBC) queries
  - Regex (regular expression) for file parsers
  - Aggregation and filtering at the collector level (with selectable fields and summarization of fields)
- Reusable and movable objects
  - Filters/building blocks -- named reusable objects
  - Folder/tree structure for rules, network hierarchies
- Summarization tables
  - ArcSight Trends and Splunk data models
  - Selection of critical fields and scheduled summarization of events
- Health status monitoring
  - What self-monitoring and reporting features are available?
  - Free space, event rates/device, CPU and memory utilization
  - Dropped/unparsable events
- Redundancy
  - How do I feed data in from a host through redundant parsers to redundant log management (compliance/1 year) data stores?
  - Correlation engines are not required to be redundant
  - Ability to forward the same log source from a single collection point to multiple destinations (primary log management, secondary log management, product correlation, development correlation)
- Scalability – at the correlation engine level
  - How many concurrent queries can be run for SOC operations?
  - How do I scale performance for ad-hoc use?
  - Concurrency – Can I run multiple queries at the same time?
  - Are overlapping intrusion protection systems supported?
- Role-based access controls – Can the system be configured for Umpqua access to specific subsets of data/content with a mix of read and read/write/create permissions?
- Can the system be configured in a hierarchy? Correlation engine and log management locally at each Umpqua, but master/global content pushed and synched from a managed services group, with local content not overridden but global content incorporated and overwritten?
- Inputs
  - What log sources are supported natively?
- Long term
  - How do we integrate with a ticketing/workflow system?
  - How can we integrate with an existing configuration management database (CMDB) to pull asset tag information?
  - How can we integrate with Governance, Risk, Compliance (GRC) and vulnerability management to provide a common dashboard?
Source: Kent Saunders, Senior Consultant, Accuvant, 2015
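The checklist items "expiration times on lists" and "event on expiration for state table usage" are easier to grasp in code. The following Python is an added example, not code from the article or from any of the vendors named: a keyed active list whose entries age out after a TTL, an on-expiration hook, and one correlation rule that uses the list as a state table to flag a burst of failed logons followed by a success from the same source. The event field names, the threshold and the sample records are assumptions constructed for the example.

```python
# Added example (not from the article or any vendor): an active list with per-entry
# TTL, an on-expiration hook, and one correlation rule that uses it as a state table.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

@dataclass
class ActiveList:
    """Keyed state table; an entry expires ttl seconds after its last update."""
    ttl: float
    on_expire: Optional[Callable[[str, dict], None]] = None
    entries: Dict[str, dict] = field(default_factory=dict)

    def touch(self, key: str, now: float, **fields) -> dict:
        """Create or refresh an entry, bumping its hit count and pushing out its expiry."""
        entry = self.entries.setdefault(key, {"count": 0})
        entry.update(fields, count=entry["count"] + 1, expires_at=now + self.ttl)
        return entry

    def expire(self, now: float) -> list:
        """Drop entries whose TTL has passed, firing on_expire for each; returns their keys."""
        dead = [k for k, v in self.entries.items() if v["expires_at"] <= now]
        for k in dead:
            value = self.entries.pop(k)
            if self.on_expire:
                self.on_expire(k, value)
        return dead

def correlate(events, ttl=300, threshold=3):
    """Rule: >= threshold failed logons from one source, then a success from the
    same source within ttl seconds -> alert. Bursts that age out without a success
    surface as (src, count) 'expired' records through the on-expiration hook."""
    alerts, expired = [], []
    failures = ActiveList(ttl, lambda k, v: expired.append((k, v["count"])))
    for ev in events:  # events are assumed to arrive in timestamp order
        failures.expire(ev["ts"])
        if ev["outcome"] == "failure":
            failures.touch(ev["src"], ev["ts"], user=ev["user"])
        elif ev["outcome"] == "success":
            state = failures.entries.get(ev["src"])
            if state and state["count"] >= threshold:
                alerts.append({"src": ev["src"], "user": ev["user"], "failures": state["count"]})
                del failures.entries[ev["src"]]  # matched: clear state without an expiry event
    failures.expire(float("inf"))  # end of stream: flush whatever is still pending
    return alerts, expired

# Constructed sample: 10.0.0.5 brute-forces then succeeds; 10.0.0.9 fails twice and stops.
SAMPLE = [
    {"ts": 0, "src": "10.0.0.5", "user": "alice", "outcome": "failure"},
    {"ts": 10, "src": "10.0.0.5", "user": "alice", "outcome": "failure"},
    {"ts": 20, "src": "10.0.0.9", "user": "bob", "outcome": "failure"},
    {"ts": 25, "src": "10.0.0.9", "user": "bob", "outcome": "failure"},
    {"ts": 30, "src": "10.0.0.5", "user": "alice", "outcome": "failure"},
    {"ts": 45, "src": "10.0.0.5", "user": "alice", "outcome": "success"},
]
```

Running `correlate(SAMPLE)` yields one alert for 10.0.0.5 and one expiration record for 10.0.0.9, which is the distinction the checklist is after: a matched state entry is consumed, an unmatched one still produces a visible event when it ages out.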
"Ideally, companies should also look for the ability to deploy an evaluation or a proof of concept in their environments to make sure the reports and data they expect are available as well. Even if they are only able to collect data from a few devices, that will be a huge indicator of whether they are buying a product that solves their specific problems, as opposed to a product that just sounds really cool," says Turner.
Cloud-Based SIEM Options
One approach that is starting to grow is cloud-based SIEM as a service, says John Howie, founder of Seattle-based Howie Consulting and the former chief operating officer of the Cloud Security Alliance. While boutique cloud providers might offer special programs for first-time SIEMaaS customers, the larger and more established SIEM providers that also offer on-premises SIEM generally assume the company also has experience with the technology, says Howie.
Howie noted that while the providers he has dealt with recognize that log data is the property of the client, the clients need to understand that log data potentially can contain personally identifiable information (PII) or protected health information (PHI). For example, the SIEM could alert on a file transfer and collect the data from the transfer in a log file. That log file could contain a Social Security Number or a patient's private data. He recommends that if the company collects protected data, it should sign a Business Associate Agreement or a similar agreement with the cloud provider to ensure the data is handled appropriately.
Unlike traditional, on-premises software, cloud-based SIEM generally is billed on a usage model rather than per server or per user, Howie says. However, if the SIEM software sends all data logs to the cloud or is otherwise improperly configured, the bandwidth cost from the cloud provider could be very high and negate other cost efficiencies from the cloud.
"Continually tuning a SIEM as well as looking at the alerts can be a time-consuming task for skilled professionals," says 451 Research senior security analyst Javvad Malik. "Smaller enterprises may find greater benefits in utilizing a SaaS-based or managed security services provider (MSSP) offering that will alleviate some of the ongoing demands."
"SIEMs as a product family set vary tremendously in deployment types, pricing structure, features and the like. Some may be on-premises, others SaaS, some may charge per device, others by number of events processed, some have features built into their own offering whilst others partner with other vendors – so comparing pricing and offerings is not a straightforward task," Malik adds.
Enterprise and SMB SIEM Solutions
Companies such as SolarWinds and San Francisco-based Splunk are among the SIEM providers that specialize in the SMB market. While an enterprise-class HP ArcSight SIEM system can cost upwards of hundreds of thousands of dollars, SMBs can enter the market with the SolarWinds Log & Event Manager for $4,495. This entry-level SIEM is a software-only, virtual security operations center that can produce reports with what the company calls "audit-proven templates" for the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002 (SOX) and other compliance standards. The software runs on VMware or Microsoft Hyper-V virtual machines.
"Any SIEM can do log aggregation," Turner says. "This is a basic feature for a SIEM and often what a lot of people are looking for in order to check a box for their auditor. Once they have the logs, though, to get real value they need a solution that will also find problems and help sort through the massive amounts of data quickly."
Users should see clear categories of activities so they can drill into the ones that are suspicious, he adds. Event normalization is critical to a powerful SIEM and SolarWinds is starting to see the emergence of threat intelligence feeds and integration of SIEMs with them. "While this is a great addition," Turner notes, "it's critical to understand where the value is here and not get fooled into thinking it equates to 'security in a box' by deploying solutions simply because they claim to have that functionality."
"If a managed service provider is not an option, several SIEM vendors tailor to the SMB space by offering solutions that are relatively less expensive and easier to manage when compared with their full blown offerings," says Kent Saunders, a senior consultant at Accuvant.
These include:
- ArcSight Express for SIEM/Correlation functionality and ArcSight Logger for Log Management;
- The McAfee ESM (Enterprise Security Manager) appliance, which handles both SIEM/Correlation and Log Management;
- The IBM Security QRadar All-in-One appliance, which handles both SIEM/Correlation and Log Management;
- Splunk Enterprise software or virtual machines for Log Management, which give users the ability to write their own custom correlations and SIEM-like dashboards;
- LogRhythm's appliance, software and virtual machines, which handle both SIEM/Correlation and Log Management.
Here's a more detailed look at HP's ArcSight, LogRhythm, SolarWinds, and Splunk.
ArcSight
Hewlett-Packard's ArcSight is primarily an enterprise-class SIEM offering, although the offering can scale down for smaller enterprises. The ArcSight Express rack-mount appliance includes a vast array of built-in capabilities. In addition to the log management capabilities that comprise the raison d’être for SIEM, the appliance can collect, store and analyze all security data from a single interface.
The software is capable of analyzing millions of security events from firewalls, intrusion protection systems, end-point devices, and an array of other log- and data-producing devices. It boasts built-in security dashboards and audit reports that visualize threats and compliance, and is able to protect against zero-day attacks, advanced persistent threats, breach attempts, insider attacks, malware and unauthorized user access.
ArcSight Enterprise Security Manager (ESM) is targeted at large-scale security event management applications. ArcSight Express "should be considered for midsize SIEM deployments (while) ESM is appropriate for larger deployments, as long as sufficient in-house support resources are available," according to Gartner.
ArcSight Logger can be used for log management capabilities in two-tier deployments. It also has optional modules that provide advanced support for user activity monitoring, identity and access management integration and fraud management. ArcSight pricing is based on a more traditional software model that is more complex than that of SolarWinds or Splunk.
LogRhythm
The LogRhythm All-In-One (XM) appliance and software is designed for midsized to large enterprises. It includes a dedicated event manager, dedicated log manager, dedicated artificial intelligence engine, site log forwarder and a network monitor. Each of the software components is also available as a stand-alone appliance. LogRhythm's security intelligence platform collects forensics data from log data, flow data, event data, machine data and vulnerability data. It also generates independent forensics data for the host and network.
The system applies real-time processing and machine or forensic analytics to produce risk-prioritized alerts, real-time dashboards or reports. It is also used for incident response, including case management and workflow.
In addition to analytics, the company's SIEM offering includes real-time threat and breach detection and alerting, advanced correlation and pattern recognition, a variety of behavior anomaly detection capabilities, data visualization for long-term trending and continuous compliance assurance using out-of-the-box automation suites. LogRhythm, like ArcSight, uses a more traditional pricing model.
SolarWinds
SolarWinds' Log & Event Manager is targeted at the SMB market but can scale to larger businesses. The offering has prepackaged templates and an automated log management system. Among the features the company identifies as must-haves for a SIEM offering is the ability to collect data from network devices, machine data and cloud logs, as well as in-memory event correlation for real-time threat detection. Additional must-have features include a flexible deployment option for scalable log collection and analysis, out-of-the-box reporting for security, compliance and operations, forensic analysis, and built-in active response for automated remediation.
Other features the company identifies as essential are the ability to do internal data loss protection, embedded file integrity monitoring for threat detection and compliance support, plus high compression and encryption for secure log archival and log management. SolarWinds uses node-based pricing.
Splunk
Like other SIEM products, the core of Splunk Enterprise monitors and manages application logs, business process logs, configuration files, web access and web proxy logs, Syslog data, database audit logs and tables, filesystem audit logs, and operating system metrics, status and diagnostic commands. But at Splunk, the focus is on machine data -- the data generated by all of the systems in the data center, the connected "internet of things," and other personal and corporate devices that get connected to the corporate network.
Splunk offers three versions of its product:
- Splunk Free that caps indexing to 500MB per day and a limited feature set;
- Splunk Enterprise for on-premises SIEM with all of the company's features;
- Splunk Cloud, which can scale up to multiple terabytes per day and offers the full feature set with the exception of the distributed management console and multi-site clustering. The clustering option is available on request for the cloud package.
Although the product has "enterprise" in its name, Splunk says the solution can be used by SMBs as well and has been architected for use by non-SIEM experts. Non-SIEM engineers will be able to use the event pattern detection, instant Pivot interface that enables users to discover relationships in data without mastering the search language, and dashboards that can share pre-built panels that integrate multiple charts and views over time.
Splunk Enterprise offers both a perpetual license that starts at $4,500 for 1 GB/day plus support and a term license that starts at $1,800 per year and includes support.
Questions To Ask SIEM Vendors
Here is a list of questions organizations should ask the SIEM vendors in a Request for Information or a Request for Proposal:
- How well does the platform handle the log sources? Will it work out of the box or will there be a lot of custom development work required?
- What out of the box reports are available for security and compliance?
- What is the cost of maintenance?
- What is the cost of the SIEM product (license or subscription)?
- What is the cost of training?
- How well do they do post-sale technical support?
- What is the speed of access to log data?
- Does it use a dedicated appliance, customer-provided hardware, VMs or cloud?
- How easy is it to integrate with third-party platforms?
- Will it integrate with your current ticketing system?
- How many report/dashboard/alert customization options are available?
- Is there a desire for the product to have an operational role rather than be specific to security?
- Is there a packet capture or flow option?
- How does the product handle older data that has been archived off-box?
- How good is the product documentation?
- What does the product do in the event of a license violation?
Additionally, here are some questions potential clients should ask that generally are not asked:
- How many of the original product developers are still with the company?
- What is your average first contact time as well as the time to resolution for support tickets of each ticket priority level?
- How many full time employees will I need for a deployment of this size?
- How do you do log tiers: Log (Splunk Enterprise, ArcSight Logger, LogLogic) > SIEM (Splunk Enterprise Security, ArcSight, QRadar, McAfee ESM (Enterprise Security Manager)) > Automation (automatically run a script, open a ticket, take a VM snapshot, etc…) > Data (Hadoop storage)?
Source: Jordan Perks, consultant, Accuvant, 2015