| Raise the Standard(s)!
SIEM vendors champion solutions to a mishmash of log formats.
Security information and event management (SIEM) and log management tools are bedeviled by the absence of a standard log format. Consequently, vendors have to build some sort of connector to each supported device, application or OS, usually starting with those generating the most business, such as Cisco Systems and Check Point Software Technologies firewalls, then adding connectors for others customers demand most.
The problem has grown as SIEM products and their requirements evolve from "a better IDS than IDS" for detecting and alerting on possible network security events, to compliance-driven tools for user tracking, auditing and reporting.
"Six or seven years ago, SIEM was focused around the perimeter threat," says Ansh Patnaik, ArcSight senior product manager. "Now, compliance is exploding; there's more logging from more sources, and we're going higher up the stack into applications--in many cases, proprietary applications."
So advanced SIEM tools need to support myriad commercial and custom applications, with hooks into directory services.
"There are thousands of vendors with thousands of devices," says eIQnetworks CEO Vijay Basani. "The challenge is when a SIEM vendor tries to look at the data and has to write product-specific translators or parsers. If you go to a large company, the customer wants to analyze data from unsupported products."
Once again the security industry finds itself in need of a standard. In June 2006 ArcSight announced its Common Event Format (CEF), which the vendor touts as an open log management standard. Now, competitor eIQnetworks has weighed in with the Open Log Format (OLF), which it characterizes as "the industry's first open source event logging standard." There are other initiatives as well, including Mitre's Common Event Expression (CEE).
| This leaves us with at least several standards, which is to say, no standard, but steps in the right direction nonetheless.
"Adoption of a common format would solve huge maintenance problems for the SIEM vendors and would probably improve quality of the analytics that SIEM vendors could produce," says Gartner analyst Mark Nicolett.
Although the eIQnetworks and ArcSight initiatives have some vendor support, a real standard is way off. The SIEM vendors have to reach some sort of understanding for the long process of proposing and ratifying a final standard to proceed. NIST has published its Guide to Computer Security Log Management (Special Publication 800-92), which should help give context to a final standard.
Nicolett says no SIEM vendor has the market muscle to push through a standard on its own, but vendors aren't the only ones calling the shots.
"Adoption by event producers is another hurdle. There has to be some sort of pressure on and economic incentive for those vendors to put work in," says Nicolett. "Right now, I don't see it. There's no economic incentive for application, database vendors, etc., to put all that work into a standard format."