Enterprises have been using security information and event management (SIEM) systems mainly for compliance reporting to meet PCI DSS and other mandates, but infrastructure vendors are trying to develop a new breed of more powerful SIEM platforms.
Growing networks have created a larger attack surface for cybercriminals, and while early SIEM deployments could collect logs from a few appliances, they have grown to support a vast array of network devices, said John Kindervag, principal analyst at Cambridge, Mass.-based Forrester Research Inc. While vendors are betting on more robust SIEM platforms, whether or not enterprises have the money and expertise to do the kind of powerful event correlation needed to understand the threats on the network is still anyone’s guess, Kindervag said.
According to a Forrester survey of IT decision makers at 157 organizations, the primary use case in more than 80% of SIEM deployments is for reporting capabilities for compliance mandates. Fewer than 40% of respondents said their organizations use the technology’s event correlation capabilities.
“SIM is a reporting tool driven by PCI compliance and it wouldn’t exist if PCI hadn’t come out,” Kindervag said. “People get enamored by event correlation, but that’s just not how it works in real world deployments.”
The survey, conducted on behalf of San Jose, Calif.-based log management vendor LogLogic Inc., found reports generated by the systems are currently serving IT auditors, the CIO and other C-level executives. But the survey report concludes that SIM will become the foundation for comprehensive IT data analytics.
Brendan Hannigan, CEO of Q1 Labs, is betting his firm’s customers will want to get more out of their SIEM deployment. Hannigan, whose firm was acquired by IBM recently, is going to lead IBM’s new Security Systems Division, which brings together all of IBM’s security offerings. With Q1’s SIEM platform as the foundation, IBM plans to tie together its database security, endpoint management, network security and application security offerings and bolster them with analytics capabilities to get more actionable data out of those systems.
“There is a fundamental change that is occurring in the security world where focus is moving from individual point products solving a particular job to something more expansive,” Hannigan said.
Firewalls, IPS appliances and database and application servers generate heaps of data that can help organizations better understand the threats to their network and ultimately give CISOs the ability to make wiser security decisions. It’s the need for a more powerful analytical engine to get value out of all that data that is driving large infrastructure vendors such as IBM and HP to acquire SIEM systems, according to analysts.
HP is so bullish on the technology that it shelled out $1.5 billion in 2010 for ArcSight, arguably the leader in the space. RSA, the security division of EMC Corp., is merging its EnVision SIEM system with its newly acquired NetWitness network monitoring platform, which adds network context and analytics to SIEM data.
Analysts agree that many of the early SIM vendors may not be able to provide the processing power needed to apply analytics to different data sources. Scalability is turning out to be one of the most important capabilities of SIEM systems, said Mark Nicolett, vice president and distinguished analyst at Gartner Inc. SIEM platforms that can support heterogeneous event sources on a broad scale have a better likelihood of maintaining a strong market presence, Nicolett said.
Gartner believes SIEM systems should be able to efficiently collect logs and have real-time monitoring capabilities. “If a vendor doesn’t have both they’ll end up only being marginal in the market,” he said.
SIEM systems are good at collecting data, but they need tools that help analysts manipulate the data to uncover various aspects of an incident or find anomalies that raise concern, said Amit Yoran, senior vice president and general manager of the security management and compliance business at RSA, The Security Division of EMC.
“With complex attacks and advanced threat actors, your current assessment can’t be limited to just the traffic you are seeing at this moment,” Yoran said. “An action may not set off alarm bells when it is isolated on its own, but when you have it in context, it gets a lot more interesting.”
The former NetWitness CEO is overseeing the integration of the technology into the RSA EnVision SIEM platform. EnVision, Yoran said, really shined in efficiently retaining large amounts of data and in understanding diverse logging formats and protocols. At the same time, Yoran said he is practical about how powerful a SIEM system can be to an organization.
“I don’t think the possibility of a singular data repository that collects all relevant information critical to security analysis is ever going to exist,” Yoran said. “This one-size-fits-all, build something large, doesn’t seem to be a practical way for large enterprises to operate.”
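To make concrete what Yoran means by seeing an event "in context", and the heterogeneous-format collection Nicolett and Yoran describe, here is an added Python example that is not from the article or from any vendor named in it. It normalizes two constructed log formats (a firewall line and an sshd syslog line) into one schema, then alerts only when a successful login is preceded by a burst of failures from the same source, attaching the firewall events as context; the log lines, IP addresses and the 2011 year assumption are all constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in two unrelated formats (firewall and sshd syslog).
RAW_LOGS = [
    "2011-10-20T09:00:01 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2011-10-20T09:00:05 fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
    "Oct 20 09:00:06 srv05 sshd[811]: Failed password for admin from 203.0.113.7 port 51022 ssh2",
    "Oct 20 09:00:09 srv05 sshd[811]: Failed password for admin from 203.0.113.7 port 51023 ssh2",
    "Oct 20 09:00:12 srv05 sshd[811]: Failed password for admin from 203.0.113.7 port 51024 ssh2",
    "Oct 20 09:00:15 srv05 sshd[811]: Accepted password for admin from 203.0.113.7 port 51025 ssh2",
    "Oct 20 09:30:00 srv05 sshd[900]: Accepted password for alice from 198.51.100.4 port 40000 ssh2",
]
YEAR = 2011  # assumption: classic syslog timestamps carry no year

FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=\S+ dport=\d+$")
SSH_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")

def normalize(line):
    """Map one raw line onto a common schema: ts, host, src, kind, user."""
    m = FW_RE.match(line)
    if m:
        ts, host, action, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "src": src,
                "kind": "fw_" + action.lower(), "user": None}
    m = SSH_RE.match(line)
    if m:
        ts, host, result, user, src = m.groups()
        when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=YEAR)
        return {"ts": when, "host": host, "src": src,
                "kind": "auth_ok" if result == "Accepted" else "auth_fail", "user": user}
    return None  # unknown format: a real SIEM would count and park these

def correlate(lines, window=timedelta(seconds=60), threshold=3):
    """Alert on a login success preceded within `window` by >= `threshold` failures from the same source."""
    events = sorted(filter(None, map(normalize, lines)), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["kind"] != "auth_ok":
            continue  # a single success, or a single failure, is not interesting on its own
        recent = [e for e in events[:i]
                  if e["src"] == ev["src"] and ev["ts"] - e["ts"] <= window]
        failures = sum(e["kind"] == "auth_fail" for e in recent)
        if failures >= threshold:
            alerts.append({"src": ev["src"], "user": ev["user"], "host": ev["host"],
                           "failures": failures,
                           "fw_denies": sum(e["kind"] == "fw_deny" for e in recent)})
    return alerts
```

Calling `correlate(RAW_LOGS)` yields one alert for 203.0.113.7 (three failures, one prior firewall deny) and none for the ordinary login from 198.51.100.4, which is exactly the "in context" distinction Yoran draws.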
Enterprises may start off with compliance mandates in mind, but if there is a choice between buying a SIEM system only strong in log management or a system designed for log management and real-time monitoring, most organizations will see value in the monitoring unless there is a huge premium on the price. Nicolett said he is watching HP ArcSight closely, since HP has left ArcSight’s core development teams intact, enabling the SIEM vendor to quickly come to market with new features. Under HP, ArcSight has done a better job of supporting large deployments, he said.
Tom Reilly, vice president of HP enterprise security and the former CEO of ArcSight, said SIEM should be the integration platform of an enterprise’s security program. Like RSA and IBM, HP is also developing tools that give enterprises a better look at network threats by ramping up analytical capabilities in ArcSight’s SIEM platform. It’s all about network awareness, he said.
“If you believe in the tenet that every company has to move to gain security visibility, they all need to invest in SIM,” Reilly said. “I hear those complaints around complexity and cost, but I hear more about successful implementations; better time to value, prebuilt integration and ease of use.”
HP is striving to make IPS and log collection an out-of-the-box experience, Reilly said. The goal is to target companies with limited IT staff and expertise by providing prebuilt interfaces for integration, he said.
Having out-of-the-box capabilities drove McAfee to acquire NitroSecurity this month and begin merging the NitroView family of products into the ePolicy Orchestrator suite. McAfee had a close relationship with NitroSecurity and saw its proprietary database, which provides correlation and profiling capabilities, as a strong differentiator from other SIEM vendors, said Martin Ward, senior director of risk and compliance at McAfee.
“Speed with NitroSecurity is over the top,” Ward said. “Reports that are being run by existing SIEM vendors can take hours and hours, whereas Nitro can do it in minutes.”
The future of SIM appears to be data warehousing technology with powerful analytical tools that help IT teams crunch a massive amount of data, said Forrester’s Kindervag.
“It’s really about making better decisions based on facts, not conjecture,” Kindervag said. “If IT departments can take actionable data out of their systems and put it to use, we could see more decisions that align with the business side and address threats based on their risk impact.”