SIEM: Not for small business, nor the faint of heart

By Neil Roiter, Senior Technology Editor, Information Security magazine
22 Apr 2009 | SearchSecurity.com


SAN FRANCISCO -- Security information and event management (SIEM) products are only as good as the policies and processes they support, and the analyst resources that a company can pour into them.

"We invested in SIEM four years ago, and it wasn't long before we realized it wasn't the nirvana we hoped it would be," said Denny Dean, CISO for a Fortune 500 insurance company, and a participant in a SIEM panel Tuesday at the 2009 RSA Conference.

"In my experience the program around SIEM is vastly more important than SIEM itself," Dean said. "If you extracted SIEM from the program, the program would still operate in pretty good shape."

Dean said at first the SIEM tool produced a lot of information, including a number of alerts that didn't trigger action because there was no information management program to support them. His company used it as a forensics tool until "we started producing services around SIEM and an information management program as a whole."

While companies like Dean's get measurable value from SIEMs with the right kind of supporting information management program, the reality is that most companies have purchased products for compliance, plain and simple.

"PCI and other compliance initiatives drove the market," said John Kindervag, senior analyst with Cambridge, Mass.-based Forrester Research. "In Fortune 500 companies, SIEM for compliance is highly commoditized. They have lots of FTEs. But how can smaller companies [without the staffing] leverage it? How do you derive value without analysts?"

"Vendors did a great disservice by claiming that this box could do everything," said Nick Selby, senior analyst with New York-based research firm The 451 Group.

Kindervag insisted SIEM is more of a reporting and compliance product than a security product. He suggested -- only somewhat facetiously -- the market would be better served with a new acronym, "SIRS" or security information reporting system.

SIEM can serve as a barometer for measuring increasing risk and as an indicator of what is going on across the environment, said Chris Leach, CISO for Affiliated Computer Services (ACS). In his view, compliance is of less importance.

"But we can have too much information," Leach observed. "That can be worse than not having enough."

Dean described SIEM as a fact-collection system to make better business decisions and monitor things like change management for compliance.


"I thought I would find bad guys, but in the end found good guys doing bad things," Dean said. For example, he found he was collecting "information about the ineffectiveness of my peers." He discovered 3,000 vulnerabilities in his company's systems, an indication that patch management was failing.

He cautioned, however, not to "get in people's knickers about stuff," but to attack the process that allowed this state of affairs.

Dean also advised that a security manager's job is to provide information for business people to make decisions. "You are not the risk manager," he cautioned.

ACS's Leach recommended that companies beginning a SIEM program learn from others who have gone through the experience, and set realistic expectations.

"Don't try to boil the ocean," he said. "Say, 'this is the piece I'm going to tackle now,' and stick to your guns."
