Security information management finally arrives, thanks to enhanced features


Mike Rothman
03.13.2007

Security information management (SIM), sometimes called security information and event management (SIEM), has been a problematic security category for years. In a nutshell, this segment of the information security market has featured products that strive to collect and analyze security events, ideally detecting malicious activity. Plagued by expensive and integration-heavy implementations, SIM products and vendors have never lived up to their promise, taking millions of venture capital dollars down with them.

Yet, if you look at SIM from a security professional's perspective, the idea of integrating and correlating security information from a variety of data sources is compelling. Just think: How great would it be to look at one screen, or one dashboard, and be able to pinpoint problems, maybe even before they occur?

SIM technologies of the past had their shortcomings, and unfortunately many end-users learned this the hard way. One problem is the overactive nature of SIM; its inputs, like firewalls and IPS devices, are inherently noisy. If the inputs are rife with false positives, it has historically been difficult for SIM offerings to provide actionable information without a tremendous amount of experimentation and tuning.

Also, SIM products seem to address problems after it's too late; by the time information is correlated from log files, the attack has already happened. And in today's environments, where attacks can proliferate throughout the world in a matter of minutes, playing catch-up can be crippling.

But all is not lost, and SIM is not dead yet. In fact, the idea of security management is transforming, and this evolution may bring some new life to SIMs. Combining SIMs with a few other technologies may actually make for an effective systems-based approach to security management.

First, security management is increasingly being integrated with network behavior anomaly detection (NBAD), providing pseudo real-time visibility into what's happening on your network. Not in a few minutes or seconds, but right now.

To be clear, "pseudo" real time is not exactly real time. The inherent nature of attacks, especially zero-day attacks, makes it impossible to be truly proactive in protecting an environment. The goal with network behavior anomaly detection, however, is to shorten reaction times. Also, by defining thresholds based on abnormal behavior, NBAD products can trigger a more specific analysis and contain damage more effectively.

With NBAD, security professionals are not exclusively looking in the rear view mirror, trying to figure out a disaster that's already happened. Because of the technology's faster reaction times, network behavior anomaly detection is poised to break out in 2007, especially if it's integrated with the SIM software sitting on your shelf.
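To make the "thresholds based on abnormal behavior" idea concrete, here is an added example (not from the article or any NBAD vendor) that learns a per-host connection-rate baseline from a few constructed flow-summary windows and flags a host that suddenly departs from it. The records, hosts and the mean-plus-three-sigma rule are assumptions chosen for illustration.

```python
import statistics
from collections import defaultdict

# Constructed flow-summary records: (window_index, source_host, connection_count).
# Windows 0-4 are the learning period; window 5 is the one being judged.
FLOW_WINDOWS = [
    (0, "10.0.1.5", 40), (1, "10.0.1.5", 45), (2, "10.0.1.5", 38),
    (3, "10.0.1.5", 42), (4, "10.0.1.5", 44), (5, "10.0.1.5", 410),
    (0, "10.0.1.9", 12), (1, "10.0.1.9", 15), (2, "10.0.1.9", 11),
    (3, "10.0.1.9", 14), (4, "10.0.1.9", 13), (5, "10.0.1.9", 16),
]

def build_baseline(records, learn_windows):
    """Per-host mean and population stdev of connection counts over the learning windows."""
    by_host = defaultdict(list)
    for window, host, count in records:
        if window in learn_windows:
            by_host[host].append(count)
    return {h: (statistics.mean(c), statistics.pstdev(c)) for h, c in by_host.items()}

def detect_anomalies(records, baseline, window, k=3.0, floor=20):
    """Flag hosts whose count in `window` exceeds mean + k*stdev.

    A fixed floor is also applied so a quiet host with near-zero variance does
    not raise an alert on a trivial change; that floor is an assumed tuning knob.
    """
    alerts = []
    for w, host, count in records:
        if w != window or host not in baseline:
            continue
        mean, stdev = baseline[host]
        threshold = max(mean + k * stdev, mean + floor)
        if count > threshold:
            alerts.append({"host": host, "count": count, "threshold": round(threshold, 1)})
    return alerts

if __name__ == "__main__":
    base = build_baseline(FLOW_WINDOWS, range(5))
    for alert in detect_anomalies(FLOW_WINDOWS, base, window=5):
        print(f"ANOMALY {alert['host']}: {alert['count']} connections (threshold {alert['threshold']})")
```

The alert is the trigger for the "more specific analysis" the article describes; what the analyst then does with it still comes from the correlated SIM data.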

But that's not the only way SIM is morphing in front of our eyes. When a security incident happens in an organization, it's important to have controls in place so that a similar mess doesn't occur in the future. With many SIMs, however, such preventative responses are difficult to make. During the performance improvement process, security data is often normalized and manipulated, making it useless for forensic purposes.

With early SIM products, the raw log files were altered to facilitate insertion into a database and provide data reduction; this optimized the use of space. It was important when SIM first hit the market 5 or so years ago, as the technology was not fast enough to store all the data in a forensically clean way, and the problem being addressed was event correlation, as opposed to compliance or forensics.

Ergo, the emergence of log management products. These purpose-built boxes quickly gather log data from a variety of different devices, and they do so in a forensically clean way, maintaining the integrity of the data, so it can be easily analyzed for forensics and compliance purposes, although not necessarily for real-time management. This log management data, though, will hold up in a court of law.
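The difference between "altered to facilitate insertion into a database" and "forensically clean" can be shown in a few lines. This added example (not from the article or any log management product) stores each constructed firewall log line untouched in a hash-chained record, so later alteration is detectable, and derives the reduced, correlation-friendly view as a separate step that never touches the original. The log lines, field names and SHA-256 chaining are assumptions for illustration.

```python
import hashlib
import re

# Constructed raw firewall log lines; in a real deployment these arrive over syslog.
RAW_LINES = [
    "Mar 13 10:01:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.1.5 PROTO=TCP DPT=445",
    "Mar 13 10:01:03 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.2 DST=10.0.1.9 PROTO=TCP DPT=443",
    "Mar 13 10:01:05 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.1.6 PROTO=TCP DPT=445",
]

GENESIS = "0" * 64

def append_raw(store, line):
    """Keep the untouched line plus a hash chained to the previous entry, so that
    editing, reordering or deleting any record later breaks verification."""
    prev = store[-1]["hash"] if store else GENESIS
    digest = hashlib.sha256((prev + "\n" + line).encode("utf-8")).hexdigest()
    store.append({"raw": line, "prev": prev, "hash": digest})
    return digest

def verify_chain(store):
    """Recompute every link; return the index of the first bad record, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(store):
        expect = hashlib.sha256((prev + "\n" + rec["raw"]).encode("utf-8")).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expect:
            return i
        prev = rec["hash"]
    return -1

FIELD = re.compile(r"(\w+)=(\S+)")

def normalize(rec):
    """Reduced view for correlation, derived from (not replacing) the raw record.
    The 'evidence' hash points back at the exact line it came from."""
    raw = rec["raw"]
    fields = dict(FIELD.findall(raw))
    return {"action": "DROP" if " DROP " in raw else "ACCEPT",
            "src": fields.get("SRC"), "dst": fields.get("DST"),
            "dport": int(fields.get("DPT", 0)), "evidence": rec["hash"]}

if __name__ == "__main__":
    store = []
    for line in RAW_LINES:
        append_raw(store, line)
    print("chain intact" if verify_chain(store) == -1 else "chain broken")
    print([normalize(r) for r in store])
```

Early SIMs kept only something like the normalized dictionaries; the log management box keeps the raw records and the chain, which is what lets the data stand up to scrutiny later.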

Security management is evolving from one generation to the next, and with that transition, there will inevitably be some carnage. Aggressive vendors have chosen to either focus on offering pseudo real-time management capabilities or log management functions. But even if your vendor is a bit of a dim bulb, it's still possible to integrate many of these solutions together yourself and get your desired results. In fact, that's addressing problems before they become problems.

So what makes the most sense for you? It gets back to what problem you are trying to solve and also being a bit understanding of the sunk cost of an existing implementation. Many organizations have spent a lot of time and money to make SIM work for them, and there is no reason to dump that investment. You may need to supplement an existing product with log management or NBAD, but that's OK.

But if you don't have anything in place now, it makes sense to focus on the products that can offer both a forward and a backward look at your networking environment. There is no need to compromise if you are playing in a green field.

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.
