There is a significant disconnect between security management and the virtual data center. Today's data center is undergoing tectonic shifts while moving from a static physical model to a dynamic virtual infrastructure driven by server, network, storage and security virtualization. To be successful, security information management (SIM) must become virtualization-aware and act as your organization’s virtual server security management...
Server virtualization adoption is ubiquitous: more than 97% of the organizations participating in Nemertes' 2010-2011 benchmark survey are in some stage of deploying virtualization. Server virtualization abstracts the operating system from the underlying hardware via a hypervisor. The advantages are significant, including server consolidation, faster server provisioning, more dynamic disaster recovery and higher availability. Yet the hypervisor introduces a new layer of complexity, particularly when considering SIM. This presents a challenge and an opportunity: the challenge is becoming virtualization-aware and correlating events across the virtual and physical realms, while the opportunity is a greater role in infrastructure management, with the SIM becoming the foundation of a management bridge across the virtual/physical divide.
SIM must match virtualization’s agility and flexibility
The greatest benefit of SIM is cross-device event correlation. This requires close tracking and correlation of events, alerts and network flows across network switches, routers, firewalls and intrusion detection and prevention gear. For example, a SIM identifying outbound traffic from multiple servers to the same external IP address may indicate a botnet infection.
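The fan-in pattern described above (several internal servers contacting the same external address, reported by different devices) is the kind of cross-device correlation a SIM performs. The following is an added example, not code from the article or from any SIM product: it normalises constructed flow records from a firewall, a router and a virtual switch into one shape, then raises an alert when at least a threshold number of distinct internal sources reach the same external destination inside a time window. The sensor names, addresses and internal-network list are all constructed assumptions.

```python
"""Cross-device fan-in correlation over constructed flow records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed: the address ranges this organisation treats as internal. A real SIM
# takes this from its asset inventory rather than hard-coding it.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed records already normalised to (timestamp, reporting device, src, dst, port),
# as a SIM would do after parsing firewall logs, NetFlow and virtual-switch exports.
SAMPLE_EVENTS = [
    ("2011-03-01T10:00:01", "fw-edge-1",    "10.1.1.10", "203.0.113.5",  443),
    ("2011-03-01T10:00:07", "rtr-core-1",   "10.1.1.11", "203.0.113.5",  443),
    ("2011-03-01T10:00:20", "vswitch-esx2", "10.1.2.30", "203.0.113.5",  443),
    ("2011-03-01T10:01:00", "fw-edge-1",    "10.1.1.12", "198.51.100.9",  80),
    ("2011-03-01T10:30:00", "fw-edge-1",    "10.1.1.13", "203.0.113.5",  443),
]

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def parse_event(rec):
    ts, sensor, src, dst, port = rec
    return {"ts": datetime.fromisoformat(ts), "sensor": sensor,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "port": port}

def fan_in_alerts(events, min_sources=3, window=timedelta(minutes=5)):
    """Group outbound flows by external destination and alert when at least
    `min_sources` distinct internal sources reach it within `window`. Which
    device reported each flow is irrelevant to the match; that is the
    cross-device part. Returns a list of alert dicts."""
    by_dst = defaultdict(list)
    for e in map(parse_event, events):
        if is_internal(e["src"]) and not is_internal(e["dst"]):
            by_dst[e["dst"]].append(e)
    alerts = []
    for dst, flows in by_dst.items():
        flows.sort(key=lambda e: e["ts"])
        # Sliding window anchored at each flow in turn; one alert per destination.
        for i, first in enumerate(flows):
            in_window = [f for f in flows[i:] if f["ts"] - first["ts"] <= window]
            sources = {f["src"] for f in in_window}
            if len(sources) >= min_sources:
                alerts.append({"dst": str(dst),
                               "sources": sorted(str(s) for s in sources),
                               "sensors": sorted({f["sensor"] for f in in_window})})
                break
    return alerts

if __name__ == "__main__":
    for a in fan_in_alerts(SAMPLE_EVENTS):
        print(a)
```

The 10:30 flow to the same destination falls outside the five-minute window and so does not count toward the threshold; widening `window` or lowering `min_sources` is the tuning knob, and the `sensors` field in the alert shows the analyst which devices contributed evidence.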
The current generation of SIM products was developed for the physical infrastructure with the assumption that components stay put. Virtualization completely violates this assumption: servers, switches and even security devices move via functions such as Citrix XenMotion, Microsoft Live Migration and VMware VMotion. Not only do servers move, they can also start and stop with the click of a mouse, far more rapidly than physical servers can be provisioned and deprovisioned. This is intentional.
The fluidity of the virtual infrastructure is key to delivering a more agile and flexible IT infrastructure. SIM, too, must become more agile and fluid, correlating events in relation to the movement of virtual components.
To complicate matters, security information management must correlate events across virtual and physical environments. Even in organizations that consider themselves 100% virtualized, 10% to 15% of workloads remain physical. This gets tricky when an application stack spans virtual and physical servers, for example an enterprise running virtual Web and middleware tiers while the backend database remains physical. It is imperative for SIM systems to track this relationship when assessing a security event affecting the application stack.
Track and correlate hypervisor events
To properly address the virtual infrastructure, SIMs must become hypervisor-aware. The hypervisor is an abstraction layer between physical and virtual infrastructure that hosts a variety of functions the SIM must track. For example, the hypervisor has virtual switches, virtual NICs, its own management interfaces and, in the case of VMware, security APIs. Tracking the hypervisor is a critical function of a virtualization-aware SIM, since hypervisor events must be correlated with physical and virtual components for successful network behavioral analysis.
Another aspect of virtualization awareness for SIMs is correlation across a new breed of security products: virtual IDS/IPS, firewall and anti-x services. Though the security functions -- and the security events -- are the same as those of physical security devices, virtual security devices can move. Therefore, the SIM must not only track the events, but also track where the events are coming from, especially when the security device may reside on the same physical server as the assets it protects. An added complication for the SIM is that virtual security devices often use a different management system than physical security devices. As above, this is both an opportunity and a burden: having a link between physical and virtual security is the opportunity; building and maintaining that link is the burden. To be effective – virtually – the SIM must log the hypervisor state and have access to hypervisor management interfaces, particularly since there shouldn't be any direct access to the hypervisor outside of the virtualization management system.
Addressing these concerns requires more time than money. The security team must meet with the virtualization team to discuss the specifics of hypervisor deployment and configuration so the SIM rule base can properly identify virtualization-related anomalies. This involves cross training and bringing the virtualization team up to speed on potential vulnerabilities and on the inner workings of virtualization.
Most SIM products are now virtualization-aware, as long as they are at current revision levels. Any SIM without a virtualization-specific update in the past 12 months is running virtualization blind.
SIMs need visibility into dynamic workload zones
A SIM must also be zone-aware. In the physical infrastructure, virtual LANs and network segmentation are the primary workload segregation tools for security and compliance. Both strategies still apply to the virtual infrastructure, but the zone is becoming the best practice for workload segregation. The zone is a higher-level construct defining a range of workloads, located anywhere in the virtual or physical infrastructure. A primary application of zones is segregation of in-scope workloads for PCI DSS or HIPAA compliance.
The zone facilitates virtualization dynamics, freeing a workload to move anywhere within the zone: on the same server, across the rack, across the data center or even between data centers. The SIM must be zone-aware to catch any zone violations. Though zones are secure, there are still opportunities for zones to fail. Failure comes from an unintentional misconfiguration, a workload moving out of a zone during a workload migration or malware generating traffic that crosses the zone boundary. So, the SIM must track changes to configuration files and logs for virtual machine migration as a point of reference to identify a zone violation. As above, this requires a combination of cross training and SIM virtualization awareness. Zones are a new concept and require frequent updates to the SIM rule base in order to properly assess zone status. Security practitioners should contact their SIM vendor to determine the SIM's zone awareness.
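The two requirements raised above, tracking where a virtual machine currently runs from hypervisor migration logs and checking that movement and traffic against zone definitions, fit together in one piece of correlation logic. The following is an added example, not code from the article or from any vendor's SIM: it replays constructed virtualization-management and virtual-switch log lines, keeps a VM-to-host map current, and records two of the failure modes the text names, a migration that lands a workload on a host outside its zone and a flow that crosses a zone boundary. The zone table, host and VM names and log format are all constructed assumptions.

```python
"""Zone-aware asset tracking over constructed hypervisor logs (added example)."""

# Constructed zone definitions: which hosts may run a zone's workloads and which
# workloads belong to it. In practice this comes from the virtualization
# management system and the compliance scoping documents.
ZONES = {
    "pci":  {"hosts": {"esx-pci-1", "esx-pci-2"}, "vms": {"web-pci", "app-pci"}},
    "corp": {"hosts": {"esx-gen-1", "esx-gen-2"}, "vms": {"wiki", "mail"}},
}

# Constructed log lines: migration events from the management system and flows
# observed on a virtual switch, in an assumed "key=value" format.
SAMPLE_LOG = """\
2011-03-01T09:00:00 vcenter MIGRATE vm=web-pci from=esx-pci-1 to=esx-pci-2
2011-03-01T09:05:00 vcenter MIGRATE vm=wiki from=esx-gen-1 to=esx-gen-2
2011-03-01T09:10:00 vcenter MIGRATE vm=app-pci from=esx-pci-1 to=esx-gen-1
2011-03-01T09:12:00 vswitch FLOW src=wiki dst=web-pci port=3306
2011-03-01T09:13:00 vswitch FLOW src=web-pci dst=app-pci port=8443
"""

def zone_of(vm):
    """Return the zone name a workload belongs to, or None if it is unzoned."""
    for name, zone in ZONES.items():
        if vm in zone["vms"]:
            return name
    return None

def parse_line(line):
    """Split '<ts> <source> <KIND> k=v k=v ...' into a dict."""
    ts, source, kind, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": ts, "source": source, "kind": kind, **fields}

def check_zones(log_text):
    """Replay the log in order. Migration events update the VM-to-host map; a
    migration whose target host is outside the VM's zone, or a flow whose
    endpoints sit in different zones, is recorded as a violation tuple
    (type, timestamp, subject, peer). Returns (location_map, violations)."""
    location = {}
    violations = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["kind"] == "MIGRATE":
            location[ev["vm"]] = ev["to"]
            zone = zone_of(ev["vm"])
            if zone and ev["to"] not in ZONES[zone]["hosts"]:
                violations.append(("migration_out_of_zone", ev["ts"], ev["vm"], ev["to"]))
        elif ev["kind"] == "FLOW":
            if zone_of(ev["src"]) != zone_of(ev["dst"]):
                violations.append(("cross_zone_flow", ev["ts"], ev["src"], ev["dst"]))
    return location, violations

if __name__ == "__main__":
    where, problems = check_zones(SAMPLE_LOG)
    print("current placement:", where)
    for p in problems:
        print("violation:", p)
```

The location map is what lets the SIM attribute a later hypervisor or virtual-switch event to the right workload even after it has moved; the zone check is deliberately a pure function of the replayed log, so the same logic can run over historical logs when investigating how long a workload sat outside its zone.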
Securing the virtual infrastructure with tools isolated to the physical realm is impossible. Security practitioners must align security management with the virtual data center. Server virtualization will be part of nearly every data center infrastructure for up to 95% of the workloads. A key to a successful SIM is making sure the solution is virtualization-aware.
About the author:
Ted Ritter is a senior research analyst with Nemertes Research, where he conducts research, advises vendor and end-user clients, develops research reports and delivers strategic seminars. A Certified Information Systems Security Professional (CISSP), Ritter leads Nemertes' research on cloud, virtualization and data center with an emphasis on compliance, risk management, and business continuity/disaster recovery. He is also one of Nemertes' dedicated experts on virtualization security, Internet infrastructure, efficient data centers and green IT.