SIEM technology primer: SIEM platforms have improved significantly

Security information and event management (SIEM) products grew out of two narrower product categories in the past decade. Security information management (SIM) software and appliances were used to collect and review logs of data from host systems, network devices, security devices and applications. Security event management (SEM) products came next, providing automated reviews of log data in real time, looking for anomalies or event correlations that signaled a security threat or a compliance violation. Gradually, SIM and SEM vendors merged these tools into SIEM technology platforms.

We expect further consolidation as more vendors try to pull these three prongs of SIEM, GRC and security infrastructure together.

Jessica Ireland, Info-Tech Research Group

SIEM platforms recently evolved further to collect data about users’ behaviors and data access. SIEM platforms may collect data from hundreds of sources, including hardware devices, virtual machines and applications such as Microsoft Exchange and Oracle databases. 

Rocky start for SIEM technology
The earliest SIEM deployments were often a disappointment, according to Jessica Ireland, research analyst for Ontario-based Info-Tech Research Group. Customers tried to implement all of the SIEM functions with all available sources, which added more complexity than most customers could absorb in a short time. As a result, most of the logs collected by the SIEM sat unviewed, and many customers would label their SIEM project as a failure. Over time, customers were encouraged to start their SIEM project with just one objective (threat monitoring or compliance reporting, but not both) and just a small set of sources (for example, just the network devices), to gain skills and experience and gradually grow their SIEM project at a manageable pace.

Current SIEM technology offerings
SIEM platforms have improved significantly in the past few years. “The products keep getting better,” Ireland said. “We’re seeing a lot of fluid and intuitive interfaces, which make SIEM easier for clients to use.”

One example of the easier interface is the “replay” function. This enables the administrator to recreate a past incident or attack and develop a new policy for times when a similar incident occurs in the future.

Alerts and responses have also improved in most SIEM platforms, according to James McCloskey, senior research analyst at Info-Tech Research Group. Early implementations of automated responses caused problems, such as actions being taken when the alert was actually a false positive. “A lot of the kinks in automatic response systems have been worked out,” McCloskey said. “More people are comfortable that their SIEM will properly correlate an attack with information from other tools, such as a Web content filtering product, and respond appropriately.”

Major SIEM technology vendors
There are approximately two dozen vendors actively selling in the SIEM space. In its 2011 Magic Quadrant for SIEM report, Gartner Inc. placed HP/ArcSight LLC, Q1 Labs (acquired by IBM), RSA (the security division of EMC), Symantec Corp., LogLogic Inc., NitroSecurity Inc. (acquired by McAfee) and Novell Inc., in the leaders quadrant. Vendors such as NetIQ Corp, eIQnetworks Inc. and others fill the remaining quadrants of Gartner’s report.

The majority of SIEM vendors are particularly active in North America, where most of the first SIEM platforms were sold. In recent years, interest in SIEM technology has expanded to Europe, Latin America, Australia and Asia/Pacific regions.

SIEM market
According to the Gartner report, the SIEM market is mature, with many customers having their SIEM implementations in place for more than a few years, and some shopping for an upgrade or replacement to their initial SIEM choice.

Large enterprises continue to be the predominant purchasers of SIEM platform products, Ireland said. SMB customers are more likely to employ a managed security services provider (MSS) for SIEM functions. Some SIEM vendors now offer scaled-down versions of their platforms, supporting a small number of logs from a limited number of log sources, to provide a lower price point for SMB customers. 

SIEM technology: Typical uses
Customers typically use SIEM products for two reasons: to spot evidence of security threats or security breaches, and to ensure their organization is complying with regulatory standards. A 2011 Forrester Research survey (sponsored by SenSage) showed most customers are currently using their SIEM tool for both threat management and compliance reporting.

While the decision to install a SIEM platform may be made by the IT department, the compliance manager, or a business unit within an organization, Gartner’s report stated ownership and management of the SIEM platform usually goes to the IT team.

The future of SIEM technology
All those logs of data captured by the SIEM are growing, especially as SIEM platforms begin to capture usage and incidents from mobile devices. For this reason, some vendors are working to connect business intelligence and analytics tools to SIEM data. In its 2011 report, How Proactive Security Organizations Use Advanced Data Practices to Make Decisions, Forrester said the IT industry is currently poised at the intersection of SIEM, data warehousing and business intelligence, which could potentially unlock the ability to discover and respond to new threats.

In addition, many of the larger SIEM vendors are working to integrate their SIEM platforms with GRC (governance, risk and compliance) products, or with identity and access management products.  

Ireland believes some vendors will accomplish this three-pronged approach of SIEM, GRC and security infrastructure through acquisitions. “We expect further consolidation as more vendors try to pull these three prongs of SIEM, GRC and security infrastructure together,” Ireland said. “Some of the larger vendors may grab up the few remaining niche players.”