Securing the SIEM system: Control access, prioritize availability

Given the role a properly implemented, managed and utilized security information and event management (SIEM) system plays in an organization's security infrastructure environment, it’s clear that compromising SIEM activities could be a successful strategy for an attacker looking to avoid detection or undermine management of the environment's security.

What are the potential implications of a compromised SIEM system, and what defenses are available for enterprises looking to secure their SIEM systems? Those are questions we'll seek to answer in this tip.

Treat the SIEM system as a high-priority enterprise resource
It should be recognized that while a SIEM system is the infrastructure's nerve center from a security operations point of view, it is also one of many systems within the managed enterprise environment. For this reason, the SIEM should be polled regularly to ensure it is running and fully operational. Part of the SIEM deployment plan should be to ensure the SIEM system is identified as a critical system in the enterprise landscape, and the hardware and software systems on which it runs are configured and managed as high-risk areas.

It is also necessary to consider the SIEM system's resilience. Future SIEM system designs will focus on attributes like adaptive routing to ensure that if one path for security event delivery cannot be traversed, another path is followed, and out-of-band signaling to the central node, where alternative communication channels may be used.

Practical steps for achieving SIEM system security today
While these next-generation SIEM protections will be incorporated into future SIEM system products, a lot can be done now to ensure SIEM security. By ensuring a typical security review approach is applied to the SIEM system itself, the security event-collection process can be implemented effectively:

• From an authentication and access control point of view, SIEM system access should be carefully set up and managed. Integration with the enterprise's LDAP directory services could be a way to ensure the SIEM system is seen not as an island, but rather as part of the managed environment. Access to the system should be limited, and privileged access in particular should be carefully controlled, possibly within a "separation of duties" type of approach whereby no single individual or administrator is able to act in isolation.
  

  Listen to this tip as an MP3

  Listen to Securing the SIEM system: Control access, prioritize availability as an MP3 here!

• The confidentiality and integrity of the security information must be considered, specifically with respect to how information travels between the collection agents/aggregation points and the central management node. Where information is stored -- for example, a database at the central node -- confidentiality needs to be considered. Privacy could also be an issue to consider, depending upon where and how security events are being used.
  
• In some instances, anonymization is applied to security events so general trends can be determined -- especially if conducted off-site or across multiple clients -- with only limited scope to reverse this to reconstruct the actual event, under the control and policies of the organization.

  Special report: The future of SIEM

  This article is part of SearchSecurity.com and Information Security magazine's special report on SIEM. See below for more.

  Video presentation: Andrew Hutchison covers how to use SIEM technology to spot indicators of potential attacks
  
  Information Security magazine feature story: Get a coordinated view of security-related information and events with SIEM.

• Nonrepudiation could be considered to ensure actors, authorized or otherwise, cannot repudiate event evidence of particular actions. How SIEM events are stored, both centrally and in the originating systems, needs to be considered to ensure sufficient evidence can be gathered.
  
• Finally, the availability of a system is considered a security issue, and this is no less of an issue for a SIEM system. It has been indicated that future SIEM products will have self-healing, adaptive-type capabilities from an architectural perspective. In the interim, the disaster recovery aspects of a business should ensure the SIEM system is also implemented on a high-availability type infrastructure and that, along with recovery of other mission-critical systems, the SIEM is prioritized to ensure orderly monitoring and insight. After all, depending on what has caused an outage or disaster, having the security systems running first could be most important, ensuring any unexpected patterns, alerts, events or incidents are visible, that they can be investigated, and that responses can be deployed.

Through careful deployment, the security of SIEM systems can be enhanced. While it will take more time to create architectures that increase the resilience of SIEM products, treating them as high-availability, critical systems within the overall management landscape can be done immediately.

About the author:
Andrew Hutchison is an information security specialist with T-Systems International in South Africa. An information security practitioner with 20 years of technical and business experience, his technical security work has included secure system development, security protocol design and analysis, and intrusion detection and network security solutions. He has held executive responsibility for information security in a large enterprise, establishing its chief security officer role and initiating an ISO27001 security certification program. As business sponsor for large SIEM rollouts, he has experience in deploying and operating SIEM systems in a managed service provider environment. He is an adjunct professor of computer science at the University of Cape Town in South Africa.