Enterprises need dynamic, intelligence-driven defenses to effectively identify malicious behaviors not seen before; these anomalies ultimately enable the plethora of dangerous zero-day attacks that wreak havoc on a daily basis. A key component of enterprise defenses is a security information and event management
Many SIEMs were deployed to meet compliance reporting requirements, without making full use of the technology's event-correlation capabilities.
Unfortunately, painful implementations and overselling by vendors has left SIEM with a sullied reputation. Meanwhile, many SIEMs have been deployed solely to meet compliance-reporting requirements, with few organizations actually making full use of the technology's event-correlation capabilities.
A second generation of SIEM products, however, may change that. Advanced security analytics and increased scope and scale of data collection mean a greater number of diverse events can be put into context to find unusual activities in real time.
Enterprises create colossal amounts of data: email, documents, social media interactions, audio, network traffic, clickstreams, and logs of files being accessed, registry changes made and processes started and stopped. System information, such as processor and memory utilization, can also be useful for spotting unexpected changes in the status of a system. The sheer volume of data to be handled makes scalability, powerful analytical tools and support for heterogeneous event sources the most important capabilities when assessing next-generation SIEM products, particularly when it comes to time-sensitive processes such as fraud detection. Tools for visualizing and exploring this data are another key feature, along with actionable intelligence based on business context, so threats posing the greatest risk can be easily found and prioritized.
To make full use of all this data and increase detection rates by uncovering clues hidden deep in an organization's data, an SIEM needs to make use of "adaptive intelligence"; in other words, it must learn what's normal in order to recognize what's abnormal, because abnormal events are a strong indicator of an advanced threat or breach. It also has to be able to identify an attack pattern, even if it is spread out over a period of time. Setting up SIEM rules is an iterative process, but products that allow the simultaneous use of rule-based and rule-less correlation can reduce initial configuration times, automate parts of the login and authentication monitoring process and reduce the number of false positives. While self-learning algorithms are still in their infancy, real-time identity correlation using fuzzy logic, behavior analysis, clustering algorithms and policy rules are close to providing true signature-less detection to prevent unauthorized access and pick out abnormal activity at the user, account and resource levels.
Incorporating external threat intelligence feeds from the global security community can further clarify what's normal or acceptable by not limiting analysis to just the data one organization creates. Look for feeds that are flexible, easy to deploy, and that existing security monitoring products can use effectively. Real-time analysis of both structured and unstructured data is essential.
Enterprises with data in the cloud should look for service providers that make SIEM data available for collection by an on-premises SIEM. This enables a unified view of both cloud and on-premises environments as long as the SIEM can handle the provider's data, which may be in different formats. In Platform as a Service (PaaS) environments there is the option of installing monitoring agents to push traffic and logs to an in-house server for processing, while some SIEM tools can make use of specific Software as a Service (SaaS) application program interfaces to collect logs from public cloud services so events across multiple platforms can be correlated to produce dashboard views and audit reports that combine both internal and cloud-based applications. Network bandwidth, latency and data-transfer costs can, however, impede timely interruption of malicious activity.
Dashboard views of the information collected and analyzed are an important feature of any SIEM, as are actionable reports that include effective countermeasures so administrators can see where attention is needed most. Do not overlook the importance of being able to export information in different ways; different stakeholders will want information about security risks pertinent to their interests and presented at a level that they can understand so as to fully appreciate the relevance. This will make discussions easier and more quickly lead to the most appropriate course of action.
Accelerated decision-making is not solely about feeding an SIEM more and more information and tuning it to be able spot incidents faster; security teams must be able to react and respond faster, too. Incident response teams need to be familiar with the types of warnings and alerts an SIEM produces and have well-tested procedures in place that they can follow. This not only ensures the right people know the right actions to take, but also that those efforts are coordinated.
Of course, security teams need to have the resources required to handle and respond to the additional alerts and warnings a well-tuned SIEM will generate. Taking the time to fully inventory and classify data assets will enable an SIEM to better prioritize threats. An asset discovery and profiling tool, sometimes included within an SIEM, will reduce the time spent categorizing network assets and also pick up configuration drift and hardware and software changes.
Good security is a continuous process, and a well-resourced and configured SIEM can provide constant awareness of the state of security, vulnerabilities and threats, and thus support those teams managing and protecting information systems running core mission and business functions. If the teams have ample resources and well-tested procedures to follow, overall enterprise information security will improve. That's a worthwhile objective any day.
This was first published in January 2014