BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
If you have ever deployed a security information and event management system (SIEM) from scratch, you're aware of what a beast it can be. Deployments frustrate those who are responsible for the rollout of the platform and can consume many months -- if not years -- before implementations yield the desired results. SIEM systems collect just about every event type and piece of configuration data available, but the compilation of that data often fails to deliver actionable information.
If you're looking to better understand the value of a SIEM in preparation of purchasing such a system or if you're looking to replace the one you currently have in place, you need to know what features and functions are available, and how best to evaluate the real cost of system deployment and management.
In this tip, I will discuss why enterprises today may need a new SIEM, as well as the benefits SIEM systems have to offer.
Finding a new SIEM
Security information and event management systems have changed greatly since their inception. There are multiple reasons that organizations today are looking to deploy new systems. For example, many popular SIEM platforms released even during the last three to five years have begun to show cracks in their armor.
Additionally, the number of events today's enterprises collect far exceeds SIEM vendors' initial estimations, and the products may not scale as well as once thought. You may have also discovered that a SIEM is not easy to manage, and forensic analysis is beyond the capabilities of all but the most skilled users. In some cases, vendors have simply not kept up with the rapid pace of advancing technology, and both the features and vendor support are far from class-leading. In some cases it's because your selection team did a poor job of understanding the scope of the organization's requirements, the real cost of SIEM system management and the resource limitations of the team managing the SIEM system. All of the reasons supporting the original SIEM buying decision are still pertinent but now compete with a dozen other security, compliance and operational issues. If much of this sounds familiar, you're not alone: This is the situation many SIEM customers find themselves in today.
All of this can be a bit disappointing, as it feels like you just finished the rollout and customization of the existing system. But for many, given the gap between what the organization needs and what the product has delivered, it's likely time to question whether to reinvest in an existing SIEM platform, or consider ripping and replacing it with a different product. Regardless of which choice you make, it's always good to reassess your requirements. But it's also appropriate to take the opportunity to reassess available products.
As I noted earlier, SIEM platforms have undergone a significant transformation. Understanding the changes as well as the benefits SIEM systems should offer is critical to the evaluation process.
What enterprises need from a SIEM
Security information and event management products have become a cornerstone in IT, serving operations, compliance, and security and risk groups with valuable information they rely upon to get their jobs done. It's become almost essential for enterprises to have a platform that provides a comprehensive view of what's actually happening on the networks. This is not new. What is new are the challenges companies face, and the resultant expectations placed upon the SIEM platforms, including:
Scale: Initial capacity planning estimates for SIEM platforms are typically an order of magnitude below reality. Not only did the number of events increase, but also the number of applications, users and devices generating logs. More internal stakeholders want additional event types captured to aid in reporting and analysis. The resultant explosion in event data has come to mean a significantly larger investment in hardware and software is needed to scale up and, in some cases, has surpassed the original design specifications of the platforms.
Forensics: In the need to comb through a greater number of events to find increasingly subtle attacks, manual forensic analysis is no longer feasible. The need for automated data analysis, alerting and data enrichment to provide needed reference data is crucial to reducing the workload on operations staff. Platforms offer a much greater set of pre-built analysis policies and far better linkage of events for drill-down capabilities.
Speed: A SIEM platform is expected to produce near real-time results. It is no longer thought of as an "after-the-fact" repository of data, but a frontline security tool for the detection of, misuse of and attacks against applications. Alerts and actionable information must be available as close to real-time as possible.
Ease of use: In each of the last two recessionary periods, IT teams have taken hits to their budgets while being expected to perform the same -- or a greater -- amount of work with less money and fewer people. IT automation is how this is accomplished, with many tasks automatically performed per rules and policies built into SIEM platforms. However, as many have learned, the SIEM platform is not a "set-it-and-forget-it" system; most require a significant ongoing investment of time and manpower. Regardless, vendors have greatly improved their platforms' ability to automate rules, have re-worked UIs, and added threat and policy management dashboards to simplify day-to-day use.
About the author:
Adrian Lane is CTO of Phoenix-based analyst firm Securosis. Adrian specializes in database security, data security and software development. He is a former executive at security and software companies such as Ingres, Oracle, Unisys and IPLocks, and is a frequent presenter at industry events. Adrian is a graduate of the University of California at Berkeley with post-graduate work in operating systems at Stanford University. Reach Adrian via email at firstname.lastname@example.org.
Get help unlocking the opportunity of SIEM
Learn about next-gen SIEM from Marcus Ranum