Security teams' expectations of security information and event management (SIEM) platforms have changed, and the platforms themselves have evolved in step. Vendors that were once niche players in a now-crowded field have not only overhauled their products in response to the growing list of requirements enterprises place on them, but have also added new capabilities to differentiate themselves from competitors.
The SIEM market is not static, and yesterday's leaders are no longer the sure bet they once were. Many products have added or improved capabilities in a number of areas. Below are four capabilities vendors are using to gain a foothold in the marketplace, and a way into your network.
Application and database monitoring
Collecting network activity and making sense of log files are core SIEM functions, but a purely network-centric view of security is of limited use. How an application works, and how its users are supposed to interact with it, cannot be determined at the network layer; misuse has to be judged in the context of the application's function. For this reason, additional data collection and analysis capabilities have been integrated into, or in some cases fully merged with, SIEM platforms. Application monitoring, database activity monitoring and file integrity monitoring are common additions. Because these features compare observed activity against a baseline of normal activity for the application or account, they are better able to distinguish acceptable behavior from an attack.
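As an added example (not code from the article or from any SIEM product), the following Python sketch shows what judging activity "in the context of the application function" looks like for database activity monitoring. Each audit record is scored against a per-account baseline of the tables, statement types and result sizes that are normal for that account, rather than against a network-level rule. The audit-log format, the account names and the baseline values are all constructed for the illustration; a real product would learn the baseline from history.

```python
# Added example: a minimal database activity monitor that judges each query
# against a per-account baseline. Log format, accounts and baselines are
# constructed for illustration, not taken from any product.
from dataclasses import dataclass
import re

# Constructed audit-log lines in a hypothetical key=value format.
DB_AUDIT_LOG = """\
ts=2024-05-01T09:00:01 account=app_user stmt=SELECT table=orders rows=12
ts=2024-05-01T09:00:05 account=app_user stmt=SELECT table=orders rows=9
ts=2024-05-01T09:00:09 account=app_user stmt=UPDATE table=orders rows=1
ts=2024-05-01T09:00:13 account=app_user stmt=SELECT table=orders rows=15
ts=2024-05-01T09:01:40 account=app_user stmt=SELECT table=customers rows=48211
ts=2024-05-01T09:02:02 account=dba_jane stmt=SELECT table=customers rows=48211
ts=2024-05-01T09:02:30 account=app_user stmt=DROP table=audit_trail rows=0
"""

LINE_RE = re.compile(r"ts=(\S+) account=(\S+) stmt=(\S+) table=(\S+) rows=(\d+)")


@dataclass
class Event:
    ts: str
    account: str
    stmt: str
    table: str
    rows: int


def parse_audit_log(text):
    """Parse the constructed audit format into Event records; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, account, stmt, table, rows = m.groups()
            events.append(Event(ts, account, stmt, table, int(rows)))
    return events


# Constructed baseline of "normal" per account: which tables and statement
# types it touches, and the mean / standard deviation of rows per statement.
BASELINE = {
    "app_user": {"tables": {"orders", "customers"},
                 "stmts": {"SELECT", "UPDATE", "INSERT"},
                 "rows_mean": 12.0, "rows_stdev": 5.0},
    "dba_jane": {"tables": {"orders", "customers", "audit_trail"},
                 "stmts": {"SELECT", "UPDATE", "INSERT", "DELETE", "DROP"},
                 "rows_mean": 20000.0, "rows_stdev": 30000.0},
}


def assess(event, baseline, z_threshold=3.0):
    """Return the reasons (possibly none) an event deviates from its account's baseline."""
    profile = baseline.get(event.account)
    if profile is None:
        return ["unknown account"]
    reasons = []
    if event.stmt not in profile["stmts"]:
        reasons.append(f"statement {event.stmt} not in profile")
    if event.table not in profile["tables"]:
        reasons.append(f"table {event.table} not in profile")
    # Result-size check: a bulk read from an account that normally touches a few rows.
    z = (event.rows - profile["rows_mean"]) / profile["rows_stdev"]
    if z > z_threshold:
        reasons.append(f"row count {event.rows} is {z:.1f} sd above normal")
    return reasons


def find_anomalies(text, baseline=BASELINE):
    """Run every parsed event through assess() and keep only the flagged ones."""
    findings = []
    for e in parse_audit_log(text):
        reasons = assess(e, baseline)
        if reasons:
            findings.append((e.ts, e.account, reasons))
    return findings


if __name__ == "__main__":
    for ts, account, reasons in find_anomalies(DB_AUDIT_LOG):
        print(ts, account, "; ".join(reasons))
```

Note that the same 48,211-row read of `customers` is flagged for `app_user` and accepted for `dba_jane`: the query is identical on the wire, and only the account's baseline separates a probable data-exfiltration attempt from routine administration.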
Identity services integration
The need to map a real user identity to observed activity has prompted SIEM vendors to integrate with identity management systems such as LDAP directories and Active Directory. Rather than reporting a generic service account name (for example, app_user) or a local account name, a SIEM platform can cross-reference those identifiers with the actual user identity behind them. This provides a clear picture of one user's behavior across multiple accounts at the network, service and application layers.
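The cross-referencing described above, as an added example that is not part of the article and not any vendor's implementation: database audit events carry only the pooled account `app_user`, the application server's login log ties each session to an authenticated principal, and a directory lookup turns the principal into a person. All three data sets are constructed, the log formats are hypothetical, and the `DIRECTORY` dictionary stands in for an LDAP or Active Directory query.

```python
# Added example: resolving a generic service account back to the real person,
# the way a SIEM cross-references identity sources. All records are constructed;
# DIRECTORY stands in for an LDAP / Active Directory lookup.
import re

# Database audit events: the database only sees the pooled account "app_user",
# but the application tags each statement with its session id (hypothetical).
DB_EVENTS = [
    {"ts": "09:14:02", "account": "app_user", "session": "s-7f21", "stmt": "SELECT customers"},
    {"ts": "09:14:09", "account": "app_user", "session": "s-9c03", "stmt": "UPDATE payroll"},
    {"ts": "09:15:30", "account": "app_user", "session": "s-0000", "stmt": "SELECT customers"},
]

# Application server login log (constructed): session id -> authenticated user.
APP_LOG = """\
09:13:55 login ok user=jdoe session=s-7f21 src=10.1.4.22
09:14:01 login ok user=msmith session=s-9c03 src=10.1.4.30
09:14:40 login fail user=jdoe session=- src=203.0.113.9
"""

# Stand-in for a directory lookup keyed by account name.
DIRECTORY = {
    "jdoe": {"displayName": "Jane Doe", "department": "Support", "memberOf": ["support-l1"]},
    "msmith": {"displayName": "Mark Smith", "department": "Engineering", "memberOf": ["dev"]},
}

LOGIN_RE = re.compile(r"^(\S+) login ok user=(\S+) session=(\S+) src=(\S+)$")


def sessions_from_app_log(text):
    """Build session -> (user, source ip) from successful logins only."""
    sessions = {}
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            _, user, session, src = m.groups()
            sessions[session] = (user, src)
    return sessions


def attribute(db_events, sessions, directory):
    """Attach the real identity to each DB event; unresolved events are kept and flagged."""
    out = []
    for ev in db_events:
        user, src = sessions.get(ev["session"], (None, None))
        person = directory.get(user) if user else None
        out.append({
            **ev,
            "user": user,
            "src": src,
            "displayName": person["displayName"] if person else None,
            "department": person["department"] if person else None,
            "attributed": person is not None,
        })
    return out


def unattributed(results):
    """Activity under a shared account with no owning session deserves its own alert."""
    return [r for r in results if not r["attributed"]]


if __name__ == "__main__":
    for r in attribute(DB_EVENTS, sessions_from_app_log(APP_LOG), DIRECTORY):
        who = r["displayName"] or "UNATTRIBUTED"
        print(r["ts"], r["account"], "->", who, r["stmt"])
```

The third event is the interesting one: a statement run under the application's account with a session the application server never issued. A network-layer view would show only `app_user` reading `customers`; the identity join turns the gap in attribution itself into the finding.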
Big data engines
In response to the ever-increasing need to store large amounts of data quickly and to run near-real-time analysis over vast data sets, many SIEM vendors have moved their platforms away from traditional relational storage and now use non-relational big data engines (Hadoop, for example) and the data management and storage techniques that come with them. These platforms are more elastic, scaling well beyond relational databases, and offer very high data insertion rates, which lets them handle a much larger event volume without falling behind. While they give up many of the benefits of relational platforms (relational storage, transactional integrity), they bring other benefits beyond insertion speed and scalability, such as built-in resistance to hardware failure and flexible storage of varied data types.
MapReduce query techniques allow massively parallel query operations, which speeds up analysis. Further, aggregating, normalizing and correlating data in advance is no longer required: within a MapReduce job, the map function can perform the normalization and correlation, and the reduce function performs the aggregation. This means data can be searched almost as soon as it is stored, with the processing cost paid at query time instead of at ingestion. One caveat a practitioner should keep in mind is that classic MapReduce is a batch model; whether a given query is interactive or merely "fast for its size" depends on the engine and the data volume, so claims of instantaneous search should be tested against realistic event rates before they are relied on.
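To make the map/reduce division of labor concrete, here is an added example (not from the article and not any vendor's engine) that runs a MapReduce pass over raw, un-normalized events from three differently formatted sources: a syslog-style VPN appliance, a JSON web application log and a CSV export of Windows logon events. Nothing is normalized beforehand; the map function parses each record and emits a correlation key of (user, source address), and the reduce function aggregates per key. The event lines are constructed and the VPN and web formats are hypothetical; the Windows event IDs 4624 (logon success) and 4625 (logon failure) are the real ones.

```python
# Added example: MapReduce over raw, heterogeneous events. The map function does
# per-record normalization and keying (the correlation step); the reduce function
# aggregates. Event lines are constructed; VPN and web formats are hypothetical.
import json
import re
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

RAW_EVENTS = [
    # VPN appliance, syslog-style (hypothetical format)
    "May  1 09:00:01 vpn1 auth: FAILED login user=jdoe from=203.0.113.9",
    "May  1 09:00:04 vpn1 auth: FAILED login user=jdoe from=203.0.113.9",
    "May  1 09:00:09 vpn1 auth: OK login user=msmith from=10.1.4.30",
    # Web application, JSON (hypothetical schema)
    '{"t":"09:00:12","evt":"login","result":"failure","user":"jdoe","ip":"203.0.113.9"}',
    '{"t":"09:00:20","evt":"login","result":"success","user":"jdoe","ip":"203.0.113.9"}',
    # Windows logon events as CSV: time,event_id,account,source (4624 = success, 4625 = failure)
    "09:00:25,4625,JDOE,203.0.113.9",
    "09:00:31,4624,MSMITH,10.1.4.30",
    "09:00:40,4625,ALEE,198.51.100.7",
]

VPN_RE = re.compile(r"auth: (FAILED|OK) login user=(\S+) from=(\S+)")


def map_event(line):
    """Normalize one raw line into [(key, value)]; key = (user, source ip), value = (status, source)."""
    if line.startswith("{"):
        d = json.loads(line)
        if d.get("evt") == "login":
            status = "fail" if d["result"] == "failure" else "ok"
            return [((d["user"].lower(), d["ip"]), (status, "web"))]
        return []
    m = VPN_RE.search(line)
    if m:
        raw_status, user, ip = m.groups()
        status = "fail" if raw_status == "FAILED" else "ok"
        return [((user.lower(), ip), (status, "vpn"))]
    parts = line.split(",")
    if len(parts) == 4 and parts[1] in ("4624", "4625"):
        status = "fail" if parts[1] == "4625" else "ok"
        return [((parts[2].lower(), parts[3]), (status, "windows"))]
    return []  # unrecognized record: dropped, not an error for the whole job


def reduce_key(key, values):
    """Aggregate one key's values into failure count, success count and sources seen."""
    fails = sum(1 for status, _ in values if status == "fail")
    oks = sum(1 for status, _ in values if status == "ok")
    sources = sorted({src for _, src in values})
    return key, {"fail": fails, "ok": oks, "sources": sources}


def mapreduce(lines, mapper, reducer, workers=4):
    """Parallel map, shuffle (group by key), then one reduce call per key."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        mapped = list(pool.map(mapper, lines))
    groups = defaultdict(list)
    for pairs in mapped:
        for key, value in pairs:
            groups[key].append(value)
    return dict(reducer(k, v) for k, v in groups.items())


def suspicious(summary, min_fails=3):
    """(user, ip) pairs with repeated failures and at least one success, seen across sources."""
    return sorted(k for k, agg in summary.items()
                  if agg["fail"] >= min_fails and agg["ok"] >= 1)


if __name__ == "__main__":
    summary = mapreduce(RAW_EVENTS, map_event, reduce_key)
    for key, agg in sorted(summary.items()):
        print(key, agg)
    print("suspicious:", suspicious(summary))
```

The correlation across sources happens only because the map function agrees on the key; no schema was imposed on the stores up front, and adding a fourth log format means adding a branch to `map_event`, not reloading the data. The cost is that the parsing is paid on every query, which is the trade-off the paragraph above describes.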
About the author:
Adrian Lane is CTO of Phoenix-based analyst firm Securosis. Adrian specializes in database security, data security and software development. He is a former executive at security and software companies such as Ingres, Oracle, Unisys and IPLocks, and is a frequent presenter at industry events. Adrian is a graduate of the University of California at Berkeley with post-graduate work in operating systems at Stanford University. Reach Adrian via email at firstname.lastname@example.org.