SIMs tools and tactics for business intelligence

Security information management systems (SIMs) automate the process of looking through logs to help produce effective reports, issue alerts and do forensics. But organizations also need added visibility into their networks and applications.

This video explains the benefits of SIMs tools and how security professionals can leverage SIMs for business intelligence. It will also address:

  • Business analytics: compliance mapping, SLA support
  • Logging, audit and archive analysis
  • Real time risk posture plus network/application performance analysis

About the speaker:
Tom Bowers is managing director of consulting firm Security Constructs.

This video was originally recorded in February, 2007.

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact  

Interviewer: Hello and welcome to our SEIM, Security Event and Incident
Management, with guest speaker Tom Bowers.

Tom Bowers: It's wonderful to be here. This is a very exciting space. There
are a lot of changes, a lot of growth happening here, and some really
interesting new abilities and capabilities of the security event and
incident management space. I always get confused, is it security event,
security incident, security information? We're just going to call it SEIM
today and make it easy on everybody. Having said that, let's go to our
first slide.

Some of the things we want to talk about today are why we care about this
space. What makes it so important? Why are we seeing growth here? And there
are some really interesting reasons for why we are seeing this type of
growth. We want to take a look at some of the business facets, not just
technology. There are certainly a lot of technology benefits. We're
certainly going to talk about those, but we also want to talk about the
business benefits. What do you gain from a business perspective when you
implement a SEIM system, and then what about those compliance issues?
Actually, we're going to talk quite a bit here about compliance because
compliance is playing a much larger role in the SEIM market.

Then we're going to talk about risk exposure mitigation. Where does the
SEIM market fit in, in either reporting, helping you to monitor, helping
you to alleviate your risk exposure, and how do we mitigate those things?
Then, what about audits? Everybody is talking about compliance audits. Of
course, all of our vendors out there are saying they can help you with
audits, but we're going to talk very specifically here.

My goal for this presentation is to be very pragmatic, give you a real-
world global enterprise view of this space and what's available to it.
Let's jump right in to the benefits of SEIM itself. There are a ton of
benefits from a technology perspective specifically for SEIMs, not the
least of which are the data feeds. We're going to get data feeds from a
very wide range of network components nowadays. Certainly, it started out
with simple things like routers, switches, firewalls, and IDSs. But now, it
can do anti-virus. It can do some identity stuff. Anything basically on
almost any type of network-based appliance can be captured using a SEIM
module, and as we go along here, we'll see why that's important.

Therefore, it covers a very wide range of data types, things like network
flows. In the Tech Tip coming out, we talk specifically about network
flows. Security events certainly, that's one of the big things that we're
looking for, are what type of security events, and what do we mean by a
security event? We're talking about everything from a malware attack, a
simple virus and worm attack from your anti-virus system to something from
your intrusion prevention, intrusion detection, potentially your firewall.
How about somebody tries to log in with inappropriate user credentials? All
of those are considered security events.

Now, for the very first time, we're just starting to see some application
layers events. Some of these vendors are bringing application layer
monitoring into the SEIM product suite, a very exciting time. All of this
information is then brought into a correlation and an analysis engine. It
gets correlated. It gets prioritized. It gets put up in a risk-based
report, and so it's all drawn together, and this is really the heart. This
is, in my estimation, where the SEIM market really shines, is this
correlation and analysis engine.

It's also going to be the area of greatest tuning. It's going to be the
area of greatest customization because the correlation has to be done
across a wide range of different vendors. You may have, let's say, a Cisco
switch and a Juniper firewall, et cetera. You have different types of
equipment manufacturers out there all trying to talk to the SEIM market, so
this correlation analysis is going to take a lot of work to make it happen.

What it provides to us is drillable reports. By that, I mean it has a
dashboard like many of the other security appliances out there or security
solution, provides graphical drillable reports which, in and of itself, is
very, very good. Those reports give you the number of events, where those
events are happening, and it can give you typically red, green, blue,
yellow. It would give you color coding basically, of where those areas of
greatest risk are.

One of the biggest additions, and is to me, one of the greatest new
benefits that we're seeing, is most of the SEIM vendors are providing
visualization techniques. So now, not only do you have the text and graphic-
based reports that tell you how many incidents are happening, you have a
visualization that tells you where, or let's think of it in terms of a
malware attack. You got 15 machines out of 40,000 that are infected, and
they are all going after a particular host. While you can see that visually
with the visualization tools, this, to me, is a very, very exciting new
addition to the benefits matrix for the SEIM market, and we will talk about
this some more as we go along.

Additionally, there are some new integrations happening. I really like what
I'm seeing overall in the SEIM market. The reason I say that is because the
SEIM is centrally placed in your network. It's taking inputs from a wide
range of other technologies, so it's ideally placed to tell you if
something is going wrong or to provide an automatic change management
system into your network. So what we are seeing now is integration of SEIMs
with your help desk systems. It will automatically generate a help desk
ticket for you. It can also automatically generate a change management
ticket for you as well as a help desk so it will integrate with your change
management processes, and most recently, the SEIM market is integrating
into patch management.

Now we've got an automated system that says it's reading these attacks, the
attacks on, let's say, a particular server. It's clear that that particular
server is missing a patch, it can automatically send that information over
to your patch management system and says, "Yes, we need a patch on that
particular server." It puts in a help desk ticket. The help desk ticket
then tells your network people, your operations people, the network folks
that you have a help desk ticket out there, and then it puts it into a
formal change management process so we're making sure that we're doing this
in accordance with all the laws and regulations. This, to me, is a
critically important new area of benefit for the SEIM market, this
integration with help desk, change management, and patch management.

What I would like to see, what I'm hearing rumors of, and they are only
rumors at this point, is potentially having the SEIM system provide control
actions. Let's say you have an internal IDS or IPS that sees a particular
type of attack that's going outbound, or even easier, a malware attack. A
contractor's machine brings in an infected machine. It starts infecting
your network. It wants to communicate that traffic out through the Internet
to other vulnerable hosts. Well, instead, maybe the SEIM market can change
the firewall rule or the IPS rule dynamically. I know that some of the SEIM
systems are doing that but very, very few. Think of your network much more
holistically now. SEIM has the potential to integrate and become really a
central control mechanism for all of that.

One of the very, very newest, and I have only seen this over the last
probably six months, is now identity transaction processing. What this
means is that for the very first time, your SEIM system can integrate
with your identity and access management system. So now, not only are you
getting technical things, the packet, the ones and zeroes on the wire, not
only are you getting anti-virus events and IPS and firewall events. Now you
can get user events. So the user event logs get correlated with all the
network transactions to detect, become more and more accurate as to what is
anomalous behavior and what is not. This is a very exciting, I think, and
so far, underutilized but I think a great area for growth as far as
benefits go.

Lastly, of course, are the auditing capabilities. This is one of the strong
suits. It's one of the big drivers for the growth of the SEIM market, has
been the auditing capabilities to help you meet compliance requirements,
and we'll see this again very, very shortly.

I'd love to be able to sit here and tell you that the SEIM market is all
roses when in fact, it's not. There is some real heartache out there with
implementing SEIMs. It's a big opportunity for the SEIM vendors, but right
now, it's a real heartache. And probably the first and foremost, is this
thing is very, very complex to install and manage. I've already briefly
mentioned it, but imagine a control system that has to talk to 15 different
types of security vendors with 15 slightly different variations, let's say
XML or text files, flat file, relational database, whatever it may be,
there is a ton of customization that has to happen.

Some of the vendors are putting a lot of research and development dollars
into this particular problem. They're trying to make it easier and more
modular to plug these things into your network. The challenge is that
the security vendors don't agree all the time on the proper way to
communicate, the complexity here is huge. In a large global enterprise with
40,000 desktops and 100 offices globally, expect to take between two and
three years to deploy a system and get all the bugs worked out. This is not
an easy system. You're going to have to deploy on one section of your
network, make sure that works, and then add the other sections of your
networks, so you're going to have to bolt those on.

You have to make sure that when you do the initial bolt on, when you do the
initial installation, let's say you are doing one site with 5,000 people.
That one site, you want to build it so that it's scalable for the 40,000
people across 100 offices but it's only really dealing with 5,000 people.
It gives you the time you need to build this thing to get them customized,
to get those connectors built in because not all security appliances will
talk natively. Some of these things you have to build custom connectors to
do this with.

Having said all of that, we have a great system. It's complex to install.
There are a lot of good benefits. The reality is right now, this thing is
just used to store data. When you look at this thing objectively, that's
really all it's doing, is storing data. It then runs analytics against that
captured data, so there are some forensic capabilities here that you can
take care of, and then certainly, what is really needed is to generate
reports. The more time you spend on building those complex connectors and
getting them ironed out so that it's nice and smooth and then running the
right analytics, getting that algorithm tuned, the better reports you're
going to get. What you're going to end up with is a huge amount of
customization required to get the most out of this tool.

I don't want to belittle this point. This is a lot of work, folks. It's
going to take a lot of man-hours, so don't look at this project purely from
how much it costs you to purchase the solution. Look at this project from a
total cost of ownership, how much administrative time it's going to take,
how much training time it's going to take. Don't forget about not just your
training your administrators, but training your help desk folks, training
the network operations folks, training your data center folks because
they're all going to have to have some level of training here. All of that
adds to your total cost of ownership.

However, once you've done all of this, you get the benefits from the
previous slide, and a lot of large corporations are touting how important
this system is in meeting their business needs and compliance needs.

Let's talk about some of these business benefits. It breaks down here into
four major areas. Well, why am I even talking about this? Always remember
that you are a security professional. You are therefore a business risk
management professional. That's really what security is. We are a business

In my case, I used to work for a large pharmaceutical. We sold
pharmaceuticals for a living. We did not sell security for a living. We
always sold pharmaceuticals. That meant there was research and development.
There is sales and marketing. There is new discovery. That's what the
company did to generate revenue. We were there simply to enable the

Why do I have this slide here? This slide is here so you can go back to
your business unit folks and convince them of the business need, and, oh,
by the way, get the money that you need to implement a security solution
like this, operational improvements.

One of the biggest operational improvements you're going to see is
automatic processes. Once this system is in place, you can develop
automated response, automated control processes for normal everyday
business functions. This will ultimately lead to productivity efficiencies.
You'll need less effort required from your security administrator to do a
wider range of things.

Imagine, if you would, the way we're doing it now. You have a firewall
administrator, then you have an anti-virus administrator, then you have an
IPS administrator, then you have an identity access management
administrator. All of these are separate people, or if it's the same
person, doing four different jobs at four different times. Imagine now a
console that gives you a risk profile, the dashboards, that gives you a
hierarchy of the needs of incident management or event management that you
can go after and do in order based on business risk. You've just made your
security administrator a lot more effective, a lot more efficient in doing
their job. They get a lot more done in less time.

Well, one of the obvious ones here then is risk mitigation. We get an
improved reaction to breaches. Why? Because you can see across the
enterprise now, it's the classic salami attacks where you divide a piece of
ring bologna into small slices. That's exactly what a salami attack is all
about. You have small attacks going across different egress points across
your network. Well, because your SEIM solution can feed the entire network,
it's pulling down information from those disparate parts of a network and
can now correlate all the information and show you that there really is an
attack, so you can react faster to breaches that you couldn't even see
before. You get better user access visibility, especially with those
systems that are plugged into identity and access management systems. You
get integration into other technologies, such as change management and
patch management.

All of this lowers your business risk profile because now, think of it in
terms of you're doing outsourcing. You're doing work with a third party
vendor where you're transmitting your intellectual property back and forth
between this outsource partner or just a supplier out there. Your
intellectual property is going back and forth. Now, because your routers,
your switches, your user identity management, your IPS, your anti-virus,
all of these things are coming in to the SEIM, you can be an enabler of
that process, of that outsourcing process because you can monitor that,
respond to it quicker, so now you're lowering the risk profile for the
business to go do those things.

In the case of the pharmaceutical I worked for, they were saving hundreds
of millions of dollars by outsourcing non-core business functions, but we
had to provide a secure portal for them to be able to do those things and
be able to provide monitoring for it.

Compliance and auditing, this is a big one. Because you got so many events
coming in, you find yourself having easier compliance at less cost, and we'll
talk specifically about compliance and some of those things. Basically, it
allows you improved auditability.

Business enablement, this is probably my favorite one here. You're enabling
the business, such as co-sourcing. It gives you a better security view of
the venture. Many, many times, the business units would come to us and say,
"We want to provide a Web portal, but we know that they are using
competitors' laptops to enter information onto our portal. How do we allow
that and still do things securely?" This is one of those technologies that
allows you, because of all the monitoring, because of all of the
information it's gathering, because of all the correlation and analytics,
it's giving you a very, very healthy view of that process, so the security
view is a big piece. It gives you an improved security with a lower

This is one of the things that the business folks love. Yes, they come to
you, yes, you're becoming a business enabler, but they don't want to know
about it. They don't want their users to be impacted. You and I have all
been there where, "Yes, we want it to be secure but don't affect how I do
business," and that's reality. The other reality is, nowadays, we can begin
to provide those. There are technologies like SEIM out there that have a
very, very small impact, if any, on the end user, the business people of
the business, so you can have improved monitoring. You're behind the scenes
here. The end user will never see any of this monitoring. They'll never see
the audits. They'll never see the incident response mechanisms that are
going on. It's all behind the scenes, and yet you've given them an improved
security posture. That's what the business people are looking for, and as a
consequence, you become a friend.

Centralized functions, this is probably another one of the big business
enablements. It's security enforcement especially for things like identity
and access management. You can provide controls that go back and forth, so
you can enforce policies based on a SEIM market.

Entitlement management, when combined with our identity and access
management, again, based on where they're going, on what part of the
network they're accessing, what their credentials are, what attacks may be
going on, et cetera, you can provide policy management through the SEIM
space back to the identity and access management. The SEIM space or the
SEIM system does not in and of itself provide control. It simply sends a
report back to the identity and access management system and says, "This is
what's going on. This is what needs to happen." The identity access
management actually provides that. Obviously, security event monitoring,
that's the name of this particular venture here, so that's one of those
centralized functions that it's providing.

Lastly, it's providing enhanced business credibility. What I'm talking
about here is you, your company. Let's say you're company "X". You're
outsourced to company Y or you're trying to partner with company "Z".
Because you got a better security posture, the relationship you can have
with company Y and Z is much stronger. Your credibility is higher because
they realize that you're monitoring everything that's going on. They feel
more comfortable doing business with you from a business perspective.
Therefore, your business partnership relationship can be more lucrative for
your company. The terms may be easier, et cetera.

If you're a retail company, you end up with more consumer or partner
confidence. We see this in the banking industry. Think about the FFIEC
guidelines, the PCI guidelines. What were they really put in there for?
They were put in there to raise customer confidence in the infrastructure
so people would do business online. The SEIM is no different when talking
about doing partnerships or doing outsources.

Compliance mapping, regulations, I don't want to beat the regulations to
death, but certainly, the regulations, things like Basel II, the FFIEC. One
that most people tend to forget, FERPA, it's almost identical to FFIEC
which is for the financial institutions. FERPA is for education. Most
people don't even realize that there are the same regulations for
educational institutions mainly because, as a certified ethical hacker,
I've certainly seen schools, universities that are wide open. Well, now,
there is federal regulation that they have to be as stringent as FFIEC. PCI
guidelines certainly, GLBA, HIPAA, Sarbanes-Oxley, those are all common

So what are the requirements? Well, typically, and I want to just kind of
touch on these, typically, what all of these regulations require are the
following: some type of policy-driven security management program. Gee, it
looks like we're putting that into place. How about validation of security
controls? Well, if I have a SEIM appliance that's providing you with
automated processes as an incident response, automated auditing, I'm
already providing a validation that my security controls are working a risk
management approach to information security. This, in my mind, is really
coming up on the landscape.

You've probably seen by now that companies, especially large companies, but
I've seen a number of midsized companies now not only have chief security
officers, CSOs, and chief information security officers, CISOs. What I've
really seen a growth in is chief risk officers or directors of risk
management that either work with information security or become the people
for information security. The reason being is that, if you look at all the
data breaches out there, stock prices are getting hit.

When you had Dupont last month announce a $400 million data breach, their
stock price took a hit for a few days. Now it's recovered because they are
very smart about their public relations, but the reality is if you lose 10%
of your stock value on a company the size of Dupont, you're talking tens of
billions of dollars. So there is a real cost to the business. And the
business is saying, "Look, we are a risk function. Therefore, we need to
have somebody in charge of business risk." Security event management and
compliance really mandates that you have a risk infrastructure.

One of the compliance requirements is a demonstration of due diligence in
the application of internal controls. What you're going to find is that
this due diligence means you have to do, go back in the U.S., to what's
called the reasonable man rule, what a reasonable man would do to verify
that their security controls are in place, what a reasonable man would do,
or a reasonable person nowadays, what a reasonable person would do to
protect intellectual property. What you find that even though the
compliance guidelines are driving you here, this due diligence or
reasonable person rule applies to trade secret protection, so it really
provides dual benefits here.

One of the compliance requirements is an effective security incident
management process. Well, that's the whole idea here of the SEIM market, is
that effective security, and more importantly, it's repeatable, it's
controllable, it's refinable. That's very important. Reporting is huge.
When you look across any of the compliance guidelines, reporting is a huge
piece. You have to be able to prove what you're doing. You have to be able
to show the auditors what's happening.

And then archiving and document and preservation, this is a big one, and
what it's not saying here on the slide is the new e-discovery. I'm sure
many of you have seen the new federal guidelines for e-discovery. Well, all
of these archiving and document preservations can be a component of meeting
the new e-discovery rules. If you're not looking at it now, you need to be
looking at it. Whether you're big, little, or small, you need to be looking
at the new e-discovery requirements because SEIM and the compliance
requirements are going to push you in that direction.

How does SEIM really plug into compliance? We've mentioned some of these
already, but strong internal controls are built into the product. That's
huge and that's probably the number one on the hit parade for compliance,
and it's the reason that compliance is driving the SEIM market right now.
It's the number one market driver. It's not even trade secret protection
anymore. It's not network monitoring anymore.

It's compliance that's really pushing this space, and the reason being is
that it provides strong internal controls, so it meets two big areas. The
first and foremost is it validates your security controls because you can
physically see it. You can bring out reports to show that here is the
security control I put in place. Here is the automated policy I put into
place. Here is the process I've put in place. And you can validate if all
of that works and you can validate its effectiveness, and by this, I mean
the security program.

It's a repeatable process. To me, that's the beauty of this system, is that
it's highly repeatable. It makes this a very strong offering nowadays in
the security space, is the repeatability. And this is an area where I've
really seen the SEIM market grow over the last couple of years, is the
repeatability. It's built in a lot more policies, a lot more automation so
that it's actually trying to reduce the amount of time that a security
administrator has to take to do or to respond to incidents.

Another big one is the reason that it helps compliance is that this system
is enterprise-wide. Before, you had to put in, let's say you were just
manually monitoring network flows or you were manually doing content
monitoring or you were doing anti-virus or intrusion prevention and you had
12 different intrusion preventions across your enterprise of 100 offices,
so you had to monitor it to pool reports from all of that. The SEIM market
gives you an enterprise-wide view from one console or one set of reports so
you can pull reports by site or by enterprise. This is a very, very big
piece for helping you meet compliance requirements.

Real-time risk exposures, what is this thing really doing? What's the SEIM
space doing? How is it helping your service level agreement to the
businesses? Well, first of all, it provides drillable reports from a risk
exposure. One of the dashboards you are going to see on all of the vendors
is going to be risk exposure. That's probably the most common one. It's the
one that we tended to use at the pharmaceutical I was at, is the fact that
it was drillable.

Please note that I put Real-time Risk Exposure as the title of the slide
and yet the second bullet point says Near Real-time. Well, the reality is
it's near real-time. It's almost real-time. There is always some time lag.
You're based in the United States, let's say Connecticut. You've got
offices in Dubai. You got offices in India. You got offices in Pakistan and
Hong Kong. It's going to take time for those network events to go to the
collectors in those locations. Then those collectors are going to feed up
to your master security event monitor console. It's pretty close to near
real-time. It could be seconds of the way, it could be milliseconds. It all
depends on your infrastructure. It depends on your Internet links. It
depends on your capabilities. But just realize it is near real-time, not
actually real-time. Surely, if this stuff is happening locally, it will be
almost instantaneous. The vendors are doing a lot here with pre-staging,
pre-filtering to help move this information along.

Your risk exposure is also monitored by your threat activity across the
extended network or the extended enterprise, and most excitingly, to me,
across the physical network, as well. It's not just the virtual or logical
network. It can show you across the physical network, in other words, which
switch in which location. You got a switch in London, England that's
generating abnormal or adverse events, and it knows that across the
physical network, so it understands both the virtual layer, the logical
layer, and the physical layer. That's a relatively new offering in the
SEIMs space here, is that physical network capability for risk events.

It allows you to see the course of attack. This has always been one of the
strong points as far as risk is concerned and why SEIM even took off in the
first place. Because, imagine if you will, and we've all seen it through
the years, a hacker will create a malware. The malware drops a Trojan. The
Trojan shims the kernel, and part of that is also a key logger, and it
makes a remote connection so it gives the hacker a back door. Now, yes, I
will be the first one to admit that 99% of those don't work, but some
enterprises know that complex malware is going to work, especially as a
zero-day exploit.

Now you've got, the hacker has got a toehold inside of the enterprise, and
if they are monitoring at that time before signatures have been updated,
including anti-virus, the IDS, IPS, the firewall rules, before all those
things get updated, the hacker happens to get a toehold, finds some other
external drops of a Netcat tool, the Swiss Army knife of hacker tools,
drops a Netcat tool, creates a couple of back doors for himself, him or
herself, and now begins a systematic attack into the network. This allows
you to see that attack happening, again, in very near real-time. It's
virtually real-time but you can see the attack progressing, especially
with, you'll see it initially with the risk profile on the dashboard. The
dashboard will come up bright red. It will show you the risk profile.

The visualization tools will connect all the dots. Quite literally, it will
connect the dots, it will show you that the hacker has gone from, let's
say, a Unix server, that it's compromised, and that the first thing it did
was load malware onto several printers in the enterprise, printers or
someplace nobody ever checks because they have hard drives, they have their
own Web servers. You drop tools onto the printers, onto the printer hard
drive, and then you go find a few video cards with video RAM available so
that you can load some tools into using Netcat, et cetera you use something
like a printer. Load Netcat onto the printer, create that outbound
connection. It's one of those things that most people don't think to look
at. You can see all of this happening in near real-time.

So, what happens? How is this risk exposure, how is it actually happening?
The way these things typically operate is, first of all, they tend to be
rule-based. In my mind, much like an IDS, IPS, they are very rule-based.
They use very complex statistical heuristic methods as part of an
analytical engine. It takes not only the real-time data but it takes the
historical data, what I'll call the baseline data in order to do all the
correlation and analytics. It puts all that together. It does its
correlation, which is really, as I've said before, is the meat and potatoes
here of this technology.

Then it provides you with a visualization and analytics, and it ultimately
comes out with some reports. That's really what this thing is doing. In a
nutshell, it records the data, puts it in a big database. It does some
analytics, some correlation across this, runs some statistical analysis,
and then provides you with some visualization of reporting. That's really
how these things are operating to give you a real-time risk exposure idea.

It does this nowadays for both the network and the application layers. It
used to be just the network. But now, it's the network and the application
layers. As I mentioned before, it's one of the most exciting additions in
the last 12 months. These are new capabilities, especially the correlation
across these, and we're going to talk about why that is in just a second.

As the architectures become stronger, you can also do application
performance analysis. So now, what you're doing is you're leveraging.
Instead of having to do a specific application performance tool, you can
actually use your SEIM tool to do that with. Because it's measuring
application layer, as long as you build in those connectors, you've
customized, you've tuned the engines, you can now do application tuning
right through your SEIM system.

It's capable of doing those kinds of things, especially as these continue
to grow more powerful, the new dual core, quad core, Xeon processor with
multiple gigabytes of memory, highly tuned Linux cores, et cetera. As these
things become more powerful, their ability to do things like application
performance and scanning capabilities and reducing false positives become
more and more effective.

One of the most important, and I mentioned it already, is compliance as a
driver. This is the number one driver in the marketplace right now for
SEIM: compliance issues, trying to meet the new compliance guidelines,
especially when you have things like the FFIEC. FFIEC went into effect
formally, December 2006. Oh, by the way, it started the new e-discovery
rules for federal U.S. courts' discovery requirements, they also went into
effect December 2006.

How do you do this? How do you comply with all these things with all these
disparate systems? A system like SEIM going into place helps you to meet
those compliance requirements. Again, based on my own professional
experience, what I've seen, what I read, my research shows that the U.S.
courts, as long as you're in the process of developing and deploying a SEIM
system, they see that as reasonable. Again, we go back to that reasonable
person rule. They are saying that's reasonable. As long as you're making
reasonable effort towards the implementation, then the compliance folks
will typically see that as reasonable. This is the major growth in this
particular area.

Canned auto reports, this is probably one of the biggest technical areas of
growth in the SEIM space, and that is, all of these vendors now will give
you canned reports per regulation. For the FFIEC guidelines, you'll have a set
of canned reports for FFIEC, PCI, FERPA, HIPAA, GLBA or Sarbanes-Oxley; you
get the idea, they offer you canned reports. You don't have to
have any fancy customization. You can, but out of the box, you'll be able
to have those things. They are repeatable and they give you a very easy way
to view compliance reports. So right out of the box, putting this system in
place, you have canned auto reports you can begin to show your auditors.

The ability to archive, this is one of the newer growth areas, and there
are two components here of the archiving capability. The first, and the
one that most people forget, is the forensic analysis capability. This is a
big piece. I know at the pharmaceutical I worked at, we did our own
forensics in-house. We never lost a case that we did our forensics on.
We were always able to hand over our forensics results, whether it be network
or computer forensics, to the FBI or Secret Service. They certainly would
verify our results, but we never had one get back to us. Forensic analysis
is a big deal.

Make sure that when you set the archiving system up, you set it up so that
you can maintain that chain of evidence because that's really, if I were to
point to one thing, that's the key, is the chain of evidence. So set up
those processes, and now we're talking about external business processes.
Set up those processes and policies and then follow those processes and
policies, and this can become a very powerful forensics analysis tool. You
set it up as per your corporate policy, in other words, things like
archived time to live.

How long do you have to keep it in archive? How long until it rotates out
to tape? How long do you keep it overall? What's your chain of evidence
look like? And certainly, you can go to the NISC guidelines. You can go to
the U.S. courts, the Supreme Court, et cetera, or the Secret Service. Secret
Service is probably the best one out there that has nice general
discussions on chain of evidence, chain of custody, and you can build your
program around it. You don't have to reinvent the wheel.

Then, the last thing here about archiving, which is a huge implication, is
e-discovery. This is one of those components that will help you meet your
new e-discovery requirements. You're going to have to read the e-discovery
requirements for yourself, figure out how they apply to your company, but
you're going to realize very quickly that the SEIM archiving capability is
a key component to meeting your e-discovery requirements. It can save you a
lot of money because buying e-discovery tools and e-discovery storage and
archiving tools can be very, very expensive, especially when you've already
got ...

If I look at e-discovery overall, if I back away just for a second, there
are a lot of tools in your enterprise that you've already got. You may be
doing content monitoring. You may be doing something like a SEIM. You may
be doing patch management or change management that have their own
reporting requirements, their own archiving requirements. Those may become
an integral part of your e-discovery, meeting your new e-discovery

We come to the very end here. This is a vastly maturing space, and by that,
I mean it's maturing very, very quickly mainly because as large enterprises
and medium-sized enterprises are implementing these technologies, they're
asking for new feature sets, new capabilities, and the vendors are
listening. The rate of maturity in this space is very, very fast. It's
increasing the capabilities here and that's a very, very good thing. This
is what I would call a mature technology. There are still some real
complexities in installing it, but it is still a very, very mature
technology. It works when done correctly.

There are many real measurable business benefits. We talked about a number
of business benefits for putting your SEIM in place. Use those business
benefits to sell your business units and thus, your chief financial officer
on the need to pull this into play, obviously going to the CFO and saying,
"Oh, by the way, it meets all these business requirements and it meets the
compliance requirements. It's going to make your job much, much easier." It
is a very, very powerful tool for compliance and auditing.

To me, this is a grand slam homerun as far as compliance and auditing
because it touches so many systems. You can give the auditor one report or
one set of reports that shows them a wide range of reports concerning the
validity and veracity of your security practice.

And lastly, it gives you the ability to provide real-time risk exposure. It
allows you to not only view attacks in real-time but respond in real-time.
Now this is a good system. Like I said, the SEIM market is plugging into
your change management, your patch management, your identity and access
management, your help desk. I see it plugging into other systems in the
future and potentially, becoming a controlling mechanism. I think it's a
very, very exciting time for the SEIM market. I think this very powerful
business tool deserves a lot closer scrutiny, and I wish you success in
your deployment.

Interviewer: All right. Great presentation, Tom. Thanks so much. I have a
few follow-up questions for you here. First, I would think that SEIM
systems would be able to reduce the risk profile of a corporation, but
obviously, it's never as simple as installing a system and reaping the
rewards. Is it fair to say that SEIMs help corporate risk profiles, and
what are the caveats there?

Tom Bowers: What a great question. Yes, overall, certainly, and I like the
way the question was raised because it's corporate risk profile. You're
talking about the business here holistically, and that's really what we're
all about. It reduces the risk profile from some very active standpoints
because it allows real-time view, which then improves your reaction time to
breaches. It gives you better user access visibility, especially with those
SEIM systems that are plugged into identity and access management. That's a
very real-time active dynamic. And because it's integrated into other
technologies, such as change in patch management, help desk, identity and
access management, it gives you a much more holistic control.

As I mentioned, there is some real heartache here with getting this thing
implemented into the enterprise. These things are highly, highly
customized. Yes, there are some blockable block modules you can bolt onto
the system, but it's mainly the connectors. If I were to point to one area
that's the biggest challenge, it's the connectors. What it might be, you
have a connector for some third-party router that most people have never
heard of, and you can talk to it, but it's going to take a particular
unique connector.

Or identity and access management, the SEIM vendor says, "Oh yes, we talk
identity access management." Then you find out, well, the connector is
only, sort of, kind of, built and it's really not built for your particular
one, so you have to customize those connectors. It can take a lot of time.
You have to realize upfront when you do your business analysis, when you do
your project analysis, and when you review vendors, specifically ask them
about what connectors do you provide out of the box? Who do those
connectors really talk to, flawlessly? Who are they seamless with, and then
what is their customization process? Is the process stated, written, or is
it ad hoc? Do they come back and say, "Oh yes, our development guys can do
that," or can they hand you procedures and say, "Here is our stated written
process for integrating any other third-party product into ours"? There
are some great ways to reduce the risk profile. Just realize it's not all
roses to get there on the path.

Interviewer: Following up from one of the themes of today's webcast, it
seems like there is quite a bit happening right now as far as the
innovation of SEIMs market. Can you talk a little bit about what
enhancements specifically we could expect to see in the near term?

Tom Bowers: Sure. There are a lot of enhancements happening here. I
mentioned identity access management is really brand new. One of the other
big enhancements is this whole customization. The vendors are hearing the
end users loud and clear. A lot of SEIM vendors are losing sales because
they're just too difficult to implement, that yes, as long as you use all
of product X's routers and switches, yes, we plug right in, but if
you're using product "Y's" routers and switches, there is a lot of
customization required. And so the end, the security vendors are listening
to that and being able to integrate into that.

We're certainly seeing a lot of growth, a lot of expansion into which
change management vendors, which patch management. That patch management is
a big one. And they don't necessarily talk. They talk to the big patch
management vendors. They don't talk to all the patch management vendors.

I know I did a feature article on patch management a year or so ago, and I
think we reviewed, like, seven or eight, and there is at least that many
out there. But the SEIM vendors don't talk to all seven or eight. They only
talk to maybe two or three, so the addition of how many other vendors.

Basically, what I'm talking about is this whole integration piece where
what I'm seeing as an industry, especially in this space, is I see a lot of
growth in the integration that security event manager system companies are
really putting a lot of development dollars into that, and that's probably
the biggest space.

Other things are compliance drivers and business drivers, being able to be
a lot more adaptable to business processes. The challenge with the first
generation SEIM market is that they had a business process but if your
business process didn't fit that, then you really had to change yours to
fit the SEIM vendor. Nowadays, they're becoming a lot more flexible, and so
the SEIM market gives you a lot more flexibility in how the business
processes work and be able to adapt the SEIM market to that.

Having said that, with flexibility comes complexity, and it takes more time
and energy. So there are a lot of really good positive things I see coming
down the pike in this market. Some of them are here today and they're just
growing. Some are not quite here yet but things like the control mechanisms
integrating to other, whether it's an anti-SPAM vendor, whether it's a
content monitoring vendor, whether it's a digital rights management vendor,
the SEIM market is not talking to those yet but they're ideally placed to
talk to those.

Because they can talk packets, eventually, they'll be able to talk content.
They're talking application layer now, have the content vendor, the content
monitoring vendor talk to the SEIM vendor and correlate all that data, and
if it sees a problem, sees content that shouldn't be going out, it should
be able to go to the digital rights management vendor and get encrypted,
get protected, or get classified. It's not quite there yet, but I see it
coming down the pike, and I think it's an exciting time.

Interviewer: I know you talked about the broad and powerful capabilities
that the SEIM systems have. I wonder if you could maybe tell me why more
corporations aren't selling them if you see that something is going to
start changing.

Tom Bowers: Yes. Certainly, I think the compliance issue is really pushing
this whole issue that even though the businesses don't want to install it,
they're being forced to anyway because compliance requirements are driving
them towards that. But more importantly, I see business drivers pushing
them as well. The biggest problem is complexity, it's time for deployment.
It's going to take two to three years, and so corporations just haven't
been willing to shell out that money. And the reality was it wasn't mature
enough yet. There were some early adopters, but the space just wasn't
mature enough yet for companies to really make the type of investment in
time, effort, and energy, as well as dollars that it's going to take.

But I think that the compliance issues are going to fundamentally change
that, as well as the business drivers, as this, as more things like content
monitoring, digital rights management, anti-SPAM vendors, as these SEIM
systems can see more of these different types of technologies and correlate
that information, it becomes much more of a business enabler. And I think
as we go on in the next 12 months, we're going to see a lot more SEIM

Interviewer: Very good, Tom. Thanks for your insight. We'd like to thank
Tom Bowers of "Information Security Magazine" and security industry analyst
group Security Construct, LLC for joining us today. For more information,
read Tom's exclusive tip on how to incorporate flow analysis from managed
router into a SEIM. View the link on your screen.

Be sure to check out more of our resources on security event management at, as well as the rest of our great learning concepts
in our Intrusion Defense School at Again, that's And thanks to all of our
listeners for joining us.
