Level 12

So Good They Can't Ignore SIEM

As of January 2014, Mosaic Security Research identified 86 SIEM products. -- Wikipedia

We went through the Alpha (Log) and the Omega (Event) of Log & Event Management. This week let's talk about the "Management".

There was a question in last week's discussion. Basically, how do we monitor and alert 24 x 7 on our precious logs that contain pertinent information, rather than on demand after an incident? How?

SIEM, the Security Information and Event Management, comes into the picture. We feed log data from security devices, network devices, and applications, etc. to SIEM and it provides real-time analysis of security alerts. Awesome, right? Yes! Does it do what is advertised? Yes! Many people were blown away by the things they discovered that happened in their network 24 hours after turning on SIEM. So, what's the catch?

Interestingly, 'S' and '$' are interchangeable in SIEM. Not only does SIEM carry a high price tag, it also requires much effort and manpower to implement. A few years ago, one of my colleagues met a SIEM engineer of an enterprise at a security conference. This fellow told my colleague that there were six full-time engineers/analysts dedicated to writing SIEM rules and reviewing events in the fellow's company. My team had six persons and my colleague was the only one assigned to SIEM. Thinking about his only "full-time" job, my colleague wanted to jump off the roof.

We need to know our enterprise or business well enough in order to define normality and construct proper threat detection rules. This is even more important when our SIEM has functions to prevent and automatically remediate malicious activities. It's great that we catch and prevent targeted attacks but somebody's job is at risk when our CEO's login from overseas is blocked.

Does your organization deploy SIEM? If so, how many persons are managing/maintaining it? If not, why not?

Do you use a commercial SIEM product or do you build your own SIEM due to budget constraint or any other reason?

What functions do you think a good SIEM should have?

P.S. My SIEM colleague didn't jump off the roof and we added more SIEM personnel.

28 Replies
Level 8

The problem with SIEM systems is that they do not provide enough automation and integration.

Our clients use HP ArcSight and RSA Security Analytics but most of them integrate with automation tools like Ayehu eyeShare to perform complicated tasks after the detection of suspicious events.

They understood that to get the most out of security incident and event management products, integration with automation is essential. This will help to not only manage incoming alerts more effectively, but also streamline incident response and investigation workflows after the fact. The result is an increased level of intelligence for security personnel, and a much safer IT environment for the entire organization. Doing this successfully can also dramatically improve operational efficiency.

Level 12

We currently have nothing in terms of SIEM, SIM or SEM... it's all on demand.

I'll be working on that project later this year, but due to budget limitation it will be an in-house contraption most likely.


Needing capabilities but not having the budget is a difficult situation to be in. Be aware of the hidden costs associated with the "in-house contraption".

Level 9

We haven't really implemented any sort of SIEM. We do occasionally look through the firewall logs to see if there's anything blatantly suspicious, but other than that we're not really a big enough shop to justify the manpower and/or money required to get that much in detail.


We have two people that use LEM but it is just a part of their overall job function.

MVP

Does your organization deploy SIEM? If so, how many persons are managing/maintaining it? If not, why not? There is a SIEM installed, but only for certain servers; not sure how many people manage it because that is outside of our work area.

Do you use a commercial SIEM product or do you build your own SIEM due to budget constraint or any other reason? Commercial SIEM Product

What functions do you think a good SIEM should have? Notifications, automatic security log scanning for key words.


Kurt H

automatic security log scanning for key words.

This is an interesting one, like a function of DLP. Need to understand the organization's business and then come up with a list of keywords to scan.

Level 11

Thankfully, I'm not responsible for maintaining or operating our SIEM devices... except when they break.

We have a dedicated information protection department with one person who spends the vast majority of her time working with our Nitro Security boxes. Most of the work that we do in relation to her SIEM is getting our end devices to talk to it and give the information she wants.


matt.matheus thankfully you missed all the excitement.

Wait, isn't it a vendor supported system? What do you need to do when the devices break?


They are vendor supported, but the information protection department staff knows so little about the technical portion of how their devices work, that other teams are often called in to interface with the vendor's support engineers.

Level 21

We manage SIEM solutions for a few of our customers and we are also in the beginning stages of implementing it internally as well.  We have a NOC staff that is responsible for the first level of management for the SIEM and I am responsible for the 2nd level or the escalation point.

I think the $ in SIEM really depends on what you are using the SIEM for.  If you are looking for real-time threat detection and response then there is certainly going to be a bit of $$$ involved.   If you only really need the application and not so much the trained people in a more passive implementation then you can certainly get away with a few less $$$.  The most important bit is that before you embark on the SIEM deployment make sure you identify and document the details of what you are implementing both from an application standpoint and from a process and procedure standpoint.

My challenge has been getting my management staff to understand that if you want a more active SIEM model then you need trained security personnel, you can't just use your help desk.

In my mind a good SIEM should provide the following...

  • Good visualizations
    • Your data is no good if you can't take large quantities of it and make quick sense of it all
  • Easy and intuitive UI navigation
  • Signature based detection
  • Anomaly based detection
  • Integration options with other systems (NMS, ticketing, etc.)
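To make the two detection styles in the list above concrete, and to tie in the earlier replies about "automatic security log scanning for key words" and about not auto-blocking the CEO's overseas login, here is an added example that is not code from this thread or from any SIEM vendor. It runs a signature (keyword) rule, a per-user login-country baseline (anomaly rule) and a failed-login correlation rule over a handful of constructed log lines. The log format, host names, user names and country codes are all invented for the example.

```python
"""Tiny SIEM-style detection pass over constructed log lines (added example).

Three rule types from the thread: keyword/signature match, anomaly against a
learned per-user baseline, and a threshold correlation rule. Anomalies are
reported for analyst review rather than acted on automatically.
"""
import re
from collections import defaultdict

# Constructed "historical" lines used only to learn what normal looks like.
BASELINE_LOGS = [
    "2014-03-01T09:00:00 app01 login user=alice country=US result=success",
    "2014-03-01T09:05:00 app01 login user=ceo country=US result=success",
    "2014-03-02T09:10:00 app01 login user=ceo country=US result=success",
]

# Constructed "today" lines in a loose "<timestamp> <host> <message>" form.
SAMPLE_LOGS = [
    "2014-03-03T08:01:10 fw01 accept src=10.1.4.20 dst=10.1.1.5 user=alice country=US",
    "2014-03-03T08:03:05 app01 login user=alice country=US result=success",
    "2014-03-03T08:04:12 app01 login user=ceo country=US result=success",
    '2014-03-03T08:05:50 ids01 alert signature="SQL injection attempt" src=203.0.113.9',
    "2014-03-03T08:06:22 app01 login user=ceo country=SG result=success",
    "2014-03-03T08:07:30 app01 login user=mallory country=US result=failure",
    "2014-03-03T08:07:31 app01 login user=mallory country=US result=failure",
    "2014-03-03T08:07:32 app01 login user=mallory country=US result=failure",
    "2014-03-03T08:07:33 app01 login user=mallory country=US result=failure",
    "2014-03-03T08:07:34 app01 login user=mallory country=US result=failure",
]

# Signature rules: the reviewed "list of keywords" kept as a small table.
SIGNATURES = {
    "sql-injection": re.compile(r"sql injection", re.I),
}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split a line into (timestamp, host, {key: value}); quotes are stripped."""
    ts, host, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    return ts, host, fields


def signature_hits(lines):
    """Return [(rule_name, line)] for every keyword/regex signature match."""
    return [(name, line) for line in lines
            for name, pat in SIGNATURES.items() if pat.search(line)]


def learn_baseline(lines):
    """Anomaly detection needs 'normal' first: countries each user succeeded from."""
    seen = defaultdict(set)
    for line in lines:
        _, _, f = parse(line)
        if f.get("result") == "success" and "user" in f and "country" in f:
            seen[f["user"]].add(f["country"])
    return seen


def anomalous_logins(lines, baseline):
    """Successful logins from a country not in that user's baseline -> (user, country, ts)."""
    out = []
    for line in lines:
        ts, _, f = parse(line)
        if f.get("result") != "success":
            continue
        user, country = f.get("user"), f.get("country")
        if user in baseline and country not in baseline[user]:
            out.append((user, country, ts))
    return out


def failed_login_bursts(lines, threshold=5):
    """Correlation rule: users with at least `threshold` failures in the batch."""
    counts = defaultdict(int)
    for line in lines:
        _, _, f = parse(line)
        if f.get("result") == "failure" and "user" in f:
            counts[f["user"]] += 1
    return {u: n for u, n in counts.items() if n >= threshold}


def run_all(lines, baseline):
    """Collect every finding as a dict with a severity an analyst queue can sort on."""
    alerts = [{"rule": r, "severity": "high", "detail": l} for r, l in signature_hits(lines)]
    # Travel anomalies are 'review', not 'block': the thread's point about the CEO.
    alerts += [{"rule": "login-country-anomaly", "severity": "review",
                "detail": f"{u} from {c} at {t}"} for u, c, t in anomalous_logins(lines, baseline)]
    alerts += [{"rule": "failed-login-burst", "severity": "medium",
                "detail": f"{u}: {n} failures"} for u, n in failed_login_bursts(lines).items()]
    return alerts


if __name__ == "__main__":
    for a in run_all(SAMPLE_LOGS, learn_baseline(BASELINE_LOGS)):
        print(f"[{a['severity']:6}] {a['rule']}: {a['detail']}")
```

The three rules produce three findings on the sample: the IDS keyword hit, the CEO's login from a country never seen before (queued for review, which is the difference between catching a targeted attack and locking out an executive), and mallory's failed-login burst. Everything beyond this toy, such as time windows, asset context and ticketing integration, is where the staff cost discussed in this thread goes.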

byrona *Smile* You mentioned $$$$. Interesting that Ethan Banks said on Twitter today that several engineers he talked to wouldn't use a commercial SIEM, not because it's not a good product (it is), but because it's astonishingly expensive.


Well said, byrona. Also thank you for sharing your experience in detail.

Trained security persons can be hired if the budget permits or can be created within the organization by training potential staff.

Level 8

Thanks Gideon. From what I gather, monitoring 24x7 can be done, but it costs lots of $ and time to implement and maintain. I suppose that there is a market for a cheap and easily configurable and maintainable product that does this. Pie in the sky? Wishful thinking? Perhaps; but we all need to have a dream that such a thing is 'doable'.

Something for more intelligent minds than mine...

Russ


@russb I should say thank YOU! Even though SIEMs don't come cheap, I'm sure Solarwinds is happy to show you its Log & Event Manager. To get a feel for open source tools, I highly recommend that you check out Richard Bejtlich's latest book, The Practice of Network Security Monitoring. In fact, I can't recommend enough any book by Richard Bejtlich.

Level 11

Collecting logs and having a SIEM is great, but the tools cannot do everything themselves. You may be able to automate some portion, but you have to have the intelligence of a person to decipher logs and events to determine if it is relevant.

Too many organizations, especially smaller ones, see a device (firewall, IPS, SIEM) as a checkbox. They buy it, have it setup, and then forget about it. Maybe it will send out an alert now and then, but it sits in the corner running and not managed. When you purchase something like a SIEM, you need to have at least one FTE dedicated to it and plan on growing from there.

Charles Galler Agreed. That's what the Security Analyst is for. To get the job done right, this position requires many skills (probably even needs multiple monitor screens).

Level 14

I've been fortunate enough, and had the privilege, to tinker with several SIEMs over the last several years. NitroSecurity was great, but as explained above, it's a blackbox that really requires a vendor to maintain it. Tenable's SecurityCenter, TripWire, and LogRhythm are also nice. There are others, but the good ones all have the same issue, $. Your statement above about the "S" in SIEM equates to "$" is not highlighted enough, the "S" really equates to "$$$$$$." And the amount of personnel to maintain the data becomes exponential if you add more than a couple systems and network devices to it.

So, I guess the real question is, how much $ can you afford for a false sense of security? You can collect the data, but if you don't act on it immediately, it's too late. You can automate, but the second you prevent a C-Level from accessing data, you are shutting it down. And no matter what, a hacker is going to find his/her way around the system.

Security is not 1 layer of protection and you are secure. Security is multiple layers, and a SIEM is just the component that provides visibility. A SIEM is nothing more than the NPM of the security solution.

D

deverts

Your statement above about the "S" in SIEM equates to "$" is not highlighted enough, the "S" really equates to "$$$$$$." And the amount of personnel to maintain the data becomes exponential if you add more than a couple systems and network devices to it.

I remember many years ago a SIEM vendor that you didn't mention came for a presentation. We were interested in the product, but it would cost us millions of dollars for everything we wanted to feed to the SIEM. A few years later that SIEM company was acquired and changed their licensing model. Finally we purchased the product, but it's still not cheap.

So, I guess the real question is, how much $ can you afford for a false sense of security? You can collect the data, but if you don't act on it immediately, it's too late. You can automate, but the second you prevent a C-Level from accessing data, you are shutting it down. And no matter what, a hacker is going to find his/her way around the system.

I wouldn't say SIEM contributes a false sense of security. Yes, it takes a lot of $$$ and resources to make it right and there is always something more to be desired. A properly set up SIEM has its vital function in an organization. See below.

Security is not 1 layer of protection and you are secure. Security is multiple layers, and a SIEM is just the component that provides visibility.

The multiple layers of security can also be known as defense in depth. Any organization that got burnt before would add more layers of defense, and this would require multiple disciplines within the organization. SIEM, being a component of the defense in depth, is absolutely necessary as visibility is critical.


Agreed on all counts! But why does it take a catastrophic event for the wallets to open up? (rhetorical) And even then we are required to find the "silver bullet" that does exist. All you hear from managers is:

  • We have Anti-virus!
  • What does a web proxy do again?
  • IDS? Isn't that March 15th? (a reference to William Shakespeare's "Beware of the ides of March" - it loses meaning when you have to explain it!)
  • You need how much money to do it right? Isn't there 1 solution like Orion for this?

So, I ask the masses that are reading this post... how do we get what we know we need, BEFORE we have that catastrophic event? How do we get "defense in depth" before the attack? Security solutions are some of the most expensive, and are therefore the hardest to come by unless you have a security-minded VP/CIO. And that is compounded by Windows Sys Admins, who are notorious (generally speaking, not all) for not playing nice in the security world and make comments about not needing such things. I can't tell you how many times I've heard, "as long as we patch each month, our systems are secure."

D