28 Replies Latest reply on Sep 17, 2014 3:04 AM by tomelnik

    So Good They Can't Ignore SIEM

    mfmahler

      As of January 2014, Mosaic Security Research identified 86 SIEM products. -- Wikipedia

      We went through the Alpha (Log) and the Omega (Event) of Log & Event Management. This week let's talk about the "Management".

      There was a question in last week's discussion. Basically how do we monitor and alert 24 x 7 on our precious logs that contain pertinent information, rather than on demand after an incident? How?

      SIEM, the Security Information and Event Management, comes into the picture. We feed log data from security devices, network devices, and applications, etc. to SIEM and it provides real-time analysis of security alerts. Awesome, right? Yes! Does it do what is advertised? Yes! Many people were blown away by the things they discovered that happened in their network 24 hours after turning on SIEM. So, what's the catch?

      Interestingly, 'S' and '$' are interchangeable in SIEM. Not only does SIEM have a high price tag, but it also requires much effort and manpower in implementation. A few years ago, one of my colleagues met a SIEM engineer of an enterprise at a security conference. This fellow told my colleague that there were six full-time engineers/analysts dedicated to writing SIEM rules and reviewing events in the fellow's company. My team had six persons and my colleague was the only one assigned to SIEM. Thinking about his only "full-time" job, my colleague wanted to jump off the roof.

      We need to know our enterprise or business well enough in order to define normality and construct proper threat detection rules. This is even more important when our SIEM has functions to prevent and automatically remediate malicious activities. It's great that we catch and prevent targeted attacks but somebody's job is at risk when our CEO's login from overseas is blocked.

      Does your organization deploy SIEM? If so, how many persons are managing/maintaining it? If not, why not?

      Do you use a commercial SIEM product or do you build your own SIEM due to budget constraint or any other reason?

      What functions do you think a good SIEM should have?

      P.S. My SIEM colleague didn't jump off the roof and we added more SIEM personnel.

        • Re: So Good They Can't Ignore SIEM
          supermon

          We have a commercial SIEM product managed by two people. I think the big requirement is to not only grab the data but allow for sorting/searching. It's all about the interface.

          • Re: So Good They Can't Ignore SIEM
            michael stump

            I've seen a few implementations of SIEM, from Snort with ACID to NitroSecurity (before McAfee ruined acquired them).

            For Snort/ACID, it was basically a pet project run by one of the few true computer scientists in a large federal organization. He was ahead of his time, though, in his concern for security logging and monitoring. So his work wasn't truly supported by management, and when he retired, it was most likely orphaned (though it was built on a series of FreeBSD boxes deployed throughout the network, so it's very likely still running).

            The NitroSecurity appliance had a team of 4 contractors who managed the hell outta that thing. One appliance became 3, the team grew to 5. But after a year, it was difficult to have them explain exactly why they needed so many staff to maintain an appliance that didn't require much administration or tweaking. The team was reduced, without any detectable impact to security operations.

            Of the two, and the many SIEMs I've used since, I'll always go with Snort. Too many scars and bruises from learning how to roll it out to just walk away.

            • Re: So Good They Can't Ignore SIEM
              wbrown

              We use a commercial product. After some recent RIFs and other attrition I think we're down to 4 FTEs for reviewing SIEM data.

              The mindset here is generally that home-brewed apps are not desired.  It is very convenient to have someone else to hold accountable when an application malfunctions.  The outside vendor typically will have more resources available to throw at an issue, as opposed to an in-house department with budget constraints and a lack of software development/support personnel.

              • Re: So Good They Can't Ignore SIEM
                deverts

                I've been fortunate enough, and had the privilege, to tinker with several SIEMs over the last several years. NitroSecurity was great, but as explained above, it's a blackbox that really requires a vendor to maintain it. Tenable's SecurityCenter, TripWire, and LogRhythm are also nice. There are others, but the good ones all have the same issue, $. Your statement above about the "S" in SIEM equates to "$" is not highlighted enough, the "S" really equates to "$$$$$$." And the amount of personnel to maintain the data becomes exponential if you add more than a couple systems and network devices to it.

                So, I guess the real question is, how much $ can you afford for a false sense of security? You can collect the data, but if you don't act on it immediately, it's too late. You can automate, but the second you prevent a C-Level from accessing data, you are shutting it down. And no matter what, a hacker is going to find his/her way around the system.

                Security is not 1 layer of protection and you are secure. Security is multiple layers, and a SIEM is just the component that provides visibility. A SIEM is nothing more than the NPM of the security solution.

                D

                  • Re: So Good They Can't Ignore SIEM
                    mfmahler

                    deverts

                    Your statement above about the "S" in SIEM equates to "$" is not highlighted enough, the "S" really equates to "$$$$$$." And the amount of personnel to maintain the data becomes exponential if you add more than a couple systems and network devices to it.

                    I remember many years ago a SIEM vendor that you didn't mention came for a presentation. We were interested in the product, but it would have cost us millions of dollars for everything we wanted to feed to the SIEM. A few years later that SIEM company was acquired and changed its licensing model. Finally we purchased the product, but it's still not cheap.

                    So, I guess the real question is, how much $ can you afford for a false sense of security? You can collect the data, but if you don't act on it immediately, it's too late. You can automate, but the second you prevent a C-Level from accessing data, you are shutting it down. And no matter what, a hacker is going to find his/her way around the system.

                    I wouldn't say SIEM contributes a false sense of security. Yes, it takes a lot of $$$ and resources to make it right and there is always something more to be desired. A properly set up SIEM has its vital function in an organization. See below.

                    Security is not 1 layer of protection and you are secure. Security is multiple layers, and a SIEM is just the component that provides visibility.

                    The multiple layers of security can also be known as defense in depth. Any organization that got burnt before would add more layers of defense, and this would require multiple disciplines within the organization. SIEM, being a component of the defense in depth, is absolutely necessary as visibility is critical.

                      • Re: So Good They Can't Ignore SIEM
                        deverts

                        Agreed on all counts! But why does it take a catastrophic event for the wallets to open up? (rhetorical) And even then we are required to find the "silver bullet" that does exist. All you hear from managers is:

                        • We have Anti-virus!
                        • What does a web proxy do again?
                        • IDS? Isn't that March 15th? (a reference to William Shakespeare's "Beware of the ides of March" - it loses meaning when you have to explain it!)
                        • You need how much money to do it right? Isn't there 1 solution like Orion for this?

                        So, I ask the masses that are reading this post... how do we get what we know we need, BEFORE we have that catastrophic event? How do we get "defense in depth" before the attack? Security solutions are some of the most expensive, and are therefore the hardest to come by unless you have a security-minded VP/CIO. And that is compounded by Windows Sys Admins, who are notorious (generally speaking, not all) for not playing nice in the security world and make comments about not needing such things. I can't tell you how many times I've heard, "as long as we patch each month, our systems are secure."

                        D

                    • Re: So Good They Can't Ignore SIEM
                      Charles Galler

                      Collecting logs and having a SIEM is great, but the tools cannot do everything themselves. You may be able to automate some portion, but you have to have the intelligence of a person to decipher logs and events to determine if it is relevant.

                      Too many organizations, especially smaller ones, see a device (firewall, IPS, SIEM) as a checkbox. They buy it, have it set up, and then forget about it. Maybe it will send out an alert now and then, but it sits in the corner running and not managed. When you purchase something like a SIEM, you need to have at least one FTE dedicated to it and plan on growing from there.

                      • Re: So Good They Can't Ignore SIEM
                        russb

                        Thanks Gideon.  From what I gather monitoring 24x7 can be done, but costs lots of $ and time to implement and maintain.  I suppose that there is a market for a cheap and easily configurable and maintainable product that does this.  Pie in the sky?  Wishful thinking?  Perhaps; but we all need to have a dream that such a thing is 'doable'.

                        Something for more intelligent minds than mine...

                        Russ

                          • Re: So Good They Can't Ignore SIEM
                            mfmahler

                            @russb I should say thank YOU! Even though SIEMs don't come inexpensive, I'm sure Solarwinds is happy to show you its Log & Event Manager. To get a feel of open source tools, I highly recommend that you check out Richard Bejtlich's latest book, Practice of Network Security Monitoring. In fact, I can't recommend enough any book by Richard Bejtlich.

                          • Re: So Good They Can't Ignore SIEM
                            byrona

                            We manage SIEM solutions for a few of our customers and we are also in the beginning stages of implementing it internally as well.  We have a NOC staff that is responsible for the first level of management for the SIEM and I am responsible for the 2nd level or the escalation point.

                            I think the $ in SIEM really depends on what you are using the SIEM for.  If you are looking for real-time threat detection and response then there is certainly going to be a bit of $$$ involved.   If you only really need the application and not so much the trained people in a more passive implementation then you can certainly get away with a few less $$$.  The most important bit is that before you embark on the SIEM deployment make sure you identify and document the details of what you are implementing both from an application standpoint and from a process and procedure standpoint.

                            My challenge has been getting my management staff to understand that if you want a more active SIEM model then you need trained security personnel, you can't just use your help desk.

                            In my mind a good SIEM should provide the following...

                            • Good visualizations
                              • Your data is no good if you can't take large quantities of it and make quick sense of it all
                            • Easy and intuitive UI navigation
                            • Signature based detection
                            • Anomaly based detection
                            • Integration options with other systems (NMS, ticketing, etc.)
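
A minimal illustration of the two detection styles in the list above (signature-based and anomaly-based), and of the point in the opening post that rules need a definition of "normal" so that an executive's announced overseas login is put in front of an analyst instead of being auto-blocked. This is an added example, not code from this thread or from any SIEM product; the OpenSSH-like log format, the "countries seen per user" baseline, the failed-login threshold of 5 and the `known_travel` list are all assumptions, and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in an OpenSSH-like format; not from any real
# system. HISTORY_LOGS is the window used to learn per-user normality,
# LIVE_LOGS is the window the rules are evaluated against.
HISTORY_LOGS = [
    "2014-09-01T08:00:01 sshd[101]: Accepted password for alice from 10.0.0.5 port 5001 country=US",
    "2014-09-02T08:10:01 sshd[102]: Accepted password for alice from 10.0.0.5 port 5002 country=US",
    "2014-09-02T09:00:01 sshd[103]: Accepted password for ceo from 10.0.0.9 port 5003 country=US",
    "2014-09-03T09:05:01 sshd[104]: Accepted password for bob from 10.0.0.7 port 5004 country=US",
    "2014-09-03T09:06:01 sshd[105]: Accepted password for bob from 198.51.100.4 port 5005 country=CA",
]
LIVE_LOGS = [
    "2014-09-10T02:00:01 sshd[201]: Failed password for root from 203.0.113.9 port 6001 country=NL",
    "2014-09-10T02:00:02 sshd[202]: Failed password for admin from 203.0.113.9 port 6002 country=NL",
    "2014-09-10T02:00:03 sshd[203]: Failed password for alice from 203.0.113.9 port 6003 country=NL",
    "2014-09-10T02:00:04 sshd[204]: Failed password for bob from 203.0.113.9 port 6004 country=NL",
    "2014-09-10T02:00:05 sshd[205]: Failed password for test from 203.0.113.9 port 6005 country=NL",
    "2014-09-10T03:00:01 sshd[206]: Accepted password for ceo from 192.0.2.44 port 6006 country=SG",
    "2014-09-10T03:30:01 sshd[207]: Accepted password for alice from 192.0.2.77 port 6007 country=RU",
    "2014-09-10T04:00:01 sshd[208]: Accepted password for bob from 198.51.100.4 port 6008 country=CA",
]

# Assumed line format; a real SIEM would carry one parser per log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ country=(?P<cc>[A-Z]{2})$"
)


def parse_events(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def signature_rule(events, threshold=5):
    """Signature-based detection: a bad pattern written down in advance.
    Here: at least `threshold` failed logins from one source IP in the window."""
    fails = Counter(e["ip"] for e in events if e["result"] == "Failed")
    return [{"rule": "ssh_bruteforce", "ip": ip, "count": n, "action": "block"}
            for ip, n in sorted(fails.items()) if n >= threshold]


def build_baseline(history_events):
    """Anomaly detection needs a model of 'normal'. The assumed model: the set of
    countries each user has successfully logged in from during the history window."""
    baseline = defaultdict(set)
    for e in history_events:
        if e["result"] == "Accepted":
            baseline[e["user"]].add(e["cc"])
    return baseline


def anomaly_rule(events, baseline, known_travel=frozenset()):
    """Anomaly-based detection: a successful login from a country outside the
    user's baseline. (user, country) pairs in `known_travel` (an announced trip)
    still raise an alert for an analyst, but the action is 'review', not 'block'."""
    alerts = []
    for e in events:
        if e["result"] != "Accepted" or e["cc"] in baseline.get(e["user"], set()):
            continue
        action = "review" if (e["user"], e["cc"]) in known_travel else "block"
        alerts.append({"rule": "unusual_login_country", "user": e["user"],
                       "cc": e["cc"], "action": action})
    return alerts


def run_siem(history_lines, live_lines, known_travel=frozenset()):
    """Learn the baseline from history, then run both rule types over the live window."""
    baseline = build_baseline(parse_events(history_lines))
    live = parse_events(live_lines)
    return signature_rule(live) + anomaly_rule(live, baseline, known_travel)


if __name__ == "__main__":
    # The CEO's trip to SG was announced in advance, so it is reviewed rather than blocked.
    for alert in run_siem(HISTORY_LOGS, LIVE_LOGS, known_travel={("ceo", "SG")}):
        print(alert)
```

Run as-is it raises three alerts: the five failed logins from one address trip the signature rule, the CEO's login from SG is flagged for review because of the travel notice, and alice's login from RU (no history, no notice) gets the block action. Remove the `known_travel` argument and the CEO's login is blocked too, which is exactly the situation the opening post warns about.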
                            • Re: So Good They Can't Ignore SIEM
                              matt.matheus

                              Thankfully, I'm not responsible for maintaining or operating our SIEM devices... except when they break.

                              We have a dedicated information protection department with one person who spends the vast majority of her time working with our Nitro Security boxes.  Most of the work that we do in relation to her SIEM is getting our end devices to talk to it and give the information she wants. 

                              • Re: So Good They Can't Ignore SIEM
                                Kurt H

                                Does your organization deploy SIEM? If so, how many persons are managing/maintaining it? If not, why not? There is a SIEM installed, but only for certain servers; not sure how many people manage it because that is outside of our work area.

                                Do you use a commercial SIEM product or do you build your own SIEM due to budget constraint or any other reason? Commercial SIEM Product

                                What functions do you think a good SIEM should have? Notifications, automatic security log scanning for key words.

                                • Re: So Good They Can't Ignore SIEM
                                  Radioteacher

                                  We have two people that use LEM but it is just a part of their overall job function.

                                  • Re: So Good They Can't Ignore SIEM
                                    Kevin Rak

                                    We haven't really implemented any sort of SIEM. We do occasionally look through the firewall logs to see if there's anything blatantly suspicious, but other than that we're not really a big enough shop to justify the manpower and/or money required to get that much in detail.

                                    • Re: So Good They Can't Ignore SIEM
                                      syldra

                                      We currently have nothing in terms of SIEM, SIM or SEM... it's all on demand.

                                      I'll be working on that project later this year, but due to budget limitation it will be an in-house contraption most likely.

                                      • Re: So Good They Can't Ignore SIEM
                                        tomelnik

                                        The problem with SIEM systems is that they do not provide enough automation and integration.

                                        Our clients use HP ArcSight and RSA Security Analytics but most of them integrate with automation tools like Ayehu eyeShare to perform complicated tasks after the detection of suspicious events.

                                        They understood that to get the most out of security incident and event management products, integration with automation is essential. This will help to not only manage incoming alerts more effectively, but also streamline incident response and investigation workflows after the fact. The result is an increased level of intelligence for security personnel, and a much safer IT environment for the entire organization. Doing this successfully can also dramatically improve operational efficiency.