4 Replies Latest reply on Jan 30, 2014 3:59 PM by byrona

    SIEM: More like Monitoring or Anti-Virus?

    byrona

      As I continue to work more and more with LEM and SIEM technology I found myself thinking that SIEM is generally treated (by users and vendors) more like a monitoring system and less like an anti-virus system; however, in reality it's much more like a hybrid between the two and I feel like it could be much more successful if treated as such.

       

SIEM is like monitoring in that you can configure it to look for the things you care about and then alert you when those things are detected.  This model works great when you know what it is you are looking for and if you also know how to configure the correlation rules just right to catch those things.  Unfortunately this is not always the case.  While some SIEMs do support anomaly detection (which I think is great), this only tells you that something "out of the ordinary" is happening and not what specifically is happening.

       

      SIEM is like Anti-Virus in that it's often used to detect threats to your environment and acts as one of the many layers of security looking at both end-points as well as the environment as a whole.

       

Threats are constantly emerging and changing, and SIEM systems need to be able to adapt to those changes.  Anti-virus systems will check for new virus definitions as frequently as every hour (or maybe even more often); however, SIEM systems don't have their correlation rules and definitions updated nearly that frequently.  Also, with anti-virus the vendor provides us with a stream of definition updates created by their security experts to combat threats; however, with SIEM, customers who often are not security experts are left to create their own correlations and rules.

       

I think SIEM would be more successful for customers and vendors if the industry would embrace the anti-virus-like characteristics.  SIEM vendors should have a set of security researchers on staff dedicated to understanding the new and changing threats and then creating correlations and rules to detect/combat those threats.  The SIEM product should have some form of threat feed where it can get updated with this information on a regular basis in the same way an anti-virus system does with virus definitions.

       

      I would love to hear other suggestions or thoughts on this topic!

        • Re: SIEM: More like Monitoring or Anti-Virus?
          nicole pauls

This is definitely the vision of SIEM - to have some kind of real-time top of the moment detection of issues. Here are a couple of related thoughts....

           

          With LEM, and with some other products, we tried to take an approach like Snort did with their IDS - that is, instead of writing rules that expose very specific attacks/viruses, write rules that expose threats/patterns of attack. This means you don't have to constantly update your IDS/SIEM rules every time a new virus comes out because the vector of attack really didn't change. On the IDS side, that means you write your rule for "MS02-026" not "SQL Slammer" (I can't actually remember which MS vulnerability lines up to that, but you catch my drift). On the SIEM side, that means we provided rules for patterns of traffic and worm behaviors, not necessarily specific worms. That said, there are still times you need/want to detect very specific threats, and that's where flexibility is important.

           

          What we see most customers actually doing is focusing on the 80% of the problem that they aren't even doing right now, which falls more on the monitoring side of the spectrum - ensuring compliance, detecting insider abuse/issues, change monitoring/detection, that sort of thing. Customers spend their time applying business logic to these things rather than a more lofty goal of modern advanced threat detection - which is still something SIEM should have the visibility to provide given all the sources. I don't want to say that the kind of IDS-like rule update would be over any of our customers' heads, but I think it might be out of their reach from a daily practice perspective.

           

          What would work as another step in that direction is a kind of hybrid approach, where we can link you up to things like "the most threatening ports of the last 7 days according to dshield.org" and build a rule that monitors for excessive traffic for that - it puts you closer to the edge, more like AV, without being so far on the edge that you have to worry about constantly updating, choosing, monitoring, like a SOC in a large enterprise would.
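As an added illustration of the two ideas in the reply above (it is not LEM's rule syntax or SolarWinds code): a Snort-style rule written for one specific worm's vector sits next to a behavioural fan-out rule that fires for any scanning or propagating worm, and next to a rule whose only moving part is a port list that a feed such as dshield.org could refresh. The flow records, the addresses and the threat-port list are all constructed stand-ins, not real traffic or real dshield data.

```python
"""Pattern-based correlation rules over constructed flow records.

Added illustration for this thread; it is not LEM's rule syntax or SolarWinds
code.  A specific "signature" rule is shown next to two behavioural rules: a
fan-out (scan/worm propagation) rule and a rule driven by a threat-port list
that a feed such as dshield.org could refresh.  The feed contents here are a
constructed stand-in, not real dshield data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds (constructed timestamps)
    src: str
    dst: str
    dport: int
    proto: str


# Constructed sample: 10.0.0.5 fans out across 30 hosts on tcp/445 in 30 s
# (worm-like); 10.0.0.7 is ordinary HTTPS plus a few file-share connections.
SAMPLE_FLOWS = (
    [Flow(1000 + i, "10.0.0.5", f"10.0.1.{i + 1}", 445, "tcp") for i in range(30)]
    + [Flow(1000 + 60 * i, "10.0.0.7", "10.0.2.10", 443, "tcp") for i in range(30)]
    + [Flow(1000 + 200 * i, "10.0.0.7", f"10.0.1.{i + 1}", 445, "tcp") for i in range(3)]
)

# Hypothetical "most threatening ports" list standing in for a refreshed feed.
THREAT_PORTS = {445, 3389, 23}


def specific_signature_rule(flows, dport=1434, proto="udp"):
    """Specific rule: match one known worm's vector (udp/1434, the SQL Slammer
    port).  It says nothing about a worm that arrives on any other port."""
    return [f for f in flows if f.dport == dport and f.proto == proto]


def fanout_rule(flows, window=60, min_targets=20):
    """Behavioural rule: one source reaching >= min_targets distinct hosts on
    the same port within `window` seconds.  Fires for any scanning or
    propagating worm, whichever vulnerability it rides on."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dport)].append(f)
    alerts = []
    for (src, dport), fl in by_key.items():
        fl.sort(key=lambda f: f.ts)
        in_window = defaultdict(int)   # dst -> flows inside the sliding window
        left = 0
        for f in fl:
            in_window[f.dst] += 1
            while f.ts - fl[left].ts > window:
                old = fl[left].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets:
                alerts.append({"rule": "fanout", "src": src, "dport": dport,
                               "targets": len(in_window), "ts": f.ts})
                break   # one alert per (source, port) is enough
    return alerts


def threat_port_rule(flows, threat_ports, window=300, threshold=10):
    """Feed-driven rule: more than `threshold` flows from one source to any
    feed-listed port within `window` seconds.  Only the port set changes when
    the feed is refreshed; the rule logic stays the same."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport in threat_ports:
            by_src[f.src].append(f.ts)
    alerts = []
    for src, times in by_src.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > window:
                left += 1
            if right - left + 1 > threshold:
                alerts.append({"rule": "threat_port", "src": src,
                               "flows": right - left + 1, "ts": t})
                break
    return alerts


if __name__ == "__main__":
    print("signature hits:", len(specific_signature_rule(SAMPLE_FLOWS)))
    print("fan-out alerts:", fanout_rule(SAMPLE_FLOWS))
    print("threat-port alerts:", threat_port_rule(SAMPLE_FLOWS, THREAT_PORTS))
```

On the constructed sample the signature rule matches nothing (there is no udp/1434 traffic), while both behavioural rules flag 10.0.0.5 and leave the host that touches three file shares over ten minutes alone. The thresholds are the part a customer would tune; the point of the feed-driven rule is that tuning and the refreshed port list are the only things that change.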

            • Re: SIEM: More like Monitoring or Anti-Virus?
              byrona

Awesome response colby!  I really do like the approach that you guys have taken with the LEM product: "instead of writing rules that expose very specific attacks/viruses, write rules that expose threats/patterns of attack". 


While I have spent a fair amount of time working with the product I will openly admit to feeling that I have only scratched the surface of its capabilities.  The purpose of my posting here was to sort of think out loud with the idea of inspiring some creative and forward thinking with regard to both SIEM and LEM specifically; considering the lack of replies I am not sure I was very successful at that. 

               

We are a service provider and LEM/SIEM combined with our NOC is one of the sets of services that we offer.  What I have found difficult with executives, technical peers, customers and just about everybody is connecting SIEM with reality in a way to show its value.  Unlike other things I have done, SIEM remains too conceptual; when I try to sell people on the idea of SIEM they always agree that it sounds great conceptually but it never seems to make a solid connection to something real for them.  On the flip side, centralized Log Management hits home with just about everybody I talk to; they can directly correlate that to value in the time it saves them to dig through logs.

               

One thought I had was to have a section of thwack called something like "The Weekly Threat" where each week SolarWinds could pick a real threat and show how LEM could help detect and defend against that threat; showing the actual LEM rules used, etc.  Other LEM users could also participate.  I know it may sound silly but it would help connect LEM to something real; showing the actual LEM rule in use to defend against a real known threat.  In addition this might show LEM users different ways of using LEM that they may not have already thought of.

               

              Again, this is all just me thinking out loud so take it for what it's worth.  Thanks again for humoring me!

                • Re: SIEM: More like Monitoring or Anti-Virus?
                  nicole pauls

                  You know, we're really hoping to create the same kind of engagement, where folks on Thwack can learn from each other with a little bit more real world examples (just talked to another frequent Thwack user who had the same wish for more participation here). I'm sure I can chime in with some ways to solve problems with LEM, and customers of LEM have been solving problems with LEM that others can benefit from - either via content, or theoretical discussion. If it was a problem du jour type thing, we could probably seed it with something new we discovered this week, like "hey, this week we heard the Target breach was because someone had infiltrated their POS network and was copying data off - how would you have detected this?" And maybe we'd get some rule examples or source data out of that, or just spirited discussion about why that really sucks and how hard it would be to detect.

                   

                  Part of the uphill battle historically in the security world tends to be confidentiality, where people don't really want to talk about how they have solved problems, though they might be interested in talking about how they WOULD solve a problem.

                   

                  Regarding moving from log management to SIEM, we see this hump in customer implementations too. A lot of people approach the problem very historically/forensically, but when you make that leap to proactive/real-time monitoring, you feel like it's hard to go back - at least for the 80% of problems you're solving on a daily basis. You don't have a magic 8 ball so you can't predict everything to get alerted on, which is where search/historical analysis are pretty useful. One of the reasons we chose to name the product Log & Event Manager was to try to soften the message of SIEM as an achievable goal for IT in general, not just a SIEM product, even if that's really what the featureset dictates.

                   

                  More food for thought.
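Taking up the "how would you have detected this?" question from the reply above with an added example (not LEM content, not SolarWinds code, and not a reconstruction of the actual Target breach): two rules that answer "a POS host is copying data off to somewhere it should not be talking to". The first is an allow-list of destinations a register is permitted to contact; the second compares each register's outbound volume per hour with the fleet median, so it needs no list of destinations at all. The POS subnet, the allow-list, every address and all the flow records are hypothetical and constructed for the example.

```python
"""Two rules for the "POS host copying data off" scenario, over constructed
flow records.  Added illustration for this thread, not LEM content and not a
reconstruction of the actual Target breach.  The POS subnet, the allow-list
and every address below are hypothetical.
"""
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass

POS_NET = ipaddress.ip_network("10.50.0.0/16")   # hypothetical POS segment
ALLOWED_DST = {"203.0.113.10", "10.10.0.5"}      # hypothetical gateway, patch server


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    bytes_out: int


def _constructed_flows():
    flows = []
    # 20 registers each sending ten ~2 KB transactions to the payment gateway
    for i in range(1, 21):
        for j in range(10):
            flows.append(Flow(100 * j, f"10.50.1.{i}", "203.0.113.10", 443, 2000))
    # one more register behaves normally and also pushes 50 MB to an internal
    # host that is not on its allow-list (the "staging box" of the scenario)
    for j in range(10):
        flows.append(Flow(100 * j, "10.50.3.12", "203.0.113.10", 443, 2000))
    for k in range(5):
        flows.append(Flow(1800 + 60 * k, "10.50.3.12", "10.10.0.9", 445, 10_000_000))
    # a non-POS server moving a lot of data is out of scope for these rules
    flows.append(Flow(2000, "10.20.0.3", "10.10.0.9", 445, 100_000_000))
    return flows


SAMPLE_FLOWS = _constructed_flows()


def is_pos(ip):
    return ipaddress.ip_address(ip) in POS_NET


def new_destination_rule(flows, allowed):
    """Allow-list rule: first contact from a POS host to any destination not on
    the list.  Cheap, and the most direct answer to "who is the register
    talking to that it never should?"."""
    seen, alerts = set(), []
    for f in sorted(flows, key=lambda f: f.ts):
        if is_pos(f.src) and f.dst not in allowed and (f.src, f.dst) not in seen:
            seen.add((f.src, f.dst))
            alerts.append({"rule": "new_destination", "src": f.src,
                           "dst": f.dst, "dport": f.dport, "ts": f.ts})
    return alerts


def volume_rule(flows, window=3600, factor=10):
    """Baseline rule: bytes out per POS host per window against the fleet
    median for the same window; alert above factor x median.  Needs no list
    of destinations, so it still fires if the staging host were allow-listed."""
    per_host = defaultdict(int)          # (src, window index) -> bytes out
    for f in flows:
        if is_pos(f.src):
            per_host[(f.src, f.ts // window)] += f.bytes_out
    by_window = defaultdict(dict)
    for (src, w), total in per_host.items():
        by_window[w][src] = total
    alerts = []
    for w, totals in by_window.items():
        median = statistics.median(totals.values())
        for src, total in totals.items():
            if total > factor * median:
                alerts.append({"rule": "volume", "src": src, "window": w,
                               "bytes_out": total, "fleet_median": median})
    return alerts


if __name__ == "__main__":
    for alert in new_destination_rule(SAMPLE_FLOWS, ALLOWED_DST) + volume_rule(SAMPLE_FLOWS):
        print(alert)
```

Both rules single out 10.50.3.12 and ignore the non-POS server doing the same thing, because scoping to the POS segment is what makes the behaviour abnormal. The allow-list rule is the one to start with (it is a business-logic rule of the "80%" kind), and the volume rule is the backstop for the day the allow-list is wrong or the attacker picks a permitted destination.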

                    • Re: SIEM: More like Monitoring or Anti-Virus?
                      byrona

                      If it was a problem du jour type thing, we could probably seed it with something new we discovered this week, like "hey, this week we heard the Target breach was because someone had infiltrated their POS network and was copying data off - how would you have detected this?" And maybe we'd get some rule examples or source data out of that, or just spirited discussion about why that really sucks and how hard it would be to detect.

                      I think that would be an awesome start!  I think it would really help make the connection between theory and reality and provide a good discussion forum to help people get more value out of LEM.

                      Part of the uphill battle historically in the security world tends to be confidentiality, where people don't really want to talk about how they have solved problems, though they might be interested in talking about how they WOULD solve a problem.

                      Yeah, this isn't surprising.  With that being said, I think you are absolutely correct in that folks don't need to admit to anything specific that has happened to them while still being able to talk about real world examples of how they have used the tool to identify and/or protect against threats or solve operational problems.

                       

I have found that it only takes a few real-world examples that touch people at a personal level to have them look at the capabilities and say "I need that!"  Many SIEM products can be very complicated and unapproachable by a large percentage of the technical community, which is also why I think studies have shown many SIEM deployments fail.  I think LEM could easily be positioned in such a way to pull away from the rest of the pack as a very approachable solution if it could just make that connection between theory and reality.