Considering SIEM Implementation
Considering SIEM
SIEM is Security Information Event Management, powerful if implemented with care and precision

SIM: Security Information Management, a systems management framework facilitating the collection, retention and translation of security control data into relevant risk management information

SIEM: Security Information and Event Management, an information system providing consolidation, management and archival of security event data

The Value of SIEM:
Technical
  • Single repository for correlation, analysis and escalation
  • Enable Incident Response and Forensic Programs
  • Streamline troubleshooting and diagnosis of technical environment
Audit
  • Enable and monitor compliance
  • Manage risk from control breaches
  • Reduce risk from technical control failures
Business
  • Create efficiencies within asset protection
  • Facilitate Business Intelligence programs
  • Deter and identify Corporate Espionage

Author: Ann Vincent, Seccuris
Source: In-house

Security Information Event Management (SIEM) products come in many different flavors: appliance or software based, agent or agentless, signature or scenario based, built-in proprietary database or stand-alone industry database. Ideally, security event management solutions do three basic things: collect, analyze, and respond. The three core modules required to accomplish this are:

User Interface: This is the tool used to interact with the system. In addition to performance tuning and administration, the user interface is used for security monitoring and reporting. Ideally, the selected tool has the ability to interface with other management tools.

Core Engine: The core engine is used to process collected events and provide a response based on applied rules. Event processing includes the following three elements:

  • Aggregation: Gathering similar events and combining them into one.
  • Correlation: Linking sub-events generated during data mining to reconstruct a security event.
  • Prioritization: The order in which events are handled based on threat assessment.

Event Collection: The event collection module is responsible for interfacing with monitored elements through deployment of agents for the purpose of event collection. Agents have the ability to execute rules and filter before forwarding desired security events to the core engine. The standard types of agents used to collect events are:

  • Passive: Events are gathered from products without direct interaction.
  • Active: Agent interacts with the product to gather information.
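The three modules above, reduced to a runnable sketch. This is an added example, not code from the article or from any SIEM product: a passive agent parses constructed syslog-style lines from two assumed source types (`authd` and `fw`), and a toy core engine performs aggregation, correlation (repeated login failures followed by a success from the same host) and prioritization. Field names, thresholds and scores are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events from two source types: an auth daemon and a firewall.
SAMPLE_LOGS = """\
2006-05-01T10:00:01 authd src=10.0.0.5 user=bob result=FAIL
2006-05-01T10:00:02 authd src=10.0.0.5 user=bob result=FAIL
2006-05-01T10:00:03 authd src=10.0.0.5 user=bob result=FAIL
2006-05-01T10:00:09 authd src=10.0.0.5 user=bob result=OK
2006-05-01T10:02:00 authd src=10.0.0.7 user=alice result=OK
2006-05-01T10:03:00 fw src=10.0.0.9 action=DENY dport=22
2006-05-01T10:03:01 fw src=10.0.0.9 action=DENY dport=22
garbage line the agent should filter out
""".splitlines()
LINE_RE = re.compile(r"^(\S+) (\S+) ((?:\w+=\S+ ?)+)$")

def collect(lines):
    """Passive agent: parse raw lines into normalized dicts, filtering noise."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line is dropped before forwarding to the core
        ts, source, rest = m.groups()
        ev = {"ts": ts, "source": source}
        ev.update(kv.split("=", 1) for kv in rest.split())
        events.append(ev)
    return events

def aggregate(events):
    """Aggregation: fold identical (source, host, outcome) events into one count."""
    return dict(Counter((e["source"], e["src"], e.get("result") or e.get("action"))
                        for e in events))

def correlate(agg, fail_threshold=3):
    """Correlation: link per-host sub-events into one reconstructed security event."""
    by_src = defaultdict(dict)
    for (source, src, outcome), n in agg.items():
        by_src[src][(source, outcome)] = n
    alerts = []
    for src, o in by_src.items():
        g = o.get; fails, ok, denies = g(("authd", "FAIL"), 0), g(("authd", "OK"), 0), g(("fw", "DENY"), 0)
        if fails >= fail_threshold and ok:  # repeated failures, then a success
            alerts.append({"src": src, "kind": "brute-force-success", "score": 90 + min(denies, 9)})
        elif denies:  # firewall denies only: lower-priority probing
            alerts.append({"src": src, "kind": "probe", "score": 30 + min(denies, 9)})
    return alerts

def run(lines=SAMPLE_LOGS):
    alerts = correlate(aggregate(collect(lines)))
    return sorted(alerts, key=lambda a: a["score"], reverse=True)  # prioritization
```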

Security applications, network devices, operating systems, and business applications all log events, but who or what monitors them? Compliance requirements state, in somewhat vague terms, the minimum period for which event logs must be stored and retained. Analysis and correlation of those events, however, depend on many factors. Capability, resources, storage capacity, knowledge, non-repudiation, cost, and analysis of data that often spans already overtaxed lines of business can all undermine an organization's ability to meet its compliance obligations. After all, is an Auditor's need to preserve a compliant data store in direct alignment with a Network Analyst's need to free up storage space when budgets are tight and performance is degrading?

I think that most Security Professionals agree that the threat of insider attack is becoming more and more prevalent. Low, slow, complex attacks of increasing sophistication heighten the need to readily bridge real-time events with historical data. Is your SIEM capable of running a complex query spanning time and multiple source types? Do you fully understand the protocols used and the process by which data is parsed, filtered or normalized? Chain of custody and compliance depend on the ability to prove data source accuracy and integrity, and that ability should therefore prove critical when considering a SIEM solution.

In addition to retention, storage and extensibility requirements, one must consider the importance of data extraction. Effective and timely incident response is dependent on immediate access to data. Restoring data from archives or submitting requests for additional support or hardware does anything but speed the process of root cause analysis. Effective evaluation of data extraction rates can be accomplished through use of complex queries that access the entire data store. Be wary of products that boast significant query rates without qualifying data size or location. Another consideration for query speed is the method by which data is stored: if data is stored in a compressed format, consider whether or not this will impact query performance and select your chosen solution accordingly.

One of my favorite information sessions from the SANS Log Management Summit was presented by Tom Chmielarski of Motorola, called “Lessons Learned Along the Way”. During the presentation, Tom shared his version of the “Top 5 Mistakes and Misconceptions” experienced during their implementation of SIM, and I would like to share them with you now:

  1. Expecting installation of Security Information Management (SIM) software to solve a problem.
  2. No definition of the problem to solve with SIM implementation.
  3. Failure to define usage (use cases) before work begins.
  4. Failure to understand the data available.
  5. Failure to make SIM relevant to business.

There are several factors that influence the success of your SIEM implementation, with the foremost factor being comprehension of requirements for the environment you wish to monitor. Clearly define the problem(s) you wish to resolve, limit the initial scope, go for the quick wins, and set appropriate expectations for evaluation criteria.

Reference Material:

SANS Log Management 2006 Summit Reference Manual
