Security information and event management (SIEM) technology performs two main functions, according to Gartner:
1. Security event management (SEM): Analyzes log and event data in real time to provide threat monitoring, event correlation and incident response. Data can be collected from security and network devices, systems and applications.
2. Security information management (SIM): Collects, analyzes and reports on log data (primarily from host systems and applications, but also from network and security devices) to support regulatory compliance initiatives, internal threat management and security policy compliance management.
SIEM: A Growing Market
Worldwide revenue for SIEM was $663.3 million in 2008 and is expected to grow to $1.4 billion in 2013, which is a compound annual growth rate of 16 percent, according to IDC. Meanwhile, Gartner estimates that SIEM was a $1 billion market in 2008, with growth of 30 percent that year.
Historically, event management—or SEM—has driven this market, but today's growth is mainly related to regulatory compliance, with secondary requirements for effective threat monitoring, according to Kelly Kavanaugh, an analyst at Gartner. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires log management, and the Sarbanes-Oxley Act requires privileged user reporting, he says.
Traditional SEM vendors have responded by orienting products previously geared toward real-time event alerting and management toward log management functionality. For instance, ArcSight added its Logger appliance and additional deployment options to address compliance. Meanwhile, SIM players such as SenSage and LogLogic are adding real-time capabilities.
Jon Oltsik, an analyst at Enterprise Strategy Group, sees the market differently. The main driver, he says, is the need to keep up with security complexity. "There is an acute awareness that security attacks are more sophisticated and that security at a system level is harder than at the device level," he says. Compliance is the second most important factor, he says, and the third is the need to replace early SIEM platforms that don't scale or provide the right level of analytics and reporting capabilities.
Forrester expects consolidation among the 20-plus SIEM vendors in the next 12 to 36 months, as well as more cloud-based SIEM services.
Core Capabilities of SIEM
According to Gartner, five critical capabilities differentiate SIEM products, whether you use them for SEM, SIM or both.
Log management. This includes functions that support the cost-effective collection, indexing, storage and analysis of a large amount of information, including log and event data, as well as the ability to search and report on it. Reporting capabilities should include predefined reports, ad hoc reports and the use of third-party reporting tools.
Compliance reporting. Key capabilities include user and resource access reporting.
SEM. This includes real-time data collection, a security event console, real-time event correlation and analysis, and incident management support.
Deployment and support simplicity. The need for compliance has encouraged smaller security staffs to adopt SIEM, and these buyers need predefined functions and ease of deployment and support over advanced functionality and extensive customization. Large volumes of event data will be collected, and a wide scope of analysis reporting will be deployed. This calls for an architecture that supports scalability and deployment flexibility.
User and resource access analysis. This capability defines access policies and discovers and reports on exceptions. It enables organizations to move from activity monitoring to exception analysis. This is important for compliance reporting, fraud detection and breach discovery.
SIEM DOs and DON'Ts
DO include multiple stakeholders. When developing requirements, be sure to collect them from the range of groups that may benefit from collected log data. This includes internal auditors, compliance, IT security and IT operations.
There are certainly customers just looking for log management because of a compliance requirement, and they may not have the internal resources to do anything but collect and document logs, Kavanaugh says. "But many buyers realize the capabilities inherent in log management software—the ability to collect, search and run reports—are valuable to security operations." Once the security group gets involved, he says, they look at including network security devices, routers and other areas of the network environment where they don't have great insight, as well as the real-time component.
When selecting a SIEM product at Liz Claiborne, Mike Mahoney, manager of IT security and compliance, involved architecture leaders from eight groups, asking them to respond to an in-depth questionnaire regarding what would help them improve their jobs. It ultimately took six months to complete the evaluation. "I wanted this to be a tool they would benefit from beyond log collection," Mahoney says.
"Ultimately, the point of intersection is log management, but analytics might be done by two different platforms," Oltsik says. "Whether you need security or compliance, you're using the same log data."
DO emphasize correlation capabilities. Correlation is a key aspect of SIEM systems, says Larry Whiteside, associate director of information security at the Visiting Nurse Service of New York (VNSNY). SIEM systems normalize logs from various systems, which helps you see the most important data you need out of those logs in a readable format.
They also help you correlate events that the human eye could never perceive but that correlation rules can detect. "If you use correlation rules, you can run a report, and two events that are 10 minutes apart will be right on top of each other because they're directly related to each other," Whiteside says. "If somebody does something once every 30 minutes, there's no way of looking at the log in the traditional sense and finding that."
Mahoney concurs that this is beyond human capability. One of the PCI DSS requirements, he says, is to review log events on a daily basis, which can involve millions of events per day. "The strength of SIEM is the ability to normalize the data and present it in a standard format," he says. At Liz Claiborne, it takes one person two hours a day to review log events, and that's thanks to rules built for specific occurrences.
DO look for usability. When Whiteside chose Symantec's SIEM product, he was ultimately sold on the usability of the interface, as well as how easy it was to set up policies and rules, create manual reports and schedule automated reports. This, he says, really helped weed out numerous players.
Symantec's DeepSight Threat Management System feature, for example, provides updates on threats going on in the world and correlates that information with alerts coming from your own devices. "I might get an alert from the intrusion detection system or firewall that is rated as low, but when it's correlated with the threat management information, which says it's seen a spike in this activity, it will raise the criticality of the alert," Whiteside says. "I get a real-world-type scenario." He can also put controls in place so that if the activity spikes, he's already protected.
DO look for ease of building correlation rules. In addition to basic usability, it's also important to look more deeply into how easily the system replicates what you normally ask humans to do, says Brian Cincera, senior director of worldwide technology infrastructure at Pfizer. An example is creating correlation rules that help his staff focus on the areas of highest risk.
"We've found that creating a rule and having one that reliably replicates what a human can do are two different things," Cincera says. "You can get any one of these systems and it will generate a lot of red flashing lights. But the point is, I have limited resources of really smart people who can focus on a few important events around the most significant areas of data and risk, so I have to keep the steadily growing noise level down, and the machine is the only way I can do that."
Ease-of-use features in ArcSight include the interface itself, the sophistication of the rule sets provided, drop-down boxes and the ability to construct expressions that are English-like rather than complex formulas, Cincera says. "You don't want it to take a Ph.D. to create rules that replicate human behavior," he adds.
DO consider investigative capabilities. One of the most favorable features of Q1 Labs' QRadar, Mahoney says, is its ability to manage Layer 7 data. This provides him with a view into not just network behavior, but also user and application behavior. "It identifies activity at a higher level and gets more specific on application behavior," he says, even capturing data in the packets for internal investigations. "I can view what activity users have done on the network—the applications they've touched, the Web sites they've visited." He can also look at specific databases on specific servers and see who's touching them. Or he can get log events to see what applications are talking to other applications and what database tables they're hitting. "That's above and beyond simple log collections," Mahoney says.
For instance, if Server A is talking to Server B, and activity peaks on Sunday night at 10 p.m., he can drill in further to see what desktops are involved. "It's very in-depth from an investigative perspective," he says.
DO weigh deployment options. SIEM buyers have a wide range of deployment options from which to choose. While software is the traditional form factor, Kavanaugh says, vendors have increasingly come out with all-in-one appliances, which do the data collection, analysis and correlation and use their own built-in databases to store copies of logs. There are also many blended offerings, in which a server performs the real-time analysis, correlation and monitoring, and an appliance covers log collection.
The decision depends on factors such as your business requirements, availability of support personnel, maintenance windows, network architecture and bandwidth restrictions. For instance, a retailer might have a thin pipe for transporting data back to corporate headquarters and therefore might want an appliance at the branch location as well as the ability to send logs back to a central location during nonbusiness hours for compliance work, Kavanaugh says.
Whiteside says storage considerations are another factor when choosing a deployment option. Some appliances offer only local storage, with no ability to send data to a secondary database, he says. This would be a problem if you collected log data in multiple regions but wanted to conduct queries remotely. "If someone needed to run a query for Europe but was in the U.S., he wouldn't want the query to go all the way to a database sitting on an appliance in Europe," he says. "It's not efficient."
At the VNSNY, Whiteside uses a multi-tiered architecture. A Symantec SIEM box collects network-based logs for the firewalls, routers, switches and intrusion detection system, and a log management system from LogLogic collects and reports on application and system logs. It forwards these logs to the Symantec SIEM, which applies correlation rules to all the log data.
Mahoney says he is happy to be using an all-in-one appliance for the 4,500 devices on Liz Claiborne's network that send log events. "I don't want to worry about driver patches and disk space requirements and database maintenance," he says. With other systems, data was stored in a SQL database, but with the appliance, it's built-in. "It's a hands-off approach," he says.
Pete Colley, security operations manager at CSC in the United Kingdom, says there are a couple of deployment options with the SIEM he uses, which is RSA enVision. Since a CSC customer had a very large distributed network, with 4,000 devices to collect logs from, he selected a distributed system that ran the application and database on a server, with network-attached storage. Data is pulled in from six or seven remote collectors, he says. "An all-in-one appliance wouldn't do it," Colley says. The largest appliance he looked at was limited, by license, to 1,000 end devices.
DON'T forget the managed service provider option. Historically, companies considered an MSP only for SEM functionality, Kavanaugh says, choosing to implement in-house systems for log collection and management. Now, however, more MSPs are offering log management capabilities, taking logs from the customer premises to a security operations center and doing the archiving and reporting from there. While this would not work for companies with a large volume of logs or a wide diversity of devices to collect from, it is a valid option for midsize and smaller firms, Kavanaugh says.
DON'T overplay the real-time console. When Whiteside first started using SIEM products, he felt the real-time console was the most important aspect of this technology. However, he eventually realized that only 5% of the team's time was spent looking at the console, and the rest was spent running queries. "Real-time alerting is extremely important, but the console is a nice-to-have," he says. "The importance of SIEM is its back-end intelligence and alerting."
A key thing people miss with SIEM and log management, Whiteside says, is that it's all reactive, based on whatever the incident is. "But you at least have a consolidated view of what has happened from disparate systems," he adds.
DON'T overlook vendor support. Vendor support was crucial to Mahoney, who emphasizes that SIEM technology is nowhere near "set and forget." SIEM is a core product for Q1 Labs, he says, compared with other companies that offer SIEM products that they got via acquisition. "When you get on the phone with some vendors, it can take days to get someone with the expertise to fix your problem," he says. Mahoney tested how long it took for the vendors on his short list to get back to him with a fix for a problem. The vendors knew he was conducting an evaluation and that they were in direct competition with other companies. Q1 got back to him with solutions in two days, whereas another vendor never got back to him at all.
DO look into storage capacity. Another consideration is how much data the system will store, especially when regulations may require data to be online for a particular length of time. With 4,500 devices sending log events, and peaks of 2 trillion events to evaluate per month, storage was a big consideration for Mahoney. "We have to retain that data for a year to comply with PCI/DSS," he says. Mahoney says he knows of another CIO who found that his SIEM system could store only four days' worth of data online. The key, he says, is compression. "I'm looking at a data reduction rate of 63,000-to-1, he says. "They compress it, and I can go back and look at every log event I've received in raw format."
Whiteside says his system can store a year's worth of live data online, although he chooses to store just 180 days' worth.
DO look at scalability. Oltsik emphasizes that a main requirement today is to collect more data from more devices more quickly. "Vendors measure this in events per second," which have grown from thousands to hundreds of thousands, he says.
DON'T overlook hidden costs. Cincera warns that hardware and software accounts for one-half or less of the total cost of ownership of a SIEM implementation. The rest, he says, is the labor involved with creating, building and deploying the technology. "You can't just put someone on the console and have them whip up 10 good correlation rules a day," he says. "They need to understand things like, 'These events need to be treated in this manner, or with this level of discretion.' " This requires the governance function to specify which events to care about and what actions to take. "There's a cost to the organization based on that function," Cincera says.
Another cost is maintenance, which includes keeping rules up to date, group management, permissions, alerting, monitoring and metrics. "You need to manage interfaces to upstream systems, things that feed information to the engine," Cincera says. "You need to stay constantly involved, making sure connections stay in sync with one another, and that can be a daunting effort." The work level grows dramatically based on the number of upstream systems you need to feed, he warns.
A third cost is labor. "Every event you choose not to ignore is one on which you must act, even if it's just to say, 'noted,' " Cincera says. "And every action has a cost." And fourth is decommissioning. At some point, Cincera says, the rules, alerts and actions you take lose value and should be decommissioned.
Total cost of ownership is something no vendor is good at communicating, he adds. "They don't want you to think of all those costs."