Stopping The Insider Threat: The Case for SIEM in Government IT (Part 1)

   I’ve decide to try something that I’ve never done before in one of my security blogs. I’ve invited one of my senior security staff to write a 3-part series as a guest blogger. Scott Larsen has been working on Security Information and Event Management (SIEM) for several years as a contractor and a state employee. He is an expert on several top industry products in this SIEM space.

No, this is not an interview, but rather Scott’s own words. In case you’re wondering, I’m not going away. I’ll be back in January 2012 with new security blog topics in this same space. Meanwhile, enjoy (and tweet on) Scott’s Larson’s 3-part blog on SIEM in government:

Don’t let the title fool you…this isn’t a new Hollywood spy thriller movie or latest NY Times best-selling novel. Not by a long shot! But some of the concepts in this subject area could make for some interesting plot lines.

It has been said that outsider threats will destroy your networks and compromise/steal data. In the news recently we have seen the increase in external attacks and theft of data by organizations such as Anonymous and LulzSec. But as serious as those threats are it’s your own system administrators and other privileged account holders that can really put you out of business…or at a minimum require you to defend your organization against various civil lawsuits for violation of privacy and loss of sensitive data, etc.

(Can anyone say “Breach Notification Act”?) Add to that the real possibility of significantly increased costs of investigations and the dollars can add up very quickly. In this era of shrinking budgets and limited promotional opportunities IT staff can become disillusioned and even somewhat antagonistic toward their own organizations’ assets and operations. This disillusionment can even lead to outright theft of data or possible sabotage of organizational assets.

So why should any organization care about monitoring its own IT staff? You may say “I trust my staff…they wouldn’t do anything like that!” Does anyone remember the system administrator from San Francisco that held the city at bay while not turning over the administrative password for the network? Or the Army private Bradley Manning that infiltrated classified information from Defense department computer systems and sent it to WikiLeaks? Think of SIEM as an insurance policy, one you hope to never have to make a claim against. This is exactly why each organization should consider implementing a SIEM solution…”To keep the bad guys out and keep the good guys good.”

It is the marriage of two existing concepts: Security Information Management (SIM) and Security Event Management (SEM). Together they become Security Information and Event Management (SIEM), another new acronym to learn.

So what is SIEM and why should anyone care? SIEM is a relatively new subject area. Its two components: Security Information (SIM) and Event Management (SEM) individually have been around for quite some time and are established concepts. Wikipedia defines SIEM in this way:

Security Information and Event Management (SIEM) solutions are a combination of the formerly disparate product categories of SIM (security information management) and SEM (security event management). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM solutions come as software, appliances or managed services, and are also used to log security data and generate reports for compliance purposes.^[1]

The acronyms SEM, SIM and SIEM have been used interchangeably, though there are differences in meaning and product capabilities. The segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is commonly known as Security Event Management (SEM). The second area provides long-term storage, analysis and reporting of log data and is known as Security Information Management (SIM).^[2]

The term Security Information Event Management (SIEM), coined by Mark Nicolett and Amrit Williams of Gartner in 2005,^[3] describes the product capabilities of gathering, analyzing and presenting information from network and security devices; identity and access management applications; vulnerability management and policy compliance tools; operating system, database and application logs; and external threat data. A key focus is to monitor and help manage user and service privileges, directory services and other system configuration changes; as well as providing log auditing and review and incident response.”

One of the challenges in establishing a SIEM solution is determining roles and responsibilities for the various stakeholders in the process. SIEM by its very nature can generate negative reactions by the staff that it is designed to monitor. An organization should never have the same system administrators that they wish to monitor manage the very assets that host the monitoring software. But sadly in many cases, due to staff reductions, etc. this is exactly the case. At the State of Michigan we follow the NIST guidance on log management, specifically NIST Special Publication 800-92. In the next installment for this blog we will discuss some of the role-based guidance provided by NIST.

Maybe you could share some of your SIEM experiences from your organization? What cautions can you share? What are some of the challenges that you have faced? What successes have you experienced? I look forward to reading your responses!