Effective SIEM: Less Turtle - More Awareness

Thursday, January 12, 2012

John Linkous


Catching up on some reading this week, I came across this piece in Security Week, written by Chris Poulin, Chief Security Officer at Q1 Labs, talking about how a childhood experience can help the modern information security professional. 

Chris makes some good points, such as the need for continuous monitoring and the use of every available tool to capture multiple data points, so that you can pinpoint the vector of an advanced persistent threat (or a slow-moving box turtle).

That is all sound advice, although we contend that the average cyber or insider attack moves somewhat faster than the average box turtle. There are, however, some major problems with Chris' piece.

First, the piece assumes that SIEM tools (of which Q1 Labs makes a very good one) can capture all of the information required to find our good friend the turtle. Unfortunately, that simply isn't the case.

SIEM tools are highly focused on events. Even where a SIEM can look beyond events at one or two other kinds of data (say, network traffic, which Q1 Labs' SIEM does), that is still woefully inadequate.

If we're going to find an errant turtle, we certainly need events and network traffic data, but we also need asset and configuration state (from both hosts and network devices, not just one or the other), system performance metrics, visibility into file integrity, and much more.

A SIEM is great if our Turtle friend has left behind a trail of breadcrumbs (or whatever it is that turtles leave behind them when they travel), but otherwise, the SIEM is going to likely lead us to a cold trail due to lack of data.

Second, even if your SIEM can collect different types of data in search of our elusive turtle friend, it probably uses multiple, separate products to do so.

Q1 Labs has a great SIEM product, QRadar, but it requires separate appliances to collect flow data and Q1's proprietary pseudo-DPI information, as well as another, completely separate appliance to collect system asset data and configuration state (and even then, that data is limited to a small subset of network devices and excludes hosts entirely, which leaves us stuck in the world of limited data again).

Of course, Q1 Labs is not the only SIEM vendor that runs into this issue: Tripwire, NitroSecurity, NetIQ, ArcSight, and others all rely on multiple tools to try to collect more than just event data.

Unfortunately, all this approach does is take a bunch of smaller silos (from individual systems and point security tools) and turn them into a smaller number of bigger silos, which is no help as the clock ticks on finding our buddy the turtle.

Finally, even if you can collect a multitude of data points from various point security tools, and your security analysts have fed them into a traditional SIEM, you still have a problem: the SIEM views everything as an event. A piece of system state data becomes an "event" (which it isn't), performance metrics become "events" (which they aren't), and so on.

Much of the richness of the data is lost, and all most organizations are left with is a general idea that "something" has certainly happened, without the critical context of exactly what that "something" is. A manual hunt for the turtle then begins in earnest.
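To make the point concrete, here is a small added example (not code from the original post, and not any vendor's product) that evaluates the same constructed event stream two ways: once with only the event's own fields, as an event-centric SIEM would, and once joined against hypothetical asset/configuration state and a file-integrity baseline. The host names, users, paths and file contents are all made up for the illustration.

```python
import hashlib

# Constructed sample data for this example (not from the original post).
# EVENTS is what a SIEM ingests: a flat stream of syslog-style events.
EVENTS = [
    {"ts": "2012-01-12T03:14:07Z", "host": "web01", "type": "auth_success",
     "user": "svc_backup", "src": "10.0.5.23"},
    {"ts": "2012-01-12T03:14:09Z", "host": "web01", "type": "process_start",
     "proc": "/usr/sbin/sshd"},
    {"ts": "2012-01-12T03:15:00Z", "host": "web01", "type": "process_start",
     "proc": "/usr/sbin/httpd"},
]

# Asset/configuration state (hypothetical): what each host is approved to run
# and which accounts may log in to it. A SIEM that only sees events has none of this.
ASSET_STATE = {
    "web01": {"role": "web", "allowed_services": {"httpd"},
              "allowed_users": {"www", "deploy"}},
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# File-integrity baseline: expected SHA-256 of monitored binaries, plus the bytes
# currently observed on the host (hypothetical contents, hashed inline).
FIM_BASELINE = {
    ("web01", "/usr/sbin/sshd"): sha256(b"original sshd binary"),
    ("web01", "/usr/sbin/httpd"): sha256(b"original httpd binary"),
}
OBSERVED_FILES = {
    ("web01", "/usr/sbin/sshd"): b"trojaned sshd binary",    # tampered
    ("web01", "/usr/sbin/httpd"): b"original httpd binary",  # unchanged
}


def event_only_verdict(event: dict) -> str:
    """What a SIEM can say when the event's own fields are all it has."""
    labels = {"auth_success": "successful login", "process_start": "process started"}
    return "info: " + labels.get(event["type"], "unclassified event")


def state_aware_verdict(event: dict) -> list:
    """Join the event against asset state and the integrity baseline.

    Returns a list of findings; an empty list means the event is consistent
    with the host's approved configuration.
    """
    findings = []
    state = ASSET_STATE.get(event["host"])
    if state is None:
        return ["host not in asset inventory"]

    if event["type"] == "auth_success" and event["user"] not in state["allowed_users"]:
        findings.append(f"user {event['user']} not authorized for {state['role']} role")

    if event["type"] == "process_start":
        service = event["proc"].rsplit("/", 1)[-1]
        if service not in state["allowed_services"]:
            findings.append(f"service {service} not in approved set for {state['role']} role")
        key = (event["host"], event["proc"])
        if key in FIM_BASELINE:
            observed = OBSERVED_FILES.get(key)
            if observed is None:
                findings.append("monitored binary missing from host")
            elif sha256(observed) != FIM_BASELINE[key]:
                findings.append("binary hash differs from integrity baseline")
    return findings


def triage(events: list) -> list:
    """Evaluate each event both ways so the lost context is visible side by side."""
    return [{"ts": e["ts"], "host": e["host"],
             "event_only": event_only_verdict(e),
             "state_aware": state_aware_verdict(e)} for e in events]


if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row["ts"], row["host"], "|", row["event_only"], "|",
              row["state_aware"] or "consistent with baseline")
```

Run stand-alone it prints one line per event. The event-only column can only say "successful login" and "process started" three times; the state-aware column flags the login by an account not approved for a web host, flags sshd as both an unapproved service and a binary whose hash no longer matches the baseline, and stays quiet for httpd because it is approved and unchanged. None of that is derivable from the events once state and integrity data have been flattened into more "events".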

So yes, what Chris describes is absolutely valid; we call it Unified Situational Awareness. But the fact is, traditional SIEM and "SIEM-plus" tools simply can't deliver it.

Cross-posted from The Situational Room
