The Key to Selecting SIEM and Log Management

Tuesday, September 21, 2010


Securing today's networks and meeting compliance requirements are dual challenges faced by every IT team. Bad things happen much faster now: new exploits are discovered, 'weaponized', and distributed to the world within hours.

Compliance audits take too long, and security teams never look as good as they should because they generally cannot prove what they are doing.

SIEM and log management tools can address both needs. Ask any security practitioner about their holy grail and the answer is twofold: one alert that specifies exactly what is broken, raised on just the relevant events, together with the ability to learn the extent of the damage.

They need to pare down billions of events into actionable information. The promise of SIEM is the consolidation of all relevant security event logs from disparate sources into a single, unified and normalized data store.

This provides the opportunity to:

  • Simplify compliance monitoring/reporting
  • Vastly improve Incident Detection & Incident Response
  • Contextualize event information with other business relevant information (e.g., CMDB/Vulnerability data)

One key best practice for implementing a SIEM system successfully is to understand that SIEM = unique data warehouse. This may seem a little too simplistic, but it is also realistic: many people fail to understand that a SIEM is ultimately a large, relatively complex database.

SIEM database requirements are very unusual:

- Near-continuous, extremely high inbound transaction rate (TPM) with simultaneous queries against the same data:

  • Indexing - improves query performance at the cost of insertion rate and data expansion
  • Partitioning - improves insertion rates at the cost of greater database administration overhead
  • Data segregation - striping data across as many spindles as possible for improved insertion and query performance (e.g., redo logs, indexes, raw data and temporary space on separate spindles)
  • Another pain point that deserves close attention is committing the resources required on a go-forward basis.

- SIEMs need to evolve with your environment to stay valuable and viable:

  • software updates for the devices you are monitoring
  • changes in policies, laws and regulations
  • network changes

- A real-world support example (18-month run-rate analysis):

  • 12 days per month to run/operate the SIEM, broken down as follows:
  • database administration (15%)
  • system administration (10%)
  • special investigations (15%)
  • report creation and modification (30%)
  • agent development (15%)
  • change support (15%)

Keep in mind that conventional device-centric plans can result in data overload, delays and frustration. The better approach is to correlate two groups (A and B, 1 and 2, etc.) where they are most needed; this is called 'pain-point centric'.

Regardless of what the name suggests, the project becomes painless by the end, for the simple reason that we implement a full success cycle per objective and then iterate. Too many projects get lost in a "log consolidation".

The suggested pain-point centric approach is as follows:

  • Collect pain point -> normalize/taxonomize -> correlate -> report -> workflow

The big deal here is producing meaningful data quickly by correlating the two groups, so that we can pick out the relevant data and achieve a successful SIEM optimization. I have to point out that we still have a long way to go in this subject matter. There are many promises, and vendors out there claim they do 'everything' and that your company will have a definitive, 100% successful SIEM solution. Not really... There is still a lot to be improved, but that is for another article. What I wanted to show you here is a clear picture of what SIEM is, and an interesting and effective concept for implementing it that will most likely help you understand how to think about SIEM. Obviously each company has its own characteristics, and these solutions won't apply to all companies.
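The pipeline above, carried through end to end as an added example that is not part of the original article: two constructed log groups (VPN authentications and firewall denies, sample data invented here) are normalized onto one schema, correlated on a single chosen pain point, and reduced to one report line per finding. The log formats, field names, the five-minute window and the three-deny threshold are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample logs (not real data). Group A: VPN authentication events.
VPN_LOG = """\
2010-09-21T08:00:05 vpn01 auth: user=alice src=203.0.113.7 result=FAIL
2010-09-21T08:00:09 vpn01 auth: user=alice src=203.0.113.7 result=FAIL
2010-09-21T08:00:14 vpn01 auth: user=alice src=203.0.113.7 result=SUCCESS
2010-09-21T09:15:00 vpn01 auth: user=bob src=198.51.100.2 result=SUCCESS
"""
# Group B: firewall denies for connections into the internal network.
FW_LOG = """\
2010-09-21T08:01:02 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=445
2010-09-21T08:01:03 fw01 DENY src=203.0.113.7 dst=10.0.0.6 dport=445
2010-09-21T08:01:04 fw01 DENY src=203.0.113.7 dst=10.0.0.7 dport=445
2010-09-21T11:30:00 fw01 DENY src=198.51.100.2 dst=10.0.0.5 dport=22
"""
VPN_RE = re.compile(r"^(\S+) \S+ auth: user=(\S+) src=(\S+) result=(\S+)$")
FW_RE = re.compile(r"^(\S+) \S+ DENY src=(\S+) dst=(\S+) dport=(\d+)$")

def normalize(vpn_text, fw_text):
    """Normalize/taxonomize: map both raw formats onto one common event schema."""
    events = []
    for line in vpn_text.splitlines():
        m = VPN_RE.match(line)
        if m:
            ts, user, src, result = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "src": src, "category": "auth_" + result.lower(), "user": user})
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "src": src, "category": "net_deny", "dst": dst, "dport": int(dport)})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window=timedelta(minutes=5), min_denies=3):
    """Correlate the two groups on the chosen pain point: a successful VPN login followed within `window` by repeated denied internal connections from the same address."""
    findings = []
    for e in events:
        if e["category"] != "auth_success":
            continue
        denies = [d for d in events if d["category"] == "net_deny" and d["src"] == e["src"]
                  and e["ts"] < d["ts"] <= e["ts"] + window]
        if len(denies) >= min_denies:
            findings.append({"user": e["user"], "src": e["src"], "targets": sorted({d["dst"] for d in denies})})
    return findings

def report(findings):
    """Report: one actionable line per finding instead of the raw event stream."""
    return [f"{f['user']}@{f['src']}: VPN login followed by {len(f['targets'])} "
            f"denied internal connections to {', '.join(f['targets'])}" for f in findings]
```

Bob's login is not reported because his only deny falls outside the window; that is the point of correlating on a pain point rather than alerting on every deny.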

Conclusion - It may be possible to gather other, more consolidated approaches and concepts on how to make SIEM systems happen so that the enterprise has a successful implementation and benefits from it on an ongoing basis. Much will depend on how well the IT team and C-level managers understand the big picture, and obviously on what scenario your company is in today and will most likely be in tomorrow.

This article is grounded solely in the fact that I want you to understand what SIEM really is, and to give some insights from a real-world point of view, thus clarifying this very important concept in IT security as guidance for you. It's a starting point.

This article was written by Emerson Lima, Brazilian (currently living in Brazil), lead security engineer with 15 years of experience in the IT field and 5 years in IT security, having worked at 5 multinational companies such as IBM, HP and Unisys, and holding high-level credentials such as the CISSP, CCNP, LPI, SCSA and RHCE certifications. A big technology enthusiast with a great passion for what he does, who always strives to learn and share knowledge.

Nilesh Jivraj: Hi, Nilesh from South Africa here, and based on your notes I would like to add that in today's times of security and compliance management, companies are trying very hard to consolidate these 2 aspects into a single solution. Although there are different scripts that can be written to pull log information to a compliance tool, these scripts become too many to manage and way too expensive to develop. I am not totally sure if I am allowed to mention names of products that do both security and compliance monitoring. If yes, please let me know and I will gladly assist. In my view IT security and compliance management should be coupled, as there are many facets that interlink.

bitraptor: Hi Nilesh, thanks for your feedback and comments, they're most welcome! I'd like to see your comments on which products may have these two functionalities and work it out for real (in theory at least). I'm not sure either, but I'll ask the site directors about it. You could even write an article highlighting the products you know and making a comparison between them. It will definitely add a lot to this subject matter.

Nilesh Jivraj: Hi Emerson, well, there is only 1 product I know of currently, and we use it in our organisation to provide our customers with a managed security service. If at all possible I would like to provide the site with a PDF of the product which provides the details of its capabilities.
