Successful cyber security environments are based upon several key strategic objectives, including:
1. Continuous improvement of the methods that determine what is being attacked and how to stop an attack, as quickly as possible.
2. Increased efficiencies to address the constant growth of IT environments, as well as the dramatic increase in the number of threats and attacks. The goals are to streamline security solutions while reducing operational costs and staffing requirements.
3. Audit reports that substantiate where and how security controls are implemented, generally for legal and corporate governance purposes, but also to provide assurances to security teams and executives.
SECURITY TEAMS IN NON-SIEM ENVIRONMENTS: ISSUES AND CHALLENGES
Cyber security teams (a) assess logs and events to determine if cyber threats exist, (b) identify the sources and nature of cyber threats, and (c) attempt to rectify problems as soon as possible. Security teams monitor firewalls, IP addresses, network traffic, operating systems, databases, system configurations, applications, user activity, and so forth. Whenever possible, automated alerts are programmed into monitoring systems. This enables security teams to reduce (potentially) millions of events into manageable sets of anomalies that require further investigation. Security analysts tend to discover threats based on their ability to recognize irregularities in what they perceive as the norm.
Successful security teams correlate alerts between several systems. Unfortunately, there are many challenges associated with this (non-SIEM) approach:
- Too much data but not enough actionable information... A security analyst will monitor anywhere between 10 - 2,000 devices which, in turn, could generate thousands of log entries and alerts per day. It is virtually impossible for one person to transform that amount of data into actionable information, especially while trying to keep an eye on everything else.
- Only the most obvious attacks are investigated... With so much unmanageable data, security analysts can only investigate what are perceived as easily recognizable attacks. But this results in too many false positives and does not allow security analysts to drill down to find and react to REAL problems.
- Business implications are not considered...
  - At the operational level, low-level details should be summarized and linked to an organization's mission. Further, data correlations should highlight any potential impact on business operations. (E.g. What is the impact on order processing when 45 percent of an organization's web servers have been disrupted due to a malware invasion?)
  - At the strategic level, it is important to identify and monitor ongoing threats (e.g. nation-states, organized cyber-criminals, cyber-spies, hacktivists, etc.) for key patterns and activities that expose malicious intentions. This is essential to disrupting sophisticated cyber adversaries.
- Inability to isolate the root cause. Intrusions cannot be analyzed without consolidating data from multiple systems. In a decentralized, non-SIEM environment a security analyst would have to view and understand the nature of issues and alerts on several systems, in order to confirm an attack. This is a highly ineffective means of determining the root cause of an attack, as well as how to respond.
BENEFITS OF SIEM
SIEM solutions are more automated and intelligent. Therefore, they enable security analysts to discover and react to threats more efficiently:
- The data is consolidated. SIEM solutions consolidate data from multiple sources, including networks, servers, databases, applications, and so forth. This enables security practitioners to monitor everything from everywhere, in one central location.
- The data and logs can be correlated and more easily interpreted: Advanced SIEM systems search for commonalities in threat intelligence that tie events together. Automated analytics provide a more efficient means of evaluating and responding to security threats.
- Alerts are more accurate and pinpointed: Automated analysis of linked events results in more timely and effective alerts, which enable security teams to identify and prioritize incidents that require a response.
- Dashboards and correlations transform data into actionable information: SIEM tools convert event data into graphs and charts that enable security analysts to recognize patterns and, more importantly, to spot activities that would not be recognizable from individual log entries alone.
The bottom line is that SIEM solutions enable security practitioners to (a) see problems much more readily, (b) determine what requires immediate attention, and (c) act more quickly to resolve problems than is possible in non-SIEM environments.
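As an added illustration of the consolidation and correlation described above (example code, not part of the original post), the following Python script ingests constructed firewall and SSH log lines, normalizes them into one timeline, and collapses a chain of related events from a single source address into one prioritized alert. The log formats, field names and the correlation rule are assumptions, not any particular SIEM product's logic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from two sources (formats are assumed, not vendor-specific).
FIREWALL_LOG = """2024-05-01T10:00:01 DENY src=203.0.113.5 dst=10.0.0.7 dport=22
2024-05-01T10:00:02 DENY src=203.0.113.5 dst=10.0.0.7 dport=3389
2024-05-01T10:00:03 DENY src=203.0.113.5 dst=10.0.0.7 dport=445
2024-05-01T10:03:10 DENY src=198.51.100.9 dst=10.0.0.7 dport=80"""
AUTH_LOG = """2024-05-01T10:01:15 sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:01:18 sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:01:25 sshd: Accepted password for admin from 203.0.113.5
2024-05-01T10:05:00 sshd: Failed password for bob from 198.51.100.9"""

FW_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=\S+ dport=(\d+)")
AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)")

def normalize(fw_text, auth_text):
    """Consolidate both sources into one timeline of (time, src_ip, kind, detail)."""
    events = []
    for line in fw_text.splitlines():
        if m := FW_RE.match(line):
            events.append((datetime.fromisoformat(m[1]), m[2], "fw_deny", m[3]))
    for line in auth_text.splitlines():
        if m := AUTH_RE.match(line):
            kind = "auth_fail" if m[2] == "Failed" else "auth_ok"
            events.append((datetime.fromisoformat(m[1]), m[4], kind, m[3]))
    return sorted(events)

def correlate(events, window=timedelta(minutes=5)):
    """Assumed rule: one source IP denied on 3+ ports, then failed logins, then a
    success, all inside `window` -> a single high-priority alert instead of raw lines."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        recent = [e for e in evs if e[0] - evs[0][0] <= window]
        ports = {e[3] for e in recent if e[2] == "fw_deny"}
        fails = [e for e in recent if e[2] == "auth_fail"]
        oks = [e for e in recent if e[2] == "auth_ok"]
        if len(ports) >= 3 and fails and oks and oks[-1][0] > fails[0][0]:
            alerts.append({"src_ip": ip, "severity": "high",
                           "user": oks[-1][3], "evidence": len(recent)})
    return alerts

if __name__ == "__main__":
    for a in correlate(normalize(FIREWALL_LOG, AUTH_LOG)):
        print(a)
```

Eight raw log lines across two systems become one alert for 203.0.113.5, while the unrelated activity from 198.51.100.9 produces nothing, which is the noise reduction the bullets above describe.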
- IT and security departments should evaluate SIEM solutions to determine which tools and operational requirements meet their specific technical, financial, and security requirements.
- SIEM systems are offered as outsourced managed services and as internally managed solutions. The cost/benefits of each should be reviewed accordingly.
In the next installment of the SIEM Strategies Blog we will contrast the technical characteristics and cost/benefits of SIEM systems operated as "managed services" versus "in-house". We will measure these in terms of manpower requirements, costs, and technical and business considerations.