
Systems we call SIEMs have never stopped evolving, and they’re at it again, with new capabilities essential to 21st-century security. So it’s time to get to know SIEMs again. Security information and event management products first appeared in the mid-2000s, a merging of SIM (security information management) and SEM (security event management) products. The impetus for SIEM products then was the ability to draw data winnowed from a large number of logs and unify it into a single-pane view—to make it useful and usable. But once SIEM got its first kinks worked out, the world changed. Big data appeared, offering a seemingly endless mountain of data needing to be sifted and analyzed. And hackers and other security threats became even more sophisticated. Fortunately, so did SIEM technology. Some large-scale shifts in the product category are underway—or already here. That’s the focus of this guide by security tech expert Karen Scarfone. To start, Scarfone reviews the basic analytics that current SIEM products can provide and offers invaluable tips for getting the most out of your existing SIEM system. Next, she considers the “human side” of SIEM tools. Like people, they’re not infallible, but there are features Scarfone says to look for specifically in a SIEM product’s interface that can ease the interpretive work of a security professional. To close, Scarfone delves further into analytics, focusing on the variety of real-time capabilities that current SIEM technology offers. Whether you’re wondering if you’re using your current SIEM tool to its fullest, or if your enterprise is looking for a brand-new system, here’s a look at the new shape of SIEM.

Security information and event management systems are tools and services dedicated to improving enterprise security log monitoring, analysis and reporting. SIEM platforms bring together security-event log data from numerous enterprise security applications, as well as from device operating systems and from the IT and business applications that are prone to attack. Organizations use SIEM systems for different reasons, including centralized security compliance reporting, identification of historical trends and patterns in security events, and detection of recent or current attacks and compromises.

All of these SIEM system uses rely on data analytics. Most devices and applications that generate security log data don’t have the ability to analyze the information for compliance violations, long-term changes or current attacks. SIEM platforms offer data analytics and can consider all the logs together, correlating the different parts of an issue that were observed in multiple places. By piecing these together, SIEM platforms can discover attacks not identifiable by other means.

All SIEM products provide basic data analytics capabilities, but you may be able to improve the effectiveness and efficiency of these capabilities through some relatively small changes. Here are some tips for getting the most out of your existing SIEM system:

- Reconfigure logging for other enterprise security controls. All enterprise security controls, such as firewalls, intrusion prevention systems, antivirus servers, endpoint security suites and mobile device management (MDM) technologies, are capable of logging security events. However, these security controls often use default logging configurations. Adjusting enterprise security controls to log more details about, and a wider range of, security events can lead to significantly better results from SIEM data analytics. Be careful, however, to test logging reconfigurations before implementing them in production. This will help you understand how they may affect performance and storage, both locally and within the SIEM platform.

- Configure SIEM agents to log additional data. The quality and level of detail of the security-event log data that operating systems and applications generate can vary greatly. An easy but often overlooked solution to this is to use SIEM agents to perform additional logging. SIEM agents can supplement standard logging in two ways. One is to log more details about observed events, thus providing a much richer picture of security-related activities. The other is to configure SIEM agents to automatically log additional information once a suspicious event is detected. Both of these enable the SIEM system’s data analytics capabilities to draw more accurate conclusions about security events much more quickly.

- Optimize the SIEM platform’s understanding of data from security logs. A single SIEM system may need to parse log data from dozens or hundreds of types of log sources. Most SIEM systems have built-in knowledge of the significance of each log entry field for common sources, but the same can’t be said for others, such as an organization’s custom business applications. In these cases, the organization must invest the necessary resources to ensure that the original log data is transformed into a format that the SIEM product will understand completely. Providing the available context for each piece of log data may involve customizing the SIEM platform or even developing custom code to help retain the original context when converting the log data to a SIEM-readable format.
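The third tip, custom code that converts a business application’s log into a SIEM-readable format without losing the original context, looks roughly like the following. This is an added illustration, not code from the guide or from any SIEM product: the pipe-separated log format, the field names, the severity mapping and the assumption that the application writes UTC timestamps are all constructed for the example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample lines from a hypothetical custom business application.
# The format (pipe-separated, local timestamp, key=value details) is invented
# for this example and is not any real product's format.
SAMPLE_LOG = """\
2024-03-01 09:15:02|orders-api|WARN|auth_fail user=jsmith src=10.0.5.17 reason=bad_password
2024-03-01 09:15:09|orders-api|WARN|auth_fail user=jsmith src=10.0.5.17 reason=bad_password
2024-03-01 09:16:44|orders-api|INFO|login_ok user=jsmith src=10.0.5.17
2024-03-01 09:20:00|orders-api|ERROR|export user=mlee rows=250000 dest=203.0.113.9
"""

LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<app>[^|]+)\|(?P<sev>[^|]+)\|(?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Map the application's own field names onto the common field names the SIEM
# already understands (a hypothetical schema), so the original meaning is kept.
FIELD_MAP = {"user": "user", "src": "src_ip", "dest": "dst_ip", "reason": "reason", "rows": "row_count"}
SEVERITY = {"INFO": 1, "WARN": 5, "ERROR": 7}

def parse_line(line: str) -> dict:
    """Convert one custom log line into a flat, SIEM-readable event."""
    m = LINE_RE.match(line.strip())
    if not m:
        # Keep unparsable input rather than silently dropping it: the SIEM can
        # still index the raw text, and an analyst can spot gaps in the parser.
        return {"event": "unparsed", "raw": line.strip()}
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)  # assumes UTC
    event = {
        "timestamp": ts.isoformat(),
        "source": m["app"],
        "severity": SEVERITY.get(m["sev"], 0),
        "event": m["event"],
        "raw": line.strip(),  # the original context is never lost
    }
    for key, value in KV_RE.findall(m["rest"]):
        event[FIELD_MAP.get(key, f"app_{key}")] = int(value) if value.isdigit() else value
    return event

def normalize(log_text: str) -> list[dict]:
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]

if __name__ == "__main__":
    for ev in normalize(SAMPLE_LOG):
        print(json.dumps(ev))
```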

Security information and event management technologies provide businesses with security-event log management capabilities, including log monitoring, analysis, reporting and centralized storage. SIEM analysis is conducted for a variety of reasons, including review of long-term historical security trends, short-term review of incidents in support of investigations, and real-time analysis of current attack attempts.

SIEM platforms monitor and analyze enormous volumes of security event data on a continuous basis. This removes a huge burden from human security analysts, freeing them to focus on those analysis-related tasks that are most improved through human involvement. For example, SIEM platforms are not infallible: they may make decisions based on an incomplete or inaccurate understanding of the data they receive and analyze. Some of the data that SIEM products receive may even be erroneous. People who review the results of SIEM analysis may be able to quickly identify errors—both false positives and false negatives—and ensure that the right actions are taken.

It’s important that any SIEM system have an analysis interface for security professionals. This interface should allow users to quickly verify the system’s conclusions by making all the supporting information conveniently available. It should also enable them to use the SIEM to find patterns in the security data that the SIEM tool could not find on its own. And, of course, it should also allow them to perform their own investigations.

The heart of SIEM interfaces for human analysis is search capabilities. All SIEM tools have basic search capabilities, such as allowing a person to enter an IP address and then displaying a list of recent security events involving that address. Although this is certainly useful, search can be a much more powerful tool. Here are search features to look for that will aid SIEM analysis:

- Flexibility in simple searches. Although it’s usually more common to search within a particular data field—such as IP address, username or application—there are times when an analyst wants to search for a particular value in any data field. A robust SIEM tool will support both types of searches.

- Usable and powerful complex search capabilities. Ideally, a SIEM should provide both a GUI that makes it easy for analysts to perform complex searches and a search or query language, such as SQL, that enables analysts to write and run complex searches. This combination allows analysts of all skill levels to do searches.

- Choices in the search output format. A list of results is the typical default format, but there are many other possibilities, including a variety of charts, graphs, network flow diagrams, gauges and even maps. These graphical output options are generally known as data visualization capabilities. Under different circumstances, one or more of these data visualization forms may be valuable to users for identifying anomalous activity.

- Search scheduling. An analyst may want to write a search and schedule it to run automatically on a regular basis to identify specific activity. For example, an analyst may write a search designed to find servers that show the same signs of attack that a previously compromised server had.

If a SIEM product does not offer sufficiently usable and robust search capabilities, it may be prudent to acquire a separate tool that can perform the necessary searches on the SIEM data or on a copy of the data. In some cases, using a separate tool may even be preferable because the searches can be performed on a separate server, reducing the load on the SIEM system itself.
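To make the first and last search features concrete, here is an added example (not code from the guide or from any SIEM product) that runs a field-restricted search, an any-field search, and the scheduled search described above, which looks for other hosts sharing the indicators observed on a known-compromised server, over a small set of normalized events. The event records, field names, host names and addresses are constructed for this illustration.

```python
from collections import Counter

# Constructed sample of already-normalized SIEM events. The field names are a
# hypothetical schema for this example, not any particular product's.
EVENTS = [
    {"host": "web01", "event": "auth_fail", "user": "admin", "src_ip": "198.51.100.7"},
    {"host": "web01", "event": "auth_fail", "user": "admin", "src_ip": "198.51.100.7"},
    {"host": "web01", "event": "new_service", "name": "updater.exe"},
    {"host": "web01", "event": "outbound_conn", "dst_ip": "203.0.113.9", "dst_port": 4444},
    {"host": "web02", "event": "auth_fail", "user": "admin", "src_ip": "198.51.100.7"},
    {"host": "web02", "event": "outbound_conn", "dst_ip": "203.0.113.9", "dst_port": 4444},
    {"host": "web03", "event": "auth_fail", "user": "admin", "src_ip": "10.0.8.3"},
    {"host": "db01", "event": "auth_fail", "user": "dba", "src_ip": "203.0.113.9"},
]

def search_field(events, field, value):
    """Simple search restricted to one named field (e.g. dst_ip only)."""
    return [e for e in events if e.get(field) == value]

def search_any(events, value):
    """Simple search for a value in any field, for when the analyst does not
    know (or care) whether an address appears as source or destination."""
    return [e for e in events if any(str(v) == str(value) for v in e.values())]

def indicators(event):
    """Break one event into (event type, field, value) indicators, ignoring the host."""
    return {(event["event"], k, v) for k, v in event.items() if k not in ("host", "event")}

def attack_signature(events, compromised_host):
    """Everything observed on a known-compromised host, as a set of indicators."""
    sig = set()
    for e in events:
        if e["host"] == compromised_host:
            sig |= indicators(e)
    return sig

def hosts_like(events, signature, compromised_host, min_hits):
    """The scheduled search: other hosts sharing at least min_hits distinct
    indicators with the compromised host's signature, ranked by overlap."""
    seen = Counter()
    for e in events:
        if e["host"] != compromised_host:
            for ind in indicators(e) & signature:
                seen[(e["host"], ind)] += 1   # keyed per host and indicator, so repeats do not inflate
    hits = Counter(host for host, _ in seen)  # distinct matching indicators per host
    return {h: n for h, n in hits.most_common() if n >= min_hits}

if __name__ == "__main__":
    print(hosts_like(EVENTS, attack_signature(EVENTS, "web01"), "web01", min_hits=2))  # {'web02': 4}
```

Raising min_hits is what keeps a single shared, generic indicator (here web03’s one matching field) from paging an analyst every time the scheduled search runs.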
