There is an old parable about the blind men and an elephant. In this story, each blind man touches a different part of the elephant; one the leg, one the tusks, one the trunk, and so on. Each man then tells the others their perspective of what this beast is. They soon discover that they each have a very different perspective on the elephant and none are in agreement on what it looks like; however, no man is wrong. This parable is the perfect metaphor for SIEM. A SIEM would be an outside party in this story, collecting details from each blind man and drawing a complete picture.
Security Information and Event Management (SIEM) combines two systems, security information management and security event management, into one solution. In most organizations, relevant data about the company’s security is produced in multiple locations; a SIEM collects all of that information in one place and spots trends and patterns that are out of the ordinary.
How Does This Play Into Your Security Strategy?
A SIEM is designed to do a couple of things really well. It takes in data and learns what is “normal” for your specific environment. It then analyzes security data from all of your disparate security components, network traffic, and system logs to see if there is anomalous behavior. Where things get interesting is that these anomalies could come from malware, attempted breaches, or internal bad actors. It takes all the information from each blind man (each siloed security or network component) and uses that information to build a larger picture of what is being seen. Since a SIEM can set a baseline for normal activity, it can even tell when a sales rep starts accessing numerous account records on a Friday at 4:30pm. In this scenario, they may have a new job on Monday and are looking to bring client data with them. The SIEM, based on configured policy, can then notify the appropriate people and save the company from data loss. Another good example is when a known user, with valid credentials, logs in from an anomalous location. If John Smith suddenly logs in from China when he was in the office earlier that day, a notification can trigger, alerting the appropriate personnel. Once we have a picture of an elephant, it becomes easier to tell when one of those same men touches something other than an elephant.
Considerations When Deploying a SIEM
SIEMs can be very powerful tools when deployed and configured correctly. Since a SIEM must know what “normal” looks like in an environment, you have to first train it on what that is. A SIEM relies on alerts to convey critical information. If the SIEM isn’t properly tuned, the alerts will be numerous, less impactful, and often ignored. We saw this happen with the Target breach in 2014. Tuning the SIEM to reduce false positives while retaining a high accuracy of true threat alerts is an important and time-consuming process. Most SIEMs have improved the tuning process, but it can still take a month or more to have the SIEM configured to the admin’s liking. Additionally, a SIEM should be monitored continuously. In some organizations with significant complexity a dedicated security officer may be needed to monitor and tune the SIEM.
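The two detections described above (the sales rep pulling far more records than usual, and a login from a country the user has never used) and the tuning knob that controls how noisy they are, as an added example that is not part of the original post or any SIEM product. The event format, the user `jsmith`, the record counts and the `z_threshold` value are constructed assumptions; a real SIEM would learn the baseline over weeks of parsed logs rather than four days of tuples.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not real logs): (day, user, event type, detail);
# "record_access" detail = number of records read, "login" detail = country code.
EVENTS = [
    ("Mon", "jsmith", "login", "US"), ("Mon", "jsmith", "record_access", 12),
    ("Tue", "jsmith", "login", "US"), ("Tue", "jsmith", "record_access", 15),
    ("Wed", "jsmith", "login", "US"), ("Wed", "jsmith", "record_access", 11),
    ("Thu", "jsmith", "login", "US"), ("Thu", "jsmith", "record_access", 14),
    ("Fri", "jsmith", "login", "US"), ("Fri", "jsmith", "login", "CN"),
    ("Fri", "jsmith", "record_access", 400),
]

def build_baseline(events, baseline_days):
    """Learn 'normal' per user: mean/stddev of daily record reads, seen login countries."""
    counts = defaultdict(lambda: defaultdict(int))  # user -> day -> records read
    countries = defaultdict(set)                    # user -> countries logged in from
    for day, user, kind, detail in events:
        if day not in baseline_days:
            continue
        if kind == "record_access":
            counts[user][day] += detail
        elif kind == "login":
            countries[user].add(detail)
    stats = {u: (mean(d.values()), pstdev(d.values())) for u, d in counts.items()}
    return stats, countries

def detect(events, stats, countries, day, z_threshold=3.0):
    """Compare one day's events against the baseline; z_threshold is the tuning knob."""
    alerts, daily = [], defaultdict(int)
    for d, user, kind, detail in events:
        if d != day:
            continue
        if kind == "login" and detail not in countries.get(user, set()):
            alerts.append((user, "login_from_new_country", detail))
        elif kind == "record_access":
            daily[user] += detail
    for user, total in daily.items():
        avg, sd = stats.get(user, (0.0, 0.0))
        if sd > 0:
            z = (total - avg) / sd
        else:  # flat or missing baseline: any increase is unprecedented
            z = float("inf") if total > avg else 0.0
        if z > z_threshold:
            alerts.append((user, "record_access_volume", total))
    return alerts

def run():
    stats, countries = build_baseline(EVENTS, {"Mon", "Tue", "Wed", "Thu"})
    return detect(EVENTS, stats, countries, "Fri")
```

Lowering `z_threshold` surfaces smaller deviations at the cost of more alerts; raising it is the "tuning" the paragraph above describes, traded against the risk of missing a real exfiltration.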
How the Market is Changing
Traditional SIEMs can be complex to deploy, tune, and manage. Newer SIEM manufacturers are coming to market with more approachable SIEMs. Alienvault is one of the leaders in this new market of SIEMs designed for a smaller generalist IT staff. Concurrently, we are seeing firewall and endpoint protection manufacturers bringing SIEM-like features to their ecosystem. Leaders such as Cisco, Sophos, and Palo Alto Networks are combining correlation data from the firewall, endpoint protection, and network to provide some of the same advantages of a traditional SIEM without having to leverage an outside product. Since you are getting this feature from a single manufacturer, not only does it work better out-of-the-box, but as you continue to purchase elements within their ecosystem you are gaining additional insight and correlation. These feature sets are not yet as robust as a dedicated SIEM, but the market is definitely moving towards a converged security model.
When you only have a small part of the picture, from each separate element of your security infrastructure, it becomes very hard to tell what you are looking at. Is it a tree branch, a pillar, or a rope? A SIEM can correlate all of those descriptions and information and help form a more complete picture and then alert you when it finds something that does not belong.