As security professionals know, log management alone isn’t a solid defense against spear phishing, inside attacks and other malicious acts. Security information and event management (SIEM) software vendors heard users’ frustration with tool limitations and expanded product functionality.
“Log management is not predictive. You’re just logging to manually find anomalies in access and security of data,” says Christopher Wilder, practice leader and senior analyst for cloud services and enterprise software at Moor Insights & Strategy. “The older SIEM solutions were incredibly difficult to use.”
Modern SIEM solutions from HPE, IBM, Intel Security (formerly McAfee), Splunk and others provide real-time monitoring, user behavior analytics, reporting tools and updated application programming interfaces to better integrate with existing security devices such as firewalls. “Now you have broader, more complete SIEM platforms that centrally aggregate security information, validation and management of users, and understand where security risks are coming from,” Wilder says. “You can identify problems before they hit the firewalls and enact policies.”
Increased threat management and stricter compliance needs are driving SIEM deployments. Gartner’s 2015 Magic Quadrant reported market growth of 14 percent, from $1.5 billion in 2014 to $1.69 billion last year.
Doug Cahill, a senior analyst at Enterprise Strategy Group, says SIEM’s automation capabilities appeal to organizations. “There is a fundamental shortage of individuals who have the skill to operate sophisticated security tools, so if you can automate the mundane and repeatable in security, then you gain operational efficiency,” he says. The rise of managed and cloud-based SIEM services also makes the security solutions attractive to small and medium-sized organizations with limited IT staffs that need an added layer of security, he notes.
Here are five real-world examples of how SIEM’s broadened feature sets result in a stronger security and compliance posture across industries.
SIEM’s expansion of functionality beyond log management has been a tremendous benefit for the SF Police Credit Union, a 120-employee, nonprofit financial institution serving first responders and their families in California.
“Before SIEM, log management was a pain and expensive,” says Victor To, director of network security, explaining that logs from core network devices — such as firewalls, intrusion detection and prevention systems, and switches — would have to be backed up and stored individually for seven years. “SIEM takes all that information, de-dupes it, and compiles it into a nice, single database for indexing and searching,” he says.
A past user of McAfee’s Enterprise Security Manager (before McAfee was acquired by Intel), SF Police Credit Union now uses Splunk Enterprise to monitor and correlate incident and event data from core network devices, including servers. Using an established baseline, the SIEM alerts to suspicious activity, such as user access to desktops outside of normal business hours or unauthorized access of ATMs and teller machines.
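The two capabilities described above, de-duplicating forwarded log events and alerting on deviations from a per-user baseline (off-hours desktop logons, service logins to ATM hosts by accounts not on the approved list), can be illustrated with a small correlation routine. The following is an added example, not code from the article, from Splunk, or from SF Police Credit Union; the log format, the host names, the user names and the baseline windows are all constructed for the illustration.

```python
"""Baseline-driven access alerting over constructed log lines.

Added example, not code from the article, Splunk or the credit union.
The log format ("<ISO timestamp> <host> <event> user=<name>") and the
per-user baseline are assumptions made for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Tuple

# Constructed sample logs. The third line is a verbatim duplicate of the
# second, as happens when one event reaches the collector by two paths.
SAMPLE_LOGS = """\
2016-03-07T08:55:12 DESKTOP-17 logon user=jsmith
2016-03-07T12:03:44 DESKTOP-17 logon user=jsmith
2016-03-07T12:03:44 DESKTOP-17 logon user=jsmith
2016-03-07T23:41:09 DESKTOP-22 logon user=jsmith
2016-03-08T02:15:30 ATM-04 service_login user=tech01
2016-03-08T09:10:00 ATM-04 service_login user=contractor9
"""

# Constructed baseline: the local-time window in which each user normally
# logs on, and the accounts approved for service logins on ATM hosts.
BUSINESS_HOURS: Dict[str, Tuple[time, time]] = {
    "jsmith": (time(7, 0), time(19, 0)),
    "tech01": (time(0, 0), time(23, 59, 59)),  # 24x7 on-call technician
}
DEFAULT_HOURS = (time(8, 0), time(18, 0))      # users with no baseline yet
ATM_SERVICE_USERS = {"tech01"}


@dataclass(frozen=True)  # frozen -> hashable, so events can be de-duplicated
class Event:
    ts: datetime
    host: str
    action: str
    user: str


def parse_logs(text: str) -> List[Event]:
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, user_kv = line.split()
        user = user_kv.split("=", 1)[1]
        events.append(Event(datetime.fromisoformat(ts), host, action, user))
    return events


def dedupe(events: List[Event]) -> List[Event]:
    """Drop exact duplicate events while preserving first-seen order."""
    seen = set()
    unique = []
    for e in events:
        if e not in seen:
            seen.add(e)
            unique.append(e)
    return unique


def alerts_for(events: List[Event]) -> List[str]:
    """Compare each unique event with the baseline and return alert strings."""
    alerts = []
    for e in dedupe(events):
        if e.host.startswith("ATM-") and e.action == "service_login":
            if e.user not in ATM_SERVICE_USERS:
                alerts.append(f"unauthorized ATM service login: {e.user} "
                              f"on {e.host} at {e.ts.isoformat()}")
            continue
        if e.action == "logon":
            start, end = BUSINESS_HOURS.get(e.user, DEFAULT_HOURS)
            if not (start <= e.ts.time() <= end):
                alerts.append(f"off-hours logon: {e.user} on {e.host} "
                              f"at {e.ts.isoformat()}")
    return alerts


def run(text: str = SAMPLE_LOGS) -> List[str]:
    return alerts_for(parse_logs(text))


if __name__ == "__main__":
    for alert in run():
        print("ALERT", alert)
```

Run against the sample, the duplicate logon is collapsed, the 23:41 desktop logon falls outside jsmith's window and the contractor's ATM login is flagged, while the on-call technician's 02:15 ATM login is accepted because the baseline covers it. The baseline dictionary is the piece that an operator tunes, as the later comments about upfront rule-setting and false positives describe.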
Splunk Enterprise also satisfies regulations for legal inquiries because it is “write once,” and the data can’t be altered. Individual device logs don’t provide that same assurance, To says.
While he applauds the advances in SIEM tools, he would still like to see more built-in functionality. “I wish SIEM would provide more reporting systems out of the box without needing heavy customization,” he says.
The U.S. Geological Survey has security tools that cover a broad range of needs, including asset management, vulnerability management, patch management, intrusion detection and more. Yet more can be done to protect the science and data produced by the agency, according to Joey Mouton, IT security operations team chief at the U.S. Geological Survey.
“A negative reputation due to a huge security incident could result in a negative impact on funding for scientific projects and research,” Mouton says. “A SIEM solution in USGS should provide the missing piece we need to ensure something like that does not happen.”
While existing security tools work well independently, the agency relies on manpower to correlate information between the tools to determine patterns and perform trend analysis. “Having a SIEM perform these functions should seriously cut down our reaction time to problems that can and typically do turn into security incidents,” Mouton says. “Quicker problem identification tends to mean shorter resolution time frames and fewer resources expended to recover a known good state.”
The biggest challenge Mouton anticipates in deploying SIEM is training. Many vendors profess ease of use with their product, but Mouton says it’s hard to find highly skilled people to operate enterprise tools. For example, skilled staff will be needed when the tool generates alerts about events that haven’t been addressed yet because IT was unaware they were happening.
“You can tune the tool to ignore some things,” Mouton says, but points out that most security professionals want to address all identified problems. “What remains to be seen is whether or not we have the staff needed to handle the workload that a SIEM might create for us,” he says.
When Michael Dent first considered SIEM tools a few years ago, the Fairfax County (Va.) CISO found them to be management-intensive and weak in reporting.
All that has changed with recent SIEM solutions. Dent is deploying Splunk Enterprise to aggregate and analyze data from the county’s firewalls, intrusion detection system, domain controllers, core routers and switches, load balancers and endpoint protection systems. “We are trying to cover as much as we can from a reporting perspective,” he says.
Before, if Dent wanted to comprehend threats coming from across all those points in the network, he had to dedicate staff. Any time there was a security event, a team member sifted through logs and tried to correlate what he found. The manual process took days, but automation will reduce that to hours, he says.
“SIEM allows us to pinpoint the source of an internal or external attack, classify it, and determine a mitigation response such as blocking or quarantining,” Dent says.
The CISO also rolled out a portal so county officials could easily see the cost justification for SIEM in terms of IT time and increased protection.
User education and awareness are no match for the relentless spear phishing attacks targeting employees of the Iron County School District in Utah. As a result, it’s critical to increase network defenses, says Ken Munford, network administrator and systems analyst for the district.
As part of a holistic approach to combatting threats, Munford is evaluating SIEM products. He’s already tested a handful of tools and likes the functionality of Splunk Enterprise.
Munford plans to seek budget approval for the purchase because he sees the benefits of SIEM. In addition to ease of use, SIEM is the logical next step after deploying next-generation firewalls and endpoint protection software. “Bad guys have all the time in the world on their hands, but network administrators do not,” he says. “We need an automated approach to security.”
Post-purchase, Munford anticipates having to do some upfront work to properly define threats and avoid false positives, but says the efforts will be worth it. “We have personal information we have to protect, and I’m never going to know as much as the experts at the vendors,” he notes.
At Seton Hill University, all 3,000 students are given an Apple MacBook and iPad, and many bring other devices, such as smartphones and gaming consoles, with them to campus. To combat the inherent threats in so many connected devices, the information security team at the Greensburg, Pa., institution uses SIEM as an important layer of defense and a critical investigation tool.
A longtime user of IBM’s QRadar SIEM software, Information Security Officer Stacy Moore appreciates the technology’s evolution. “What’s coming into the tool now is different than it was eight or nine years ago,” she says. “It’s not just a log aggregator anymore.”
Brian Dawson, director of systems and networks, says the information security team tries to send as much data as possible to the SIEM tool. The centralization, he says, is essential for hunting down problems. For instance, SIEM gives Dawson real-time network visibility when a server is being attacked, which helps with mitigation.
Moore acknowledges that SIEM requires upfront work, including setting rules and event identifiers, to achieve maximum effectiveness. “Every minute hundreds of alerts go into this tool, so you need to allocate staff to fully focus on and manage SIEM to avoid false positives,” she says.