Analytics // Security Monitoring
10/18/2013
08:03 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Next Generation Of SIEMs? Ease Of Use, Analyze More Data

Companies looking for better SIEM tools do not require more technology, but systems that can quickly become operational and useful

The next generation of security information and event management (SIEM) systems will inevitably include new features, but security companies are currently focused on solving their customers' problems in managing and operating the current crop of products.

While SIEM systems have been around for more than decade, companies continue to have trouble deploying and maintaining the systems. More than half of businesses need at least a pair of full-time analysts to operate the systems, while 44 percent required more than a few weeks to deploy their SIEM systems, according to a survey by security management firm EiQ Networks.

Those problems have made creating an easy-to-use SIEM system the most requested feature for the future, says Nicole Pauls, director of product management for IT management firm SolarWinds.

"We are trying to adapt to an evolving threat space, and it does not require that we cobble together new tools," she says. "What it really requires is that we make the tools better, so we can adapt to the threat space faster."

With security experts recommending that companies continuously monitor their networks to gain better visibility into potential threats, more businesses are considering SIEM systems or have already embarked on network-monitoring projects. No wonder: The deployment of security-intelligence systems continues to be the top strategy for reducing the costs of a breach, correlating with a $4 million reduction in breach costs, according to the Ponemon Institute's Cost of Cybercrime study released this month.

Yet SIEM deployments are difficult. The complexity of integrating a variety of different data feeds requires knowledgeable security analysts. Add to that the problems in getting all of the necessary stakeholders in a company to cooperate, and plenty of SIEM projects have stalled, says Mark Nicolett, managing vice president of network security for business intelligence firm Gartner. Unfortunately, vendors typically tow a marketing line of easy deployment, rather than frankly discuss the difficulties of deploying the analysis environment.

"I don't think it is possible to ask the vendor the right set of questions to determine how difficult the deployment is going to be," Nicolett says, adding that -- without easier deployments -- adding more features is a nonstarter. "It is all fun to talk about what is coming next, but if it is not operational useful, who cares?"

[A high rate of false positives is a problem that affects many types of security systems, but a few proactive steps can help cut them down to size. See 3 Steps To Keep Down Security's False-Positive Workload.]

While the marketing lines for most security intelligence product makers may not change, executives know they must tame the unruly learning curves of their SIEM products or risk falling behind in the market.

"There is still a lot of the vision of SIEM that has yet to be realized -- things like behavioral analysis and better correlation of events," SolarWinds' Paul says. "We need to give customers better analysis out of the box."

To deliver better analysis, SIEM vendors and service providers are aiming to allow companies to easily incorporate more data, threat-intelligence feeds, and other information into the SIEM systems. Yet the products also have to take into account the context of the data and the risks that a company faces, says Vijay Basani, president and CEO of EiQ Networks, a security management services provider.

"We can take gobs of data and spit out lots of information, but we don't know what is important for your company," he says. "I think that is going to change very dramatically. Approaches like focusing on best practices will help companies focus on the right questions."

A large part of the move to incorporating more data in future SIEM offerings is pairing the appliances and services with a threat-intelligence feed. A number of vendors have launched threat information sharing exchanges and forums where security experts can work together on the analysis. AlienVault has the Open Threat Exchange, CyberSquared has developed Threat Connect, and HP recently announced Threat Central. The services combine malware analysis and open-source intelligence tools with social networking and crowdsourced analysis to create a virtual space for learning about the latest threats.

Whether Balkanized analysis environments will deliver the features needed to fuel better SIEM products is another question. Eric Schou, director of product marketing for enterprise security products at HP, believes the crowdsourced model will work because it gives each participant more value than they typically put in.

"If there isn't that value, and if they don't feel like it improves their security posture, then they won't take part," Schou says.

Yet the crowdsourced model and a mountain of threat data may not improve the effectiveness of SIEMs, warns Gartner's Nicolett. More data is not necessarily a good thing when you cannot even properly analyze what you have, he says.

"We are not suffering from a lack of data," Nicolett says. "We are suffering from a lack of intelligence in analyzing it."

If next-generation products can deliver that combination of intelligence and usability, only then will companies benefit.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mharrison392
50%
50%
mharrison392,
User Rank: Apprentice
10/22/2013 | 8:42:50 PM
re: Next Generation Of SIEMs? Ease Of Use, Analyze More Data
I don't think I want a plug and play SIEM solution. The complexity of all the interconnected parts in unique environments is not something that I am comfortable with a SIEM understanding. It is important that someone in the organization understand how these pieces work together whether a SIEM is implemented or not.

A SIEM solution is a TOOL. It makes the job easier, but it's still a hard job. Knowledge is still required. They used computers in 1969 to put a man on the moon. The people designing the systems and working at mission control still had to know the pieces and parts. They still had to know what they were doing.

The problem is that most people want to purchase a solution that they can install and forget. A SIEM takes care and feeding on a regular basis. A properly installed and configured SIEM requires tuning regularly. However, most SIEM implementations I've seen have had the proverbial "kitchen sink" worth of logs thrown at them day one or week one. It takes time to do this properly. You have to add one feed at a time and spend some time getting to know it and tuning it, then move on to the next log feed.

I believe you could make the argument that anyone wanting a plug a play SIEM should outsource their security operations. The fact of the matter is that real, effective security requires knowledgeable, dedicated, warm bodies. Most organizations are unwilling to accept that.
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
10/21/2013 | 11:09:31 PM
re: Next Generation Of SIEMs? Ease Of Use, Analyze More Data
You'd think after this long in the market, SIEMs would have become easier to use. Although, as the story notes, the marketing line with SIEMS has always been the opposite.
AccessServices
50%
50%
AccessServices,
User Rank: Apprentice
10/21/2013 | 12:28:10 PM
re: Next Generation Of SIEMs? Ease Of Use, Analyze More Data
From someone that has lived and worked in the trenches, I agree with Robert. SIEMs are complicated beasts. They capture data from multiple devices so the person setting up the rules needs to understand the relationship between databases, networks, web servers, load balancers, firewalls, AD, etc.... The biggest problem I've seen is training. Companies will purchase a nice vehicle to move a company forward and then won't pay to teach one of two employees how to drive it. Then when it crashes, blame the IT group.

Even if the SIEM is just capturing the data, a company has made progress. The forensic and troubleshooting capabilities are significant. There have been several times when I've solved issues by going to an "unused SIEM" or logging device. For what to correlate, the SANS Institute has written several papers on what to look for.

Jeff Jones
Abacus Solutions
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-0460
Published: 2014-04-16
The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map.

CVE-2011-0993
Published: 2014-04-16
SUSE Lifecycle Management Server before 1.1 uses world readable postgres credentials, which allows local users to obtain sensitive information via unspecified vectors.

CVE-2011-3180
Published: 2014-04-16
kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in the path of an overlay file, related to chown.

CVE-2011-4089
Published: 2014-04-16
The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

CVE-2011-4192
Published: 2014-04-16
kiwi before 4.85.1, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands as demonstrated by "double quotes in kiwi_oemtitle of .profile."

Best of the Web