12/16/2013

Moving Beyond SIEM For Strong Security Analytics

SIEM still a useful tool for infosec, but many argue it shouldn't be the main platform for analytics programs

While security information and event management (SIEM) tools have certainly helped many an enterprise IT organization get a better handle on aggregating and analyzing logs across disparate security tools, these organizations are starting to butt up against the limitations of SIEM. And as enterprises seek more insight into the business trends and user activity that affect their security posture, they are finding that they shouldn't mistake the use of SIEM for the existence of a security analytics practice.

"I think SIEM is a starting point for security analytics, but only a starting point," says Ed Bellis, CEO of Risk I/O.

SIEM gained steam as the tool of choice for teams seeking to sift through real-time event information to respond more quickly to security problems, says Geoff Webb, director of solution strategy for NetIQ, but he notes that during the past few years security teams have struggled to get more value out of their SIEM deployments and that the reputation of these platforms has started to creak.


"Part of that is deserved -- vendors sold it as security nirvana, whereas the reality is very different: It's a good tool and, like all good tools, needs to be used appropriately and for the right job," he says.

Part of the difficulty with SIEM has been the increasing security "noise" and the growing complexity of the systems feeding into it.

"The problem is that as more and more security and monitoring tools have been brought online, the amount of raw noise that must be dealt with by the SIEM tool has grown, too," he says. "Worse, the infrastructure has become more and more complex, especially as virtualized devices become the norm, which contributes to an increasingly chaotic and noisy environment -- perfect for attackers, [but] terrible for the security team trying to piece together what's going on."

More detrimental to a fully featured analytics practice, though, is SIEM's limited range of analysis, Bellis says.

"SIEMs weren't originally designed to consume much more than syslog or netflow information with a few exceptions around configuration or vulnerability assessment," he says. "Security analytics is more than just big data -- it's also diverse data. This causes serious technical architectural limitations that aren't easy to overcome with just SIEM."

For example, SIEM can't account for data sources such as financial data that could help with fraud detection, human resources information, metadata about the business, or sentiment data from sources like social media. These kinds of sources external to security can prove crucial in pinpointing business risks that require contextual clues to spot.

"Security analytics needs to include big-picture thinking -- integration of the meanings and interactions of signals, not just the raw reduction of streams of events," says Mike Lloyd, CTO of RedSeal Networks.

As a result, organizations must first recognize that security analytics requires more computational power and start budgeting accordingly. If acquiring additional funds is an issue, then the security organization can get started through creative collaboration with other departments, Bellis says.

"I think security analytics goes beyond SIEM and your SIEM budget," he says. "There are great ways to jump-start your security analytics program within a company by leveraging existing resources. Many organizations already have data analytics and business intelligence teams. These groups can be a CISO's friend when building out a security analytics capability by leveraging both talent and tools."

In addition, they may already have the underlying big data infrastructure necessary for security analytics up and running, including data warehouses or NoSQL environments, which the organization may be able to leverage for information security purposes. The point, says Bellis, is that repurposing existing investments made elsewhere can make it possible to kick analytics into gear without a huge additional budget.

"In the past I've repurposed ClickStream tools being used for Web analytics and customer service to identify security issues in near real-time," he says. "Making do with what you have can go a long way before expanding to a more complete security analytics platform."
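An added illustration of the "diverse data" point and of the clickstream repurposing Bellis describes (example code written for this page, not from the article or any vendor it mentions): it joins a constructed web clickstream feed with a constructed HR roster and an assumed path-ownership policy, surfacing findings that the raw event stream alone, as a SIEM would see it, cannot produce.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the article): a web clickstream feed
# repurposed as a security signal, plus an HR roster as business context.
CLICKSTREAM = [
    # (day, user, client_ip, path)
    ("2013-12-16", "alice", "10.1.4.20", "/orders/export"),
    ("2013-12-16", "bob",   "10.1.4.21", "/orders/export"),
    ("2013-12-16", "carol", "10.1.9.7",  "/reports/payroll"),
    ("2013-12-16", "dave",  "10.1.9.8",  "/home"),
    ("2013-12-16", "alice", "10.1.4.20", "/reports/payroll"),
]
HR_ROSTER = {
    # user -> (department, status, separation date or None)
    "alice": ("sales",   "active",     None),
    "bob":   ("sales",   "terminated", "2013-12-01"),
    "carol": ("finance", "active",     None),
    # "dave" is absent on purpose: a contractor or orphaned account
}
# Assumed policy: which business functions are expected to touch which paths.
PATH_OWNERS = {
    "/orders/export":   {"sales", "support"},
    "/reports/payroll": {"finance", "hr"},
}

@dataclass(frozen=True)
class Finding:
    user: str
    path: str
    reason: str

def enrich_and_flag(events, roster, path_owners):
    """Join each event with HR context and return contextual findings."""
    findings = []
    for day, user, _ip, path in events:
        ctx = roster.get(user)
        if ctx is None:
            # An account with no HR record is itself a finding, not a gap to skip.
            findings.append(Finding(user, path, "no HR record for account"))
            continue
        dept, status, sep = ctx
        if status == "terminated" and sep and date.fromisoformat(day) >= date.fromisoformat(sep):
            findings.append(Finding(user, path, f"activity after separation on {sep}"))
        owners = path_owners.get(path)
        if owners and dept not in owners:
            findings.append(Finding(user, path, f"{dept} used {path}, owned by {sorted(owners)}"))
    return findings
```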

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
