Analytics
12/16/2013
07:44 PM

Moving Beyond SIEM For Strong Security Analytics

SIEM still a useful tool for infosec, but many argue it shouldn't be the main platform for analytics programs

While security information and event management (SIEM) tools have certainly helped many an enterprise IT organization get a better handle on aggregating and analyzing logs across disparate security tools, these organizations are starting to run up against the limitations of SIEM. And as enterprises seek more insight into the business trends and user activity that affect their security posture, they are finding that they should not mistake the use of a SIEM for the existence of a security analytics practice.

"I think SIEM is a starting point for security analytics, but only a starting point," says Ed Bellis, CEO of Risk I/O.

SIEM gained steam as the tool of choice for teams seeking to sift through real-time event information and respond to security problems more quickly, says Geoff Webb, director of solution strategy for NetIQ. But he notes that during the past few years security teams have struggled to get more value out of their SIEM deployments, and that the reputation of these platforms has started to creak.


"Part of that is deserved -- vendors sold it as security nirvana, whereas the reality is very different: It's a good tool and, like all good tools, needs to be used appropriately and for the right job," he says.

Part of the difficulty with SIEM has been the growth in security "noise" and the increasing complexity of the systems feeding into it.

"The problem is that as more and more security and monitoring tools have been brought online, the amount of raw noise that must be dealt with by the SIEM tool has grown, too," he says. "Worse, the infrastructure has become more and more complex, especially as virtualized devices become the norm, which contributes to an increasingly chaotic and noisy environment -- perfect for attackers, [but] terrible for the security team trying to piece together what's going on."

More detrimental to a fully featured analytics practice, though, is the narrow range of data a SIEM can take in and analyze, Bellis says.

"SIEMs weren't originally designed to consume much more than syslog or netflow information with a few exceptions around configuration or vulnerability assessment," he says. "Security analytics is more than just big data -- it's also diverse data. This causes serious technical architectural limitations that aren't easy to overcome with just SIEM."

For example, a SIEM cannot readily consume data sources such as financial data that could help with fraud detection, human resources information, metadata about the business, or sentiment data from sources like social media. Sources like these, external to the security stack, can prove crucial in pinpointing business risks that can only be spotted with contextual clues.
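As an added illustration of the point above (this is not code from the article or from any of the vendors it quotes), the following Python sketch joins SSH authentication events with an HR roster and an IP-to-country table, two sources a syslog-only SIEM would not have. The log lines, roster, country lookup, and alert names are all constructed sample data and assumptions.

```python
"""Correlating auth logs with HR context (added example, constructed data).

A SIEM fed only syslog cannot know that an account belongs to someone who left
the company last week, or that a user is based in a different country from the
one they are logging in from. Joining the auth log against HR data can.
"""
import re
from datetime import date, datetime

# Constructed sample: sshd-style syslog lines, not captured from any real host.
AUTH_LOG = """\
Dec 16 09:12:01 bastion01 sshd[4123]: Accepted publickey for alice from 10.1.4.22 port 52114 ssh2
Dec 16 09:15:44 bastion01 sshd[4130]: Accepted password for bob from 203.0.113.8 port 41002 ssh2
Dec 16 11:02:10 bastion01 sshd[4201]: Failed password for carol from 198.51.100.7 port 33001 ssh2
Dec 16 23:41:09 bastion01 sshd[4388]: Accepted publickey for carol from 198.51.100.7 port 33010 ssh2
"""

# Constructed HR roster (assumed export shape): username -> employment context.
HR_ROSTER = {
    "alice": {"terminated": None, "country": "US"},
    "bob": {"terminated": date(2013, 12, 10), "country": "US"},
    "carol": {"terminated": None, "country": "DE"},
}

# Constructed stand-in for a GeoIP lookup.
IP_COUNTRY = {"10.1.4.22": "US", "203.0.113.8": "US", "198.51.100.7": "BR"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2013):
    """Parse sshd Accepted/Failed lines. Syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "user": m["user"], "ip": m["ip"], "result": m["result"]})
    return events


def find_context_alerts(events):
    """Flag successful logins that only look wrong once HR and geo data are joined in."""
    alerts = []
    for ev in events:
        if ev["result"] != "Accepted":
            continue  # failed attempts are handled by ordinary brute-force rules
        hr = HR_ROSTER.get(ev["user"])
        if hr is None:
            # Account with no HR record: could be a service account or a rogue one.
            alerts.append((ev["user"], "unknown_to_hr"))
            continue
        if hr["terminated"] and ev["ts"].date() > hr["terminated"]:
            alerts.append((ev["user"], "login_after_termination"))
        src_country = IP_COUNTRY.get(ev["ip"])
        if src_country and src_country != hr["country"]:
            alerts.append((ev["user"], "login_from_foreign_country"))
    return alerts


if __name__ == "__main__":
    for user, reason in find_context_alerts(parse_auth_log(AUTH_LOG)):
        print(f"{user}: {reason}")
```

Neither alert is expressible from the syslog lines alone: the "bob" login is a perfectly normal successful authentication until the HR termination date is joined in, and the "carol" login is only suspicious relative to her home country on record. In practice the `unknown_to_hr` path needs an allowlist of service accounts, or it becomes the noise the article warns about.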

"Security analytics needs to include big-picture thinking -- integration of the meanings and interactions of signals, not just the raw reduction of streams of events," says Mike Lloyd, CTO of RedSeal Networks.

As a result, organizations must first recognize that security analytics requires more computational power and start budgeting accordingly. If acquiring additional funds is an issue, then the security organization can get started through creative collaboration with other departments, Bellis says.

"I think security analytics goes beyond SIEM and your SIEM budget," he says. "There are great ways to jump-start your security analytics program within a company by leveraging existing resources. Many organizations already have data analytics and business intelligence teams. These groups can be a CISO's friend when building out a security analytics capability by leveraging both talent and tools."

In addition, those teams may already have the underlying big data infrastructure that security analytics needs up and running, including data warehouses or NoSQL environments, which the organization may be able to leverage for information security purposes. The point, says Bellis, is that repurposing investments already made elsewhere can make it possible to kick analytics into gear without a large additional budget.

"In the past I've repurposed ClickStream tools being used for Web analytics and customer service to identify security issues in near real-time," he says. "Making do with what you have can go a long way before expanding to a more complete security analytics platform."
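To make the repurposing idea concrete, here is an added example of what two security detections over an existing web clickstream feed could look like. It is not Bellis's code and not from the article; the CSV export shape, the sample rows, and the thresholds are all assumptions, and the data is constructed.

```python
"""Security detections over a web clickstream export (added example).

Web analytics and customer-service teams already record every request a
visitor makes. The same records can surface credential stuffing (one source
trying many usernames at the login form) and account enumeration (one session
walking account IDs in order) without any SIEM involvement.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed clickstream export. Assumed columns: ts,ip,session,user,path,status
# (for POST /login rows, `user` is the username that was attempted).
CLICKSTREAM = """\
ts,ip,session,user,path,status
2013-12-16T10:00:01,198.51.100.9,s1,amy,/login,401
2013-12-16T10:00:02,198.51.100.9,s1,ben,/login,401
2013-12-16T10:00:02,198.51.100.9,s1,cho,/login,401
2013-12-16T10:00:03,198.51.100.9,s1,dan,/login,401
2013-12-16T10:00:04,198.51.100.9,s1,eve,/login,401
2013-12-16T10:00:05,198.51.100.9,s1,fay,/login,401
2013-12-16T10:01:10,10.0.0.5,s2,alice,/login,401
2013-12-16T10:01:20,10.0.0.5,s2,alice,/login,200
2013-12-16T10:01:25,10.0.0.5,s2,alice,/account/1042,200
2013-12-16T10:03:00,203.0.113.44,s3,mallory,/account/2001,200
2013-12-16T10:03:01,203.0.113.44,s3,mallory,/account/2002,200
2013-12-16T10:03:02,203.0.113.44,s3,mallory,/account/2003,200
2013-12-16T10:03:03,203.0.113.44,s3,mallory,/account/2004,200
2013-12-16T10:03:04,203.0.113.44,s3,mallory,/account/2005,200
2013-12-16T10:03:05,203.0.113.44,s3,mallory,/account/2006,200
"""

ACCOUNT_RE = re.compile(r"^/account/(\d+)$")


def load_clickstream(text):
    """Parse the CSV export into row dicts with typed timestamp and status."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        row["status"] = int(row["status"])
        rows.append(row)
    return rows


def detect_credential_stuffing(rows, window=timedelta(seconds=60), min_users=5):
    """Alert on any IP that fails /login for >= min_users distinct usernames within `window`.

    A single user mistyping a password fails repeatedly with ONE username; a
    credential-stuffing list fails with many. Uses a sliding time window per IP.
    """
    by_ip = defaultdict(list)
    for r in rows:
        if r["path"] == "/login" and r["status"] == 401:
            by_ip[r["ip"]].append(r)
    alerts = []
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda r: r["ts"])
        peak, start = 0, 0
        for end, cur in enumerate(attempts):
            while cur["ts"] - attempts[start]["ts"] > window:
                start += 1  # slide the window forward
            peak = max(peak, len({r["user"] for r in attempts[start:end + 1]}))
        if peak >= min_users:
            alerts.append((ip, peak))
    return alerts


def detect_account_enumeration(rows, min_run=5):
    """Alert on a session that requests consecutive /account/<id> paths >= min_run times in a row."""
    by_session = defaultdict(list)
    for r in rows:
        m = ACCOUNT_RE.match(r["path"])
        if m:
            by_session[r["session"]].append((r["ts"], int(m.group(1))))
    alerts = []
    for session, hits in by_session.items():
        hits.sort()  # by timestamp, then id
        run = best = 1
        for (_, prev_id), (_, cur_id) in zip(hits, hits[1:]):
            run = run + 1 if cur_id == prev_id + 1 else 1
            best = max(best, run)
        if best >= min_run:
            alerts.append((session, best))
    return alerts


if __name__ == "__main__":
    data = load_clickstream(CLICKSTREAM)
    print("credential stuffing:", detect_credential_stuffing(data))
    print("account enumeration:", detect_account_enumeration(data))
```

Both detections key on fields the analytics pipeline already keeps for business reasons (source IP, session, path), which is why this can run on the existing platform before a dedicated security analytics stack exists. The thresholds are deliberately conservative starting points; a real deployment would tune them against the site's normal traffic and add an allowlist for known scanners and partners.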

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
