
12/16/2013
07:44 PM

Moving Beyond SIEM For Strong Security Analytics

SIEM still a useful tool for infosec, but many argue it shouldn't be the main platform for analytics programs

While security information and event management (SIEM) tools have certainly helped many an enterprise IT organization get a better handle on aggregating and analyzing logs across disparate security tools, these organizations are starting to butt up against the limitations of SIEM. And as enterprises seek more insight into the business trends and user activity that affect their security posture, they're finding that they shouldn't mistake the use of a SIEM for the existence of a security analytics practice.

"I think SIEM is a starting point for security analytics, but only a starting point," says Ed Bellis, CEO of Risk I/O.

SIEM gained steam as the tool of choice for teams seeking to sift through real-time event information to respond more quickly to security problems, says Geoff Webb, director of solution strategy for NetIQ, but he notes that during the past few years security teams have struggled to get more value out of their SIEM deployments and that the reputation of these platforms has started to creak.

[Are you using your human sensors? See Using The Human Perimeter To Detect Outside Attacks.]

"Part of that is deserved -- vendors sold it as security nirvana, whereas the reality is very different: It's a good tool and, like all good tools, needs to be used appropriately and for the right job," he says.

Part of the difficulty with SIEM has been the growth in security "noise" and the increasing complexity of the systems feeding into it.

"The problem is that as more and more security and monitoring tools have been brought online, the amount of raw noise that must be dealt with by the SIEM tool has grown, too," he says. "Worse, the infrastructure has become more and more complex, especially as virtualized devices become the norm, which contributes to an increasingly chaotic and noisy environment -- perfect for attackers, [but] terrible for the security team trying to piece together what's going on."

More detrimental to a fully featured analytics practice, though, is SIEM's narrow analysis range, Bellis says.

"SIEMs weren't originally designed to consume much more than syslog or netflow information with a few exceptions around configuration or vulnerability assessment," he says. "Security analytics is more than just big data -- it's also diverse data. This causes serious technical architectural limitations that aren't easy to overcome with just SIEM."

For example, SIEM can't account for data sources such as financial data that could help with fraud detection, human resources information, metadata about the business, or sentiment data from sources like social media. These kinds of sources, external to the security function, can prove crucial in pinpointing business risks that require contextual clues to spot: an HR record that says an account's owner left the company last week changes the meaning of an otherwise ordinary successful login.

"Security analytics needs to include big-picture thinking -- integration of the meanings and interactions of signals, not just the raw reduction of streams of events," says Mike Lloyd, CTO of RedSeal Networks.

As a result, organizations must first recognize that security analytics requires more computational power and start budgeting accordingly. If acquiring additional funds is an issue, then the security organization can get started through creative collaboration with other departments, Bellis says.

"I think security analytics goes beyond SIEM and your SIEM budget," he says. "There are great ways to jump-start your security analytics program within a company by leveraging existing resources. Many organizations already have data analytics and business intelligence teams. These groups can be a CISO's friend when building out a security analytics capability by leveraging both talent and tools."

In addition, those teams may already have the underlying big data infrastructure necessary for security analytics up and running, including data warehouses or NoSQL environments, which the organization may be able to leverage for information security purposes. The point, says Bellis, is that repurposing investments made elsewhere can make it possible to kick analytics into gear without a large additional budget.

"In the past I've repurposed ClickStream tools being used for Web analytics and customer service to identify security issues in near real-time," he says. "Making do with what you have can go a long ways before expanding to a more complete security analytics platform."
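The two ideas above, joining security events with non-security context (the HR and business data Bellis describes) and mining a repurposed clickstream feed for security signal, can be shown concretely. The following is an added example written for this page, not code from Risk I/O, NetIQ, RedSeal or Dark Reading. All three inputs are constructed: a few sshd syslog lines, a small HR status export, and a web clickstream export in the shape a Web analytics team might hand over. The year used to parse the syslog timestamps, the `/customers/` URL prefix, and the ten-records-per-minute threshold are assumptions for the sample.

```python
"""Context-enriched detection over constructed sample data.

Joins three feeds that a SIEM consuming only syslog would not see together:
  * sshd "Accepted" lines (syslog)      -> who logged in, from where, how
  * an HR status export (CSV)           -> who should still have access
  * a web clickstream export (CSV)      -> what each session did on the site
Every input below is constructed for this example.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2013  # syslog lines carry no year; assumed for the constructed sample

AUTH_LOG = """\
Dec 16 08:01:12 vpn01 sshd[2101]: Accepted publickey for jsmith from 203.0.113.5 port 51022 ssh2
Dec 16 08:05:40 vpn01 sshd[2144]: Accepted password for rlee from 198.51.100.9 port 40112 ssh2
Dec 16 09:17:03 vpn01 sshd[2310]: Failed password for rlee from 198.51.100.9 port 40190 ssh2
Dec 17 22:48:55 vpn01 sshd[2877]: Accepted password for dkim from 192.0.2.77 port 60233 ssh2
"""

HR_CSV = """\
user,status,termination_date
jsmith,active,
rlee,active,
dkim,terminated,2013-12-10
"""

# Constructed clickstream: jsmith browses normally; rlee pulls twelve customer
# records in twelve seconds, the kind of enumeration a Web analytics tool already sees.
CLICKSTREAM_CSV = "session,user,timestamp,path\n" + "\n".join(
    ["s1,jsmith,2013-12-16T08:02:00,/home", "s1,jsmith,2013-12-16T08:02:30,/orders/77"]
    + [f"s2,rlee,2013-12-16T08:06:{i:02d},/customers/{1000 + i}" for i in range(12)]
) + "\n"

AUTH_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_auth_log(text):
    """Return successful-login events; failures and other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "user": m["user"],
                       "ip": m["ip"], "method": m["method"]})
    return events


def load_hr(text):
    """HR export keyed by username."""
    return {row["user"]: row for row in csv.DictReader(io.StringIO(text))}


def logins_by_terminated_users(events, hr):
    """Logins that are unremarkable on their own but wrong given HR context."""
    alerts = []
    for e in events:
        rec = hr.get(e["user"])
        if rec is None:
            alerts.append((e["user"], e["ts"], "account unknown to HR"))
        elif rec["status"] == "terminated":
            terminated = datetime.strptime(rec["termination_date"], "%Y-%m-%d")
            if e["ts"] >= terminated:
                alerts.append((e["user"], e["ts"], f"terminated {rec['termination_date']}"))
    return alerts


def enumeration_sessions(text, prefix="/customers/", window=timedelta(minutes=1), threshold=10):
    """Sessions fetching >= threshold distinct records under prefix inside one window."""
    by_session = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        if row["path"].startswith(prefix):
            by_session[row["session"]].append(
                (datetime.fromisoformat(row["timestamp"]), row["path"], row["user"]))
    flagged = {}
    for sess, hits in by_session.items():
        hits.sort()
        for i, (start, _, user) in enumerate(hits):
            distinct = {p for t, p, _ in hits[i:] if t - start <= window}
            if len(distinct) >= threshold:
                flagged[sess] = {"user": user, "count": len(distinct)}
                break
    return flagged


def correlate(flagged, events):
    """Attach the most recent accepted login to each flagged session's user."""
    out = {}
    for sess, info in flagged.items():
        logins = [e for e in events if e["user"] == info["user"]]
        latest = max(logins, key=lambda e: e["ts"]) if logins else None
        out[sess] = dict(info, login_ip=latest["ip"] if latest else None,
                         login_method=latest["method"] if latest else None)
    return out


if __name__ == "__main__":
    events = parse_auth_log(AUTH_LOG)
    print(logins_by_terminated_users(events, load_hr(HR_CSV)))
    print(correlate(enumeration_sessions(CLICKSTREAM_CSV), events))
```

Run stand-alone, the script reports dkim's login on Dec 17 (a week after HR's termination date) and session s2, in which rlee, who authenticated by password from 198.51.100.9, walked twelve customer records in under a minute. Neither finding needs a new platform: the first is a join against a CSV the HR team already produces, the second is the same per-session aggregation a Web analytics tool already computes, pointed at a security question.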

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments

markgrogan, User Rank: Apprentice
7/9/2018 | 4:20:33 AM
hi
The progress of the industry happens when a business or end user realises that they can do something better about something and does what he or she needs to do to make it happen! Honestly speaking, if we all just sat back and complained about how many limitations a certain piece of software had for us while waiting for someone else to build a better product, we would still be living in the stone ages.