Practitioners Detail Evolution Of SIEM Deployments

SAN FRANCISCO -- RSA Conference 2011 -- As organizations embark on new installations of security information and event management (SIEM) systems, they'll need to remember that the use of SIEM is more of a growing process of evolution rather than a straight deployment, two experts told a crowded session at RSA this week.

Ben Murphy of Gladiator Technology, a government integrator, and Bradford Nelson of an unnamed but large federal agency each doled out advice based on their experience with years-long SIEM installations. Nelson explained to the audience that the typical deployment follows a three-stage time line that starts with infancy, then moves onto growth, and then, hopefully, blossoms into maturity.

The infancy stage starts with the compliance-focused checkbox mentality and is mainly concerned with the security information management elements of SIEM, primarily collecting logs for audit purposes. Nelson estimates that about 80 percent of the industry is stuck in this compliance-centric grind.

"Typically you see a lot of organizations stay in this stage, unfortunately, just due to manpower or loss of sponsorship," he said of the infancy stage.

He recommends that organizations ideally spend about six months in this stage of deployment. Any more and they don't get enough out of the tools they've spent so much to install, and any less and they risk a project disaster.

"Keep the bar low at the beginning; just get that information in there and get your baseline," he said. "If you try to blow it up all at once at the beginning with the threat and anomoly detection and threat analysis and response, you're going to fail."

Moving into the growth stage is when organizations begin to utilize the security event management aspect of SIEM, utilizing real-time monitoring.

"One of the core capabilities of SIEM and the whole point of having it is to add context to data and make it available and actionable," Nelson said, explaining that to get there organizations must work on identity and network modeling, which can take some time and be a manual process.

Organizations that truly evolve to the mature stage are those that are able to streamline SIEM analysis into IT operations processes so that security is part of the overall IT framework.

"This is where security is operationalized," Nelson said.

In this stage organizations are taking advantage of external security feeds, have tackled onboarding processes, are analyzing business behavior, and are truly utilizing business context to make decisions.

According to Murphy, to get from infancy to maturity it is critical that organizations remember that threat prioritization is key.

"You might have a lot more usable information coming at you than you initially expect; it could be hundreds of things per hour that need to be looked at and addressed in some fashion," he said. "So it is important that there's a really strong prioritization algorithm in place."

He explains that the high-medium-low severity prioritization doesn't scale well in large organizations. The method he uses takes into account not only severity, but also the age of the risk and the prioritization category it falls in as it relates to the application and the business.

"High-medium-low is not a really very scalable methodology for prioritizing severity," he said. "That doesn't really play well when you're trying to figure out if a high severity threat yesterday is more than a low severity one that happened a long time ago."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.