SIEM Meets Business Intelligence

While many organizations still may be collecting and analyzing logs only to comply with regulations, there's a groundswell of security-minded SIEM adopters that are beginning to also use these tools to help direct them in their business decisions.

But in order to make that a reality across the industry, many security vendors, analysts, and end users believe that the information security world must move security information and event management (SIEM) more towards a business intelligence (BI) mindset. While some security gurus do wonder how much true business intelligence-influenced SIEM can offer their organizations beyond technical decision metrics, many practitioners and vendors have already started leaning in that direction.

"[Security monitoring] is going toward the direction more of data mining," says Scott Crawford, an analyst for Enterprise Management Associates. "Security is beginning to have more in common with things like data management and business intelligence of the past; we're looking for specific things in the mass of data that we have. So we're beginning to see a similar sort of focus on our own big data problems in security that are directly analogous to what BI is to other aspects of the business. I think we'll probably see more people who are knowledgeable about BI apply themselves to security data--we've already seen indications in this direction."

According to many practitioners seeking to make the most out of their security data, the shift toward BI is a natural one for security experts. For example, before he started up his security and information gathering service and consulting firm, Tactical Intelligence, Shane MacDougall worked as a security executive for an identity theft company, responsible for monitoring logs across the infrastructure all by his lonesome. He says that to deal with the volume of data, he had to essentially turn his team into a BI unit.

"I quickly realized that the sheer amount of data I needed to review on a daily basis in near-realtime was unsustainable, so I decided to approach this from a BI point of view. The attackers were my competitors, so what techniques could I use to more efficiently profile them?" says MacDougall, who is principal partner at his current firm. "I've always had a foot in the BI world, having done many corporate information gathering projects, so making the jump was not difficult for me. But to be honest, it really shouldn't be that big of a leap for most infosec people."

His partner at Tactical Intelligence agrees that information security pros should find the business intelligence approach natural. "I would say that infosec trained personnel are uniquely positioned in the enterprise to be an invaluable resource because what they already do is directly applicable to mining data, and creating correlation from the seeming chaos of a multitude of information stores," says Jay James, principal partner at Tactical Intelligence.

Dr. Richard White, CISO for the U.S. Capitol Police, also concurs, stating that SIEM is already a form of BI in its own right.

"Business intelligence is really about deciding how to steer a company based on existing revenue analysis, cost projections and the like," says White, whose organization has been utilizing a centralized SIEM console from Q1 Labs for three years to deliver the same decision-making information for his security actions. "On the security side, with the plethora of security devices reporting, you need a process to decide what incidents or events you're going to respond to. If you took away the security component away from what I just said, you really are looking at business intelligence in another form."

But he believes that security could do well to brush up on their analysis skills and improve their SIEM utilization reaching out across organizational lines to ask help from data analysis experts outside of security.

"It is natural to involve those business intelligence proponents who have been working with processes and are held to a very high quantitative standard already," he says. "We should reach out to the BI folks who are HR specialists or finance specialists who have a good, solid understanding of what it means to manage large amounts of data, use it and have an immediate return on investment."

Not only could this help the typical organization make more swift security decisions, it could open their eyes up to other operational or line-of-business uses for the security data they collect.

"Security professionals could benefit from branching out and looking at how security impacts other areas of their organization," he says, explaining by point of example how security data could help some organizations project future bandwidth problems at a precise point in time given the data trends streaming through their security feeds. "Those are the types of things we can provide from a security perspective back into the business."

This is ultimately the goal organizations should aspire to bring to bear with their SIEM data, says Dan Ritari of the financial services firm Deluxe Corporation, who has lofty goals for his two-year-old SIEM deployment utilizing SenSage's platform.