For big companies looking to spend big budgets, the Big Data pitch for security information and event management (SIEM) systems is a good fit. But other improvements are on the way

Dark Reading Staff, Dark Reading

February 22, 2013

4 Min Read

So let's get this out of the way: When vendors utter the phrase "security information and event management," or SIEM, at next week's RSA Conference, it's business beau "Big Data" will be no more than a sentence away.

With large enterprises seeking to gain situational awareness into what is happening on hundreds, if not thousands of network devices, using the business analytics model of Big Data makes sense. For that reason, the mantra of the "three Vs of data" -- velocity, volume, and variety -- will likely echo from booth to booth throughout the exposition hall.

"With SIEM, if you have the right set of tools, you can easily collect a lot of information, and you can store a lot of information for compliance reasons, and do fast analysis of the data coming from different sources," says Varun Kohli, director of product marketing for Hewlett-Packard's enterprise security products group. "So SIEM is one of the tools that is absolutely aligned with the problems of big data and the solutions that it can offer."

Yet Big Security is for the large enterprise, at least today. While analysts expect 40 percent of companies to start tapping their big security data by 2016, today only a small fraction -- about 3 percent of companies -- are doing it today, says Kohli.

But the SIEM story is not all about Big Data. Companies in the market for a more modest SIEM should expect a number of improvements this year.

1. Easier to use
Another big meme for the conference is the dire shortage in security manpower. Unfortunately, getting the most from a SIEM system typically requires good security analysts.

The tension between those two opposing factors means that vendors are constantly trying to deliver the basic abilities of managing and organizing event logs, normalizing the events and allowing the search and correlation of data without requiring a full-time security-analyst staff.

"Expecting me to spend 18 months to deploy this system, as if it was a niche technology, is no longer acceptable," says Nicole Pauls, director of product management for SolarWinds, a mid-market network-management software maker. Most of the mid-sized businesses do not have even a single person that manages security full time, so creating a simple system is key.

[Security products are featuring more analytics these days to help automate and speed the interpretation and response process, but any rules, algorithms, or interpretations of the data can also reflect the perspective and assumptions of whoever created them. See Rashōmonitoring.]

Managed services are currently a good way to bridge the expertise gap, says Roger Thornton, chief technical officer of unified-security management vendor AlienVault.

"There are a lot of companies out there that are offering their services to help deploy and manage, and -- more and more -- those guys are asking for a pretty reasonable price to give clients what they need," he says."

2. Adding security intelligence
More companies are also looking at using threat intelligence to allow their SIEM system to account for attacks that may target a company.

"There is a lot of threat intelligence feeds coming in: the bad URLs, the phishing addresses and bad IP addresses," says James B. O’Kane, managing principal of Vigilant, which helps clients focus their SIEM systems on risks. "And we see clients taking that feed and writing some use cases and marry other pieces of data to that feed."

IBM, which purchased SIEM vendor Q1 Labs in October 2011, is another company that is taking cues form their customers' use of additional sources of information, such as threat-intelligence feeds.

"More and more customers are asking what they can add to the platform and what can be added to the platform," says Michael Applebaum, program director at IBM Security Systems. "You can draw more insight with who is doing what with what systems and in what situations."

3. Changing response based on risk
Companies are also looking to gain more context from their SIEM systems. Augmenting SIEM analysis with knowledge about different IT assets inside a company and events, such as vulnerabilities and existing threats, could help companies gauge the their risk, says HP's Kohli.

"It might make sense to say, 'We know that this asset is very critical to the business, and it uses Java and a new vulnerability has been found, so lets increase the risk score,'" he says.

While such features are already seen in compliance and governance solutions, bringing that capability together with SIEM can give companies a better view of their current security, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights