Dark Reading is part of the Informa Tech Division of Informa PLC
10/18/2013 08:03 PM

Next Generation Of SIEMs? Ease Of Use, Analyze More Data

Companies looking for better SIEM tools do not require more technology, but systems that can quickly become operational and useful

The next generation of security information and event management (SIEM) systems will inevitably include new features, but security companies are currently focused on solving their customers' problems in managing and operating the current crop of products.

While SIEM systems have been around for more than a decade, companies continue to have trouble deploying and maintaining them. More than half of businesses need at least two full-time analysts to operate their SIEM, and 44 percent needed more than a few weeks to deploy it, according to a survey by security management firm EiQ Networks.

Those problems have made creating an easy-to-use SIEM system the most requested feature for the future, says Nicole Pauls, director of product management for IT management firm SolarWinds.

"We are trying to adapt to an evolving threat space, and it does not require that we cobble together new tools," she says. "What it really requires is that we make the tools better, so we can adapt to the threat space faster."

With security experts recommending that companies continuously monitor their networks to gain better visibility into potential threats, more businesses are considering SIEM systems or have already embarked on network-monitoring projects. No wonder: The deployment of security-intelligence systems continues to be the top strategy for reducing the costs of a breach, correlating with a $4 million reduction in breach costs, according to the Ponemon Institute's Cost of Cybercrime study released this month.

Yet SIEM deployments are difficult. Integrating a variety of different data feeds is complex and requires knowledgeable security analysts. Add the difficulty of getting all of the necessary stakeholders in a company to cooperate, and plenty of SIEM projects have stalled, says Mark Nicolett, managing vice president of network security for research firm Gartner. Unfortunately, vendors typically toe a marketing line of easy deployment rather than frankly discuss the difficulties of standing up the analysis environment.

"I don't think it is possible to ask the vendor the right set of questions to determine how difficult the deployment is going to be," Nicolett says, adding that -- without easier deployments -- adding more features is a nonstarter. "It is all fun to talk about what is coming next, but if it is not operationally useful, who cares?"

[A high rate of false positives is a problem that affects many types of security systems, but a few proactive steps can help cut them down to size. See 3 Steps To Keep Down Security's False-Positive Workload.]

While the marketing lines for most security intelligence product makers may not change, executives know they must tame the unruly learning curves of their SIEM products or risk falling behind in the market.

"There is still a lot of the vision of SIEM that has yet to be realized -- things like behavioral analysis and better correlation of events," SolarWinds' Pauls says. "We need to give customers better analysis out of the box."

To deliver better analysis, SIEM vendors and service providers are aiming to allow companies to easily incorporate more data, threat-intelligence feeds, and other information into the SIEM systems. Yet the products also have to take into account the context of the data and the risks that a company faces, says Vijay Basani, president and CEO of EiQ Networks, a security management services provider.

"We can take gobs of data and spit out lots of information, but we don't know what is important for your company," he says. "I think that is going to change very dramatically. Approaches like focusing on best practices will help companies focus on the right questions."

A large part of the move to incorporating more data in future SIEM offerings is pairing the appliances and services with a threat-intelligence feed. A number of vendors have launched threat information sharing exchanges and forums where security experts can work together on the analysis. AlienVault has the Open Threat Exchange, CyberSquared has developed Threat Connect, and HP recently announced Threat Central. The services combine malware analysis and open-source intelligence tools with social networking and crowdsourced analysis to create a virtual space for learning about the latest threats.
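The two points above (Basani's "we don't know what is important for your company" and the pairing of a SIEM with a threat-intelligence feed) come together in a small piece of correlation logic. The following is an added example written for this page, not code from the article or from any vendor named in it: it matches constructed firewall events against a constructed indicator feed, then weights each hit by the criticality of the internal asset involved so the one hit that matters floats to the top. The log format, the feed, the asset inventory, the default criticality of 3 for unknown assets and the score threshold are all assumptions made for the example.

```python
"""Added example (not from the article or any vendor it names): enrich log
events with a threat-intelligence feed and asset context, then rank the hits.
Every indicator, host and log line below is constructed for the example."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable

# Constructed syslog-style firewall events. The format is assumed for the
# example: "<timestamp> <device> <src_ip> -> <dst_ip>:<port> <action>".
SAMPLE_LOG = """\
2013-10-18T19:55:01 fw01 10.0.5.23 -> 198.51.100.7:443 allow
2013-10-18T19:55:04 fw01 10.0.5.23 -> 203.0.113.45:80 allow
2013-10-18T19:55:09 fw01 10.0.9.140 -> 203.0.113.45:80 allow
2013-10-18T19:55:12 fw01 10.0.1.10 -> 192.0.2.66:4444 allow
2013-10-18T19:55:15 fw01 10.0.9.140 -> 93.184.216.34:443 allow
"""

# Constructed threat-intelligence feed: indicator -> (confidence 0..1, label).
THREAT_FEED = {
    "203.0.113.45": (0.4, "low-confidence scanner, open-source intel"),
    "192.0.2.66": (0.9, "C2 server, vendor malware analysis"),
}

# Constructed asset inventory: internal IP -> (hostname, criticality 1..5).
ASSETS = {
    "10.0.1.10": ("payroll-db", 5),
    "10.0.5.23": ("eng-workstation-23", 2),
    "10.0.9.140": ("guest-wifi-client", 1),
}
UNKNOWN_ASSET = ("unknown-asset", 3)  # assumed default for hosts not in inventory

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<action>\w+)$"
)


@dataclass
class Alert:
    ts: datetime
    src: str
    host: str
    dst: str
    port: int
    label: str
    score: float  # indicator confidence multiplied by asset criticality


def parse_events(text: str) -> list[dict]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def raw_matches(events: Iterable[dict]) -> list[dict]:
    """The 'more data' approach: every event that touches any indicator."""
    return [e for e in events if e["dst"] in THREAT_FEED or e["src"] in THREAT_FEED]


def prioritized_alerts(events: Iterable[dict], min_score: float = 1.0) -> list[Alert]:
    """Enrich each indicator hit with asset criticality, drop hits whose
    combined score is below the threshold, and return the rest highest first."""
    alerts = []
    for e in events:
        hit = THREAT_FEED.get(e["dst"])
        if hit is None:
            continue
        confidence, label = hit
        host, criticality = ASSETS.get(e["src"], UNKNOWN_ASSET)
        score = confidence * criticality
        if score >= min_score:
            alerts.append(Alert(e["ts"], e["src"], host, e["dst"], e["port"], label, score))
    return sorted(alerts, key=lambda a: a.score, reverse=True)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(f"{len(raw_matches(evs))} raw indicator hits out of {len(evs)} events")
    for a in prioritized_alerts(evs):
        print(f"score={a.score:.1f} {a.host} ({a.src}) -> {a.dst}:{a.port} [{a.label}]")
```

On the constructed input the feed alone produces three hits, two of them a low-confidence scanner contacted by a workstation and a guest device; weighting by asset criticality leaves a single alert, the payroll database talking to a high-confidence C2 address. That is the difference between Nicolett's "mountain of threat data" and something an analyst can act on; in a real deployment the threshold and the criticality scale would be tuned per feed, as the commenters below describe.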

Whether Balkanized analysis environments will deliver the features needed to fuel better SIEM products is another question. Eric Schou, director of product marketing for enterprise security products at HP, believes the crowdsourced model will work because it gives each participant more value than they typically put in.

"If there isn't that value, and if they don't feel like it improves their security posture, then they won't take part," Schou says.

Yet the crowdsourced model and a mountain of threat data may not improve the effectiveness of SIEMs, warns Gartner's Nicolett. More data is not necessarily a good thing when you cannot even properly analyze what you have, he says.

"We are not suffering from a lack of data," Nicolett says. "We are suffering from a lack of intelligence in analyzing it."

If next-generation products can deliver that combination of intelligence and usability, only then will companies benefit.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
mharrison392 (User Rank: Apprentice), 10/22/2013 | 8:42:50 PM
re: Next Generation Of SIEMs? Ease Of Use, Analyze More Data
I don't think I want a plug and play SIEM solution. The complexity of all the interconnected parts in unique environments is not something that I am comfortable with a SIEM understanding. It is important that someone in the organization understand how these pieces work together whether a SIEM is implemented or not.

A SIEM solution is a TOOL. It makes the job easier, but it's still a hard job. Knowledge is still required. They used computers in 1969 to put a man on the moon. The people designing the systems and working at mission control still had to know the pieces and parts. They still had to know what they were doing.

The problem is that most people want to purchase a solution that they can install and forget. A SIEM takes care and feeding on a regular basis. A properly installed and configured SIEM requires tuning regularly. However, most SIEM implementations I've seen have had the proverbial "kitchen sink" worth of logs thrown at them day one or week one. It takes time to do this properly. You have to add one feed at a time and spend some time getting to know it and tuning it, then move on to the next log feed.

I believe you could make the argument that anyone wanting a plug and play SIEM should outsource their security operations. The fact of the matter is that real, effective security requires knowledgeable, dedicated, warm bodies. Most organizations are unwilling to accept that.
MarciaNWC (User Rank: Apprentice), 10/21/2013 | 11:09:31 PM
re: Next Generation Of SIEMs? Ease Of Use, Analyze More Data
You'd think after this long in the market, SIEMs would have become easier to use. Although, as the story notes, the marketing line with SIEMs has always been the opposite.
AccessServices (User Rank: Apprentice), 10/21/2013 | 12:28:10 PM
re: Next Generation Of SIEMs? Ease Of Use, Analyze More Data
From someone who has lived and worked in the trenches, I agree with Robert. SIEMs are complicated beasts. They capture data from multiple devices so the person setting up the rules needs to understand the relationship between databases, networks, web servers, load balancers, firewalls, AD, etc.... The biggest problem I've seen is training. Companies will purchase a nice vehicle to move a company forward and then won't pay to teach one or two employees how to drive it. Then when it crashes, blame the IT group.

Even if the SIEM is just capturing the data, a company has made progress. The forensic and troubleshooting capabilities are significant. There have been several times when I've solved issues by going to an "unused SIEM" or logging device. For what to correlate, the SANS Institute has written several papers on what to look for.
