SIEM Meets Business Intelligence

Getting the most out of security data makes shift to BI a natural one for some organizations, security experts say
"We're trying to take the SIEM information to expand it to not just be SIEM information," says Ritari, vice president of enterprise risk management for Deluxe. "So, when it is in a data warehouse, it is just another group in the warehouse so that we can have business information and we can have ongoing operational information and the correlation between all of them. That's where you're going to get into the real value."

At Deluxe, he has been using the open communications standards SenSage gives its customers, which let them feed SIEM data in a readily understood form into data warehousing products. That takes the BI approach a step further than simply consulting in-house BI and data analysts for pointers: he is leveraging their expertise to crunch the numbers as well.
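As an added illustration of what "SIEM information as just another group in the warehouse" makes possible, the script below is example code written for this page; it is not code from the article, from Deluxe or from SenSage. It loads a few constructed SIEM events and a constructed HR dimension table into an in-memory SQLite database and runs the kind of cross-source queries a business analyst, rather than a security analyst, would write: activity by accounts HR has marked terminated, failed logins grouped by department, and a recurring daily activity report. Table layouts, column names and every sample value are assumptions chosen for the example.

```python
import sqlite3

# Constructed sample SIEM events in the normalized shape they might take
# after export into a warehouse: (timestamp, user, host, action, outcome).
SIEM_EVENTS = [
    ("2024-03-04T08:55:12Z", "alice", "fs01", "file_modify", "success"),
    ("2024-03-04T09:02:40Z", "bob",   "fs01", "login",       "failure"),
    ("2024-03-04T09:02:55Z", "bob",   "fs01", "login",       "failure"),
    ("2024-03-04T09:03:10Z", "bob",   "fs01", "login",       "success"),
    ("2024-03-04T22:17:03Z", "carol", "db02", "login",       "success"),
    ("2024-03-05T03:41:29Z", "dave",  "fs01", "file_modify", "success"),
]

# Constructed HR dimension table, the kind of business data the security
# team does not own but gains access to once SIEM data sits in the warehouse.
HR_USERS = [
    ("alice", "finance",     "active",     None),
    ("bob",   "engineering", "active",     None),
    ("carol", "finance",     "active",     None),
    ("dave",  "marketing",   "terminated", "2024-02-28"),
]


def build_warehouse():
    """Load the fact table (events) and dimension table (HR) into SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE siem_events "
        "(ts TEXT, username TEXT, host TEXT, action TEXT, outcome TEXT)"
    )
    conn.execute(
        "CREATE TABLE hr_users "
        "(username TEXT PRIMARY KEY, department TEXT, status TEXT, terminated_on TEXT)"
    )
    conn.executemany("INSERT INTO siem_events VALUES (?,?,?,?,?)", SIEM_EVENTS)
    conn.executemany("INSERT INTO hr_users VALUES (?,?,?,?)", HR_USERS)
    return conn


def activity_by_terminated_accounts(conn):
    """Events from accounts HR marked terminated, dated after the termination.

    ISO-8601 timestamps compare correctly as strings, so no date parsing needed.
    """
    return conn.execute(
        """
        SELECT e.username, e.ts, e.host, e.action
        FROM siem_events e
        JOIN hr_users h ON h.username = e.username
        WHERE h.status = 'terminated' AND e.ts > h.terminated_on
        ORDER BY e.ts
        """
    ).fetchall()


def failed_logins_by_department(conn):
    """Failed logins rolled up by the HR department of the account."""
    return conn.execute(
        """
        SELECT h.department, COUNT(*) AS failures
        FROM siem_events e
        JOIN hr_users h ON h.username = e.username
        WHERE e.action = 'login' AND e.outcome = 'failure'
        GROUP BY h.department
        ORDER BY failures DESC, h.department
        """
    ).fetchall()


def daily_activity_report(conn):
    """A recurring report: event count per day and department.

    substr(ts, 1, 10) extracts the YYYY-MM-DD part of the timestamp.
    """
    return conn.execute(
        """
        SELECT substr(e.ts, 1, 10) AS day, h.department, COUNT(*) AS events
        FROM siem_events e
        JOIN hr_users h ON h.username = e.username
        GROUP BY day, h.department
        ORDER BY day, h.department
        """
    ).fetchall()


if __name__ == "__main__":
    db = build_warehouse()
    print("Activity by terminated accounts:", activity_by_terminated_accounts(db))
    print("Failed logins by department:   ", failed_logins_by_department(db))
    print("Daily activity report:         ", daily_activity_report(db))
```

The point of the example is that none of the three queries needs security tooling or a SIEM vendor's reporting client: once events and HR data share a warehouse, an ordinary SQL-literate analyst can correlate them and schedule the result as a standing report.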

"Why would I try to train security analysts on how to be business intelligence analysts when I have got a room full of business intelligence analysts to look at this stuff 17 different ways?" he says. "From our perspective, it has made it easier for us to repurpose data, build reoccurring reports and pull that data on a reoccurring basis. I can take a good data analyst or business analyst and have them research the data where in the past using proprietary tools and proprietary reporting tools tied to a SIEM product required a whole different set of skills and talents."

He believes that until more vendors open up their repositories to work with data warehousing, it is going to be too costly for most organizations to truly embrace BI analysis using SIEM.

"I think it's going to go there but a lot of companies are going to be slow adopters because their vendors are going to be less about an open platform," he says. "Everybody likes to have their own proprietary little APIs and what-not. That way they can sell you the reporting tools and the reporting server and the clients."

Whether or not proprietary data formats among SIEM vendors are to blame, there is still a lot of work to be done. "I really don't see infosec teams applying BI principles to IT monitoring to the degree they should," MacDougall says. "Most teams seem to be having problems keeping their heads above water as they defend against attacks, deal with users and management, meet compliance metrics, and respond to audits."

While it may be fun to blame the vendors for a lack of progress, it isn't really all their fault, either. A lot of organizations are simply not mature enough to realize the dream of SIEM as another form of BI.

"The issue is that information security is just now starting to track who is making changes to which files. From this tracking process, the BI system correlates the various changes and thoughts to synthesize revelations," says John Caughell, marketing manager for Argentstratus, a security services and consulting firm. "The vast majority of enterprises are not even able to track access to system data, let alone track changes to documents. Even large companies, which are looking for data trends, have difficulty putting the right information together."
