Security information and event management becoming less about compliance, more about forensics and incident response, studies say

4 Min Read

For years now, compliance has been the primary reason why small and midsize businesses (SMBs) buy security information and event management (SIEM) tools. Has this trend changed? No, according to a new study -- but the way businesses are using those SIEM tools is changing rapidly.

According to a study published today by the SANS Institute, SIEM and log management tools are becoming increasingly popular as a method for tracking down and diagnosing security problems, rather than serving primarily as tools for proving security compliance.

That premise is supported by a separate study published simultaneously by security tool vendor RSA, which offers SIEM software.

"The need for compliance really drove widespread deployment of log management -- SIEM tools went everywhere," says Sam Curry, technology chief marketing officer at RSA. "Now that they have these tools to fulfill the compliance requirement, companies are asking, 'What else can I do with this?'"

Joe Gottlieb, vice president of marketing and business development at SIEM tool vendor SenSage, agrees. "I think we're seeing a real shift here, and it may be happening first at small and medium-sized companies because their compliance process is less complex than those at larger enterprises. They're seeing [SIEM] less as a check-box item and more as a tool that can help them with actual security operations."

In the SANS study, more than half of the respondents rated log management tools as "very useful" for two primary functions: "forensics analysis and correlation" and "detecting/preventing unauthorized access and insider abuse." Only 40 percent ranked SIEM as very useful for meeting regulatory requirements or ensuring regulatory compliance.

"These are categories in which people are actually getting things done, not just marking a checkbox on a form to say they’re doing it," the SANS study says.

In the RSA study, 89 percent of respondents said the primary use for their SIEM tools is for security operations functions, compared with 54 percent who cited compliance. Moreover, the survey reported that as many as 66 percent of those surveyed ranked real-time monitoring as most important when evaluating a SIEM vendor. More than 75 percent of the respondents think real-time monitoring is an essential component of SIM tools.

Because of their size, SMBs might be quicker to take advantage of the automated operations capabilities of SIEM and log management tools, Gottlieb says. "In a large enterprise, there are a lot of different groups involved in the security management process -- security operations, network operations, compliance, risk management, security policy," he observes. "It takes time to get those groups together. A small company may have only one person -- or less than one person -- to do all of those functions. They're going to be quicker to ask for more automation."

SMBs are also using SIEM data to do risk management, Curry says. "These are people that need to do forensic investigations, who need to understand the likelihood of an event and the potential damage that could be done," he notes. "In a sense, these people are more connected to the business than the IT people in a large enterprise."

Companies both large and small are employing SIEM tools for tasks that go beyond simple compliance experts said. Some larger enterprises are using SIEM to collect data on ERP applications, such as SAP, which often carry critical data but are not always well-secured, Gottlieb says. Other companies are using SIEM tools to coordinate event information surrounding a single user or workstation in support of the insider threat protection effort, he notes.

SIEM technology still faces challenges of cost -- many of the tools are expensive -- and implementation obstacles, analysts observe. "Most SIEM products require months of tuning after the initial installation -- there is no such thing as a fully functional SIEM right after installation," said security consultant Eugene Schultz in a blog.

But companies that have already purchased and implemented SIEM and log management tools are finding them increasingly useful in the growing tasks of incident response and forensics, Curry says. "Logs are the indicators of what's going on in the security environment," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading

Contributor

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights