SIEM Meets Business Intelligence

Getting the most out of security data makes shift to BI a natural one for some organizations, security experts say

Dark Reading Staff, Dark Reading

June 1, 2011


While many organizations still may be collecting and analyzing logs only to comply with regulations, there's a groundswell of security-minded SIEM adopters that are beginning to also use these tools to help direct them in their business decisions.

But in order to make that a reality across the industry, many security vendors, analysts, and end users believe that the information security world must move security information and event management (SIEM) more towards a business intelligence (BI) mindset. While some security gurus do wonder how much true business intelligence-influenced SIEM can offer their organizations beyond technical decision metrics, many practitioners and vendors have already started leaning in that direction.

"[Security monitoring] is going toward the direction more of data mining," says Scott Crawford, an analyst for Enterprise Management Associates. "Security is beginning to have more in common with things like data management and business intelligence of the past; we're looking for specific things in the mass of data that we have. So we're beginning to see a similar sort of focus on our own big data problems in security that are directly analogous to what BI is to other aspects of the business. I think we'll probably see more people who are knowledgeable about BI apply themselves to security data--we've already seen indications in this direction."

According to many practitioners seeking to make the most out of their security data, the shift toward BI is a natural one for security experts. For example, before he started up his security and information gathering service and consulting firm, Tactical Intelligence, Shane MacDougall worked as a security executive for an identity theft company, responsible for monitoring logs across the infrastructure all by his lonesome. He says that to deal with the volume of data, he had to essentially turn his team into a BI unit.

"I quickly realized that the sheer amount of data I needed to review on a daily basis in near-realtime was unsustainable, so I decided to approach this from a BI point of view. The attackers were my competitors, so what techniques could I use to more efficiently profile them?" says MacDougall, who is principal partner at his current firm. "I've always had a foot in the BI world, having done many corporate information gathering projects, so making the jump was not difficult for me. But to be honest, it really shouldn't be that big of a leap for most infosec people."

His partner at Tactical Intelligence agrees that information security pros should find the business intelligence approach natural. "I would say that infosec trained personnel are uniquely positioned in the enterprise to be an invaluable resource because what they already do is directly applicable to mining data, and creating correlation from the seeming chaos of a multitude of information stores," says Jay James, principal partner at Tactical Intelligence.

Dr. Richard White, CISO for the U.S. Capitol Police, also concurs, stating that SIEM is already a form of BI in its own right.

"Business intelligence is really about deciding how to steer a company based on existing revenue analysis, cost projections and the like," says White, whose organization has been utilizing a centralized SIEM console from Q1 Labs for three years to deliver the same decision-making information for his security actions. "On the security side, with the plethora of security devices reporting, you need a process to decide what incidents or events you're going to respond to. If you took the security component away from what I just said, you really are looking at business intelligence in another form."

But he believes that security teams would do well to brush up on their analysis skills and improve their SIEM utilization by reaching out across organizational lines to ask for help from data analysis experts outside of security.

"It is natural to involve those business intelligence proponents who have been working with processes and are held to a very high quantitative standard already," he says. "We should reach out to the BI folks who are HR specialists or finance specialists who have a good, solid understanding of what it means to manage large amounts of data, use it and have an immediate return on investment."

Not only could this help the typical organization make more swift security decisions, it could open their eyes up to other operational or line-of-business uses for the security data they collect.

"Security professionals could benefit from branching out and looking at how security impacts other areas of their organization," he says, explaining by way of example how security data could help some organizations project future bandwidth problems at a precise point in time, given the data trends streaming through their security feeds. "Those are the types of things we can provide from a security perspective back into the business."

This is ultimately the goal organizations should aspire to bring to bear with their SIEM data, says Dan Ritari of the financial services firm Deluxe Corporation, who has lofty goals for his two-year-old SIEM deployment utilizing SenSage's platform.

"We're trying to take the SIEM information to expand it to not just be SIEM information," says Ritari, vice president of enterprise risk management for Deluxe. "So, when it is in a data warehouse, it is just another group in the warehouse so that we can have business information and we can have ongoing operational information and the correlation between all of them. That's where you're going to get into the real value."

At Deluxe, he has been using the open communications standards that SenSage gives customers, which let them feed their SIEM data in an understandable form into data warehousing products, to take the BI approach a step further than simply consulting in-house BI and data analysts for pointers. He is leveraging their expertise to crunch the numbers as well.

"Why would I try to train security analysts on how to be business intelligence analysts when I have got a room full of business intelligence analysts to look at this stuff 17 different ways?" he says. "From our perspective, it has made it easier for us to repurpose data, build reoccurring reports and pull that data on a reoccurring basis. I can take a good data analyst or business analyst and have them research the data, where in the past using proprietary tools and proprietary reporting tools tied to a SIEM product required a whole different set of skills and talents."
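The pipeline White and Ritari describe, SIEM data normalized into a warehouse table, joined with an operational table, and trended to project a capacity problem, can be shown end to end in a few dozen lines. The script below is an added illustration, not code from Dark Reading, SenSage, Q1 Labs or any of the organizations quoted; the firewall log format, the per-day orders table and the 500 MB/day capacity figure are all constructed for the example.

```python
"""Added example: turn SIEM-style log records into warehouse rows, join them
with an operational table, and project when traffic will exceed capacity.
All inputs below are constructed; nothing here comes from the article."""
from collections import defaultdict
from datetime import date, timedelta
import math
import re

# Constructed sample: firewall session records as a SIEM might export them.
SAMPLE_LOGS = """\
2011-05-01T09:12:01Z fw1 action=allow src=10.1.2.3 dst=203.0.113.10 bytes=120000000
2011-05-01T14:30:55Z fw1 action=allow src=10.1.2.9 dst=203.0.113.11 bytes=130000000
2011-05-02T10:01:10Z fw1 action=allow src=10.1.2.3 dst=203.0.113.10 bytes=260000000
2011-05-02T11:45:00Z fw1 action=deny src=198.51.100.7 dst=10.1.2.3 bytes=0
2011-05-03T08:20:33Z fw1 action=allow src=10.1.2.4 dst=203.0.113.12 bytes=280000000
2011-05-04T16:05:12Z fw1 action=allow src=10.1.2.5 dst=203.0.113.10 bytes=300000000
2011-05-05T12:00:00Z fw1 action=allow src=10.1.2.6 dst=203.0.113.13 bytes=330000000
"""

# Constructed operational table a BI team might already hold: orders per day.
SAMPLE_ORDERS = {
    date(2011, 5, 1): 250, date(2011, 5, 2): 260, date(2011, 5, 3): 280,
    date(2011, 5, 4): 300, date(2011, 5, 5): 330,
}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")


def parse_log_line(line):
    """Parse one 'timestamp host key=value ...' record; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return {"day": date.fromisoformat(m.group("ts")[:10]),
            "host": m.group("host"),
            "action": fields.get("action"),
            "bytes": int(fields.get("bytes", 0))}


def build_fact_table(text):
    """Aggregate allowed traffic per day into warehouse-style fact rows."""
    per_day = defaultdict(int)
    for line in text.splitlines():
        row = parse_log_line(line)
        if row and row["action"] == "allow":
            per_day[row["day"]] += row["bytes"]
    return [{"day": d, "bytes": b} for d, b in sorted(per_day.items())]


def join_with_orders(facts, orders):
    """Join security facts with the business table on the day key."""
    return [{"day": f["day"], "bytes": f["bytes"], "orders": orders[f["day"]]}
            for f in facts if f["day"] in orders]


def pearson(xs, ys):
    """Pearson correlation: how closely traffic tracks business volume."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)


def linear_fit(ys):
    """Least-squares slope and intercept of ys against day index 0..n-1."""
    n = len(ys)
    mx, my = (n - 1) / 2, sum(ys) / n
    sxy = sum((i - mx) * (y - my) for i, y in enumerate(ys))
    sxx = sum((i - mx) ** 2 for i in range(n))
    slope = sxy / sxx
    return slope, my - slope * mx


def days_until_capacity(facts, capacity_bytes):
    """Project the date daily traffic crosses capacity on the fitted trend.
    Returns (date, days_after_last_observation); None if traffic is not growing."""
    slope, intercept = linear_fit([f["bytes"] for f in facts])
    if slope <= 0:
        return None
    last_index = len(facts) - 1
    cross_index = math.ceil((capacity_bytes - intercept) / slope)
    ahead = max(0, cross_index - last_index)
    return facts[-1]["day"] + timedelta(days=ahead), ahead


if __name__ == "__main__":
    facts = build_fact_table(SAMPLE_LOGS)
    joined = join_with_orders(facts, SAMPLE_ORDERS)
    r = pearson([j["bytes"] for j in joined], [j["orders"] for j in joined])
    print("bytes/orders correlation: %.3f" % r)
    print("projected capacity date:", days_until_capacity(facts, 500_000_000))
```

The point of the join is the one Ritari makes: once the SIEM rows sit in the same warehouse as the orders table, a business analyst can ask whether traffic is moving with the business or independently of it, and the same trend line answers White's bandwidth question without any SIEM-specific tooling.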

He says that until more vendors open up their repositories to work with data warehousing, it is going to be too costly for most organizations to truly embrace BI analysis using SIEM.

"I think it's going to go there but a lot of companies are going to be slow adopters because their vendors are going to be less about an open platform," he says. "Everybody likes to have their own proprietary little APIs and what-not. That way they can sell you the reporting tools and the reporting server and the clients."

Whether it is due to proprietary issues among SIEM vendors or not, there's still a lot of work to go. "I really don't see infosec teams applying BI principles to IT monitoring to the degree they should," MacDougall says. "Most teams seem to be having problems keeping their heads above water as they defend against attacks, deal with users and management, meet compliance metrics, and respond to audits."

While it may be fun to blame the vendors for a lack of progress, it isn't really all their fault, either. A lot of organizations are simply not mature enough to realize the dream of SIEM as another form of BI.

"The issue is that information security is just now starting to track who is making changes to which files. From this tracking process, the BI system correlates the various changes and thoughts to synthesize revelations," says John Caughell, marketing manager for Argentstratus, a security services and consulting firm. "The vast majority of enterprises are not even able to track access to system data, let alone track changes to documents. Even large companies, which are looking for data trends, have difficulty putting the right information together."
