Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

12/16/2013
07:44 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Moving Beyond SIEM For Strong Security Analytics

SIEM still a useful tool for infosec, but many argue it shouldn't be the main platform for analytics programs

While security information and event management (SIEM) tools have certainly helped many an enterprise IT organization get a better handle on aggregating and analyzing logs across disparate security tools, these organizations are starting to butt up against the limitations of SIEM. And as enterprises seek to gain more insight into business trends and user activity affecting security stances, they're finding that they shouldn't make the mistake of confusing the use of SIEM for the existence of security analytics practices.

"I think SIEM is a starting point for security analytics, but only a starting point," says Ed Bellis, CEO of Risk I/O.

SIEM gained steam as the tool of choice for teams seeking to sift through real-time event information to more quickly respond to security programs, says Geoff Webb, director of solution strategy for NetIQ, but he notes that during the past few years security teams have struggled to gain more value out of their SIEM deployments and that the reputation for these platforms have started to creak.

[Are you using your human sensors? See Using The Human Perimeter To Detect Outside Attacks.]

"Part of that is deserved -- vendors sold it as security nirvana, whereas the reality is very different: It's a good tool and, like all good tool, needs to be used appropriately and for the right job," he says.

Part of the difficulty with SIEM has been issues of increased security "noise" and complexity of systems feeding into the SIEM.

"The problem is that as more and more security and monitoring tools have been brought online, the amount of raw noise that must be dealt with by the SIEM tool has grown, too," he says. "Worse, the infrastructure has become more and more complex, especially as virtualized devices become the norm, which contributes to an increasingly chaotic and noisy environment -- perfect for attackers, [but] terrible for the security team trying to piece together what's going on."

More detrimentally to a fully featured analytics practice, though, is SIEM's lack of analysis range, Bellis says.

"SIEMs weren't originally designed to consume much more than syslog or netflow information with a few exceptions around configuration or vulnerability assessment," he says. "Security analytics is more than just big data -- it's also diverse data. This causes serious technical architectural limitations that aren't easy to overcome with just SIEM."

For example, SIEM can't account for data sources like financial data that could help with fraud detection, human resource information, metadata about the business, or sentiment data from sources like social media. These kinds of external sources to security can prove crucial in pinpointing business risks that require contextual clues to spot.

"Security analytics needs to include big-picture thinking -- integration of the meanings and interactions of signals, not just the raw reduction of streams of events," says Mike Lloyd, CTO of RedSeal Networks.

As a result, organizations must first recognize that security analytics requires more computational power and start budgeting accordingly. If acquiring additional funds is an issue, then the security organization can get started through creative collaboration with other departments, Bellis says.

"I think security analytics goes beyond SIEM and your SIEM budget," he says. "There are great ways to jump-start your security analytics program within a company by leveraging existing resources. Many organizations already have data analytics and business intelligence teams. These groups can be a CISO's friend when building out a security analytics capability by leveraging both talent and tools. "

In addition, they may also have the underlying big data infrastructure necessary for security analytics already up and running, including data warehouses or noSQL environments, which the organization may be able leverage for information security purposes. The point, says Bellis, is that repurposing existing investments made elsewhere can make it possible to kick analytics into gear without a huge additional budget.

"In the past I've repurposed ClickStream tools being used for Web analytics and customer service to identify security issues in near real-time," he says. "Making do with what you have can go a long ways before expanding to a more complete security analytics platform."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
markgrogan
50%
50%
markgrogan,
User Rank: Strategist
7/9/2018 | 4:20:33 AM
hi
The progress of the industry happens when a business or end user realises that they can do something better about something and does what he or she needs to do to make it happen! Honestly speaking, if we all just sat back and complained at how much limitations a certain software had for us while waiting for someone else to build a better product, we would be living in the stone ages still.
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20327
PUBLISHED: 2021-02-25
A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node....
CVE-2021-20328
PUBLISHED: 2021-02-25
Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in inte...
CVE-2020-27543
PUBLISHED: 2021-02-25
The restify-paginate package 0.0.5 for Node.js allows remote attackers to cause a Denial-of-Service by omitting the HTTP Host header. A Restify-based web service would crash with an uncaught exception.
CVE-2020-23534
PUBLISHED: 2021-02-25
A server-side request forgery (SSRF) vulnerability in Upgrade.php of gopeak masterlab 2.1.5, via the 'source' parameter.
CVE-2021-27330
PUBLISHED: 2021-02-25
Triconsole Datepicker Calendar <3.77 is affected by cross-site scripting (XSS) in calendar_form.php. Attackers can read authentication cookies that are still active, which can be used to perform further attacks such as reading browser history, directory listings, and file contents.