Being a property owner can be a massive headache. You end up spending thousands to protect what's yours – securing doors, windows, and every other feasible point of entry. Yet all a criminal needs is one shot – a misplaced key, say – and he is in. That's why people turn to CCTV. The all-seeing mechanical eye won't stop the intruder, but at least it shows what he looks like, how he got in – and exactly what he's doing to that antique rug.
These days, threats to network security are no different, and it is increasingly common to find perimeter defences such as firewalls being beaten. Three cheers then for security information and event management (SIEM), sold as a kind of CCTV for your network. It is a technology that collects logs and events from systems across the network into one place, correlates them, and gives users a near-real-time view of what is going on and what looks dangerous.
It is certainly easy to see why it should attract attention right now. In a world of WikiLeaks and Stuxnet, a platform that is built to battle both internal and external threats is not a hard sell.
Yet that's not all. SIEM also enables companies to collect, store and analyse a colossal amount of log data, helping to ensure compliance with the spread of increasingly stringent and far-reaching regulations.
SIEM is very much of the moment. According to Gartner it is the fastest-rising sub-section of the security sector, growing at a rate of 21 per cent a year. And when HP stumped up $1.5 billion for ArcSight in October 2010, SIEM had its first big-money buy-out.
Yet as even its vendors will tell you, SIEM is merely a small part of a bigger security puzzle.
The meaning of SIEM
The term SIEM was coined by two Gartner employees in 2005, and describes the point where IT meets surveillance: security products have traditionally focused on perimeter defence; but relying on firewalls, IDSs and virus detection won't cut it these days.
“Penetration is a given,” says Jay Huff, EMEA marketing director at ArcSight. “The problem with those endpoint solutions is that once someone's through, that solution is finished. And once that threat is inside, companies need to know what it's up to.”
SIEM takes all the information gathered from events across the network – from system logs to who is swiping themselves into the building – and tailors it to inform the business about exactly what is happening and when.
Gartner lists 20 key players in the SIEM space, which suggests a dynamic market with a raft of competing commercial products. The vendors and products on that list include ArcSight, BlueSOC, Cisco Security MARS, LogLogic, Logica, NitroSecurity and RSA enVision.
These platforms are tasked with more than spotting the nasty elements that slip past your firewall. When the technology first emerged for gathering the huge stores of data that networks were spitting out, security was simply the first logical use, but that data can also be mined for other things.
An intelligent view
Recently, the focus of SIEM has moved away from the S and toward the I and the E – the information and events. It can help provide operational intelligence and proactive hardware management, as well as monitoring of mobile users, laptops and access to applications.
“I liken all this to digital detective work,” says Bill Roth, chief marketing officer at LogLogic. “Every action leaves footprints in the sand. Our job is to say who left them and when, and where that trail is leading.”
Pre-Stuxnet, major utilities operations may have only used such data to improve their processes. Now they can see how vulnerable they are to security breaches too. But security is only half the picture. The biggest driver for SIEM is in fact the increasingly treacherous minefield that is regulatory compliance. According to Gartner, more than 80 per cent of SIEM take-up in the US comes from the need for organisations to show they are on top of regulation.
This trend is also starting to apply to Europe. Retailers handling credit cards need to comply with the Payment Card Industry Data Security Standard (PCI DSS), proving their responsible handling of customer card data. Requirement 10 of the standard says you have to track and monitor all access to network resources and cardholder data, keep the audit trail (at least a year, with the most recent three months immediately available) and review the logs regularly. “We like that rule,” says Roth.
Retailers can align SIEM to their policy, creating, say, alerts when any credit card data is accessed on the system outside of business hours.
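What such a rule looks like once it is written down, as an added example rather than anything from ArcSight, LogLogic or any other vendor on this page: a toy correlation engine that normalises two constructed log sources (door badge swipes and a database audit trail, the kind of pairing described above) into one event stream and runs two rules over it. The first flags any access to cardholder data outside business hours; the second flags cardholder data pulled from an office workstation by someone who never badged into the building that day. The log format, the 08:00 to 18:00 policy window, the hostnames and the user names are all assumptions made for the example.

```python
"""Toy SIEM correlation: normalise constructed logs, run two detection rules.
Log format, business hours, hostnames and users are all assumed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample logs (not captured from any real system). Local time,
# 2011-03-14 is a Monday.
BADGE_LOG = """\
2011-03-14T08:02:11 badge user=alice door=front-lobby result=granted
2011-03-14T08:15:40 badge user=bob door=front-lobby result=granted
"""
DB_AUDIT_LOG = """\
2011-03-14T09:30:05 db user=alice table=cardholder op=SELECT rows=12 host=ws-104
2011-03-14T13:12:48 db user=bob table=orders op=SELECT rows=3 host=ws-211
2011-03-14T22:47:19 db user=bob table=cardholder op=SELECT rows=5000 host=ws-211
2011-03-14T10:05:00 db user=carol table=cardholder op=SELECT rows=40 host=ws-309
"""

BUSINESS_HOURS = (time(8, 0), time(18, 0))      # assumed policy window
ON_SITE_HOSTS = {"ws-104", "ws-211", "ws-309"}   # assumed office workstations


@dataclass
class Event:
    ts: datetime
    source: str
    fields: dict


def parse_line(line):
    """'<ISO-8601 timestamp> <source> key=value ...' -> Event"""
    ts, source, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Event(datetime.fromisoformat(ts), source, fields)


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_chd_access(e):
    return e.source == "db" and e.fields.get("table") == "cardholder"


def rule_out_of_hours_chd(events):
    """Flag any cardholder-data access outside business hours or at the weekend."""
    start, end = BUSINESS_HOURS
    alerts = []
    for e in events:
        if is_chd_access(e) and (not (start <= e.ts.time() < end) or e.ts.weekday() >= 5):
            alerts.append(("out_of_hours_chd", e.fields["user"], e.ts.isoformat()))
    return alerts


def rule_access_without_badge(events):
    """Correlate two sources: cardholder data read from an on-site workstation by a
    user with no granted badge swipe on that date."""
    badged = {}
    for e in events:
        if e.source == "badge" and e.fields.get("result") == "granted":
            badged.setdefault(e.fields["user"], set()).add(e.ts.date())
    alerts = []
    for e in events:
        if (is_chd_access(e) and e.fields.get("host") in ON_SITE_HOSTS
                and e.ts.date() not in badged.get(e.fields["user"], set())):
            alerts.append(("chd_access_without_badge", e.fields["user"], e.ts.isoformat()))
    return alerts


def run_rules(*logs):
    """Merge all sources into one time-ordered stream and apply every rule."""
    events = sorted((e for log in logs for e in parse_log(log)), key=lambda e: e.ts)
    return rule_out_of_hours_chd(events) + rule_access_without_badge(events)


if __name__ == "__main__":
    for alert in run_rules(BADGE_LOG, DB_AUDIT_LOG):
        print(alert)
```

On the constructed data the first rule fires on bob's 22:47 query against the cardholder table, and the second fires on carol, who reads cardholder data from an office workstation without ever having swiped in. Neither event is interesting to a firewall; both are exactly the kind of thing that only falls out of correlating sources that normally live in different silos, and the badge-swipe rule is a reminder that a physical access log is a security log too.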
Its use spreads far further than retail: to telcos, to financial organisations sensitive to the capital rules coming out of the Basel accords, and to those organisations working with the Government, which have to comply with GPG13 (CESG's Good Practice Guide on protective monitoring) and CESG Memo 22, covering connections to the secure government intranet.
There are similarly tight standards for dealing with patient details in the UK and US healthcare systems, and the more general ISO/IEC 27002 information security code of practice.
Beware the cons
While the downside to not complying with regulations is abundantly clear – “There are now huge fines or even imprisonment as a punishment for the misuse of data,” explains Roth – that's not to say the proposed solution comes without its criticisms.
SIEM products have been written off by some as expensive, hard to implement and lacking sufficient standardisation. Setup requires a fair amount of planning, installation, systems integration and training. What's more, running it requires constant monitoring.
Some critics also highlight the danger of being overwhelmed by data. Customers plump for the well-marketed ‘next big thing’, splash out on a SIEM package, and watch in awe as the records of billions of events come flashing across their screen. Then they realise that they do not have the first clue what to do with it all.
Vendors acknowledge that this is a risk, yet argue that it is simply a case of knowing where your priorities lie. Receiving all this data for the first time can be daunting – for many it will be an eye-opener as to how much information they didn't previously have access to – yet rare is the company that isn't grateful for the visibility.