Too much information?

Big customers such as banks could be getting 20,000-30,000 logs a second through a single firewall. Imagine the numbers at eBay or Amazon. It is a huge data challenge. “There's no point in spitting out pages and pages of the stuff,” says Gary Nation, head of SIEM at RSA. “Even a big IT team can't handle too much. Think of it like a funnel. There's all this stuff on top, and you want the stuff coming out from the bottom to be actionable, relevant information.”
It is a matter of thinking about the critical business assets so that the customer can tell the provider which data to collect. A bank may look to prioritise customer-facing applications; a retailer looking to comply with PCI will need to focus on events relating to credit card transactions. Instead of being daunting, the data soon becomes a useful capability. SOC operatives, meanwhile, become far more efficient.
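The funnel described above can be made concrete. The following is an added example, not code from any vendor mentioned on this page: a small Python script that takes constructed firewall log lines, keeps only events that touch assets the customer has declared in scope (a cardholder-data network for a PCI retailer, a customer-facing web network for a bank), and collapses repeated denies into a single actionable alert. The asset inventory, the log format, the IP ranges and the deny threshold are all assumptions made for illustration.

```python
# Added example: an event "funnel" that reduces raw firewall events to a
# handful of in-scope, actionable alerts. Asset inventory, log format and
# thresholds are assumptions for illustration, not any vendor's format.
import ipaddress
import re
from collections import defaultdict

# Assumed asset inventory: the networks the customer has told the provider
# to care about. A PCI retailer would scope its cardholder-data environment;
# a bank might scope its customer-facing applications instead.
ASSET_SCOPE = {
    "cardholder-data": [ipaddress.ip_network("10.10.0.0/24")],
    "customer-web":    [ipaddress.ip_network("10.20.0.0/24")],
}

# Constructed sample lines in a simple key=value syslog style (not a real
# vendor format). 10.30.0.0/24 is deliberately absent from ASSET_SCOPE.
SAMPLE_LOGS = """\
2011-06-01T10:00:01 fw01 action=deny src=203.0.113.5 dst=10.10.0.7 dport=3389
2011-06-01T10:00:02 fw01 action=deny src=203.0.113.5 dst=10.10.0.7 dport=3389
2011-06-01T10:00:03 fw01 action=deny src=203.0.113.5 dst=10.10.0.7 dport=22
2011-06-01T10:00:04 fw01 action=allow src=198.51.100.9 dst=10.20.0.15 dport=443
2011-06-01T10:00:05 fw01 action=deny src=192.0.2.44 dst=10.30.0.2 dport=445
2011-06-01T10:00:06 fw01 action=deny src=192.0.2.44 dst=10.30.0.2 dport=445
2011-06-01T10:00:07 fw01 action=deny src=192.0.2.44 dst=10.30.0.2 dport=445
2011-06-01T10:00:08 fw01 action=allow src=198.51.100.9 dst=10.10.0.9 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scope_of(ip):
    """Name of the business scope containing ip, or None if it is out of scope."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ASSET_SCOPE.items():
        if any(addr in n for n in nets):
            return name
    return None


def funnel(lines, scopes, deny_threshold=3):
    """Reduce raw events to alerts.

    Top of the funnel: every parseable event. First cut: keep only events
    whose destination lies in one of the requested scopes. Second cut:
    collapse repeated denies per (source, destination, scope) and raise one
    alert only when the count reaches deny_threshold. Returns (alerts, stats).
    """
    stats = {"total": 0, "in_scope": 0, "dropped": 0}
    denies = defaultdict(int)
    ports = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        stats["total"] += 1
        scope = scope_of(ev["dst"])
        if scope not in scopes:
            stats["dropped"] += 1
            continue
        stats["in_scope"] += 1
        if ev["action"] == "deny":
            key = (ev["src"], ev["dst"], scope)
            denies[key] += 1
            ports[key].add(int(ev["dport"]))
    alerts = []
    for (src, dst, scope), n in sorted(denies.items()):
        if n >= deny_threshold:
            alerts.append({
                "scope": scope, "src": src, "dst": dst,
                "denies": n, "ports": sorted(ports[(src, dst, scope)]),
            })
    return alerts, stats


if __name__ == "__main__":
    # A PCI retailer asks only for cardholder-data events: eight raw lines
    # become one alert; the three denies against 10.30.0.2 never surface
    # because that network is not in scope.
    alerts, stats = funnel(SAMPLE_LOGS.splitlines(), {"cardholder-data"})
    print(stats)
    for a in alerts:
        print(a)
```

Run as-is, the eight sample events reduce to one alert: three denies from 203.0.113.5 against the in-scope host 10.10.0.7 on ports 22 and 3389. The equally noisy 192.0.2.44 is dropped at the first cut because 10.30.0.2 is not an asset the customer asked about, which is exactly the trade-off the article describes: scope is decided by the business, and the SOC sees only what survives it.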
Vendors can provide out-of-the-box solutions, training on the technology, advice on best practice and consultation on compliance. The hard part for the customer is knowing its own policies and mapping the collected data onto them. Hence vendors are moving towards easy-to-use interfaces that integrate SIEM with other solutions, such as log management, database management and application layer tools, and developing real-time monitoring so that a company can stay on top of compliance year-round.
This scenario, says Mehlam Shakir, CTO at NitroSecurity, is the alternative to “running around like headless chickens for a month preparing for the audit, then forgetting about it for another year”.
HP's big-money punt on ArcSight shows just how seriously the industry is taking SIEM. But even ArcSight's Huff is quick to caution against any shouts of ‘the next big thing’, pointing out that this is not the solution to end all others; he sees it more as an “additive technology”.
It won't stop malicious attacks – you will still need endpoint solutions for that; rather, SIEM is about collecting as much information as possible and making sense of it in order to better arm users in the fight against threats.
The other key bonus of SIEM, Huff says, is that it frames the security issue in a way the average business leader can understand. Suddenly able to see the malicious threats to the network, they are more likely to do something about them. As such, it could be a real boon to security intelligence.
“Endpoint tools don't work when it comes to boardroom discussions,” says Huff. “They don't give you any visibility. SIEM lets people look at their organisation's security from a technical perspective and create a dialogue: ‘Here are the bad things going on across your network, and here's how to shore up your defences.’”
So what can we expect from the SIEM space in the future? For one, consolidation – the current glut of smaller vendors may soon go the way of ArcSight, as more of the big boys plant their flag in the security patch.
Second, there will need to be a move toward standardisation. “In five years' time, you will see a common profile for security technology,” explains Roth. “It could well be a case of saying ‘do these 12 things and you shouldn't end up being sued’.”
Yet SIEM remains just one part – albeit a key part – of an organisation's wider security infrastructure. As the industry moves toward the adoption of security intelligence platforms, it will have to fight for its place alongside other solutions that help provide defence in-depth – think data filtering, IDS and encryption.
Regulation is hardly going to disappear overnight, and the future for organisations is certain to involve ever-more malicious attacks in the Stuxnet mould, as well as an increasing threat from within. So it seems that CCTV could well come in handy.
SIEM as a service
Given the obvious benefits of SIEM to businesses of all sizes – right down to the smallest retailer handling credit card payments – there are clear advantages to making its provision as cheap and uncomplicated as possible. Vendors are taking this fact very seriously, putting an outsourced solution at the centre of their plans: working with managed security service providers (MSSPs) and taking steps to move to the cloud. The latter presents hurdles, with some saying the migration will make the current model of SIEM provision redundant – yet vendors are bullish about the prospects.
SIEM vendors already have a history of working with MSSPs – third parties that take the raw SIEM technology and spin it into tailored packages. Rather than having to bring solutions in-house, end-users can instead subscribe to specific remote services – to aid compliance, for example. This may be PCI-as-a-service, or a package to cater specifically for ISO 27002. It is not a huge leap to imagine the likes of Integralis developing a compliance package for GPG13, which applies to all organisations working with the Government.
Dell's purchase of MSSP SecureWorks earlier this year can be taken as vindication of the outsourcing model, and shows where the industry is heading. LogLogic has been offering its SIEM technology via third-party organisations such as Verizon for several years, and says the take-up of outsourced solutions is accelerating. NitroSecurity also reports an uptake in managed service activity, and says the provision of enabling technology for MSSPs to provide to customers is central to its strategy. Again, it has found this to be particularly popular in PCI compliance.
However, one cannot examine developments in SIEM without hearing mention of the cloud. That migration has happened in log management, and there are movements among SIEM vendors to provide managed SIEM services in the cloud, too. This provides real benefits for smaller organisations, easing the cost and burden of implementation even further. The cloud removes the need to deploy their own solutions, hardware and software; instead they simply subscribe to whatever services they need for a few pounds a month – and can drop and amend as required.
Yet a huge amount of uncertainty still exists around the cloud, and there are issues to overcome in SIEM as in any other technology. The question facing SIEM vendors in the future will be whether they can re-engineer their current solutions, designed to be the be-all and end-all security solution for the customer, to suit a model where security and incident response increasingly pass to IaaS providers, with control increasingly distributed and shared. Here the end-user business becomes the consumer of information and an audit point – a huge shift from the in-house model.
Overall, though, the cost and labour benefits of SIEM as a service remain strong. End-users are demanding security as a utility – they simply want to plug it in and run it.