Recently I have had the privilege of being involved in the selection of a SIEM (Security Information and Event Management) system. It really was an eye opener.
Up to now I had mostly worked as a technical engineer, and although security had been one of my main focus points in my work, I had never had insight at such a high level.
A SIEM basically takes the logs of all key devices (e.g. Windows 2k3 servers, an IDS (Intrusion Detection System), a firewall, etc.) and shows the data that is security related. Rogue access points detected by company access points, MAC flooding detected by switches and a port scan detected by an IDS are examples of log entries that could be picked up by a SIEM. Most SIEM systems can correlate this data too, and are especially powerful when combined with an asset database. For example, if an IDS sees an exploit that is targeted at a certain webserver, it sends the information to the SIEM. The SIEM is connected to an asset database and looks up all the information it knows about that webserver. Having done so, it generates an alert to notify the IT staff. But it can do more than alert on the one server that is being attacked: it can also look up all webservers that are running the same software version and generate a warning for those servers, which are not yet under attack but could be next on the attacker's list and thus form a risk.
Some systems can also generate a URL to BUGTRAQ or SecurityFocus to inform the IT staff of the exact problem and perhaps even a fix that is already out!
Now that I have seen these systems in action, I can't imagine a (large) company can do without one!
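As an added illustration (not part of the original post, and not any vendor's code), here is a small Python model of that correlation step: a constructed IDS event is enriched from a constructed asset table, an alert is raised for the attacked host, and a warning is raised for every other host running the same software version. All hostnames, IP addresses and version strings are made up.

```python
"""Toy SIEM correlation: enrich an IDS event from an asset database, alert
on the attacked host and warn about peers on the same software version.
Every asset, address and signature below is constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Asset:
    hostname: str
    ip: str
    role: str
    software: str  # e.g. "apache/2.0.52" as recorded in the asset database
    owner: str


# Constructed asset database, keyed by IP address (not a real inventory).
ASSETS = {
    "10.0.1.10": Asset("web01", "10.0.1.10", "webserver", "apache/2.0.52", "web-team"),
    "10.0.1.11": Asset("web02", "10.0.1.11", "webserver", "apache/2.0.52", "web-team"),
    "10.0.1.12": Asset("web03", "10.0.1.12", "webserver", "apache/2.2.3", "web-team"),
    "10.0.2.20": Asset("db01", "10.0.2.20", "database", "mysql/5.0", "dba-team"),
}


def correlate(ids_event, assets):
    """Return the SIEM notifications produced by one IDS event.

    ids_event has 'src_ip', 'dst_ip' and 'signature'. The first result is an
    ALERT for the attacked host; WARNINGs follow for every other asset whose
    software version matches, since they could be the attacker's next target.
    """
    target = assets.get(ids_event["dst_ip"])
    if target is None:
        # Unknown asset: still alert, but without owner/role enrichment.
        return [{"level": "ALERT", "host": ids_event["dst_ip"], "owner": None,
                 "reason": ids_event["signature"]}]
    notes = [{"level": "ALERT", "host": target.hostname, "owner": target.owner,
              "reason": ids_event["signature"]}]
    for asset in assets.values():
        if asset is not target and asset.software == target.software:
            notes.append({"level": "WARNING", "host": asset.hostname,
                          "owner": asset.owner,
                          "reason": f"runs same software as attacked host {target.hostname}"})
    return notes


# Constructed IDS event (no real traffic was captured).
IDS_EVENT = {"src_ip": "203.0.113.5", "dst_ip": "10.0.1.10",
             "signature": "HTTP exploit attempt against apache/2.0.52"}

if __name__ == "__main__":
    for note in correlate(IDS_EVENT, ASSETS):
        print(f"{note['level']:7} {note['host']:6} ({note['owner']}): {note['reason']}")
```

Running the script prints one ALERT for web01 and one WARNING for web02; web03 and db01 stay quiet because their software differs.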
Tags: linkedin
What about smaller organizations? I’m skeptical of the value a SIEM provides. I am the only guy doing security ops and have a million and one other things to do too!
Hackers and fraudsters target small businesses because they don’t have the resources and defenses. A recent article on Dark Reading talks about the rise of botnets among SMBs – this is just one example. http://www.darkreading.com/security/client/showArticle.jhtml;jsessionid=LBUDONOIXDTDQQSNDLRSKHSCJUNN2JVN?articleID=217300483
SIEM tools have so many capabilities that people don't even realize, which can make your job as the security ops guy that much easier. I bet if you started to look at SIEM tools from the security ops perspective, you would realize the value many of these tools have to help you.
I know how you feel, I have had the same problem in my previous job. I was always patching and clearing up messes, instead of pro-actively monitoring and anticipating events. A SIEM would definitely take work out of your hands in the long run, but the cost of the SIEM cannot be justified for small organizations. Not with the SIEM systems currently available anyway (at least the ones I know of).
I feel that in the future SIEMs are going to be more important because the internet is going to be more and more integrated into our business models and IT systems. Full (real-time) monitoring and taking action accordingly will be necessary to keep the malicious users out, a task which a human can no longer do as networks and systems get too complex to correlate.
This means smaller organizations (although their networks are not as complex) will need a SIEM (or at least some sort of log analysis) too.
So, I think there are going to be only two options for smaller organizations in the future:
- Hope that some company will develop a SIEM system which is not as costly as the ones there are right now, and therefore justifies the cost of purchasing and maintaining it,
- Outsource their security (log) analysis (or complete IT) to a company that provides this service.