Though a relatively new idea, Security Information and Event Management (SIEM) has evolved to become an important tool used on networks to centralize the storage of logged events. SIEM works a little like this: computer networks generate events that are kept in event logs. These logs are, more or less, a list of activities that occurred on the networked computers. SIEM is software that organizes and stores these records.
SIEMs are often used to help satisfy U.S. regulatory requirements such as Sarbanes-Oxley and PCI-DSS. Wanting to know more about SIEM, I contacted Alison Andrews, CEO of Vigilant LLC.
Can you further explain SIEM for those who are unfamiliar?
Alison Andrews: SIEM stands for Security Information and Event Management. These products centralize log information and other security data, and correlate information from multiple sources in real time. When well-implemented, this enables centralization of many security management functions through a single console, makes incident response and forensics much more efficient, and delivers comprehensive reporting for audit and other purposes.
The most flexible SIEM products also enable integration of business context data for fraud detection, loss prevention, and monitoring of other transactional events that are critical to business risk management.
What should a company expect from SIEM?
Andrews: SIEM buyers should expect to achieve measurable efficiencies in daily security operations, and greater business-oriented security intelligence. By reducing the number of analysts needed to respond to security alerts, headcount can be reassigned to more proactive functions. A solid SIEM implementation should generate reports and dashboards for role-based visibility into the state of the entire enterprise from a security perspective.
This visibility should certainly be designed to support real-time monitoring workflow. But it should also support business decision-making by IT managers and executives concerned with overall IT and business risk – the people who make budget decisions, and need assurance that critical assets are protected and that security, overall, is improving over time.
What are the best management processes for SIEM?
Andrews: First, it’s very important to deploy methodically, and in phases. Second, you need clearly defined roles for how the SIEM filters, correlation rules, and other components will be refined and updated over time. Third, companies that are most successful with SIEM have high-level executive sponsorship and see it as a tool that serves more than the immediate needs of IT security teams.
Over time, a mature SIEM deployment can provide increasingly sophisticated functions across the whole IT organization, and can directly support the risk management needs of many departments and business units.
What are the risks associated with SIEM?
Andrews: A haphazard process of deploying SIEM, without regard for the specific information you need to see, causes many problems. You can end up collecting more data than is reasonable to store, or bog down system performance. Worst case, without the right configurations, you can end up falsely assuming that the environment is more secure than it really is, leaving you open to preventable security incidents and audit deficiencies.
Are there risks that require custom management?
Andrews: SIEM is a powerful tool, but you can’t rely only on what comes out of the box. Every SIEM requires at least some measure of customization, and will return value proportionate to what you put into it. These days, no one can afford cost-consuming products that can’t be justified. So in making a SIEM investment you need to consider not only the cost of the product and initial installation, but how you will develop it over time.
The good news is that as the SIEM market has matured, the products provide more out-of-the-box value than ever before, and there are well-established options and best practices for making optimal use of the technology that can fit various budget levels, whether you decide to do it in-house or get outside help.