Enterprises have been using security information and event management (SIEM) systems mainly for compliance reporting to meet PCI DSS and other mandates, but infrastructure vendors are trying to develop a new breed of more powerful SIEM platforms that can enable IT teams to apply analytics to system data.
Growing networks have created a larger attack surface for cybercriminals, and while early SIEM deployments could collect logs from a few appliances, they have grown to support a vast array of network devices, said John Kindervag, principal analyst at Cambridge, Mass.-based Forrester Research Inc. While vendors are betting on more robust SIEM platforms, whether or not enterprises have the money and expertise to do the kind of powerful event correlation needed to understand the threats on the network is still anyone's guess, Kindervag said.
According to a Forrester survey of IT decision makers at 157 organizations, the primary use case in more than 80% of SIEM deployments is reporting for compliance mandates. Fewer than 40% of respondents said their organizations use the technology's event correlation capabilities.
"SIM is a reporting tool driven by PCI compliance, and it wouldn't exist if PCI hadn't come out," Kindervag said. "People get enamored by event correlation, but that's just not how it works in real-world deployments."
The survey, conducted on behalf of San Jose, Calif.-based log management vendor LogLogic Inc., found reports generated by the systems are currently serving IT auditors, the CIO and other C-level executives. But the survey report concludes that SIM will become the foundation for comprehensive IT data analytics.
Brendan Hannigan, CEO of Q1 Labs, is betting his firm's customers will want to get more out of their SIEM deployment. Hannigan, whose firm was acquired by IBM recently, is going to lead a new division that brings together all of IBM's security offerings. With Q1's SIEM platform as the foundation, IBM plans to tie together its database security, endpoint management, network security and application security offerings and bolster them with analytics capabilities to get more actionable data out of those systems.
"There is a fundamental change that is occurring in the security world where focus is moving from individual point products solving a particular job to something more expansive," Hannigan said.
Firewalls, IPS appliances and database and application servers generate heaps of data that can help organizations better understand the threats to their network and ultimately give CISOs the ability to make wiser security decisions. It's the need for a more powerful analytical engine to get value out of all that data that is driving large infrastructure vendors such as IBM and HP to acquire SIEM systems, according to analysts.
HP is so bullish on the technology that it shelled out $1.5 billion in 2010 for ArcSight, arguably the leader in the space. RSA, the security division of EMC Corp., is merging its EnVision SIEM system with its newly acquired NetWitness network monitoring platform, which adds network context and analytics to SIEM data.
Analysts agree that many of the early SIM vendors may not be able to handle the processing power needed to apply analytics to different data sources. Scalability is turning out to be one of the most important capabilities of SIEM systems, said Mark Nicolett, vice president and distinguished analyst at Gartner Inc. SIEM platforms that can support heterogeneous event sources on a broad scale have a better likelihood of maintaining a strong market presence, Nicolett said.
Gartner believes SIEM systems should be able to efficiently collect logs and have real-time monitoring capabilities. "If a vendor doesn't have both, they'll end up only being marginal in the market," he said.
SIEM systems are good at collecting data, but they need tools that help analysts manipulate the data to uncover various aspects of an incident or find anomalies that raise concern, said Amit Yoran, senior vice president and general manager of the security management and compliance business at RSA, The Security Division of EMC.
"With complex attacks and advanced threat actors, your current assessment can't be limited to just the traffic you are seeing at this moment," Yoran said. "An action may not set off alarm bells when it is isolated on its own, but when you have it in context, it gets a lot more interesting."
The former NetWitness CEO is overseeing the integration of the technology into the RSA EnVision SIEM platform. EnVision, Yoran said, really shined in efficiently retaining large amounts of data and in understanding diverse logging formats and protocols. At the same time, Yoran said he is practical about how powerful a SIEM system can be for an organization.
"I don't think the possibility of a singular data repository that collects all relevant information critical to security analysis is ever going to exist," Yoran said. "This one-size-fits-all, build-something-large approach doesn't seem to be a practical way for large enterprises to operate."
Enterprises may start off with compliance mandates in mind, but if there is a choice between buying a SIEM system that is only strong in log management or a system designed for log management and real-time monitoring, most organizations will see value in the monitoring unless there is a huge premium on the price. Nicolett said he is watching HP ArcSight closely, since HP has left ArcSight's core development teams intact, enabling the SIEM vendor to quickly come to market with new features. Under HP, ArcSight has done a better job of supporting large deployments, he said.
Tom Reilly, vice president of HP enterprise security and the former CEO of ArcSight, said SIEM should be the integration platform of an enterprise's security program. Like RSA and IBM, HP is also developing tools that give enterprises a better look at network threats by ramping up analytical capabilities in ArcSight's SIEM platform. "It's all about network awareness," he said.
"If you believe in the tenet that every company has to move to gain security visibility, they all need to invest in SIM," Reilly said. "I hear those complaints around complexity and cost, but I hear more about successful implementations: better time to value, prebuilt integration and ease of use."
HP is striving to make IPS and log collection an out-of-the-box experience, Reilly said. The goal is to target companies with limited IT staff and expertise by providing prebuilt interfaces for integration, he said.
Having out-of-the-box capabilities drove McAfee to acquire NitroSecurity this month and begin merging the NitroView family of products into the ePolicy Orchestrator suite. McAfee had a close relationship with NitroSecurity and saw its proprietary database, which provides correlation and profiling capabilities, as a strong differentiator from other SIEM vendors, said Martin Ward, senior director of risk and compliance at McAfee.
"Speed with NitroSecurity is over the top," Ward said. "Reports that are being run by existing SIEM vendors can take hours and hours, whereas Nitro can do it in minutes."
The future of SIM appears to be data warehousing technology with powerful analytical tools that help IT teams crunch a massive amount of data, said Forrester's Kindervag.
"It's really about making better decisions based on facts, not conjecture," Kindervag said. "If IT departments can take actionable data out of their systems and put it to use, we could see more decisions that align with the business side and address threats based on their risk impact."