Product white paper. ROI and SIEM. How the RSA envision platform delivers an Industry-leading ROI

Transcription

1 Product white paper ROI and SIEM How the RSA envision platform delivers an Industry-leading ROI

2 This paper examines the Return on Investment (ROI) that a quality security information & event management (SIEM) solution can deliver to an organization. SIEM ROI depends on several factors, including a user s compliance and security obligations, the size and complexity of the IT environment and any current log management processes. There are hard and soft costs associated with SIEM. If you do not currently have a SIEM solution in place, you ll incur costs like manual log review, manual report and audit preparation, fines (for noncompliance), and worst of all, increased risk exposure. If your SIEM solution is inadequate, you ll spend too much time trying to make it do what you expected it to do, and keeping it from ceasing to collect, aka falling over. Even under the best of circumstances with a high quality SIEM tool you ll need to invest a certain amount of time and money to derive the maximum benefit, or ROI, from the solution. One final comment before we dive into SIEM ROI. Too many ROI documents choose to base their arguments solely on catastrophic cost avoidance scenarios. In the case of SIEM and log management vendors, the ROI calculations are often based on massive data breaches like the ones at TJX (45 million records in ), Card Systems (40 million records in 2005), where the resulting costs incurred have reached into the hundreds of millions of dollars, or the U.S. Department of Defense, who reported last April that it had spent over $100M in the previous six months on staff time, technology and contractors to repair and respond to cyber attacks and other network incidents. There s no problem with that approach, since the risk of a large-scale data breach is real for any organization whose business depends on data that could be valuable to others, and if invoking such incidents helps you make the case for the purchase of a quality IT security tool, go for it. Nevertheless, we ve opted, in this paper, to stipulate the catastrophe justification, and focus our attention on the more common and immediate benefits such as the time and money you can save when working with a SIEM solution that: Includes meaningful automation capabilities, Minimizes the time and cost associated with log storage and archival, Allows users to work with the data collected quickly and easily, and Decreases the time spent managing the moving parts of common SIEM solutions. Most solutions carry acquisition costs, implementation costs, administration costs and ongoing maintenance costs. Costs vary significantly depending upon deployment size and solution. 2 RSA White Paper

3 The soft costs are harder to calculate but often most damaging in the long run. These costs relate to the value placed on critical data, the value of lost customers as a result of a public breach, and other risks not as easily quantifiable. Security Information & Event Management is the name of the approximately 20-year-old technology sector whose solutions collect and analyze event logs that come from all types of devices and applications in a given IT infrastructure. SIEM solutions have taken various forms and different tools specialize in different aspects of log management, monitoring security, proving compliance and/or maximizing IT operations. Most solutions carry acquisition costs (i.e., buying the hardware and/or software), implementation costs (installation, customization, training, etc), administration costs (i.e., resources needed to operate the tool) and ongoing maintenance costs. Costs vary significantly depending upon deployment size and solution. Determining the ROI or the value you derive from a SIEM solution is not easy. No one buys a SIEM solution to generate revenue. It isn t a cotton candy machine. That said, most buyers especially these days need to be able to quantify the value a SIEM solution will bring to their organization. The value a SIEM solution can provide depends on what your organization needs to get done monitoring threats and demonstrating compliance, for instance and even the penalties for not doing some things, such as failing to comply with an audit. Most experts who for years argued for or against a return on security investment (ROSI) agree that the value a SIEM solution brings is primarily in the realm of cost avoidance, not return as it s defined in the purest economic sense. So whether you re looking for a ROI, ROSI, total cost of ownership (TCO) or a break-even point, the goal is demonstrable value. To understand just how much value you can derive versus the cost of certain existing elements, or hard costs, such as: People and tools used to handle and investigate security incidents People and tools used to generate reports Infrastructure costs such as log storage platforms Audit requirements and methods; and Staff involved in the capture, transfer, storage and archiving of compliance-related information to and from multiple systems. Technologies that free up staff may not reduce costs, especially if you re already doing more with less. They will, however, allow you to get more done without increasing headcount. The soft costs are harder to calculate but often most damaging in the long run. These costs relate to the value placed on critical data, the value of lost customers as a result of a public breach, and other risks not as easily quantifiable in dollars, man hours or cleanup. They include: Mission-critical business or personally identifiable customer information; Data relating to Intellectual Property; Potential customer defection rates; and Brand equity. RSA White Paper 3

4 What You Need to Know Before You Buy a SIEM Tool Shopping for a SIEM solution is not easy. Most solutions are partial, doing one thing (log management, for example) well but failing to fulfill customers multiple needs. Others many of them small start-ups have failed to gain broad acceptance and now dedicate their efforts to niche markets in which their technologies are particularly well suited. Still others provide pretty graphics but few useful outputs, compensating for their collection and performance shortcomings by trying to convince customers that the subset of data their solution processes is all you need, that a sexy GUI is more valuable than reliable collection, or controlling product trials with hand-picked data and close supervision. Such SIEM solutions deliver poor ROI because they require users to dedicate numerous resources and countless dollars to simply manage and maintain the tool. Often times, the management and maintenance tasks have nothing to do with the goal of the solution, i.e., monitoring the real-time security of your IT infrastructure, and/or proving compliance with one or more government or industry regulations. Vendors requiring customers to buy additional hardware such as relational databases, software licenses, agents for every device and application collected from, and frequent storage for rapidlyfilling and slowing RDBMSs can very often force you to spend more time managing secondary elements of the SIEM solution, before they even derive any benefit from the SIEM solution itself. First Time User The return a comprehensive SIEM solution can deliver depends very much on your starting point. Your benefits will be immediate and quantifiable if you have no logging solution at all, or are monitoring logs in a siloed fashion, i.e., on each device, such as a firewall. In either case, you re getting zero event correlation, and are unlikely to be in a position to monitor your IT infrastructure or demonstrate compliance. For example, anyone manually collecting and reviewing firewall logs in an effort to comply with the Payment Card Industry (PCI) Data Security Standards would incur the following hard costs: The purchase and integration of multiple hardware and software platforms; Multiple teams to collect, store and retrieve for audit purposes the log data; and Storage hardware and the management of it. This example would also result in missed opportunities and soft costs such as: Zero event correlation and therefore none of the associated security benefit, Little to no log consolidation and therefore minimal forensic capability and The increased likelihood of committing errors in the audit prep process. Most solutions are partial, doing one thing well but failing to fulfill customers multiple needs. For those first-time SIEM buyers, the benefits of acquiring a quality SIEM solution are several: Automated collection, compression and storage of logs from all IT devices and applications; Real-time security monitoring and threat detection; Comprehensive forensic capabilities; Automated and customizable correlation rules and alerts; Canned compliance reports; and Full visibility into the IT infrastructure. 4 RSA White Paper

5 For those who currently have only a partial SIEM solution the transition to a complete SIEM can bear fruit immediately Upgrading a SIEM Solution For those who currently have only a partial SIEM solution little more than simple log collection, for example, or an inhouse built log management solution from several different tools the transition to a complete SIEM can bear fruit immediately. Some of the benefits include: Time saved: Migrating from multiple SIEM piece parts to a single SIEM solution immediately consolidates the work of collection and allows users to focus on the outputs; Money saved: Many SIEM solutions require the purchase of additional hardware or software, the maintenance for both, and/or the teaming with a second solution either strictly SIM or log collection to produce full log collection and security information management functions; More automated security monitoring, through correlated alerts based on events occurring in different parts of a network; Faster incident handling/threat management, through the out-of-the-box integration with other security information sources such as configuration management databases and vulnerability and asset management; Lower total overall costs via a single solution, as opposed to one that requires user s to manage a relational database for log storage and a separate platform for log archival; Fewer hours devoted to administration of the tool, due to reliable and agent-less log collection and out-of-thebox support for a broad array of devices and applications; Lower storage costs due to an industry-best data compression; and Greater security from an all-inclusive, collection-toretention solution and time-tested monitoring, reporting and correlation capabilities. The RSA envision Platform RSA envision technology has been a leader in the SIEM market for several years. As of this writing, the envision platform is the SIEM tool of choice for over 1700 customers of all sizes, in all verticals around the world. It leads the SIEM sector by combining: Best-of-breed collection A 3-in-1 compliance, security and IT operations optimization solution, Industry-best log compression rates, Utilization of event logs from all types of IT devices and applications, and A soup-to-nuts collection-to-retention SIEM solution. For many envision platform customers, whose deployments have expanded as their organizations and businesses have grown, RSA envision technology would not have continued as their SIEM solution had it not been able to scale as required, and if it had not been worth their initial investment. From those customers, the RSA envision platform continues to deliver the best ROI in the SIEM market. RSA White Paper 5

6 Customer ROI Experiences with RSA envision Example 1: A Publicly-traded, U.S.-based Company with PCI Compliance Needs This firm had, for years, used disparate tools to collect only logs from its intrusion detection systems and intrusion prevention systems and needed to beef up its SIEM capabilities if it wanted to meet its goals of (a), staying off the front page by avoiding a large data breach and (b), expanding the monitoring efforts across their entire network. After conducting a study of the 5-year TCO of a SIEM deployment, the company evaluated several SIEM vendors solutions and selected the RSA envision platform. The benefits included immediate savings on the considerable maintenance costs associated with the multiple databases and server hardware it had used to collect and store logs. In addition, the company went from needing 1.5 Full-time equivalents to collect and review just the IDS/IPS logs, to using just 1/4 of an FTE to collect, monitor and report on the 170 million daily logs the firm s devices, including over 400 Oracle databases, generate. Even with the manpower reduction, the company has maintained an SLA of five (5) minutes for Incident Response time, something that used to take them anywhere from 20 minutes to 3 hours. Example 2: A UK-based Service Provider Delivers Compliance, Streamlines Log Management At one UK government agency, it was estimated that in order to meet Memo 22 basic compliance (UK Government security auditing standard) it would take 6 man years each year to manually extract and review the event logs. With the RSA envision platform deployed, it is possible for a single member of the Operational Security team to spend around 4 man hours per week producing the reports required and conducting subsequent investigation. Example 3: A National Cooking Supply Company Cuts Incident Response by 75%, Audit by 50% A leading cooking supply chain has relied heavily on the envision platform to prepare for upcoming Sarbanes-Oxley (SOX) and Payment Card Industry audits. The security team there selected the RSA envision platform to help comply with PCI and other security requirements and to reduce the amount of time [the] staff spends on compliance audits. As a result, the company has been able to cut by 50% the time it takes to perform a security audit, and to reduce by 75% the security team s incident response time, according to the firm s information-security manager. Example 4: Healthcare firm uses the RSA envision platform to Reduce Risk, Speed Up Incident Response The operations team at a national healthcare firm in the U.S. needed to be able to prioritize incident management in order to repair its servers in order of the criticality of the data managed on each server. With the RSA envision platform, the team customized its dashboards to list the servers with the highest number of critical and warning errors, allowing the team to quickly and easily identify and repair its most important servers. Example 5: Healthcare Company Reduces Logging Workload, Improves Data Visualization This healthcare firm s virtualization team had been pulling logs onto a Linux virtual machine and then manually searching system events (asynchronous I/O storage events) and failed authentication events. With the RSA envision platform, the team was able to collect, compress and store the events centrally; and using the RSA envision Event Viewer, had a single interface into the data. At the same customer, event logs used to be archived locally on Windows servers and included in the daily backup. About 4 hours per day were spent resolving issues related to this backup process. The service provider saw a 70% reduction in the time it took to carry out the backup, thanks to the log compression rates generated by the RSA envision platform. The MSSP s customer also enjoyed the freeing up of local server disc space through the centralization of the collection and backup of security events. 6 RSA White Paper

7 Other RSA envision platform ROI Success Stories A large U.S.-based retailer realized a 60% savings in the time it spent satisfying SOX and PCI requirements, allowing it to increase its Cisco ACS log analysis by 500%, leading to better threat detection and an improved overall security posture. Thanks to high data compression rates in the envision platform, a large U.S. financial institution with strict log retention requirements was able to save 80% of their file share disk space and the man hours associated with log purging and maintenance issues. The firm was also able, for the first time, to store the logs in their raw format and in a tamper-proof manner. A financial institution realized significant manpower savings on incident handling and forensic analysis. In one example, a denial of access investigation that used to take the company s security analysts 4 days took 10 minutes with the RSA envision platform. Summary All of us, whether in making a case for the purchase of a technology or defending the purchase of one, need to be able to quantify the value a technology will bring to an organization. With security technologies, we need to be able to justify or defend a purchase in terms of ROI, TCO, breakeven or some other metric. In most cases, avoiding the consequences and costs of excessive risk exposure will form the primary basis of a purchase. What is important is that buyers of tech products and services are able to quantify the value the products and services deliver. While your SIEM tool will never deliver a return in the strict economic sense, the best ones deliver quantifiable value, helping you not only to minimize risk and avoid the costs associated with data compromise, but to gain process and workflow efficiencies. As with any significant investment, we should judge SIEM solutions ROI or value not on their performance over weeks or months but over a term of several years, which is most likely how long their day-to-day users expect to benefit from them. What is important is that buyers of tech products and services are able to quantify the value the products and services deliver. RSA White Paper 7

8 About RSA RSA, The Security Division of EMC, is the expert in information-centric security, enabling the protection of information throughout its lifecycle. RSA enables customers to cost-effectively secure critical information assets and online identities wherever they live and at every step of the way, and manage security information and events to ease the burden of compliance. RSA offers industry-leading solutions in identity assurance and access control, encryption and key management, compliance and security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit and RSA Security Inc. All rights reserved. RSA, envision and RSA Security are registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. EMC is a registered trademark of EMC Corporation. All other products or services mentioned are trademarks of their respective owners. ENVROI WP RSA White Paper