10 Reasons Your Existing SIEM Isn't Good Enough


Technical Whitepaper: 10 Reasons Your Existing SIEM Isn't Good Enough. eiqnetworks, Inc., World Headquarters, 31 Nagog Park, Acton, MA

TABLE OF CONTENTS

Introduction
New Security Management
Problems with Current Generation SIEMs (Your SIEM Isn't Good Enough)
Reason No. 1 - Scalability
Reason No. 2 - Time to value
Reason No. 3 - Cost
Reason No. 4 - Does not streamline the audit preparation process
Reason No. 5 - Fixed deployment form factor
Reason No. 6 - Difficulty in detecting evasive attacks
Reason No. 7 - Logging can be turned off
Reason No. 8 - Blind to network flows
Reason No. 9 - Doesn't analyze configuration changes
Reason No. 10 - Cannot see the relationship between the data points
eiqnetworks Redefines Security and Compliance Management
SecureVue Architecture
Additional Info

Introduction

The security industry has seen a lot of action in the past 15 years. Hackers have been busy discovering vulnerabilities and developing new threats to exploit them. Manufacturers have built point solutions to secure computer networks and applications from those threats. Enterprises have responded in turn, making significant investments in token-based authenticators, firewalls, intrusion prevention, identity and access management, security; the list goes on. The result has been more and more hardware and software tools sitting on enterprise networks, requiring additional management and generating reams of data. Sure, enterprises are doing more to secure their networks than they did 15 years ago. But are they more secure? The answer is a resounding no, based on the fact that we are continuing to see new and innovative attacks. These attacks are also more dangerous, as attackers are now financially motivated. The only significant difference between the enterprise network of today and that of 15 years ago is the complexity of the technology. We're dealing with Web applications and service-oriented architecture (SOA) now instead of client-server architectures. This complexity is creating significant challenges in how we protect our information and in our ability to answer the questions: Are we secure? Is our data protected? Enterprises have turned to security information and event management (SIEM) solutions to help them answer these questions as well as address forensics or security operations issues. But SIEMs have only solved a portion of those problems. For the most part, SIEMs have failed to do what they promised. To be blunt, the current generation of SIEM products don't measure up. But before we can fix them, we need to know how they're broken.
New Security Management

Let's take a closer look at the problems we want a SIEM to solve. As previously mentioned, enterprises are deploying multiple point products, from antivirus to Web-content filters. Each of these point products generates data but stores that data in its own data silo. None of these systems shares any of the data it collects. As a result, these point products increase the cost and complexity of security management, limit end-to-end visibility, and generate false positives, all while missing attacks. Look at it this way: over a period of two years, the typical organization adds four new security products to its network, and each one requires a large portion of two people's time to manage. That means every two years your enterprise needs to increase its headcount by eight. When was the last time your organization hired two technicians to manage one piece of technology? Funds are hard enough to come by without adding new headcount. So if your organization is not going to populate, it needs to automate. And you need to find ways to be more effective and more efficient.

Central to being more effective is being able to react faster. Sooner or later, your organization WILL be attacked. That's just a fact. The security industry cannot get ahead of today's threats. Every time we try to predict where an attack will come from, we're horribly wrong. Thus, it's a fool's errand to focus on trying to predict tomorrow's attack. What we can do is figure out what's happening in the environment, factor in the reality that we will be hit, and be prepared. You should know how you'll respond to an incident, how quickly you'll respond, how you'll contain damage, and how you'll remediate the issue. You should aim for the smallest window of time between acknowledging an issue and fixing it, all with the help of a security management tool. This security management tool must help you focus on the areas of most significant risk, to guide your investigative efforts and help you respond to incidents as quickly as possible. By the same token, you need a solution that supports forensic and analysis efforts. It should give you the data needed to determine what happened, allow you to store that data for a specified period of time, and do so in a manner that will stand up in court. Security management is also complicated by increasing regulatory compliance requirements and audit preparations. Smart enterprises know that if they take the correct approach to security, a lot of their compliance activities will be taken care of. So you do security first; protect your information. Then it comes down to proving compliance by documenting how your technical security controls achieve the spirit of the regulations. These same controls apply to multiple regulations. The firewall or scanning solution you implemented for PCI compliance is also relevant to SOX or HIPAA. In today's environment, which demands doing more with less, you must leverage the technical controls implemented to prove compliance with multiple regulations. And you should be able to do so efficiently.
Nobody has extra time to gather data from a whole raft of element management systems. You need a solution that will see every point solution and all the data generated by them, and compile the appropriate information for any given regulation. Automating audit reports frees you up to spend time on more strategic activities, making your team more effective. There's a theme here: efficient security management demands data leverage. Your security management tool should leverage a unified data model to support security operations, compliance automation, and forensics/log management, giving you an understanding of your organization's security posture, both within business divisions and from an enterprise-wide perspective. In short, a security management tool should provide you with situational awareness of your technology assets and your organization's security posture at any given time. Can you say that your existing SIEM does that?

The Problem with Current Generation SIEMs

If the market is any indication, your answer is a resounding No. SIEM is not the security and compliance management answer organizations have been seeking. The proof is in the numbers. If SIEM were solving problems, it would be a much bigger market. After eight years, SIEM is barely a $300M market. Compare it to anti-spam, which grew from nothing to over a billion and a half dollars. Money follows the problem, and if a technology category is solving the problem, there are a lot of winning companies in that space. That just isn't the case with SIEM. Here's why:

Reason No. 1 - Your SIEM Isn't Good Enough: Scalability

Many existing SIEM products are built on relational databases, which severely limit their scalability in an enterprise environment. A relational database is wonderful if you're building a transaction engine, but if you're trying to capture a hundred million or a billion events per day, as you are with a security management tool, it's not going to work. First of all, a relational database requires expensive equipment for a distributed architecture. They also use complicated rule sets, requiring a dedicated database administrator to manage them. How likely are you to scale your SIEM if you need to hire a dedicated administrator and purchase additional equipment before you can get anything out of it?

Reason No. 2 - Your SIEM Isn't Good Enough: Time to value

How often are you given months to get a project done, especially when it comes along with writing a big check? It's absolutely critical you get a quick win for big-check purchases, because time is money. And nowadays money is tight. If it takes months to deploy a new SIEM, plus an army of consultants to assist with heavy integration requirements, someone's going to be breathing down your neck. Complexity and time-to-value issues are very hard to overcome, and they make it hard to get a reasonable payback from your investment. You need a security management tool that will quickly prove its worth with pre-built rules, out-of-the-box reports, and flexible data inputs. These features will help you accelerate the time to value, and improve your worth as you become more efficient and effective at more strategic tasks. How long did it take to deploy your existing SIEM?

Reason No. 3 - Your SIEM Isn't Good Enough: Cost

The higher the cost of a product, the more time it takes to realize a return on investment. A seven- or eight-figure investment requires a huge value for payback. It is also a challenge to realize a return when the investment itself continues to grow.
You've signed the check for a SIEM, but to run the thing you need a DBA. Your organization has acquired a competitor, so now you've got an additional set of locations to support, with additional systems adding additional complexity. You need a solution that you can deploy in phases. You're not going to monitor all the devices in all of your locations right off the bat. Your product should allow you to start small and deploy in phases. How flexible is your existing SIEM in supporting a phased deployment?

Reason No. 4 - Your SIEM Isn't Good Enough: Does not streamline the audit preparation process

Are you assembling audit reports manually? There's no reason you should be. Preparing for an audit will never be completely automatic, but we can certainly make it more automated than it has been in the past. And it's more important than ever that we do, given the increasing number of regulations with which enterprises need to prove compliance. Gathering and analyzing data can and should be part of your security management tool's audit preparation engine. We're not just talking log data. The SIEM should include ALL relevant data, including performance and configuration data, to help prove technical controls. Furthermore, your security management tool should map controls to multiple regulations. If you're a big company that must comply with PCI, OSHA, and HIPAA because you offer self-insurance, you shouldn't have to gather the same technical information three different times. The security management tool should help you gather all the data once and customize it for each regulation's requirements; again, making you more effective and efficient. Does your existing SIEM do that?

Reason No. 5 - Your SIEM Isn't Good Enough: Fixed deployment form factor

It's likely you need different form factors -- appliance, software, collectors -- for different use cases, but you won't get it your way. Current generation SIEMs come in a fixed form factor. You get an appliance or software. Chances are you're not going to ship an appliance to each of your 100 locations. You need to be able to mix and match form factors based on the requirements of your environment, not the vendor's supply chain. You should be able to run software on an existing server or deploy an appliance, based on your specific problem. Does your existing SIEM lock you into a specific deployment model?

Reason No. 6 - Your SIEM Isn't Good Enough: Difficulty in detecting evasive attacks

Today's attackers want to stay below the radar, compromising your private data and intellectual property repeatedly without your knowledge. Otherwise, you'll fix the issue and they'll no longer be able to rob you blind. Most existing SIEM products only collect log data, which is generated during the first three steps of an attack: probing the network, executing an attack and gaining system access. Evasive attacks go undetected because you're looking backwards, after the attack happened. In order to detect a low and slow attack while it's in progress, you need to analyze more than just log data. An integrated platform that collects, correlates, and analyzes log data plus configuration, system, asset, and flow data can help reduce the millions of events to single-digit real incidents, and also provide complete context around any event. As a result, end-to-end correlation reduces false positives and optimizes the system's ability to detect breaches while reducing cost and management complexity. A single unified console eliminates multiple data silos and enables efficient root-cause analysis. Because everything is interlinked, you can get to the bottom of an issue in minutes or seconds.
Your existing SIEM just relies on log data, doesn't it?

Reason No. 7 - Your SIEM Isn't Good Enough: Logging can be turned off

The first thing an attacker does is turn off logging to remove evidence of his tracks. What will you do when logging is turned off on your SIEM? How soon will you know? This is an inherent limitation of today's SIEMs, which are driven by log data. If the log data isn't there, you're blind. This is not a good way to manage a security environment. However, if your SIEM is also looking at configuration data, you'll know that logging has been turned off, because it's a configuration change. You'd also see different performance metrics from the device, since it's doing the attacker's bidding. The attackers leave a trail; the problem is that it's usually not in the logs. Do you see that log data is not enough?

Reason No. 8 - Your SIEM Isn't Good Enough: Blind to network flows

The network never lies. Attackers always leave a network trail, and flow data (if your system is collecting it!) can provide you with another clue that an attack is happening. By analyzing flow data you can develop a baseline for network traffic against which you can compare suspect behavior. Unfortunately, most of today's SIEMs don't pay attention to network flows. Does your existing SIEM analyze flow data?

Reason No. 9 - Your SIEM Isn't Good Enough: Doesn't analyze configuration changes

Any attack includes configuration changes, including turning services on or off, installing malware, and initiating connections. All of these provide more clues to help you corroborate the data you already have. No product will be able to tell you, "Hey, you've got an issue here!" These tools are not built to replace you. But they should make you more efficient and help make your job a little easier. Configuration data does that.
It gives you more corroborating evidence when you're investigating suspect network activity. Monitoring device configurations is also critical to ensure adherence to corporate policies. Many organizations have adopted secure configuration policies from organizations like the Center for Internet Security, and having the security management tool monitor adherence to these policies and pinpoint when a device is no longer configured correctly can alleviate many security issues. Does your existing SIEM monitor configuration changes?

Reason No. 10 - Your SIEM Isn't Good Enough: Can't see the relationship between the data points

Today's solutions use simple correlation techniques. Unfortunately, the world is no longer simple. As we discussed at the beginning of this paper, technology is complex and getting more complex with each passing day. Simply having additional data types within the security management tool is not going to help you if the relationships between the data aren't apparent. You should be able to get a complete picture of how the data fits together; for example: I know this is an issue because I got a log alert, and that is corroborated by a configuration change, and further corroborated by analyzing network flows.
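As an added example (not eiqnetworks' or SecureVue's code), here is the corroboration described in reasons 7 through 10 written as a small Python correlation over constructed sample data: a log alert, a configuration change that silences logging, and a flow-volume spike on the same host within a short window score as one incident, while single-source noise on other hosts does not. Host names, thresholds and the phrases used to recognise a logging-off change are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    source: str   # "log", "config" or "flow": the independent data type
    detail: str


# Assumed phrases a configuration-change feed might carry when logging is
# silenced; in a real deployment these come from the config-audit source.
LOGGING_OFF = {"auditd stopped", "syslog forwarding disabled", "audit policy cleared"}


def config_changes(changes):
    """changes: (ts, host, description). Every change is corroborating
    evidence; a change that silences logging is tagged because that host's
    logs can no longer be trusted (reason 7)."""
    out = []
    for ts, host, desc in changes:
        tag = "logging-off" if desc.lower() in LOGGING_OFF else "change"
        out.append(Event(ts, host, "config", f"{tag}: {desc}"))
    return out


def flow_anomalies(flows, baseline_window, k=3.0):
    """flows: (ts, host, bytes_out). Build a per-host baseline from records
    inside baseline_window=(start, end); flag later records above
    mean + k * spread, where spread is floored at 5% of the mean so a flat
    baseline does not flag every tiny change. Hosts with no baseline are
    flagged on first sight (reason 8)."""
    start, end = baseline_window
    hist = defaultdict(list)
    for ts, host, b in flows:
        if start <= ts <= end:
            hist[host].append(b)
    out = []
    for ts, host, b in flows:
        if ts <= end:
            continue
        if host not in hist:
            out.append(Event(ts, host, "flow", f"no baseline, {b} bytes out"))
            continue
        mu = mean(hist[host])
        spread = max(pstdev(hist[host]), 0.05 * mu)
        if b > mu + k * spread:
            out.append(Event(ts, host, "flow", f"{b} bytes out vs baseline {mu:.0f}"))
    return out


def corroborate(events, window=timedelta(minutes=30)):
    """Per host, find the cluster of events (within `window` after an anchor
    event) drawn from at least two distinct sources. Score = number of
    distinct sources, +1 if logging was switched off inside the cluster.
    Returns {host: (score, [events])}; single-source hosts are left out."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    incidents = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        for anchor in evs:
            cluster = [e for e in evs if timedelta(0) <= e.ts - anchor.ts <= window]
            sources = {e.source for e in cluster}
            if len(sources) < 2:
                continue
            score = len(sources) + int(any("logging-off" in e.detail for e in cluster))
            if best is None or score > best[0]:
                best = (score, cluster)
        if best is not None:
            incidents[host] = best
    return incidents


# ---- constructed sample data: one baseline day, then the day under review ----
T0 = datetime(2024, 1, 1)
DAY2 = T0 + timedelta(days=1)
BASE_FLOWS = [(T0 + timedelta(hours=h), host, base + (h % 4) * base // 50)
              for h in range(24) for host, base in (("web01", 5_000_000), ("db02", 800_000))]
NEW_FLOWS = [
    (DAY2 + timedelta(hours=9), "web01", 5_100_000),                # normal
    (DAY2 + timedelta(hours=10, minutes=20), "web01", 50_000_000),  # 10x spike
    (DAY2 + timedelta(hours=10), "db02", 810_000),                  # normal
    (DAY2 + timedelta(hours=11), "jump03", 120_000),                # never seen before
]
LOG_ALERTS = [
    Event(DAY2 + timedelta(hours=8), "vpn01", "log", "IDS: brute-force signature"),
    Event(DAY2 + timedelta(hours=10), "web01", "log", "IDS: web shell signature"),
]
CONFIG = [
    (DAY2 + timedelta(hours=10, minutes=5), "web01", "auditd stopped"),
    (DAY2 + timedelta(hours=10, minutes=30), "db02", "package updated"),
]


def run_demo():
    """Merge the three data types and return the corroborated incidents."""
    events = LOG_ALERTS + config_changes(CONFIG) + flow_anomalies(BASE_FLOWS + NEW_FLOWS, (T0, DAY2))
    return corroborate(events)


if __name__ == "__main__":
    for host, (score, cluster) in sorted(run_demo().items(), key=lambda kv: -kv[1][0]):
        print(f"{host}: score {score}")
        for e in cluster:
            print(f"  {e.ts:%H:%M} {e.source:6} {e.detail}")
```

Only web01 surfaces, with all three sources and the logging-off bonus; the lone vpn01 alert, the routine db02 change and the unknown jump03 talker stay as single-source leads rather than incidents.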

A flashing red dot doesn't cut it in today's environment. Your security management tool should provide a visualization of the data to enhance your user experience and provide a complete picture of your security posture. Does your existing SIEM connect the dots?

eiqnetworks Redefines Security and Compliance Management

As an industry, we tend to expect what we can get. To use a metaphor, since all we have is a set of hammers, we've convinced ourselves that everything we see is a nail. Up until now, the only option has been a very broken SIEM system that solved a few of our problems, and the industry accepted that. This doesn't have to be the case any longer. Thanks to eiqnetworks, it's time to rethink SIEMs. After years spent grappling with the issues prevalent in SIEM systems, eiqnetworks has redefined the technology as we know it. Now we can expect to have our security and compliance management issues solved with a single solution: SecureVue.

SecureVue Architecture

eiqnetworks delivers security automation, compliance automation, forensics, and configuration audit in one consolidated console. This provides enterprises and government agencies with an enhanced ability to detect attacks and contain the costs of securing the infrastructure.

Here's how: eiqnetworks SecureVue collects log, vulnerability, configuration, asset, performance, and network flow data in a unified data model. Core services (correlation, reporting, data archival, workflow, visualization) are layered on top of the unified data model, with rules that trigger on all types of data. A reporting engine further leverages the unified data model to corroborate events and eliminate a lot of noise, while 3D visualization shows relationships to help you analyze data faster and smarter. With one product, you have a consolidated view of all your networked systems. You have situational awareness. Is that too much to chew in one bite? Okay, let's break it down.

End-to-end data collection and correlation. SecureVue gathers and correlates more data types than the competition, including log, asset, configuration, performance, vulnerability, and flow data, enabling more intelligent analysis, broader correlation and faster detection of evasive attacks. Paired with an advanced policy management engine, the unified data model helps organizations react faster and respond to emerging threats.

Single security and compliance console. SecureVue provides an enterprise-wide view of security and compliance status, providing true situational awareness at any given time. The integrated console also helps foster collaboration between NOC and SOC teams, which can now work off of the same data set to achieve efficient, coordinated mitigation decisions.

At-a-glance dashboards with role-based access. SecureVue features over 50 dashboards that can be segregated and customized to support the needs of management or NOC, SOC, and audit analysts.

Real-time monitoring and alerting. SecureVue features over 250 correlation policy templates and can be configured to alert on violations, non-standard processes, and more.

3D visualization and topology. SecureVue's 3D visualization shows relationships to help you analyze data faster and smarter.
A topological representation of forensics data and incident playback allows you to quickly filter through thousands of events to graphically identify the root cause and patterns related to security incidents.

Investigative forensics analysis. SecureVue's drilldown investigative forensics provide for fast root cause analysis and mitigation. Send data to any kind of storage environment and rest assured the data is signed and sequenced so it will stand up in court.

Security and compliance metrics-based reporting. SecureVue's integrated ESM and IT GRC platform features streamlined, audit-friendly reports for fast compliance gap or security incident resolution. Flexible, wizard-based policy mapping allows security managers to easily add or modify compliance requirements, and automatic mapping of enterprise assets to regulatory, best practice and standard controls provides 24x7 compliance posture and policy assessment.

High-performance, scalable processing. With the capacity to process over 15,000 events per second in a standalone deployment and more than 100,000 events per second across multiple hosts, SecureVue delivers optimal performance to meet the requirements of even the most demanding enterprise.

Flexible deployment options. SecureVue is available as both enterprise software and hardware, and can be deployed in standalone or distributed environments.

Quick time to value. SecureVue offers best-in-class integration and quick time to value by providing a simple installation featuring agent-less node support, over 150 built-in correlation rules, and over 1,500 reports, to get customers up and running with minimal professional services -- in days, not months. By reducing separate point products (and their associated data silos), eliminating the need for additional database administrators, and removing dependencies on third-party reporting packages, SecureVue offers the lowest cost to operate.

You need to see it to believe it! SecureVue is a security event and information management system like you've never seen before. See for yourself how SecureVue can help you react faster to security incidents, more efficiently manage security and compliance tasks, and make more effective use of your time. Contact us at sales@eiqnetworks.com to learn more.

ADDITIONAL INFORMATION

About eiqnetworks

eiqnetworks, Inc., is redefining security and compliance management by fostering collaboration across security, network, data center and audit teams to more quickly isolate the root cause of security issues and ensure compliance mandates are being enforced. Global financial, media, healthcare, manufacturing, and government enterprises rely on eiqnetworks to make sense of formerly disparate data sources to react faster to emerging threats, automate their compliance efforts, and more effectively monitor security policies. Headquartered in Acton, Mass., eiqnetworks can be reached at its World Headquarters, 31 Nagog Park, Acton, MA, (978).

eiqnetworks, Inc. eiqnetworks and SecureVue are registered trademarks of eiqnetworks, Inc. All other trademarks, servicemarks, registered trademarks and servicemarks are the property of their respective owners.


HP and netforensics Security Information Management solutions. Business blueprint HP and netforensics Security Information Management solutions Business blueprint Executive Summary Every day there are new destructive cyber-threats and vulnerabilities that may limit your organization

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other

More information

Securing your IT infrastructure with SOC/NOC collaboration

Securing your IT infrastructure with SOC/NOC collaboration Technical white paper Securing your IT infrastructure with SOC/NOC collaboration Universal log management for IT operations Table of contents Executive summary 2 IT operations: Handle IT incidents and

More information

PCI DSS Reporting WHITEPAPER

PCI DSS Reporting WHITEPAPER WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts

More information

Detect & Investigate Threats. OVERVIEW

Detect & Investigate Threats. OVERVIEW Detect & Investigate Threats. OVERVIEW HIGHLIGHTS Introducing RSA Security Analytics, Providing: Security monitoring Incident investigation Compliance reporting Providing Big Data Security Analytics Enterprise-wide

More information

FIVE PRACTICAL STEPS

FIVE PRACTICAL STEPS WHITEPAPER FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business CEOs, CIOs, CTOs, AND

More information

BRIDGING THE GAP Security, Operations & Compliance

BRIDGING THE GAP Security, Operations & Compliance Technical Whitepaper BRIDGING THE GAP Security, Operations & Compliance eiq Networks, Inc., World Head Quarters 31 Nagog Park Acton, MA 01720 978.266.9933 www.eiqnetworks.com TABLE OF CONTENTS SECTION

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

Log Management Solution for IT Big Data

Log Management Solution for IT Big Data Log Management Solution for IT Big Data 1 IT Big Data Solution A SCALABLE LOG INTELLIGENCE PLATFORM FOR SECURITY, COMPLIANCE, AND IT OPERATIONS More than 1,300 customers across a variety of industries

More information

IBM QRadar Security Intelligence April 2013

IBM QRadar Security Intelligence April 2013 IBM QRadar Security Intelligence April 2013 1 2012 IBM Corporation Today s Challenges 2 Organizations Need an Intelligent View into Their Security Posture 3 What is Security Intelligence? Security Intelligence

More information

QRadar SIEM and FireEye MPS Integration

QRadar SIEM and FireEye MPS Integration QRadar SIEM and FireEye MPS Integration March 2014 1 IBM QRadar Security Intelligence Platform Providing actionable intelligence INTELLIGENT Correlation, analysis and massive data reduction AUTOMATED Driving

More information

How To Buy Nitro Security

How To Buy Nitro Security McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security

More information

DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD

DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD SOLUTION OVERVIEW: ALERT LOGIC THREAT MANAGER WITH ACTIVEWATCH DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD Protecting your infrastructure requires you to detect threats, identify suspicious

More information

access convergence management performance security

access convergence management performance security access convergence management performance security 2010 2009 2008 2007 WINNER 2007 WINNER 2008 WINNER 2009 WINNER 2010 Log Management Solution for IT Big Data 1 IT Big Data Solution A SCALABLE LOG INTELLIGENCE

More information

IBM Security QRadar Vulnerability Manager

IBM Security QRadar Vulnerability Manager IBM Security QRadar Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution Highlights Help prevent security breaches by discovering and highlighting high-risk

More information

Extreme Networks Security Analytics G2 Risk Manager

Extreme Networks Security Analytics G2 Risk Manager DATA SHEET Extreme Networks Security Analytics G2 Risk Manager Proactively manage vulnerabilities and network device configuration to reduce risk, improve compliance HIGHLIGHTS Visualize current and potential

More information

Caretower s SIEM Managed Security Services

Caretower s SIEM Managed Security Services Caretower s SIEM Managed Security Services Enterprise Security Manager MSS -TRUE 24/7 Service I.T. Security Specialists Caretower s SIEM Managed Security Services 1 Challenges & Solution Challenges During

More information

Q1 Labs Corporate Overview

Q1 Labs Corporate Overview Q1 Labs Corporate Overview The Security Intelligence Leader Who we are: Innovative Security Intelligence software company One of the largest and most successful SIEM vendors Leader in Gartner 2011, 2010,

More information

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:

More information

NitroView Enterprise Security Manager (ESM), Enterprise Log Manager (ELM), & Receivers

NitroView Enterprise Security Manager (ESM), Enterprise Log Manager (ELM), & Receivers NitroView Enterprise Security Manager (ESM), Enterprise Log Manager (ELM), & Receivers The World's Fastest and Most Scalable SIEM Finally an enterprise-class security information and event management system

More information

LogInspect 5 Product Features Robust. Dynamic. Unparalleled.

LogInspect 5 Product Features Robust. Dynamic. Unparalleled. LogInspect 5 Product Features Robust. Dynamic. Unparalleled. Enjoy ultra fast search capabilities in simple and complex modes optimized for Big Data Easily filter and display relevant topics, eg: Top 10

More information

Actionable Security Intelligence: Preparing for the Next Threat with a Proactive Strategy

Actionable Security Intelligence: Preparing for the Next Threat with a Proactive Strategy www.netforensics.com NETFORENSICS WHITE PAPER Actionable Security Intelligence: Preparing for the Next Threat with a Proactive Strategy Contents Executive Summary The Information Security Landscape Security

More information

IBM SECURITY QRADAR INCIDENT FORENSICS

IBM SECURITY QRADAR INCIDENT FORENSICS IBM SECURITY QRADAR INCIDENT FORENSICS DELIVERING CLARITY TO CYBER SECURITY INVESTIGATIONS Gyenese Péter Channel Sales Leader, CEE IBM Security Systems 12014 IBM Corporation Harsh realities for many enterprise

More information

LogPoint 5.1 Product Features Robust. Dynamic. Unparalleled.

LogPoint 5.1 Product Features Robust. Dynamic. Unparalleled. LogPoint 5.1 Product Features Robust. Dynamic. Unparalleled. LOGPOINT Enjoy ultra fast search capabilities in simple and complex modes optimized for Big Data Easily filter and display relevant topics,

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

RSA Security Analytics

RSA Security Analytics RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Compliance yes, but security? Analyze & prioritize alerts across various sources

More information

CHANGING THE SECURITY MONITORING STATUS QUO Solving SIEM problems with RSA Security Analytics

CHANGING THE SECURITY MONITORING STATUS QUO Solving SIEM problems with RSA Security Analytics CHANGING THE SECURITY MONITORING STATUS QUO Solving SIEM problems with RSA Security Analytics TRADITIONAL SIEMS ARE SHOWING THEIR AGE Security Information and Event Management (SIEM) tools have been a

More information

Continuous Network Monitoring

Continuous Network Monitoring Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment

More information

Advanced Threat Detection: Necessary but Not Sufficient The First Installment in the Blinded By the Hype Series

Advanced Threat Detection: Necessary but Not Sufficient The First Installment in the Blinded By the Hype Series Advanced Threat Detection: Necessary but Not Sufficient The First Installment in the Blinded By the Hype Series Whitepaper Advanced Threat Detection: Necessary but Not Sufficient 2 Executive Summary Promotion

More information

Maximizing Configuration Management IT Security Benefits with Puppet

Maximizing Configuration Management IT Security Benefits with Puppet White Paper Maximizing Configuration Management IT Security Benefits with Puppet OVERVIEW No matter what industry your organization is in or whether your role is concerned with managing employee desktops

More information

Demonstrating the ROI for SIEM: Tales from the Trenches

Demonstrating the ROI for SIEM: Tales from the Trenches Whitepaper Demonstrating the ROI for SIEM: Tales from the Trenches Research 018-101409-01 ArcSight, Inc. 5 Results Way, Cupertino, CA 95014, USA www.arcsight.com info@arcsight.com Corporate Headquarters:

More information

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE Solution Brief SUMMARY New security threats demand a new approach to security management. Security teams need a security analytics architecture that can handle

More information

Meeting the Challenges of Virtualization Security

Meeting the Challenges of Virtualization Security Meeting the Challenges of Virtualization Security Coordinate Security. Server Defense for Virtual Machines A Trend Micro White Paper August 2009 I. INTRODUCTION Virtualization enables your organization

More information

HIPAA Compliance: Meeting the Security Challenge. Eric Siebert Author and vexpert. whitepaper

HIPAA Compliance: Meeting the Security Challenge. Eric Siebert Author and vexpert. whitepaper HIPAA Compliance: Meeting the Security Challenge Eric Siebert Author and vexpert HIPAA Compliance: Meeting the Security Challenge A Closer Look: The HIPAA Compliance Challenge - As many IT managers and

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

YOUR DATA UNDER SIEGE: GUARD THE GAPS WITH PATCH MANAGEMENT. With Kaspersky, now you can. kaspersky.com/business Be Ready for What s Next

YOUR DATA UNDER SIEGE: GUARD THE GAPS WITH PATCH MANAGEMENT. With Kaspersky, now you can. kaspersky.com/business Be Ready for What s Next YOUR DATA UNDER SIEGE: GUARD THE GAPS WITH PATCH MANAGEMENT. With Kaspersky, now you can. kaspersky.com/business Be Ready for What s Next Your Data Under Siege: Guard the Gaps with Patch Management 1.0

More information

Tech Brief. Choosing the Right Log Management Product. By Michael Pastore

Tech Brief. Choosing the Right Log Management Product. By Michael Pastore Choosing the Right Log Management Product By Michael Pastore Tech Brief an Log management is IT s version of the good old fashioned detective work that authorities credit for solving a lot of crimes. It

More information

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) CONTENT Introduction 2 Overview of Continuous Diagnostics & Mitigation (CDM) 2 CDM Requirements 2 1. Hardware Asset Management 3 2. Software

More information

Netwrix Auditor. Сomplete visibility into who changed what, when and where and who has access to what across the entire IT infrastructure

Netwrix Auditor. Сomplete visibility into who changed what, when and where and who has access to what across the entire IT infrastructure Netwrix Auditor Сomplete visibility into who changed what, when and where and who has access to what across the entire IT infrastructure netwrix.com netwrix.com/social 01 Product Overview Netwrix Auditor

More information

CONNECTING ACCESS GOVERNANCE AND PRIVILEGED ACCESS MANAGEMENT

CONNECTING ACCESS GOVERNANCE AND PRIVILEGED ACCESS MANAGEMENT CONNECTING ACCESS GOVERNANCE AND PRIVILEGED ACCESS MANAGEMENT ABSTRACT Identity and access governance should be deployed across all types of users associated with an organization -- not just regular users

More information

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

WHITE PAPER SPLUNK SOFTWARE AS A SIEM SPLUNK SOFTWARE AS A SIEM Improve your security posture by using Splunk as your SIEM HIGHLIGHTS Splunk software can be used to operate security operations centers (SOC) of any size (large, med, small)

More information

DEMONSTRATING THE ROI FOR SIEM

DEMONSTRATING THE ROI FOR SIEM DEMONSTRATING THE ROI FOR SIEM Tales from the Trenches HP Enterprise Security Business Whitepaper Introduction Security professionals sometimes struggle to demonstrate the return on investment for new

More information

Tivoli Security Information and Event Manager V1.0

Tivoli Security Information and Event Manager V1.0 Tivoli Security Information and Event Manager V1.0 Summary Security information and event management (SIEM) is a primary concern of the CIOs and CISOs in many enterprises. They need to centralize security-relevant

More information

The webinar will begin shortly

The webinar will begin shortly The webinar will begin shortly An Introduction to Security Intelligence Presented by IBM Security Chris Ross Senior Security Specialist, IBM Security Agenda The Security Landscape An Introduction to Security

More information

Five Ways to Use Security Intelligence to Pass Your HIPAA Audit

Five Ways to Use Security Intelligence to Pass Your HIPAA Audit e-book Five Ways to Use Security Intelligence to Pass Your HIPAA Audit HIPAA audits on the way 2012 is shaping up to be a busy year for auditors. Reports indicate that the Department of Health and Human

More information

Trend Micro. Advanced Security Built for the Cloud

Trend Micro. Advanced Security Built for the Cloud datasheet Trend Micro deep security as a service Advanced Security Built for the Cloud Organizations are embracing the economic and operational benefits of cloud computing, turning to leading cloud providers

More information

CLOUD GUARD UNIFIED ENTERPRISE

CLOUD GUARD UNIFIED ENTERPRISE Unified Security Anywhere CLOUD SECURITY CLOUD GUARD UNIFIED ENTERPRISE CLOUD SECURITY UNIFIED CLOUD SECURITY Cloudy with a 90% Chance of Attacks How secure is your cloud computing environment? If you

More information

PCI DSS Top 10 Reports March 2011

PCI DSS Top 10 Reports March 2011 PCI DSS Top 10 Reports March 2011 The Payment Card Industry Data Security Standard (PCI DSS) Requirements 6, 10 and 11 can be the most costly and resource intensive to meet as they require log management,

More information

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA White Paper Achieving GLBA Compliance through Security Information Management White Paper / GLBA Contents Executive Summary... 1 Introduction: Brief Overview of GLBA... 1 The GLBA Challenge: Securing Financial

More information

Solving the Security Puzzle

Solving the Security Puzzle Solving the Security Puzzle How Government Agencies Can Mitigate Today s Threats Abstract The federal government is in the midst of a massive IT revolution. The rapid adoption of mobile, cloud and Big

More information

How To Manage Log Management

How To Manage Log Management : Leveraging the Best in Database Security, Security Event Management and Change Management to Achieve Transparency LogLogic, Inc 110 Rose Orchard Way, Ste. 200 San Jose, CA 95134 United States US Toll

More information

Worldwide Security and Vulnerability Management 2009 2013 Forecast and 2008 Vendor Shares

Worldwide Security and Vulnerability Management 2009 2013 Forecast and 2008 Vendor Shares EXCERPT Worldwide Security and Vulnerability Management 2009 2013 Forecast and 2008 Vendor Shares IN THIS EXCERPT Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015

More information

IT Security & Compliance. On Time. On Budget. On Demand.

IT Security & Compliance. On Time. On Budget. On Demand. IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount

More information

Enhance visibility into and control over software projects IBM Rational change and release management software

Enhance visibility into and control over software projects IBM Rational change and release management software Enhance visibility into and control over software projects IBM Rational change and release management software Accelerating the software delivery lifecycle Faster delivery of high-quality software Software

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

TRIPWIRE NERC SOLUTION SUITE

TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering

More information

End-user Security Analytics Strengthens Protection with ArcSight

End-user Security Analytics Strengthens Protection with ArcSight Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security

More information

IBM Security QRadar Risk Manager

IBM Security QRadar Risk Manager IBM Security QRadar Risk Manager Proactively manage vulnerabilities and network device configuration to reduce risk, improve compliance Highlights Collect network security device configuration data to

More information

Compliance Management, made easy

Compliance Management, made easy Compliance Management, made easy LOGPOINT SECURING BUSINESS ASSETS SECURING BUSINESS ASSETS LogPoint 5.1: Protecting your data, intellectual property and your company Log and Compliance Management in one

More information

Preemptive security solutions for healthcare

Preemptive security solutions for healthcare Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare

More information

Why Alerts Suck and Monitoring Solutions need to become Smarter

Why Alerts Suck and Monitoring Solutions need to become Smarter An AppDynamics Business White Paper HOW MUCH REVENUE DOES IT GENERATE? Why Alerts Suck and Monitoring Solutions need to become Smarter I have yet to meet anyone in Dev or Ops who likes alerts. I ve also

More information

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer IBM Security QRadar SIEM & Fortinet / FortiAnalyzer Introducing new functionality for IBM QRadar Security Intelligence Platform: integration with Fortinet s firewalls and logs forwarded by FortiAnalyzer.

More information

Securing ephi with Effective Database Activity Monitoring. HIMSS Webcast 4/26/2011. p. 1

Securing ephi with Effective Database Activity Monitoring. HIMSS Webcast 4/26/2011. p. 1 Securing ephi with Effective Database Activity Monitoring HIMSS Webcast 4/26/2011 p. 1 Agenda Agenda Database Security Primer Industry Trends What Works Integrated DB Security Product Demonstration Questions

More information

Feature. Log Management: A Pragmatic Approach to PCI DSS

Feature. Log Management: A Pragmatic Approach to PCI DSS Feature Prakhar Srivastava is a senior consultant with Infosys Technologies Ltd. and is part of the Infrastructure Transformation Services Group. Srivastava is a solutions-oriented IT professional who

More information

An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011

An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011 An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011 Brian McLean, CISSP Sr Technology Consultant, RSA Changing Threats and More Demanding Regulations External

More information

Enterprise Security Solutions

Enterprise Security Solutions Enterprise Security Solutions World-class technical solutions, professional services and training from experts you can trust ISOCORP is a Value-Added Reseller (VAR) and services provider for best in class

More information

High End Information Security Services

High End Information Security Services High End Information Security Services Welcome Trion Logics Security Solutions was established after understanding the market's need for a high end - End to end security integration and consulting company.

More information

Integrated Threat & Security Management.

Integrated Threat & Security Management. Integrated Threat & Security Management. SOLUTION OVERVIEW Vulnerability Assessment for Web Applications Fully Automated Web Crawling and Reporting Minimal Website Training or Learning Required Most Accurate

More information