Security Information and Event Management (SIEM)

Transcription

1 Security Information and Event Management (SIEM) How Does Your Business Benefit? intigrow White Paper By Wes Lambert Security Consultant intigrow is a global enterprise security company delivering comprehensive security solutions and competitively priced security services to empower enterprises to achieve a business enabled security posture. intigrow helps you manage risk, improve compliance, and attain proactive detection and prevention of security threats to- and from- your clients and users, computing infrastructure including mobile, data, and applications. intigrow provides consulting services and solution components for IT security requirements.

2 Contents Executive Summary... 3 Introduction... 4 SIEM... 4 How Can Your Business Benefit?... 6 Conclusion [email protected]

3 Section 1 Executive Summary Nearly every device in your organization s IT infrastructure gives security alerts. The amount of data processed and archived by companies has continued to grow at a blistering pace. Such data is retrieved from a growing number of sources and platforms, all with an enormous amount of potential to improve operations within a company. In order to make effective use of security information, you need to be able to understand it in context. If you can separate the wheat from the chaff, you can make your current security investments accretive. With confidence in your ability to add services securely, and lowered operational costs, security information and event management (SIEM) will allow you to pursue new channels and markets at a faster pace. intigrow has developed an approach to IT security the integrates component security features, identity management, and access management. The approach begins with assessing the potential business values and risks, developing a security strategy, roadmap, and operational processes. Existing resources can be leveraged and tied together with SIEM. 3 [email protected]

4 Section 2 Introduction Nearly every device in your organization s IT infrastructure gives security alerts. The amount of data processed and archived by companies has continued to grow at a blistering pace. Such data is retrieved from a growing number of sources and platforms, all with an enormous amount of potential to improve operations within a company. Unfortunately, most organizations resources are underutilized or not quite effective enough to wade through the bulk of information pouring in from these numerous networked components and discern actual threats from the occasional tease. Doing this is the real value if SIEM. Delving into the sea of alerts and suspicious activity to verify indications of maliciousness are in fact valid, is in many cases a full-time job. It is due to this that optimum efficiency is rarely achieved in regard to security management, and the likelihood of an information-loss catastrophe increases. SIEM This is where SIEM comes into play. SIEM, or security information and event management, is a term used to describe the real-time monitoring of security events, in conjunction with historical log analysis. Together, these abilities comprise situational awareness. This technology developed out of two previous technologies: SEM (Security Event Management): Real-time monitoring, correlation, and processing of security events. SIM (Security Information Management): Historical log file analysis. Such analysis had previously been used in the case of forensic investigations. SIM provided excellent reporting functionality as well. SIEM fuses these two technologies to provide a single solution to the challenge inherited by a company s security professionals and business. At the same time, the technology allows for a greater range of compatibility with various devices and data sources an organization may possess within its technical infrastructure. Key capabilities of most SIEM solutions include data collection, data aggregation, data normalization, event correlation, alerting, reporting, use of forensics tools, and the ability to centrally manage and monitor the SIEM system. More detail on each capability is given below: Data Collection - can occur at any number of points, as in most cases, organizations possess different devices such as firewalls, IDSs, routers, and databases with different data formats and so on. A SIEM solution can interface 4 [email protected]

5 with many of these devices either through their standard device interfaces, APIs, or third-party applications to gather data for processing. Data Aggregation - combines the various types of data gathered from the numerous network devices, etc., into a single data store to be correlated and analyzed. Data Normalization - takes information presented by the various devices and converts the information from different data types into a single, consistent format to be analyzed and reported. Before converting the data, raw copies can be made and stored for forensic and compliance purposes. Event Correlation Event correlation refers to matching or linking several events within a specific timeframe across several systems to identify unusual or suspicious activity. Most SIEM solutions have predefined rule sets to do such work, but, in most cases, companies will likely have to tune these rules often to accommodate their environment, the type of activity that frequently occurs within the environment, and to keep up with present security concerns. Care should be given to realize that implementing too many rules, or by instilling rules that are too complex, will require increased computing resources that may not outweigh the benefits of the implementing a SIEM solution. Nonetheless, this is where the real payoff of SIEM lies. The ability to link seemingly unrelated events, often separated by relatively long time periods, can enable security operations to head off threats already in operation in your organization. Likewise it helps relate events occurring on relatively separated components. These are typically managed by people who have a narrow focus on their responsibilities, and not necessarily awareness of the situation in the aggregate. Alerting Alerting refers to the notification that a specific event has occurred, based on a certain set of conditions being met. Many, though not all SIEM solutions have the ability to alert via text message, , or via ticket generation, but possess the ability to at least alert an operator monitoring the SIEM management console. Having such functionality greatly assists in the rapid acknowledgement of an issue, and enables IT professionals to be more proactive, to make important decisions, and react quickly to prevent a possibly dangerous situation. Reporting Compliance calls for a robust reporting capability. Current SIEM solutions deliver accordingly, by providing custom and standard user-friendly reporting, adhering to PCI DSS, Sarbanes-Oxley, and other industry standards. Investigative Purposes - A SIEM solution supports investigative purposes by providing the ability to generate highly specialized, granular queries, as well as access raw log files and other data. This can be of great assistance to investigative experts and others when trying to locate and preserve sensitive data as evidence. Central Management - All SIEM solutions provide for a central management console to monitor real-time information and events. Analysis, reporting, and data manipulation can also be achieved through the console. 5 [email protected]

6 How Can Your Business Benefit? Greater Value More effective use of organizational resources means lower costs of important functions the ultimate goal of any company. With the use of a SIEM solution, IT security professionals can greatly increase their effectiveness. The power of such a system allows the entire IT organization to focus on more valuable tasks. Additionally, by increasing the effectiveness of existing security investments, there is less risk of slowed IT systems performance and outages due to security breaches and malware, possibly reducing the need for additional spend for computing resources. This is a key business value SIEM delivers. Reduced Operational Costs By implementing a single SIEM solution, a company can reduce the number of independent log management and analysis systems already in place, thus reducing purchase and maintenance costs associated with each. Associated labor and data storage-which can become considerable, are also reduced. Increased Likelihood of Compliance The advanced reporting available within a SIEM solution provides organizations with the ability to prove compliance in a particular area when audited. A key value delivered by this is reduced labor to meet compliance audits, as relevant reports are more easily made. Early Detection Earlier detection of potentially serious threats greatly reduces the risk of a catastrophic event, and enables security professionals to be more prepared and more effective at intercepting malicious activity, preventing irreparable damage to the organization. This can be helpful in reaching top-line business goals. Broader Support A SIEM solution requires teams across an organization to evaluate alerts, exchange reports, and make appropriate decisions regarding incidents indicated by the SIEM system. This alludes to the fact that professionals from several different organizations need to cooperate with one another to achieve a final desired result, reducing the traditional silo ing of many organization s IT resources. Ultimately, this provides for a more knowledgeable, and more fluid overall IT service, with the ability to adapt and address potentially dangerous situations appropriately, and not just route a service ticket back and forth from one queue to another. Risks While there are many advantages to such a solution, there are risks to bear in mind when investigating the idea of a SIEM implementation: Initially, one must consider the rate and volume of log data to be processed by the solution, and plan to scale deployment accordingly. Failure to do so could result in inaccurate reports, and the failure to detect actual malicious activity. If a company has not defined appropriate processes to respond to detected events, or these processes are not carried out, compliance violations, inaccurate reporting, data loss, and the previously mentioned scenarios could occur. An ideal time to look at SIEM is in anticipation of an information 6 [email protected]

7 security audit, such as PCI, network security assessment, or when assessing your IT security roadmap. Events like these present an opportunity to examine security processes. Further, doing so before an audit reduces planning risks because typically, there is a calmer work atmosphere. Finally, all of this could also occur as a result of faulty configuration of the SIEM solution tuning, failing to provided adequate resources to manage the solution (IT professionals), as well as inconsistent time synchronization. It is important all of these aspects of SIEM deployment and maintenance are addressed to ensure for a successful implementation and life of the solution. Conclusion There are a few risks to consider. By taking the time to plan and structure the deployment appropriately, and developing an effective maintenance plan, the implementation of a SIEM solution will prove to be a critical asset to a company. Our times demand this capability. Any organization that would like to enter new markets or channels more confidently would do well to take a closer look at SIEM. SIEM helps security operations to Pursue new initiatives Protect the business on-line brand Reduce the risk of non-compliance Reduce operational costs Enhance forensic reporting capabilities Most importantly, SIEM, or situational awareness, provides you the ability to detect actual malicious activity early on and over time, as most advanced persistent threats act slowly over time. SIEM will give you greater value from existing security investments, all while gaining broader organizational support in regard to risk and security operations. A SIEM platform is a wise addition to your existing security infrastructure. 7 [email protected]