Converting Security & Log Data into Business Intelligence: Art or Science?
An IANS Interactive Phone Conference
Summary of Findings, September 2010
Tom Chmielarski (Moderator), IANS
Chris Poulin, Q1 Labs

Overview

Log management and SIEM products provide data collection, normalization, and analysis. They enable compliance and provide enhanced network visibility. Most importantly, when business-driven use cases are used, these products can deliver business value.

Context

Tom Chmielarski described how SIEM and log management products can provide business intelligence and fielded numerous questions about SIEM and log management. Chris Poulin summarized Q1 Labs' approach to SIEM.

IANS Point of View

Log management and SIEM products are in the same general space but have important differences.

The terms log management and SIEM (security information and event management) are often used interchangeably. While similar, these categories are not identical. Log management solutions tend to be narrowly focused on centralized log collection. They are simpler and less expensive. SIEM products also collect logs, but SIEMs usually have far more features. They have correlation rules, role-based access control, and analysis capabilities. They are able to assist information security teams in data normalization and incident tracking. Compared to log management products, they are more complex and more expensive. With either type of product, robust interactive search is important, as is scalability.

There is a distinct difference between a product and a solution. Most vendors in the SIEM and log management space claim to be selling a solution. But are they really? When a true solution is configured and implemented, it is essentially complete and fully operational. In contrast, a product is not a complete solution. A product is just part of a solution that requires ongoing administration and effort.

"There are a lot of different ways you can use it, which make it, I believe, more of a tool to facilitate a business function than a solution."

The reality is that the ways in which SIEM and log management are used are highly variable. They are not off-the-shelf, plug-and-play solutions.

They are products that require significant ongoing administration. Users should not view these as complete solutions but as tools that can be used to help solve important business problems.

"It's a tool you can use to do what you want, but you need to know what you want to do."

Before implementing a SIEM or log management product, organizations need to define their specific objectives.

Tom has spoken with people in many organizations that have purchased a log management product or a full-featured (and expensive) SIEM and then asked, "Now what?" They had spent a lot of money but didn't really know what they wanted to do. Organizations must define up front what they want to get out of their SIEM or log management product. This does not mean defining the technical specs, such as "encrypts traffic" or a certain compression ratio. Defining objectives should be done in terms of the business value derived by the organization. Once the business value is defined, it should be clearly documented.

For an organization to define its objectives for its SIEM or log management product, it should develop a business-driven use case. Use cases are essential to help an organization determine its needs. A poor use case defines a very general need, such as "become PCI compliant." This doesn't provide very specific direction about the type of product needed. An effective use case codifies an organization's needs in a clear, specific, detailed, actionable manner. Business-driven use cases are use cases driven by business needs. For example, an organization may have a business driver of: "System logs need to be reliably available for compliance and incident response." Based on this business driver, an appropriate use case is: "Centrally collect and archive operating system logs from high-risk systems. Archive the logs according to corporate data retention policy, and facilitate cross-log, plain text search." This defines a business need and then provides a level of specificity about the product/solution an organization needs. Also, once an organization has its log data, many ways of leveraging this data become possible that extend far beyond security.

Organizations need to be prepared for the operational effort to make a SIEM or log management product successful.

The operational effort to make a SIEM or log management product functional varies based on the product and the use cases. However, in most instances there are a few general activities required to become fully operational. They are:

Data collection. This involves importing data from the key data sources. This can involve both customer and proprietary inputs. Collecting the data is both a technical issue and a political issue in the organization. Getting the necessary data requires having access to the appropriate logs, which are often controlled by different groups within an organization. While compelling the sharing of data may be possible, it is not desired. The preferred option is for groups to willingly share their data because they see benefits in doing so.

Data normalization.
The idea is that a SIEM pulls together data from multiple sources, uses a common taxonomy for event attributes, and enables searching across all data sets without having to change search language. A SIEM should take care of data normalization; however, a common pitfall is that SIEM products say they normalize data for all types of products, but in reality don't. Users should take the time to examine their SIEM to confirm that it is normalizing all data.

Data analysis. Once data is collected and normalized, the true value of a SIEM is in the ability to analyze the data. This requires creating analysis rules based on specific use cases. SIEMs often come with some off-the-shelf rules, but in most cases the rules will need to be customized based on an organization's use cases.

"If you spend more time [creating your own rules], you will get even more value out of your SIEM product, even the better ones."

Other Important Points

Log data retention. As a general rule, organizations want to have their data online and quickly searchable for at least 90 days. Having it readily searchable for one year is also common. It is rare to look back at data that is more than a year old. Whether longer-term data storage is separated from the data in the SIEM being used for correlation is a specific product question.

Separation of duties. The separation of duties, which is prescribed in many security frameworks and contracts, is simply a good operational practice. Having separation of duties and role-based access control applies to SIEM administration. The data in a SIEM should be compartmentalized, which the SIEM should support.

In the future: geographic correlation. An anticipated future functionality of SIEMs is geographic correlation that takes into account where a particular user is coming from. Also in the future will be creative use cases to identify leakage of trade secrets.
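The normalization and analysis steps described above (a common taxonomy across sources, one search language for all of them, a use-case rule on top, and the check that every source really is being normalized), as an added example that is not part of the IANS summary or any Q1 Labs product. The three source formats, the regexes and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

RAW_EVENTS = [  # constructed sample lines from three differently formatted sources
    ("linux-syslog", "Sep 14 10:01:02 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2"),
    ("windows-security", "EventID=4625 TargetUserName=root IpAddress=203.0.113.7 Status=0xC000006D"),
    ("firewall", "action=deny src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp"),
    ("linux-syslog", "Sep 14 10:01:05 web01 sshd[2211]: Accepted password for alice from 198.51.100.9 port 40000 ssh2"),
    ("firewall", "Sep 14 10:02:00 fw01: configuration reloaded"),  # no parser covers this line
]

PATTERNS = {  # one parser per source type; each maps its fields onto the same attribute names
    "linux-syslog": re.compile(r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src_ip>\S+)"),
    "windows-security": re.compile(r"EventID=(?P<event_id>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<src_ip>\S+)"),
    "firewall": re.compile(r"action=(?P<action>\w+) src=(?P<src_ip>\S+) dst=(?P<dst_ip>\S+)"),
}

def normalize(source, raw):
    """Map one raw line onto the common taxonomy; None means the source parser did not match."""
    m = PATTERNS[source].search(raw)
    if not m:
        return None
    g = m.groupdict()
    if source == "linux-syslog":
        category = "auth_failure" if g["outcome"] == "Failed" else "auth_success"
    elif source == "windows-security":
        category = "auth_failure" if g["event_id"] == "4625" else "auth_other"
    else:
        category = "firewall_deny" if g["action"] == "deny" else "firewall_allow"
    return {"source": source, "category": category, "user": g.get("user"), "src_ip": g["src_ip"]}

def normalize_all(events):
    """Return (normalized events, unparsed lines); a non-empty second list is the coverage gap to review."""
    normalized, unparsed = [], []
    for source, raw in events:
        ev = normalize(source, raw)
        if ev is None:
            unparsed.append((source, raw))
        else:
            normalized.append(ev)
    return normalized, unparsed

def search(normalized, **criteria):
    """One query language for every source: match on common attribute names, not on raw text."""
    return [ev for ev in normalized if all(ev.get(k) == v for k, v in criteria.items())]

def repeated_auth_failures(normalized, threshold=2):
    """Use-case rule: the same source IP failing authentication across any source type."""
    counts = Counter(ev["src_ip"] for ev in normalized if ev["category"] == "auth_failure")
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

The unparsed list is the check the text recommends: a product that claims to normalize a source but leaves lines in that list is not searchable for those events.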
Q1 Labs Perspective

Q1 Labs views itself as a next-generation SIEM.

Q1 Labs, which has been around for about 10 years, looked at first-generation SIEMs, took a step back, and designed a next-generation SIEM from scratch. Some of what makes Q1 Labs unique is:

Technical perspective. The company's products are based on a technical perspective. For example, Q1 Labs built its own database to have faster insertion rates. The result is an appliance-sized product that can capture 20,000 events per second. It has enough on-board storage to capture six months of data.

Scalability. Q1 Labs' SIEM product is highly scalable; it is just a matter of adding more appliances. However, while adding more appliances and power, a user still has a single pane of glass. Q1 Labs can also scale horizontally across multiple data centers.

Easy to implement. SIEM products have a reputation for being extremely difficult to implement, but that is not the case with Q1 Labs. Q1 Labs' product is extremely easy to implement, yet no capabilities are sacrificed. It is scalable and highly customizable, with distributed correlation (the events are stored where they are collected to minimize bandwidth).

More context. One feature that distinguishes next-generation SIEMs from first-generation products is that they provide much greater context. First-generation products focused on normalization and identifying suspected incidents. By importing vulnerability assessment data as well as other external data, a user has more context. This can result in fewer false positives. Also, having more context makes it easier to investigate potential incidents.

"Greater context is one major difference in the next-generation SIEM that QRadar provides." - Chris Poulin

Q1 Labs is designed to create business value.

Out of the box, Q1 Labs has many use cases that are valuable to the business. Examples include ways to protect the network from external threats as well as ways to look for insider fraud. Within the first day of implementation, infected systems and fraud can be detected and new log sources found. Based on looking at network traffic, the assets on a network are automatically profiled. These activities bring immediate value and ROI to customers. Q1 Labs' customers often purchase a SIEM for compliance reasons (such as PCI or HIPAA), but then use it for much more, as it provides network-wide visibility.
The QRadar Security Intelligence Platform has multiple components. These elements include:

Log management. This is table stakes for a SIEM. QRadar's compliance capabilities are the same for log management as for its SIEM, and it is possible to upgrade from log management to SIEM with just a license key. A free version of the QRadar log management tool is available on Q1 Labs' website.

SIEM. This is a next-generation SIEM with integrated log, cyber, threat, risk, and compliance management. It is scalable and automated.

Risk management. This component enables pulling the configuration data from firewalls, IPSs, and other network devices, and correlating this with vulnerability assessment data. When an attack occurs, this component can determine whether or not a host is susceptible to the attack. This component also provides impact analysis.

Scale. QRadar can scale either within a data center or across data centers.

Visibility. QRadar can see everything; it watches flows and collects data, providing unsurpassed visibility.

The result of these capabilities is that QRadar is:

Intelligent. It has complete visibility and doesn't miss anything.

Automated. It deploys easily, operates efficiently, and provides value immediately.

Integrated. QRadar eliminates silos and integrates with numerous third-party products. It is scalable and future proof.

"QRadar is the most intelligent, most automated, and most integrated SIEM on the market." - Chris Poulin

About Q1 Labs

Q1 Labs is a global provider of high-value, cost-effective next-generation network security management products. The company's flagship product, QRadar SIEM, integrates previously disparate functions including risk management, log management, network behavior analytics, and security event management into a total security intelligence solution, making it the most intelligent, integrated, and automated SIEM product available. QRadar SIEM provides users with crucial visibility into what is occurring with their networks, data centers, and applications to better protect IT assets and meet regulatory requirements. Q1Labs.com.

About IANS

IANS is a Boston-based research company that focuses exclusively on the fields of information security, regulatory compliance, and IT Risk Management. IANS' mission is to deliver technical and business insights that assist our clients in solving their most pressing problems. IANS serves its clients through a unique bottom-up research methodology. The combination of our world-class Faculty and closed community of end users drives IANS' insights, curriculum, and dialogues. www.iansresearch.com.