White paper. Security Check: 7 Things to Consider When Evaluating Vendor Solutions for SIEM



The goal of a SIEM solution is to make security people more productive.

Solutions for security information and event management (SIEM) are becoming a must-have component of an organization's security infrastructure, playing an important role in threat detection, incident response, forensics and security-related compliance. Based on experience with more than 1,300 successful SIEM deployments in organizations of all sizes, RSA offers prospective buyers seven factors to consider when evaluating vendors' offerings.

However you abbreviate it (SIEM, SEM or SIM), security information and event management is top of mind in many organizations (for a brief overview, see "SIEM For Security: A Quick Overview" below). According to Forrester Research [1], more than one-third of enterprises were on track to adopt SIM technology by mid-2008. Improving reporting and compliance was the most frequently cited reason for deploying a solution (32% of users in the Forrester survey of 259 security decision makers at North American and European enterprises), with security incident identification being the runner-up (cited by 20% of participants).

Because a SIEM solution reaches into every corner of your enterprise and touches so many pieces of your infrastructure, choosing a vendor solution is a long-term commitment with wide impact. Making your choice more difficult, solutions vary widely in their underlying technology, functionality and features, and total cost of ownership. Indeed, many organizations have experienced buyer's remorse after choosing a solution that was not a good fit for their needs.

When you're evaluating solutions side-by-side, don't focus too narrowly on particular features, the user interface or event correlation rules. Rather, as we propose in our seven recommendations below, expand your evaluation to look at each vendor's offering in its totality, including the completeness of the event data captured and the degree of integration within the solution and with surrounding infrastructure. Consider how enterprise-friendly a product is in terms of ease of deployment, scalability and total cost of ownership. And, of course, assess the vendor's strengths, including their overall security expertise, financial stability, support for R&D and vendor- and platform-independence. With a solution that matches your needs across many of these dimensions, you can greatly increase the likelihood of long-term success.

Recommendation #1: Define Your Current Security Operations Model, and Let That Inform Your Immediate Solution Requirements

Organizations have widely divergent security operations models, and in evaluating SIEM solutions it is important to know where you fit on the continuum, so you can choose a solution that matches your current needs (and budget) while giving you the flexibility to scale and evolve your operations over time. At the high end, some organizations maintain a large, centralized SOC facility, staffed by numerous security analysts, each with a focused area of responsibility (e.g. server events). In a more common scenario, a small group of analysts, typically with primary roles in IT or network operations, share a range of security operations responsibilities. Yet a third model is a virtual SOC whose members are geographically distributed.

Whichever model you currently employ, the goal of a SIEM solution is not to replace people with technology but to make them more productive and effective in their jobs. Selecting an appropriate solution requires an understanding of their current responsibilities and workflow processes. How are responsibilities and tasks divided among staff members? How are alerts prioritized, and do you require 24/7 response? How much staff bandwidth can be devoted to forensics?

[1] Big Changes Are Ahead For The SIM Marketplace, Paul Stamp, Forrester Research, February 27, 2008

Understand What Isn't Working and Why

It's equally important to understand shortcomings in the current environment that may be limiting your people's effectiveness. For example:

- If your staff is spending too much time chasing down false positives or low-priority alerts, it may be that correlation rules are written too broadly or do not take into account other data such as assets and vulnerabilities, resulting in inaccurate alerts.
- If forensics investigations are slow and cumbersome or inconclusive, the reason may be that historical event data cannot be easily and quickly retrieved from a single authoritative source. Or maybe it hasn't even been captured by the SIEM system and thus cannot be retrieved at all.
- If critical events are not being resolved in a timely way, it may be due to inadequate or fragmented workflow processes.

Often, such issues arise from fundamental flaws in the SIEM solution itself or because built-in functionality is too costly to operationalize in your real-world setting.

Recommendation #2: Consider These Critical Solution Elements for Security Operations

Three solution attributes are essential to addressing some of the most common SIEM failings regarding security operations support: real-time data capture and analysis, capture of all security and operational event data, and effective forensics tools.

Strong Acquisition, Strong Analysis

A SIEM solution should perform two core functions equally well:

- Real-time capture and analysis of incoming event-log data to support real-time threat detection and response.
- Rapid retrieval and reporting on previously captured data so it can be readily sliced and diced for purposes of forensics, network operations, compliance or legal discovery.

Most solutions can be optimized to do one thing or the other well, but not both, forcing the vendor to favor one capability over another. In contrast, the RSA envision platform is purpose-built to balance these requirements, with collection, analysis and querying functionality all tightly integrated into object-oriented database technology that ensures flexibility and optimal performance.

Access to All the Data

Most solutions don't analyze raw event activity on acquisition because doing so would slow performance to an unacceptable level. Instead, by normalizing and preprocessing the data, they reduce it to a subset of exceptions that are then subjected to analysis. Some solutions discard the remaining data altogether, preventing its later use in forensic, audit or reporting activities. Other solutions retain the raw event data, but in a separate repository that is not well integrated with query and reporting functions. This can greatly hinder efforts to analyze and report on historical data. Ensure that the solution you select eliminates this problem by collecting all incoming event data and retaining it for later use. As you write new correlation rules to address new threats, reporting or audit requirements, those rules can readily act on all the relevant data, increasing the accuracy of alerts and allowing you to reanalyze past events.

Robust Forensics and Workflow Tools

Forensic and workflow tools are a critical element in enhancing the productivity of security operations staff, successfully closing more incidents and reducing your average time-to-resolution for investigations. Robust, user-friendly forensic tools will give your analysts the visibility, flexibility and sheer processing power they need to play back events of interest, filter event data on many different variables and reconstruct security or operational events from end to end.

Workflow tools should be sufficiently flexible that they can support and streamline your team's current processes for managing investigations while enabling unforeseen process changes that may be implemented in the future. Workflow capabilities should span the investigation lifecycle: from identification and initial investigation, routing to the most appropriate team member(s), automatic escalation of high-priority or hard-to-resolve incidents, through to resolution, closure and archiving. Straightforward integration with leading ticketing systems such as Peregrine and Remedy helps enable incidents and all associated research to be seamlessly handed off to the corporate system of record for ticketing and event tracking.

SIEM For Security: A Quick Overview

While SIEM solutions differ significantly in their architectures, functionality and features, they all serve a similar purpose. As Gartner has stated, "End users need to analyze security event data in real time (for threat management, primarily focused on network events) and to analyze and report on log data (for security policy compliance monitoring, primarily focused on host and application events)." [2]

SIEM solutions automate and streamline the process of collecting event-log data, including but not limited to security event data, from diverse sources across the network. Using data aggregation and event correlation techniques, these products analyze the data to identify known security threats and recognize anomalous behavior that might indicate a problem. By triggering alerts, a SIEM solution can set in motion manual or automated processes for investigating and containing a suspected or known attack. Further, SIEM solutions facilitate forensic investigations and simplify the process of responding to audit requests. Increasingly, they also include capabilities for managing the storage and archiving of log data, which facilitates compliance with regulatory requirements for long-term data retention.

Most SIEM solutions are either software-based or packaged on optimized appliances to simplify deployment; the RSA envision platform is based on this latter model. Products typically consist of server software, a centralized web-based management console and, in many cases, agent software that needs to be deployed on or near the devices to be monitored. Many solutions include added storage capacity and data repositories to store and manage event data.

SIEM does not, on its own, prevent or mitigate attacks, and customers who expect it to function in that way are likely to be disappointed. However, when deployed as part of a larger security ecosystem that supports the work of security analysts, SIEM plays a critical role in threat detection, analysis, remediation, forensics and compliance reporting.

[2] Ibid.

Recommendation #3: Incorporate Strategic Requirements Into Your Selection Process

Increasingly, security professionals' effectiveness is determined by their ability to make the transition from being protectors of information assets to being enablers of business innovation and success. In selecting a SIEM solution for security operations, you not only need to address immediate requirements but also align with the strategic needs of the business. For example, a product should provide sufficient functionality in all major deliverables of SIEM (security, compliance and network operations) so that one solution can serve all three purposes, reducing cost and complexity. Strategic considerations include:

- New business initiatives. Initiatives such as an acquisition, a major e-commerce initiative or the expansion of a partner ecosystem place new capacity and operational demands on the network and create new areas of security risk. A SIEM solution should support planning in all these areas, with existing event data providing insight to guide your security and network operations strategies. And, of course, once those initiatives are in place, the solution should easily interface with new event sources to capture the security and network operations event data they generate.
- Compliance. You need the flexibility to respond to new and unforeseen compliance requirements. This requires an ability to look back on previously captured events, including those that are currently of no interest to regulators but which may become critical to meet audit requirements in the future. Collecting and retaining all security event data, not just the data that is relevant to current threats and compliance mandates, is a mandatory step in meeting future audit requirements.
- Information risk management. Increasingly, organizations are developing approaches for identifying and measuring where their greatest information risks exist (e.g., where their most valuable data resides and where it is most vulnerable) and using that information to prioritize security investments. Your SIEM vendor should have a vision for supporting information risk management and a clearly articulated road map for how a SIEM solution and other elements of the security infrastructure will interoperate to form a security ecosystem that systematically reduces information risk.

Taking these broader requirements into account provides a strategic framework for assessing competing solutions. This helps ensure that both security operations functionality and corporate priorities receive appropriate consideration in your selection process.

Recommendation #4: SIEM Should Easily Integrate With Everything Around You

As many industry watchers have observed, there is a clear trend away from multiple stovepipe solutions for information security and compliance, which are costly and cumbersome to manage and provide poor visibility across complex environments. Customers are opting for SIEM solutions that are part of a broader offering delivered by major technology vendors. Gartner notes that, "The SIEM market has been impacted significantly by consolidation, with larger vendors acquiring best-of-breed players to expand their product portfolios in security. This market evolution has been influencing purchasing trends, with end users increasingly buying SIEM as an addition to broader security products." [3] Gartner sees ease of deployment and good integration with clients' existing infrastructures as increasingly important factors behind product selection.

Ensure Broad Visibility Into Sources of Event Data

As one component of the RSA security portfolio, the RSA envision solution aligns squarely with these trends and excels in an area that is especially vital: providing visibility into event sources. Many SIEM solutions only provide visibility into a subset of the environment. Some are network-centric; others are operating system- or server-centric. In either case, you're forced either to live with blind spots or to undertake costly integrations to sufficiently broaden your view of security and network operations events.

[3] Gartner, Dataquest Insight: Forecast Analysis for Security Information and Event Management, Worldwide, 2007-2012, by Ruggero Contu and Mark Nicolett, March 5, 2008

The RSA envision platform supports one of the broadest ranges of event sources out of the box, including:

- Perimeter security (e.g. firewalls and intrusion detection systems)
- Other security tools (e.g. identity and access management)
- Network elements (e.g. routers and switches)
- Network operations tools (e.g. configuration management)
- Mainframes and servers
- Storage
- Business applications (e.g. SAP)
- Databases and operating systems

Additionally, via Universal Event Source Support, envision technology lets you add new event sources, including proprietary applications and devices, without requiring programming. With the broadest possible view of your environment, a SIEM solution is better positioned to detect the full range of events requiring investigation or remedial action.

Recommendation #5: Complement Event Correlation With Other Sources of Intelligence

In choosing a solution, it is critical that all logs be collected and that the correlation engine can handle processing of all incoming event data, across all locations, in real time. Backlogs and delays will undermine your ability to immediately recognize and respond to threats. Even worse, if only a subset of data is correlated, you may completely miss a critical security alert. The RSA envision platform has a powerful correlation engine that, combined with the ability to collect vast amounts of event data across all locations, enables processing in real time to alert customers of high-priority events as they occur.

Event correlation is an important aspect of any SIEM solution, addressing the information overload caused by an unceasing torrent of event-log data. Through the application of correlation rules, a correlation engine filters out extraneous information, recognizes patterns that suggest anomalous or suspicious activity and consolidates related data into actionable events for handling by security analysts or network administrators. When optimized for the customer's unique environment, the combination of event correlation rules and a correlation engine greatly reduces the total number of events and alarms, suppresses false positives and reliably elevates the highest-priority events for action.

Be Prepared To Tailor Correlation Rules To Match Your Environment

It is important to have a realistic understanding of the effort required to optimize event correlation. Correlation rules, which pre-define patterns, scenarios and relationships among events that may indicate further attention is warranted, are a key mechanism in event correlation. Built-in templates and default correlation rules streamline the rule-writing process for your security analysts, but they only take you so far. As Network World [3] has written, "You have to be willing to look deep into what you really care about and either write or activate rules that will make the product work...users must be willing to fine-tune a product before rolling it out and on an ongoing basis to keep it working effectively at reducing the noise of non-events and identify events critical to securing the environment."

[3] NetworkWorld IT Buyer's Guide, http://www.networkworld.com/buyersguides/guide.php?cat=865479

In Writing Rules, Context Is Key

Trying to anticipate and write correlation rules to address theoretical future attack scenarios has often resulted in failure (e.g. increased alarm volume, high false positives or low-priority alerts); it is like trying to predict where, in the future, you should look for a needle in a haystack. Correlation rules are most effective and accurate when underpinned by real data about your environment, combined with contextual information delivered by other tools, such as emerging threat information, vulnerability data, asset data, application-level information and identity management information. For example, a security event such as a failed authentication on a Windows server may be deemed a high priority. However, that security event combined with asset data provides additional context. If the asset data reveals that this asset has low value, the failed authentication will result in a lower-priority event.

Recommendation #6: Manage the Information Lifecycle of Log Data

Storage of log data is a critical element of a SIEM solution. Over time, log data will accumulate at an accelerating rate, driven by two key factors:

- Growth in the number of devices and applications on your network
- Regulatory requirements for retaining security event data

Potentially adding to your storage burden, some solutions require extensive pre-processing, indexing and metadata to support event analysis. This can increase storage requirements up to ten-fold, adding dramatically to storage management costs over the life of your solution.

Ensure that the solution you select has properly designed data lifecycle options. At least one major appliance provider offers only on-board storage for event data. A well-designed solution should support storage area networks (SANs) or network-attached storage (NAS). This will provide you with a more flexible and cost-effective solution, and one which is also more resilient from an availability and disaster recovery perspective.

As the Security Division of EMC, the world's leading developer and provider of information infrastructure technology and solutions, RSA brings unparalleled storage expertise and innovation to SIEM solutions. For example, a tiered storage approach will allow you to efficiently move event data to less costly storage tiers over time, as access needs lessen, yet still ensure full visibility and easy retrieval for legal, discovery, regulatory and forensic needs. By enabling up to 70% compression of event data, without compromising performance, an EMC/RSA solution can further reduce your lifecycle storage costs.
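The two points made above under "Access to All the Data" (Recommendation #2) and "In Writing Rules, Context Is Key" can be shown concretely. The following is an added example written for this page; it is not code from the white paper or from the RSA envision product. It normalizes a handful of constructed authentication events, applies an ingest-time rule whose priority depends on a constructed asset inventory, and then replays a rule written later (a password-spray pattern across several hosts) against two stores: one that retained every raw event and one that kept only the exceptions flagged at ingest. All hostnames, addresses, user names, thresholds and the asset values are assumptions made for the example.

```python
"""Context-aware correlation over a retained raw event store.

Added example; not code from the RSA white paper or the envision product.
It demonstrates two points the paper makes:
  1. keeping all raw events lets a rule written later be replayed over
     history, while a store that kept only the exceptions flagged at ingest
     cannot reconstruct the same picture;
  2. the same raw event gets a different priority once asset context is
     applied (a failed logon on a low-value lab box vs. a domain controller).
Hostnames, addresses, users and the asset inventory are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory: hostname -> business value of the asset.
ASSETS = {"dc01": "high", "db-fin01": "high", "lab-test07": "low"}

# Constructed raw event lines in a simple key=value syslog style.
RAW_EVENTS = """\
2008-07-01T09:00:01 host=lab-test07 src=10.1.5.23 user=jsmith event=auth_failure
2008-07-01T09:00:05 host=dc01 src=10.1.5.23 user=jsmith event=auth_failure
2008-07-01T09:00:09 host=dc01 src=10.1.5.23 user=admin event=auth_failure
2008-07-01T09:00:12 host=db-fin01 src=10.1.5.23 user=admin event=auth_failure
2008-07-01T09:00:15 host=db-fin01 src=10.1.5.23 user=root event=auth_failure
2008-07-01T09:01:40 host=dc01 src=10.1.5.23 user=jsmith event=auth_success
2008-07-01T09:30:00 host=dc01 src=10.2.0.8 user=svc-backup event=auth_success
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def normalize(line):
    """Parse one raw line into a dict of fields; the raw line is kept alongside."""
    m = LINE_RE.match(line)
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    fields["raw"] = line
    return fields


def rule_failed_auth(event, assets):
    """Ingest-time rule: a single failed logon, prioritized by the asset's value."""
    if event["event"] != "auth_failure":
        return None
    value = assets.get(event["host"], "unknown")
    priority = {"high": "high", "low": "low"}.get(value, "medium")
    return {"rule": "failed_auth", "host": event["host"],
            "src": event["src"], "priority": priority}


def rule_password_spray(events, window=timedelta(seconds=60), threshold=3):
    """Rule written later: one source failing against >= threshold hosts in a window."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "auth_failure":
            by_src[e["src"]].append(e)
    hits = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["host"] for e in in_window}
            if len(hosts) >= threshold:
                hits.append({"rule": "password_spray", "src": src,
                             "hosts": sorted(hosts), "priority": "high"})
                break  # one alert per source is enough
    return hits


def ingest(raw_lines, assets):
    """Run the ingest-time rule and build two stores side by side:
    'retained' keeps every normalized event; 'exceptions_only' keeps only
    events that looked important at ingest, as a reduce-on-arrival design would."""
    retained = [normalize(line) for line in raw_lines]
    alerts, exceptions_only = [], []
    for event in retained:
        alert = rule_failed_auth(event, assets)
        if alert:
            alerts.append(alert)
            if alert["priority"] != "low":
                exceptions_only.append(event)
    return {"retained": retained, "exceptions_only": exceptions_only, "alerts": alerts}


def replay(store):
    """Apply the later-written spray rule to a stored event set."""
    return rule_password_spray(store)


if __name__ == "__main__":
    result = ingest(RAW_EVENTS, ASSETS)
    for alert in result["alerts"]:
        print(alert)
    print("retained raw store:    ", replay(result["retained"]))
    print("exceptions-only store: ", replay(result["exceptions_only"]))
```

Run stand-alone, the ingest-time rule yields one low-priority alert for the lab host and four high-priority alerts for the domain controller and the finance database, which is the asset-context effect the paper describes. The replayed spray rule fires only against the store that kept everything: the reduce-on-arrival store discarded the lab host's failure as unimportant, so the same source now appears to have touched only two hosts and falls under the threshold.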
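The tiered storage approach described in Recommendation #6 can likewise be sketched in code. This is an added example written for this page, not code from the white paper or from any RSA or EMC product. It models a store whose data lands on a fast online tier, is compressed and moved to cheaper tiers as it ages, remains searchable across every tier by date range, and is purged only once it passes the retention period. The tier boundaries, the relative cost figures, the retention period and the log lines are all constructed for the example; the retention period in particular is a value you would set from your own regulatory requirements.

```python
"""Tiered retention for event data with transparent retrieval.

Added example; not code from the white paper or any RSA/EMC product. It
implements the lifecycle the paper describes: events land on a fast online
tier, move to cheaper compressed tiers as they age, stay searchable from
every tier by date range, and are purged only once the retention period has
passed. The tier boundaries, relative cost figures and log lines below are
constructed, and the retention period is a value you would set from your own
regulatory requirements.
"""
import zlib
from datetime import datetime, timedelta

# Constructed policy: (tier name, maximum age in days, relative cost per stored byte).
# The last tier's maximum age is the retention period.
TIERS = [("online", 30, 1.00), ("nearline", 365, 0.30), ("archive", 7 * 365, 0.05)]


class EventStore:
    def __init__(self, now):
        self.now = now
        # Each tier maps a day to its payload: text on 'online', zlib bytes elsewhere.
        self.tiers = {name: {} for name, _, _ in TIERS}

    def ingest(self, day, lines):
        """New data always lands on the online tier."""
        self.tiers["online"][day] = "\n".join(lines)

    def tier_for(self, day):
        """Tier a day's data belongs in under the policy; None once past retention."""
        age = (self.now - day).days
        for name, max_age, _ in TIERS:
            if age <= max_age:
                return name
        return None

    def run_lifecycle(self):
        """Move each day's data to the tier its age dictates; purge beyond retention."""
        moved, purged = [], []
        for name, _, _ in TIERS:
            for day in list(self.tiers[name]):
                target = self.tier_for(day)
                if target == name:
                    continue
                payload = self.tiers[name].pop(day)
                if target is None:
                    purged.append(day)
                    continue
                if name == "online":  # compress once, on the way off the fast tier
                    payload = zlib.compress(payload.encode())
                self.tiers[target][day] = payload
                moved.append((day, name, target))
        return moved, purged

    def query(self, start, end, needle):
        """Search every tier for lines containing needle; cold data is decompressed on read."""
        hits = []
        for name, _, _ in TIERS:
            for day, payload in self.tiers[name].items():
                if start <= day <= end:
                    text = payload if name == "online" else zlib.decompress(payload).decode()
                    hits.extend((name, line) for line in text.splitlines() if needle in line)
        return hits

    def cost_by_tier(self):
        """Relative storage cost per tier, from stored bytes and the per-tier rate."""
        return {name: round(sum(len(p) for p in self.tiers[name].values()) * rate, 2)
                for name, _, rate in TIERS}


NOW = datetime(2008, 7, 1)
# Constructed day's worth of similar auth events (repetitive, as real logs are).
DEMO_LINES = [f"host=dc01 src=10.1.5.{i} user=jsmith event=auth_success" for i in range(50)]


def build_demo_store():
    """Ingest four days of data at ages that fall into each tier and one beyond retention."""
    store = EventStore(NOW)
    for age in (1, 100, 400, 3000):
        store.ingest(NOW - timedelta(days=age), DEMO_LINES)
    return store


if __name__ == "__main__":
    store = build_demo_store()
    moved, purged = store.run_lifecycle()
    print("moved:", moved)
    print("purged:", purged)
    print("cost by tier:", store.cost_by_tier())
    print("jsmith hits in the last 500 days:",
          len(store.query(NOW - timedelta(days=500), NOW, "jsmith")))
```

The design point to notice is that `query` never asks the caller which tier to look in: placement is a cost decision made by the lifecycle job, while retrieval for a forensic or discovery request sees one logical store. Compression happens exactly once, when data leaves the online tier, so later moves between cold tiers are plain copies. The purge step is the only place data is destroyed, and it is driven solely by the retention boundary of the last tier.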

Recommendation #7: Understand Your True Solution Costs

Before you commit to a particular solution, you need to understand what the initial and ongoing costs will be. A solution should meet your initial needs at minimal cost, to ensure you are not incurring up-front costs out of proportion to the benefits, while allowing you to scale with reasonable investment to an enterprise-wide deployment. In addition to considering the cost of storage management, as discussed earlier, be sure you understand other cost elements:

- Server hardware. For software-only solutions, this is nearly always an additional cost.
- Software licensing fees. What are the initial and ongoing costs for the core solution platform, agent software and third-party products such as database software?
- Event source support. What sources are supported, and what is the cost of adding additional types and numbers of sources?
- Optional modules. What reporting, alerting and audit modules are included in the price being quoted, and what is the cost of any optional modules you require to meet your stated goals for the solution's functionality?
- Personnel costs. Especially when speaking with references provided by the vendor, frankly explore what specialized resources were required to deploy and support the solution. These may include security analysts, consultants involved in integration efforts, database and platform support resources, and ongoing support for thousands of software agents. Personnel costs represent a significant portion of a project, and complex operations and integration needs can lead to unforeseen (and unbudgeted) costs.
- Capacity enhancements and software. What are the costs associated with expanding your capacity to handle a larger volume of event data or upgrading a software-only solution?

To mitigate project risks, ask your vendor to provide a firm and all-inclusive quote that addresses these cost elements, along with strong assurance that the initial configuration being proposed will reliably support the volume of events you are anticipating.

About RSA

RSA, The Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. RSA's information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle, no matter where it moves, who accesses it or how it is used.

RSA offers industry-leading solutions in identity assurance & access control, data loss prevention, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.rsa.com and www.emc.com.

RSA, envision and RSA Security are registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. EMC is a registered trademark of EMC Corporation. All other products or services mentioned are trademarks of their respective owners. 2008 RSA Security Inc. All rights reserved. 7SIEM WP 0708