Security Information and Event Management: Business Benefits and Security, Governance and Assurance Perspectives




An ISACA Emerging Technology White Paper

Abstract

In today's information-driven business environment, enterprise systems and processes capture an ever-increasing amount of data. To derive meaningful and actionable information from this data, businesses are compelled to commit significant resources to perform the necessary analysis. While all business areas are impacted to varying degrees, few face a greater challenge than the information security department. To support its mission to protect critical information assets, the information security department must maintain an ongoing process to capture, analyze and subsequently act on log and alert information collected from a wide array of systems across the enterprise. Typically, these data must be analyzed and actionable information extracted and acted on in near real time, placing even greater demands on departmental resources.

Security information and event management (SIEM) is an emerging technology solution that has been developed with the goal of introducing greater intelligence and automation into the collection, correlation and analysis of log and alert data, which, in turn, should allow security analysts to focus on what is most important. This white paper provides an overview of SIEM technology, explores the benefits and risks associated with an enterprise's use of SIEM, and discusses key governance and assurance considerations when deploying an SIEM solution.

ISACA

With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) designations. ISACA continually updates COBIT, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Disclaimer

ISACA has designed and created Security Information and Event Management: Business Benefits and Security, Governance and Assurance Perspectives (the "Work") primarily as an educational resource for security, governance and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security, governance and assurance professionals should apply their own professional judgment to the specific control circumstances presented by the particular systems or information technology environment.

Reservation of Rights

© 2010 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full attribution of the material's source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org

CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout the world.

ISACA wishes to recognize:

Project Development Team
Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece, Chair
Goran Chamurovski, CISA, ISMS LA, INTEGRA Solution, Macedonia
Francis Kaitano, CISA, CISM, CISSP, MCAD.Net, MCSD, IRD, New Zealand
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium

Expert Review Team
Daniel Berbecaru, CISA, PMP, Revera, Inc., Canada
Luis Duarte, CISA, CISM, CGEIT, Cafe De Columbia, Columbia
Joerg Fritsch, CISM, NATO C3, The Netherlands
Joey Hernandez, CISSP, iscsp, USA
Hussam Khattab, CISA, MCSE, PMP, Arab Bank PLC, Jordan
Bassil Mohammad, CISA, CISM, CRISC, CEH, Ernst & Young, Jordan
Pradeep Navalkar, CISA, CISM, Accident Compensation Corporation, New Zealand
Beth Pumo, CISA, CISM, University of Michigan Health System Compliance Office, USA
David F. Severski, CISA, CISM, Seattle Children's, USA
Stephane Vuille, SGS Group Management Ltd., United Kingdom

ISACA Board of Directors
Emil D'Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece, Vice President
Ria Lucas, CISA, CGEIT, Telstra Corp. Ltd., Australia, Vice President
Hitoshi Ota, CISA, CISM, CGEIT, CIA, Mizuho Corporate Bank Ltd., Japan, Vice President
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico, Vice President
Robert E. Stroud, CGEIT, CA Technologies, USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Rolf M. von Roessing, CISA, CISM, CGEIT, Forfa AG, Germany, Vice President
Lynn C. Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Director
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Director
Howard Nicholson, CISA, CGEIT, CRISC, City of Salisbury, Australia, Director
Jeff Spivey, CPP, PSP, Security Risk Management, USA, ITGI Trustee

Guidance and Practices Committee
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Chair
Kamal N. Dave, CISA, CISM, CGEIT, Hewlett-Packard, USA
Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Switzerland
Ramses Gallego, CISM, CGEIT, CISSP, Entel IT Consulting, Spain
Phillip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, Capco IT Service India Pvt. Ltd., India
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico
Frank Van Der Zwaag, CISA, CISSP, Westpac New Zealand, New Zealand

ISACA and IT Governance Institute (ITGI) Affiliates and Sponsors
American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Information Systems Security Association
Institut de la Gouvernance des Systèmes d'Information
Institute of Management Accountants Inc.
ISACA chapters
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
University of Antwerp Management School
ASI System Integration
Hewlett-Packard
IBM
SOAProjects Inc.
Symantec Corp.
TruArx Inc.

Introduction

With each passing year, enterprises collect, process and store an increasing amount of data from an ever-expanding set of internal and external sources. While this abundance of data holds great potential to provide guidance for decision making in many areas of the enterprise, this can only happen once the data have been captured, categorized and subsequently analyzed to determine what useful information the data actually contain. The information derived from this process can provide great rewards in business intelligence and operational effectiveness, but it frequently comes at a significant cost to both system and personnel resources, of which many enterprises have little to spare.

This need to extract useful, actionable information is of particular importance for information security, in which the rapid and accurate interpretation of data collected from security devices can mean the difference between business as usual and wide system outages, virus outbreaks or headline-creating data loss. Many information security departments are similarly challenged by a lack of resources and are unable to investigate effectively the countless alerts and logged events that stream across their security system consoles on a daily basis. The end result is that many security professionals often find themselves with too much data and not enough actionable information.[1] This inability to extract and leverage the rich set of information provided by security and security-aware systems decreases the value of the security technology investments, increases information security risk, and negatively affects the effectiveness and efficiency of the information security department.

Security information and event management (SIEM) technology emerged during the last decade as an attempt to address this data overload. SIEM specifically seeks to answer two distinct questions:

Which alerts and logged security events (among the thousands that are happening on my network each day) require my attention?
How do I extract meaningful and actionable information from the log data collected from the ever-increasing number of devices on my enterprise infrastructure?

This white paper provides an overview of SIEM technology, explores the benefits and risks associated with an enterprise's use of SIEM, and discusses key governance and assurance considerations when deploying an SIEM solution.

Defining SIEM

The SIEM acronym is attributed to Gartner analysts Amrit Williams and Mark Nicolett[2] and is derived from two separate, but complementary, technologies: security event management (SEM) and security information management (SIM). During the past decade, these two technologies have converged into a single solution set known today as SIEM.

SEM was a technology solution that focused on real-time or near-real-time monitoring, correlation and processing of security events. These events were typically alerts generated by a network security device, such as a firewall or intrusion detection system (IDS), because the device had detected potentially malicious network or host activity that matched a preconfigured pattern.

SIM, on the other hand, focused on the historical analysis of log file information to support forensic investigations and reporting. SIM often looked at the same events as SEM, but not in real time. Central to the SIM solution was event and log storage and archival, searching and analysis functions, and robust reporting capabilities.

[1] Rothman, Mike; Understanding and Selecting SIEM/Log Management: Introduction, Securosis, 27 April 2010, www.securosis.com/blog/understanding-and-selecting-siem-log-management-introduction
[2] Williams, Amrit; The Future of SIEM: The Market Will Begin to Diverge, Amrit Williams Blog, 1 January 2007, http://techbuddha.wordpress.com/2007/01/01/the-future-of-siem

The SIEM system combines the capabilities of each of these technologies into a single solution. Additionally, SIEM solutions now frequently incorporate a broader log management function that increases the scope of the devices with which they interface to include a much wider set of enterprise systems. The specific capabilities common to most SIEM solutions are as follows:

Data collection
In a typical use case, an SIEM solution must be able to touch any number of different systems: firewalls, proxy servers, databases, intrusion detection and prevention systems, operating systems (OSs), routers, switches, access control systems, etc. Some of these may share similar logging and alert functions, but frequently, there is significant variation in the format, protocol and information provided. Data collection happens in a number of ways, often dependent on the solution and end system. Some systems may be able to connect directly to the central SIEM system using a standard protocol, while others may use a vendor-proprietary protocol or application programming interface (API), requiring that the SIEM solution understand that protocol/API or that a third-party application be added to translate from the end source to the SIEM solution. Other end systems simply write a plaintext log file that the SIEM system or an agent will periodically retrieve.

Data aggregation
Once the SIEM solution collects the information from its various sources, it combines the data into a single data store, facilitating correlation along with other functions of SEM and the forensic and reporting functions of SIM. Aggregation may seem straightforward, but it presents a number of challenges and considerations. Architecture must be considered as well. Depending on the size and physical footprint of an enterprise, the amount of data being collected, and the IT infrastructure, aggregation may be done centrally or in one of several distributed methods.

Data normalization
Normalization is the process of resolving different representations of the same types of data into a similar format in a common database. SIEM solutions pull information from a large number of devices, and while these devices frequently collect the same information (e.g., source and destination network address, protocol type, time, date), it is often reported in different formats. The process of normalization extracts common information and expresses it in a consistent format, which allows for a direct comparison of different events. For example, once normalized, a logged event from a Cisco router will look the same as one from a Check Point firewall and any proprietary information will have been discarded. In today's regulation-driven environment, the ability to store log files in their raw format is an important function that should be built into the SIEM product. Frequently, before normalizing data, copies of the raw logs are stored in their native format to ensure that a full record of the logs is maintained. This information can prove valuable for investigations and to ensure compliance.

Event correlation
Event correlation is the function of linking multiple security events or alerts, typically within a given time window and across multiple systems, to identify anomalous activity that would not be evident from any singular event. To accomplish this, the SIEM solution must have rules in place that instruct the correlation engine about the types of events it should attempt to correlate and the conditions that would warrant an alert. Most solutions have preestablished rule sets, but tuning these preexisting rules is frequently required, as is creating custom rules tailored to the environment. Caution must be exercised to avoid establishing too many or too complex correlation rules because each new rule will exponentially increase computing requirements and, eventually, may render the correlation process ineffective.

Alerting
Closely tied to event correlation, alerting is the functionality that enables SIEM systems to establish alerts based on both preestablished and custom alert triggers. All solutions will at least alert to the SIEM console, but some may offer extended alerting capabilities (such as alerts sent via text messaging and e-mail, and trouble ticket generation).

Reporting
The reporting function is often the central focus of the compliance use case. It is critical for the SIEM solution to make the processes of defining, generating and exporting reports as versatile and user-friendly as possible. Both custom reporting and report templates (generally for common regulations such as the Payment Card Industry Data Security Standard [PCI DSS], the US Sarbanes-Oxley Act, solvency or J-SOX) are typically part of an SIEM solution.

Forensics
The ability to search log and alert data for indicators of malicious or otherwise anomalous activities is the forensic function of the SIEM. Forensics, which is supported by the event correlation and normalization processes, requires highly customizable and detailed query capabilities and drill-down access to raw log files and archival data. Working in concert, these technologies can greatly enhance the investigative capabilities of security analysts, just as the data collection, aggregation and correlation technologies enhance their ability to detect and respond to real-time events.
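The normalization, correlation and alerting functions described above can be seen end to end in the following example, which was added to this edition and is not part of the ISACA white paper nor any vendor's SIEM code. It normalizes two constructed log formats (the field names and layouts are invented for the example, not real Cisco or Check Point syntax) into one common schema while retaining each raw line, then applies a single time-window correlation rule and emits alerts. The same code also illustrates the time-synchronization risk listed in Figure 1: a helper skews one device's clock, and the identical rule then silently fails to fire. The rule thresholds, the device names and the sample lines are all assumptions.

```python
"""Illustrative SIEM-style pipeline (not a product):
collect -> normalize (keeping raw) -> correlate within a time window -> alert."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Two constructed line formats. Field names and layouts are invented for this
# example; they are not real Cisco or Check Point log syntax.
ROUTER_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>PERMIT|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)
FIREWALL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] fw=(?P<host>\S+) act=(?P<action>accept|drop) "
    r"s_ip=(?P<src>\S+) d_ip=(?P<dst>\S+) svc=(?P<proto>\w+)/(?P<dport>\d+)$"
)
# Vendor-specific verbs collapse onto one vocabulary so events compare directly.
ACTION_MAP = {"PERMIT": "allow", "accept": "allow", "DENY": "deny", "drop": "deny"}

# Constructed sample feed: three denies for one source across two devices within
# 40 seconds, unrelated traffic, and one line in a format no parser was registered for.
SAMPLE_LOGS = [
    "2010-06-01T10:00:00Z router1 DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=22",
    "2010-06-01T10:00:05Z router1 PERMIT src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443",
    "[2010-06-01T10:00:20Z] fw=fw1 act=drop s_ip=203.0.113.5 d_ip=192.0.2.11 svc=tcp/22",
    "2010-06-01T10:00:40Z router1 DENY src=203.0.113.5 dst=192.0.2.12 proto=tcp dport=22",
    "[2010-06-01T10:05:00Z] fw=fw1 act=drop s_ip=198.51.100.9 d_ip=192.0.2.10 svc=udp/53",
    "2010-06-01T10:06:00Z router1 DENY src=198.51.100.9 dst=192.0.2.10 proto=udp dport=53",
    "Jun  1 10:07:00 legacy-app: session opened for user alice",  # unsupported format
]


def parse_ts(text):
    """Both formats emit ISO 8601 UTC with a trailing Z; return an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line):
    """Map a line of either known format onto one schema, or return None when no
    parser matches. The raw line is kept so an investigator can drill down to it."""
    for regex in (ROUTER_RE, FIREWALL_RE):
        m = regex.match(line)
        if m:
            d = m.groupdict()
            return {
                "ts": parse_ts(d["ts"]),
                "device": d["host"],
                "action": ACTION_MAP[d["action"]],
                "src": d["src"],
                "dst": d["dst"],
                "proto": d["proto"].lower(),
                "dport": int(d["dport"]),
                "raw": line,
            }
    return None


def correlate(events, window=timedelta(seconds=60), threshold=3, min_devices=2):
    """Rule: at least `threshold` deny events from one source within `window`,
    reported by at least `min_devices` distinct devices. One alert per source."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "deny":
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span is at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hits = evs[start:end + 1]
            devices = {e["device"] for e in hits}
            if len(hits) >= threshold and len(devices) >= min_devices:
                alerts.append({"src": src, "count": len(hits),
                               "devices": sorted(devices),
                               "raw": [e["raw"] for e in hits]})
                break
    return alerts


def run(lines):
    """Collect, normalize and correlate. Unparsed lines are returned rather than
    dropped, so a gap in device support is visible to whoever operates the SIEM."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed, correlate(events)


def shift_device_clock(events, device, offset_seconds):
    """Simulate a device whose clock is off by `offset_seconds` (no trusted time
    source): same events, skewed timestamps, so the window rule can miss them."""
    delta = timedelta(seconds=offset_seconds)
    return [dict(e, ts=e["ts"] + delta) if e["device"] == device else e for e in events]


if __name__ == "__main__":
    events, unparsed, alerts = run(SAMPLE_LOGS)
    print(f"{len(events)} normalized, {len(unparsed)} unparsed, {len(alerts)} alert(s)")
    for a in alerts:
        print(a["src"], a["count"], a["devices"])
    print("alerts with fw1 clock 5 min ahead:", len(correlate(shift_device_clock(events, "fw1", 300))))
```

Running it produces one alert for 203.0.113.5 (three denies across router1 and fw1 within 40 seconds), no alert for the source with only two denies, and one unparsed line reported for follow-up. With fw1's clock moved five minutes ahead, the same rule produces no alert at all, which is the failure mode behind the time-server mitigation in Figure 1.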

Central management console
While not a specific capability or technology, a central management console or dashboard is among the most critical components of an SIEM solution. It is the primary interface to monitor real-time events and to perform analysis, reporting and manipulation of stored log data.

Business Benefits of SIEM

The business benefits derived from a properly implemented SIEM program include:

Greater value from investment in security technology
SIEM enables more effective use of the security log and event information, thereby allowing security teams to realize more fully the potential of security systems.

Comprehensive and efficient reporting
Developing and delivering reports to multiple assurance and regulatory entities can be almost a full-time job for a security manager. By supporting a wide range of systems and facilitating much of the log collection and reporting process through automated tools and report templates, an SIEM solution can reduce a task that formerly took days to a matter of hours, freeing the security manager to better focus on higher-priority responsibilities.

Reduced capital and operational costs
Converging tools such as SEM, SIM, log management and analysis systems, and database activity monitoring (DAM) systems into a single SIEM solution will enable the enterprise to save time and money. Purchase and maintenance costs associated with many monitoring and analysis systems can be lessened by having a single SIEM tool.

Reduced risk of noncompliance
SIEM systems provide enterprises with detailed reports. During an audit or investigation, an enterprise will have the information needed to demonstrate compliance or due diligence.

Broader organizational support for information security
An effective SIEM system involves a broad base of stakeholders who must work together, frequently in cross-functional teams, to evaluate events, create reports and take actions to address incidents flagged by the SIEM system. These activities can help break down organizational silos and create a broader and more consistent culture of security and overall risk management.

Early detection of security incidents
Just as the right tools make a difference for a mechanic, a properly implemented SIEM solution provides security analysts with a tool set that can greatly enhance their effectiveness. A more effective security team has a greater likelihood of intercepting and addressing security events in their early stages before they can significantly impact the enterprise. This effectiveness can help reduce the overall information risk profile of the enterprise.

Risks Associated With an SIEM Implementation

While SIEM is largely a passive system, there are risks to the effectiveness of the SIEM platform and the surrounding operational environment if steps are not taken to anticipate and mitigate risks inherent to the deployment of the technology. Figure 1 shows some key operational risks associated with the procurement, deployment and ongoing management of an SIEM solution.

Figure 1 Risks Associated With SIEM

Risk scenario: Mismatch of the SIEM product/platform/deployment model with log data volume, leading to poor system performance
Impact/associated risks: Inaccurate reports; undetected security events
Mitigation strategy: It is important to ensure that a careful assessment is made of the rate of log data expected to be processed by the SIEM solution. In addition to the rate of data, the location of target hosts and the network that the log data must traverse will impact both product selection and the deployment model utilized.

Figure 1 Risks Associated With SIEM (cont.)

Risk scenario: Ineffective/incomplete processes to respond to events, leading to ignoring or mishandling alerts or other events
Impact/associated risks: Regulatory/compliance violations; inaccurate reports; undetected security events; loss of sensitive data
Mitigation strategy: An SIEM solution requires the support of an established incident response program. If not already in place, one should be established prior to the implementation of an SIEM solution.

Risk scenario: Inadequate program/process for ongoing tuning and configuration of the SIEM solution, leading to excessive false positives, misinterpreted or missed events, key systems excluded from event/log capture, and poor SIEM system performance
Impact/associated risks: Regulatory/compliance violations; inaccurate reports; undetected security breaches; loss of sensitive data
Mitigation strategy: SIEM's continued effectiveness depends on ongoing tuning. Changes in the IT infrastructure can have a significant impact on SIEM function. Those responsible for SIEM management should ensure that they are tied into the enterprise change management process and in regular contact with key stakeholders so that changes and new requirements can be anticipated and dealt with effectively. Correlation rules that are too numerous or too complex can also negatively impact the SIEM engine by placing excessive processing demands on the system.

Risk scenario: All key systems not supported by the SIEM solution, potentially leaving critical gaps in information collected
Impact/associated risks: Regulatory/compliance violations; inaccurate reports; undetected security breaches; loss of sensitive data
Mitigation strategy: Requirements written for the SIEM solution should list all systems that will be monitored by the solution, and confirmation should be secured that these systems are supported by the SIEM solution.

Risk scenario: Insufficient resource allocation to manage the SIEM solution, leading to missed, misinterpreted or delayed reaction to alerts and events
Impact/associated risks: Regulatory/compliance violations; inaccurate reports; undetected security breaches; loss of sensitive data
Mitigation strategy: Appropriately skilled and trained resources are required to support SIEM. SIEM is not a plug-and-play solution, and it will not replace the skills of a trained security analyst. Instead, SIEM enables the security analyst to focus on what is important by eliminating what is unimportant or repetitive. Ultimately, it is still the role of a skilled analyst to investigate and make a determination regarding the actual risk presented by a flagged event. Ensure that the agreement with the SIEM vendor includes training for personnel on key topics such as integration and signature creation and for hands-on training not only in a lab environment, but also on the system deployed in your enterprise. Note that this risk can be significantly greater in small to medium-sized enterprises because resources are typically already constrained. Ensuring a narrow scope for the initial implementation, combined with appropriate cross training, can help mitigate this additional risk.

Risk scenario: Selection of an SIEM solution that requires a significant number of server-based agents (special software that must be installed on systems that otherwise would not be able to communicate with the SIEM solution), leading to significant resource expenditures required to install, test, update and maintain these agents
Impact/associated risks: Impact to resources required for other information security and general IT tasks; potential conflicts with host server software
Mitigation strategy: While an agent is sometimes the only method to communicate between an end system and the SIEM host, deploying and maintaining a large number of agents can produce significant overhead for the IT department. When selecting an SIEM solution, choose one that will not require numerous agents for data collection.

Risk scenario: Lack of consistent time synchronization among all platforms, impacting the event correlation process
Impact/associated risks: Missed events and alerts
Mitigation strategy: All enterprise systems should be linked to a trusted and properly configured time server.

Figure 1 Risks Associated With SIEM (cont.)

Risk Scenario: Lack of available system-specific expertise required to effectively analyze events, leading to the inability to investigate and resolve issues in an acceptable time frame
Impact/Associated Risks: Missed or misinterpreted events
Mitigation Strategy: Not all events lend themselves to effective investigation by a security analyst alone. For example, an alert on an action taken by a database administrator (DBA) may or may not have been appropriate for the system in question, but this question cannot typically be answered by an analyst who is unfamiliar with the system. The SIEM event investigation workflow can often require the involvement of system owners or other stakeholders who are familiar with the context of the event in question. It is important to engage all individuals necessary for the investigation of flagged events prior to the implementation of the SIEM solution. These individuals and their management will need to be advised of their expected level of involvement and the amount of time that may be required of them. Being asked to assist with these types of assessments with no prior warning or management buy-in can add an unexpected (and frequently unappreciated) workload for these individuals and will not be conducive to a successful SIEM program.

Governance and Change Considerations for SIEM

The use of SIEM in enterprises has demonstrated a positive impact in the area of governance, risk management and compliance (GRC). In 2007, the Aberdeen Group found that, compared to the industry average, enterprises that utilized an SIEM solution rated their performance 15 percent higher on prioritizing security and compliance-related investments, 11 percent higher on speed of decision making regarding security GRC, and 18 percent higher on optimizing business processes related to security GRC.[3]

Careful planning and communication are required to ensure that the SIEM solution meets stakeholder expectations, supports business objectives and adds value to the enterprise. Planning and communication are also critical in introducing the inevitable changes to process that will occur with the introduction of SIEM. As the SIEM deployment unfolds, the following guidelines can help ensure that the changes and impacts to the enterprise that accompany procurement, integration and implementation are anticipated and appropriately addressed:

Ensure that all stakeholders have been engaged and have realistic expectations and clear goals in mind for the SIEM solution

Enterprises should begin an SIEM project with a clear understanding of the specific problems they are trying to solve and the success criteria for the project. Leveraging an experienced consultant or impartial reseller can help ensure that the goals set truly belong to the enterprise and have not been skewed by vendor input. It is also critically important that all stakeholders be involved in requirements development. In large, distributed enterprises, it is particularly important to reach out to all stakeholders to ensure that another log management solution is not already deployed within the enterprise, because this could lead to redundancies, conflicts and system overhead.

Define scope

An important component of governance and change considerations for the project is determining the specific use cases that are required and validating these with the appropriate stakeholders, including internal audit, compliance, risk management, IT security, IT operations, IT architecture, legal counsel and key business leadership.

[3] Aberdeen Group, The Role of Security Information and Event Management (SIEM) in Security Governance, Risk Management, and Compliance (GRC), March 2008, www.intellitactics.com/pdfs/grc_whitepaper_aberdeen.pdf

Based on the use cases selected, a list can be made of all potential data sources (system types) associated with each use case and the type of data that will be captured from each source. This list will help in selecting the SIEM solution and can also help identify additional stakeholders or individuals who must be included in the workflow.

Consider change and legal ramifications

While an SIEM solution can add efficiencies in many ways and reduce workload for tasks such as compliance reporting, depending on the use case, it can also create new processes and business impacts by revealing situations that may have previously gone unnoticed. For example, if the enterprise did not previously monitor privileged users such as DBAs, but will now monitor them with the SIEM solution, this will produce new information that must be reviewed and potentially acted on. If the activity of a DBA is logged by the SIEM system as suspicious, someone must be available to make a determination as to whether the activity was actually a security violation, an error or a nonevent. On systems such as databases, the expertise and contextual knowledge to make this determination typically fall outside the security department. This is a workflow decision that must be made when planning this type of monitoring. Will those who need to make the assessment be available when needed? What type of turnaround (SLA) is expected? Do the identified individuals have time to drop everything to make an assessment each time an alert is raised? How do their managers feel about this new responsibility? As seen in this example, there can be new questions and potential changes when implementing this type of solution. Carefully planning the workflow steps that will be required by each use case and involving the impacted stakeholders early in the process can help avoid significant setbacks to the SIEM implementation.
When considering a solution such as SIEM, the previous questions must be asked and answered to understand not only what type of technical solution is needed, but also how best to manage, implement and utilize the tool. Issues such as business process improvement and human resource management will be affected, and careful planning to address these issues prior to selection and implementation of an SIEM system will help to ensure that the enterprise derives value from the system immediately.

Assurance Considerations for SIEM

The IT assurance team has the responsibility of assuring senior management that the selection, implementation and ongoing management of the SIEM solution are appropriately managed and governed. Assurance efforts pertaining to an SIEM implementation should focus on the following four areas:

1. Strategy and governance

The design and implementation of an effective SIEM architecture are driven by good governance and an enterprise strategy that clearly defines the strategy, goals and objectives for implementing SIEM. Some of the concepts to take into consideration include:
Does the enterprise have an information security program in place (including policies, standards and procedures) that addresses the requirements for SIEM? The program should include baselines and thresholds to be monitored by the SIEM solution and clear roles and responsibilities for managing the SIEM infrastructure. A governance steering committee to review and analyze reports and metrics should exist, coupled with a security review committee to review the SIEM implementation.
Is a risk management framework in place? Do clear risk assessment procedures for reviewing risks associated with SIEM exist, and are risk mitigation controls specified? Was a risk assessment project carried out to review each business process that is impacted by the SIEM initiative?

2. People

People are the greatest asset of any enterprise and are integral to the successful implementation of the SIEM architecture. However, to be so, they need the appropriate functional skills and know-how. Senior management needs the assurance that employees have a tactical view of the enterprise and are clear about their roles and responsibilities throughout the SIEM project life cycle. Some questions to ask include:
Does the enterprise have effective project management procedures? Effective procedures include building a project team composed of staff from various business areas, in addition to IT, and ensuring that the project team and other stakeholders understand the project scope, outcomes and time lines.
Is there an effective training and awareness program? Did the SIEM project team and other staff members receive effective training on the SIEM technology? Is regular and periodic training pertaining to policies, risk and the SIEM technology provided to users? Are users and third parties aware of their roles and responsibilities in relation to SIEM?
Does the enterprise have personnel with the skills needed to design and implement an SIEM solution that will meet the enterprise's expectations?

3. Processes

The enterprise should outline repeatable SIEM processes that will aid business stakeholders in accomplishing day-to-day business requirements. These processes should be treated as simple guidelines, directions and steps for managing and implementing the SIEM infrastructure. The following business processes should be in place to ensure that the SIEM infrastructure is aligned to the enterprise's policies and standards:
Processes for managing user accounts in the SIEM system (creation, deletion, password reset/unlock) and segregation of duties (SoD)
Privacy and data integrity controls for protecting sensitive information
Processes for data collection, logging, aggregation, correlation and reporting
Change and configuration management controls to ensure that changes to the SIEM environment do not introduce risks to the enterprise
Consistent processes for reviewing and dealing with security incidents reported through the SIEM system
Processes used by management to review SIEM reports
Incident response and reporting processes

4. Technology

Senior management invests in technologies such as SIEM to enable the enterprise to meet certain business objectives and goals. At the same time, management expects to get the best possible return on investment (ROI) and business value from such investments.
It is vital for the enterprise to gain reasonable assurance that the SIEM technology is augmenting, or will augment, the business drivers, strategies and goals. Some questions to ask include:
Do the SIEM architecture design principles align with the enterprise strategies?
Do the technical controls designed into the SIEM architecture adequately support the business objectives and risk appetite?
Does the SIEM architecture effectively allow integration of the SIEM components (several event sources, log collection, log analysis, correlation, reporting dashboard, storage, identity and access management systems, etc.)?
Does the enterprise have effective encryption and access controls to protect the data as they move between the various SIEM components? Are logs collected and stored by the SIEM system protected from tampering?
Are there effective vulnerability, patching and hardening procedures in place for the SIEM infrastructure? Are the SIEM servers hardened in line with the enterprise's policies, and is the SIEM infrastructure patched regularly to minimize the risk of being exploited?
Has the enterprise put in place effective network optimization and performance controls to minimize the risk of outages or network bottlenecks that may be caused by the SIEM system?
Are there suitable controls for ensuring effective log storage and retention to minimize the risk of data loss or leakage?
Are there controls in place to ensure that all impacted systems are providing logs in the required time frame and format?
Were business continuity and disaster recovery considered in the design?
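Two of the technology questions above (are stored logs protected from tampering, and are all expected systems delivering logs within the required time frame) can be turned into automated assurance checks. The following is an added example, not code from the ISACA paper or any SIEM product: a keyed hash chain that makes stored entries tamper-evident, plus a staleness check over an inventory of expected sources. The key, source names, records and the 15-minute delivery window are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

KEY = b"constructed-demo-key"  # constructed; a real store keeps the key on the log server only
GENESIS = "0" * 64
# Constructed sample records appended in arrival order; ad01 is expected but never reports.
SAMPLE = [
    {"ts": "2024-05-01T10:00:00+00:00", "source": "db01", "event": "dba_login"},
    {"ts": "2024-05-01T10:05:00+00:00", "source": "fw01", "event": "deny"},
    {"ts": "2024-05-01T10:07:00+00:00", "source": "db01", "event": "alter_table"},
]
EXPECTED_SOURCES = ["db01", "fw01", "ad01"]

def entry_digest(prev_digest, record):
    """Keyed digest over the previous digest plus the canonical record."""
    payload = prev_digest.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()

def append(log, record):
    """Store a copy of the record with a digest that commits to every earlier entry."""
    prev = log[-1]["digest"] if log else GENESIS
    log.append({"record": dict(record), "digest": entry_digest(prev, record)})

def verify_chain(log):
    """Index of the first entry whose digest breaks the chain, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(entry["digest"], entry_digest(prev, entry["record"])):
            return i
        prev = entry["digest"]

def stale_sources(log, expected, now, max_gap):
    """Expected sources that never reported or have been silent longer than max_gap."""
    last_seen = {}
    for entry in log:  # arrival order, so the last record seen per source is the newest
        last_seen[entry["record"]["source"]] = datetime.fromisoformat(entry["record"]["ts"])
    return sorted(s for s in expected if s not in last_seen or now - last_seen[s] > max_gap)

def demo():
    log = []
    for rec in SAMPLE:
        append(log, rec)
    intact = verify_chain(log)  # None: the untouched chain verifies
    log[1]["record"]["event"] = "allow"  # simulate an edit to an entry already stored
    tampered = verify_chain(log)  # 1: first digest that no longer matches
    now = datetime(2024, 5, 1, 10, 15, tzinfo=timezone.utc)
    stale = stale_sources(log, EXPECTED_SOURCES, now, timedelta(minutes=15))
    return intact, tampered, stale  # (None, 1, ["ad01"])
```

Because the digest is keyed, a party able to edit stored entries cannot recompute a valid chain without the key; truncation of the newest entries would additionally require the head digest to be recorded out of band.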

Conclusions

A properly implemented SIEM solution can provide significant benefit to the enterprise by improving compliance monitoring and reporting capabilities, increasing the efficiency of the information security team, and fostering a broader awareness and culture of risk management. However, without proper planning, configuration, monitoring, communication and ongoing management commitment, the same solution may not achieve the desired benefits. The same could occur if an enterprise deploys an SIEM product without a full understanding of the specific information that the enterprise seeks to learn from the solution. To derive value from the system, there must be a structured approach to planning for and integrating new technology solutions into the infrastructure and an ongoing commitment to maintaining and appropriately resourcing the SIEM solution.

Additional Resources and Feedback

Visit www.isaca.org/siem for additional resources and use the feedback function to provide your comments and suggestions on this document. Your feedback is a very important element in the development of ISACA guidance for its constituents and is greatly appreciated.