Security Information and Event Management (SIEM)
Organizations rely on security technology in their efforts to secure their computers and networks. Security technologies such as antivirus software, firewalls, intrusion detection systems (IDSs), and intrusion prevention systems (IPSs) have become commonplace in organizations, especially in larger countries around the world. Security information and event management (SIEM) tools, which aggregate, store, manage, and analyze IDS, IPS, and other security-relevant log data to provide an indication of the security condition of systems and networks, are the latest type of technology to gain considerable popularity with organizations. This entry explains what SIEM technology is, the functionality it delivers, the benefits as well as the possible downsides of using this technology, and how to manage this technology to achieve maximum benefits.

ABOUT SIEM TECHNOLOGY

Security information and event management (SIEM) comes from two acronyms, SIM and SEM. SIM means security information management—aggregating log data, storing it, and in the process of doing both, meeting compliance requirements. The earliest SIEM tools were actually SIM tools that made it possible to collect and view log data from a single console. SEM means security event management—collecting log data and applying analysis algorithms to identify threats and quickly respond to them. SIEM is the Gartner Group acronym for SIM and SEM technology, both of which Gartner deems so highly related that they fall into a single category in Gartner’s classification. In reality, vendors have been adding SEM functionality to many SIM products, and a parallel trend has been happening in the SEM product arena, to the point that very few single-purpose SIEM products now exist. Most of these products now offer some combination of the following functions:

Log aggregation: Gathering log output from all over the network into a single console.

Log storage: Storing all aggregated log data in a log server.
Real-time analysis of threats: Security operations personnel need to become aware of attacks as soon as possible after they occur. SIEM technology is designed to fulfill this need by analyzing log data and issuing alerts whenever individual log entries, or combinations of them, indicate that attacks have occurred.

Retrieval of historical data: Security operations personnel sometimes also need to retrieve and view historical log data to determine whether computers and devices are behaving the way they should, whether users have been conforming to the provisions of an organization’s information security policy, and so on. SIEM technology supports retrieval of stored data so that users can obtain this type of information, usually through reports that can be scheduled or created on demand.

Display of a network’s topology, hosts, and devices: Most SIEM tools provide a depiction of an organization’s network topology and the elements therein. This helps users visualize where threats are manifesting themselves and which hosts and devices may be at elevated risk because of compromises in the part of the network where they reside.

Display of critical status indicators: Many SIEM tools provide visual depictions of the rates and types of attacks that have occurred, the percentage of hosts in compliance, and more, in the form of pie charts, line graphs, and dashboards.

Creation of cases: Many SIEM tools also enable users to open a “case,” a way of storing information about an incident, sharing it with other members of an incident response effort, and forensically preserving it.

Workflow tracking: Using an incident response methodology is one of the most important things incident responders can do during incident response activity. A workflow describes the steps within a methodology that need to be completed. Some SIEM tools provide a workflow to guide incident responders toward appropriate actions and to help them verify that they have completed each step.
Compliance verification: Compliance is a major risk issue facing information security practices. Most SIEM tools provide reports that verify that an organization has complied with various provisions of regulations and standards, such as the ISO/IEC 27001/27002 requirement for continuous network monitoring.

Encyclopedia of Information Assurance, DOI: 10.1081/E-EIA-120046525. Copyright © 2011 by Taylor & Francis. All rights reserved.

BENEFITS OF SIEM TECHNOLOGY

SIEM technology has grown in popularity over recent years because it offers numerous benefits to information security practices. Some of the most important of these benefits are described in this section.

Reduction in Labor Costs

All things considered, saving time and money is one of the most compelling reasons to use SIEM technology. Output from sources such as firewalls, IDSs, and individual systems is potentially extremely valuable in helping technical and other staff determine the security condition of an organization’s systems and networks. Accessing the massive amount of output produced by IDSs, firewalls, and other sources is a major potential challenge, however, because the output of each is by default accessible only on the system or device that produced it. Gathering all this information in a single console, a function inherent in current SIEM technology, makes accessing the data much more convenient and efficient. Furthermore, requiring technical staff members to sift through the massive amounts of log data that these systems and devices invariably produce is not practicable because of the amount of time and effort required. An automated means of analyzing this output, the kind of analysis that SIEM tools perform, can thus result in a substantial reduction of analyst time and consequently also of labor-related expenses. Given the difficulty information security managers have in obtaining needed financial resources, SIEM technology can go a long way toward compensating for this problem.
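The functions listed above (log aggregation, log storage, real-time analysis, and retrieval of historical data) and the automated analysis credited with reducing analyst time can be made concrete with a small, self-contained pipeline. The following is an added example written for this entry, not code from the encyclopedia or from any SIEM vendor: it normalizes two constructed log feeds (an sshd syslog feed and a firewall feed, with made-up hosts and documentation-range IP addresses) into one schema, keeps them in an in-memory store, runs a single correlation rule that alerts only when several failed logins from one source are followed by a success, and supports a time-range query over the store. Rule names, thresholds, and log formats are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from two sources (not real systems):
# an sshd syslog feed and a firewall feed, each in its own native format.
SSHD_LOGS = [
    "2024-03-01T10:00:01 host-a sshd[101]: Failed password for root from 198.51.100.7 port 5001 ssh2",
    "2024-03-01T10:00:03 host-a sshd[102]: Failed password for root from 198.51.100.7 port 5002 ssh2",
    "2024-03-01T10:00:05 host-a sshd[103]: Failed password for admin from 198.51.100.7 port 5003 ssh2",
    "2024-03-01T10:00:09 host-a sshd[104]: Accepted password for admin from 198.51.100.7 port 5004 ssh2",
    "2024-03-01T10:05:00 host-b sshd[201]: Failed password for alice from 203.0.113.9 port 6001 ssh2",
    "2024-03-01T10:07:00 host-b sshd[202]: Accepted password for alice from 203.0.113.9 port 6002 ssh2",
]
FIREWALL_LOGS = [
    "2024-03-01T09:59:58 fw-1 kernel: DROP src=198.51.100.7 dst=10.0.0.5 proto=TCP dpt=22",
    "2024-03-01T10:00:00 fw-1 kernel: ACCEPT src=198.51.100.7 dst=10.0.0.5 proto=TCP dpt=22",
]

# Assumed (hypothetical) line formats for the two feeds.
SSHD_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
FW_RE = re.compile(r"^(\S+) (\S+) kernel: (DROP|ACCEPT) src=(\S+) dst=(\S+) proto=(\S+) dpt=(\d+)")


def normalize(line):
    """Aggregation step: parse one native line into a common event schema."""
    m = SSHD_RE.match(line)
    if m:
        ts, host, outcome, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "source": "sshd",
                "type": "auth_failure" if outcome == "Failed" else "auth_success",
                "user": user, "src_ip": src}
    m = FW_RE.match(line)
    if m:
        ts, host, action, src, dst, proto, dpt = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "source": "firewall",
                "type": "fw_" + action.lower(), "src_ip": src, "dst_ip": dst,
                "proto": proto, "dport": int(dpt)}
    return None  # unknown format; a production SIEM would count and surface these


def aggregate(*feeds):
    """Storage step: merge every feed into one time-ordered store."""
    events = [e for feed in feeds for e in map(normalize, feed) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=1)):
    """Real-time analysis step: alert when `threshold` or more failed logins
    from one source IP are followed, within `window`, by a success from the
    same IP. Individual failures stay in the store but raise no alert, which
    is the significant/non-significant distinction the text describes."""
    alerts = []
    failures = defaultdict(list)  # src_ip -> timestamps of failed logins seen so far
    for e in events:
        if e["type"] == "auth_failure":
            failures[e["src_ip"]].append(e["ts"])
        elif e["type"] == "auth_success":
            recent = [t for t in failures[e["src_ip"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "src_ip": e["src_ip"],
                               "host": e["host"], "user": e["user"],
                               "failures": len(recent), "ts": e["ts"]})
    return alerts


def query(events, host=None, start=None, end=None):
    """Retrieval of historical data: filter the store by host and time range."""
    return [e for e in events
            if (host is None or e["host"] == host)
            and (start is None or e["ts"] >= start)
            and (end is None or e["ts"] <= end)]


if __name__ == "__main__":
    store = aggregate(SSHD_LOGS, FIREWALL_LOGS)
    for alert in correlate_bruteforce(store):
        print("ALERT", alert)
    print(len(query(store, host="host-a")), "events stored for host-a")
```

With the constructed feeds, the store holds eight events; only the host-a sequence (three failures, then a success, all within a minute from the same address) produces an alert, while the single failure on host-b is retained for later retrieval but never surfaced to an analyst.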
Log Data Archival and Log Management

For the sake of investigations, due diligence, compliance, and other reasons, SIEM tools that deliver SIM functionality archive log and other data. Given that many SIEM tools receive massive amounts of data, having a great amount of disk space (e.g., several terabytes at a minimum) is essential if the data is to be written to the physical platform on which the SIEM tool resides. A growing trend is to transmit all data to a storage area network (SAN) that has almost unlimited storage space, or to transmit data to inline storage devices with very large storage capacity. SIEM tools that provide SIM functionality also provide log management functionality designed to ensure that no log data are overwritten and that log data can be easily accessed when they are needed, usually through built-in reporting mechanisms.

Achieving Compliance with Security Regulations

SIEM tools can also help organizations achieve compliance with a variety of security-related regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm–Leach–Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI-DSS), ISO/IEC 27001/27002, and Basel II. For example, SIEM tools can help verify compliance with PCI-DSS Requirement 1.2 (firewall configuration verification—traffic from untrusted networks) by confirming that no incoming traffic from networks other than trusted ones (e.g., branch office networks, networks of third-party business partners, and so on) has gotten past each external firewall. SIEM tools’ archived log data are the major basis on which compliance with regulations is verified.
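The PCI-DSS Requirement 1.2 check described above is a report computed over archived firewall logs, which is exactly what a SIEM's SIM side stores. The following added example (written for this entry, not code from the encyclopedia or from any product) walks through a constructed archive of firewall decisions in a simple key=value format, classifies each inbound source address as trusted or untrusted against an assumed list of trusted networks (a hypothetical branch office range and a partner range), and produces a per-firewall summary plus the list of records that would make the organization non-compliant. The record format, firewall names, and network ranges are all assumptions.

```python
import ipaddress

# Constructed archive of firewall log records (not from a real device). Each
# record is one decision an external firewall made, in an assumed key=value form.
ARCHIVED_FIREWALL_LOGS = [
    "ts=2024-03-01T08:00:00 fw=fw-ext-1 action=ACCEPT dir=in src=10.20.0.15 dst=10.0.1.10 dport=443",
    "ts=2024-03-01T08:00:02 fw=fw-ext-1 action=DROP dir=in src=198.51.100.23 dst=10.0.1.10 dport=445",
    "ts=2024-03-01T08:00:05 fw=fw-ext-1 action=ACCEPT dir=in src=192.0.2.40 dst=10.0.1.25 dport=3389",
    "ts=2024-03-01T08:00:07 fw=fw-ext-2 action=ACCEPT dir=in src=172.16.5.9 dst=10.0.2.7 dport=22",
    "ts=2024-03-01T08:00:09 fw=fw-ext-2 action=ACCEPT dir=out src=10.0.2.7 dst=198.51.100.80 dport=443",
    "ts=2024-03-01T08:00:11 fw=fw-ext-2 action=ACCEPT dir=in src=203.0.113.77 dst=10.0.2.7 dport=22",
]

# Assumed trusted networks for this example: a branch office and a business partner.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),   # hypothetical branch office
    ipaddress.ip_network("172.16.5.0/24"),  # hypothetical third-party partner
]


def parse_record(line):
    """Split one key=value record into a dict of string fields."""
    return dict(field.split("=", 1) for field in line.split())


def is_trusted(src, trusted=TRUSTED_NETWORKS):
    """True when the source address falls inside any trusted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in trusted)


def pci_req_1_2_report(lines, trusted=TRUSTED_NETWORKS):
    """Check the Requirement 1.2 condition the text describes: no inbound
    traffic from an untrusted network was accepted by an external firewall.
    Returns an overall verdict, per-firewall counts, and the violating records."""
    summary = {}
    violations = []
    for line in lines:
        r = parse_record(line)
        counts = summary.setdefault(
            r["fw"], {"inbound_accepted": 0, "untrusted_accepted": 0, "untrusted_dropped": 0})
        if r["dir"] != "in":
            continue  # outbound decisions are outside the scope of this requirement
        untrusted = not is_trusted(r["src"], trusted)
        if r["action"] == "ACCEPT":
            counts["inbound_accepted"] += 1
            if untrusted:
                counts["untrusted_accepted"] += 1
                violations.append(r)  # evidence for the auditor and for remediation
        elif r["action"] == "DROP" and untrusted:
            counts["untrusted_dropped"] += 1
    return {"compliant": not violations, "per_firewall": summary, "violations": violations}


if __name__ == "__main__":
    report = pci_req_1_2_report(ARCHIVED_FIREWALL_LOGS)
    print("compliant:", report["compliant"])
    for fw, counts in report["per_firewall"].items():
        print(fw, counts)
    for v in report["violations"]:
        print("VIOLATION", v["ts"], v["fw"], v["src"], "->", v["dst"], "port", v["dport"])
```

On the constructed archive the report is non-compliant: each external firewall accepted one inbound connection from an address outside the trusted ranges, and those two records are returned as evidence, while the dropped untrusted attempt is counted separately as the expected behaviour.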
Log data reveal not only traffic flow and access patterns, but also whether critical security devices such as firewalls, IDSs, and IPSs are deployed where they should be within each network, whether or not unpatched vulnerabilities exist, whether critical servers have withstood attacks, and much more.

Facilitating the Ability to Distinguish between Significant and Non-significant Events

Most SIEM tools receive a large amount of log data from many systems and devices and then supply the data to event correlation algorithms that trigger alerts when indications of attacks occur. The alerts inform security analysts of significant events that require attention and action; information about non-significant events remains accessible, but analysts do not have to be bothered with it. Accordingly, tasks such as security threat monitoring and incident response become considerably more manageable for analysts, who can pay more attention and devote more time to analyzing critical information instead of having to collect and mentally correlate volumes of data pertaining to potential security-related events.

Contributing to a More Complete Threat Analysis

Recognizing the totality of threats that can materialize is a nearly impossible task, yet performing a valid threat analysis is one of the most important components of risk management. SIEM tools can help in that they employ event correlation algorithms that can identify previously overlooked threats. Additionally, because SIEM tools aggregate and archive log data, they facilitate post-hoc analysis of threats, as well as of threat trends, that would not otherwise be feasible to perform.

Compensating for Limitations in Intrusion Detection Technology

Like any security (or other) technology, intrusion detection technology is imperfect. If it were perfect, this technology would produce a correct detection every time an attack occurred and would never produce a false alarm.
The degree of imperfection depends on the particular IDS tool, but even the best IDS tool available today cannot correctly detect every attack and avoid all false alarms. As stated earlier, SIEM tools collect output