UTM and SIEM

It's interesting that we would see a parallel evolution of SIEM and UTM culminating in a convergence. It's interesting because historically there is a major difference between the two: SIEMs aggregate log data and don't create any of their own, and UTMs create data and analyze what it sees. So SIEMs have security devices of just about every kind feeding them data while UTMs have sensors feeding them. So why do we tend to think about them - sometimes - as birds of a feather? The answer to that has not really been clear until the recent dramatic change in the threatscape.

Over the past couple of years, something else that likely will be a catalyst has been evolving: The incursion of next-generation devices on the cybersecurity landscape. These tools bring in logs, they talk to sensors and they mix it together with threat feeds from threat intelligence sources. True, there still are pure-play SIEMs - and we saw that this month - but if we polish up our crystal balls we can see where the future is leading us. In this month's reviews, we have a pretty good mix of pure-play, hybrid SIEM/UTM and next-generation tools.

Industry analysts at Forrester, back in 2015, took a close look at SIEM and drew some conclusions. First, they said that SIEM was inadequate for today's threatscape for three main reasons: it cannot detect unknown threats, it cannot detect and understand data exfiltration, and it cannot detect threats that already are inside the enterprise. Forrester also opined that the future lies in security analytics. That - whether the firm intended it or not - set the stage for the next generation of SIEM.

So, what about the UTM side of the picture? UTMs generally develop their own data in some fashion. Historically, UTMs provided firewall, intrusion detection, anti-malware, anti-spam and content filtering. In that regard, they functioned at the perimeter much like a security gateway. Today, they offer lots of other functionality, such as SSL VPN, access control and communication with endpoint security tools. That means that the UTM is dealing with original data: a login, a denial by a firewall and so on. In fact, it is not unreasonable that the log output of a UTM might feed a SIEM. Now comes the next generation to pull all of the pieces together.

To be sure, the next-generation SIEM consumes logs. But it also performs a lot of analysis that we did not see in SIEMs in the early days. Today, the SIEM looks at every log source in the enterprise - from the perimeter to the endpoints and everything in between. It also consumes threat data from various threat and intelligence feeds. The idea is to move toward being proactive instead of simply responsive after the fact. This richer collection of input also brings the SIEM into the interior of the enterprise and lets it recognize data exfiltration.

In fact, some SIEMs today constantly inventory the enterprise and add assets as they find them. The administrator can group these and weight them for analytical purposes. So what of the UTM? UTM functionality may be trying to find its appropriate level. For example, what should the role of the UTM be? Should it deliver on the original plan of taking the place of all of the point solutions to point problems? Should the UTM take the place of the DLP device, for example? Should the UTM integrate what's going on inside the enterprise with what's going on outside?

The answer to these questions as we look forward is also the question for you to ask as you make security architecture decisions: If you are looking at a SIEM, would you likely ask, "Why buy that? My UTM does everything the SIEM does." In fact, some of the SIEMs we looked at this month are so close to being a mix that we have to wonder where the next couple of years are going to take this product group.

The game changer with next-generation SIEM - as with all next-generation tools - is threat intelligence coupled with powerful analytics and machine learning. When you bring these two pieces to bear on a very powerful traditional SIEM, with some of the properties of a UTM, you have the next step in fighting the bad guys. It's interesting, perhaps, that we are an industry that exists because hacking has become such a sophisticated enterprise that we are hard-pressed to keep up. The traditional game of Leapfrog is still with us, but the stakes are higher, the bad guys are more business-like and they are often well funded, professional cybercriminals. The tools in this month's group are made to order for that sort of threatscape.

Specifications for SIEM and UTM tools

Products reviewed:
- EventTracker
- CorreLog
- LogRhythm
- WatchGuard
- AlienVault
- Intel Security

Specifications compared (yes/no for each product):
- Performs log correlation
- Offers agentless log collection
- Available as a cloud service
- Supports gateway anti-virus capability
- Offers intrusion prevention (one product noted as IDS, not IPS)
- Performs web content filtering
- Supports DLP functionality
- Includes built-in templates to support regulatory compliance
- Built on next-generation architecture (e.g., machine learning)
