A capable SIEM needs to take vulnerabilities, threats, assets and flows into account in order to give a credible picture of the enterprise at any moment, says Peter Stephenson.
Security information and event management (SIEM) products have pretty much reached a plateau in terms of product-type maturity. In terms of functionality, we did not see much that was new this year. However, the tools we looked at showed many improvements in the depth to which they analyze data and present it to the administrator.
That said, there are some areas that are coming to the fore in this group. For example, compliance is a big deal or, as SC Lab Manager Mike Stephenson put it, "Compliance, compliance, compliance." It would seem that the tenor of the times has caught up with us. Of course, the notion of compliance is not new. Several SIEMs have had a strong compliance focus, but now it appears that this is the driver behind the current crop of appliances.
Another development we saw this month is that SIEMs are beginning to lose their personalities. Whereas we are used to seeing appliances that are strong in log management or reporting or some other functionality, we now see all tools trying to be full-out SIEMs with all of the bells and whistles of a first rate correlation and reporting system. And, for the most part, they are succeeding.
Traditionally, a SIEM had either a SEM (security event manager) personality, centered on real-time event collection and correlation, or a SIM (security information manager) personality, centered on long-term log storage, search and reporting. Today's products have merged both in almost all cases. Taken with the lack of a particular functional specialty, this gives us a crop of first-rate appliances that all have similar price tags and functionality. That can make it hard to choose.
So what should you look for when you select a SIEM? Some have the compliance piece refined more than others, although all are heading in that direction, so if you really need compliance reporting, focus on those. The ability to distribute the tool across a large network is critical as well. Some devices do better in a confined environment, while others are intended to operate as distributed tools.
Another thing that is quite critical is the extent to which data feeds are supported. A capable SIEM should natively support network logs of just about any kind in common use (i.e., without first translating them to syslog format), flow records such as NetFlow, and application logs. It is good if the SIEM interfaces directly with a firewall or IDS/IPS. It also is good if the product offers geolocation.
Reporting is a big deal, and virtually our entire crop this month had good or very good reporting. It is, of course, important to have lots of canned reports that meet specific requirements, such as executive reports and compliance reports. However, truly capable SIEMs also have the ability for users to craft reports. Anyone who ever had a narrow requirement for a SIEM or SIEM-like product knows the value of being able to build an equally narrow report.
Another trend that we are beginning to see is the marriage of the SIEM to a particular product suite that enhances the basic appliance. One of the most obvious of these is application monitoring.
In today's environment, applications are as vulnerable as networked devices, and sometimes more so. Right at the top of that list are SQL databases, subject, of course, to SQL injection attacks. Injection arrives through the application, so the database's own logs show the malformed query while the web server and network logs show where the request came from. If one is running mission-critical SQL databases, pick a SIEM that can take log data from them and correlate it with the network data.
Correlation, of course, is what SIEMs are all about. To that end, look for a SIEM that lets you assign appropriate weightings to the elements that feed correlation. Not all alerts from logging and monitoring devices carry equal weight. Different assets have different criticalities, so that needs to be taken into account. Finally, the known vulnerabilities of those assets need to be considered: the same alert against an unpatched, business-critical server deserves a higher score than the same alert against a patched test box.
The bottom line here is that a capable SIEM needs to take vulnerabilities, threats, assets and flows into account in order to give a credible picture of the enterprise at any moment.
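The following is an added example for this article, not code from any product reviewed here. It shows, in miniature, the two points above: a database log and a web server log are parsed natively, suspicious statements are tied back to the request and source address that produced them, and each incident is scored with weights for the rule that fired, the criticality of the assets involved and whether any of them carries an open critical vulnerability. Every log line, host name, weight, criticality value and vulnerability finding is constructed for the example.

```python
"""Risk-weighted correlation of web and database events.

Added illustration for this article, not code from any product it reviews.
Every log line, host name, weight and vulnerability finding below is
constructed for the example.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample feeds (not real logs). Timestamps are ISO 8601.
WEB_LOG = [
    "2024-03-01T10:00:05 srcip=203.0.113.9 host=web01 path=/login?user=admin%27%20OR%20%271%27%3D%271 status=200",
    "2024-03-01T10:00:07 srcip=198.51.100.4 host=web01 path=/index.html status=200",
    "2024-03-01T10:00:20 srcip=198.51.100.4 host=web02 path=/search?q=%27%20OR%201%3D1-- status=500",
    "2024-03-01T10:01:00 srcip=192.0.2.77 host=web01 path=/login?user=%27%20UNION%20SELECT%201-- status=403",
]
DB_LOG = [
    "2024-03-01T10:00:06 host=db01 client=web01 stmt=SELECT * FROM users WHERE name='admin' OR '1'='1'",
    "2024-03-01T10:00:08 host=db01 client=web01 stmt=SELECT id FROM sessions WHERE token='abc'",
    "2024-03-01T10:00:21 host=db02 client=web02 stmt=SELECT * FROM products WHERE name='' OR 1=1--'",
]

# Asset context a SIEM would pull from a CMDB and a vulnerability scanner
# (assumed values): criticality on a 0..1 scale, and the set of assets with
# an open critical finding from the last scan.
ASSET_CRITICALITY = {"web01": 0.6, "web02": 0.4, "db01": 1.0, "db02": 0.5}
OPEN_CRITICAL_VULNS = {"db02"}

# Per-rule alert weights (assumed): a tautology seen at the database is
# stronger evidence than a suspicious string in a URL.
RULE_WEIGHTS = {"web_sqli_pattern": 4, "db_tautology": 6}
CORRELATION_WINDOW = timedelta(seconds=5)

# One parser per feed, as a SIEM with native log support would have.
WEB_RE = re.compile(r"(\S+) srcip=(\S+) host=(\S+) path=(\S+) status=(\d+)")
DB_RE = re.compile(r"(\S+) host=(\S+) client=(\S+) stmt=(.*)")
# Classic tautology and UNION indicators; a real rule set is much larger.
SQLI_RE = re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1|union\s+select|--\s*$", re.I)


def parse_web(line):
    ts, srcip, host, path, status = WEB_RE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts), "srcip": srcip, "host": host,
            "path": unquote(path), "status": int(status)}


def parse_db(line):
    ts, host, client, stmt = DB_RE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "client": client, "stmt": stmt}


def score(assets, rules):
    """Weight the rules that fired by the most critical asset involved and
    by whether any of those assets carries an open critical vulnerability."""
    base = sum(RULE_WEIGHTS[r] for r in rules)
    criticality = max(ASSET_CRITICALITY[a] for a in assets)
    vuln_factor = 1.5 if any(a in OPEN_CRITICAL_VULNS for a in assets) else 1.0
    return round(base * criticality * vuln_factor, 2)


def correlate(web_lines, db_lines):
    """Pair suspicious web requests with suspicious database statements issued
    by the same front end shortly afterwards, then rank incidents by score."""
    db_events = [parse_db(line) for line in db_lines]
    incidents = []
    for web in (parse_web(line) for line in web_lines):
        if not SQLI_RE.search(web["path"]):
            continue
        assets, rules = {web["host"]}, ["web_sqli_pattern"]
        for db in db_events:
            if (db["client"] == web["host"]
                    and timedelta(0) <= db["ts"] - web["ts"] <= CORRELATION_WINDOW
                    and SQLI_RE.search(db["stmt"])):
                assets.add(db["host"])
                rules.append("db_tautology")
        incidents.append({"srcip": web["srcip"], "assets": sorted(assets),
                          "rules": rules, "score": score(assets, rules)})
    return sorted(incidents, key=lambda inc: inc["score"], reverse=True)


if __name__ == "__main__":
    for inc in correlate(WEB_LOG, DB_LOG):
        print(f"{inc['score']:5.1f}  {inc['srcip']:<14} "
              f"{','.join(inc['assets'])}  {inc['rules']}")
```

Run stand-alone, the injection that reached a critical, patched database ranks first; the one that reached a lower-value database with an open critical finding ranks second because the vulnerability factor lifts it; the request that produced no database statement at all (blocked with a 403) ranks last. That ordering, rather than any single rule firing, is what a weighted correlation engine is meant to produce.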
One final consideration is forensics. SIEMs have huge value in forensic analysis of events. For the SIEM to deliver that value, though, it must be able to reach back easily and quickly for historical information and correlate it with current information. Historical information provides context for the event and shows pre-event activity, which is critical in trace-back.
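As an added example of the reach-back described above (not code from the article or any product in it), the block below keeps a small archive of constructed events in an in-memory SQLite table indexed on source address and time, and pulls everything a given source did in the window before an alert. The index is the point: it is what lets a store of this shape answer "what did this address do in the half hour before the alert" quickly at archive scale. All event lines, addresses and timestamps are constructed.

```python
"""Historical look-back for forensic context around an alert.

Added illustration for this article, not code from any product it reviews.
An in-memory SQLite table with a (srcip, ts) index stands in for a SIEM's
indexed archive; every event below is constructed.
"""
import sqlite3
from datetime import datetime, timedelta

# Constructed history: (ts, srcip, feed, summary). The 203.0.113.9 story is
# a port sweep, then failed logins, then the injection that raised the alert.
EVENTS = [
    ("2024-03-01T09:40:00", "203.0.113.9", "flow", "tcp/22 -> web01 syn only"),
    ("2024-03-01T09:40:01", "203.0.113.9", "flow", "tcp/443 -> web01 syn only"),
    ("2024-03-01T09:40:02", "203.0.113.9", "flow", "tcp/3306 -> db01 syn only"),
    ("2024-03-01T09:52:10", "203.0.113.9", "web", "GET /login 401"),
    ("2024-03-01T09:52:14", "203.0.113.9", "web", "GET /login 401"),
    ("2024-03-01T09:55:00", "198.51.100.4", "web", "GET /index.html 200"),
    ("2024-03-01T10:00:05", "203.0.113.9", "web", "GET /login?user=admin' OR '1'='1 200"),
    ("2024-03-01T10:00:06", "203.0.113.9", "db", "SELECT * FROM users WHERE name='admin' OR '1'='1'"),
]


def build_store(events):
    """Load events into an indexed table. ISO 8601 timestamps of one fixed
    format sort as text in chronological order, so they can be indexed as-is."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ev (ts TEXT, srcip TEXT, feed TEXT, summary TEXT)")
    con.execute("CREATE INDEX ev_src_ts ON ev (srcip, ts)")
    con.executemany("INSERT INTO ev VALUES (?, ?, ?, ?)", events)
    con.commit()
    return con


def lookback(con, srcip, alert_ts, minutes):
    """Return (ts, feed, summary) for everything srcip did in the window
    ending at the alert, oldest first. The alert itself is excluded."""
    end = datetime.fromisoformat(alert_ts)
    start = end - timedelta(minutes=minutes)
    return con.execute(
        "SELECT ts, feed, summary FROM ev "
        "WHERE srcip = ? AND ts >= ? AND ts < ? ORDER BY ts",
        (srcip, start.isoformat(), end.isoformat()),
    ).fetchall()


def context(con, srcip, alert_ts, minutes):
    """Summarize the pre-event activity: first contact and events per feed."""
    rows = lookback(con, srcip, alert_ts, minutes)
    per_feed = {}
    for _, feed, _ in rows:
        per_feed[feed] = per_feed.get(feed, 0) + 1
    return {"first_seen": rows[0][0] if rows else None,
            "per_feed": per_feed, "events": rows}


if __name__ == "__main__":
    store = build_store(EVENTS)
    ctx = context(store, "203.0.113.9", "2024-03-01T10:00:05", 30)
    print("first seen:", ctx["first_seen"], "by feed:", ctx["per_feed"])
    for ts, feed, summary in ctx["events"]:
        print(ts, feed, summary)
```

With a 30-minute window the query returns the sweep of three ports and the two failed logins that preceded the injection, which is the pre-event activity a trace-back needs; with a five-minute window it returns nothing, a reminder that the look-back depth is itself an investigative choice.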
Overall, today's SIEM is nothing like the SIMs and SEMs of days past. Today's SIEM is a powerhouse of data capture, correlation analysis and reporting.