This is an article of a series on a group of security products known as SIEM: security information and event management. This article introduces SIEM.
You have decided to get a SIEM since you need it in your environment. Vendors will soon present to you on the merits of their SIEM and how their product is superior to the competitions. How do you cut through the jargon and understand whether the product fits your needs? Here are some of the things that different SIEM products perform differently.
This might be harder to measure than you think. Note that there are different types of users in every environment. “Using” the SIEM (i.e. running reports and searches and looking at dashboards requires one level of user). With some SIEMs, the user can simply type in a keyword or an IP address and instantly get query results from days of logs. With others, they may need to learn the syntax of a search query. In some cases the search query syntax can be learned in minutes. In other cases, a really good query may require knowledge of regular expressions which require analysts with technical talent.
Administering the SIEM and creating reports and rules typically requires users with a higher degree of technical knowledge. They also need to find the SIEM friendly to use. In some cases, it is very easy to extract out the results of a search as a report and save the format for later use. In others, it is more complex, with multiple modules needing to be created prior to arriving at the final output. Likewise some SIEMs allow correlation rules to be created with just a series of mouse-clicks from a search output. Some others may not have this functionality.
User-friendliness should be a key criteria when there are no dedicated personnel handling the SIEM. If you have a small security team (or worse, if you have no dedicated security team, this will be a significant criteria).
Some vendors advertise ‘turn-key’ products that can get up and running in minutes. Always take with a pinch of salt any promise of instant security. What these provide are a check in the “do we have a SIEM?” checkbox for people with compliance requirements. Given that, setup time still varies among products. Some vendors will have multiple types of products with differing setup times that are worth considering.
Why do these setup times vary? Often the products may be a ‘starter pack’ with a small subset of features or they may turn out to be not very customisable or extensible. Consider whether the product will also fit your needs a few years on when purchasing something that has a short setup time.
Depending upon the environment and the your initial motivations behind getting a SIEM, your need for storage space may change slightly or drastically over the life of the product. Enterprise-grade products ought to be extensible, either by adding storage to the existing setup or by having another instance of the product software running that can be integrated into the current setup. In some architectures it is possible to run a search from one component on all components in the infrastructure. In some other architectures, a selection of events flow up to a higher level manager where these key events are analysed.
Customisability, along with extensibility, are occasionally antithetical to user-friendliness and setup time. Some products come with a large number of use cases that are effective out of the box, but are not customisable or are hard to customise. Others are used best when they are heavily tailored to the environment and allow a great deal of customisability.
Environments with fewer analysts (or no analysts) may not need the customisability option so much. Security operation centres and large environments will work best when the use cases are tailored. These environments are also more likely to have dedicated personnel who can learn the SIEM thoroughly such that the user-friendliness and intuitiveness of the SIEM is less likely to be a problem.
The above four are criteria that help with evaluating traditional SIEM. The below capabilities are now becoming more relevant and useful in improving the effectiveness of SIEMs.
User behavior analytics
While dealing with ‘events’ generated by devices is key to SIEM functionality, attaching those events to actual flesh and blood users performing actions, legitimate and illegitimate, is of considerable value. Today’s SIEMs either have this capability built in or can add in this capability as an extra module. This should be a part of your consideration especially if you look into insider threat (you absolutely should)!
Artificial intelligence / machine learning / anomaly detection
Different companies will call it by different names. The crux is to go beyond pre-built rules to let the machine analyse normal patterns of behavior and inform the analyst of anomalies. The technology is not foolproof, but this is the future.
Get your vendors to do a proof of concept (POC) so that the SIEM demonstrates its value. Have your technical staff evaluate the product based on the criteria for your environment before you make your decision.
Also check out these resources:
My previous article introducing SIEM
Anton Chuvakin’s blog at Gartner is a great SIEM resource
I am speaking at the CSX 2016 Asia Pacific conference (14-16th November 2016) on SIEM. Check it out: http://www.isaca.org/cyber-conference/csxasia.html