As cyberthreats proliferate and become more dangerous, IT professionals need all the help they can get to protect their organizations. Enter security information and event management (SIEM), an essential tool for analyzing and prioritizing the plethora of event information and security logs that networks generate.
Available from makers such as Check Point, Cisco Systems, Juniper Networks, Novell, RSA and Symantec, SIEM systems help IT react to security incidents quickly, says Jerry Shenk, senior analyst with the SANS Institute. A SIEM collects and correlates events that occur on a network (a user logging on, a database being queried, a router being unplugged), then prioritizes those events according to preset definitions, sifting through millions of log records to report only the critical incidents that require immediate attention. Its reporting capabilities also aid investigations and support regulatory compliance by providing a record of events.
To help flag and manage security events, Boston College chose ArcSight Enterprise Security Manager and ArcSight Logger to identify threats and provide a central repository for logs.
“We were looking for security-specific logging; you can get a lot of information out of server logs or host logs that you can't get out of a network. Especially if you encrypt various data streams in the network, the network device looks at it and says ‘It's encrypted, I can't help,'” says David Escalante, director of computer policy and security at Boston College.
Indeed, the need for SIEM is evident in higher education, says Shenk. “Even very small organizations can generate millions of events a day, and you simply can't read all of those logs,” he says. “People need something to help them process all of that information.”
Escalante adds that it's particularly important to be able to correlate security events as data centers and networks become more complex. “If someone goes to your main website, it's not like they're going to just one server anymore. You can't check one log and say ‘Everything looks fine,'” he says. “SIEM monitors all devices and aggregates the information, so it makes the logs of a multihost website look like a single server. It gives you a more integrated view of what's going on.”
However, in order to reach this level of confidence with a SIEM product, a lot of up-front tuning is required, adds David Bowie, senior information security analyst with Boston College. “ArcSight offers prioritization and categorization, but you have to hone it and tune it according to what your real-life experiences are and what you've seen on your network,” Bowie says. “An example would be teaching it what events you think are top priority.”
[Sidebar statistic; the figure itself is not preserved in this copy] Percentage of respondents at midsize organizations who said detecting and preventing unauthorized access and insider abuse was the top reason to use log management, which is a subset of SIEM. Source: SANS Institute, June 2010.
Once an institution trains its SIEM product to understand the organization's environment and its security priorities, IT staff can spend less time scanning logs and chasing down alerts because SIEM products consolidate that information in order of importance as defined by IT. Shenk says this makes IT staff more productive because they can rely on SIEM to tell them when an event is routine and can be reviewed later – if at all – versus a security incident that requires immediate attention.
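The pipeline described above (Shenk's correlate-then-prioritize model, Escalante's point that a multihost site must be read as one log, and Bowie's point that priorities are tuned by the analyst) can be shown end to end in a few dozen lines. The following is an added example written for this article, not ArcSight, ArcSight Logger or Cisco MARS code; the log lines, host names, source addresses, rule threshold and priority values are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from four hosts (assumed sshd and netfilter
# formats); not real Boston College or VCU data.
RAW_LOGS = [
    "2010-06-01T10:00:01 web1 sshd[812]: Failed password for root from 203.0.113.5 port 51022 ssh2",
    "2010-06-01T10:00:05 web2 sshd[640]: Failed password for root from 203.0.113.5 port 51030 ssh2",
    "2010-06-01T10:00:09 db1 sshd[222]: Failed password for admin from 203.0.113.5 port 51041 ssh2",
    "2010-06-01T10:00:14 web1 sshd[813]: Accepted password for root from 203.0.113.5 port 51055 ssh2",
    "2010-06-01T10:00:20 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=10.0.0.4 PROTO=TCP DPT=23",
    "2010-06-01T10:05:00 web2 sshd[641]: Failed password for alice from 192.0.2.10 port 40000 ssh2",
]

SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                    r"password for (?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<action>DENY|ACCEPT) "
                   r".*SRC=(?P<src>\S+) .*DPT=(?P<dport>\d+)")

# Per-category base priorities: the "preset definitions" an analyst tunes
# to match what matters on their own network (assumed values).
DEFAULT_PRIORITY = {"auth_failure": 2, "auth_success": 1, "fw_deny": 1}
INCIDENT_PRIORITY = {"brute_force": 6, "brute_force_then_success": 9}


def normalize(line):
    """Map one raw line from any source onto a common event schema (None if unknown)."""
    m = SSH_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "src": m["src"],
                "category": "auth_failure" if m["result"] == "Failed" else "auth_success",
                "detail": f"user={m['user']}"}
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "src": m["src"],
                "category": "fw_deny", "detail": f"dport={m['dport']}"}
    return None


def correlate(events, window=timedelta(minutes=2), threshold=3):
    """Rule: >= threshold auth failures from one source within the window, on any
    mix of hosts, is a brute-force incident; a later success from that source
    within the window upgrades it. Returns one incident per offending source."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["category"] == "auth_failure"]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            deadline = burst[-1]["ts"] + window
            success = next((e for e in evs if e["category"] == "auth_success"
                            and first["ts"] <= e["ts"] <= deadline), None)
            incidents.append({
                "kind": "brute_force_then_success" if success else "brute_force",
                "src": src,
                "hosts": sorted({f["host"] for f in burst}),  # multihost view
                "failures": len(burst),
                "success_on": success["host"] if success else None,
            })
            break  # one incident per source is enough for the analyst queue
    return incidents


def rank(raw_lines, priority=None, incident_priority=None):
    """Normalize, correlate, then return a work queue ordered by priority (high first).
    Pass a different priority table to model the tuning step."""
    priority = priority or DEFAULT_PRIORITY
    incident_priority = incident_priority or INCIDENT_PRIORITY
    events = [e for e in map(normalize, raw_lines) if e is not None]
    queue = [(incident_priority[i["kind"]], i["kind"], i) for i in correlate(events)]
    queue += [(priority[e["category"]], e["category"], e) for e in events]
    return sorted(queue, key=lambda item: item[0], reverse=True)


if __name__ == "__main__":
    for prio, kind, item in rank(RAW_LOGS):
        print(prio, kind, item.get("src"), item.get("hosts") or item.get("host"))
```

Three SSH failures on three different hosts from one address, followed by a successful login, surface as a single priority-9 incident at the top of the queue, while the same lines read host by host would be four unremarkable entries. Passing a tuned table (for example raising `fw_deny` because a telnet probe at the border matters on this network) reorders the routine events without touching the correlation rule, which is the kind of honing Bowie describes.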
An Extra Pair of Eyes
Virginia Commonwealth University in Richmond has been using Cisco's Monitoring, Analysis, and Response System (MARS) for a few years to help aggregate information from multiple sources across the network, which currently serves 40,000 to 50,000 users, says Gregory Pendergast, information security analyst for VCU. He currently considers SIEM helpful, but expects the technology to become as essential as firewalls and intrusion detection systems once the university makes fuller use of it.
“In order to defend a network, you must be able to effectively ‘see' what is happening in that network environment,” Pendergast says. “SIEM technologies make that easier by reducing the number of places that you have to look, and reducing the amount of time it takes to find the information you need. When properly tuned, SIEM products can also help bring issues to light that might otherwise get missed.”
Here are some tips for getting the most from security information and event management technology:
- Conduct pre-deployment planning to understand the type and number of sources from which the product will pull information, as well as the anticipated event rate. This will help align expectations.
- Let your institution's needs – not the capabilities of the product – drive deployment.
- Once installed, allow time to tune the SIEM tool so that it reflects which events and information you deem critical versus routine. A 12- to 18-month ramp-up period is typical.
- Teach the product to prioritize events in a way that echoes IT's priorities.
- Conduct occasional fine-tuning to keep up with ever-changing IT environments.
- Update the SIEM system whenever new hardware or software is added to the network.