Let's begin with a recap of the definition of SIEM, SIM & SEM – Security (Information & Event) Management. The parentheses are deliberate – their contents are actually irrelevant when dealing with this definition. IMHO the term was developed to cater for the security vendors and has since been misused, much like many other security acronyms throughout the years: hacker, cracker, etc. SIEM has become a collection of letters that allows a vendor to sell a one-for-all solution to your security monitoring needs – this, as in most cases, is merely a pipe dream making someone out there millions. You may be thinking I have some sort of personal vendetta against security vendors, maybe I do, however I think there are some valid points to be made with regard to one-size-fits-all flashy boxes. SIEM just doesn’t work – when it does, I’ll be the first to get down on my knees and hail the almighty solution to all our problems.
The problem with Security Management is not due to a lack of processing power, a lack of storage or the absence of the latest SIEM product to hit the market. It is a lack of understanding – there is just no “one-size-fits-all” solution to the nightmare that is effective security monitoring. Until management realise this, they will be fighting a losing (yet incredibly expensive) battle. How many of you out there have a SIEM/SIM/SEM box sitting on your network, collecting and correlating your logs, quietly shut away in the corner of your server room never to see the light of day? I estimate a fair number of you can relate to the scenario. SIEM products just don’t cut it as the answer to all our problems that they are sold as – as I am about to explain, they are just another (potentially incredibly powerful) tool to add to your arsenal.
I will now introduce to you Splunk – they will probably frown upon me discussing their product as a SIEM product, however despite whatever marketing jargon they want to use to separate themselves in the market, that’s effectively what it is. Splunk is a fantastic “tool” which can be used to collect, correlate and analyse all of your security (and any other) log data in a manageable, feature-rich environment with an uber-powerful search capability. They, like many other vendors, like to market Splunk as the one tool to suit all your needs; this, in my opinion, is the wrong way to go about marketing a product like this. Let me give you an example.
I, as a security analyst (whilst trying to juggle configuring my firewalls, writing policy documentation and trying to patch and update all my products), am watching my Snort alerts coming through on BASE, Sguil or whatever other platform I use to monitor my sensors, and notice a SQL injection attempt against my backend server from a source within the DMZ. Why don’t I have a sensor on the DMZ outside perimeter, you may ask? Well – I don’t have the budget and thought that if I’m going to put my one and only sensor somewhere, I’d rather it be on my internal perimeter. Anyway, luckily I have Tripwire installed on all my servers and it is forwarding logs via syslog to my Splunk server. Now, Splunk is unable to provide me with the raw event information that BASE or Sguil are able to provide, yet I can use it as a powerful search/correlation tool to give me access to the context information surrounding a particular security event. I can now take the information provided by Sguil/BASE (source, destination and time of the alert) and use it to search through my perimeter firewall logs, proxy logs and Tripwire logs in Splunk, gathering the information I need to understand the context of the attack.
This is where I see the power of SIEM products, not in the sensationalist claims from vendors trying to persuade their clients it is all they need. SIEM can be a fantastically powerful tool for the security analyst when used correctly. Splunk is a great example of this power and, coupled with an intuitive interface, incredibly fast indexing and flexible development options, it is one of the most powerful tools to date.
The Problem With SIEM (and I don’t mean the product…)