SIEM: Keeping Pace With Big Security Data

Transcription

SIEM: Keeping Pace with Big Security Data

HOW INTELLIGENT AND SCALABLE SIEM SOLUTIONS HELP IT SECURITY PROFESSIONALS STAY ON TOP OF AN EVER-EVOLVING, DATA-DRIVEN ENVIRONMENT

Technology today has become synonymous with data. As each new tool enters the enterprise, the sheer volume of information IT organizations deal with compounds. Gartner estimates the amount of data analyzed by enterprise information security organizations will double every year through 2016. This explosion of data and processing adds not only complexity to the business environment, but also a “big security data” challenge that organizations need to address. As security needs and compliance mandates continue to evolve, the need for context, analytics and the time period for which data must be stored becomes more critical.

“Expectations for what security professionals should provide to the enterprise are also changing rapidly because of big data,” explains Trevor Welsh, enterprise solutions architect with McAfee, a leading provider of enterprise-grade security solutions. “Security groups are now expected to be experts in a lot of different types of data, including the inner workings of databases, applications or security of an application stack,” he says. “And now that it’s possible to extract data from

these places in a meaningful way, the thought is that security as a group will be able to utilize this data in an intelligent way to provide guidance back to the business. Security teams are tasked not only with protecting the business, but with providing valuable business intelligence as well.”

As data continues to grow exponentially, the threats facing organizations are evolving as well. Today’s attackers are skilled professionals conducting advanced targeted attacks, meaning prevention alone cannot protect enterprises. “It wasn’t long ago that there were singular bad individuals who wanted to break into big enterprises, cause disruptions and brag,” he says. “However, the scene has changed with advanced persistent threats (APT) and state-sponsored terrorism programs added to the mix. As a result, security professionals are expected to monitor systems as well as parse through mounds of information from various sources to figure out how to best leverage their limited resources.”

One positive aspect of big security data has been the shift in perception around security. “Initially companies did not want to pay for security—not because they didn’t care, but because they deemed security as expensive and non-revenue generating,” says Welsh. “However, the stringency and costs of compliance [for PCI DSS, HIPAA etc.] motivated organizations to make investments and improve the data environment—moving the pendulum towards meeting compliance. Yet, over time as these efforts became more rigorous, companies started to realize that it was cheaper to just become more secure. This was the advent of CSOs becoming more powerful. They were at the table answering to the CIO and doing security for security’s sake.”

❱❱ UNDERSTANDING SIEM

While the volume of information and number of threats continue to grow, it’s clear that traditional log management systems can’t handle big security data. Fortunately, there are proven technologies capable of helping.
The current generation of Security Information and Event Management (SIEM) technology is a prime example. Solving today’s big security data challenge requires evolving from the traditional relational databases and time-based flat file systems that legacy SIEM solutions have leveraged as their core analytic capability.

SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. By definition, SIEM focuses on the capabilities of gathering, analyzing and presenting information from network and security devices; identity and access management applications; vulnerability management and policy compliance tools; operating system, database and application logs; and external threat data. Key areas of focus include monitoring and managing user and service privileges, directory services and other system configuration changes, as well as providing log auditing and review and incident response.

The purpose of SIEM solutions is to accurately compare in a single location all the data collected by a variety of security devices, applications and data sources. Specifically, with SIEM solutions it’s possible to pool together routers, switches, and virtual machines (VMs) and then normalize the data. “As a result, no matter where the data comes from, it all looks the same, and it’s easier to draw comparisons,” Welsh explains. “This capability makes it possible to see, for example, what one IP address did across all of the company firewalls.”

SIEM is also instrumental in categorizing data, which is key considering how many different operating systems operate within today’s evolving environment. “Any time someone logs in, it creates an event. The challenge is that all of these login events look different,” Welsh says. Welsh notes that an effective SIEM solution should be able to understand what a login looks like, regardless of platform.
As a result, if security wants to see all failed log-on activities, the SIEM should have the ability to provide that insight.

❱❱ RECOGNIZING DIFFERENCES

Of course, it’s important to note that not all SIEM solutions are created equal. In fact, many SIEM solutions in place today struggle to collect and manage all the required contextual data. At the same time, the data load and analytics pressure has grown beyond what those data management systems can handle.
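The platform-independent view of login events that Welsh describes under Understanding SIEM, as an added example (not McAfee code): three differently formatted login records, a Linux sshd line, a Windows Security event and a VPN/firewall line, are normalized into one schema so that a single query answers "show me every failed logon". The sample lines, the regexes and the schema field names are constructed for this illustration.

```python
"""Normalize login events from several platforms into one schema, then query
failed logons across all of them. Added illustration; sample events constructed."""
import re
from collections import Counter

# Constructed sample events: (source type, raw log text) as a collector would see them.
SAMPLE_EVENTS = [
    ("linux", "Mar  4 10:01:22 web01 sshd[2121]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2"),
    ("linux", "Mar  4 10:01:30 web01 sshd[2130]: Accepted publickey for deploy from 198.51.100.5 port 50110 ssh2"),
    ("windows", "EventID=4625 Computer=DC01 TargetUserName=jsmith IpAddress=203.0.113.7 Status=0xC000006D"),
    ("windows", "EventID=4624 Computer=DC01 TargetUserName=jsmith IpAddress=10.0.0.8 LogonType=3"),
    ("vpn", "2014-03-04T10:02:01Z fw-edge AUTH user=jsmith src=203.0.113.7 result=FAIL"),
]

# One parser per source format; each yields the same named groups: host, user, ip.
SSHD_RE = re.compile(r"^\S+\s+\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
WIN_RE = re.compile(r"EventID=(?P<id>\d+) Computer=(?P<host>\S+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)")
VPN_RE = re.compile(r"^\S+ (?P<host>\S+) AUTH user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>\w+)")

# Per source: the regex plus a predicate deciding whether the match is a failed logon.
PARSERS = {
    "linux": (SSHD_RE, lambda m: m["outcome"] == "Failed"),
    "windows": (WIN_RE, lambda m: m["id"] == "4625"),   # 4625 = failed, 4624 = successful logon
    "vpn": (VPN_RE, lambda m: m["result"] == "FAIL"),
}

def normalize(source, raw):
    """Map one raw event onto the common schema; None if the line is not a login event."""
    if source not in PARSERS:
        return None
    regex, is_failure = PARSERS[source]
    m = regex.search(raw)
    if m is None:
        return None
    return {
        "category": "authentication",            # same category whatever the platform
        "outcome": "failure" if is_failure(m) else "success",
        "host": m["host"], "user": m["user"], "src_ip": m["ip"],
        "source": source,                        # kept so the analyst can pivot back to the raw log
    }

def failed_logons(events):
    """The query the text asks for: every failed logon, regardless of platform."""
    return [e for e in (normalize(s, r) for s, r in events) if e and e["outcome"] == "failure"]

def failures_by_source_ip(events):
    """What one IP address did across all sources, the comparison normalization enables."""
    return Counter(e["src_ip"] for e in failed_logons(events))
```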

Below are a few key qualities that often serve as differentiators in applications. As such, IT professionals should consider these needs as they evaluate SIEM solutions:

• Usability. SIEM solution workflow and ease of use must be intuitive and effective. SIEM solutions should present security with a dynamic dashboard environment that allows them to quickly drill down into data. For instance, if someone clicks on an incident, the dashboard should light up with the details so you immediately know who is involved, the threats, the systems, geographies, etc. “There is an idea that SIEM needs to be complex or really simple. The truth is, it should be in the middle—it needs to be simple for your use cases. You should be able to meet your requirements after the setup is complete,” Welsh explains. “Of course, SIEM cannot configure itself, so reaching this level will take some work.”

• Speed. The overall speed to recall data should be a key consideration before selecting a SIEM solution. “The recollection of data for a SIEM is crucial whether you are performing an ad hoc or forensics investigation,” says Welsh. “For instance, one of the most crucial components of a SIEM in today’s environment is its ability to run rules at a high speed against all of the data. Considering that data comes in very quickly—up to 10,000 events per second—a SIEM needs to be able to execute and tell the analyst or security group of any issues.”

• Scalability. “Will the SIEM grow with the organization? This is only possible if the solution has distributed correlation, which means the installation can be expanded without a rip and replace,” he says. “Given how fast the business environment is evolving, no one can afford to embrace a solution that cannot grow with the organization.”

• Vendor engagement.
Pay close attention to how many training hours a vendor recommends. Success with SIEM deployments is often closely tied to how many training hours and professional services a company gets relative to the amount recommended by the vendor. “Leverage the vendor to help ensure the organization achieves alignment between goals and actual results,” says Welsh. “You need to make sure you have an ongoing relationship with your vendor if you want to get the most out of the investment.”

An intelligent and effective SIEM solution can help your organization:

• Achieve meaningful situational awareness through rich context and analysis
• Diagnose and respond to incidents in seconds, not hours, to reduce damage, prevent data breaches, and lower remediation costs
• Experience fewer security and compliance incidents and lower per-incident costs
• Simplify compliance policy processes and reporting to improve operational efficiency
• Reduce training time and operational cost

Effective Real-time Security

Effective security starts with real-time visibility into all activity on all systems, networks, databases and applications. McAfee Enterprise Security Manager enables your business with true, real-time situational awareness and the speed and scale required to identify critical threats, respond intelligently and ensure continuous compliance monitoring. Security teams now have access to real-time, risk-relevant information to obtain a stronger security posture while shortening response time. Other features include:

❱❱ Actionable information in minutes instead of hours
❱❱ Massive data collection across a wide range of information sources
❱❱ Real-time threat and risk data integration and event correlation
❱❱ Immediate access to years of event and flow data
❱❱ Monitoring and reporting support against more than 240 regulations
❱❱ Integrated tools for improved security workflow
❱❱ Flexible, hybrid delivery options include physical and virtual appliances

❱❱ FINDING SUCCESS

Beyond solution criteria, an organization’s planned approach to embracing a SIEM solution can play a crucial role in determining the outcome. For instance, it’s important for security professionals to set clear expectations before deploying their SIEM solution. “Success here really starts with building the knowledge base. For instance, it’s useful to read what analysts say because it provides insight into what is happening,” says Welsh. “In addition, talking

with others in your security peer group to learn about actual implementation experiences and use cases can help achieve expectations and allow you to go into the project with achievable goals.”

Early on, Welsh recommends focusing on understanding exactly what a SIEM can do for the business. “SIEM is not a magical black box that you set and forget. Instead, a SIEM is an integral part of your security operations. The most successful deployments occur when IT involves several groups (e.g. compliance, OS, desktop support, networking, etc.) within the process,” he says. “Involvement from the early stages is instrumental in securing buy-in and provides varied and insightful input, resulting in a better end product.”

While many see big data as a challenge to SIEM, Welsh sees its presence within the organization as a welcome partner. “Big data can provide increasingly larger amounts of intelligence to SIEM, meaning SIEMs have proportionally more opportunity to gain insight and improve understanding of how critical network assets are being utilized and by whom,” he says.

Success with SIEM

Operating within an industry known for its massive amounts of data and rigorous compliance demands, an effectively deployed SIEM solution is instrumental for Edward Pardo, CISSP, senior IT security engineer with the Roswell Park Cancer Institute located in Buffalo, NY.

“Having the ability to look at events across the entire environment versus a system at a time is crucial today,” says Pardo. “It’s a SIEM that makes it possible to gain access to the goldmine of data that otherwise is ignored.”

Properly implemented, a high-value SIEM solution provides visibility to all the connected systems. “There are a lot of times where we use the system to gain a new perspective as to what is going on. For instance, you can get tunnel vision looking at some of the point solutions and the data they put out,” he says.
“SIEM allows you to put everything together, look at it from every angle and verify that existing management tools are actually doing what they are supposed to be doing.”

According to Pardo, the key to success is to get the business and management actively involved from the beginning. “Early involvement helps answer why we are doing this and gets the teams onboard that you are going to connect to the system. Without the big picture, they may see it as duplication of efforts,” he says. “However, SIEM is more like glue that holds everything together. It is the way to truly build IT intelligence. If you look at a lot of the business intelligence architecture, it is heavily dependent upon IT. Having a wide range of people on board with the project in advance simplifies the entire process.”

Pardo also recommends taking the time to do it right. This includes building an accurate inventory of the architecture and infrastructure already in place as well as a solid understanding of the organization’s end goal in embracing a SIEM.

“If you want to get the most out of a SIEM, you need to realize that it is not a black and white project. There are a lot of questions to address along the way: What is the analysis? How much data am I actually bringing in? What are we hoping to do with it?” Pardo says. “It is a situation where until you have a true understanding of your environment, it’s difficult to understand the true areas of concern. Plus, you don’t want to put yourself in a position where you are bringing too much data in too fast. You will end up swamped and will realize that too much of the material you are bringing in is garbage.”

ADDITIONAL READING

McAfee updates business security management tools

ADDS REAL-TIME QUERYING CAPABILITIES TO MCAFEE EPO AND ENABLES SIEM TO AUTOMATE SECURITY RESPONSE TO SUSPICIOUS EVENTS

This article originally appeared in Computerworld, February 2013.

McAfee is enhancing its business security platform by adding near real-time querying capabilities to its ePolicy Orchestrator (ePO) software and by integrating it with its security information and event management (SIEM) product to automatically initiate endpoint security policy changes.

The ePolicy Orchestrator software is the core of McAfee’s Security Connected framework and strategy, which aims to have all security products used in a business environment working together and sharing information. It is a central security management software that lets businesses gather data from endpoint systems, update and deploy configurations, initiate endpoint and network security policies, and interact with other security products, not only from McAfee, but also from other vendors in the McAfee Security Innovation Alliance.

Managing tens or hundreds of thousands of endpoint systems in an enterprise environment can be a time-intensive task. In order to reduce the time penalty, McAfee launched McAfee Real Time for ePO, a technology that reduces query time to seconds and allows businesses to get information from products installed on endpoint systems and investigate possible security events much faster.

“For example, if I want to know if all files are up to date on endpoint systems or some information about registry, I can get that in seconds with Real Time for ePO and with very light load on the network at the same time,” said Gretchen Hellman, director of product marketing for SIEM at McAfee.
That’s thanks to a new communication mechanism that uses a chaining query method where, instead of querying each endpoint individually, the server sends out a single request that gets passed around in a peer-to-peer fashion, she said.

The performance improvement will vary depending on the network environment, Hellman said. “On small networks, such operations can now be performed 10 times faster, but on really large networks the performance improvement can be up to 1,000 times,” she said.

The second platform enhancement that McAfee announced was the integration of its SIEM product, the McAfee Enterprise Security Manager, with ePO, McAfee Vulnerability Manager and the McAfee Network Security Platform.

The SIEM already uses McAfee’s Global Threat Intelligence feed, which contains information about malicious resources such as websites, domains and file servers. This allows the product to analyze logs and event data collected from endpoints and alert the system administrator of any suspicious communication with a potential bad actor.

The new SIEM enhancements also enable the product to automatically take action based on predefined rules.
For example, when the SIEM sees potential interaction with a bad actor it can automatically initiate a scan on the affected endpoint to see if there’s malware running on it, or can instruct the McAfee Network Security Platform to immediately block the suspicious communication, Hellman said. It can also tell ePO to make policy changes and tag the system for additional investigation.

“What the SIEM actually does now is take intelligence and turn it into intelligent action,” Hellman said.

These enhancements are part of McAfee’s Security Connected strategy to focus its efforts on achieving greater integration between its own products and the products of its partners.
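Added example, not McAfee's code, of the "intelligence into intelligent action" behaviour the article describes: predefined rules run over already-normalized events, one matching destinations against a constructed stand-in for a reputation feed and one correlating failed logons from a single source across several hosts, and each emits the kind of response the article lists (scan the endpoint, block the peer, tag for investigation). The threat list, the event schema and the action names are all constructed for this illustration.

```python
"""Predefined correlation rules that turn matched events into response actions.
Added illustration; the feed, events, rule and action names are constructed."""
from collections import defaultdict

# Constructed stand-in for a reputation feed of known-bad addresses (TEST-NET-1 range).
THREAT_FEED = {"192.0.2.66"}

# Constructed, already-normalized events in this example's own schema.
EVENTS = [
    {"category": "network", "host": "lt-042", "src_ip": "10.0.0.42", "dst_ip": "192.0.2.66", "dst_port": 443},
    {"category": "network", "host": "lt-043", "src_ip": "10.0.0.43", "dst_ip": "93.184.216.34", "dst_port": 443},
    {"category": "authentication", "outcome": "failure", "host": "web01", "src_ip": "203.0.113.7", "user": "admin"},
    {"category": "authentication", "outcome": "failure", "host": "dc01", "src_ip": "203.0.113.7", "user": "jsmith"},
    {"category": "authentication", "outcome": "failure", "host": "fw-edge", "src_ip": "203.0.113.7", "user": "jsmith"},
    {"category": "authentication", "outcome": "failure", "host": "web01", "src_ip": "198.51.100.5", "user": "deploy"},
]

def rule_bad_actor_contact(events, threat_feed):
    """Any flow to a reputation-listed address: scan the endpoint, block the peer, tag the host.
    Mirrors the scan / block / tag responses the article attributes to the SIEM integration."""
    actions = []
    for e in events:
        if e["category"] == "network" and e["dst_ip"] in threat_feed:
            actions += [("scan_endpoint", e["host"]),
                        ("block_ip", e["dst_ip"]),
                        ("tag_for_investigation", e["host"])]
    return actions

def rule_spray_across_hosts(events, min_failures=3, min_hosts=2):
    """One source IP failing logons on several different systems: visible only when events
    from every platform sit in one place, which is the point of normalization."""
    per_ip = defaultdict(list)
    for e in events:
        if e["category"] == "authentication" and e["outcome"] == "failure":
            per_ip[e["src_ip"]].append(e["host"])
    return [("flag_source_ip", ip) for ip, hosts in sorted(per_ip.items())
            if len(hosts) >= min_failures and len(set(hosts)) >= min_hosts]

def evaluate_rules(events, threat_feed=THREAT_FEED):
    """Run every predefined rule over the event set and return the actions in rule order.
    A real deployment would hand each tuple to the responsible product (endpoint manager,
    network sensor, ticketing); here they are simply returned."""
    return rule_bad_actor_contact(events, threat_feed) + rule_spray_across_hosts(events)
```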

ADDITIONAL READING

The Big Security Data Challenge

MAKE SIEM WORK FOR YOU

Big Data is not only a challenge for customer-facing organizations—but for security teams as well. Over the past decade, the demand for stronger security has driven the collection and analysis of increasingly larger amounts of event and security contextual data. SIEM has long been the core tool that security teams have depended on to manage and process this information. However, as security data volume has grown, relational and time-indexed databases that support SIEM are struggling under the event and analytics load. Legacy SIEM systems have raised doubts about the potential success of SIEM implementations due to their slow performance, inability to manage data effectively, and the extremely high costs associated with scaling.

While SIEM initially was adopted by security-conscious industries—such as large financial services and government—broad adoption did not take off as a viable market until the mid-2000s, when Sarbanes Oxley audit became a reality. Overnight, event management was a core component of the “control framework” in Sarbanes Oxley section 404, and internal and external auditors were requiring it. Sarbanes Oxley was quickly followed by PCI DSS for retail organizations and credit card processors, which introduced log review requirements to pass an audit, inspiring many to turn to SIEM for its promises of automation. And then the regulatory explosion began. The SIEM market exploded along with it—into a billion dollar market.

❱❱ BIG SECURITY DATA

Why security data has become a Big Data problem is obvious for anyone who has tried to manage a legacy SIEM, particularly when you look at the definition of Big Data. Big Data consists of data sets that grow so large that they become awkward to work with using existing database management tools.
Challenges include capture, storage, search, sharing, analytics, and visualization.

Compliance not only increased SIEM adoption but also led to a flood of additional security instrumentation and increased logging levels. This simultaneously increased the flood of data SIEM now had to manage and further stretched analytic capabilities. Legacy SIEM systems had always struggled to manage any increases in volume and correlation of security data. This dramatic growth in data and correlation requirements further revealed the inherent scale and analytic limitations that these SIEM solutions faced.

With this in mind, it’s easy to see t
