The Seven Deadly Sins of SIEM

Target’s security breach is a parable that continues to unfold daily, and it has drawn all of us in as interested readers: companies that process transactions, vendors who provide security solutions, and customers wondering how to protect themselves from fraud.

As a provider of security information and event management (SIEM) software, AccelOps believes that traditional SIEM solutions are falling short. There is no “one size fits all” approach to securing every network, but the following seven deadly sins of current SIEMs must be addressed before a SIEM can effectively protect the data of the modern enterprise.

Deadly Sin #1: Client/Server Based Log Management Doesn’t Scale

SIEM log management is typically built on a client/server architecture: a collection client per source gathers the data and normalizes its particular log format before shipping it to the server. The formats differ widely. Windows event logs are stored in a proprietary format; network devices send syslog messages that share the same RFC framing but whose message content varies from vendor to vendor; database audit logs are a mix of table data and file audit data.

Putting a client in front of each of these sources was an immediate fix, but managing many log formats, and the fleet of clients that parse them, in a big data world has become unwieldy.

As an industry, we would all benefit from an RFC or other standard for log collection that does not require clients, does not need per-source special formatting, and is not taxing in terms of processing. Once data is collected in a standard format and categorized properly, storage, indexing and retrieval all become easier.

The savior: Standardize data set formats and store them in a centralized data structure.
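Sin #1 argues for mapping every source into one schema at collection time. The Python example below is added here to show what that normalization looks like; it is not code from the original post or from any AccelOps product. It parses three constructed records: a firewall deny line in RFC 5424 syslog framing (the key=value message body is this example's own convention, not a vendor format), a Windows Security logon-failure event as an agent might export it in JSON, and a CSV database audit row. The schema field names are an assumption chosen for illustration.

```python
import json
import re
from datetime import datetime, timezone

# The common schema every source is mapped into. The field names are this
# example's own choice (an assumption, not a standard), picked to answer
# who / what / where / when / outcome for any event type.
SCHEMA = ("ts", "source_type", "host", "category", "user", "src_ip", "action", "outcome")

# --- Constructed sample records (not real logs) -----------------------------
# RFC 5424 framing: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG.
# The key=value body is this example's own convention, not a vendor format.
SYSLOG_LINE = ("<134>1 2024-03-01T12:00:05Z fw01 fwd - - - "
               "DENY proto=tcp src=203.0.113.7:51234 dst=10.0.0.5:443 iface=outside")

# A Windows Security event 4625 (failed logon) as an agent might export it.
WINDOWS_EVENT = json.dumps({
    "TimeCreated": "2024-03-01T12:00:06Z", "Computer": "dc01.corp.example",
    "EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.9", "LogonType": 3})

# A database audit row: time, host, user, client ip, statement, object, result.
DB_AUDIT_LINE = "2024-03-01T12:00:07Z,auditdb01,alice,10.0.0.9,SELECT,customers,SUCCESS"

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_ts(text):
    """Normalize the ISO-8601 timestamps used by the samples to aware UTC."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def from_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not RFC 5424 framing: %r" % line)
    msg = m.group("msg")
    kv = dict(KV_RE.findall(msg))
    action = msg.split(" ", 1)[0].lower()            # leading verb: deny / allow
    src = kv.get("src", "")
    return {"ts": parse_ts(m.group("ts")), "source_type": "firewall", "host": m.group("host"),
            "category": "network", "user": None,
            "src_ip": src.rsplit(":", 1)[0] if src else None,
            "action": action, "outcome": "blocked" if action == "deny" else "allowed"}


def from_windows(raw):
    ev = json.loads(raw)
    # Windows Security log: 4624 = successful logon, 4625 = failed logon.
    outcome = {4624: "success", 4625: "failure"}.get(ev["EventID"], "unknown")
    return {"ts": parse_ts(ev["TimeCreated"]), "source_type": "windows", "host": ev["Computer"],
            "category": "authentication", "user": ev.get("TargetUserName"),
            "src_ip": ev.get("IpAddress"), "action": "logon", "outcome": outcome}


def from_db_audit(line):
    ts, host, user, ip, stmt, obj, result = line.split(",")
    return {"ts": parse_ts(ts), "source_type": "database", "host": host,
            "category": "data_access", "user": user, "src_ip": ip,
            "action": "%s %s" % (stmt.lower(), obj), "outcome": result.lower()}


PARSERS = {"syslog": from_syslog, "windows": from_windows, "db": from_db_audit}


def normalize(source_type, raw):
    event = PARSERS[source_type](raw)
    if tuple(event) != SCHEMA:                         # every parser must emit the full schema
        raise ValueError("parser for %s violated the schema" % source_type)
    return event


def normalize_all(records):
    """records: iterable of (source_type, raw). Returns events ordered by time."""
    return sorted((normalize(t, r) for t, r in records), key=lambda e: e["ts"])


if __name__ == "__main__":
    for e in normalize_all([("db", DB_AUDIT_LINE), ("syslog", SYSLOG_LINE), ("windows", WINDOWS_EVENT)]):
        print(e["ts"].isoformat(), e["source_type"], e["category"], e["user"],
              e["src_ip"], e["action"], e["outcome"])
```

The schema check in `normalize` is the part that pays off later: once every parser is forced to emit the same fields in the same order, a single index and a single query answer "what did alice do from 10.0.0.9?" across the firewall, the domain controller and the database, which is exactly the cross-source view the rest of this post asks for.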

Deadly Sin #2: Rules-Based Only Analytics

Rules require frequent human modification to remain effective: you set up a rule, test it, and then tweak it as necessary, and a separate rule must be written for each situation you want to monitor. By contrast, machine learning continuously analyzes data inputs across your network to learn what is normal and what is not. Alerts, reports and notifications can then be generated to keep you informed about what needs your attention or action.

Because new applications, devices and event types are constantly being added, rules and reports need dynamic updates rather than periodic hand edits.

Savior: Add machine-learning capabilities to SIEM.
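To make the contrast between a hand-tuned rule and a learned baseline concrete, here is an added Python example (not from the original post or any AccelOps code) that runs both over constructed hourly failed-logon counts. The thresholds, the minimum history of 24 hours and the user names are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

STATIC_THRESHOLD = 20     # the hand-tuned rule: alert on >= 20 failed logons in an hour
SIGMA = 3.0               # learned rule: alert when the count exceeds mean + 3 standard deviations
MIN_STDEV = 1.0           # floor, so a very regular history still tolerates small jitter
MIN_COUNT = 5             # never alert on tiny absolute counts, however "unusual"
MIN_HISTORY = 24          # hours of history needed before a profile is trusted


def static_rule(count):
    return count >= STATIC_THRESHOLD


class Baseline:
    """Per-user profile of hourly failed-logon counts, learned from what has been seen."""

    def __init__(self):
        self.history = defaultdict(list)

    def learn(self, user, count):
        self.history[user].append(count)

    def profile(self, user):
        h = self.history.get(user)
        if not h or len(h) < MIN_HISTORY:
            return None
        return mean(h), max(pstdev(h), MIN_STDEV)

    def is_anomalous(self, user, count):
        p = self.profile(user)
        if p is None:                 # no profile yet: fall back to the static rule
            return static_rule(count)
        mu, sd = p
        return count >= MIN_COUNT and count > mu + SIGMA * sd


# Constructed history (7 days x 24 hourly counts per user); not real data.
HISTORY = {
    "svc_backup": [28 if h % 2 else 32 for h in range(168)],    # noisy service account
    "alice":      [1 if h % 6 == 0 else 0 for h in range(168)],  # an ordinary user
}


def evaluate(observations, history=HISTORY):
    """observations: {user: count for the current hour}. Returns {user: (static_fired, baseline_fired)}."""
    bl = Baseline()
    for user, counts in history.items():
        for c in counts:
            bl.learn(user, c)
    return {u: (static_rule(c), bl.is_anomalous(u, c)) for u, c in observations.items()}


if __name__ == "__main__":
    now = {"svc_backup": 31, "alice": 12, "newhire": 7}
    for user, (s, b) in evaluate(now).items():
        print("%-11s count=%3d static_rule=%-5s baseline=%s" % (user, now[user], s, b))
```

Run it and the two failure modes of a static rule show up side by side: the service account trips the 20-per-hour rule every single hour (alert fatigue), while alice's 12 failures never reach the static threshold yet sit far outside her learned profile. The example keeps a static fallback and absolute floors on purpose: a learned baseline can be taught a new "normal" by a slow ramp, so a few hard limits belong alongside it rather than being replaced by it.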

Deadly Sin #3: Creating Events, Not Just Analyzing Them

SIEM solutions frequently attempt to be everything a CISO could want, including tools that create events, such as intrusion detection and prevention. The real value of a SIEM is to aggregate, analyze and act on data from various sources, not to create it.

A SIEM should bring context to the individual events happening in your network (the who, what, where, when, why and how) and fill in the gaps with other known information sources. The result is a complete view of your network activity rather than a set of isolated data feeds.

Savior: Focus SIEM on being the brains of the network, not the arms and legs.

Deadly Sin #4: Processing Only Security Data to Determine Security Issues

Traditionally, SIEMs analyze only security data. However, today’s SIEMs can receive a variety of non-security information, such as performance and availability data, which is valuable for establishing performance baselines.

For example, if a DDoS attack against your firewall begins, you might not detect it right away. Most organizations do not examine who is being denied on the outside interface of the firewall, so they do not know who is knocking at the organization’s virtual door. The firewall might be powerful enough to keep up with the attack, but you are still under attack.

If you limit your analysis to security data and overlook network performance anomalies, you might not diagnose the problem until the firewall is overwhelmed and no longer processing any requests.

Savior: Cross-correlate relevant security, performance and availability data to detect potential problems before they become material.
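The firewall scenario above can be written as a cross-correlation over two feeds. The Python example below is added here and is not from the original post or any AccelOps product; it constructs both feeds (per-minute deny lines on the outside interface and CPU samples from the same firewall), buckets them by minute, and reports how many minutes of warning the deny-rate signal gives before the CPU signal. The deny-line format, the 10x spike factor and the 80% CPU limit are assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
# Deny lines in this example's own constructed format; only outside-interface denies count.
DENY_RE = re.compile(r"^(?P<ts>\S+) fw01 DENY .* iface=outside$")


def build_samples():
    """Construct both feeds: the deny rate jumps at minute 10, the CPU saturates only at minute 15."""
    denies_per_min = {m: 3 for m in range(10)}                   # quiet: ~3 denies/min
    denies_per_min.update({m: 60 for m in range(10, 15)})       # flood starts, firewall copes
    denies_per_min.update({m: 200 for m in range(15, 18)})      # firewall saturating
    cpu_per_min = {**{m: 20 for m in range(10)},
                   **{m: 45 for m in range(10, 15)},
                   **{m: 92 for m in range(15, 18)}}
    deny_log, cpu_samples = [], []
    for m, n in denies_per_min.items():
        for i in range(n):
            ts = (T0 + timedelta(minutes=m, seconds=i % 60)).isoformat()
            deny_log.append("%s fw01 DENY proto=tcp src=198.51.100.%d:%d dst=203.0.113.10:443 iface=outside"
                            % (ts, i % 250 + 1, 40000 + i))
        cpu_samples.append(((T0 + timedelta(minutes=m)).isoformat(), cpu_per_min[m]))
    return deny_log, cpu_samples


def minute_bucket(iso_ts):
    return datetime.fromisoformat(iso_ts).replace(second=0, microsecond=0)


def correlate(deny_log, cpu_samples, learn_minutes=10, spike_factor=10, cpu_limit=80):
    """Join both feeds on minute buckets and label each minute."""
    denies = Counter()
    for line in deny_log:
        m = DENY_RE.match(line)
        if m:
            denies[minute_bucket(m.group("ts"))] += 1
    cpu = {minute_bucket(ts): pct for ts, pct in cpu_samples}
    minutes = sorted(set(denies) | set(cpu))
    learn = minutes[:learn_minutes]          # baseline = mean deny rate of the (assumed quiet) first minutes
    baseline = max(sum(denies[m] for m in learn) / len(learn), 1.0)
    timeline = []
    for m in minutes:
        if cpu.get(m, 0) >= cpu_limit:
            state = "overwhelmed"        # what a performance-only view sees, too late
        elif denies[m] >= spike_factor * baseline:
            state = "attack_early"       # flood visible on the outside interface, firewall still healthy
        else:
            state = "normal"
        timeline.append((m, denies[m], cpu.get(m), state))
    return timeline


def lead_time(timeline):
    """Minutes of warning the deny-rate signal gives before the CPU signal, or None."""
    first_early = next((m for m, _, _, s in timeline if s == "attack_early"), None)
    first_over = next((m for m, _, _, s in timeline if s == "overwhelmed"), None)
    if first_early is None or first_over is None:
        return None
    return int((first_over - first_early).total_seconds() // 60)


if __name__ == "__main__":
    log, cpu = build_samples()
    tl = correlate(log, cpu)
    for m, d, c, s in tl:
        print(m.strftime("%H:%M"), "denies=%4d cpu=%3d%% %s" % (d, c, s))
    print("warning lead time: %s minutes" % lead_time(tl))
```

Neither feed is sufficient alone: the deny counter on its own says nothing about whether the firewall is coping, and the CPU gauge on its own only fires once the box is already saturated. Joined on the minute bucket, the five minutes between the two states are the window in which upstream filtering can still be arranged.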

Deadly Sin #5: Reporting on Post-Processing Analysis of SIEM Data

You want to move beyond knowing “What just happened?” to knowing “What’s happening now?” Today’s SIEM should provide real-time analytics across your entire cloud – public, private and hybrid – not just reports over historical data. By monitoring network services and traffic through network flows and firewall logs, you can see anomalies in your network as they occur.

Savior: Use real-time analytics to proactively secure your network.

Deadly Sin #6: Responding Passively to Security Threats

Today’s SIEMs respond to rules that are set, watched and tweaked by hand. The real value of a SIEM emerges when the system can respond to threats without human interaction, such as sending an alert or opening a ticket through basic ITIL service management integration out of the box. Many SIEM rules are simple, become repetitive over time, and can be automated into a workflow. The system should also be capable of becoming self-sufficient, taking corrective (or offensive) action on its own by working with the enterprise’s existing change and configuration management tools. Automated action needs guardrails, though: a confidence threshold below which a human decides, exclusion lists for internal and partner addresses, and a cap on automatic actions per time window, so that a noisy rule or a mis-learned baseline cannot turn the SIEM into a self-inflicted outage.

Savior: Use machine learning and workflows to actively respond to threats.
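An automated response workflow of the kind Sin #6 describes, with the guardrails a practitioner would insist on, as an added Python example that is not from the original post or any AccelOps product. The "block" action here only produces a change-request record of the sort that would be handed to a change management tool; it makes no firewall call. The never-block ranges, the confidence threshold and the per-window budget are assumed values.

```python
import ipaddress
from collections import deque
from datetime import datetime, timedelta, timezone

# Ranges an automated workflow must never block, however confident the alert:
# internal space plus a constructed partner range. Assumed values for this example.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]
AUTO_CONFIDENCE = 0.9            # below this, escalate to a human
MAX_AUTO_BLOCKS = 5              # automatic blocks allowed per window
WINDOW = timedelta(minutes=10)
DEMO_START = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)


class ManualClock:
    """Deterministic clock so the workflow can be exercised offline."""
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, **delta):
        self.now += timedelta(**delta)


class Responder:
    def __init__(self, clock=None):
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.recent = deque()        # timestamps of automatic blocks
        self.audit = []              # every decision, for later review

    def _auto_blocks_in_window(self, now):
        while self.recent and now - self.recent[0] > WINDOW:
            self.recent.popleft()
        return len(self.recent)

    def decide(self, alert):
        """alert: {"rule": str, "src_ip": str, "confidence": float}. Returns the decision record."""
        now = self.clock()
        ip = ipaddress.ip_address(alert["src_ip"])
        if any(ip in net for net in NEVER_BLOCK):
            action, reason = "escalate", "source is in a never-block range"
        elif alert["confidence"] < AUTO_CONFIDENCE:
            action, reason = "escalate", "confidence below automatic threshold"
        elif self._auto_blocks_in_window(now) >= MAX_AUTO_BLOCKS:
            action, reason = "escalate", "automatic block budget exhausted; possible false-positive storm"
        else:
            # Hypothetical hand-off to change management: a request record, not a live firewall call.
            action, reason = "block", "change request: deny %s/32 inbound, expires in 24h" % ip
            self.recent.append(now)
        record = {"ts": now, "rule": alert["rule"], "src_ip": str(ip), "action": action, "reason": reason}
        self.audit.append(record)
        return record


if __name__ == "__main__":
    clock = ManualClock(DEMO_START)
    r = Responder(clock)
    alerts = [{"rule": "port-scan", "src_ip": "10.1.2.3", "confidence": 0.99},
              {"rule": "port-scan", "src_ip": "203.0.113.7", "confidence": 0.5}]
    alerts += [{"rule": "port-scan", "src_ip": "203.0.113.%d" % i, "confidence": 0.95} for i in range(10, 17)]
    for a in alerts:
        d = r.decide(a)
        print(d["src_ip"], d["action"], "-", d["reason"])
    clock.advance(minutes=11)
    print(r.decide(alerts[-1])["action"], "after the window resets")
```

The budget check is the one most often left out. A rule that misfires on a busy morning, or a baseline that learned the wrong normal, will generate dozens of confident alerts in minutes; without a cap, the workflow faithfully converts each one into a firewall change, and the SIEM becomes the outage. Escalating the overflow to a person, with the audit trail intact, keeps the automation where it earns its keep: the repetitive, high-confidence cases.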

Deadly Sin #7: Heavy Reporting Dashboards Are Not Optimized for Mobile Devices

SIEM management consoles are “code heavy” on the front end and “CPU heavy” on the back end. The result is that dashboards render slowly and cannot show real-time results. Furthermore, the dashboards are too complicated and detailed for an IT professional whose device of choice is an iPhone. SIEMs need to use rules and machine learning to eliminate network noise and show real-time results, and their dashboards should be graphically driven and responsive on mobile devices.

Savior: Lighten up reporting dashboards and make them look great on a mobile device, which is the preferred device for security professionals.

Authors

Marta Stone


Tags

cloud security, big data, RSA, analytics, compliance, Q&A, PCI DSS, HIPAA, Sarbanes Oxley (SOX), Target breach

About Accelops

AccelOps provides the leading IT operations analytics platform for the modern data center. The virtual appliance software monitors security, performance and compliance in cloud and virtualized infrastructures – all from a single screen.