Next gen Log Management is no longer a visionary concept – Network World Blog

Posted on: July 1st, 2010 by AccelOps No Comments

Jon Oltsik of Network World wrote an insightful blog entry on “Next Generation Log Management” and highlighted the need for the traditional SIEM / logging vendors to go beyond conventional log management capabilities to enable real actionable intelligence and effective forensics.

Jon specifically speaks about adding these features into SIEM products to make data more useful:

1. consolidation of logs and network flows
2. adding automatic geo location awareness into the correlation
3. providing deeper granular visibility and visual tools

Putting log and flow data in context is critical, and how vendors do this varies greatly. More so, how easy it is to access, search/analyze and retain the raw and correlated data is where the rubber meets the road.

Regarding location awareness features, it’s also important to show the location of not just the external IPs, but also to track the user and location of internal IP addresses. In a larger sense, user identity and location involves associating a network identity (e.g. IP address, MAC address) to a user identity (e.g. user name, computer name, domain) and to a location (e.g. wired switch port, wireless LAN controller or VPN gateway). SIEMs should auto-resolve true identity, not just the identity reported in the log. For external IPs, the AccelOps solution also includes lookups from the SANS Storm Center, Cisco SenderBase reputation, and the Honeypot database for any external IP.
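To make the identity-resolution idea concrete, here is an added example (not AccelOps code) that joins an event’s IP address, at the time the event occurred, against constructed DHCP lease, domain logon, switch MAC table, WLAN controller and VPN session records, so that an IP that was reassigned is attributed to the right user and port. All record sources and values are assumptions built for the example.

```python
# Constructed sample records (not real data); timestamps are epoch seconds.
# DHCP lease events: (lease_start, ip, mac, hostname, domain)
DHCP_LEASES = [
    (1000, "10.1.5.23", "00:11:22:33:44:55", "WS-ALICE", "CORP"),
    (2000, "10.1.5.23", "66:77:88:99:aa:bb", "WS-BOB", "CORP"),  # same IP reassigned
    (1200, "10.1.6.40", "de:ad:be:ef:00:01", "LT-DAVE", "CORP"),
]
# Domain controller logon events: (logon_time, user, ip)
LOGONS = [(1100, "alice", "10.1.5.23"), (2100, "bob", "10.1.5.23"), (1250, "dave", "10.1.6.40")]
# VPN gateway sessions: (session_start, user, assigned_ip, gateway)
VPN_SESSIONS = [(1500, "carol", "172.16.9.4", "vpn-gw1")]
# Location sources keyed by MAC: wired switch CAM table and wireless LAN controller
SWITCH_MAC_TABLE = {"00:11:22:33:44:55": "sw-floor2 Gi1/0/7",
                    "66:77:88:99:aa:bb": "sw-floor2 Gi1/0/12"}
WLC_CLIENTS = {"de:ad:be:ef:00:01": "wlc1 AP-lobby"}


def latest(records, ts, key_idx, key):
    """Most recent record whose field key_idx equals key and whose time is <= ts."""
    hits = [r for r in records if r[key_idx] == key and r[0] <= ts]
    return max(hits, key=lambda r: r[0]) if hits else None


def resolve_identity(ip: str, ts: int) -> dict:
    """Map a network identity (ip at time ts) to user, host, domain and location."""
    result = {"ip": ip, "mac": None, "host": None, "domain": None,
              "user": None, "location": None}
    vpn = latest(VPN_SESSIONS, ts, 2, ip)
    if vpn:  # VPN-assigned address: the gateway session is authoritative
        result.update(user=vpn[1], location=vpn[3])
        return result
    lease = latest(DHCP_LEASES, ts, 1, ip)
    if lease is None:
        return result
    mac = lease[2]
    result.update(mac=mac, host=lease[3], domain=lease[4])
    logon = latest(LOGONS, ts, 2, ip)
    # A logon older than the current lease belongs to the previous holder of the
    # IP, so it is discarded rather than attributed to the new host.
    if logon and logon[0] >= lease[0]:
        result["user"] = logon[1]
    result["location"] = SWITCH_MAC_TABLE.get(mac) or WLC_CLIENTS.get(mac)
    return result


if __name__ == "__main__":
    for ip, ts in [("10.1.5.23", 1200), ("10.1.5.23", 2050), ("10.1.5.23", 2500),
                   ("10.1.6.40", 1300), ("172.16.9.4", 1600)]:
        print(resolve_identity(ip, ts))
```

The second query (10.1.5.23 at 2050) shows the stale-logon case: the lease already belongs to WS-BOB but no logon has been seen since, so the user is left unresolved instead of being wrongly reported as alice.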

Visibility and granularity (and analytics) must evolve beyond alerts and reams of syslogs so that the infosec professional can be more efficient and effective – reducing the time and effort to obtain and analyze data from many data sources and IT functional domains.

In addition to the above features, in order to provide a true single pane of glass, a next generation product should consolidate and correlate security/log/netflow events with performance, availability, virtualization and configuration change metrics and events (not to mention having the means to prioritize based on business impact beyond event severity).

It is time to go beyond conventional SIEM/logging – breaking away from siloed tools – by having a unified platform and console that empowers security professionals (and the IT organization) to eliminate extraneous operational noise, resolve problems faster, conduct investigations more efficiently, enable better collaboration, and support SLAs.

From a larger perspective, it’s time to consolidate the NOCs with SOCs and provide a true integrated monitoring tool for data centers and IT organizations.

In previous blogs, we have stressed the importance of security and network operations converging, along with the need to move away from the siloed approach that current SIEM tools have taken up to this point.
