Why SIEM Appliances Are So 8-Track Tape
Not unlike the 8-track tape or tube television, today’s network infrastructure—and the legacy equipment that supports it—is facing a transformation unlike anything we have seen in history. The global digital transformation trend, the need to reduce IT costs and the proliferation of IoT endpoints are driving market demand for virtualized or software-driven appliances.
According to Gartner, the Internet of Things (IoT) will move towards the mainstream in 2016. With this trend, enterprises will be exposed to new forms of incoming data and external connections that can potentially create pinholes in existing network security environments. Meanwhile, network and security operations teams are struggling to gain visibility into the landscape while attempting to manage and secure any number of moving endpoints and analyze trends and anomalies in real time – a monumental challenge, to say the least.
Part One of this two-part article will look at the state of the SIEM market and parameters to consider before selecting a SIEM solution for your network.
Not All SIEM Solutions Are Alike
In order to stay ahead of these massive shifts in technology, network and security operation teams are using multiple monitoring programs, each with their own unique user interface, programmed to monitor one appliance or another. This trend has also introduced a variety of Security Information and Event Management (SIEM) vendors in the past several years.
When comparing SIEM solutions, there are many factors to consider, particularly when faced with the proliferation of virtual networks into today’s enterprise environments. There are many claims made by these SIEM vendors today. However, when you take a closer look, or worse, install the solution and train your staff, you may find that your SIEM solution is not providing you with the capabilities you need in your current or future environment.
When exploring your SIEM options, take a hard look at key capabilities before deciding on and installing any solution. Explore all the variables and limitations of each product to help you determine the best solution for your environment. Finally, be sure to include both network and security ops teams in the decision to insure key stakeholders’ needs are considered. Doing so will result in a consolidated, comprehensive approach that will encourage these key teams to work together in the future.
Architecture and Scalability
Regardless of your network environment, virtual or physical, offsite or in the Cloud, SIEM solutions must be flexible, scalable and cloud-ready to meet your current needs and set you up for success in the future. IT teams must be able to discover and identify any device connecting to the network in real time, a tall order in today’s dynamic environment. Below are a few of the key benefits of a virtual appliance over a hardware based solution:
- Flexible form factors that support modular components through a single, seamless platform
- Cloud-ready to support environments such as AWS and Azure
- Hardened operating system to facilitate upgrades
- Ability to scale log collection and parsing without falling behind
- Ability to scale, search and report with real-time correlation of event data points
- Multi-tenant design to handle overlapping IP addresses and reporting domains
Deployment and Administration
Today’s overburdened IT personnel need solutions that are easy to deploy, manage and administrate, to insure a rapid time to value. It is imperative the solution provides a cross-correlation of network and security operation analytics to insure a holistic view of the organization. When comparing solutions, consider these key points:
- Web-based GUI that provides all analytics from a single user interface. Some leading solutions require users to switch between three, or more, separate GUIs to see the entire landscape.
- Tiered access controls to support multiple admin levels and the data each user can see
- Full audit trail of user activity
- Easy software upgrade with no downtime and event loss
- Ability to immediately patch critical OS vulnerabilities
- Secure user authentication via external credentials or two-factor authentication
Real-time Event Data Collection
Best practices call for high-volume log ingestion with minimal delay or loss. Identify solutions that can consume and analyze high volumes of log data, from both current devices and future sources of log data. Be aware that some leading solutions max out at 5K events per second (EPS) per log manager and only allocate 2K EPS to the event manager. Key elements include:
- Agentless log collection whenever possible and the ability to identify performance issues associated with IoT endpoints such a CPU and memory utilization changes
- The ability to parse a log to any number of attributes. Solutions that use a NoSQL database to parse data, as opposed to the limited requirements of a relational database schema, will allow users to more easily create a new attribute on demand.
- A distributed collector architecture that is load-balanced for data collection to insure peaks in log data aren’t being lost due to the a single collector’s limitations
- The ability to identify asset and device context through a discovery engine that collects configuration, hardware, installed software, running processes, patches and network topology in real time
- A collection system that captures application-contextual information for triaging security issues
- A real-time audit trail for IP addresses, user identity, physical and geo-location to develop a time-based network identity to user identity mapping by combining information from DHCP, domain controller, VPN, WLAN logs etc.
The ability to rapidly detect issues is critical to faster remediation. Some solutions claim to offer real-time monitoring, but they make the process complex and, ultimately, incomplete. Some current providers, for instance, have Web GUIs that only work with the Event Manager database. Other noteworthy capabilities to consider are:
- Ability to search events in real time in a streaming mode from one GUI
- Ability to search historical events through SQL-like queries and Boolean filter conditions
- Scalable alerts on complex event patterns in real time, including all events from any log source
- Discovery of CMDB objects and user/identity and location in searches and rules that do not have to be manually defined
- Searching of events across organizations, seamlessly. Especially important for Ops teams that manage multiple networks or MSPs.
- Dynamic watch lists that track critical violators and then use them in rules
- Scalable analytics and incident prioritization via Business Service
- A Business Service Dashboard that shows the impact of security, availability and performance issues
Part Two of this article will look at the notion of cybersecurity through visibility and how threat intelligence integration, advanced threat detection and other factors can make or break your SIEM strategy.
About the Author:
Dr. Partha Bhattacharya is co-founder, chief technology officer and vice president of engineering at AccelOps. He has more than 20 years of experience in networking, security, database, system architecture and software development. Partha holds 15 patents and is the recipient of two IBM Outstanding Innovation Awards and a fellowship from the University of Maryland Systems Research Center. He holds a Ph.D. in electrical engineering from the University of Maryland.
Edited by Peter Bernstein