SIEM – a single piece of glass for all security data? Not really!

September 21, 2011

In our second post exploring why we believe SIEM is dead, we wanted to look at the promise made by traditional SIEM vendors that their tools enable ALL security data to be collated via a single console.  Aside from the fact that traditional SIEM tools only capture log and event-based data [see the first post in this series], they have failed on their promise to provide a single pane of glass with which to see the entire security posture of a large distributed network.  Breach detection for the majority of large enterprise organizations still requires teams of people to sit inside darkened rooms with a multitude of printed reports, manually cross-checking data in an attempt to identify anomalies.

There are two problems with this: first, while an organization has its entire security team in a room trying to figure out the entry point and intended target of an attack, they’re not doing what they should be doing – helping protect the infrastructure.  The second problem is that the attack is still spreading, potentially wreaking more havoc and rendering any conclusions reached through manual correlation outdated and, potentially, valueless.

To effectively fight a breach, security analysts need to see how security data elements relate to one another (events, yes… but a whole bunch of other non-event data, too), and not just view everything through the myopic, SIEM-centric “everything’s an event!” filter.  They need to see events as events, system configurations as configuration data, and network traffic as traffic.  They need to piece together all of those attack vectors that are potentially part of a single threat: how the unusual network packet is related to unauthorized changes on the system that sent it; how a failed patch update is resulting in 100% CPU utilization and a runaway process on a critical server; or how a privileged user is changing file system ACLs in a manner that goes against policy.

Oh, and all of this needs to happen in real-time.  Does your SIEM allow you to do all of this?  If not, your SIEM is dead.

Read the third and final part of this series – ‘Identify attacks while they are in progress… and take action AT THAT TIME’ – here
