
For SIEM 2.0 Read SIEM 1.0 [with some shiny new marketing]

March 6, 2012

Wandering the show floor at RSA, I was intrigued by a demo of what was billed as ‘SIEM 2.0’. Does SIEM have a new pretender to its crown?

Sadly, it appears that SIEM 2.0 is just a repackaging of the same, tired old SIEM story. The presenter challenged observers to “answer three questions”, each prefaced with “Would you know if…”:

– A new account was created on your network, somebody logged in, and then within 24 hours the account was deleted?

– A privileged account was logged in from Kansas – and then again from Russia within a couple of hours?

– An Adobe Reader process began initiating outbound activity on opening a document?

All relevant questions, but all based around log and event data. We’d like to ask the vendor in question whether, with “SIEM 2.0”, they could answer the more critical and detailed questions that a real-world security analyst would actually want – and need – to know in order to mitigate a threat in real time:

– In addition to telling me that someone logged into an account that was soon deleted, can you tell me about the context of the user? For example, were there any unauthorized configuration changes on the system on which the account was used in the prior days and weeks? Are the systems from which the account was used compliant with the organization’s security configuration baseline?

– While geolocation data is nice, it doesn’t help if a legitimate user is on business or vacation and is accessing systems through VPNs or multiple cloud infrastructures; can you determine what the user’s activity patterns are, to see whether recent logons from multiple countries in a short period of time are “normal” based on historical activity?

– What user context is the Adobe Reader process running inside of? Have there been any updates or changes to the version of Adobe Reader, including file integrity changes on key executables and DLLs? What’s actually inside the payload of the network traffic that the process is initiating?
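To make the difference between the two lists concrete, here is an added example (not code from the original post, and not any vendor's product) that first implements the three “Would you know if…” questions as event-only rules over a few constructed log events, and then enriches each alert with the context the second list asks for: host configuration baseline state, the user's historical logon countries, and a file-integrity check on the reader binary. The event records, host state table, logon history and hash values are all constructed sample data; the field names are assumptions, not any real SIEM schema.

```python
"""Event-only SIEM rules versus context-enriched alerts (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed sample telemetry modelled on the three "Would you know if..." questions.
EVENTS = [
    {"ts": "2012-03-01T09:00:00", "type": "account_created", "user": "svc_tmp", "host": "srv01"},
    {"ts": "2012-03-01T10:30:00", "type": "logon", "user": "svc_tmp", "host": "srv01", "country": "US"},
    {"ts": "2012-03-02T08:00:00", "type": "account_deleted", "user": "svc_tmp", "host": "srv01"},
    {"ts": "2012-03-01T11:00:00", "type": "logon", "user": "admin", "host": "srv02", "country": "US", "privileged": True},
    {"ts": "2012-03-01T12:30:00", "type": "logon", "user": "admin", "host": "srv02", "country": "RU", "privileged": True},
    {"ts": "2012-03-01T14:00:00", "type": "logon", "user": "bob", "host": "srv03", "country": "US", "privileged": True},
    {"ts": "2012-03-01T15:00:00", "type": "logon", "user": "bob", "host": "srv03", "country": "DE", "privileged": True},
    {"ts": "2012-03-01T13:00:00", "type": "process_start", "host": "ws07", "user": "alice", "process": "AcroRd32.exe"},
    {"ts": "2012-03-01T13:00:05", "type": "network_connect", "host": "ws07", "process": "AcroRd32.exe", "dest": "203.0.113.10:443"},
]

# Constructed context that an event-only SIEM does not carry (assumed data sources).
HOST_STATE = {
    "srv01": {"baseline_compliant": False, "unauthorized_config_changes_30d": 3},
    "srv02": {"baseline_compliant": True, "unauthorized_config_changes_30d": 0},
    "ws07": {"baseline_compliant": True, "unauthorized_config_changes_30d": 0},
}
LOGON_HISTORY = {"admin": {"US", "DE"}, "bob": {"US", "DE", "GB"}}  # countries seen per user, prior 90 days
KNOWN_GOOD_HASH = {"AcroRd32.exe": "sha256:PLACEHOLDER-GOOD"}       # placeholder, not a real hash
CURRENT_HASH = {("ws07", "AcroRd32.exe"): "sha256:PLACEHOLDER-CHANGED"}  # differs: binary was modified


def short_lived_accounts(events, window=timedelta(hours=24)):
    """Rule 1: account created, logged into, and deleted inside `window`."""
    acct = defaultdict(lambda: {"logons": []})
    for e in events:
        if e["type"] == "account_created":
            acct[e["user"]]["created"] = _t(e["ts"])
        elif e["type"] == "account_deleted":
            acct[e["user"]]["deleted"] = _t(e["ts"])
        elif e["type"] == "logon":
            acct[e["user"]]["logons"].append(e)
    hits = []
    for user, a in acct.items():
        if "created" not in a or "deleted" not in a or a["deleted"] - a["created"] > window:
            continue
        for l in a["logons"]:
            if a["created"] <= _t(l["ts"]) <= a["deleted"]:
                hits.append({"rule": "short_lived_account", "user": user, "host": l["host"]})
                break
    return hits


def impossible_travel(events, window=timedelta(hours=2)):
    """Rule 2: consecutive privileged logons for one user from two countries inside `window`."""
    logons = defaultdict(list)
    for e in events:
        if e["type"] == "logon" and e.get("privileged"):
            logons[e["user"]].append(e)
    hits = []
    for user, evs in logons.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["country"] != b["country"] and _t(b["ts"]) - _t(a["ts"]) <= window:
                hits.append({"rule": "impossible_travel", "user": user, "countries": (a["country"], b["country"])})
    return hits


def reader_outbound(events, process="AcroRd32.exe", window=timedelta(minutes=1)):
    """Rule 3: the reader process starts and opens an outbound connection shortly after."""
    starts = [e for e in events if e["type"] == "process_start" and e["process"] == process]
    conns = [e for e in events if e["type"] == "network_connect" and e["process"] == process]
    hits = []
    for s in starts:
        for c in conns:
            if c["host"] == s["host"] and timedelta(0) <= _t(c["ts"]) - _t(s["ts"]) <= window:
                hits.append({"rule": "reader_outbound", "host": s["host"], "user": s["user"], "dest": c["dest"]})
    return hits


def enrich(alert):
    """Attach the context the post asks for and derive a priority from it."""
    ctx = {}
    if alert["rule"] == "short_lived_account":
        ctx.update(HOST_STATE.get(alert["host"], {}))
        drifted = not ctx.get("baseline_compliant", True) or ctx.get("unauthorized_config_changes_30d", 0) > 0
        ctx["priority"] = "high" if drifted else "medium"
    elif alert["rule"] == "impossible_travel":
        usual = LOGON_HISTORY.get(alert["user"], set())
        ctx["unseen_countries"] = [c for c in alert["countries"] if c not in usual]
        ctx["priority"] = "high" if ctx["unseen_countries"] else "low"  # known travel pattern: low
    elif alert["rule"] == "reader_outbound":
        ctx["binary_changed"] = CURRENT_HASH.get((alert["host"], "AcroRd32.exe")) != KNOWN_GOOD_HASH["AcroRd32.exe"]
        ctx["priority"] = "high" if ctx["binary_changed"] else "medium"
    return {**alert, "context": ctx}


def run(events=EVENTS):
    alerts = short_lived_accounts(events) + impossible_travel(events) + reader_outbound(events)
    return [enrich(a) for a in alerts]


if __name__ == "__main__":
    for a in run():
        print(a["rule"], a.get("user", a.get("host")), a["context"])
```

The three rules alone fire on every matching pattern; the user `bob` trips the travel rule just like `admin` does. Only the enrichment step separates them: `bob`'s two countries are in his 90-day history, so the alert drops to low priority, while `admin`'s logon from an unseen country stays high. Likewise the short-lived account is escalated because the host it was used on has drifted from baseline, and the reader alert because the executable's hash no longer matches the known-good value. That contextual data is exactly what an event-only pipeline lacks.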

All of these questions are absolutely critical to enhancing the visibility of this so-called “SIEM 2.0” into something that’s actually actionable.  Can a “SIEM 2.0” technology answer these questions?  We’ll see if they respond.

SIEM 1.0, 2.0 and, I suspect, 3.0 won’t help you answer these questions because they limit their visibility to event-based information; other pieces of critical data such as system state, network activity, performance metrics, and user behavior are ignored. SIEM 1.0 has been making the same promises of better visibility for more than 10 years, so perhaps it was time for a refresh; but while the marketing might have been given a polish, you’ll still be left with the same blind spots in your environment that SIEM promised to fix more than a decade ago. What you need is better awareness… Situational Awareness.
