SIEM: Security, Incident AND Event MANAGEMENT, not Monitoring!

By: Rich Ptak, Managing Partner, Ptak, Noel & Associates LLC

Unfortunately, IT is not perfect; nothing in our world can be. Compounding the inevitable failures and weaknesses in any system designed by fallible beings are those with malicious or larcenous intent who search for exploitable system weaknesses. As a result, IT and the businesses, enterprises and users depending upon reliable operations are no strangers to disruptions, problems, and embarrassing, even ruinous, releases of data and information. The recent exposures of the passwords of hundreds of thousands of Yahoo! and Formspring [1] users are only two of the most recent public occurrences that remind us of the risks and weaknesses that remain in the systems of even the most sophisticated service providers.

The wise, or more correctly the experienced, solution or system designer recognizes the risk of attempts at unauthorized access to files and data. To frustrate such attacks and minimize their impact, they design and apply various fail-safe strategies and tactical protective mechanisms as part of good design practice. Security issues are of prime concern and a barrier to the use of many technologies (cloud in all its models is a prime example) and implementation strategies, such as outsourcing services.

One of the reasons that solutions such as SIEM products exist is as a part of the operational response to the risks of failure in data and information protection. In the best implementations, they are used as part of a closed loop process. A basic process would include monitoring to detect suspect or anomalous behaviors which mark intrusion attempts and reveal suspect procedural patterns (e.g. repeated password failures). Upon identification and verification, they typically trigger an event alarm and report to a responsible party. The notified individual may accept and act on the notice. Alternatively, they may perform their own check to assure the alarm is valid. They will then determine what corrective action, if any, is needed and initiate the action. Some installations are set up to automatically trigger corrective action (such as isolating the system or port) in parallel with the notification. But, experience has shown that such process definition alone is not a guarantee of protection and risk reduction.

In fact, a review of a failed process that resulted in a major data leak at a service provider gives an indication of how the best designed system can fail. The company had in place a process which included all the proper activities, as well as a reasonable sequence of review and actions to take in response to an alert to an attempted intrusion or attack. Unfortunately, they had no process to oversee the process and assure that someone reviewed the notification of a suspicious event once it was sent. If the notification arrived out-of-hours, or if it was lost, there was no verification of receipt or provision to check to verify follow-up. The resulting debacle was all but inevitable.
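The closed-loop process described above (detect repeated password failures, raise an alert, verify, act) together with the oversight step the service-provider example lacked (confirming that someone actually reviewed the notification), as an added Python illustration that is not from the article; the log format, the threshold, the window and the acknowledgement deadline are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log, "timestamp user source result" (not real data)
SAMPLE_LOG = """\
2012-07-12T02:10:01 alice 198.51.100.7 FAIL
2012-07-12T02:10:05 alice 198.51.100.7 FAIL
2012-07-12T02:10:09 alice 198.51.100.7 FAIL
2012-07-12T02:10:12 alice 198.51.100.7 FAIL
2012-07-12T02:10:15 alice 198.51.100.7 FAIL
2012-07-12T02:11:00 bob 192.0.2.20 OK
2012-07-12T02:30:00 bob 192.0.2.20 FAIL
""".splitlines()

# Trip-points of the kind the article says must be reviewed periodically (assumed values)
THRESHOLD = 5                        # failures from one source within WINDOW raise an alert
WINDOW = timedelta(minutes=5)
ACK_DEADLINE = timedelta(minutes=30)  # an alert nobody acknowledged by then is escalated


def detect_password_failures(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failed logins per source; returns one alert per burst."""
    recent = defaultdict(deque)       # source -> timestamps of recent failures
    alerts = []
    for line in lines:
        ts_str, user, source, result = line.split()
        ts = datetime.fromisoformat(ts_str)
        if result != "FAIL":
            continue
        q = recent[source]
        q.append(ts)
        while ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"id": len(alerts), "source": source, "user": user, "raised": ts})
            q.clear()                  # do not re-alert on the same burst
    return alerts


def escalate_unacknowledged(alerts, acks, now, deadline=ACK_DEADLINE):
    """Oversight of the notification itself: `acks` maps alert id -> time a responder
    acknowledged it. Alerts with no timely acknowledgement (lost, or out-of-hours) are
    returned so a second party can be notified instead of the alert silently expiring."""
    escalated = []
    for a in alerts:
        acked_at = acks.get(a["id"])
        reviewed_in_time = acked_at is not None and acked_at - a["raised"] <= deadline
        if not reviewed_in_time and now - a["raised"] > deadline:
            escalated.append(a)
    return escalated
```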

Keep in mind, when evaluating internal as well as external data services, that contractual guarantees, compliance audits, code testing and reviews have not been 100% effective in preventing data exposure, intrusion or leaks. There are no 100% fail-safe solutions; a workable solution should be viewed as one that reduces risk to an acceptable level.

An effective solution must include an on-going process of maintenance, review and validation testing to assure that it is working correctly, remains relevant and focused on the appropriate issues. Assumptions have to be documented, reviewed and tested to assure they match reality. Boundaries, trip-points and threshold limits need to be reviewed. This holds true even and especially for analyses designed to adjust automatically to circumstances to assure they do not ‘drift’ away from critical values.

SIEM solutions are available in a wide variety of service combinations. The typical solution includes the functionality needed for event management, information management and network behavior analytics. This allows it to build a comprehensive view of what is happening from a combination of real-time data and event log information. Many additional options exist for those with more comprehensive concerns and management needs. Frequently desired additional functionality includes risk analysis, vulnerability management and security controls such as integration with identity and access management. Best practices in corporate governance have made compliance monitoring and management capabilities, including the ability to assess compliance and build compliance reports, a critical extension.

Finally, any production process requires periodic maintenance and review to remain effective. Communication and reporting flows have to be verified to assure not only that the information and alert arrives, but that it is monitored and reviewed in a regular and timely manner. The temptation exists to assume that a solution would be complete based on functionality alone. It should now be clear that a successful system of data protection requires a combination of solution functionality, process and management that effectively reduces and maintains the risk of a breach to a level acceptable to the service and enterprise needs.

[1] http://www.bbc.co.uk/news/technology-18811300