Understanding where SIM ends and log management begins
In my travels, I tend to run into two types of security practitioners. The first I’ll call the “sailor.” These folks are basically adrift in the lake in a boat with many holes. They’ve got a little cup and they work hard every day trying to make sure the water doesn’t overcome the little ship and sink their craft.
The others I’ll call the “builders,” and these folks have gotten past the sailor phase, gotten their ship to port and are trying to build a life in their new surroundings. Thus, they are trying to lay the foundation for a strong home that can withstand whatever the elements have to offer.
Yes, there is a point to these crazy analogies. When you are talking about security management, the sailors don’t have a lot of time to worry about anything. They do the least amount necessary to keep whatever limited security defenses they have up and running. The idea of security information management, log management, configuration management or pretty much [anything] followed by the word management, just isn’t in their vernacular.
In this piece I’m going to focus on the builders. These folks are looking for something a bit more strategic now and they are asking questions like, “do I need SIM?” and “what about log management?” If you are in that camp, consider yourself lucky because many practitioners don’t get there.
To be clear, the title is a little bit disingenuous. I don’t really think that SIM ends and log management begins anywhere. All of these disciplines are coming together into a next generation security management PLATFORM, and based on these platforms I see a lot of security professionals finally starting to make some inroads. You know, more effectively managing their environments.
I don’t have the space to tell the full history of security management, so in a nutshell the discipline has evolved from stand-alone consoles that were built specifically to manage a class of device (firewall, VPN, IPS, etc.) to a central console mentality. This has mapped cleanly to the evolution of most network security vendors’ product lines. They started as specialists focusing on one discipline (firewall, IPS, etc.) and now they have broadened their offerings into integrated devices that offer multiple functions. Their management consoles reflect that.
But that doesn’t really solve most customers’ problem, which is that they’ve got a heterogeneous set of security devices and it’s neither time nor resource efficient to manage those devices separately. So an overlay management console dubbed SIM (security information management) was built to integrate the data coming from these specific devices, correlate it, and then tell the administrator what they need to focus on.
This was a bit better (although first generation SIMs cost too much and took too long to get value), but it still didn’t address an emerging problem: the need for forensically clean information that could be used for compliance and incident investigations. Thus a few years ago, the log management business was born.
Now many practitioners want the best of both worlds. The nerve of you folks! Basically, you want to be able to correlate operational data so you can react faster to imminent attacks, but also make sure the data is gathered and stored in a way that ensures it’s useful for investigations and compliance reporting.
The good news is that isn’t too much to ask for, and a number of vendors are now bringing these next generation security management platforms to market. What are some of the characteristics of these new offerings? Basically, I believe the PLATFORM must be built on a log management foundation.
Why? Because data integrity is paramount to ensuring the information will stand up in a court of law. So that means the log records (or any other gathered info like NetFlow data or transactions) must be cryptographically signed and sequenced. This ensures the data hasn’t been tampered with and creates evidence that cannot be questioned, even by the savviest of vultures – I mean, defense attorneys.
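To make “signed and sequenced” concrete, here is an added example (my own illustration, not code from any product the article discusses) that seals each log record with a sequence number, a link to the previous record’s MAC and an HMAC over the whole thing, then verifies the chain so that an edited, deleted or reordered record is reported. The signing key and the sample log lines are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed key for the example only; in practice the log collector holds the
# key, not the systems that emit the records, so a compromised host cannot re-sign.
SIGNING_KEY = b"example-key-do-not-use"
CHAIN_ANCHOR = "0" * 64   # stands in for the MAC "before" the first record

def _mac(body, key):
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def seal_records(raw_lines, key=SIGNING_KEY):
    """Wrap raw log lines in sequenced, hash-chained, HMAC-signed records."""
    sealed, prev_mac = [], CHAIN_ANCHOR
    for seq, line in enumerate(raw_lines):
        body = {"seq": seq, "msg": line, "prev": prev_mac}
        body["mac"] = _mac(body, key)
        sealed.append(body)
        prev_mac = body["mac"]
    return sealed

def verify_chain(records, key=SIGNING_KEY):
    """Return (ok, reason). Detects edits, gaps and reordering in the middle of
    the chain; truncation at the tail needs the last MAC anchored elsewhere."""
    prev_mac = CHAIN_ANCHOR
    for expected_seq, rec in enumerate(records):
        if rec.get("seq") != expected_seq:
            return False, f"sequence gap at record {expected_seq}"
        if rec.get("prev") != prev_mac:
            return False, f"chain break at record {expected_seq}"
        body = {k: rec[k] for k in ("seq", "msg", "prev")}
        if not hmac.compare_digest(_mac(body, key), rec.get("mac", "")):
            return False, f"bad signature at record {expected_seq}"
        prev_mac = rec["mac"]
    return True, "ok"

# Constructed sample log lines (not real events)
SAMPLE_LINES = [
    "fw01 DROP tcp 10.0.0.5:51234 -> 192.0.2.10:22",
    "vpn01 login user=alice src=198.51.100.7",
    "ips01 alert sid=1000001 src=10.0.0.5",
]

if __name__ == "__main__":
    recs = seal_records(SAMPLE_LINES)
    print(verify_chain(recs))
```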
You also want to make sure the data isn’t reduced. With first generation SIMs, the vendors didn’t have a choice but to use data reduction techniques in order to get on top of the sheer volume of information. That’s no longer a problem, thanks to the constant march of Moore’s Law on the technology industry. Now ALL of the data can be stored, and it should be – at least for a certain amount of time.
Finally you want to make sure the security management platform’s management environment will fit into your own personal workflow. That’s absolutely critical because you’ll have to live in this tool a large portion of every working day. Does it provide you with the ability to customize the environment and provide the information YOU need, not what the vendor thinks you need?
Sounds like a cool vision, no? It is, but it’s usually a pretty big project to get there. So I advocate a phased approach that allows you to focus on the problem you need to solve TODAY and build towards the future. It’s kind of like building a house. You may not need a pool today, but if that’s something you think you’d like, you’d better make sure there is space in the back yard to accommodate those plans.
That’s why I take a platform approach to building your security management environment. Take an application-centric approach, built on top of a common foundation (that’s the platform). SIM is an application. So is network behavior analysis and configuration management. These applications can be driven by the data stored in the platform and the platform can be extended to meet all of your requirements over time.