Top 5 bad assumptions about SIEM

The cliché goes, “When you assume, you make an ass out of u and me.” When implementing a SIEM solution, these five assumptions have the potential to get us in trouble. They stand in the way of organizational and personal success and are best avoided.

5. Security by obscurity or my network is too unimportant to be attacked
Small businesses tend to be more innovative and cost-conscious. Is there such a thing as too small for hackers to care about? In this blog post we outlined why this is almost never the case. As the Verizon Data Breach Investigations Report shows year after year, companies with 11 to 100 employees, drawn from 36 countries, had the largest number of breaches.

4. I’ve got to do it myself to get it right
Charles de Gaulle on humility: “The graveyards are full of indispensable men.” Everyone tries to demonstrate multifaceted skill, but it is neither effective nor efficient. Corporations delegate and specialize all the time; Tom Friedman explains why in “The World is Flat.”

3. Compliance = Security
This is only true if your auditor is your only threat actor. We tend to fear the known more than the unknown, so we often fear the (known) auditor more than the (unknown) attacker. Among the myriad lessons of the Target breach, perhaps the most important is that compliance does NOT equal security.

2. All I have to do is plug it in; the rest happens by magic
The marketing department of every security vendor would have you believe this of their magic appliance or software. When has this ever been true? Self-propelled lawn mower, anyone?

1. It’s all about buying the most expen$ive technology
Kivas Fajo, in “The Most Toys” (the 70th episode of Star Trek: TNG), believed this. Suppose you negotiate a 90% discount on a $200K solution and then park it as shelfware. What did you get? $20K wasted, is what. It is always about using what you have.

Bad assumptions = bad decisions.
Always true.

SIEM and Return on Investment: Four Pillars for Success

Return on investment (ROI) — it is the Achilles heel of IT management. Nobody minds spending money to avoid costs, prevent disasters, and ultimately yield more than the initial investment outlay. But is the investment justified?

It is challenging to calculate the ROI for any IT investment, and security information and event management (SIEM) tools are no exception.

We recently explored some basic precepts or “pillars” of the ROI of SIEM tools and technology. These pillars provide some sensible groundwork for the difficult endeavor to justify intangible costs of SIEM tools and technology.

Pillar 1. Think Risk: Before and After

Before and after, meaning life without SIEM tools and, subsequently, life with them. SIEM tools help reduce risk, and in most cases risk has a quantifiable cost. While it is difficult to say how much was saved by avoiding a major intrusion, comparing conditions before and after is a good start.

In an ROI analysis, develop a statement such as “before we invested in SIEM practices, tools or technique X, we were greatly at risk; after we deployed X, our risk was greatly reduced.”

Then prove and substantiate the statement. The after statement can be characterized with quantitative data, such as the number of intrusions detected or the number of exposed access points closed. The more you can quantify, the better. If you cannot quantify, estimate as best you can, but be consistent and realistic.

Pillar 2:  Think Cost Avoidance versus “Return”

In other words, do not expect revenue or a gain from the investment. Rather, the return is the intrusions and costly security disasters that the SIEM helped prevent. Cost avoidance is your return.

When the security IT firm RSA published a whitepaper on this very topic (SIEM and ROI), they focused on this dimension of ROI: it’s more about cost avoidance than it is about “return.” Cost avoidance is at the heart of the value that SIEM provides.

RSA wrote, “Most experts — who for years argued for or against a ‘return on security investment (ROSI)’ — agree that the value an SIEM solution brings is primarily in the realm of cost avoidance, not ‘return’ as it’s defined in the purest economic sense. So whether you’re looking for an ROI, ROSI, total cost of ownership (TCO), or a breakeven point, the goal is demonstrable value.”

The value of a SIEM solution must be viewed differently: it is better seen in the cost it avoided than in the direct dividend or revenue it yielded. As the whitepaper put it, “it’s not a cotton candy machine.”

Pillar 3: Focus on a Variable That Can Be Measured: Time

If you do not focus on quantifiable variables in your ROI analysis, you will be loaded up with assumptions, and assumptions carry little weight in business justification exercises.

Instead of assuming, use time as a key variable that SIEM improves in several ways. Explore how much time is saved. For example, if you are in a heavily regulated industry, consider the preparation that each audit requires: a SIEM with centralized, searchable logs saves much of that preparation time. Time saved can be redirected to the other security needs already competing for attention in the daily schedule of a busy security manager.

In addition to time saved, there is an improvement in reaction time. When the sky is falling, the ability of an organization to trace, find and contain the problem swiftly is critical. Good tools enable that, and improvements in reaction time can be measured: the interval from the first malicious event to its detection, and from detection to containment.

Add time saved to reaction time improved, and you are using a quantifiable variable as a measure of value and ultimately of ROI.
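Here is an added example, not code from the original post, of how reaction time can be turned into numbers: a Python script that computes mean time to detect and mean time to contain from incident records for a period before and after a SIEM deployment. The incident records are constructed, and the four-field layout is an assumption; in practice the timestamps come from incident tickets and the SIEM's own alert and case records.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records, not real data. Each entry is
# (incident id, first malicious event, time the team noticed it, time it was contained).
# "before" is the period without centralized log monitoring; "after" is with a SIEM in place.
INCIDENTS = {
    "before": [
        ("B-1", "2013-03-02T01:15", "2013-03-09T10:30", "2013-03-11T16:00"),
        ("B-2", "2013-05-14T22:40", "2013-05-20T09:05", "2013-05-21T14:30"),
        ("B-3", "2013-08-30T03:00", "2013-09-12T11:20", "2013-09-13T18:45"),
    ],
    "after": [
        ("A-1", "2014-02-10T02:10", "2014-02-10T08:25", "2014-02-10T17:00"),
        ("A-2", "2014-04-03T23:55", "2014-04-04T07:40", "2014-04-04T20:15"),
        ("A-3", "2014-07-21T04:30", "2014-07-21T09:05", "2014-07-22T12:00"),
    ],
}

FMT = "%Y-%m-%dT%H:%M"


def _hours(start, end):
    """Elapsed hours between two timestamps written in FMT."""
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds() / 3600


def reaction_metrics(records):
    """Mean time to detect (first event -> noticed) and mean time to contain
    (noticed -> contained) for one period, both in hours, rounded to 0.1."""
    mttd = mean(_hours(first, noticed) for _, first, noticed, _ in records)
    mttc = mean(_hours(noticed, contained) for _, _, noticed, contained in records)
    return round(mttd, 1), round(mttc, 1)


def before_after(incidents):
    """Compare the two periods and report the dwell time saved per incident."""
    b_mttd, b_mttc = reaction_metrics(incidents["before"])
    a_mttd, a_mttc = reaction_metrics(incidents["after"])
    return {
        "before": {"mttd_h": b_mttd, "mttc_h": b_mttc},
        "after": {"mttd_h": a_mttd, "mttc_h": a_mttc},
        # Total attacker dwell time (detect + contain) removed per incident.
        "dwell_hours_saved_per_incident": round((b_mttd + b_mttc) - (a_mttd + a_mttc), 1),
    }


if __name__ == "__main__":
    print(before_after(INCIDENTS))
```

Note what the script can and cannot show: the before/after delta reflects everything that changed between the two periods (tooling, staffing, process), so present it as the outcome of the program the SIEM anchors rather than of the appliance alone. Hours saved multiplied by a loaded hourly rate, combined with the breach cost figures in Pillar 4, turns the time variable into a cost-avoidance figure.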

Pillar 4: Consider the Cost of a Solution Without Early Discovery

Disaster recovery has many costs, both tangible and intangible. Liken a security intrusion or major breach to a medical problem: the earlier you discover it, the more options you have and the better the chances that you can limit the damage. SIEM tools surface noncompliance and suspicious activity earlier, which presents more courses of action, and presents them sooner, often before an incident begins to spiral.

Without early discovery, damage may ensue. But how much does it cost?

Cost estimates of security breaches may be found in news reports. For example, the following cost estimates of data breaches turned up with a simple media search:

“Maricopa Community College data breach cost $20 million, including $2.3 million in lawyer fees.”

“The Target breach cost $17 million in third-quarter expenses.” Later reports said the fourth quarter recognized $60 million in costs, and one editorial estimated the total at $1 billion when all was said and done.

Yet another is a headline that read: “Navy Intranet Breach Cost $10 Million.”

And the list goes on. The point is that citing news reports is a quick and reasonably reliable way to present the costs of remediation and recovery. It strengthens the case for SIEM tool purchases and puts some urgency into cost avoidance, based on someone else’s hardship after an intrusion rather than yours. It paints a picture of what the price of a large-scale breach could look like.

Determining the ROI of SIEM is not hard when it is approached in a logical way with known information built on a foundation of cost avoidance, time saved, and improved reaction time.

The ROI of SIEM is best explained in the trouble it avoids and the disaster it prevents.

Security is not something you buy, but something you do

The three sides of the security triangle are People, Process and Technology.


  1. People – the key issues are: who owns the process, who is involved, what are their roles, are they committed to improving it and working together, and, more importantly, are they prepared to do the work to fix the problem?
  2. Process – a process can be defined as a trigger event that creates a chain of actions, resulting in something being prepared for a customer of that process.
  3. Technology – once people are aligned and the process developed and clarified, technology can be applied to ensure consistency in how the process is applied and to provide the thin guiding rails that keep it on track, making it easier to follow the process than not.

None of this is particularly new to CIOs and CSOs, yet how often have you seen six- or seven-figure “investments” sitting in datacenter racks, or even on actual storage shelves, unused or heavily underused? Organizations throw away massive amounts of money, then complain about “lack of security funds” and “being insecure.” Buying security technology is far too often easier than utilizing it and “operationalizing” it. SIEM technology suffers from this problem, as do many other monitoring technologies.

Compliance and a “checkbox mentality” make this problem worse, as people read the mandates and pay attention only to the sections that refer to buying boxes.

Despite all this rhetoric, many managers equate information security with technology, ignoring the proper order. In reality, a skilled engineer with a so-so tool but a good process is worth more than an untrained person equipped with the best of tools.

As Gartner analyst Anton Chuvakin notes, “…if you got a $200,000 security appliance for $20,000 (i.e. at a steep 90% discount), but never used it, you didn’t save $180k – you only wasted $20,000!”

Security is not something you BUY, but something you DO.

IP Address is not a person

When we do forensic reviews of log data, our SIEM Simplified team is called upon to piece together a trail showing the four W’s: Who, What, When and Where. Logs can be your friend: if they are collected, centralized and indexed, they can give you answers very quickly.

There is a catch, though. The “Where” question is usually answered by supplying either a system name or an IP address that, at the time in question, was associated with that system name. Tying the address to a system depends on DHCP lease or authentication records from the same time window, and tying the system to a person depends on logon records for that system.

Is that good enough for the law? That is, will the legal system accept that you are your IP address?

Florida District Court Judge Ursula Ungaro says no.

Judge Ungaro was presented with a case brought by Malibu Media, who accused IP-address “″ of sharing one of their films using BitTorrent without their permission. The Judge, however, was reluctant to issue a subpoena, and asked the company to explain how they could identify the actual infringer.

Responding to this order to show cause, Malibu Media gave an overview of their data-gathering techniques. Among other things, they explained that geolocation software was used to pinpoint the location, and how they made sure it was a residential address and not a public hotspot.

Judge Ungaro welcomed the additional details, but saw nothing that actually proves that the account holder is the person who downloaded the file.

“Plaintiff has shown that the geolocation software can provide a location for an infringing IP address; however, Plaintiff has not shown how this geolocation software can establish the identity of the Defendant,” Ungaro wrote in an order last week.

“There is nothing that links the IP address location to the identity of the person actually downloading and viewing Plaintiff’s videos, and establishing whether that person lives in this district,” she adds.
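As an added example (not code from the original post or from the SIEM Simplified team), here is how the “Where” and the best available “Who” are reconstructed from centralized logs, and why the answer is a host and a set of candidate users rather than a person. The DHCP lines follow the Windows DHCP server audit log layout; the logon lines are a simplified key=value rendering of Windows events 4624/4634 (the native format differs); all records are constructed, and the hostnames, user names and addresses are made up.

```python
from datetime import datetime

# Constructed sample logs; none of this is from a real environment.
# DHCP lines follow the Windows DHCP server audit log layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address  (10 = Assign, 11 = Renew, 12 = Release)
DHCP_LOG = """\
10,03/14/14,08:58:40,Assign,10.1.20.57,LAPTOP-0412,00AABBCCDD01
10,03/14/14,09:01:05,Assign,10.1.20.58,DESK-0099,00AABBCCDD02
12,03/14/14,12:30:00,Release,10.1.20.57,LAPTOP-0412,00AABBCCDD01
10,03/14/14,12:31:15,Assign,10.1.20.57,GUEST-TAB7,00AABBCCDD03
"""

# Simplified Windows security events, one per line (4624 = logon, 4634 = logoff).
# The key=value layout is an assumption made for this example, not the native event format.
LOGON_LOG = """\
2014-03-14T09:03:10 EventID=4624 Computer=LAPTOP-0412 TargetUserName=jsmith LogonType=2
2014-03-14T09:04:55 EventID=4624 Computer=LAPTOP-0412 TargetUserName=helpdesk LogonType=10
2014-03-14T09:40:00 EventID=4634 Computer=LAPTOP-0412 TargetUserName=helpdesk LogonType=10
2014-03-14T09:10:00 EventID=4624 Computer=DESK-0099 TargetUserName=agarcia LogonType=2
"""

INTERACTIVE = {"2", "10", "11"}  # console, RDP and cached console logons


def host_for_ip(dhcp_log, ip, when):
    """Host holding `ip` at `when`, or None if no lease covers that instant."""
    leases = []
    for line in dhcp_log.splitlines():
        evid, date, time, _desc, lease_ip, hostname, _mac = line.split(",")
        if lease_ip == ip:
            leases.append((datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S"), evid, hostname))
    holder = None
    for ts, evid, hostname in sorted(leases):  # replay lease events in time order
        if ts > when:
            break
        holder = None if evid == "12" else hostname  # a Release ends the lease
    return holder


def users_on_host(logon_log, host, when):
    """Users with an interactive session on `host` still open at `when`."""
    events = []
    for line in logon_log.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv))
    active = set()
    for ts, kv in sorted(events, key=lambda e: e[0]):  # logs may arrive out of order
        if ts > when:
            break
        if kv["Computer"] != host or kv["LogonType"] not in INTERACTIVE:
            continue
        if kv["EventID"] == "4624":
            active.add(kv["TargetUserName"])
        elif kv["EventID"] == "4634":
            active.discard(kv["TargetUserName"])
    return sorted(active)


def who_where(dhcp_log, logon_log, ip, when_iso):
    """Answer 'Where' (the host) and the best available 'Who' (candidate users) for an IP at a time."""
    when = datetime.fromisoformat(when_iso)
    host = host_for_ip(dhcp_log, ip, when)
    users = users_on_host(logon_log, host, when) if host else []
    return {"ip": ip, "host": host, "candidate_users": users}


if __name__ == "__main__":
    for t in ("2014-03-14T08:00:00", "2014-03-14T09:20:00", "2014-03-14T10:47:02", "2014-03-14T12:45:00"):
        print(t, who_where(DHCP_LOG, LOGON_LOG, "10.1.20.57", t))
```

Querying 10.1.20.57 at 09:20 returns LAPTOP-0412 with two open interactive sessions (jsmith at the console and a remote helpdesk session); at 12:45 it returns a different host entirely, because the lease was released and reassigned; at 08:00 it returns no host at all. Each of those answers depends on the DHCP and logon records having been collected from sources with synchronized clocks; lose either feed, or let the clocks drift, and the chain from IP to system to person breaks. This is the gap Judge Ungaro identified: geolocation and the account holder’s address narrow the “Where”, but nothing in them establishes the “Who”.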

As a side note, on April 26, 2012, Judge Ungaro ruled that an order issued by Florida Governor Rick Scott to randomly drug test 80,000 Florida state workers was unconstitutional. Ungaro found that Scott had not demonstrated that there was a compelling reason for the tests and that, as a result, they were an unreasonable search in violation of the Constitution.

Three trends in Enterprise Networks

There are three trends in Enterprise Networks:

1) Internet of Things Made Real. We’re all familiar with the challenge of big data: how the volume, velocity and variety of data is overwhelming. Studies confirm the conclusion many of you have reached on your own: there’s more data crossing the internet every second than existed on the internet in total 20 years ago. And now, as customers deploy more sensors and devices in every part of their business, the data explosion is just beginning. This concept, called the “Internet of Things,” is a hot topic. Many businesses are uncovering efficiencies based on how connected devices drive decisions with more precision in their organizations.

2) “Reverse BYOD.” Most of us have seen firsthand how a mobile workplace can blur the line between our personal and professional lives. Today’s road warrior isn’t tethered to a PC in a traditional office setting. They move between multiple devices throughout their workdays with the expectation that they’ll be able to access their settings, data and applications. Forrester estimates that nearly 80 percent of workers spend at least some portion of their time working out of the office and 29 percent of the global workforce can be characterized as “anywhere, anytime” information workers. This trend was called “bring your own device” or “BYOD.” But now we’re seeing the reverse. Business-ready, secure devices are getting so good that organizations are centrally deploying mobility solutions that are equally effective at work and play.

3) Creating New Business Models with the Cloud. The conversation around cloud computing has moved from “if” to “when.” Initially driven by the need to reduce costs, many enterprises saw cloud computing as a way to move non-critical workloads such as messaging and storage to a more cost-efficient, cloud-based model. However, the larger benefit comes from customers who identify and grow new revenue models enabled by the cloud. The cloud provides a unique and sustainable way to enable business value, innovation and competitive differentiation, all of which are critical in a global marketplace that demands more mobility, flexibility, agility and better quality across the enterprise.