Wednesday, October 14, 2009

SIEM Insights

Organizations worldwide have to comply with regulations and thwart attacks against their websites and networks if they want to grow exponentially and expand geometrically! Leaving aside a plethora of business issues, one thing that consciously bugs almost all of them is security. The need for security and regulatory compliance is greatest for banks, financial organizations and insurance dealers, and for those who deal in all or a mix of the three.

Hence, today we stand at a point where we have this huge Web, the WWW, and internal networks making the different company locations and data available at any point, any time. This increases the need for better infrastructure and for command over the network, both internal and external. It is becoming increasingly difficult merely to be informed about, let alone to manage, the various security and compliance violations taking place across the length and breadth of any given organization.

SIEM tools, or Security Information and Event Management tools, provide a better view of these security incidents and allow them to be managed in a practical, real-time manner. There has been a lot of research, blogging and news about them, and the field is in a commendable position alongside application security. Though the two are related, application security focuses on implementation flaws and bugs in general programming constructs, as well as giving insight into design flaws; it concentrates on applications from a vulnerability standpoint. SIEM in turn provides a platform and reports that cater not just to applications but to various network devices and to network or sometimes local (host) events as well.

Each day IDS/IPS sensors, firewalls and various applications write millions of lines of logs. Human parsing of all log events in real time is not merely difficult but impossible, even in the most optimistic case. SIEM tools accumulate these logs, parse them with some intelligence and present the security analyst with a hawk's-eye view of the events that could be a possible security violation.

In more detail: network devices (IDS/IPS, firewalls, routers etc.), domain controllers, antivirus agents and applications (enterprise and custom) generate a huge amount of log data. The connectors of the SIEM tool collect this data, preferably over HTTP (local deployment of connectors on the log source is another scenario, but it brings other issues), and parse it, picking out the most relevant fields required by the Manager / Server. The Manager is the heart of the tool and houses the more intelligent parsers and the correlation engine. The correlation engine finds relations between diverse or similar events, coming from different or the same device(s), with the help of rules written by the security analyst/expert, and flags an alert to the analyst when the conditions that matter to a given organization are met. This provides relief from hand-sieving huge amounts of data (which would otherwise mean running log analyzers by hand), while still surfacing the right event to focus on in real time. A SIEM tool also keeps its own database of the events it captures from the various devices, for analysis of past data and as evidence of a security breach.

Below is one probable architecture of a SIEM tool.
(The thin lines show the inward flow of events/logs. The thick lines show the events being transferred to the console and the events database.)

SIEM allows better incident management than conventional methods, along with more reliability. It requires full insight into the network and its behavior to achieve the near-perfect scenario of never missing a single security event in real time. It requires a lot of effort from both the analysts (Level 1/Level 2 support) and the experts (Level 3/Level 4 support) to devise accurate rules and make sure that almost nothing is missed. These tools allow one to track all kinds of malicious attempts to scan, gather information (for example SQL injection probing the well-known system tables of various database implementations) or compromise a network, as well as regulatory issues such as SOX compliance.

Today's SIEM tools, both open source and proprietary, provide various facilities from detection to reporting of incidents. Reporting being an important function in the security incident scenario, these modern tools provide a plethora of stylish and meaningful reports, with functionality like that of a BI (Business Intelligence) drill-down report. These tools alert on web attacks such as SQL injection and script injection, on low-level scans of devices and servers and on probing of servers for information; they also detect network traffic anomalies, device misconfiguration, failed password attempts and the presence of unauthorized software, to name a few.

How does a SIEM tool or platform assist in day-to-day event management? The implementation of the network and of the tool decides the method of operation, but the basics go like this.
An organization decides to put in a SIEM tool to monitor the production environment. It engages some security analysts to monitor the network (ideally on a 24x7 basis). These analysts start with the stock rules present in the tool, find the security incidents that are applicable to the organization and alert the security expert, or alternatively the system administrators or network engineers. They also analyze events that the SIEM vendor did not consider an incident and gather data, which in turn gives the experts the information to formulate new rules as and when required. The rules accumulate and undergo threshold or correlation changes, slowly evolving into a system that caters to every security or regulatory need of the organization.
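As an added example (not code from the original post or from any SIEM vendor), here is the collect, parse and correlate pipeline described earlier, together with the threshold and correlation rules that the analysts tune in the day-to-day process just described, in miniature. Three hypothetical connectors normalize constructed firewall, IDS and login log lines into one common schema, a threshold rule and a cross-device correlation rule run over the normalized events in time order, and alerts come out. The log formats, device names, IP addresses, rule names, thresholds and windows are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from three hypothetical devices (not real captures).
# The formats are invented for this example; real connectors parse vendor-specific syntax.
RAW_LOGS = [
    ("firewall", "2009-10-14T09:00:01 ACCEPT src=203.0.113.5 dst=10.0.0.20 dport=22"),
    ("ids", '2009-10-14T09:00:02 alert sid=2001219 msg="SSH brute force" src=203.0.113.5 dst=10.0.0.20'),
    ("auth", "2009-10-14T09:00:03 host=10.0.0.20 user=root result=FAIL src=203.0.113.5"),
    ("auth", "2009-10-14T09:00:05 host=10.0.0.20 user=root result=FAIL src=203.0.113.5"),
    ("auth", "2009-10-14T09:00:08 host=10.0.0.20 user=root result=FAIL src=203.0.113.5"),
    ("auth", "2009-10-14T09:00:12 host=10.0.0.20 user=root result=FAIL src=203.0.113.5"),
    ("auth", "2009-10-14T09:00:15 host=10.0.0.20 user=root result=FAIL src=203.0.113.5"),
    ("auth", "2009-10-14T09:00:20 host=10.0.0.20 user=root result=OK src=203.0.113.5"),
    ("auth", "2009-10-14T09:05:00 host=10.0.0.21 user=alice result=FAIL src=10.0.0.50"),
    ("auth", "2009-10-14T09:05:30 host=10.0.0.21 user=alice result=OK src=10.0.0.50"),
]

# Connector step: one regex per device type picks out only the fields the manager needs.
CONNECTORS = {
    "firewall": re.compile(r"(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+"),
    "ids": re.compile(r'(?P<ts>\S+) alert sid=\d+ msg="(?P<msg>[^"]*)" src=(?P<src>\S+) dst=(?P<dst>\S+)'),
    "auth": re.compile(r"(?P<ts>\S+) host=(?P<dst>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)"),
}


def normalize(device, line):
    """Map a raw line to the common event schema, or None if the connector cannot parse it."""
    m = CONNECTORS[device].match(line)
    if not m:
        return None
    f = m.groupdict()
    event = {"ts": datetime.fromisoformat(f["ts"]), "device": device,
             "src": f.get("src"), "dst": f.get("dst"), "user": f.get("user")}
    if device == "auth":
        event["category"] = "login_ok" if f["result"] == "OK" else "login_fail"
    elif device == "ids":
        event["category"] = "ids_alert"
        event["msg"] = f["msg"]
    else:
        event["category"] = "fw_" + f["action"].lower()
    return event


def rule_login_threshold(events, threshold=5, window=timedelta(seconds=60)):
    """Threshold rule: `threshold` failed logins from one source inside a sliding `window`."""
    alerts = []
    recent_fails = defaultdict(list)  # src -> timestamps of failures still inside the window
    for ev in events:
        if ev["category"] != "login_fail":
            continue
        q = recent_fails[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # expire failures older than the window
            q.pop(0)
        if len(q) >= threshold:
            alerts.append({"rule": "login_threshold", "severity": "medium",
                           "src": ev["src"], "count": len(q), "ts": ev["ts"]})
            q.clear()  # fire once per burst rather than on every further failure
    return alerts


def rule_ids_then_login(events, window=timedelta(minutes=5)):
    """Cross-device rule: an IDS alert for src->dst followed by a successful login from src on dst."""
    alerts = []
    ids_alerts = []
    for ev in events:
        if ev["category"] == "ids_alert":
            ids_alerts.append(ev)
        elif ev["category"] == "login_ok":
            for ids in ids_alerts:
                if (ids["src"], ids["dst"]) == (ev["src"], ev["dst"]) and \
                        timedelta(0) <= ev["ts"] - ids["ts"] <= window:
                    alerts.append({"rule": "ids_alert_then_login", "severity": "high",
                                   "src": ev["src"], "dst": ev["dst"], "user": ev["user"],
                                   "ids_msg": ids["msg"], "ts": ev["ts"]})
    return alerts


def run_siem(raw_logs):
    """Manager step: normalize everything, order by time, run the rule set, return (events, alerts)."""
    events = [e for e in (normalize(dev, line) for dev, line in raw_logs) if e]
    events.sort(key=lambda e: e["ts"])  # correlate in event order, not arrival order
    alerts = rule_login_threshold(events) + rule_ids_then_login(events)
    return events, alerts


if __name__ == "__main__":
    _, found = run_siem(RAW_LOGS)
    for a in found:
        print(a["severity"].upper(), a["rule"], a["src"], a["ts"].isoformat())
```

On the constructed input the threshold rule fires once for 203.0.113.5 (five failures inside the 60-second window) and the cross-device rule fires once more when the IDS brute-force alert is followed by a successful root login from the same source on the same host; alice's single failure trips nothing. The `threshold` and `window` parameters are the knobs the paragraph above calls "threshold or correlation changes": raising them means fewer false positives but more misses, which is why tuning is an ongoing job rather than a one-time install.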

There are many vendors of SIEM tools, catering to both individual customers and MSSPs (Managed Security Service Providers). To name a few: ArcSight, RSA, Cisco, Check Point, High Tower, Tri Geo, NetIQ.

The selection of a SIEM tool depends entirely on the use cases or scenarios the organization is focused on. For a mid-size company, huge customization costs will deter it from investing in one, but if the out-of-the-box functionality fulfills its needs, it seems a good investment. Large international business houses, again, are the ones that have both the means and the urgency to implement one, keeping them safe and consistent in the security arena.
