Security As A Service
- Many security information and event management (SIEM) vendors are releasing or developing capabilities such as behavior profiling and anomaly detection, threat intelligence integration, and more effective analytics to support the early detection of targeted attacks.
- High-performance event processing and data retrieval are needed to support the iterative analysis of historical data required for breach detection.
- Deployment and support simplicity is an important attribute for all use cases because of the resource constraints of most IT security organizations.
- Product selection decisions should be driven by organization-specific requirements in areas such as deployment scale, real-time security monitoring, compliance reporting, analytics, and integration with system and application infrastructures.
- Organizations should select a technology whose deployment and support requirements are a good match to the IT organization's project and support capabilities. Organizations may also need to consider services to cover capability gaps.
- When developing requirements, include stakeholders from internal audit, compliance, IT security and IT operations.
- Develop a two- to three-year road map for all functions that will influence buying decisions for the initial implementation.
Organizations evaluating SIEM tools should begin with a requirements definition effort that includes IT security, internal audit, compliance and IT operations. Organizations must determine deployment scale, real-time monitoring and post-capture analytics requirements, and compliance reporting requirements. In addition, organizations should identify products whose deployment and support requirements are a good match to internal project and support capabilities. Gartner recommends developing a set of requirements that resolve the initial problem, but there should also be some planning for the broader implementation of SIEM capabilities in subsequent project phases. Developing a two- to three-year road map for all functions will influence the buying decision for the initial implementation.
SIEM technology is an important element of an organization's security strategy because it establishes a consolidation point for all forms of security monitoring and can be used to detect a targeted attack in its early phases to minimize damage. SIEM tools provide user activity and data access monitoring and reporting for threat detection, and to satisfy audit requirements. Many Gartner clients need to implement SIEM technology to satisfy regulatory requirements — for example, log management for the Payment Card Industry (PCI) or privileged user reporting for Sarbanes-Oxley (SOX). IT security organizations generally recognize that these compliance-funded projects are opportunities to improve security monitoring and incident response. This research will help IT security organizations define their requirements and select technology.
Product Class Definition
SIEM technology supports threat management and security incident response through the collection and analysis of security events from a wide variety of event and contextual data sources in real time. It also supports security policy compliance monitoring and incident investigation through the analysis of and reporting on historical data from these sources. The core capabilities of SIEM technology are the broad scope of event collection and the ability to correlate and analyze events across disparate information sources. The technology is typically deployed to:
- Discover external and internal threats
- Monitor the activities of privileged users
- Monitor server and database resource access
- Monitor and analyze user activity across multiple systems and applications
- Provide compliance reporting
- Provide analytics and workflow to support incident response
SIEM technology aggregates and analyzes the event data produced by devices, systems and applications. The primary data source is log data, but SIEM technology can also process other forms of data to obtain context about the network, users, IT assets, data, applications, threats and vulnerabilities. The data is normalized so that events from disparate sources can be correlated and analyzed for specific purposes, such as network security event monitoring and user activity monitoring for the early detection of breaches or misuse.
Organizations should evaluate the following set of SIEM capabilities:
- Scalable architecture and deployment flexibility: These are derived from vendor design decisions in the areas of product architecture, data collection techniques, agent designs and coding practices. Scalability can be achieved by:
  - A hierarchy of SIEM servers — tiers of systems that aggregate, correlate and store data
  - Segmented server functions — specialized servers for correlation, storage, reporting and display
  - A combination of hierarchy and segmentation to support horizontal scaling
  During the planning phase, many organizations underestimate the volume of event data that will be collected, as well as the scope of analysis and reporting that will be required. An architecture that supports scalability and deployment flexibility will enable an organization to adapt its deployment in the face of unexpected event volume and analysis demands.
- Real-time event data collection: SIEM products collect event data in near real time in a way that enables immediate analysis. Data collection methods include:
  - Receipt of a syslog data stream from the monitored event source
  - Agents installed directly on the monitored device or at an aggregation point, such as a syslog server
  - Invocation of the monitored system's command line interface
  - APIs provided by the monitored event source
  - External collectors provided by the SIEM tool
  Note: The technology should also support batch data collection for cases where real-time collection is not practical or is not needed.
  Filtering options at the source are also important methods of data reduction, especially for distributed deployments with network bandwidth constraints. Agent-based collection options and virtualized SIEM infrastructure options will become more important as organizations move workloads to virtualized and public infrastructure-as-a-service (IaaS) cloud environments. A large percentage of organizations that have deployed SIEM technology must integrate data sources that aren't formally supported by the SIEM vendor. SIEM products should provide APIs or other functions to support user integration of additional data sources. This capability becomes more important as organizations apply SIEM technology to application-layer monitoring.
- Event normalization and taxonomy: This is a mapping of information from heterogeneous sources to a common event classification scheme. A taxonomy aids in pattern recognition, and also improves the scope and stability of correlation rules. When events from heterogeneous sources are normalized, they can be analyzed by a smaller number of correlation rules, which reduces deployment and support labor. In addition, normalized events are easier to work with when developing reports and dashboards.
- Real-time monitoring: Event correlation establishes relationships among messages or events that are generated by devices, systems or applications, based on characteristics such as the source, target, protocol or event type. There should also be a library of predefined correlation rules and the ability to easily customize those rules. A security event console should provide the real-time presentation of security incidents and events.
- Behavior profiling: Behavior profiling employs a learning phase that builds profiles of normal activity for discrete event sources, such as NetFlow data, users, servers and so on. The monitoring phase alerts on deviations from normal. Profiling and anomaly detection are emerging capabilities in SIEM that complement rule-based correlation.
- Threat intelligence: Intelligence about the current threat environment exists in a variety of sources, including open-source lists, the threat and reputation content developed and maintained by security research teams within security vendors, and data developed by managed security and other service providers. Threat intelligence data can be integrated with an SIEM in the form of watch lists, correlation rules and queries in ways that increase the success rate of early breach detection.
- Log management and compliance reporting: Functions supporting the cost-effective storage and analysis of a large information store include collection, indexing and storage of all log and event data from every source, as well as the capability to search and report on that data. Reporting capabilities should include predefined reports, as well as the ability to define ad hoc reports or use third-party reporting tools.
- Analytics: Security event analytics is composed of dashboard views, reports and ad hoc query functions to support the investigation of user activity and resource access in order to identify a threat, a breach or the misuse of access rights.
- Incident management support: Specialized incident management and workflow support should be embedded in the SIEM product primarily to support the IT security organization. Products should provide integration with enterprise workflow systems, and should support ad hoc queries for incident investigation.
- User activity and data access monitoring: This capability establishes user and data context, and enables data access and activity monitoring. Functions include integration with identity and access management (IAM) infrastructure to obtain user context and the inclusion of user context in correlation, analytics and reporting. Data access monitoring includes monitoring of database management systems (DBMSs), and integration with file integrity monitoring (FIM) and data loss prevention (DLP) functions. DBMS monitoring can take three forms — parsing of DBMS audit logs, integration with third-party database activity monitoring (DAM) functions or embedded DAM functions. FIM can be provided by the SIEM product directly or through integration with third-party products.
- Application monitoring: The ability to parse activity streams from packaged applications enables application-layer monitoring for those components, and the ability to define and parse activity streams for custom applications enables application-layer monitoring for in-house-developed applications. Integration with packaged applications, an interface that allows customers to define log formats of unsupported event sources, and the inclusion of application and user context are important capabilities that enable the monitoring of application activities for application-layer attack detection, fraud detection and compliance reporting.
- Deployment and support simplicity: Deployment and support simplicity is achieved through a combination of embedded SIEM use-case knowledge, and a general design that minimizes deployment and support tasks. Embedded knowledge is delivered with predefined dashboard views, reports for specific monitoring tasks and regulatory requirements, a library of correlation rules for common monitoring scenarios, and event filters for common sources. There should also be an easy way to modify the predefined functions to meet the particular needs of an organization.
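The event normalization and taxonomy, real-time monitoring (correlation) and threat intelligence (watch list) capabilities listed above, together with the user-defined log format mentioned under data collection and application monitoring, are illustrated by the following added example. It is not part of the original research note and is not the code of any SIEM product. The seven log lines, the three source formats (sshd via syslog, a CEF-style firewall record and an in-house "payroll" application with a customer-defined key=value format), the category/action/outcome taxonomy, the watch list entry and the rule thresholds are all constructed assumptions.

```python
# Added example (not from the original research note or any SIEM product):
# normalize constructed log lines from three sources into one taxonomy, then
# correlate the normalized events and match them against a watch list.
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines: sshd via syslog, a CEF-style firewall deny, and an
# in-house "payroll" application whose key=value format is customer-defined.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z web01 sshd[1201]: Failed password for alice from 203.0.113.5 port 51000 ssh2",
    "2024-03-01T10:00:03Z web01 sshd[1201]: Failed password for alice from 203.0.113.5 port 51001 ssh2",
    "2024-03-01T10:00:05Z web01 sshd[1201]: Failed password for alice from 203.0.113.5 port 51002 ssh2",
    "2024-03-01T10:00:09Z web01 sshd[1203]: Accepted password for alice from 203.0.113.5 port 51003 ssh2",
    "2024-03-01T10:01:00Z fw01 CEF:0|ExampleFW|NGFW|1.0|deny|Connection denied|5|src=198.51.100.7 dst=10.0.0.12 dpt=445",
    "2024-03-01T10:02:00Z app01 payroll: user=bob action=export_report status=ok src_ip=192.0.2.44",
    "2024-03-01T10:02:30Z app01 payroll: user=bob action=login status=fail src_ip=198.51.100.7",
]

# Constructed watch list standing in for a threat-intelligence feed.
WATCHLIST = {"198.51.100.7": "known scanner (constructed entry)"}


@dataclass
class Event:
    """Normalized event; category/action/outcome form the assumed taxonomy."""
    ts: datetime
    host: str
    source_type: str
    category: str          # authentication | network | application
    action: str            # login | connection | <application action>
    outcome: str           # success | failure
    user: str = ""
    src_ip: str = ""
    dst_ip: str = ""


HEADER = re.compile(r"^(\S+) (\S+) (.*)$")   # timestamp host message
SSHD = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
# CEF header: CEF:0|vendor|product|version|signature id|name|severity|extension
CEF = re.compile(r"CEF:0\|[^|]*\|[^|]*\|[^|]*\|([^|]*)\|[^|]*\|\d+\|(.*)$")
APP = re.compile(r"payroll: (.*)$")          # customer-defined application format
KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Map one raw line to an Event, or None if no parser recognizes it."""
    m = HEADER.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:   # first token is not a timestamp: unsupported format
        return None
    host, msg = m.group(2), m.group(3)
    if s := SSHD.search(msg):
        outcome = "success" if s.group(1) == "Accepted" else "failure"
        return Event(ts, host, "sshd", "authentication", "login", outcome,
                     user=s.group(2), src_ip=s.group(3))
    if c := CEF.search(msg):
        ext = dict(KV.findall(c.group(2)))
        outcome = "failure" if c.group(1) == "deny" else "success"
        return Event(ts, host, "firewall", "network", "connection", outcome,
                     src_ip=ext.get("src", ""), dst_ip=ext.get("dst", ""))
    if a := APP.search(msg):
        ext = dict(KV.findall(a.group(1)))
        action = ext.get("action", "unknown")
        category = "authentication" if action == "login" else "application"
        outcome = "success" if ext.get("status") == "ok" else "failure"
        return Event(ts, host, "payroll-app", category, action, outcome,
                     user=ext.get("user", ""), src_ip=ext.get("src_ip", ""))
    return None


def normalize(lines):
    """Parse every line, drop unrecognized ones, and order by timestamp."""
    return sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Source-independent rules: watchlist_hit (source address on the watch
    list) and bruteforce_then_success (>= threshold authentication failures
    for one (user, src_ip) inside `window`, followed by a success)."""
    alerts = []
    failures = defaultdict(deque)   # (user, src_ip) -> recent failure timestamps
    for e in events:
        if e.src_ip in WATCHLIST:
            alerts.append({"rule": "watchlist_hit", "ts": e.ts, "host": e.host,
                           "src_ip": e.src_ip, "reason": WATCHLIST[e.src_ip]})
        if e.category != "authentication":
            continue
        q = failures[(e.user, e.src_ip)]
        while q and e.ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if e.outcome == "failure":
            q.append(e.ts)
        elif e.outcome == "success" and len(q) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "ts": e.ts,
                           "host": e.host, "user": e.user, "src_ip": e.src_ip,
                           "failures": len(q)})
            q.clear()
    return alerts
```

Running `correlate(normalize(SAMPLE_LOGS))` yields three alerts: the brute force followed by a successful login for alice from 203.0.113.5, and two watch-list hits for 198.51.100.7, one from the firewall and one from the payroll application. The point of the taxonomy is visible in the second rule: it keys on `category`, `user` and `src_ip` only, so the sshd failures and the payroll login failure are handled by the same rule even though their raw formats share nothing. Lines that no parser recognizes are dropped rather than raising, which is the case the text describes for unsupported sources; a production deployment would count and surface those so a silently unparsed source does not become a blind spot.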
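The behavior profiling capability described above (a learning phase that builds a profile of normal activity per entity, and a monitoring phase that alerts on deviations) is shown in this added example, which is not from the original note or any vendor implementation. The entities, their daily activity counts, the minimum history length, the 3-sigma threshold and the standard-deviation floor are constructed assumptions; the cold-start case of an entity with no history is included because it is the failure mode a profiling monitor has to handle explicitly.

```python
# Added example (not from the original research note or any vendor product):
# behavior profiling with a learning phase (baseline per entity) and a
# monitoring phase (alert on deviation), including the cold-start case.
from statistics import mean, pstdev

# Constructed history: records exported per day, per user, over 10 days.
TRAINING = {
    "alice": [40, 42, 38, 45, 41, 39, 44, 40, 43, 42],
    "bob": [5, 7, 6, 4, 8, 5, 6, 7, 5, 6],
}

# Constructed observations for the day being monitored. "carol" has no
# history, which is the cold-start case the monitor must handle.
OBSERVED = {"alice": 44, "bob": 60, "carol": 3}


def learn_baselines(training, min_samples=7):
    """Learning phase: summarize each entity's history as (mean, stdev).
    Entities with too little history get no profile rather than a noisy one."""
    return {entity: (mean(samples), pstdev(samples))
            for entity, samples in training.items()
            if len(samples) >= min_samples}


def score(value, baseline, floor=1.0):
    """Z-score of an observation. The stdev floor (an assumed value) keeps a
    near-constant history from turning every small change into an alert and
    avoids division by zero when the stdev is 0."""
    mu, sigma = baseline
    return (value - mu) / max(sigma, floor)


def monitor(observed, baselines, threshold=3.0):
    """Monitoring phase: an 'anomaly' alert per deviation beyond the
    threshold, and a 'no_baseline' notice for first-seen entities."""
    alerts = []
    for entity, value in observed.items():
        if entity not in baselines:
            alerts.append({"entity": entity, "kind": "no_baseline", "value": value})
            continue
        z = score(value, baselines[entity])
        if abs(z) >= threshold:
            alerts.append({"entity": entity, "kind": "anomaly",
                           "value": value, "z": round(z, 2)})
    return alerts


def update_training(training, observed, alerts):
    """Fold today's observations back into history so the profile keeps
    learning, but skip flagged anomalies so a spike is not learned as normal."""
    flagged = {a["entity"] for a in alerts if a["kind"] == "anomaly"}
    for entity, value in observed.items():
        if entity not in flagged:
            training.setdefault(entity, []).append(value)
    return training


if __name__ == "__main__":
    baselines = learn_baselines(TRAINING)
    for alert in monitor(OBSERVED, baselines):
        print(alert)
```

With the constructed data, bob's 60 exports score far above three standard deviations from a baseline of roughly six per day and are flagged, alice's 44 stays inside her profile, and carol produces a `no_baseline` notice rather than a false anomaly or a silent miss. Two caveats a practitioner would add: excluding flagged anomalies from the next learning pass stops a single spike from being absorbed, but activity raised slowly under the threshold will still drift the baseline upward, so profiles need periodic review against an independent reference; and a per-entity count is the simplest profile, so real deployments profile several dimensions (time of day, peer group, destination) and combine them with the rule-based correlation the text says profiling complements.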