SIEM in the Age of Digital Transformation
May 26, 2016. Featured article by Dr. Partha Bhattacharya, Chief Technology Officer at AccelOps
As digital transformation and the Internet of Things (IoT) gain momentum, enterprises will be exposed to new forms of incoming data and external connections that can potentially create pinholes in existing network security environments. Meanwhile, network and security operations teams are struggling to gain visibility into the landscape while attempting to manage and secure any number of moving endpoints and analyze trends and anomalies in real time – a monumental challenge, to say the least.
In the first of a two-part series, we examine the current SIEM market and factors to consider before selecting a SIEM solution for your network.
SIEM Solution Capabilities
Network and security operation teams are using multiple monitoring programs to handle these technology shifts. Each program has its own unique user interface, programmed to monitor one appliance or another. This trend has also introduced a variety of Security Information and Event Management (SIEM) vendors in the past several years.
There are many factors to consider when comparing SIEM solutions, particularly when faced with the proliferation of virtual networks into today’s enterprise environments. There are many claims made by these SIEM vendors today. However, when you take a closer look, or worse, install the solution and train your staff, you may find that your SIEM solution is not providing you with the capabilities you need in your current or future environment.
Look closely at key capabilities before deciding on and installing any SIEM solution. Explore all the variables and limitations of each product to help you determine the best solution for your environment. Finally, be sure to include both network and security ops teams in the decision to ensure key stakeholders’ needs are considered. Doing so will result in a consolidated, comprehensive approach that will encourage these key teams to work together in the future.
Scalability and Architecture
SIEM solutions must be flexible, scalable and cloud-ready to meet your current needs and set you up for success in the future, regardless of what your network environment looks like. IT teams must be able to discover and identify any device connecting to the network in real time, a tall order in today’s dynamic environment. Below are a few of the key benefits of a virtual appliance over a hardware-based solution:
– Multi-tenant design to handle overlapping IP addresses and reporting domains
– Flexible form factors that support modular components through a single, seamless platform
– Cloud-ready to support environments such as AWS and Azure
– Ability to scale log collection and parsing without falling behind
– Ability to scale, search and report with real-time correlation of event data points
– Hardened operating system to facilitate upgrades
Deploy, Manage and Administrate Easily
To ensure a rapid time to value, IT personnel need solutions that are easy to deploy, manage and administrate. It is imperative that the solution provides cross-correlation of network and security operation analytics to ensure a holistic view of the organization. When comparing solutions, consider these key points:
– Easy software upgrade with no downtime and event loss
– Ability to immediately patch critical OS vulnerabilities
– Tiered access controls to support multiple admin levels and the data each user can see
– Secure user authentication via external credentials or two-factor authentication
– Web-based GUI that provides all analytics from a single user interface. Some leading solutions require users to switch between three or more separate GUIs to see the entire landscape.
– Full audit trail of user activity
Event Data Collection in Real Time
Solutions that offer high-volume log ingestion with minimal delay or loss meet current best practices. Identify solutions that can consume and analyze high volumes of log data, from both current devices and future sources of log data. Be aware that some leading solutions max out at 5K events per second (EPS) per log manager and only allocate 2K EPS to the event manager. Key elements include:
– A real-time audit trail for IP addresses, user identity, physical and geo-location to develop a time-based network identity to user identity mapping by combining information from DHCP, domain controller, VPN, WLAN logs etc.
– The ability to parse a log into any number of attributes. Solutions that store parsed data in a NoSQL database, as opposed to a fixed relational database schema, allow users to create a new attribute on demand more easily.
– A distributed collector architecture that is load-balanced for data collection to ensure peaks in log data aren’t being lost due to a single collector’s limitations
– The ability to identify asset and device context through a discovery engine that collects configuration, hardware, installed software, running processes, patches and network topology in real time
– A collection system that captures application-contextual information for triaging security issues
– Agentless log collection whenever possible, and the ability to identify performance issues associated with IoT endpoints such as CPU and memory utilization changes
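The time-based network-identity-to-user-identity mapping described in the first item above, as an added example written for this article (not AccelOps product code). It assumes constructed DHCP and domain-controller log formats and shows why the mapping must be time-based: one IP maps to different users, and to no user, at different moments.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from any real system).
DHCP_LOG = ["2016-05-20T08:00:00 DHCPACK 10.1.1.20 aa:bb:cc:dd:ee:01 lease=3600",
            "2016-05-20T08:45:00 DHCPACK 10.1.1.20 aa:bb:cc:dd:ee:02 lease=3600"]
DC_LOG = ["2016-05-20T08:05:00 LOGON user=alice src=10.1.1.20",
          "2016-05-20T09:00:00 LOGON user=bob src=10.1.1.20"]

@dataclass
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime
    user: "str | None" = None            # from a domain-controller logon, if seen
    user_since: "datetime | None" = None

def lease_at(leases, ip, when):
    # The lease that held `ip` at `when`, or None if the IP was unassigned then.
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease
    return None

def build_identity_map(dhcp_lines, dc_lines):
    """Turn DHCPACK lines into leases, then bind LOGON events to the active lease."""
    leases = []
    for line in dhcp_lines:
        ts, _, ip, mac, lease_kv = line.split()
        start = datetime.fromisoformat(ts)
        end = start + timedelta(seconds=int(lease_kv.split("=")[1]))
        for prev in leases:  # a new DHCPACK for the same IP ends the old lease early
            if prev.ip == ip and prev.start < start < prev.end:
                prev.end = start
        leases.append(Lease(ip, mac, start, end))
    for line in dc_lines:
        ts, _, user_kv, src_kv = line.split()
        when = datetime.fromisoformat(ts)
        lease = lease_at(leases, src_kv.split("=")[1], when)
        if lease is not None:  # a logon from an unleased IP stays unattributed
            lease.user, lease.user_since = user_kv.split("=")[1], when
    return leases

def who_had(leases, ip, when):
    """(MAC, user) behind `ip` at `when`; user is None until its logon was seen."""
    when = datetime.fromisoformat(when)
    lease = lease_at(leases, ip, when)
    if lease is None:
        return None
    return (lease.mac, lease.user if lease.user_since and lease.user_since <= when else None)
```

A real deployment would add VPN and WLAN sources the same way and keep the lease table in the SIEM's store rather than in memory, but the lookup logic is the same.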
Monitoring in Real Time
To increase remediation speeds, it’s critical to have the ability to rapidly detect issues. Some solutions claim to offer real-time monitoring, but they make the process complex and, ultimately, incomplete. Some current providers, for instance, have Web GUIs that only work with the Event Manager database. Other noteworthy capabilities to consider are:
– Scalable alerts on complex event patterns in real time, including all events from any log source
– Ability to search events in real time in a streaming mode from one GUI
– Ability to search historical events through SQL-like queries and Boolean filter conditions
– Discovery of CMDB objects and user/identity and location in searches and rules that do not have to be manually defined
– Seamless searching of events across organizations, which is especially important for Ops teams that manage multiple networks and for MSPs
– Dynamic watch lists that track critical violators and then use them in rules
– Scalable analytics and incident prioritization via Business Service
– A Business Service Dashboard that shows the impact of security, availability and performance issues
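The dynamic watch list item above (critical violators tracked and then reused in rules), as an added example written for this article rather than code from any SIEM product. It assumes a constructed login-event format and time-ordered input: a first rule places a source on the watch list after repeated failures, a second rule uses that list, and entries age out after a TTL.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                   # failures from one source ...
FAIL_WINDOW = timedelta(seconds=60)  # ... within this window put it on the watch list
WATCH_TTL = timedelta(minutes=30)    # how long a source stays watch-listed

# Constructed sample events (not from any real device), in time order.
AUTH_LOG = [
    "2016-05-20T10:00:01 LOGIN fail user=root src=203.0.113.7",
    "2016-05-20T10:00:02 LOGIN fail user=admin src=203.0.113.7",
    "2016-05-20T10:00:03 LOGIN fail user=root src=203.0.113.7",
    "2016-05-20T10:00:04 LOGIN fail user=test src=203.0.113.7",
    "2016-05-20T10:00:05 LOGIN fail user=root src=203.0.113.7",
    "2016-05-20T10:00:09 LOGIN fail user=carol src=198.51.100.9",
    "2016-05-20T10:00:30 LOGIN success user=alice src=203.0.113.7",
    "2016-05-20T10:00:40 LOGIN success user=carol src=198.51.100.9",
    "2016-05-20T11:00:00 LOGIN success user=alice src=203.0.113.7",
]

def parse(line):
    ts, _, outcome, user_kv, src_kv = line.split()
    return {"ts": datetime.fromisoformat(ts), "outcome": outcome,
            "user": user_kv.split("=")[1], "src": src_kv.split("=")[1]}

class Correlator:
    def __init__(self):
        self.fails = defaultdict(deque)  # src -> timestamps of recent failures
        self.watch = {}                  # src -> expiry: the dynamic watch list

    def process(self, ev):
        """Consume one event; return the alerts it triggers (often none)."""
        ts, src, alerts = ev["ts"], ev["src"], []
        for ip in [ip for ip, exp in self.watch.items() if exp <= ts]:
            del self.watch[ip]           # watch-list entry aged out
        if ev["outcome"] == "fail":
            window = self.fails[src]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:  # keep only the last 60 s
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and src not in self.watch:
                self.watch[src] = ts + WATCH_TTL
                alerts.append(("brute_force_source", src))
        elif ev["outcome"] == "success" and src in self.watch:
            alerts.append(("success_after_brute_force", src, ev["user"]))
        return alerts

def run(lines):
    c = Correlator()
    return [a for line in lines for a in c.process(parse(line))]
```

The success from 203.0.113.7 at 11:00 produces no alert because the entry expired, which is the behaviour a watch list needs so that a one-off incident does not flag a source forever.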
In the second of this two-part series, we’ll take a look at what it means to have cybersecurity through visibility, as well as how advanced threat detection, threat intelligence integration and other elements can spell success or disaster for your SIEM strategy.
About the author:
Dr. Partha Bhattacharya is co-founder, chief technology officer and vice president of engineering at AccelOps. He has more than 20 years of experience in networking, security, database, system architecture and software development. Before AccelOps, he founded Protego Networks, where as CTO he created the award-winning MARS security appliance product line. After Protego’s acquisition by Cisco Systems, he led the Cisco team that extended the product’s capabilities to satisfy a global market. Before Protego, Partha was architect and technical lead at Cisco in charge of implementing the company’s security management infrastructure in the PIX, IOS, firewall, VPN, router and IDS products. Partha holds 15 patents and is the recipient of two IBM Outstanding Innovation Awards and a fellowship from the University of Maryland Systems Research Center. He holds a Ph.D. in electrical engineering from the University of Maryland.