Tuesday, November 10, 2009

SIEM Bloggables

I was working on a presentation related to Security Information and Event Management (SIEM) the other day. Even though it was intended for a particular audience, a few pieces of it are generic enough to be shared with the world at large. Hopefully said world at large will find it useful for planning SIEM deployments, analyzing requirements, improving SIEM product design, etc.

So, in no particular order:

What a SIEM MUST Have Today

  1. Log and Context Data Collection
  2. Normalization (including event categorization)
  3. Correlation (what used to be bundled under “SEM”)
  4. Notification/alerting (“SEM”) [the role of real-time processing seems to be shrinking, as I predicted in 2004; that surprised everybody, including myself]
  5. Alert/event prioritization (“SEM”)
  6. Reporting (“SIM”) [including visualization]
  7. Security role workflow [from the security analyst to the incident responder (see my classic piece on using SIEM for incident response, BTW) to the security manager and – rarely! – the CSO]
  8. Everything else is icing on the cake!
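As an added example (not part of the original post or of any product it discusses), here is a toy pipeline in Python that walks items 1 through 5 of that list over a handful of constructed sshd log lines: parse and normalize the raw lines into a common schema with an event category, pull asset criticality from a made-up context table, run one correlation rule (several authentication failures followed by a success from the same source to the same host inside a time window), and assign a priority to the resulting alert. The hostnames, addresses, rule name and scoring weights are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the original post): an SSH
# brute-force that eventually succeeds on web01, plus benign noise elsewhere.
SAMPLE_LOGS = [
    "Nov 10 08:00:01 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51022 ssh2",
    "Nov 10 08:00:03 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51023 ssh2",
    "Nov 10 08:00:04 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51024 ssh2",
    "Nov 10 08:00:09 web01 sshd[2214]: Accepted password for root from 203.0.113.5 port 51030 ssh2",
    "Nov 10 08:01:00 db01 sshd[900]: Failed password for admin from 198.51.100.7 port 40001 ssh2",
    "Nov 10 08:01:02 db01 sshd[901]: Accepted password for admin from 198.51.100.7 port 40002 ssh2",
    "Nov 10 08:05:00 web01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Context data (assumed, not from the post): asset criticality per host.
ASSET_CONTEXT = {"web01": "medium", "db01": "high"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_AUTH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def normalize(line, year=2009):
    """Collection + normalization: one raw line -> common schema with a category.

    Returns None for lines the parser does not understand (a real SIEM would
    keep those as raw events rather than drop them).
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"], "proc": m["proc"], "raw": line,
        "category": "other", "user": None, "src": None,
    }
    auth = SSH_AUTH_RE.match(m["msg"]) if m["proc"] == "sshd" else None
    if auth:
        event["user"], event["src"] = auth["user"], auth["src"]
        event["category"] = (
            "auth.failure" if auth["outcome"] == "Failed" else "auth.success"
        )
    return event


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: >= threshold auth failures, then a success, from the
    same source to the same host, all inside the time window."""
    alerts = []
    recent_failures = defaultdict(list)  # (host, src) -> failure timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["src"])
        if ev["category"] == "auth.failure":
            recent_failures[key].append(ev["ts"])
        elif ev["category"] == "auth.success":
            # expire failures that fall outside the window before counting
            hits = [t for t in recent_failures[key] if ev["ts"] - t <= window]
            if len(hits) >= threshold:
                alerts.append({
                    "rule": "brute_force_then_success",  # assumed rule name
                    "ts": ev["ts"], "host": ev["host"], "src": ev["src"],
                    "user": ev["user"], "failures": len(hits),
                })
            recent_failures[key] = []  # reset so one attack fires once


    return alerts


def prioritize(alert, context=ASSET_CONTEXT):
    """Prioritization: rule severity, bumped by asset criticality and account."""
    score = {"brute_force_then_success": 7}.get(alert["rule"], 3)  # assumed weights
    score += {"high": 3, "medium": 1}.get(context.get(alert["host"], "low"), 0)
    if alert["user"] == "root":
        score += 1
    return min(score, 10)


def run_pipeline(lines, threshold=3):
    """Collection -> normalization -> correlation -> prioritization."""
    events = [e for e in (normalize(l) for l in lines) if e is not None]
    alerts = correlate(events, threshold)
    for alert in alerts:
        alert["priority"] = prioritize(alert)
    return events, sorted(alerts, key=lambda a: a["priority"], reverse=True)


if __name__ == "__main__":
    events, alerts = run_pipeline(SAMPLE_LOGS)
    print(f"{len(events)} events normalized")
    for a in alerts:  # the notification/alerting step, reduced to a print
        print(f"P{a['priority']} {a['rule']}: {a['src']} -> {a['user']}@{a['host']} "
              f"after {a['failures']} failures at {a['ts']:%H:%M:%S}")
```

The single failure followed by a success on db01 stays below the threshold and produces no alert, which is the point of correlating rather than alerting on every failed login; the web01 sequence fires once, and the context lookup plus the root account push its priority to 9 out of 10. This is also the shape of the “automated SOC” use case below: the rule and the context table do the watching, and the analyst only looks when something fires.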

Key SIEM Use Cases

  1. Security Operations Center (SOC): real-time views, analysts online 24/7, chase alerts as they “pop up” [this was the original SIEM use case when SIM started in the 1990s; nowadays it is relegated to the largest organizations only]
  2. Mini-SOC / “morning after”: delayed views (“the analyst comes in the morning”), analysts online 1-3 hours a day rather than 24/7, review alerts and reports, then drill down as needed
  3. “Automated SOC” / alert + investigate: configure the SIEM to alert on rules and forget about it until an alert fires, investigate the alerts, review reports weekly/monthly [this is the use case that many users want and few SIEM products can deliver…]
  4. Compliance status reporting: review reports/views weekly/monthly, with no security operations focus [this may be common; hopefully the organization can later transition to one of use cases 1-3]

Two Types of Users To Make Happy – with SIEM or Log Management

Compliance-driven users:

•Still evolving from “logs are dirt” to raw collection
•Pure compliance focus – “deliver me from evil… eh… auditors”
•Collecting logs
•Checkbox mentality
•Less mature; needs more hand-holding

Security-driven users:

•Evolved to “so we have them collected – now what?”; now stuck
•“Compliance+” or pure security/operational focus
•Using logs (analysis)
•Situational awareness mentality
•More mature; needs more “cool tools”


Dr Anton Chuvakin