Monday, March 01, 2010

The Myth of SIEM as “An Analyst-in-the-box” or How NOT to Pick a SIEM-II?

In response to one of my previous SIEM posts (“I Want to Buy Correlation” or How NOT to Pick a SIEM?”), one of my readers grabbed onto my analogy (“correlation engine as engine, SIEM with content as car”) and said:

“They want a Security Analyst in a Box, because once you deliver the engine in a car, they realize they don't want to drive either”

This is, sadly, very true, despite the deep and obvious ridiculousness of such sentiment.

So, WTF? Did anybody sell you a tiny teeny security analyst stuck up in one of those 1U SIEM appliances you can buy at Walmart nowadays – or at least from your friendly neighborhood VAR? Where did this come from and what we can do about it?

Well, one thing we can do is simply say: if a Security Information and Event Management vendor came to you and said “this little box will manage your security” and you believed it, you need to have your head examined. But just saying this wouldn’t be funny enough for this blog! Noooooo…

So, instead, I came up with 7 reasons why SIEM is NOT “an analyst in the box”:

  1. SIEM requires the buttons to be pressed, and analyst presses those buttons. See? There is a difference.
  2. Imagine the best SIEM out there with the best correlation engine, the best rules, the best interface, etc [it is also the most expensive…] Now imagine the dumbest person ever to be tasked with event analysis. Well, they are about equally intelligent [*].
  3. Despite what you might think, log analysis (and, definitely, security monitoring in general) is a pretty subjective “art.” Boxes don’t do art well, humans do.
  4. Modern SIEM products have some “value out of the box”: report, stock rules, knowledge bases, etc. And, indeed, a vendor system engineer can even schedule the reports and set the rules for you – before leaving. However, do you have anybody who actually understands the information coming out of the product? Well, that’s the analyst, and he ain’t in the box. You have to hire him or her! (or have a consultant help you :-))
  5. In addition to art, log management often involves politics: can we get those logs? Can we get the context needed for analysis (e.g who owns that system … eh…in addition to RBN that 0wns it, that is :-)). Just like art, boxes don’t do politics well, humans do.
  6. Think of a good SIEM as a robot defender [assuming that you turned on automated response, oh the Adventurous One]. Do you see the military switching from human soldiers completely to robots? Exactly! SIEM + analyst = security defense. SIEM alone = gun rusting in the trench.
  7. Analysts needs to be fed, SIEM can survive on just the diet of logs.

Thus, if you expect a security information and event management system to “be an analyst in the box”, stop expecting it. If you don’t want or can’t run a SIEM, don’t buy it (look here to see whether you are ready) or don’t download it. In other words, SIEM requires ongoing commitment to keep delivering value: no commitment – no value, it is that SIEMple.

BTW, I am thinking of writing a whole mammoth paper on picking the right SIEM. My dear vendor friends reading this blog, wonna sponsor it?

[*] I have seen some data mining algorithm mimic – and actually rival! – the performance of a junior security analyst. Sadly, they were build for a home-grown SIEM, now defunct… Oh, the lore of civilizations long gone :-)

Possible related posts:

Dr Anton Chuvakin