SIEM: An Epitaph Blog Post

Wednesday, September 14, 2011

John Linkous


Born 2000. Died 2011.

It is with some sadness that today we announce the death of SIEM. Born to a fanfare of promises at the dawn of the information economy as we now know it, SIEM was lauded as a tool that would protect an increasing volume of data from prying eyes and ne'er-do-wells - both on the inside and the outside.

It tried its best, but nobody could have predicted what was to come.

  • SIEM promised security professionals the opportunity to collect security data from across their network; to provide a consolidated and unified view of their security position. Yet, Advanced Persistent Threats with no common signature or vector now strike indiscriminately at the hearts of organizations like Sony, the International Monetary Fund, Epsilon, Sega, Sony (again) and the CIA. SIEM doesn't even provide the visibility to quickly identify the mode, vector or target of an attack even when an organization knows it is coming!
  • SIEM promised to enable ALL security data to be collated via a single console. Yet, breach detection still requires teams of people to sit inside darkened rooms with a multitude of printed reports, in order to manually cross-check data in an attempt to identify anomalies. The average response time for a breach currently stands at 18 days!
  • SIEM promised to equip security professionals at large organizations to identify breaches quickly and enable them to take action. It delivered for a while, when attacks were signature-based or attacks exploited known vulnerabilities, but in a world of advanced, persistent cyber- and insider-based threats it offers no visibility into attacks exploiting misconfigured or badly secured networks.

And we're not alone. Sixty-five percent of the senior security professionals we asked said that they weren't confident that their SIEM tools would provide them with the protection they needed.

These days modern information security requires far more than just log and event data - it requires the ability to collect and analyze ALL network security data, in real-time.

SIEM leaves a legacy on which information security can build. There will be a collection - all security data is welcomed.

As for what we, and an increasing number of businesses, Government agencies and security professionals believe the solution is... you'll have to wait for our next post for that!!

Cross-posted from The Situational Room

Matthijs R. Koot

Perhaps related, perhaps not: DigiNotar was using RSA enVision SIEM [1]. SIEM can't compensate for incompetence.

[1] See p7/8 (Dutch)
Chris Blask

Hi Michael. You seem to be saying: RIP SIEM, Long Live SIM!

"These days modern information security requires far more than just log and event data - it requires the ability to collect and analyze ALL network security data, in real-time."

Whoever said that SIEM was just about log and event data (oh, that's right, LogLogic et al)? If I understand the root of your beef you are at least in part calling out my old nemesis: "E". That damn E draws the eye like a crash on the side of the highway until you drive right into the pile-up. If, similarly, the car industry was called the "Automotive and Carburetor Industry", we would likely never have invented fuel injection.

GM: "Well, it's largely about carburetors, so let's focus 50% of our efforts on the fuel jets."

I will use the (damn) SIEM term as long as the industry compels me to, but Security Information Management is the art of gathering far more than just log and event data - it includes the ability to collect and analyze ALL network security data, in real-time (why does that sound familiar? ;~).

Telemetry has little value without context; one hand (regardless of the collection rate of hands) can't clap. A box of parts may have all the recognized components of what we call "Car", but that doesn't qualify it for the Indy 500.

This may be, hopefully, the wake for E but it is still just the baby shower for SIM.
Chris Blask

Oh, John: I call everyone Michael. Just FYI... ;~)
nathan ouellette

SIEM is frequently sold (and rightfully so) as a solution to help aggregate data. That's fact. However, this blog fails to touch upon the most common cause of SIEM failures. What IT and security staff tend to underestimate is the fact that it takes knowledge and planning to make the deployment really work. The solution is a means to an end. But those means are 100% predicated upon the project stakeholders feeding it the correct information and understanding the output. That is hardly the job (or fault) of the technology. In fact, the sheer amount of evidence presented regarding SIEM deployment failures overwhelmingly points to project/process failures, not tool or "SIEM" failures as a solution. Perhaps it's time to focus less on the technology bells and whistles of many point SIEM solutions and stress to the potential buyers that this is a marathon, not a sprint. Chances are every stakeholder involved in the project will have their eyes opened to many aspects of their own operations that they never quite understood before. Perhaps this survey/blog/conclusion is really highlighting the fact that SIEM stakeholders are beating on a bunch of hollow logs but they don't like the number of snakes that are popping their heads out. So why not blame the technology? That seems to be the easier scapegoat.
Chris Blask

@Nathan - The issue is not with SIEM as a technology, as you say, but with SIEM deployments on average.

This is in part due to the user and in part the vendor. More than silly users or obtuse vendors, though, it is simply an evolutionary issue. Even John in this article acknowledges what is today the primary focus of infosec, and it is Security Information Management by any name:

"These days modern information security requires far more than just log and event data - it requires the ability to collect and analyze ALL network security data, in real-time."

As always, vendors carry the responsibility to make things consumable by users, so if someone needs to find "blame" they can lay that in our laps. As a community SIEM vendors indeed have *not* yet produced products which are finely tuned to the varied needs of users, products which dock cleanly into standardized machined sockets of technology and human process. Often we ask more of many of our users than they are capable of digesting. There is no "dodge" to clear us; this is our responsibility. But the reality of the evolutionary stage is what it is. The broadening base of SIEM users attests that we are having success at smoothing the edges of our products, and that the meme-pool of related expertise is getting wider and deeper in userspace. Future versions of our products ("AlienVault" as well as our esteemed competition) will without doubt be more off-the-shelf for a broader range of expertise.

This Epitaph is an honest echo of the view of SIM in 2002. At that point we were trying to position our new product (Protego MARS) as Security Threat Mitigation (STM), because "SIM" had gotten such a bad name.

But it was still just Security Information Management.

Today SIM products are more intelligent and easier to use than the ugly SIM of 2002. Every security management conversation I have (and I talk a lot, don't sit next to me on a plane) I find the other party to have a better foundation of understanding than in previous years. The curve of history seems to have SIM ("SIEM", #$&%...) on its back and the future is easily forecastable.

Maybe John's frustration with SIEM is a resonant tone, but all that will mean is that we will rename SIEM again (vote "SIM"! ;~). Even the author of such a critical piece has to acknowledge that Visibility is the key to present and future security.

Either you know what you have and what it is doing or you don't. If you don't (and if that is Not OK), then SIEM by any other name will smell as sweet.