Ever hear the phrase “Choking on data, starving for information”? I credit my exposure to this phrase to a meeting I had with my new Vice President as a fresh-out-of-college employee. He displayed a massive spreadsheet of business data and pointed out how, over time, management grows numb to large quantities of generic numbers. He then switched to a single bar chart that summarized those same numbers with attractive colors and easy-to-read upper and lower limits. His next statement, “Now this is information!”, created a perspective I embrace daily: data becomes valuable to an organization only once it is turned into information.
Meaningful information is a challenge for any department, organization, or compliance program. When management commits large sums of capital to a security or compliance program, they want to see the return on that investment as attractive, meaningful information. This is where a SIEM (Security Information and Event Management) solution can help reconcile an organization’s appetite for information with the harsh quantities of raw event data it collects. “We have no need for a SIEM,” you say? Well, let’s take a quick look at some data.
A typical Windows 8 user login generates six (6) Windows Security events in less than a second, not counting access to network resources such as mapped printers and network drives. Now multiply that rate by each station on your network (let’s say 100 workstations) during a peak working hour (8am to 9am). If every station kept producing events at that pace, that is 2,160,000 events in one hour (6 events x 60 seconds x 60 minutes x 100 workstations)! Now you can start to imagine how quickly your organization can be choking on data. Factor in security appliances (firewalls, VPNs, proxies, IDS/IPSs) and your ability to analyze the data goes from excruciating to borderline impossible. Furthermore, what happens in the event of an unauthorized or unsanctioned security event? Did you get an alert? How do you correlate events from multiple devices scattered across your network? How does your organization take this massive amount of data and turn it into meaningful information? Do you have a single dashboard to view and categorize it?

Enter the SIEM. A SIEM can be an appliance (server), customized software, or a vendor service that combines the collection of log data with designated events or alerts from multiple data sources. It silently listens to collection sources such as services, workstations, servers, firewalls, IPS/IDS, etc. for event data, which can consist of almost any record generated by applications, security controls, and hardware. With a SIEM, data is analyzed and correlated in real time, displayed via a dashboard, acted upon via scripts or alerts, and stored for compliance or historical reference.
Using the 2,160,000 event example above, let’s say you wanted to know how many failed logins occurred this morning across all of your 100 stations. You also want to know whether any of those failures came from your outside VPN IP address range. A SIEM would take these events, correlate them with all of your other data sources (firewalls, IPS/IDS, Active Directory), and generate a dashboard showing every failed login during that time frame, related to the VPN logins that were active at the time. You can then filter the data down to a single event or follow the entire communication chain: outside IP address, VPN address, permitted/denied firewall sessions, SSO, or the authenticating workstation. With a SIEM, you can even trigger actions such as banning the IP address/range, sending an email/text alert, sandboxing, or executing customized scripts. The catch is that cross-source correlation is only as good as its inputs: clocks must be synchronized and source addresses logged consistently, or the VPN session and the failed login will never line up.
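The correlation described above, failed Windows logons during the 8am to 9am window joined to the VPN session that held the source address at that moment, reduces to a few lines of logic once the events are normalized. The following is an added example, not code from the original article or from any SIEM product. Windows Security event ID 4625 (“An account failed to log on”) and 4624 (successful logon) are the real event IDs; the record layouts, host names, user names, addresses, and the VPN pool 10.200.0.0/24 are all constructed for illustration. The time bound on the session lookup matters because VPN pool addresses are reused, so the same pool IP can belong to two different people in one day.

```python
"""Correlate Windows failed-logon events with VPN session records.

Added example, not from the original article or any SIEM vendor. Event ID
4625 / 4624 are real Windows Security event IDs; every record below is
constructed sample data with a simplified, hypothetical field layout.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed Windows Security events, already normalized to dicts. A real
# collector would parse these out of the Security event log.
WINDOWS_EVENTS = [
    {"time": "2014-03-10 08:02:11", "host": "WS-017", "event_id": 4625, "user": "jsmith",     "src_ip": "10.200.0.14"},
    {"time": "2014-03-10 08:02:19", "host": "WS-017", "event_id": 4625, "user": "jsmith",     "src_ip": "10.200.0.14"},
    {"time": "2014-03-10 08:02:26", "host": "WS-017", "event_id": 4625, "user": "jsmith",     "src_ip": "10.200.0.14"},
    {"time": "2014-03-10 08:02:40", "host": "WS-017", "event_id": 4624, "user": "jsmith",     "src_ip": "10.200.0.14"},
    {"time": "2014-03-10 08:15:03", "host": "WS-042", "event_id": 4625, "user": "bjones",     "src_ip": "10.0.5.42"},
    {"time": "2014-03-10 08:31:55", "host": "FS-01",  "event_id": 4625, "user": "admin",      "src_ip": "10.200.0.77"},
    {"time": "2014-03-10 08:32:01", "host": "FS-01",  "event_id": 4625, "user": "admin",      "src_ip": "10.200.0.77"},
    {"time": "2014-03-10 08:32:07", "host": "FS-01",  "event_id": 4625, "user": "admin",      "src_ip": "10.200.0.77"},
    {"time": "2014-03-10 08:32:13", "host": "FS-01",  "event_id": 4625, "user": "admin",      "src_ip": "10.200.0.77"},
    {"time": "2014-03-10 08:50:30", "host": "WS-009", "event_id": 4625, "user": "svc_backup", "src_ip": "10.200.0.201"},
    {"time": "2014-03-10 09:40:00", "host": "WS-003", "event_id": 4625, "user": "kdoe",       "src_ip": "10.200.0.14"},
]

# Constructed VPN concentrator session records: who held which pool address,
# from which outside (public) address, and for how long.
VPN_SESSIONS = [
    {"start": "2014-03-10 07:58:00", "end": "2014-03-10 09:05:00", "vpn_user": "jsmith",      "assigned_ip": "10.200.0.14", "outside_ip": "198.51.100.23"},
    {"start": "2014-03-10 08:30:10", "end": "2014-03-10 08:45:00", "vpn_user": "contractor1", "assigned_ip": "10.200.0.77", "outside_ip": "203.0.113.9"},
    {"start": "2014-03-10 09:30:00", "end": "2014-03-10 10:00:00", "vpn_user": "kdoe",        "assigned_ip": "10.200.0.14", "outside_ip": "198.51.100.88"},
]

VPN_POOL = ipaddress.ip_network("10.200.0.0/24")   # assumed VPN address pool
FAILED_LOGON = 4625                                 # "An account failed to log on"


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def failed_logons(events, start, end):
    """Event 4625 records whose timestamp falls in [start, end)."""
    lo, hi = _ts(start), _ts(end)
    return [e for e in events
            if e["event_id"] == FAILED_LOGON and lo <= _ts(e["time"]) < hi]


def vpn_session_for(sessions, ip, when):
    """The VPN session that held pool address `ip` at time `when`, or None.

    Pool addresses are reused, so matching on the address alone would
    attribute a failure to whoever held the IP most recently; the time
    bound is what makes the join correct."""
    t = _ts(when)
    for s in sessions:
        if s["assigned_ip"] == ip and _ts(s["start"]) <= t < _ts(s["end"]):
            return s
    return None


def correlate_vpn_failures(events, sessions, pool, start, end):
    """Group in-window failed logons sourced from the VPN pool by
    (outside IP, VPN user). LAN-sourced failures are skipped; pool
    addresses with no matching session are filed under "unknown"
    rather than dropped, because that gap is itself worth a look."""
    groups = defaultdict(list)
    for e in failed_logons(events, start, end):
        if ipaddress.ip_address(e["src_ip"]) not in pool:
            continue
        s = vpn_session_for(sessions, e["src_ip"], e["time"])
        key = (s["outside_ip"], s["vpn_user"]) if s else ("unknown", "unknown")
        groups[key].append(e)
    return groups


def alerts(groups, threshold=3):
    """Sources with at least `threshold` failures, as (outside_ip, vpn_user, count).
    This is the list a SIEM would hand to a block or notify action."""
    return sorted((ip, user, len(evs)) for (ip, user), evs in groups.items()
                  if len(evs) >= threshold)


if __name__ == "__main__":
    window = ("2014-03-10 08:00:00", "2014-03-10 09:00:00")
    groups = correlate_vpn_failures(WINDOWS_EVENTS, VPN_SESSIONS, VPN_POOL, *window)
    for (ip, user), evs in groups.items():
        targets = sorted({(e["host"], e["user"]) for e in evs})
        print(f"{ip} ({user}): {len(evs)} failed logons against {targets}")
    print("alerts:", alerts(groups))
```

Run as written, the 08:00 to 09:00 window yields three jsmith failures from 198.51.100.23, four failures against the FS-01 admin account from 203.0.113.9 (the contractor1 session), and one failure from a pool address with no session on record; the bjones failure on the LAN and the 09:40 kdoe failure fall outside the question and are excluded. Note that the 09:40 event comes from the same pool address as jsmith's morning session but resolves to kdoe, which is exactly the reuse case the time-bounded lookup exists for.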
From a compliance perspective, you can create customized dashboards, reports, or correlations to categorize and display all relevant data in conjunction with your compliance program. A SIEM can serve as compliance evidence and as a change management historian. Some SIEMs, such as McAfee’s ESM (Nitro), contain prebuilt compliance views for NERC CIP, PCI, SOX, HIPAA, ISO 27002, FISMA, and others. These dashboards/views drastically reduce information gathering and the manpower required during those stressful audit times.
Vulnerability assessment data can also be imported into a SIEM. Results from popular vulnerability scanners (think Rapid7’s Nexpose or Tenable’s Nessus) and from Metasploit Pro can be imported directly. With scan data in the SIEM, you can easily set up automated scans, imports, and dashboards for those critical Electronic Security Perimeter devices and remote access servers. In a defense-in-depth program, these intermediary devices are the critical gateways to a facility’s operations or an organization’s intellectual property.
In short, a SIEM can drastically reduce man hours, monitoring costs, forensic data gathering, and compliance fines by giving you a single view across the vast majority of your infrastructure. This transformation of incomprehensible data into meaningful information will not only keep you from choking, it will also satisfy your appetite for information.
Special thanks to Roy Solis, who contributed to this article.