If you believe deploying SIEM (Security Information and Event Management) with your perimeter security is an effective defense against the ever-growing threats facing your corporate network then read on, or you may learn the truth the hard way.
SIEM was born of SIM (Security Information Management). SIM was the result of a period of massive corporate malfeasance in the early days of the 21st century. Enron, Worldcom and others were the primary motivators of Sarbanes-Oxley, a new regulatory regime that drove compliance officers to deploy SIM as a means of providing evidence that their financial control policies were in place and enforced.
As with most accounting-focused initiatives, it was rearward-facing. The compliance model driving SIM delivered on weekly, monthly, quarterly and annual reporting requirements, which ultimately captured past incidents.
As SIM became commonplace in publicly traded companies (think ArcSight), some people thought that there was a security play for SIM. And just like that, SIEM was invented as a new security product category.
The need to manage security logs wasn’t something new. In the early days of IDS (remember ISS RealSecure?), there was quite a bit of excitement. IDS systems were rapidly deployed. By the early 2000s, they were commonplace. But the IDS systems created a new problem: they generated enormous amounts of data in the form of logs and alerts. Unfortunately, in the real world of signature-based detection (the core brain of most IDS systems), there are a lot of false positives. IDS systems had real limitations in their ability to produce black-and-white results. They produce lots of gray. Gray is a problem. Gray is noise. And noise means extra work.
The response to this noise was to outsource IDS logs to a third party. Companies couldn’t justify having resources sift through the massive logs in search of threats. By this time, a market called Managed Security Service Providers (MSSP) was already in flight. This market was created because firewall management had become quite difficult.
Firewalls like Check Point's were powerful but required some skill to manage effectively. These skills were in short supply (just as security skill remains in short supply to this day). So MSSPs stepped up to concentrate the talent around a model that supported many corporate networks. It was valuable, and so the MSSP market grew. The IDS noise problem was something MSSPs were ready and willing to help solve. However, managing IDS logs and alerts requires a different approach than a change-control firewall policy service.
Moving the noise generated by IDS systems to “expert” MSSPs solved one problem (or at least gave the perception of solving one problem): “We have smart people looking for threats in our IDS logs.”
But the honest, often unheard truth is that relying on logs ultimately leaves you incapable of taking the appropriate action, because the noise can’t become a signal without better context.
No matter how long you stare at an IDS log event, it won’t become any more informative. The same is true for the vast majority of security log events. But let’s put that primary flaw in log-based security aside for a moment.
Today we have powerful security devices, like NGFW, IPS/IDS, endpoint and everything in-between deployed with watered-down policies that compromise the efficacy of the perimeter. And even using the word perimeter is a bit of a joke today with the mobility of endpoints.
I think Amit Yoran, the CEO of RSA Security, stated the problem beautifully in his 2015 RSA keynote titled “Escaping Security’s Dark Ages” when he said:
“Nonetheless, many security professionals base their programs on the futile aggregation of telemetry from these virtually blind IDSes, AV platforms, and firewall logs, implementing the glorious and increasingly useless money-pit, known as the SIEM. I know it didn’t surprise many of you when last year’s Verizon Data Breach Investigations Report asserted that less than one percent of successful advanced threat attacks were spotted by SIEM systems. Less than 1%. The terrain has changed but we’re still clinging to our old maps. It’s time to realize that things are different.”
Relying exclusively on a SIEM to identify and manage threats is reckless; it’s an accounting “rear-view mirror” perspective that can only inform you of known threats, based solely on the insights gleaned from perimeter defences, which are essentially useless when it comes to new and innovative attacks. And without additional context, you can't distinguish an actual threat from a mundane false positive.
It’s only going to get harder to protect your networks. You have to embrace the reality that your perimeter and endpoint security products, no matter how powerful, will ultimately fail when dealing with anything other than yesterday’s attacks. The security game has shifted from prevention to detection. The new game plan demands not just an effective perimeter defence to block background radiation, but also requires continuous monitoring that doesn’t rely on a SIEM for its visibility into threats.
Security is hard. But it can be a lot easier if you focus on managing threats effectively and stop worrying about who’s pretending to deliver security by staring at your logs.