Increasing security breaches, regulatory compliance, targeted attacks driven by financial motivation and an increasing globalization of business that rely upon internet services is driving the need for security information and event management (SIEM) capabilities.

SIEM technologies provide near-real time situational awareness to support efficient incident response and long-term data storage for the purposes of trending, historical analysis and to support regulatory compliance concerns.

Security Event Management
Security Event Management (SEM) provides situational awareness of an IT environment. SEM tools collect data from security and networking device sources, like firewalls, IDS, IPS, routers, and switches, OS logs, application logs, and host-based security products. This data is aggregated, correlated, and analyzed to provide an organization with operationally useful and actionable data.

Anyone who has attempted to correlate firewall and IDS log data, let alone tried to pull out relevant information from one of these log types, understands that manually managing security events is a losing game. Implementing a centralized syslog server and then developing a script to parse through and identify the relevant data is often how companies begin their SEM activities. However they will quickly run into scalability, storage and tool maintenance issues that will limit the value of this approach over time. Requirements for security event management have evolved to include multiple data sources beyond the traditional firewall and IDS combination-making manual or homegrown solutions incapable of providing abilities for effective event management and incident response.

Managed security service providers have gained wide acceptance over the past 5 years providing not only event management but also device management capabilities.

Organizations faced with limited internal resources, or limited security knowledge is the primary consumer of MSSP offering. However, large organizations can also gain significant value from an MSSP solution, however the complexity of the environment means that the additional, and potentially significant, cost of responding to incidents will still need to be borne by the organization itself.

SEM vendors provide an attractive, although in most cases an expensive, alternative to the homegrown solution or the service provider. Most product vendors that offer SEM capabilities also offer SIM capabilities providing multiple functions for the event data they collect. SIEM tool vendors are deployed in large geographically dispersed organizations in all major verticals including government, financial, healthcare, retail and manufacturing.

Any organization regardless of their size will benefit from implementing a SEM strategy. However, the value of the data output is dependent on the data sources being collected as well as the organizations ability to respond to an identified event. SEM tools and services will not prevent an incident from occurring nor will it automatically react to stop the majority of events that do occur. Organizations still need to create incident response teams that are available to deal with a security breach.

Security Information Management
Security information management aims to collect, aggregate, and correlate similar data as is used for event management. This data is used for the purposes of historical analysis, and long-term trending in support of improving an organization’s security posture through increasing efficiencies and effectiveness.

Regulatory compliance, such as Sarbanes-Oxley (SoX), Graham-Leach Bliley Act (GLBA), Payment Card Industries (PCI), and Heath Insurance Portability and Accountability Act (HIPAA), are also driving greater adoption of these tools. Auditors and in some cases the regulations themselves are looking for the auditing and monitoring of various aspects of the IT environment. SIM technologies can provide a foundation for meeting regulatory compliance issues.

Regulatory compliance is not just focused on North American or European based companies. Increased globalization, business process outsourcing (BPO) and use of offshore resources are creating new compliance concerns for companies providing these services throughout the world.

An average IT environment can easily generate several hundred thousand to over a million events per day from all data sources; this data is then collected and stored, sometimes in raw log format. This capability requires extensive backend storage capabilities, but more importantly the indexing of this information for reporting purposes is one of the reasons the SIEM tool vendors have gained a lot of market penetration in the last several years.

North American MSSP’s have started to offer SIM capabilities, with the long-term storage, and maintenance provided by the MSSP facilities. Information management capabilities will be offered by MSSPs globally throughout the next 2-3 years.

SIEM Deployment Options
Organizations that require both event and information management capabilities can look to three main methods for accomplishing these functions within their organization.

nIn-house - A full-featured SIEM product is deployed, administered and maintained internally. The majority of tools on the market provide security event and information management capabilities and the security group provides the resources to maintain the tools and perform the monitoring and reporting functions.

nMSSP - a security service provider provides all or most aspects of a security event and information management. The service provider maintains the monitoring and alerting capabilities, as well as the data acquisition and archiving capabilities for compliance reporting.

nBlended approach. - An organization has one aspect of SIEM deployed internally and the other outsourced. For example an organization may use an MSSP for security event management, but internally support security information management functions such as security information analysis, reporting, policy compliance investigation, data storage and archive.

The majority of large and mid-tier organizations will use a blended approach. Regardless of the approach taken by an organization, in today's increasingly connected and hostile Internet environment all organizations will see benefit to implementing security information and event management capabilities.



Amrit Williams, CISSP, CISM, Research Director, Information Security and Risk, Gartner, Inc.