
Running head: ENTERPRISE SIEM UTILIZATION

Enterprise Use of Security Information and Event Management Software
Bruce W. Barnes III
Class: ITEC 626
University of Maryland University College
1 May 2016

Abstract

This paper analyzes and justifies the use of security information and event management (SIEM) software. SIEM software provides real-time monitoring of events, correlation of audit logs and notification of incidents to the appropriate personnel. Large enterprises would benefit greatly from procuring SIEM software, as the correlation the SIEM assembles saves resources when researching potential incidents. Performing all the actions required to respond to an incident or to actively monitor for possible intrusions would require several full-time employees in a large organization; the right SIEM software accomplishes this easily. Although expensive, a SIEM is a worthwhile investment in the defense of an enterprise network and is fully justifiable when compared with performing all of these duties manually. In addition, it meets regulatory compliance requirements such as Sarbanes-Oxley, the Risk Management Framework or the Health Information Accountability and Portability Act. It also assists in the identification of incidents and in post-incident event management, so that lessons learned can be implemented.

Keywords: SIEM, RMF, enterprise software, business case, SOX

Enterprise Use of Security Information and Event Management Software

In this day and age of persistent threats and advanced malware, there is an increasing need for automated tools to assist in the defense and posture of networks. These tools range from the simple to the advanced. One of the most advanced tools available for commercial use today is Security Information and Event Management (SIEM) software. SIEM is software that “combines security information management and security event management functions into one security management system” (Rouse, 2014). SIEM software greatly enhances the cybersecurity of an enterprise, helps with post-incident event management and meets regulatory compliance requirements. These three uses are strong reasons to procure SIEM software for an enterprise, and compared to performing these actions manually a SIEM is also more cost effective. For all these reasons, an appropriately configured SIEM should be part of the network tools a business enterprise network maintains.

SIEM

What is SIEM and Examples

Security Information and Event Management software, or SIEM, is software that correlates log information from various sources and uses that information to create actionable data in real time. As stated above, SIEM is a combination of both security information management and security event management. Security Information Management (SIM) is the collection of data and log files into a central location for analysis (Security Information Management, 2016). The central location or console is then monitored by a trained professional who responds to alerts. SIM is typically done on hosts, such as computers, servers, routers and switches. Security Event Management (SEM) is “concerned with the ‘real time’ activities of network perimeter devices, like firewalls, proxy server, VPN, IDS etc.” (ZOHO Corp, 2007). It may also include some correlation and dashboards. SIEM, being the combination of SIM and SEM, can be done by a single tool or by multiple tools. The objective of SIEM is to help companies respond to incidents rapidly and make sense of the growing amount of logs (Detken, Rix, Kleiner, Hellmann, & Renners, 2015).

Prior to SIEM, logs were stored in many places. The Domain Controller had the audit logs for logons, the Exchange server had the email sent and receive logs, the SNMP viewer had packet loss information, the proxy had IP-to-website access and the firewall had blocked access attempts. As one can see, in the event of an incident it would be difficult to track down all the relevant information. Then came syslog servers, which allowed all these devices to push their logs to a single repository and perhaps perform some data normalization and alerting. This was a great step, but then what does one do with that information? This is where SIEM comes along and performs real-time data analysis to do more than alert: it actually makes administrators aware of a problem when it occurs.

A few SIEM software solutions have risen to the top as leaders according to the Gartner SIEM 2015 Magic Quadrant (Figure 1). The leaders are those that match the general market requirements, show superior vision for anticipated requirements, strong customer support and a high market share. These include IBM Security QRadar, HP ArcSight, Splunk Enterprise and Cloud, and Intel Security’s McAfee Enterprise Security Manager (Kavanagh & Rochford, 2015). As one can see, the marketplace is quite competitive, with 13 vendors that made the cutoff criteria for the Gartner report.

Figure 1. The 2016 magic quadrant from Gartner comparing the competitors in the SIEM market against each other based upon

Enterprise Use and Requirements

In a business enterprise network, a decision may be made about the necessity or requirement of having SIEM software on the network. A review of the requirements of the business and a comparison against the SIEM solutions on the market is the best approach. The three primary reasons to have SIEM software are cyber security, log management and regulatory compliance. Many companies procure a SIEM “to address regulatory compliance,” but then use it to assist their cyber security posture (Kavanagh & Rochford, 2015).

Cybersecurity. 67% of a pool of 234 large companies stated that a SIEM solution was procured or used for the “detection of security threats in real-time and better security threat awareness” (Netwrix, 2016). SIEM solutions offer this capability out of the box, and it is a major reason for procuring them. Good cyber security is what prevents headlines such as “Billion Dollar Bangladesh Hack” and “Ugly data breach hits ‘exclusive’ Beautiful People dating site.”

A significant portion of the capabilities of SIEM is to provide threat detection and prevention.

Log Correlation. As mentioned above, a form of log correlation already exists in the form of a syslog server. How, then, is a SIEM solution different from a syslog server? Fortunately, Solarwinds has a comparison chart (see Table 1) that shows how their SIEM solution compares to a standard syslog server (Solarwinds, n.d.). As one can see, the Solarwinds SIEM solution performs all the functions of a standard syslog server, but also provides dashboards, prebuilt filters, real-time filters and data normalization from varying sources.

The idea behind this log correlation is to bundle the events and information into fewer and more manageable alerts. For example, say a user plugs in a thumb drive, remotely logs on to another computer, installs software on the remote computer, transfers data and removes the thumb drive. A good SIEM product should be able to take all that information, bundle it together and immediately notify the administrators that a security incident has occurred. In a typical syslog environment, one may look at the logs daily and see that computer 5525 had a USB drive plugged in for 5 minutes and that user ChrisX remoted into another PC. The SIEM takes the network, user and PC information and consolidates it into an event that is now actionable. What may have been missed before is now easier to see, and what may have resulted in 5 alerts may now give one or two, and provide better information.

SIEM log correlation is the backbone of this solution. Effective log correlation also assists in other activities, like tracking bandwidth usage, peak usage times, trends and uptime. Having all this information in one location expedites the recovery time from both security incidents and general issue and contingency response.
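The thumb-drive scenario above, written out as a small normalize-then-correlate rule in Python. This is an added illustration, not code from the paper or from any SIEM vendor; the three log formats, the host names, the Windows 4624/logon-type-10 mapping for the remote logon, and the 30-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample lines (not real logs) from three sources, each in its
# own format: an endpoint agent, the domain controller and a file server.
RAW_LOGS = [
    "2016-04-12T09:01:10 endpoint host=PC5525 user=ChrisX action=usb_insert dev=SanDisk",
    "2016-04-12T09:02:30 dc EventID=4624 LogonType=10 user=ChrisX src=PC5525 dst=PC5530",
    "2016-04-12T09:03:05 endpoint host=PC5530 user=ChrisX action=software_install pkg=ftpclient",
    "2016-04-12T09:04:40 fileserver user=ChrisX host=PC5530 action=copy bytes=734003200 dst=PC5525",
    "2016-04-12T09:06:00 endpoint host=PC5525 user=ChrisX action=usb_remove dev=SanDisk",
    "2016-04-12T14:30:00 endpoint host=PC1010 user=Alice action=usb_insert dev=Kingston",
]

# The steps the paper describes, in order; all must occur for one user
# inside WINDOW (an assumed 30 minutes) before a single alert is raised.
SEQUENCE = ["usb_insert", "remote_logon", "software_install", "copy", "usb_remove"]
WINDOW = timedelta(minutes=30)


def normalize(line):
    """Map one raw line from any source onto a common event schema."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    event = {"ts": datetime.fromisoformat(ts), "source": source,
             "user": fields.get("user"), "host": fields.get("host")}
    if source == "dc":
        # Windows event 4624 with logon type 10 is a RemoteInteractive (RDP) logon.
        rdp = fields.get("EventID") == "4624" and fields.get("LogonType") == "10"
        event["action"] = "remote_logon" if rdp else "logon"
        event["host"] = fields.get("dst")   # the machine that was logged on to
    else:
        event["action"] = fields["action"]
    return event


def correlate(lines):
    """Return one alert per completed sequence instead of one per raw event."""
    events = sorted((normalize(l) for l in lines), key=lambda e: e["ts"])
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        chain, idx = [], 0
        for e in evs:
            if chain and e["ts"] - chain[0]["ts"] > WINDOW:
                chain, idx = [], 0          # partial chain went stale: start over
            if e["action"] == SEQUENCE[idx]:
                chain.append(e)
                idx += 1
            if idx == len(SEQUENCE):
                alerts.append({"user": user, "start": chain[0]["ts"], "end": chain[-1]["ts"],
                               "hosts": sorted({c["host"] for c in chain}), "evidence": chain})
                chain, idx = [], 0
    return alerts


if __name__ == "__main__":
    for a in correlate(RAW_LOGS):
        print(f"ALERT {a['user']} {a['start']}..{a['end']} hosts={a['hosts']} "
              f"({len(a['evidence'])} events bundled)")
```

Six raw events from three sources collapse into one alert for ChrisX carrying all five pieces of evidence, while Alice's lone USB insertion, which would be a separate line in a daily syslog review, raises nothing on its own.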

Regulatory Compliance. A 2016 survey by Netwrix stated that streamlined compliance reporting was a key driver for 50% of respondents. There are multiple compliance requirements, including the Health Information Accountability and Portability Act, the Sarbanes-Oxley Act, the Federal Information System Management Act and the Payment Card Industry standard. Most include some form of requirement for maintaining logs to verify data integrity. As McAfee’s white paper on log management states, “log management has traditionally been the neglected stepchild of information security” (McAfee, 2013). With an appropriate SIEM solution, the regulatory requirements can be met with minimal effort.

The commercial sector is subject to a federal law called the Sarbanes-Oxley Act (SOX) that “establish[es] verifiable security controls to protect against disclosure of confidential data, and tracking of personnel to detect data tampering that may be fraud related” (Correlog, 2011). The two main sections related to log analysis are sections 302 and 404, which detail these requirements. SOX requires protections against tampering with data and the ability to be verified by independent auditors. These requirements mean that one must maintain logs that can verify any changes in data or information. SOCVue is EiQ’s SIEM solution and has a handy chart for SOX compliance, including the critical security control of maintenance, monitoring and analysis of audit logs, which it meets (EiQ, n.d.). Another SIEM competitor, Correlog, has a white paper detailing how they meet SOX requirements: specifically by timestamping all data as received, tracking user access to PCs, a high throughput rate, continuous monitoring, requiring minimal training, and testing network and file integrity periodically (Correlog, 2011).

The federal sector includes a recently developed risk management framework (RMF) developed by the National Institute of Standards and Technology (NIST). This framework is mandated for use in all federal information systems. The idea is that security controls should only be implemented if they are right for the system. In the past, a system that could fire warheads was held to very similar standards as a map kiosk at a hospital. Because of this, an extensive review to understand the system and the enterprise is required.

In the category of Audit Review, Analysis and Reporting, control AU-6 stipulates that “the organization employs automated mechanisms to integrate audit review, analysis and reporting processes to support organizational processes for investigation and response to suspicious activities” (Joint Task Force Transformation Initiative, 2013, pp. F-45). It also stipulates being able to review and analyze logs on demand after the fact. Outside the controls, the risk management framework requires organizations to continuously monitor and evaluate changes in the system.

These regulatory requirements under RMF essentially mandate the use of SIEM software for government systems. The one caveat to the automation is that it is only required when the system processes data that is categorized as moderate or high. This means that if a system does not process financial records, personnel records, contingency planning or other such data, then a SIEM may not be required. The United States Army, Air Force and the Defense Information Systems Agency have all procured various SIEM software, including EiQ SecureVue, for regulatory compliance (EiQ, n.d.). The end aim is to meet the regulatory requirements for continuous monitoring per NIST Special Publication 800-53.

Cost Analysis

According to ComputerWeekly, only 32% of those surveyed have a SIEM installed, and the key factors for purchasing are price and features. A respondent also stated that “unless fully integrated and deployed, it’s basically a log manager” (Ashford, 2013). An efficiency survey came to the conclusion that the total cost of ownership is a main concern when procuring a SIEM (Netwrix, 2016).

SIEMs are expensive for small and some medium business enterprises. At an IEEE conference in Warsaw, methods were showcased for using SIEM with open source tools that would reduce the costs enough to be viable for small and medium business enterprises (Detken, Rix, Kleiner, Hellmann, & Renners, 2015). Table 2 includes a price comparison of various SIEM providers that had their pricing information readily available on their company’s website. For a 500 user company, the average annual price for a SIEM is approximately $50,458.75.

Table 2
SIEM Solution Price Comparison

SIEM Solution       Price      Details
Solarwinds          $40,035    500 Nodes
Splunk              $57,000    50 GB/day (1)
IBM QRadar SIEM     $55,800    Unknown
HP ArcSight         $49,000    500 PCs and 40 Network (1)

Note. (1) Could not identify limits on this price, but it was in a comparable price range as the others.

System Administrators in the United States make on average $65,273 (Glassdoor, 2015). A simple check: if the requirement and compliance reporting would require hiring an additional System Administrator, it is cost beneficial to procure a SIEM solution, e.g. $65k versus $50k. The System Administrator salary is also not fully burdened, in that it doesn’t include support and benefits for the position. It also doesn’t address the total cost of ownership, including training, time saved, and deployment and installation.

From my experience, most training courses run about $5,000. Adding this to the SIEM column brings the cost edge closer, but still in favor of a SIEM.

A typical incident may require two to six hours to research and identify the root cause. At 12 incidents a year and $50/hour, that is $2,400. One point that should be considered is that a SIEM may prevent a certain number of incidents. If we assume a 50% reduction, we are looking at a $1,200 savings for the SIEM. In addition, with a SIEM we may also see another 50% reduction in research time, revealing another $600 in savings.

Annual regulatory compliance reporting should also be considered. At $50/hour, a savings of a man-week can save $2,000 over manually finding and compiling a report. The reason this is possible is that regulatory compliance reporting is a main feature of SIEM products. One just needs to ensure it is among the product features prior to procurement.

When all these numbers are added together, a System Administrator would still cost $65,000 per year. The SIEM solution comes in at $51,200, making it a clear winner.

In the event a business was not looking to hire an additional employee to take on these roles, we are still looking at a potential 80 hours’ worth of time saved. It must also be considered that although a SIEM solution might not produce a return on investment in every situation, it does reduce risk overall. What is the value in avoiding a news headline about a company data breach?

Conclusion

Security Information and Event Management software is software that performs the real-time, continuous monitoring and log correlation required to meet regulatory compliance, increase cyber security posture and expedite post-incident management.

SIEM solutions all perform some form of log correlation and centralization. This is critical for most businesses.

SIEM solutions also greatly support auditing and regulatory requirements. Whether it is the Sarbanes-Oxley Act, the Federal Information System Management Act, the Risk Management Framework, the Health Information Accountability and Portability Act, or even the Payment Card Industry standards, a SIEM satisfies the requirements for auditing.

As shown, SIEM software is also cost beneficial to a medium sized business that is comparing hiring an additional System Administrator with the annual cost of a SIEM.

References

Ashford, W. (2013, January 28). IT security purchasing intentions 2013 - Europe. Retrieved from nd-Event-ManagementSIEM-technology

Correlog. (2011). SOX-compliance. Retrieved from Correlog.com: pdf

Detken, K., Rix, T., Kleiner, C., Hellmann, B., & Renners, L. (2015). SIEM approach for a higher level of IT security in enterprise networks. 8th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems. Warsaw.

EiQ. (n.d.). SecureVue security intelligence platform. Retrieved from erview

Glassdoor. (2015, November 4). Salary: System administrator. Retrieved from s-system-administrator-salarySRCH_IL.0,2_IN1_KO3,23.htm

Gosier, G. F. (2009). Analyzing malware log data to support security information and event management: Some research results. Advances in Databases, First International Conference, 108-113. DA.2009.26

Joint Task Force Transformation Initiative. (2013, April). Security and privacy controls for federal information systems and organizations (SP 800-53). Retrieved from cations/NIST.SP.800-53r4.pdf

Kavanagh, K., & Rochford, O. (2015, July 20). Magic Quadrant for security information and event management. Retrieved from Gartner: https://www.gartner.com/doc/reprints?id=12JM104C&ct=150720&st=sb

Logrhythm, Inc. (2015, October 21). Critical capabilities use cases for security information and event management. Retrieved from 917356 20.html

McAfee. (2013). Log management - The foundation for federal security and compliance. Retrieved from McAfee White Paper - Log e-papers/wp-log-management.pdf

NetForensics. (2009). Essential practices for achieving security compliance management. Retrieved from s/Whitepapers/WPnFXSCM.pdf

NetForensics. (2010). SIEM in the cloud: Cost-effective solutions for taking control of data overload and scaling security. Retrieved from s/Whitepapers/nfxCloud.pdf

Netwrix. (2016). 2016 SIEM efficiency survey. Retrieved from tml

Nicolette, M. a. (2011, May 12). Magic Quadrant for security information and event management. Retrieved from Jameskaskade.com: anagement.pdf

Rouse, M. (2014, December). What is security information and event management. Retrieved from TechTarget:

Security Information Management. (2016). Security information management. Retrieved from Wikipedia: https://en.wikipedia.org/wiki/Security_information_management

Solarwinds. (n.d.). Comparing SolarWinds Log & Event Manager to Kiwi Syslog Server. Retrieved from Solarwinds.com: slem.aspx

ZOHO Corp. (2007). Analyzing logs for security information event management - whitepaper. Retrieved from df

Tables

Table 1
Feature Comparison between Syslog and SIEM

Use Case                                                                              Syslog    Log and Event Manager
Consolidates log events across multiple systems
Filtered views based on event criteria
Long term log archival and search
Real-time dashboard with visualizations
Consolidates log events across Syslog, SNMP, flat log files, databases
Filter log events on multiple criteria
Real-time log and environment information filters
Over 700 rules, alerts, filters & reports for security & compliance best practices
USB detection & prevention
Cost                                                                                  $295      $4,495
