I had someone representing Splunk reach out to me yesterday because I think they originally wanted to sell me their implementation services with regards to using Splunk as a SIEM. But SIEMs are something I’ve been involved with for at least 10 years, though they have evolved over time.
I’ve implemented ArcSight three times, Splunk once, LogRhythm once, and been involved with Industrial Defender (unfortunately). And, in all cases, I’ve found commonalities as well as some general rules of thumb.
First, let me say that, if there was only one piece of Security technology that I’d have to put into my environment, it would be a toss-up between Firewalls and a SIEM. Now, I know that people would automatically start saying “But Neil! Firewalls are essential in the IT environment!” True. They are an active piece of equipment that deals with security issues as they come up. But remember that a Firewall is pretty much a fancy router. It uses ACLs (albeit with much more capability) for protection and, if I didn’t have a Firewall, I could make do with a Router with properly applied ACLs.
But SIEMs? SIEMs deal with the sheer volume of logging throughout the environment. But, and here’s the catch and why the headline says that SIEMs are not a panacea:
If you don’t have logging turned on with your end devices or logging configured properly, the SIEM will do you no good.
There are a number of different vendors on the market and they all have good points and bad points but, at the end of the day, they all try to deliver the consolidation of logs and the analysis of what those logs contain. How well they deal with those activities, I’ll leave to others. But how they deliver these capabilities is very similar.
They pretty much all have a combination of agent-based and “proxy”-based collection points. Typically, an Agent will be placed on an end device if it is very verbose in its logging (e.g. Firewalls or AD domain controllers). A Proxy will be placed in a single place within a security zone and less verbose devices will send their logs to that Proxy device. The agent-based collectors will also send their logs to that Proxy device, and it is at the Proxy device that consolidation occurs.
Management of the various Proxy devices (and agents) is then done from a central console. The analysis typically runs at the central console, which provides reporting or near-real-time event analysis to the Security Analyst.
But, and here’s the rub: if all your devices don’t have logging turned on and configured correctly, and if you don’t have a clear picture of all your devices through an asset management solution (so you can verify that each device has logging turned on), how can you know whether the SIEM is giving you a clear picture of your environment? A device that never sends a log line is invisible to the SIEM, and the SIEM cannot tell you it is missing unless something else knows the device exists.
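The point above (logging must be turned on, and the asset inventory is what tells you whether it is) can be turned into a routine check. The following is an added example, not code from the original post or from any SIEM vendor: it reconciles a constructed asset-inventory export against a constructed SIEM log-source report and flags assets that are silent (no source at all), stale (a source exists but has gone quiet for more than a day), and SIEM sources that match nothing in the inventory. The CSV layouts, hostnames and addresses are all hypothetical sample data; real exports will need their own column mapping.

```python
"""Asset-vs-SIEM logging coverage check.

Added example (not from the original post). Compares an asset inventory against
the list of log sources the SIEM has actually received events from and reports
assets that are silent or stale. Both inputs are constructed sample data with a
hypothetical column layout.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed asset-management export (hypothetical format).
ASSET_INVENTORY_CSV = """hostname,ip,zone,device_type
fw-edge-01,10.0.0.1,dmz,firewall
dc-01,10.0.1.10,corp,domain_controller
web-01,10.0.2.20,dmz,web_server
db-01,10.0.3.30,corp,database
ws-0042,10.0.4.42,corp,workstation
"""

# Constructed SIEM log-source report (hypothetical format): one row per source
# the SIEM has indexed, with the timestamp of the most recent event it saw.
SIEM_SOURCES_CSV = """source,last_event_utc,events_24h
10.0.0.1,2024-04-12T09:55:00Z,184203
dc-01,2024-04-12T09:58:00Z,51877
web-01,2024-04-01T03:12:00Z,0
10.0.9.9,2024-04-12T09:50:00Z,12
"""

# A source that has not produced an event for this long is treated as stale.
STALE_AFTER = timedelta(hours=24)


def parse_assets(text):
    """Return the inventory as a list of dicts, one per asset."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_siem_sources(text):
    """Return {source_name_or_ip: last_event_datetime (UTC)}."""
    sources = {}
    for row in csv.DictReader(io.StringIO(text)):
        last = datetime.strptime(row["last_event_utc"], "%Y-%m-%dT%H:%M:%SZ")
        sources[row["source"]] = last.replace(tzinfo=timezone.utc)
    return sources


def coverage_report(assets, sources, now):
    """Classify every inventoried asset by what the SIEM has heard from it.

    SIEMs identify a source by hostname or by IP depending on the collector, so
    an asset is matched on either. Anything the SIEM knows that the inventory
    does not is reported separately: it is either an inventory gap or a device
    that should not be on the network.
    """
    report = {"silent": [], "stale": [], "healthy": [], "unknown_sources": []}
    matched = set()
    for asset in assets:
        key = next((c for c in (asset["hostname"], asset["ip"]) if c in sources), None)
        if key is None:
            report["silent"].append(asset["hostname"])
            continue
        matched.add(key)
        if now - sources[key] > STALE_AFTER:
            report["stale"].append(asset["hostname"])
        else:
            report["healthy"].append(asset["hostname"])
    report["unknown_sources"] = sorted(set(sources) - matched)
    return report


def run_sample():
    """Run the check over the constructed data at a fixed 'now'."""
    now = datetime(2024, 4, 12, 10, 0, tzinfo=timezone.utc)
    return coverage_report(parse_assets(ASSET_INVENTORY_CSV),
                           parse_siem_sources(SIEM_SOURCES_CSV), now)


if __name__ == "__main__":
    for category, hosts in run_sample().items():
        print(f"{category:16s} {', '.join(hosts) or '-'}")
```

The useful output is the "silent" and "stale" lists: those are the devices where logging is off, misconfigured, or pointed at the wrong collector, and no amount of correlation at the central console will surface them otherwise. Running this on a schedule against real exports gives the asset-management tie-in the post asks for.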
I’ve just scheduled a SIEM presentation for April 12 at 10:00am Pacific to talk about how SIEMs are architected as well as to have an open discussion on the attendees’ experiences with SIEMs. Please go to the Events Calendar to get the appropriate information. This event is open to the Public.