Thanks to Gordon Moore, most technophiles believe that processing power doubles every 18 months. A similar growth pattern is evident in the world of security. Over the years, for instance, standalone firewalls and VPNs have given way to unified threat management (UTM) devices, centralized tools that protect the network perimeter. More recently, security experts have hailed the revolution in traditional security event management tools, now better known as security information and event management (SIEM) tools.
This revelation occurred in a 2005 report from market research firm Gartner. Its report indicated that SIEM tools mix two different functionalities: security information management (SIM) and security event management (SEM). These technologies work together to make networks more secure by making sense of log data to determine when security events have occurred, then generating security metrics to reduce the expense of regulatory compliance and security reporting. There’s no better way to secure a network.
How it works
Essentially, like Sherlock Holmes and Dr. Watson of fictional crimefighting fame, SIEM is a one-two punch against malware and hackers that begins with the SEM component. The primary goal of this functionality is to improve the time-to-resolution of security incidents. SEM provides the ability to process near-real-time data from security devices and systems to determine when security events have occurred. As a result, it provides real-time analysis of security data and helps IT security operations personnel be more effective in discovering and managing security events.
Benefits
Generally, the super-duo approach of SIEM reaps multiple benefits for users and user organizations alike. First, of course, is the fact that SIEM tools transform disparate security data into security intelligence, empowering network administrators to use the information to take action and make networks safer every day. Because they keep logs of previous security incidents, the tools also streamline high-tech forensics investigations, shortening the time it takes to recover from an attack.
With information and event management incorporated in one tool, SIEM eliminates the need to purchase additional software and integrate it with your installed base of network security solutions. Many SIEM solutions also work across platforms, further simplifying deployment. Easy and affordable: now that's a solution worthy of attention.
Process alignment
In principle, SIEM tools are easy to understand. In practice, however, one of the hardest aspects of utilizing this technology is figuring out how to get the most from it. Deploying the technology with a network-centric view captures high-level network information from firewalls, routing tables, and other security devices on the network. This top-level information may provide insight into major security breaches, but could gloss over security leaks inside the network itself.
For a more comprehensive view, many users choose to set their SIEM tools to monitor data from authentication systems, application logs, operating system logs, and identity and access management tools. Taking this approach enables security administrators to gain greater knowledge about what users are doing in the network environment in reference to specific applications and servers. It also provides executive-level reporting in support of compliance efforts.
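The two paragraphs above (the SEM component turning near-real-time device data into detected security events, and feeding the tool authentication, application and OS logs rather than only perimeter data) can be illustrated with a small pipeline. The following is an added example, not code from the article or from any SIEM product: it normalizes three constructed, differently formatted log sources (a firewall deny line, sshd-style authentication lines, and an application audit line) into one event schema, runs a classic correlation rule (an accepted login preceded by several failures from the same address inside a sliding window), and tallies per-source metrics of the kind a compliance report draws on. The log lines, hostnames, addresses and the rule thresholds are all made up for the example.

```python
"""Toy SIEM pipeline: normalize heterogeneous log lines into one event
schema, correlate them in near real time, and emit security metrics.
Added example; the sample logs and rule parameters are constructed."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in three vendor-style formats (not captured
# from any real system). Timestamps are ISO-8601 for brevity.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 fw01 DENY src=203.0.113.5 dst=10.0.0.7 dport=23",
    "2024-03-01T10:00:10 srv1 sshd[1201]: Failed password for admin from 203.0.113.5 port 51234 ssh2",
    "2024-03-01T10:00:14 srv1 sshd[1201]: Failed password for admin from 203.0.113.5 port 51235 ssh2",
    "2024-03-01T10:00:19 srv1 sshd[1201]: Failed password for admin from 203.0.113.5 port 51236 ssh2",
    "2024-03-01T10:00:25 srv1 sshd[1202]: Accepted password for admin from 203.0.113.5 port 51237 ssh2",
    "2024-03-01T10:01:00 app1 payroll: user=admin action=export_report status=ok",
    "2024-03-01T10:05:00 srv1 sshd[1300]: Failed password for bob from 198.51.100.9 port 40000 ssh2",
    "2024-03-01T10:05:30 srv1 sshd[1301]: Accepted password for bob from 198.51.100.9 port 40001 ssh2",
]

# One regex per log source; each maps raw text onto the common event schema
# (ts, host, source, action, and where present user and src).
PARSERS = [
    ("firewall", re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DENY|ALLOW) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$")),
    ("auth", re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<action>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+")),
    ("app", re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>\w+): user=(?P<user>\S+) action=(?P<action>\w+) status=(?P<status>\w+)$")),
]


def normalize(line):
    """Return a normalized event dict, or None for an unrecognised line."""
    for source, rx in PARSERS:
        m = rx.match(line)
        if m:
            ev = m.groupdict()
            ev["source"] = source
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev.setdefault("user", None)
            ev.setdefault("src", None)
            return ev
    return None


class BruteForceCorrelator:
    """Flag an accepted login preceded by >= threshold failures from the same
    source address within `window` (a typical SIEM correlation rule)."""

    def __init__(self, threshold=3, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # src address -> failure timestamps

    def feed(self, ev):
        """Process one normalized event; return an alert dict or None."""
        if ev["source"] != "auth":
            return None
        q = self.failures[ev["src"]]
        # Evict failures that have fallen out of the sliding window.
        while q and ev["ts"] - q[0] > self.window:
            q.popleft()
        if ev["action"] == "Failed":
            q.append(ev["ts"])
            return None
        if ev["action"] == "Accepted" and len(q) >= self.threshold:
            alert = {"rule": "brute_force_success", "src": ev["src"],
                     "user": ev["user"], "failures": len(q), "ts": ev["ts"]}
            q.clear()
            return alert
        return None


def run_pipeline(lines):
    """Normalize, correlate and count; returns (alerts, metrics)."""
    correlator = BruteForceCorrelator()
    alerts = []
    metrics = Counter()
    for line in lines:
        ev = normalize(line)
        if ev is None:
            metrics["unparsed"] += 1  # unparsed lines are themselves a metric worth watching
            continue
        metrics[f"{ev['source']}:{ev['action']}"] += 1
        alert = correlator.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts, dict(metrics)


if __name__ == "__main__":
    found_alerts, found_metrics = run_pipeline(SAMPLE_LOGS)
    for a in found_alerts:
        print("ALERT", a)
    print("METRICS", found_metrics)
```

On the constructed input the firewall deny alone says little, but the authentication log reveals three failed logins followed by a success from the same address, which the correlator raises as a single alert; the later two-line sequence for `bob` stays below the threshold and is only counted. That is the point the article makes about the network-centric view versus ingesting host and application logs.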
Challenges
The benefits of SIEM do not materialize immediately. Gartner experts say successful SIEM deployments require extensive predeployment planning. According to these experts, organizations that do not properly plan or limit the initial scope will experience a higher likelihood of project failures, excessive cost expenditures, and results that do not meet expectations.
Also important to consider is the scope of what a SIEM tool can provide. For example, if you are looking to eliminate security risks altogether, SIEM tools are not appropriate. The intended purpose of these tools is to provide data that allows for more efficient response times during incidents—not to preempt incidents. Furthermore, while SIEM will not make organizations compliant by itself, the tools can provide an overall foundation to assist network administrators in meeting regulatory compliance requirements.
Check Point approach
Two products from Check Point Software Technologies work together to offer powerful and easy-to-use SIEM solutions that provide immediate value out of the box: Eventia Analyzer and Eventia Reporter. These applications are optimized for integration into a Check Point environment and also support a full range of heterogeneous devices. Like Holmes and Watson cleaning up London, they work together to make networks a safer place for users and customers.