Security information and event management (SIEM) systems can be valuable in any organisation's IT department. These systems not only help with compliance processes, but can also aid in day-to-day security operations.
SIEM systems ease compliance processes
It's safe to say that compliance is not a universally popular topic among IT organisations. Many view compliance processes as burdens that take up significant manpower and interfere with the way business is normally done, while producing minimal benefits.
This negative perception of compliance is often revealed in the way organisations select and implement compliance systems. In many enterprises, the main factors for selection are that the systems fulfil just the minimum requirements and have the lowest possible initial cost.
While this approach offers low capital expenditure, compliance and reporting systems can also be used to improve business processes and produce immediate business, cost and security benefits.
Selecting a product for strategic rather than tactical reasons can help not only those responsible for security and compliance, but also provide benefits for other parts of an organisation.
Logging and SIEM system specifics
Logging is a key component of compliance and streamlines the whole process by providing a clear audit trail of what has happened on every system.
While there are many options available for system logging, arguably the most efficient choice for those concerned with compliance is to implement a SIEM system, or to upgrade an existing one.
SIEM systems are an amalgam of SEM (security event management) and SIM (security information management). A SEM centralises the storage and interpretation of logs, and allows near real-time analysis, which enables security personnel to take defensive actions more quickly. A SIM collects data into a central repository for trend analysis, and provides automated reporting for compliance and centralised reporting.
By bringing those functions together, SIEM systems provide quicker identification and analysis of, and recovery from, security events. They also allow compliance managers to confirm they are fulfilling an organisation's legal compliance requirements.
There are benefits to other areas of business as well:
Improved productivity: SIEM systems allow trained security staff to move from unproductive, repetitive log file analysis to a more proactive role in the organisation. By analysing and correlating event logs from multiple devices, staff members are able to identify problems more easily. SIEM systems also provide a clear audit trail of events for compliance purposes.
Better handling of security breaches: IT staff can use SIEM systems to produce rapid responses to security breach attempts as well as swift resolution of any problems. Consequently, SIEM systems minimise the cost of breaches and associated analysis and remediation, and from a compliance standpoint, offer clear processes for dealing with problems.
Optimisation of business processes: SIEM systems can provide an excellent overview of business processes and the use of business assets. This can allow organisations to make cost savings where assets are under-used, for example.
Business reporting: IT staff can use SIEM systems for reporting and analysis on a wide range of activity that can benefit several areas of an organisation, including the security team, IT management, finance, human resources and operations. Such information ranges from trend analysis to real-time and historical analysis of activity patterns.
This reporting can be categorised in two ways. The first is asset identification, utilisation and grouping. This type of reporting allows IT departments to group servers by operating system and ignore, for example, Unix-specific attacks aimed at Windows hosts, and vice versa. Such suppression is only as safe as the asset inventory behind it, so the inventory has to be kept current, and alerts against hosts the SIEM cannot classify should still be raised.
The second categorisation covers authentication and access information. These features identify any unusual activities, such as out-of-hours access to core systems.
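As an added illustration, not code from the article or from any of the vendors named in it, the following Python script applies both report categories to a handful of constructed log records from two devices: an IDS and host authentication logs. The asset inventory, the two log formats, the business hours and every host name, user and address in it are assumptions made for the example.

```python
"""Minimal SIEM-style correlation over constructed sample events.

Shows the two report categories described above:
  1. asset grouping: suppress IDS alerts whose exploit targets an OS the
     asset does not run (a Unix attack against a Windows host, or vice versa);
  2. authentication/access review: flag successful logins to core systems
     outside business hours.
All hosts, users, addresses and log lines are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
import shlex

# Assumed asset inventory (the "asset identification and grouping" report):
# IP -> OS and whether the host is a core system. A real SIEM fills this from
# CMDB or scan data; keeping it accurate is what makes suppression safe.
ASSETS = {
    "10.0.1.10": {"name": "dc01", "os": "windows", "core": True},
    "10.0.1.20": {"name": "web01", "os": "unix", "core": False},
    "10.0.1.30": {"name": "db01", "os": "unix", "core": True},
}

# Assumed business hours for the example: 08:00-18:00, Monday to Friday.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)


@dataclass
class Event:
    ts: datetime
    source: str                      # device that produced it: "ids" or "auth"
    fields: dict = field(default_factory=dict)


def parse_line(line: str) -> Event:
    """Parse one constructed '<iso timestamp> <source> key=value ...' line."""
    ts_str, source, *rest = shlex.split(line)   # shlex keeps quoted values whole
    fields = dict(tok.split("=", 1) for tok in rest)
    return Event(datetime.fromisoformat(ts_str), source, fields)


def triage_ids(ev: Event):
    """Asset-aware triage: keep the alert unless the signature targets an OS the
    asset does not run. Hosts missing from the inventory are never suppressed."""
    asset = ASSETS.get(ev.fields["dst"])
    target_os = ev.fields.get("target_os")
    if asset is None:
        return "alert", "host not in inventory"
    if target_os and target_os != asset["os"]:
        return "suppressed", f"{target_os} attack against {asset['os']} host {asset['name']}"
    return "alert", f"{ev.fields['sig']} against {asset['name']}"


def is_out_of_hours(ts: datetime) -> bool:
    """Weekend, or a weekday outside the business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def check_access(ev: Event):
    """Flag successful logins to core systems outside business hours."""
    asset = ASSETS.get(ev.fields["host"])
    if ev.fields.get("result") != "success" or not asset or not asset["core"]:
        return None
    if is_out_of_hours(ev.ts):
        return f"{ev.fields['user']} logged in to core host {asset['name']} at {ev.ts:%a %H:%M}"
    return None


def correlate(lines):
    """Route each record to the rule for its source device and collect findings."""
    report = {"alerts": [], "suppressed": [], "out_of_hours": []}
    for line in lines:
        ev = parse_line(line)
        if ev.source == "ids":
            verdict, why = triage_ids(ev)
            report["alerts" if verdict == "alert" else "suppressed"].append(why)
        elif ev.source == "auth":
            finding = check_access(ev)
            if finding:
                report["out_of_hours"].append(finding)
    return report


# Constructed sample records from the two devices (3 Feb 2010 is a Wednesday,
# 6 Feb 2010 a Saturday).
SAMPLE_LINES = [
    '2010-02-03T14:05:12 ids dst=10.0.1.10 sig="unix telnet remote root attempt" target_os=unix',
    '2010-02-03T14:05:40 ids dst=10.0.1.20 sig="windows smb null session" target_os=windows',
    '2010-02-03T14:06:02 ids dst=10.0.1.30 sig="unix telnet remote root attempt" target_os=unix',
    '2010-02-03T14:06:30 ids dst=10.0.9.99 sig="unix telnet remote root attempt" target_os=unix',
    '2010-02-03T09:15:00 auth host=10.0.1.30 user=dba1 result=success',
    '2010-02-03T23:41:07 auth host=10.0.1.30 user=jsmith result=success',
    '2010-02-06T10:02:00 auth host=10.0.1.10 user=admin result=success',
    '2010-02-03T23:50:00 auth host=10.0.1.20 user=www result=success',
    '2010-02-03T23:55:00 auth host=10.0.1.10 user=jsmith result=failure',
]

if __name__ == "__main__":
    for section, items in correlate(SAMPLE_LINES).items():
        print(section)
        for item in items:
            print("  -", item)
```

Of the four IDS records, two are suppressed because the signature's target OS does not match the inventory, one is kept, and one is kept because the destination is not in the inventory at all; of the five login records, only the two successful logins to core hosts outside the window (a late-night login to db01 and a Saturday login to dc01) are reported. The design choice worth copying is the last one: suppression is applied only where the inventory positively says the attack cannot apply, never by default.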
SIEM systems can change the role of the security and compliance team. Staff members whose time has been devoted to manual log review can benefit from improved information management and shift the bulk of their time to threat response.
In turn, the filtering and aggregation a SIEM applies to the raw feeds gives staff clarity, weeding out the extraneous data that makes up the majority of logs. And, of course, SIEM removes the cost and tedium involved in some staff spending two or three days a week on log analysis.
With threats increasing and data volumes rising, security information and event management trending reports can help minimise capital expenditure and deployment, as well as reduce staff management costs. The reports allow management to identify where the greatest dangers are and where systems may be struggling, and therefore to see where any new investment might be required. This is particularly relevant in larger compliance environments that have 'silos' of knowledge and specialist skills requiring the monitoring of multiple devices and threat areas. Reporting is also available for network infrastructure activity, access and authentication and wireless activity.
A wide range of companies offer logging/SIEM tools. Some of the leaders, according to Stamford, Conn.-based Gartner Inc.*, are ArcSight Inc., IBM, LogLogic Inc. and Q1 Labs Inc.
Meeting compliance requirements, improving overall security, providing an overview of the state of the network, business activity monitoring and business intelligence are just the start with logging/SIEM systems. In addition, leading-edge customers are already using the tools to increase the visibility and security of composite Web 2.0 applications, cloud-based services and mobile devices.
Instead of being dead money, an investment made in a compliance-specific system can also work to improve control over a business, now and in the future, allowing it to improve efficiency, meet the challenges of new security problems and potentially increase business profitability.
* Source: Gartner Magic Quadrant, May 2009
About the author
Ian Kilpatrick is chairman of value added distributor Wick Hill Group plc, specialists in secure infrastructure.
This was first published in February 2010