Friday, June 27, 2014

Magic Quadrant for SIEM

Broad adoption of SIEM technology is being driven by the need to detect threats and breaches, as well as by compliance needs. Early breach discovery requires effective user activity, data access and application activity monitoring. Vendors are improving threat intelligence and security analytics. 

Market Definition

The security information and event management (SIEM) market is defined by the customer's need to analyze security event data in real time for internal and external threat management, and to collect, store, analyze and report on log data for incident response, forensics and regulatory compliance. The vendors included in our Magic Quadrant analysis have technologies that have been designed for this purpose, and they actively market and sell these technologies to the security buying center.
SIEM technology aggregates event data produced by security devices, network infrastructures, systems and applications. The primary data source is log data, but SIEM technology can also process other forms of data, such as NetFlow and packet capture. Event data is combined with contextual information about users, assets, threats and vulnerabilities. The data is normalized, so that events, data and contextual information from disparate sources can be correlated and analyzed for specific purposes, such as network security event monitoring, user activity monitoring and compliance reporting. The technology provides real-time security monitoring, historical analysis and other support for incident investigation and compliance reporting.
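The pipeline this definition describes (collect raw events from disparate sources, normalize them to a common schema, join them with contextual information about users and assets, then correlate) is concrete enough to show in code. The example below is added here for illustration; it is not code from Gartner or from any vendor in this report. The two log formats (a syslog-style sshd line and a Windows Security event flattened to key=value), the asset and privileged-user tables, the sample lines, and the failed-then-successful-logon rule with its threshold and window are all constructed for the example.

```python
"""Toy SIEM pipeline: normalize -> enrich -> correlate (added example, not a product's code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Two constructed source formats. Field names in the group names become the
# common schema; the rule below never needs to know which source an event came from.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)
WINEVT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) User=(?P<user>\S+) SourceIP=(?P<src>[\d.]+)"
)

# Constructed context tables: the "contextual information about users and assets"
# that the normalized events get joined with.
ASSETS = {"web01": "dmz", "dc01": "crown-jewel"}
PRIVILEGED_USERS = {"administrator", "root"}


def normalize(line):
    """Map a raw line from either source to one schema; None if no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "user": m["user"], "src": m["src"], "source_type": "sshd",
                "action": "auth_failure" if m["outcome"] == "Failed" else "auth_success"}
    m = WINEVT_RE.match(line)
    if m:
        # 4625 = failed logon, 4624 = successful logon in the Windows Security log
        action = {"4625": "auth_failure", "4624": "auth_success"}.get(m["eid"])
        if action is None:
            return None
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "user": m["user"].lower(), "src": m["src"],
                "source_type": "windows_security", "action": action}
    return None


def enrich(event):
    """Attach asset tier and user privilege so the rule can weight its alert."""
    event["asset_tier"] = ASSETS.get(event["host"], "unknown")
    event["privileged"] = event["user"] in PRIVILEGED_USERS
    return event


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: >= threshold auth failures from one source IP within the window,
    then an auth success from that IP (on any host, from any source type) -> alert."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failures in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # expire failures that fell out of the sliding window
        if ev["action"] == "auth_failure":
            q.append(ev["ts"])
        elif ev["action"] == "auth_success" and len(q) >= threshold:
            high = ev["privileged"] or ev["asset_tier"] == "crown-jewel"
            alerts.append({"src": ev["src"], "user": ev["user"], "host": ev["host"],
                           "failures": len(q), "severity": "high" if high else "medium"})
            q.clear()
    return alerts


# Constructed sample input: password guessing against web01 over SSH, then a
# successful Windows logon on dc01 from the same address; plus one unrelated line.
SAMPLE_LOGS = [
    "2014-06-27T10:00:01 web01 sshd[4411]: Failed password for invalid user oracle from 203.0.113.7 port 51022 ssh2",
    "2014-06-27T10:00:04 web01 sshd[4412]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "2014-06-27T10:00:09 web01 sshd[4413]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "2014-06-27T10:01:30 dc01 EventID=4624 User=Administrator SourceIP=203.0.113.7",
    "2014-06-27T10:02:00 web01 sshd[4420]: Accepted password for deploy from 198.51.100.5 port 40000 ssh2",
    "2014-06-27T10:02:05 web01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]


def run_pipeline(lines):
    """Return (normalized+enriched events, alerts) for a list of raw lines."""
    events = [enrich(e) for e in map(normalize, lines) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    evs, found = run_pipeline(SAMPLE_LOGS)
    print(f"{len(evs)} events normalized from {len(SAMPLE_LOGS)} lines")
    for alert in found:
        print(alert)
```

The point the definition makes, and the code shows, is that correlation only works across sources because normalization happens first: the rule counts `auth_failure` events from an sshd parser and matches them against an `auth_success` produced by a Windows parser, and the severity comes from context (privileged user, asset tier) rather than from either raw log.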

Magic Quadrant

Figure 1. Magic Quadrant for Security Information and Event Management
Gartner (June 2014)

Vendor Strengths and Cautions

AccelOps

AccelOps is one of the few vendors that have capabilities that are directed at both IT security and IT operations. AccelOps provides log management, search, alerting, real-time correlation, and a dashboard environment for unified security, availability, and performance monitoring and analytics. The vendor's primary focus is its SIEM solution for security practitioners and managed security service providers (MSSPs), but AccelOps also provides a tightly integrated performance and availability monitoring (PAM) solution that is oriented to the IT operations area. MSSP customers typically use both the SIEM and PAM capabilities in order to provide a broad monitoring service to their customers. For end-user customers, the focus in most cases is SIEM, but about 25% of end-user customers have added the PAM component.
Over the past 18 months, the vendor has experienced rapid growth from a relatively small installed base, and is becoming increasingly visible on SIEM evaluation shortlists. Over the past 12 months, AccelOps updates have included integration for dynamically updated external threat intelligence feeds and support for statistical anomaly detection. Development plans include advanced and cloud-based threat visualization analytics.
AccelOps is a good fit for enterprises and MSSPs that require a combination of security monitoring and PAM, and integrated configuration management database (CMDB) capability.
Strengths
  • AccelOps' combination of SIEM and PAM capabilities can be used to implement unified security and operations monitoring from log-based event sources, and can provide the security organization with additional operations support for a security-focused deployment.
  • AccelOps provides strong support for deployment in a virtualized environment as well as public, private and hybrid clouds.
  • Customers report that the technology is relatively easy to deploy, especially given the support for both security and operations monitoring.
Cautions
  • Reporting capabilities are very flexible, but some users indicate that ease-of-use improvements in report customization are needed.
  • The AccelOps design places a heavy reliance on high-quality CMDB data in order to accurately place each device into an asset category. Organizations must validate the accuracy of the automated discovery and classification activities.
  • While AccelOps provides a UI for the simpler integration of unsupported data sources, out-of-the-box support for third-party applications is limited.
  • IAM integration is limited to Microsoft Active Directory and Lightweight Directory Access Protocol (LDAP).

AlienVault

The foundation of AlienVault's security management solution is Open Source SIEM (OSSIM), which provides SIEM, vulnerability assessment, NetFlow, network and host intrusion detection, and file integrity monitoring. AlienVault offers SIEM in two products, one open source and one commercial. AlienVault sells and supports Unified Security Management (USM) as software or appliance, and USM extends OSSIM with scaling enhancements, log management, consolidated administration and reporting, and multitenanting for MSSPs. The sensor, logger and server components of USM are available as all-in-one or separate servers in several tiers to match the size of customer environments. The vendor's target market is enterprises with smaller security staffs and limited security programs that need multiple integrated security technologies at a lower cost and with greater simplicity. AlienVault's Open Threat Exchange community enables sharing of Internet Protocol (IP) and URL reputation information. AlienVault Labs provides an integrated threat intelligence feed to its commercial products that includes updates to signature, vulnerability, correlation, reporting and incident response content. AlienVault has added several wizard and dashboard features to support easier deployment, configuration and maintenance of network and host-based sensors and controls. AlienVault's USM platform provides centralized configuration and management of all AlienVault components.
The AlienVault USM platform should be considered by organizations that need a broad set of integrated security capabilities at relatively low cost compared with other commercial offerings, and by organizations that want a commercially supported product that is based on open source.
Strengths
  • AlienVault USM provides integrated capabilities for SIEM, file integrity monitoring, vulnerability assessment, NetFlow and both host-based and network-based intrusion detection systems.
  • Customer references indicate that the software and appliance offerings are much less expensive than corresponding product sets from most competitors in the SIEM space.
Cautions
  • Although AlienVault has recently expanded the number of predefined correlation rules for third-party commercial products, some existing customers identify this as an area that needs further improvement.
  • Identity and access management (IAM) integration is limited to Active Directory and LDAP monitoring, and application integration is primarily with open-source applications.
  • AlienVault's workflow capabilities do not include integrations with external directories for workflow assignments. 

BlackStratus

BlackStratus has two offerings, Log Storm and SIEM Storm. Log Storm provides log management capabilities aimed at MSSPs and small to midsize enterprises, and is available as virtual and hardware appliances. SIEM Storm provides features such as multitenancy and security event management (SEM) capabilities, such as analytics, historical correlation and threat intelligence integration, and is deployable as software or virtual images. SIEM Storm can be deployed in combination with Log Storm, utilizing it as the storage and collection tier, or it can be deployed stand-alone with an HP Vertica Analytics Database back end.
Log Storm and SIEM Storm provide an integrated incident management and ticketing system guided by the SANS seven-step incident remediation process, and SIEM Storm also allows the tracking of SLA metrics to accommodate MSSP and service-centric environments. A Web services API providing two-way integrations with third-party systems offers powerful integrative capabilities, but out-of-the-box support for third-party data sources is limited compared with competitor offerings.
In the past 12 months, BlackStratus added a co-branded portal, integrations with FireEye, Mandiant and EMC's RSA NetWitness, and support for the Vertica Analytics Database to be used as the back end for SIEM Storm.
BlackStratus is a good fit for service providers requiring a customizable SIEM platform, and end-user organizations looking for well-formed multitenancy support.
Strengths
  • Log Storm and SIEM Storm provide a two-way integration API to enable custom-built service architectures.
  • Both offerings include a fully integrated incident and ticket management system based on the SANS seven-step remediation process.
  • SIEM Storm can be deployed with a Vertica Analytics Database back end.
Cautions
  • Out-of-the-box support for third-party data sources is limited and requires custom scripting.
  • BlackStratus has few technology integration partnerships or deep third-party integrations.
  • Advanced security capabilities such as commercial threat intelligence feeds, network forensic/deep packet inspection (DPI) and identity and access management (IAM) integrations are not supported.
  • BlackStratus has focused on sales to security service providers, and has not been very visible in competitive evaluations for end-user deployments.

EMC (RSA)

RSA, The Security Division of EMC (including enVision, NetWitness and Security Analytics), has a large SIEM installed base. During 2013, RSA completed its transition from enVision and NetWitness to the Security Analytics platform, while Gartner customers continued to identify RSA enVision as the most frequently displaced SIEM technology. RSA Security Analytics (based on the NetWitness platform) provides log and full packet data capture, security monitoring, forensic investigation, and analytics. RSA will support the enVision platform until the end of 2017. The Security Analytics reporting system can pull data from both the Security Analytics data structures and the Internet Protocol Database (IPDB) in enVision, helping to accommodate the transition from enVision to Security Analytics within the RSA installed base. The Security Analytics Archiver provides long-term storage and access for compressed logs and log metadata. Security Analytics Warehouse provides big data analytics. The initial release of Security Analytics limited analytics to keyword search into raw data, but a 2013 release provided an analytics engine as an integral component of the Security Analytics Warehouse.
The initial release of Security Analytics lacked complex correlation rule support and a customization interface. RSA has released the Event Stream Analysis appliance, which provides real-time alerting for logs and packets, and includes a rule customization interface. In 2013, RSA released the Security Analytics All-in-One appliance that is a packaging option for smaller deployments. Near-term development plans include native incident management and more behavioral profiling capabilities related to outbound connections.
RSA Security Analytics should be considered by organizations with high-security environments and the staffing resources to support a complex technology that requires extensive customization, and that have a need for a combination of both log-based monitoring and network-level monitoring for threat detection and investigation.
Strengths
  • RSA's Security Analytics platform offers a combination of analytics and basic event monitoring for both full packet capture and log data.
  • RSA Security Analytics can be deployed by organizations that have implemented another vendor's SIEM in cases where full packet capture capabilities are needed.
Cautions
  • Security Analytics' support for complex correlation is very recent, and it has very little production experience in this area.
  • Security Analytics displays are basic. The user interface lacks predefined dashboard views and requires extensive customization.

EventTracker

EventTracker targets its SIEM software and service offering primarily at midsize commercial enterprises and government organizations with security and operations event management and compliance reporting requirements. The EventTracker agent provides support for file integrity monitoring and USB control. Basic profiling capabilities are provided via a behavior module that can establish a baseline over a user-configurable period of time and can issue alerts on deviations from normal. During 2013, the vendor expanded its SIEM Simplified remote monitoring service (incident log and configuration review, incident investigation, and audit assistance) through an integration with OpenVAS vulnerability assessment scanning and Snort intrusion detection. EventTracker also introduced basic incident response workflow support. Development plans include support for monitoring packaged applications that are prevalent in midsize enterprises and a SaaS offering hosted in Amazon Web Services, which will be directed to managed service provider (MSP) partners. EventTracker is suited for midsize businesses that require log management, SEM, compliance reporting and operations monitoring via a software-based solution, and midsize businesses that have a requirement for on-premises or cloud-hosted SIEM in combination with basic monitoring services.
Strengths
  • EventTracker is easy to deploy and maintain, with compliance and use-case-specific knowledge packs that provide prebuilt alerts, correlation rules and reports.
  • EventTracker supports centralized agent deployment and management in Windows environments.
  • EventTracker includes a behavior analysis module that provides profiling and anomaly detection functions.
  • Services such as periodic log review, audit assistance and health check are available from the vendor at a low cost.
Cautions
  • The vendor targets the midmarket, but is not as visible on customer shortlists as other SIEM vendors that are also targeting this segment.
  • EventTracker's capabilities for application monitoring are more limited than other SIEM products targeting enterprise deployments, as it lacks integration with major packaged applications.
  • The embedded incident ticketing capability is limited in the area of response workflow.

HP

HP's ArcSight line of SIEM solutions resides within HP's Enterprise Security Products (ESP) business unit, which also includes HP TippingPoint and HP Fortify. ArcSight Enterprise Security Manager (ESM) software is oriented to large-scale, SEM-focused deployments. ArcSight Express is an appliance-based offering for ESM that is designed for the midmarket with preconfigured monitoring and reporting. ArcSight Logger appliances and software provide log data collection and management functions that can be implemented stand-alone or in combination with ESM.
During 2013, ArcSight remained among the most visible SIEM competitors on Gartner client shortlists, but the introduction of competitive SIEM technologies within large ArcSight accounts continued, with customers citing ESM complexity and cost as inhibitors to expansion. With ArcSight ESM version 6, HP replaced the ESM Oracle Database with the Correlation Optimized Retention and Retrieval Engine (CORR-Engine) and implemented a simplified events per second (EPS)-based pricing model. We have validated significant improvements in event-handling capacity on the same hardware with reference customers. In late 2013, HP introduced ArcSight Risk Insight for ESM, which provides risk rating and management dashboards for security event data. HP also introduced ArcSight Application View, which enables application activity monitoring that is not dependent on log data. HP also released enhancements to ArcSight Express to simplify deployment and customization. Development plans include further integrations with HP's Vertica Analytics Platform and additional improvements in ease of deployment.
ArcSight Express should be considered for midsize SIEM deployments. ESM is appropriate for larger deployments, as long as sufficient in-house support resources are available.
Strengths
  • ESM provides a complete set of SEM capabilities that can be used to support a security operations center.
  • ArcSight Express provides a simplified option for midsize SIEM deployments.
  • ArcSight Logger can provide an inexpensive log management capability for two-tier deployment architectures that require long-term event archiving.
  • Optional modules provide advanced support for user activity monitoring, IAM integration and fraud management.
  • ArcSight continues to be very visible in competitive evaluations of SIEM technologies.
Cautions
  • ArcSight provides real-time statistical correlation, but profiling and anomaly detection operate against historical data only.
  • While the CORR-Engine has eliminated a major source of deployment and support complexity, customers will still find ESM to be more complex than other leading solutions.

IBM Security

IBM Security's QRadar SIEM technology provides log management, event management, reporting and behavioral analysis for networks and applications. QRadar can be deployed as appliance or software (running on Red Hat Enterprise Linux Server appliances) in an all-in-one solution for smaller environments, or it can be horizontally scaled in larger environments using specialized event collection, processing and console appliances. A distinguishing characteristic of the technology is the collection and processing of NetFlow data, DPI, full packet capture, and behavior analysis for all supported event sources.
Enhancements to QRadar during the past 12 months included the introduction of QRadar Incident Forensics, which extends flow analysis, adding DPI and full packet capture capabilities. In addition, IBM Security introduced integrated vulnerability scanning via QRadar Vulnerability Manager (using technology licensed from Critical Watch), as well as new graphing/charting capabilities, improved search performance and API enhancements. IBM has developed two-way integration between QRadar and IBM's InfoSphere BigInsights, and also with IBM's analytics and data visualization technologies. IBM also provides additional connectors to Hadoop instances.
IBM offers a co-managed service option for QRadar, which combines an on-premises QRadar deployment with remote monitoring from IBM's managed security services operations centers. QRadar is a good fit for midsize and large enterprises that need general SIEM capabilities, and also for use cases that require behavior analysis, NetFlow analysis and full packet capture.
Strengths
  • QRadar provides an integrated view of the threat environment using NetFlow, DPI and full packet capture in combination with log data, configuration data and vulnerability data from monitored sources.
  • Customer feedback indicates that the technology is relatively straightforward to deploy and maintain in both modest and large environments.
  • QRadar provides behavior analysis capabilities for NetFlow and log events.
Cautions
  • QRadar provides less-granular role definitions for workflow assignment compared with competitors' products.
  • QRadar's multitenant support requires a master console in combination with distributed QRadar instances. The number of third-party service providers that offer QRadar-based monitoring services is limited when compared with vendors that lead in this area.

LogRhythm

LogRhythm sells its appliance- and software-based SIEM solutions to midsize and large enterprises. The SIEM offering can be deployed in smaller environments with a single appliance or software instance that provides log management and event management, or it can be scaled as a set of specialized appliances or software instances (log management, event management and centralized console). Network forensic capabilities such as DPI flow monitoring and full packet capture are supported via LogRhythm's Network Monitor, which can be integrated as a network sensor. The technology also includes optional agents for major OSs that can be used for filtering at the source. LogRhythm's System Monitor Agents include host activity monitoring capabilities such as system process monitoring and file integrity monitoring for Windows and Unix.
New features and improvements in the latest 6.2 release of Security Intelligence platform include Active Directory group-based authentication for LogRhythm users, System Monitor Agent and collector load balancing, and a new capability designed to infer missing user information from event data called the Identity Inference Engine. Other enhancements in the past 12 months include a new UI release in 1Q14 that provides tablet support. Moreover, predefined correlation rules have increased to more than 500, and predefined modules containing correlation rules, saved searches and reports covering topics such as privileged user monitoring, network anomaly detection and targeted attack detection have been added. LogRhythm also released Network Monitor in 2013, a network forensic solution that provides flow analysis, deep packet inspection and full packet capture capabilities that can be seamlessly integrated with LogRhythm SIEM as a network sensor.
Plans for the next 12 months include enhancements to case and incident management support, the user interface, and data storage efficiency.
LogRhythm is an especially good fit for organizations that require a combination of SIEM, file integrity monitoring (FIM), and network monitoring, and those organizations that value ease of deployment and predefined function over a "build your own" approach to monitoring.
Strengths
  • LogRhythm provides a balance of log management, reporting, event management, privileged-user and file integrity monitoring, and network forensic capabilities to support security operations and compliance use cases.
  • Its appliance format and configuration wizards allow for fast deployment with minimal resources.
  • Gartner receives consistent user feedback stating that LogRhythm's predefined correlation rules and reporting templates provide coverage for the most useful and important use cases and ease initial implementation.
  • LogRhythm continues to be very visible in competitive SIEM technology evaluations of Gartner clients.
Cautions
  • Users report that email alert template content can only be minimally customized.
  • In order to continue to support older versions of devices, legacy log processing rules are not removed. Feedback has indicated that this can cause confusion among users.

McAfee

McAfee, part of Intel Security, provides McAfee Enterprise Security Manager (ESM), which combines security information management (SIM) and SEM functions, and is available as a stand-alone, all-in-one, virtual appliance and delivered as a managed service by partners. Capabilities can be extended and enhanced with a range of specialized add-on products, such as Database Event Monitor (DEM), which provides database activity monitoring and analysis, Application Data Monitor (ADM) for application monitoring, and Global Threat Intelligence (GTI). McAfee is further developing integration of ESM with its wider security portfolio to enable context about vulnerabilities, endpoint state and threats, and to enable automated response and blocking.
Among the enhancements released in the past 12 months were a new suite of regulatory compliance reports, the capability to use flow data and statistical anomaly tracking in correlation rules, and big data connectors for Hadoop integration. Data obtained via the Hadoop connectors can be used to populate watchlists for correlation and to enrich SIEM data. Plans for the next 12 months include deeper integrations with McAfee's own portfolio to enable autoresponse capabilities such as policy changes on end-user devices, the quarantining and blacklisting of malicious activity, a software development kit (SDK) for external data queries and system management, enhanced threat detection utilizing Data Exchange Layer and Threat Intelligence Exchange, and additional data obfuscation for enhanced compliance in privacy laws.
McAfee Enterprise Security Manager is a good choice for organizations that require high-performance analytics under high-event-rate conditions, as well as organizations with advanced requirements for monitoring database applications and industrial control systems.
Strengths
  • Some of the highest event ingest rates and query performance levels that we have been able to validate have been with McAfee Enterprise Security Manager customers.
  • Database and application monitoring, as well as network-based packet inspection, are provided for via McAfee Enterprise Security Database Event Monitor and Application Data Monitor.
  • McAfee Enterprise Security Manager has strong industrial control system (ICS) and supervisory control and data acquisition (SCADA) device support.
Cautions
  • Users have indicated that vendor support is good, but it can be difficult reaching the right point of contact.
  • McAfee's advanced SIEM features and capabilities in areas such as endpoint intelligence and automated response require integrations with, or further investments in, other McAfee portfolio products.
  • NetFlow filtering and alerting capabilities are limited. For example, there is no easy way to include all the packet data from an event that caused an alert in an email notification.

NetIQ

During 2013, NetIQ focused on completing the consolidation of NetIQ Sentinel (acquired from Novell) with its existing SIEM technology, as well as with its Change Guardian host monitoring. NetIQ Security Manager, NetIQ's SIEM offering, is based primarily on the Sentinel platform, in combination with agent technology and content from Security Manager. NetIQ Sentinel is composed of three packages: Sentinel, Sentinel Log Manager and Change Guardian. Optional host monitoring agents are also available. Sentinel and Change Guardian are offered both as software and virtual appliance deployments. NetIQ Sentinel integrates with other core NetIQ technologies (AppManager, Identity Manager, Access Manager, Directory and Resource Administrator, and Secure Configuration Manager). Enhancements in 2013 included a common administration interface for Sentinel and Security Manager components, initial support for NetFlow analysis, initial support for user import of threat intelligence feeds, and visualizations and point improvements in other areas. Development plans include improvements in scalability, usability and MSSP support.
Sentinel is a good fit for organizations that require large-scale security event processing in highly distributed environments (such as retail), and is an especially good choice for organizations that have deployed NetIQ IAM infrastructure and need security monitoring with an identity context.
Strengths
  • Sentinel and Sentinel Log Manager are appropriate for large-scale deployments that are focused on SEM and threat monitoring.
  • The Change Guardian product line provides policy-based privileged-user activity monitoring and change detection for Active Directory, Windows, Unix and Linux, as well as file integrity monitoring for host systems.
  • NetIQ agent technology can provide guaranteed delivery mechanisms over and above native platform audit functions or agentless methods for use cases that require user and data access monitoring for servers.
Cautions
  • NetIQ Sentinel has relatively low visibility in competitive evaluations of security monitoring technology.
  • There are no specific integrations with IP reputation or other external threat intelligence feeds, although the vendor indicates the intention to release initial support during 2014.
  • Remote monitoring services for Sentinel are provided by a smaller number of third-party service providers when compared with major competitors.
  • Sentinel lacks the ability to replay historical event data against current correlation rules for threat detection use cases.

SolarWinds

SolarWinds packages its Log and Event Manager (LEM) software as a virtual appliance. LEM has integrations with SolarWinds' other products for operations monitoring to support activities such as change detection and root cause analysis. SolarWinds' development road map is focused on increasing ease of deployment and ease of ongoing operations for resource-constrained security groups. SolarWinds LEM is a good fit for small or midsize companies that require SIEM technology that is easy to deploy and those that use other SolarWinds' operations monitoring components.
Strengths
  • SolarWinds LEM is easy to deploy and provides extensive content in the form of dashboards, predefined correlation rules and reports.
  • The technology is also well-suited for organizations that have already invested in the vendor's other technology solutions.
  • An agent for Windows systems can be used to exert endpoint control, including USB devices, and network quarantine functions in response to events observed by the SIEM offering.
Cautions
  • SolarWinds LEM is optimized for small to midsize deployments, while other SIEM solutions are a better fit for large-scale deployments.
  • SolarWinds LEM provides basic statistical and behavior analytics, but has no integration with data warehouse technologies.
  • Customers requiring more extensive user and application or Web monitoring must acquire other SolarWinds products to extend the capabilities available in LEM.
  • Although LEM includes a native flow capture and display capability, flow data is not available for real-time correlation in LEM.

Splunk

Splunk Enterprise provides log management, search, alerting, real-time correlation and a query language that supports visualization using more than 100 statistical commands. Splunk is widely deployed by IT operations and application support teams for log management analytics, monitoring and advanced search and correlation. Analytics on batch data stored in Hadoop/NoSQL stores and relational databases is provided by a separate product called Hunk, and by the DB Connect App, which adds bidirectional support for relational databases. The Splunk App for Enterprise Security provides predefined reports, dashboards, searches, visualization and real-time monitoring to support security monitoring and compliance reporting use cases. During 2014, the vendor has remained very visible on SIEM evaluation shortlists. In many cases, Splunk has already been deployed by IT operations groups. However, there has also been an expansion in the number of customers deploying the Splunk App for Enterprise Security for stand-alone SIEM use cases.
Over the past 12 months, Splunk has released many new functions directed at a major competitive issue — deployment complexity. Splunk App for Enterprise Security now ships with 68 predefined security indicators that can be used to construct a custom dashboard, and there are now 40 predefined dashboards in the security domain menu. Splunk released a report builder with 200 predefined reports/panels. Splunk now aggregates 18 threat intelligence feeds to enable consolidation into common watchlists.
Development plans include improved threat detection through trending, anomaly detection, expanded use of predictive analytics, and discovery of behavioral outliers for assets and users. Splunk is a good fit for security organizations that require customizable security monitoring and analytics, and is an especially good fit for use cases that span security and operations, and for deployments with a focus on application monitoring.
Strengths
  • Splunk's strong presence in IT operations groups can provide the security organization with early hands-on exposure to its general log management and analytics capabilities, "pre-SIEM" deployment by operations for critical resources, and in-house operations support for an expanded security-focused deployment.
  • Splunk's dashboarding and analytics capabilities provide a flexible framework for customization to meet a variety of event management and log management requirements.
  • Splunk has built-in support for a large number of external threat intelligence feeds from commercial and open sources.
Cautions
  • Splunk provides predefined parsing to a more limited set of IAM vendors than some competitors' products. Potential buyers should anticipate customization work to handle the parsing of IAM logs outside Active Directory, LDAP and selected other IAM technologies.
  • Predefined reporting, while improved in the current release, is still more basic than that of many competitors.
  • In cases where operations teams are not using Splunk for operations monitoring (to share deployment costs), Splunk is often significantly more expensive than competing SIEM solutions.

Tenable Network Security

Tenable Network Security's focus in this market is evolving to emphasize continuous compliance monitoring based on endpoint state (vulnerabilities, configuration), file activity, network activity and log data. This evolving emphasis is to augment or complement a broad SIEM deployment, although there are overlapping use cases. Tenable Network Security supports SIEM use cases through the SecurityCenter Continuous View (SCCV) console, Nessus, Log Correlation Engine (LCE), and Passive Vulnerability Scanner (PVS) as a capability of its Integrated Vulnerability, Threat and Compliance Platform. LCE provides log and event collection, NetFlow monitoring, normalization, analysis, and reporting. SCCV adds the ability to correlate events with data from Nessus and PVS, in addition to threat list intelligence from third-party providers. Windows and Unix log collection agents can also provide basic file integrity and change monitoring. Tenable's SIEM customers tend to use the vulnerability scanning and configuration assessment capabilities as components of their SIEM deployments.
SCCV, LCE, Nessus and PVS are available as software, and SCCV, Nessus and PVS are also available as hardware or virtual appliances. Network monitoring is available via the NetFlow and raw traffic monitoring capabilities of LCE, or is enhanced through integration with LCE and the passive network traffic monitoring provided by PVS. Recent enhancements include packaged content for specific use cases and policy creation wizards for use cases such as threat management. Development plans include enhanced user activity monitoring and the introduction of support for business application monitoring. The combination of SCCV and LCE for SIEM use cases and scanning and monitoring via PVS and Nessus provides unified management, monitoring, reporting and vulnerability assessment. Tenable's SIEM solution is a good choice for organizations that want to implement continuous monitoring based on the assessment of vulnerabilities, security configuration and log data.
Strengths
  • The integration of SCCV, LCE, Nessus and PVS provides a single-vendor solution for customers addressing security and compliance requirements that span event and log analysis, vulnerability assessment, and security configuration auditing.
  • SCCV and LCE provide statistical analytics, including notification of first-time events and deviations from baseline activity levels.
Cautions
  • LCE does not provide support for co-managed SIEM offerings.
  • LCE does not provide integration with IAM policy sources, but the vendor indicates there is current development activity in this area.
  • LCE does not integrate with major packaged applications.
  • SecurityCenter lacks workflow integration with enterprise directories.
  • Organizations that require a broad-scope SIEM implementation should consider alternative solutions.

Tibco Software

Tibco Software's LogLogic Log Management Intelligence line of solutions provides log collection and management capabilities. Tibco also offers additional extensions such as LogLogic Compliance Manager and LogLogic Analytics. LogLogic is available as a line of physical and virtual appliances, as well as software-based options. Tibco is pursuing a general development strategy that will provide its large customers with high-end analytics, and complex-event processing through the integration of LogLogic with the Tibco portfolio. Since Tibco's acquisition of LogLogic in 2012, the solution has been integrated with the wider Tibco portfolio, notably Tibco Spotfire for advanced analytics, Tibco Iris for anomaly detection and forensics, and Tibco Business Events for complex-event processing.
The LogLogic Database Security Manager and Security Event Manager are no longer offered; some of the database activity monitoring functionality is now integrated with LogLogic Analytics, and the event management functionality is divided between Tibco Iris and Tibco Business Events. By itself, LogLogic is designed as an organizationwide logging as a service (LaaS) platform to gather log, event and machine data, with only basic SIEM functionality included. In a threat management use case, it is intended to be used in conjunction with external solutions that provide the advanced capabilities.
LogLogic is a good fit for use cases focused primarily on log management, providing organizationwide LaaS, or those that involve log management and event forwarding to an MSSP or a third-party event manager. In addition, customers already using or planning to use other Tibco solutions will benefit from the integration with LogLogic.
Strengths
  • The LogLogic line of log management appliances provides competitive log management capabilities that can be integrated with a wide variety of third-party event managers.
  • LogLogic offers on-premises log management and reporting for deployments that also use an MSSP for real-time monitoring.
  • LogLogic, in combination with the greater Tibco portfolio, can provide high-scale advanced analytics, event processing and management, and operational workflow integration.
Cautions
  • LogLogic lacks advanced security capabilities, such as advanced correlation rules and endpoint protection technology integration, requiring the purchase of other Tibco products that do not have a security-specific focus, or of an additional third-party SIEM technology.
  • LogLogic does not support threat intelligence integration.
  • Feedback from some users has indicated that the LogLogic transition and integration with the Tibco portfolio is not fully complete.
  • LogLogic was not very visible in competitive evaluations, and we have seen more displacements by SIEM vendors during 2013.

Trustwave

Trustwave's primary business is services for compliance, vulnerability assessment, managed security and security consulting. Its threat and research capability includes SpiderLabs, which provides research on security threats and vulnerabilities in support of service delivery and product development. Trustwave also offers a broad portfolio of security products, including secure Web and email gateways, data loss prevention (DLP), a Web application firewall, network access control, unified threat management (UTM), security scanning, and encryption technologies. The core of this portfolio is an SIEM deliverable in several configurations to meet diverse requirements, from large enterprise, SEM-oriented deployments to midsize deployments with more modest SEM needs.
Trustwave SIEM products are provided as hardware or virtual appliance offerings and can be deployed as Log Management Enterprise or full function SIEM Enterprise. Trustwave's legacy SIEM Operations Edition (OE) is deployed as software only with additional optional components such as Advanced Analytics and Enterprise View. The vendor also offers traditional managed security services through its security operations centers running the SIEM OE product, and the Managed SIEM offering that includes customer premises Log Management appliances.
In 2013, Trustwave integrated the Trustwave Threat Correlation threat intelligence service with its SIEM offerings and added out-of-the-box NetFlow collection and analysis capabilities. Trustwave also released its self-healing network offering that leverages its SIEM to integrate with a number of other Trustwave security products to provide security automation and active response functionality.
Trustwave is a good fit for midsize organizations that require a combination of compliance-oriented services and SIEM technology.
Strengths
  • The Trustwave SIEM products include a broad range of deployment formats and service options, including hybrid options that support customers with limited internal resources for technology management or analysis.
  • SIEM OE offers analytics, capacity and customization capabilities appropriate for customers with large-scale event monitoring requirements.
  • Trustwave's self-sealing network offering leverages Trustwave SIEM to provide autoresponse capabilities such as quarantining and blacklisting.
Cautions
  • The variety of options available to mix and match SIEM with other security products and managed services means that potential SIEM buyers must carefully scope their requirements to enable like-to-like competitive evaluations.
  • Trustwave SIEM OE users have reported that the custom report wizard can be cumbersome to use, and manual custom report creation requires SQL and XML skills.
  • SIEM buyers with requirements to incorporate security technologies from Trustwave's competitors (for example, IPS, DLP and Web application firewall technologies) must monitor the vendor's ability to maintain timely support for these technologies with the Trustwave SIEM products and services.
  • Trustwave is not very visible in competitive evaluations of SIEM among Gartner clients.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

  • AccelOps
  • BlackStratus

Dropped

  • Sensage was acquired by KEYW, which is no longer actively selling an SIEM solution.
  • Symantec has withdrawn from the SIEM market but will continue support of Symantec Security Information Manager until November 2017.
  • EiQ Networks is now focusing on providing co-managed solutions that deliver a combination of security controls assessment, configuration auditing and event monitoring. 

Context

SIEM technology provides:
  • SIM — Log management, analytics and compliance reporting
  • SEM — Real-time monitoring and incident management for security-related events from networks, security devices, systems and applications
SIEM technology is typically deployed to support three primary use cases:
  • Threat management — Real-time monitoring and reporting of user activity, data access and application activity, in combination with effective ad hoc query capabilities
  • Compliance — Log management and compliance reporting
  • A deployment that provides a mix of threat management and compliance capabilities
Although many SIEM deployments have been funded to address regulatory compliance reporting requirements, the rise in successful targeted attacks has caused a growing number of organizations to use SIEM for threat management to improve security monitoring and early breach detection. The SIEM market is composed of technology providers that support all three use cases; however, there are variations in the relative level of capability for each use case — in deployment and support complexity, in the scope of related functions that are also provided, and in product support for capabilities related to targeted attack detection (such as user activity monitoring, data access monitoring, application activity monitoring, the use of threat intelligence and anomaly detection). This year's evaluation continues to more heavily weight capabilities that support targeted attack detection. As a companion to this research, we evaluate the SIEM technologies of 13 vendors with respect to the three major use cases noted above (see "Critical Capabilities for Security Information and Event Management").

Organizations should consider SIEM products from vendors in every quadrant of this Magic Quadrant, based on their specific functional and operational requirements. Product selection decisions should be driven by organization-specific requirements in areas such as the relative importance of compliance and threat management; the scale of the deployment; SIEM product deployment and support complexity; the IT organization's project deployment and technology support capabilities; identity, data and application monitoring requirements; and integration with established applications, data monitoring and identity management infrastructure.

Security managers considering SIEM deployments should first define the requirements for SEM and reporting. The requirements definition effort should include capabilities that will be needed for subsequent deployment phases. The project will benefit from the input of other groups, including audit/compliance, identity administration, IT operations and application owners. Organizations should also describe their network and system deployment topology, and assess event rates, so that prospective SIEM vendors can propose solutions for company-specific deployment scenarios. The requirements definition effort should also include phased deployments beyond the initial use case. This Magic Quadrant evaluates technology providers with respect to the most common technology selection scenario — an SIEM project that is funded to satisfy a combination of threat monitoring/response and compliance-reporting requirements.

Thursday, June 26, 2014

Government Spying Software

Hacking Team is an Italian malware company that sells exploit tools to governments. Both Kaspersky Lab and Citizen Lab have published detailed reports on its capabilities against Android, iOS, Windows Mobile, and BlackBerry smart phones.
They allow, for example, for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data. They can take screenshots, record audio from the phones to monitor calls or ambient conversations, hijack the phone's camera to snap pictures or piggyback on the phone's GPS system to monitor the user's location. The Android version can also enable the phone's Wi-Fi function to siphon data from the phone wirelessly instead of using the cell network to transmit it. The latter would incur data charges and raise the phone owner's suspicion.
[...]
Once on a system, the iPhone module uses advanced techniques to avoid draining the phone's battery, turning on the phone's microphone, for example, only under certain conditions.
"They can just turn on the mic and record everything going on around the victim, but the battery life is limited, and the victim can notice something is wrong with the iPhone, so they use special triggers," says Costin Raiu, head of Kaspersky's Global Research and Analysis team.
One of those triggers might be when the victim's phone connects to a specific WiFi network, such as a work network, signaling the owner is in an important environment. "I can't remember having seen such advanced techniques in other mobile malware," he says.
Hacking Team's mobile tools also have a "crisis" module that kicks in when they sense the presence of certain detection activities occurring on a device, such as packet sniffing, and then pause the spyware's activity to avoid detection. There is also a "wipe" function to erase the tool from infected systems.
Hacking Team claims to sell its tools only to ethical governments, but Citizen Lab has found evidence of their use in Saudi Arabia. It can't be certain the Saudi government is a customer, but there's good circumstantial evidence. In general, circumstantial evidence is all we have. Citizen Lab has found Hacking Team servers in many countries, but it's a perfectly reasonable strategy for Country A to locate its servers in Country B.
And remember, this is just one example of government spyware. Assume that the NSA -- as well as the governments of China, Russia, and a handful of other countries -- have their own systems that are at least as powerful.

A Drone That Blasts Pepper Spray

Coming soon to a protest near you: drones that fire pepper spray bullets.
Desert Wolf's website states that its Skunk octacopter drone is fitted with four high-capacity paintball barrels, each capable of firing up to 20 bullets per second.
In addition to pepper-spray ammunition, the firm says it can also be armed with dye-marker balls and solid plastic balls.
The machine can carry up to 4,000 bullets at a time as well as "blinding lasers" and on-board speakers that can communicate warnings to a crowd.

 

Wednesday, June 25, 2014

Is Keith Alexander's Advice Worth $600K a Month?

Ex-NSA director Keith Alexander has his own consulting company: IronNet Cybersecurity Inc. His advice does not come cheap:
Alexander offered to provide advice to Sifma for $1 million a month, according to two people briefed on the talks. The asking price later dropped to $600,000, the people said, speaking on condition of anonymity because the negotiation was private.
Alexander declined to comment on the details, except to say that his firm will have contracts "in the near future."
Kenneth Bentsen, Sifma's president, said at a Bloomberg Government event yesterday in Washington that "cybersecurity is probably our number one priority" now that most regulatory changes imposed after the 2008 credit crisis have been absorbed.
SIFMA is the Securities Industry and Financial Markets Association. Think of how much actual security they could buy with that $600K a month. Unless he's giving them classified information.
Digby:
But don't worry, everything Alexander knows will only benefit the average American like you and me. There's no reason to suspect that he is trading his high level of inside knowledge to benefit a bunch of rich people all around the globe. Because patriotism.

Risks of Not Understanding a One-Way Function

New York City officials anonymized license plate data by hashing the individual plate numbers with MD5. (I know, they shouldn't have used MD5, but ignore that for a moment.) Because they didn't attach long random strings to the plate numbers -- i.e., salt -- it was trivially easy to hash all valid license plate numbers and deanonymize all the data.
Of course, this technique is not news.
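As an added illustration of why this attack is trivial (example code written for this page, not from the city or from the post), the Python below hashes a constructed toy plate space with unkeyed MD5 exactly as described, builds the attacker's dictionary of every valid plate, and recovers the plates behind a few constructed records. It also goes one step beyond the post: a per-record salt only forces the attacker to re-run the enumeration once per record, which is still cheap for a space this small, so the construction that actually resists the dictionary is a keyed hash (HMAC) under a secret the publisher keeps. The plate format, the secret and the record timestamps are assumptions.

```python
import hashlib
import hmac
import itertools
import os
import string

# Assumed toy plate format: one letter followed by three digits (26,000 plates).
# Real plate spaces are larger but still far too small for an unkeyed hash to hide.
def all_plates():
    """Yield every syntactically valid plate in the toy format."""
    for letter in string.ascii_uppercase:
        for digits in itertools.product(string.digits, repeat=3):
            yield letter + "".join(digits)

def naive_anonymize(plate):
    """What the city did: an unsalted, unkeyed MD5 of the plate number."""
    return hashlib.md5(plate.encode()).hexdigest()

def build_lookup():
    """The attacker's dictionary: the hash of every valid plate, computed once."""
    return {naive_anonymize(p): p for p in all_plates()}

def deanonymize(records, lookup):
    """Map each (hash, timestamp) record back to its plate (None if not in the dictionary)."""
    return [(lookup.get(digest), ts) for digest, ts in records]

def salted_anonymize(plate, salt):
    """Per-record random salt, stored next to the hash the way a password store would."""
    return hashlib.sha256(salt + plate.encode()).hexdigest()

def crack_salted(digest, salt):
    """The salt defeats a precomputed table, but re-enumerating 26,000 plates per record is cheap."""
    for plate in all_plates():
        if salted_anonymize(plate, salt) == digest:
            return plate
    return None

def keyed_anonymize(plate, secret):
    """HMAC under a secret key: without the key no dictionary can be built at all."""
    return hmac.new(secret, plate.encode(), hashlib.sha256).hexdigest()

def demo():
    """Returns (recovered records, cracked salted plate, whether the keyed digest is in the dictionary)."""
    # Constructed "anonymized" dataset in the form the city might have published.
    records = [
        (naive_anonymize("K123"), "2014-06-01T08:12"),
        (naive_anonymize("B987"), "2014-06-01T08:15"),
        (naive_anonymize("K123"), "2014-06-01T17:40"),
    ]
    lookup = build_lookup()
    recovered = deanonymize(records, lookup)

    salt = os.urandom(16)                      # assumed: salt published alongside the record
    cracked = crack_salted(salted_anonymize("K123", salt), salt)

    secret = os.urandom(32)                    # assumed: key known only to the publisher
    keyed = keyed_anonymize("K123", secret)
    return recovered, cracked, keyed in lookup
```

Note that the keyed variant still lets the publisher link repeated sightings of one plate (the digest is deterministic per key), which is what the city wanted from hashing; rotating or discarding the key is what makes the link unrecoverable later.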

Tuesday, June 24, 2014

Protecting Against Algorithm Substitution Attacks

Interesting paper: M. Bellare, K. Paterson, and P. Rogaway, "Security of Symmetric Encryption against Mass Surveillance."
Abstract: Motivated by revelations concerning population-wide surveillance of encrypted communications, we formalize and investigate the resistance of symmetric encryption schemes to mass surveillance. The focus is on algorithm-substitution attacks (ASAs), where a subverted encryption algorithm replaces the real one. We assume that the goal of "big-brother" is undetectable subversion, meaning that ciphertexts produced by the subverted encryption algorithm should reveal plaintexts to big-brother yet be indistinguishable to users from those produced by the real encryption scheme. We formalize security notions to capture this goal and then offer both attacks and defenses. In the first category we show that successful (from the point of view of big brother) ASAs may be mounted on a large class of common symmetric encryption schemes. In the second category we show how to design symmetric encryption schemes that avoid such attacks and meet our notion of security. The lesson that emerges is the danger of choice: randomized, stateless schemes are subject to attack while deterministic, stateful ones are not.
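The "danger of choice" in the last sentence is easiest to see in code. The following Python is an added example (not from the paper) using a toy HMAC-based stream cipher that stands in for any randomized, IV-based symmetric scheme: the honest encryptor draws a fresh random IV, while the subverted one resamples the IV until a predicate keyed under big-brother's secret (`bb_key`, an assumed name) equals one bit of the user's key. Every ciphertext still decrypts correctly and each IV is still a uniformly random string, so the user sees nothing, yet big-brother recovers the key one bit per message from the wire. The deterministic, stateful counterpart uses a counter nonce that the receiver checks, which removes the free randomness the subversion needs. The cipher construction, key sizes and messages are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

IV_LEN = 16
BLOCK = 32  # SHA-256 output size, used as one keystream block

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream_xor(key, iv, data):
    """Assumed toy stream cipher: keystream block i is HMAC(key, iv || i).
    Shared unchanged by every encryptor and decryptor below."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = _prf(key, iv + (i // BLOCK).to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)

def encrypt_honest(key, msg):
    """Randomized, stateless scheme: a fresh random IV per message."""
    iv = os.urandom(IV_LEN)
    return iv + _keystream_xor(key, iv, msg)

def decrypt(key, ct):
    """The receiver's decryption is identical whether or not the sender was subverted."""
    return _keystream_xor(key, ct[:IV_LEN], ct[IV_LEN:])

def _key_bit(key, idx):
    return (key[idx // 8] >> (7 - idx % 8)) & 1

def _leak_bit(bb_key, iv):
    """Big-brother's private predicate on an IV: the top bit of F(bb_key, iv)."""
    return _prf(bb_key, iv)[0] >> 7

class SubvertedEncryptor:
    """IV-replacement ASA: for message i, resample the IV until big-brother's predicate on it
    equals bit i of the user's key. Each IV is a uniform random string conditioned on a
    predicate the user cannot evaluate, so the subversion is undetectable without bb_key."""
    def __init__(self, key, bb_key):
        self.key, self.bb_key, self.idx = key, bb_key, 0
    def encrypt(self, msg):
        target = _key_bit(self.key, self.idx % (len(self.key) * 8))
        self.idx += 1
        while True:
            iv = os.urandom(IV_LEN)
            if _leak_bit(self.bb_key, iv) == target:
                return iv + _keystream_xor(self.key, iv, msg)

def recover_key(bb_key, ciphertexts):
    """Big-brother on the wire: one key bit per observed ciphertext, in order."""
    bits = [_leak_bit(bb_key, ct[:IV_LEN]) for ct in ciphertexts]
    out = bytearray(len(bits) // 8)
    for i, b in enumerate(bits):
        out[i // 8] |= b << (7 - i % 8)
    return bytes(out)

class StatefulSender:
    """Deterministic, stateful scheme: the nonce is a counter, so there is no randomness to bias."""
    def __init__(self, key):
        self.key, self.ctr = key, 0
    def encrypt(self, msg):
        nonce = self.ctr.to_bytes(IV_LEN, "big")
        self.ctr += 1
        return nonce + _keystream_xor(self.key, nonce, msg)

class StatefulReceiver:
    """Rejects any nonce that is not the next counter value, which is exactly what a
    subverted sender would have to emit to leak anything through the nonce."""
    def __init__(self, key):
        self.key, self.expected = key, 0
    def decrypt(self, ct):
        nonce = ct[:IV_LEN]
        if int.from_bytes(nonce, "big") != self.expected:
            raise ValueError("unexpected nonce: sender deviated from the counter")
        self.expected += 1
        return _keystream_xor(self.key, nonce, ct[IV_LEN:])

def demo_subversion(key_bytes=4):
    """True if big-brother recovers the first key_bytes of the key while every
    ciphertext still decrypts correctly for the user."""
    key, bb_key = os.urandom(16), os.urandom(32)
    enc = SubvertedEncryptor(key, bb_key)
    msgs = [b"message %02d" % i for i in range(key_bytes * 8)]
    cts = [enc.encrypt(m) for m in msgs]
    user_ok = all(decrypt(key, c) == m for c, m in zip(cts, msgs))
    return user_ok and recover_key(bb_key, cts) == key[:key_bytes]

def demo_stateful():
    """Returns (honest round trip succeeded, sender-chosen nonce was rejected)."""
    key = os.urandom(16)
    sender, receiver = StatefulSender(key), StatefulReceiver(key)
    ok = receiver.decrypt(sender.encrypt(b"first")) == b"first"
    chosen = (7).to_bytes(IV_LEN, "big")  # a sender picking its own nonce instead of the counter
    forged = chosen + _keystream_xor(key, chosen, b"x")
    try:
        receiver.decrypt(forged)
        rejected = False
    except ValueError:
        rejected = True
    return ok, rejected
```

The subverted encryptor needs only about two IV samples per message on average, and nothing on the wire distinguishes its output from the honest scheme's; the only defense the user has is to remove the encryptor's freedom to choose, which is what the counter nonce and the receiver-side check do.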

Is the Open Wireless Movement a Security Risk?

In this era of mass surveillance, security practitioners have always told us to protect and encrypt our communications and networks, and in particular not to leave private Wi-Fi networks wide open.
It is always recommended to use strong passwords and encryption on wireless routers to safeguard the privacy and security of our web traffic and personal data.

Quite the contrary, says a group of activists: opening up your home Wi-Fi network need not cost you your privacy and could actually enhance it.
A new movement, dubbed the "Open Wireless Movement", is encouraging users to open up their private networks, or at least a small portion of the available bandwidth, to strangers. That sounds like an invitation to trouble, doesn't it?
After all, a stranger could consume a large share of your bandwidth or use your network for illicit activity, and open networks are exactly what criminals look for when they want to carry out attacks from someone else's connection.
AN IDEA - OPEN WIRELESS SERVICE FOR US, BY US
"The Open Wireless Movement is a coalition of Internet freedom advocates, companies, organizations, and technologists working to develop new wireless technologies and to inspire a movement of Internet openness," reads the group's own description.
"We are aiming to build technologies that would make it easy for Internet subscribers to portion off their wireless networks for guests and the public while maintaining security, protecting privacy, and preserving quality of access."
The OpenWireless.org website explains that a number of non-profit and pro-Internet-rights organizations, including the Electronic Frontier Foundation (EFF), Free Press, Mozilla and Fight for the Future, are collaborating to make this possible.
SHARING Wi-Fi PUBLICLY IN A CONTROLLED MANNER
The Electronic Frontier Foundation (EFF) is working on one such technology: free, open-source router firmware, dubbed "Open Wireless Router", which it plans to release at the Hackers on Planet Earth (HOPE X) conference in New York next month. The firmware lets you share a portion of your Wi-Fi network with anyone nearby without requiring a password.

The Open Wireless Router firmware lets the public use a small, predefined share of your bandwidth, enough for a passer-by to check Gmail, send messages or make a voice call from your private Wi-Fi, while discouraging multi-gigabyte downloads: freeloaders are limited to as little as 5 percent of your bandwidth. In my case that is 4GB out of 80GB in total. So it solves half of the problem.
PREVENTION FROM SNOOPING, FOR BOTH ENDS
One more problem: if we offer our private network to strangers, our own browsing experience could suffer. The EFF says the Open Wireless Router firmware prioritizes the owner's traffic over everyone else's, so the owner of the network should not experience any drop in performance.
The firmware is also built so that every guest connection is walled off from the others, reducing the threat of snooping between guests. Furthermore, the EFF argues that the movement will make it more difficult to tie an IP address to an individual. So that addresses the rest of the problem.
CYBER-CRIMINALS vs TECHNOLOGY
Now, let's see whether this effort turns out to be a boon for the general public or just one more avenue for cybercriminals to attack us. For now I have no idea how the EFF's "Open Wireless Router" will defend Wi-Fi owners if someone misuses their IP address for illegal activities or cyber attacks. As mentioned above, 5 percent of your bandwidth, 4GB in my case, would be enough for a cybercriminal to kick your ass.

Open Wireless Network

 I run an open wireless network at home. There's no password. There's no encryption. Anyone with wireless capability who can see my network can use it to access the internet.
To me, it's basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it's both wrong and dangerous.
I'm told that uninvited strangers may sit in their cars in front of my house, and use my network to send spam, eavesdrop on my passwords, and upload and download everything from pirated movies to child pornography. As a result, I risk all sorts of bad things happening to me, from seeing my IP address blacklisted to having the police crash through my door.
While this is technically true, I don't think it's much of a risk. I can count five open wireless networks in coffee shops within a mile of my house, and any potential spammer is far more likely to sit in a warm room with a cup of coffee and a scone than in a cold car outside my house. And yes, if someone did commit a crime using my network the police might visit (the Mumbai Taj hotel incident is one example), but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence.
This is not to say that the new wireless security protocol, WPA, isn't very good. It is. But there are going to be security flaws in it; there always are.

While none thought you could be successfully prosecuted just because someone else used your network to commit a crime, any investigation could be time-consuming and expensive. You might have your computer equipment seized, and if you have any contraband of your own on your machine, it could be a delicate situation. Also, prosecutors aren't always the most technically savvy bunch, and you might end up being charged despite your innocence.

In a less far-fetched scenario, the Recording Industry Association of America is known to sue copyright infringers based on nothing more than an IP address. The accuser's chance of winning is higher than in a criminal case, because in civil litigation the burden of proof is lower. And again, lawyers argue that even if you win it's not worth the risk or expense, and that you should settle and pay a few thousand dollars.
I remain unconvinced of this threat, though. The RIAA has conducted about 26,000 lawsuits, and there are more than 15 million music downloaders. Mark Mulligan of Jupiter Research said it best: "If you're a file sharer, you know that the likelihood of you being caught is very similar to that of being hit by an asteroid."
I'm also unmoved by those who say I'm putting my own data at risk, because hackers might park in front of my house, log on to my open network and eavesdrop on my internet traffic or break into my computers. This is true, but my computers are much more at risk when I use them on wireless networks in airports, coffee shops and other public places. If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much.
Yes, computer security is hard. But if your computers leave your house, you have to solve it anyway. And any solution will apply to your desktop machines as well.
Finally, critics say someone might steal bandwidth from me. Despite isolated court rulings that this is illegal, I've heard several stories of people who have been rescued from connectivity emergencies by open wireless networks in the neighborhood.
Similarly, I appreciate an open network when I am otherwise without bandwidth. If someone were using my network to the point that it affected my own traffic, I might want to do something about it; but as long as we're all polite, why should this concern me? Pay it forward, I say.
Certainly this does concern ISPs. Running an open wireless network will often violate your terms of service. But despite the occasional cease-and-desist letter and providers getting pissy at people who exceed some secret bandwidth limit, this isn't a big risk either. The worst that will happen to you is that you'll have to find a new ISP.
A company called Fon has an interesting approach to this problem. Fon wireless access points have two wireless networks: a secure one for you, and an open one for everyone else. You can configure your open network in either "Bill" or "Linus" mode: In the former, people pay you to use your network, and you have to pay to use any other Fon wireless network. In Linus mode, anyone can use your network, and you can use any other Fon wireless network for free. It's a really clever idea.
Security is always a trade-off.

Quadrennial Homeland Security Review Published

The second Quadrennial Homeland Security Review has been published by the Department of Homeland Security. At 100+ pages, I'm not going to be reading it, but I am curious if there's anything interesting in it.

HackRF and the NSA's Retro Reflectors

A group of researchers has reverse-engineered the NSA's retro reflectors and recreated them using software-defined radio (SDR):
An SDR Ossmann designed and built, called HackRF, was a key part of his work in reconstructing the NSA's retro-reflector systems. Such systems come in two parts – a plantable "reflector" bug and a remote SDR-based receiver.
One reflector, which the NSA called Ragemaster, can be fixed to a computer's monitor cable to pick up on-screen images. Another, Surlyspawn, sits on the keyboard cable and harvests keystrokes. After a lot of trial and error, Ossmann found these bugs can be remarkably simple devices – little more than a tiny transistor and a 2-centimetre-long wire acting as an antenna.
Getting the information from the bugs is where SDRs come in. Ossmann found that using the radio to emit a high-power radar signal causes a reflector to wirelessly transmit the data from keystrokes, say, to an attacker. The set-up is akin to a large-scale RFID-chip system. Since the signals returned from the reflectors are noisy and often scattered across different bands, SDR's versatility is handy, says Robin Heydon at Cambridge Silicon Radio in the UK. "Software-defined radio is flexibly programmable and can tune in to anything," he says.
The NSA devices are LOUDAUTO, SURLYSPAWN, TAWDRYYARD, and RAGEMASTER. Here are videos that talk about how TAWDRYYARD and LOUDAUTO work.
This is important research. While the information we have about these sorts of tools is largely from the NSA, it is fanciful to assume that they are the only intelligence agency using this technology. And it's equally fanciful to assume that criminals won't be using this technology soon, even without Snowden's documents. Understanding and building these tools is the first step to protecting ourselves from them.

Sunday, June 22, 2014

Enterprise log managers: An unusual but vital tool

Ultimately, the goal of enterprise log management (ELM) is to get your most critical events escalated to your operations staff to react and respond with the appropriate actions. In today’s enterprise, you would be culling through millions of events if you were not relying on ELM to correlate that information and point to what is most critical.
You may be asking, “Isn’t this security information and event management (SIEM)?” It’s not. Well, not entirely. ELM and SIEM are interrelated. SIEM is more concerned with the larger view of your overall security landscape, whereas ELM is focused on a specific element of security: “What is happening where?”
SIEM correlates data across varying data sources and environments for a more holistic view. ELM is a subset and critical component of a SIEM system. Not all companies require a SIEM system. However, most companies would benefit from an ELM solution. For the purposes of this article, we’ll stick to ELM. For more information on SIEM, I encourage you to download ISACA’s free SIEM white paper.

Corporate policies are put forth, as are the related controls, in an effort to deter or prevent undesirable activities. Translating the corporate policies into the solution and configuring the relationship between the policy, the controls and the data feeds from systems and applications that need to be monitored are foundational steps to build an ELM.

A measure of the quality of an ELM technology is how easy it is to interface with your critical systems. “How many different components does it understand?” so to speak. “How much technical expertise is required in order to make it deliver value?”

Use cases and setup

Privileged access monitoring is a classic example in which ELM gathers logs from various systems and creates a direct workflow to the operations staff, enabling them to take an action against items considered inappropriate.
For example, a domain admin logged in after an allowed change window and failed to authenticate several times in a row – an example of a potential brute force attack. The system must correlate those events and initiate the appropriate workflow, whatever that may be.
The processes established around the solution are just as important. The log management solution is only as good as the processes and teams that support it. Typically, this requires an engineering staff and an operations staff. The engineers build and configure the ELM so the right alerts are coming through.
The operations staff is then able to take the alerts and, ideally, do the “right thing”. Of course, the less mature your existing processes and workflows, the more iterations will be required. The events you consider taggable – the events you are interested in – must tie back to corporate policy. The basic premise that “thou shalt not access that which you are not allowed to access” will guide the rules you develop.
Activity will fall into one of three categories: transactions you don’t care about; transactions you want to know about; and transactions you want to take immediate action on.
For example, you might have miskeyed your password while attempting to log in. That type of transaction is not necessarily one to be concerned about.
However, if there are a thousand more attempts in the next 60 seconds, you should know something is suspicious. This example is likely to be a hacker trying to gain brute-force access to your valuable data. Flag it and determine what part of the organisation should receive the system workflow.
ELM can provide value through non-security use cases as well. There could be transactional activity that indicates a problem, such as multiple acknowledgement requests being generated as a result of a system glitch.
The sheer volume could saturate the network, acting as a denial of service attack. The ELM could flag this type of activity when it occurs, so that remediations can begin to happen in a preventive manner, potentially averting an outage of a critical service.
A virus on the network provides an opportunity for a good ELM to demonstrate intelligence. As the tool logs virus-induced events and correlates them together as a single outbreak, operations will be able to target the affected population proactively.
This approach, as is usually the case, can save hundreds or thousands of hours by solving the problem instead of addressing each incident reactively. Obviously, this becomes a compelling value statement, as ITIL has put forth for decades: the presence of multiple incidents occurring for similar reasons typically represents a problem that needs a solution.

Signs your company needs help 

Finally, while many of us assume what we're performing is "good enough" when it comes to streamlining log management, below are a few telltale signs that an organization's security log management process is in trouble. If more than one of these apply to your organization and the issues can't be rectified, it's time to call for outside help.
  • There is limited or no way of automating alerts of logs within the company.
    • If there is no way to alert on particular log events, the company won't know when it's had an incident.
  • Administrators don't understand what is being logged.
    • Not knowing what logs are coming from the systems is an issue.
    • Not knowing what level of auditing is enabled on the system is also a problem. This might lead to a false sense of security.
    • Not being able to log custom applications. Many systems and applications have custom logs that need to be parsed and stored. Verify that this is possible and happening.
    • Forgetting to log third-party, cloud, mobile and virtualization systems.
  • Performance issues are observed.
    • Slow database that doesn't allow for flexible reporting or searching.
    • No drill-down capabilities when searching for logs; speed is an issue.
    • Use of out-of-date equipment or single points of failure in hardware that would allow logs to be lost.
    • Not calculating the proper events per second (EPS) and losing logs due to saturation.
  • Correlating logs for search purposes is an issue.
    • Without correlation, log managers will try to create a handful of alerts or reports at best. Without this functionality, they can't see deeper into logs to search for security incidents.
  • There's no process in place for monitoring and analyzing logs.
    • No process for adding new systems to the log manager.
    • Unaware of what logs are missing or which systems are not sending logs.
    • No audits of systems to verify that logs are being collected from all systems.

Requisite Skills

The primary skill associated with successfully deploying an ELM is being able to translate business use cases into the ELM tool’s language.
If your environment deals with personally identifiable information, for example, privacy concerns are going to be one of the highest priorities. An understanding must exist of the systems generating the data and how those data relate to the company’s use cases.
For example, we don’t want people logging on as a local administrator in an Active Directory domain environment; therefore, the ELM would need to alert on the appropriate event ID.
As IT professionals, we know there will always be a technology that is not commonly known and will require additional work to develop the proper interface. The resources you assign as your solution delivery leads or engineers for an ELM deployment must understand how to translate your business logic into the technical speak of your IT landscape.
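The following is an added example, not code from the article or from any ELM product. It expresses the use cases described above (a domain admin failing repeatedly outside the change window, a burst of a thousand failed logons within 60 seconds, and a local Administrator logon in an AD environment) as stateful rules over constructed Windows Security events, and sorts each hit into the article's three tiers: ignore, want to know, take immediate action. Event IDs 4624 (logon success) and 4625 (logon failure) are the real Windows IDs; the domain name CORP, the 22:00-02:00 change window, the admin account list, the workflow queue names and the sample events are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Assumptions for the example, not facts from the article: the AD domain,
# the approved change window and the privileged accounts the rules watch.
AD_DOMAIN = "CORP"
CHANGE_WINDOW = (time(22, 0), time(2, 0))   # 22:00-02:00, wraps midnight
DOMAIN_ADMINS = {"jdoe-adm"}

# The article's three tiers of activity.
IGNORE, NOTIFY, ACT = "ignore", "notify", "act"


def in_change_window(ts):
    start, end = CHANGE_WINDOW
    t = ts.time()
    return t >= start or t < end


class Correlator:
    """Stateful rules over Windows Security events 4624 (success) / 4625 (failure)."""

    def __init__(self, burst_threshold=1000, burst_seconds=60, streak=3):
        self.burst_threshold = burst_threshold
        self.burst_window = timedelta(seconds=burst_seconds)
        self.streak = streak
        self.failures = defaultdict(deque)    # source IP -> recent failure timestamps
        self.admin_streak = defaultdict(int)  # admin account -> consecutive failures

    def process(self, ev):
        """Return (tier, reason, workflow_queue) for one event."""
        ts, eid, user = ev["ts"], ev["EventID"], ev["TargetUserName"]
        if eid == 4625:
            window = self.failures[ev["IpAddress"]]
            window.append(ts)
            while ts - window[0] > self.burst_window:   # slide the 60 s window
                window.popleft()
            if len(window) >= self.burst_threshold:
                return ACT, f"{len(window)} failures from {ev['IpAddress']} within {self.burst_window.seconds}s", "soc"
            if user in DOMAIN_ADMINS:
                self.admin_streak[user] += 1
                if self.admin_streak[user] >= self.streak and not in_change_window(ts):
                    return ACT, f"domain admin {user} failed {self.admin_streak[user]}x outside change window", "soc"
                return NOTIFY, f"domain admin {user} failed logon", "iam"
            return IGNORE, "single failed logon", None
        if eid == 4624:
            if user in DOMAIN_ADMINS:
                self.admin_streak[user] = 0            # success resets the streak
                if not in_change_window(ts):
                    return NOTIFY, f"domain admin {user} logged on outside change window", "iam"
            # A local account logs on with the host name, not the AD domain,
            # in TargetDomainName; that is how a local Administrator logon is spotted.
            if user.lower() == "administrator" and ev["TargetDomainName"].upper() != AD_DOMAIN:
                return ACT, f"local Administrator logon on {ev['TargetDomainName']}", "server-ops"
        return IGNORE, "", None


def build_sample_events():
    """Constructed sample events (not real log data), all at 09:00, outside the window."""
    base = datetime(2014, 6, 20, 9, 0, 0)

    def ev(eid, user, dom, ip, offset):
        return {"ts": base + offset, "EventID": eid, "TargetUserName": user,
                "TargetDomainName": dom, "IpAddress": ip}

    events = [ev(4625, "alice", AD_DOMAIN, "10.0.0.5", timedelta(0))]            # one typo: ignore
    events += [ev(4625, "jdoe-adm", AD_DOMAIN, "10.0.0.9", timedelta(seconds=i))
               for i in range(1, 4)]                                              # admin streak: act
    events += [ev(4625, "svc", AD_DOMAIN, "203.0.113.7", timedelta(minutes=5, milliseconds=50 * i))
               for i in range(1000)]                                              # 1000 in <60 s: act
    events.append(ev(4624, "Administrator", "FILESRV01", "10.0.0.9", timedelta(minutes=10)))  # local admin: act
    return events


def run(events):
    """Feed events through one correlator; keep only hits that reach a workflow."""
    c = Correlator()
    return [r for r in map(c.process, events) if r[0] != IGNORE]


if __name__ == "__main__":
    for tier, reason, queue in run(build_sample_events()):
        print(f"{tier:7} -> {queue}: {reason}")
```

Each rule is tied back to a policy statement the way the article describes: the change window and the "no local Administrator" rule are the corporate policy, the event IDs are the tool's language, and the workflow queue is the operations team that owns the response.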

Challenges

Scalability is the first challenge and biggest concern in architecting the solution. Most likely there will be significant amounts of data logged. Data retention policies and growth must also be considered.
Depending on your use cases, large portions of data may need to be held for very long periods of time. Therefore, consideration should be given to balancing your company’s tolerance for risk with its appetite for capital investment.
ELM systems typically work one of two ways: data intensive, which gathers all data to be analysed later and thus needs to scale accordingly; and limited collection, which has agents gather only the information considered “interesting.”
In the case of the former, storage will be a greater concern; for the latter, processing capabilities will need to be stronger to reduce the chances of introducing latency into transaction processing time.
Many ELM solutions do not use a communications protocol that provides a delivery guarantee, and instead use protocols such as UDP, which can result in some of the data getting lost. Technology and process verifications could be additional requirements to be factored into the design.
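As an added example (not from the article), one technical verification that covers UDP log transport: have each forwarder stamp a per-source counter on every message and let the collector account for gaps, late arrivals and duplicates. The JSON field names, the forwarder names and the simulated channel are assumptions; a real deployment would use whatever sequence field its forwarder supports, and the loss is simulated deterministically so the code runs offline.

```python
import json


def forwarder_batch(source, count, start=1):
    """Constructed datagrams from one forwarder: JSON with a per-source counter."""
    return [json.dumps({"src": source, "seq": start + i, "msg": f"event {start + i}"})
            for i in range(count)]


def lossy_channel(datagrams, drop_seqs=(), dup_seqs=(), delay_seqs=()):
    """Deterministic stand-in for UDP: drop, duplicate or delay chosen seqs."""
    out, delayed = [], []
    for d in datagrams:
        seq = json.loads(d)["seq"]
        if seq in drop_seqs:
            continue
        if seq in delay_seqs:
            delayed.append(d)          # delivered after everything else
            continue
        out.append(d)
        if seq in dup_seqs:
            out.append(d)
    return out + delayed


class GapDetector:
    """Collector-side bookkeeping: which seqs per source never arrived."""

    def __init__(self):
        self.first = {}          # source -> first seq seen (baseline)
        self.next_expected = {}  # source -> next seq we expect
        self.missing = {}        # source -> set of seqs skipped so far
        self.received = {}       # source -> unique messages accepted
        self.duplicates = {}     # source -> duplicates discarded

    def ingest(self, datagram):
        rec = json.loads(datagram)
        src, seq = rec["src"], rec["seq"]
        self.first.setdefault(src, seq)
        nxt = self.next_expected.get(src, seq)
        missing = self.missing.setdefault(src, set())
        if seq >= nxt:
            missing.update(range(nxt, seq))      # everything skipped is provisionally lost
            self.next_expected[src] = seq + 1
            self.received[src] = self.received.get(src, 0) + 1
        elif seq in missing:
            missing.discard(seq)                  # late arrival fills a gap
            self.received[src] = self.received.get(src, 0) + 1
        else:
            self.duplicates[src] = self.duplicates.get(src, 0) + 1
        return rec

    def report(self, src):
        """Summarise loss for one source as contiguous gap ranges and a ratio."""
        if src not in self.first:
            return {"expected": 0, "received": 0, "lost": 0, "gaps": [],
                    "duplicates": 0, "loss_ratio": 0.0}
        lost = sorted(self.missing[src])
        gaps = []
        for s in lost:
            if gaps and s == gaps[-1][1] + 1:
                gaps[-1] = (gaps[-1][0], s)     # extend the current run
            else:
                gaps.append((s, s))
        expected = self.next_expected[src] - self.first[src]
        return {"expected": expected, "received": self.received.get(src, 0),
                "lost": len(lost), "gaps": gaps,
                "duplicates": self.duplicates.get(src, 0),
                "loss_ratio": len(lost) / expected if expected else 0.0}


def demo():
    """Constructed scenario: one lossy forwarder and one clean one."""
    det = GapDetector()
    wire = lossy_channel(forwarder_batch("web01", 20),
                         drop_seqs={4, 5, 17}, dup_seqs={9}, delay_seqs={12})
    wire += lossy_channel(forwarder_batch("db01", 5))
    for d in wire:
        det.ingest(d)
    return {src: det.report(src) for src in ("web01", "db01")}


if __name__ == "__main__":
    for src, rep in demo().items():
        print(src, rep)
```

The report for a source is what the process side of the verification consumes: a loss ratio above an agreed threshold, or a gap that is never filled, is itself an event the ELM should raise, since a collector that silently loses 15% of a forwarder's messages undermines every rule built on top of it.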
Of course, well-defined expectations will determine the perceived success of the implementation. Implementing such a solution in a company that has limited policies and procedures will have little success, as there will be few rules to correlate the activity against.
Define your solution delivery success criteria early and make sure what you choose is measurable. Consider using a governance and management framework such as COBIT 5 to guide the initiative.

Conclusion

Some ELMs come with standard rule sets that can accelerate implementation. Recognising efforts to refine rule sets to reflect your organisation’s corporate policies will drive the migration from focused manual intervention to true problem management.
In this manner, not only will ELM implementers see a reduction in time spent resolving incidents, but their responsiveness will be seen as more proactive than reactive. As a result, these shops should see a reduction in incident management costs.
And of course, when implemented correctly, security issues will reduce overall and compliance abilities will improve.