If we didn't add another single acronym to the technical library of jargon there would already be enough to choke a horse. That there are conflicting ones that mean the same thing doesn't help add any clarity for the layman. Take, for example, SEIM or SIEM. One stands for Security Event and Information Management. The other stands for, conveniently, Security Information and Event Management.
What they are is this: systems that aggregate log data from across the devices, servers and applications on a network in order to gain insight from a comprehensive view of the available information. Rather than expecting technology staff to view log data in isolation, on a device-by-device basis, it is far more valuable, and less time-consuming, to look at it across contexts and in contrast to activity on other, interrelated systems.
This sounds pretty swell, doesn't it? The challenge is this: these solutions are complex and costly and are less appropriate for some businesses than others. How do you know it's a fit for your business? No one wants to bring a tank to a knife fight, but we also don't want to bring a knife to a tank battle.
Here's an analogy that illustrates the problem: it's easy to approach achieving better security the way some of us approach achieving better fitness. First we spend a lot of money on a "solution", typically a highly regarded one, and then expect to integrate it into our culture overnight.
Just like the new hotness in fitness equipment for the individual, SIEM or SEIM products are expensive solutions for businesses that likewise promise big returns. Like their fitness-oriented counterparts (for the sake of this post, anyway) they are often acquired the way we buy expensive health club memberships or workout equipment to use in our homes.
When we purchase the membership or equipment and then don't follow through by committing to use them, by building their value into our daily operational culture, they will have wasted our time and money and only contributed to our losing even more ground toward the goal. This often leads to greater frustration, and even resentment, while not reducing any risks or helping us integrate best practices into our culture of fitness or of information security management, as the case may be.
So it is with acquiring and paying for security components for your business – paying for it is just a small step and is no guarantee of results, let alone success.
Before even considering these tools, the fundamentals of log management need to be understood. If simple and elegant log management strategies are not working for you, we can take a look at how they can be improved before taking further action. I often field questions about this, so I've written some things down to help us better understand them before making a decision about whether these more complex solutions are actually appropriate for your business or not.
Let's keep in mind one crucial thing that should not be ignored: successful attacks on the systems that power business rarely look like attacks at first. Only by going back and looking at the evidence in aggregate can we gain any insight into the mechanics of a successful breach.
If attacks did reliably look like attacks, we could automate every single security measure available without ever involving any humans at all. That would be nice but, for the average bear, it's not possible for a number of reasons: it is cost prohibitive and just plain kludgy. That's a highly technical term that means, in this context, "not fully functional without proper and extensive configuration, documentation and management."
Still, there is no way around it: it's critical to know what's happening on your network by keeping in touch with what's going on in your log files, and with what things look like when they are going well and when they are not. Logs are most often the only way to detect attacks while they are happening (not to mention for tuning overall performance and reliability), and especially after attacks have already happened. Let's face it: most of the time, no one notices they have been hacked until after the fact and, not uncommonly, they hear about it from someone else.
For example, someone who doesn't know any better (more common than you think) might look at log data for the first time and mistake their own network and system administrators for hackers or, conversely, overlook blatantly malicious behavior without knowing it.
Reasons for this? Far too commonly, regular maintenance activities use greater privileges than required, via shared and generically named accounts such as "admin" or "root", in order to make changes that could otherwise appear to be malicious. Seen in a log file, a privilege escalation and a configuration change by "root" from an unfamiliar address looks the same whether it was the Tuesday patch run or an intruder. This is one of dozens of reasons why it is important to have more information and insight surrounding logging data, simply in order to distinguish between friendly and malicious behavior in these complex environments. The more complex the environment, the more rats-nesty the logging will typically be. That's a highly technical phrase for "tough to keep track of."
SEIM or SIEM is a fancy way of talking about looking at a network through a larger lens. Looking at log data from individual devices alone, in addition to being time consuming when done one-by-one, only offers a one-dimensional view.
Here are some examples:
- A Network Intrusion Detection System (IDS) only cares about packets: the protocols they use and the source and destination IP addresses they travel between.
- An Endpoint Security system only cares about the files and processes on each host and the usernames running them.
- Local logs on servers show user sessions, transactions in databases, configuration changes and related items, but only for that one server.
- File Integrity Monitoring (FIM) systems watch only for changes to files, typically operating system binaries and configuration.
- A Database Activity Monitoring (DAM) system only cares about the database: which account ran which query against which data, and when.
None of these alone can tell us what is happening inside and outside your network and/or your business. This is why there is so much interest in these tools in the past few years: they offer deep insight into the interrelated context of these devices and services. Companies of all shapes and sizes use them, but it is also important to note that not all of them are using them effectively.
SIEM or SEIM has not always existed. The security industry has only in recent years settled on "SIEM" for this type of solution. It actually evolved from several separate but complementary solutions that preceded it:
- LMS - "Log Management System" - this is a system that collects and stores logs from multiple hosts and systems in a single location. Centralized access to logs saves time in manual review and provides an additional layer of security: a copy of the log data lives off the local device, so an attacker who compromises that device cannot quietly alter or delete the only record of what they did.
- SLM/SEM - "Security Log/Event Management" - this is similar to an LMS but adds features for security analysts focused on reviewing the data. SEM highlights log entries according to rules that earmark events likely to be more significant to security than others.
- SIM - "Security Information Management" - this is a glorified asset management system, more or less, but with features to incorporate security best practices. Vulnerability reports for each asset are embedded in the log summaries, alongside intrusion detection and antivirus alerts.
- SEC - "Security Event Correlation" - this solution takes a step towards connecting otherwise unrelated events. For example, a particular piece of software logs three failed login attempts to the same user account from three different clients. In a log file, these are three separate events. To an analyst, it is a sequence of events worthy of investigation. Log correlation engines (which look for patterns across log entries) are equipped with rules that raise alerts when these behaviors are captured.
- SIEM or SEIM - "Security Information and Event Management" or "Security Event and Information Management" - regardless of how you prefer to arrange the "Information" and the "Event", this is "all of the above." As you can imagine if you've read this far, as the technologies listed above began to merge into single products, SIEM/SEIM became the term for managing information generated from both security and production infrastructure. SIEM or SEIM. No, no one says "See 'em." We typically spell it out S-I-E-M, but do whatever you like.
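As an added illustration of the correlation rule described in the SEC bullet above (example code written for this post, not the code of any SIEM product), here is the "three failed logins to one account from three different clients" rule run over constructed sshd-style log lines. The log lines, the thresholds, the five-minute window and the small asset-context table (which addresses are a jump host or a workstation) are all assumptions made for the example; the context lookup stands in for the infrastructure knowledge a SIEM layers on top of raw events so an analyst can tell a maintenance host from an unknown client without looking it up by hand.

```python
"""Added example for this post (not any SIEM vendor's code): the "three failed logins,
three different clients" correlation rule from the SEC bullet, run over constructed
sshd-style log lines, with a small asset-context lookup of the kind a SIEM adds on top.
Field names, thresholds and the sample addresses are assumptions made for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in sshd/syslog style (no year, as real syslog omits it).
SAMPLE_LOG = """\
Mar 10 08:01:11 web01 sshd[2201]: Failed password for alice from 10.0.0.5 port 51022 ssh2
Mar 10 08:01:14 web01 sshd[2203]: Failed password for alice from 10.0.0.6 port 51030 ssh2
Mar 10 08:01:19 web01 sshd[2208]: Failed password for alice from 10.0.0.7 port 51041 ssh2
Mar 10 08:01:25 web01 sshd[2210]: Accepted password for alice from 10.0.0.7 port 51041 ssh2
Mar 10 08:15:00 web01 sshd[2300]: Failed password for bob from 10.0.0.9 port 40001 ssh2
Mar 10 08:15:02 web01 sshd[2301]: Failed password for bob from 10.0.0.9 port 40002 ssh2
Mar 10 08:15:05 web01 sshd[2302]: Failed password for bob from 10.0.0.9 port 40003 ssh2
Mar 10 09:00:00 web01 sshd[2400]: Failed password for carol from 10.0.0.5 port 50000 ssh2
Mar 10 11:00:00 web01 sshd[2500]: Failed password for carol from 10.0.0.6 port 50001 ssh2
Mar 10 13:00:00 web01 sshd[2600]: Failed password for carol from 10.0.0.7 port 50002 ssh2
"""

# Assumed asset context a SIEM would hold about the network; used to enrich alerts so the
# analyst can tell a jump host from an unknown client without looking it up by hand.
ASSET_CONTEXT = {"10.0.0.7": "ops jump host", "10.0.0.9": "office workstation"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(line, year=2024):
    """Turn one sshd line into an event dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "src": m["src"], "outcome": m["outcome"]}


def correlate(lines, failures=3, distinct_sources=3, window=timedelta(minutes=5),
              context=ASSET_CONTEXT):
    """Alert when one account sees >= `failures` failed logins from >= `distinct_sources`
    client addresses inside `window`. Severity is raised to "high" if a successful login
    for that account follows within the same window (the sequence an analyst cares about)."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        fails = [e for e in evs if e["outcome"] == "Failed"]
        for i, first in enumerate(fails):
            # Slide a window starting at each failure; the slow-and-low case (carol) never
            # fits three failures into one window and is deliberately not alerted here.
            in_window = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            sources = {f["src"] for f in in_window}
            if len(in_window) < failures or len(sources) < distinct_sources:
                continue
            last = in_window[-1]["ts"]
            success = next((e for e in evs if e["outcome"] == "Accepted"
                            and last <= e["ts"] <= first["ts"] + window), None)
            alerts.append({
                "user": user,
                "host": first["host"],
                "first_failure": first["ts"],
                "last_failure": last,
                "failures": len(in_window),
                "sources": {s: context.get(s, "unknown client") for s in sorted(sources)},
                "followed_by_success_from": success["src"] if success else None,
                "severity": "high" if success else "medium",
            })
            break  # one alert per account per window is enough; don't re-fire on each event
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(a)
```

Run on the sample, only "alice" fires: three failures from three addresses inside fourteen seconds, followed by a success from the address the context table labels as the jump host, which is exactly the kind of detail that lets an analyst decide whether this was an administrator fumbling a password or a stolen credential being used from a trusted box. "bob" does not fire because all three of his failures came from one client, and "carol" does not fire because her three failures are hours apart. Both of those are detectable, but each needs its own rule and its own window, which is the point the post makes about feeding and tuning a SIEM rather than just switching it on.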
Think of SIEM/SEIM as another layer above existing systems and security controls that watches everything happening, collecting information about events in as informed a way as possible. SIEM unifies information from otherwise disconnected systems, so that what each of them collects can be analyzed and cross-referenced in a single location. Yes, SIEM is only as useful as the information we put into it, which is why how we use it matters as much as, if not more than, the fact that it is in use. Revisit the first paragraph for context.
Yes, this is always a complicated dance. A SIEM has to look at a log entry together with the "many moving parts" around it in order to make valid decisions about what constitutes legitimate versus invalid, or malicious, activity on the network.
By itself, SIEM/SEIM is not a security control: it blocks nothing, and it detects only what its inputs and its rules allow it to detect. It is a tool that consolidates and magnifies any and all security technologies you already have in place, making them potentially exponentially more effective. Heavy emphasis on the potentially, because this also means generating massive amounts of information that often requires a dedicated resource to draw real insights from. Think about that for a moment.
SEIM/SIEM collects logs from everywhere and maps insights about infrastructure and business processes to those logs. It empowers technical personnel to make more reasoned and informed decisions about activities on the network in real-time in order to determine any potential impact on integrity and business continuity.
SEIM/SIEM is a single portal to all activity on a network. It decouples humans from the time suck of investigating each and every log individually on each and every device, even on syslog servers, and it can reduce the need for personnel to have product-specific knowledge about the security capabilities of every disparate device on your network.
The critical consideration is defining and then feeding the SEIM/SIEM the logs it needs to make it the most effective for each unique environment, as each one is far too "snowflakey" for a one-size-fits-all solution.
Buying these solutions, if done without careful consideration, can lead to more complexity in the environment, rather than less, punctuated by a lack of understanding how to generate value from all the information being collected. That information adds up quickly, too, so managing it and the return gained from doing so has to be worth the effort.
We offer an advanced cybersecurity program that's friendly, flexible, and smart enough to anticipate your needs for the right acronyms and none of the ones you don't need. Learn more about our approach to better security and get in touch.