In our recent article about endpoint security “getting its sexy back”, one point that Neil Campbell, general manager for security at Dimension Data made, which I decided not to include, was about the future of SIEM.
He said: “At the moment, security incident and event management (SIEM) technology is about reporting and not control, and it needs to expand to control and remediation or the point players will disappear as they are looking for security that fits into an ecosystem that centralises convenience across all layers.
“This is the future of the SIEM and the next logical expansion. If they are looking for a way to differentiate themselves from the competition, they have to branch to the other side of incident response.”
Not that there was anything incorrect in what he said, but I thought it required further investigation and interpretation. I asked Campbell what he meant by SIEM becoming an endpoint control. He said it wasn’t about SIEM becoming a form of intrusion detection or prevention, as that is just another information source for a SIEM.
“What I mean is that SIEMs will expand their capability (and are already starting to) into the realm of remediation, as sometimes it’s not good enough just to be alerted to an incident; you want to automatically respond to an incident with policy changes,” he said.
“Keep in mind that SIEM is good for identifying situations where a single event, which may normally seem innocuous, becomes far more of a concern when matched to certain other events in the environment.”
He explained that as a SIEM is connected to all of the key devices in a client’s environment, it makes sense to extend that connection to control as it receives event data.
“Once you have the ability to control a response to a given set of circumstances, it’s not a major leap for SIEM platform developers to use a SIEM to set policy centrally on the network,” he said.
At the moment, SIEM is good at saying “I see an incident that you should look more closely at”, but Campbell predicted that they will move to “I see an incident and I am taking the action that you told me I should when this happens”. In the future, he said this will move to “I have configured your network and applications to enforce the policies that you set and I’m now watching for incidents and will respond to those that you’ve told me to”.
Well, we can wait and see, but I asked Piers Wilson, head of product management at Tier-3 Huntsman, who recently described the company’s approach to SIEM, what he thought of this potential direction.
He said that he thought that the “direction of travel is right”, as there is certainly call for more intelligent SIEM technology that goes beyond just ticking compliance boxes, writing reports and detecting pre-programmed combinations of events.
He said: “We’ve seen (and in fact were originally conceived to address) a need for more in-depth analytics, better anomaly detection and real-time capability. It is true that having the ability to respond when problems are detected is useful, although much of the demand for this we are seeing is not to carry out direct blocking or active sets of operations – i.e. leaving humans out of the decision-making loop completely – it is more subtle than that.
“A more intelligent response, and one we subscribe to, is to anticipate the questions the security analyst will ask, and judge what information they will need to make a decision. Automatically gathering that data at the time of an alert (which might have come from an IPS, say) and carrying out the analysis on their behalf means the operator is able to rapidly confirm a real attack and respond, or safely judge something as a false positive.”
Wilson called this an orchestration and process enforcement role. Coupled with a tool set that allows pre-programmed actions to avert the attack, disable a rogue account, block a leak or contain a problem, with the safety net of an audit trail and regression capability, a really slick and effective workflow can be built.
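To make the two ideas above concrete, here is an added example, written for this article and not code from Dimension Data, Tier-3 Huntsman or any SIEM product. It implements Campbell’s point that a single innocuous event (a successful login) only becomes an incident when correlated with other events (a burst of preceding failures from the same user and source), and then shows the staged response he and Wilson describe: an alert-only policy that keeps the analyst in the loop, an automatic containment policy that runs pre-programmed actions, and in both cases the context gathering and audit trail Wilson calls for. The sample events, the three-failure threshold, the time windows, the rule name `brute_force_success` and the action handlers are all constructed assumptions; the handlers only record what a real deployment would do via a directory, firewall or EDR API.

```python
"""Toy SIEM correlation-and-response loop over constructed sample events."""
from datetime import datetime, timedelta

FAIL_THRESHOLD = 3                       # assumed: failures that make a later success suspicious
CORRELATION_WINDOW = timedelta(minutes=5)  # assumed: how far back the rule looks
CONTEXT_WINDOW = timedelta(minutes=10)     # assumed: how much context to pre-fetch for the analyst

# Constructed sample events (not from any real system). Timestamps are ISO 8601, UTC.
SAMPLE_EVENTS = [
    {"ts": "2014-03-01T09:00:01", "type": "auth_fail", "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2014-03-01T09:00:09", "type": "auth_fail", "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2014-03-01T09:00:17", "type": "auth_fail", "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2014-03-01T09:00:25", "type": "auth_fail", "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2014-03-01T09:00:40", "type": "auth_ok",   "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2014-03-01T09:01:10", "type": "new_admin", "user": "alice", "src_ip": "203.0.113.7"},
    # A benign login with nothing preceding it: must not raise an incident.
    {"ts": "2014-03-01T09:05:00", "type": "auth_ok",   "user": "bob",   "src_ip": "10.0.0.5"},
    # One typo then success: below threshold, must not raise an incident.
    {"ts": "2014-03-01T09:06:00", "type": "auth_fail", "user": "carol", "src_ip": "198.51.100.3"},
    {"ts": "2014-03-01T09:06:30", "type": "auth_ok",   "user": "carol", "src_ip": "198.51.100.3"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, threshold=FAIL_THRESHOLD, window=CORRELATION_WINDOW):
    """A successful login is innocuous on its own; flag it only when the same
    user/source pair produced at least `threshold` failures in the preceding window."""
    ordered = sorted(events, key=_ts)
    incidents = []
    for i, ev in enumerate(ordered):
        if ev["type"] != "auth_ok":
            continue
        fails = [p for p in ordered[:i]
                 if p["type"] == "auth_fail"
                 and p["user"] == ev["user"] and p["src_ip"] == ev["src_ip"]
                 and _ts(ev) - _ts(p) <= window]
        if len(fails) >= threshold:
            incidents.append({"rule": "brute_force_success", "user": ev["user"],
                              "src_ip": ev["src_ip"], "trigger": ev, "failures": len(fails)})
    return incidents


def enrich(incident, events, window=CONTEXT_WINDOW):
    """Pre-fetch what the analyst would ask for next: everything the same user or
    source did around the trigger, so a real attack or a false positive is judged quickly."""
    t0 = _ts(incident["trigger"])
    return [e for e in events
            if (e["user"] == incident["user"] or e["src_ip"] == incident["src_ip"])
            and abs(_ts(e) - t0) <= window]


# Simulated control handlers (assumption: a real deployment calls the directory,
# firewall or EDR API here). Each returns an audit record naming the reverse action,
# so every automatic step can be reviewed and rolled back.
ACTIONS = {
    "disable_account": lambda inc: {"action": "disable_account", "target": inc["user"],
                                    "undo": "enable_account"},
    "block_ip": lambda inc: {"action": "block_ip", "target": inc["src_ip"],
                             "undo": "unblock_ip"},
}


def respond(incident, policy, audit):
    """Apply the operator-defined policy for the rule: 'alert' keeps the human in the
    loop, 'auto' runs the listed actions. Both write to the audit trail."""
    rule_policy = policy.get(incident["rule"], {"mode": "alert", "actions": []})
    audit.append({"event": "alert", "rule": incident["rule"], "user": incident["user"]})
    taken = []
    if rule_policy["mode"] == "auto":
        for name in rule_policy["actions"]:
            record = ACTIONS[name](incident)
            audit.append(record)
            taken.append(record["action"])
    return taken


def run_siem(events, policy):
    """Correlate, enrich and respond; returns (incidents with context, audit trail)."""
    audit, results = [], []
    for inc in correlate(events):
        inc["context"] = enrich(inc, events)
        inc["actions_taken"] = respond(inc, policy, audit)
        results.append(inc)
    return results, audit


ALERT_ONLY = {"brute_force_success": {"mode": "alert", "actions": []}}
AUTO_CONTAIN = {"brute_force_success": {"mode": "auto",
                                        "actions": ["disable_account", "block_ip"]}}

if __name__ == "__main__":
    for label, pol in (("alert-only", ALERT_ONLY), ("auto-contain", AUTO_CONTAIN)):
        incidents, audit = run_siem(SAMPLE_EVENTS, pol)
        for inc in incidents:
            print(f"[{label}] {inc['rule']}: {inc['user']} from {inc['src_ip']} "
                  f"after {inc['failures']} failures; actions={inc['actions_taken']}")
            print("  context:", [(e['ts'][11:], e['type']) for e in inc["context"]])
        print("  audit:", audit)
```

The same detection produces the same incident under both policies; only the policy decides whether the SIEM stops at “look at this” or goes on to “I have taken the action you told me to”. Note that the context handed to the analyst includes the `new_admin` event that follows the login, which the correlation rule itself never looked at, and that every automatic action carries its reverse so the audit trail is also an undo list.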
Joe Schreiber, director of solutions architecture at AlienVault, told IT Security Guru that he wishes that there were a better name for SIEM, perhaps something like “Management and Automation of Great Information and Compliance” (MAGIC), but perhaps SIEM has a perception problem.
“It’s often seen as a daunting tool, requiring teams of people to set it up, teams of people to manage it and a PhD to understand its output,” he said. “Like many things misunderstood, once you get to know them you realise they aren’t as intimidating as you anticipated.
“SIEM at its core is really an automation tool. Often the result of this automation is an alert/alarm for someone to investigate but this process can be used for so much more. Like any good tool, SIEM can save you time and with limited resources time is precious.”
Yes, it works, and it is seen as a reactive option, but could this be a way forward for SIEM to participate in the protection of endpoints? What Campbell said does make some sense, as that is where the intelligence is, but who makes the change – the vendor who makes the product, the administrator who runs it, or the CISO who makes the investment?