Is the Current Generation of SIEM Tools Up to the Task?
April 27, 2012
- Enterprises are evolving their expectations of SIEM technology from a compliance check box item to security operations management.
- Enterprises should ask their SIEM suppliers hard questions about their ability to scale cost effectively and provide meaningful analytics without requiring a new and expensive expert well versed in both security and big data.
Despite the maturity of the security information and event management (SIEM) market and some consolidation in recent years, there are still a large number of vendors. At the same time, the market continues to grow at double-digit rates, with the most current growth rates projected at about 15% annually.
Initial investments made in SIEM were driven by the desire to make the auditors go away happy, knowing that the organization met all the required mandates of government or industry regulations such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, PCI, and so on.
There’s a saying one pundit used to describe the situation: You may or may not get hacked, but you WILL get fined. For a lot of organizations that initially invested in SIEM tools to put an x in the compliance check box, the reverse is now true: You will get hacked, but you most likely will not get fined. Most security personnel now believe that they have been breached, or if they have not, they are about to be breached. Just this week, the latest in a series of breach headlines trumpeted the theft of source code from VMware and Facebook. It begs the question: Who’s next?
Even though compliance mandates are supplying the budget for SIEM deployments, enterprises are actually looking to leverage the tools to stand up a more comprehensive security operation in the hope of more quickly discovering and shutting down the low-and-slow or targeted attacks dominating the headlines.
Large security vendors such as IBM and McAfee are responding by beefing up the SIEM products they acquired last fall, adding in more contextual threat and user identity information to the SIEM, as well as enhanced analytics, to help speed discovery and remediation of stealth attacks. There are several questions that enterprise security personnel need to ask in evaluating these enhancements. Can the current architecture of these SIEM tools scale effectively to make use of this huge increase in the amount of data they collect and massage? Are these vendors providing adequate analytics to enable security analysts to find and remediate these breaches quickly and efficiently? Finally, if those enhanced solutions require significantly more investment (above and beyond the initial investment) in hardware, software, and expertise, how can I justify the cost?