5 reasons why SIEM is more important than ever

By Dave Pack, CISSP, manager, knowledge engineering, LogRhythm Inc., special to Network World
August 12, 2011 10:42 AM ET
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note that it will likely favor the submitter's approach. 

IT environments are growing ever more distributed, complex and difficult to manage, making the role of security information and event management (SIEM) technology more important than ever. Here's why.

* Compliance: Almost every business is bound by some sort of regulation, such as PCI-DSS, HIPAA and Sarbanes-Oxley (SOX). Attaining and maintaining compliance with these regulations is a daunting task. SIEM technologies can address compliance requirements both directly and indirectly.

Virtually every regulatory mandate requires some form of log management to maintain an audit trail of activity. SIEMs provide a mechanism to rapidly and easily deploy a log collection infrastructure that directly supports this requirement, allowing both instant access to recent log data and archival and retrieval of older log data. Alerting and correlation capabilities also satisfy routine log-review requirements, an otherwise tedious and daunting task when done manually.

In addition, SIEM reporting capabilities provide audit support to verify that certain requirements are being met. Most SIEM vendors supply packaged reports that directly map to specific compliance regulations. These can be run with minimal configuration, and will aggregate and generate reports from across the enterprise to meet audit requirements.

* Operations support: The size and complexity of today's enterprises are growing exponentially, along with the number of IT personnel needed to support them. Operations are often split among different groups such as the Network Operations Center (NOC), the Security Operations Center (SOC), the server team, the desktop team, etc., each with its own tools to monitor and respond to events. This makes information sharing and collaboration difficult when problems occur. A SIEM can pull data from disparate systems into a single pane of glass, allowing for efficient cross-team collaboration in extremely large enterprises.
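The "single pane of glass" above rests on normalization: every source's log lines are mapped into one common event schema before anyone queries them. The following is an added example, not code from the article or from LogRhythm, that normalizes three constructed log formats (a Linux sshd syslog line, a flattened Windows security event, and a firewall verdict line) into one schema and then answers a cross-team question over all of them. The line formats, host names, the assumed syslog year and the sample addresses are all constructed for illustration.

```python
# Added example (not from the article or any vendor product): normalize events
# from three constructed log formats into a single schema, then query across them.
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class Event:
    ts: datetime
    source: str            # "linux_sshd", "windows_security" or "firewall"
    host: str              # system that produced the record
    action: str            # "login" or "connection"
    outcome: str           # "success", "failure", "blocked" or "info"
    user: Optional[str]
    src_ip: Optional[str]
    dst_ip: Optional[str]
    raw: str               # original line, kept for audit trail purposes


SYSLOG_YEAR = 2011  # classic syslog timestamps carry no year; assumed for the samples

# Linux sshd via syslog (format as seen on real systems; sample lines are constructed)
RE_SSHD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<res>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
# Windows security event flattened to key=value pairs (constructed export format)
RE_WIN = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)")
# Firewall verdict line (constructed format)
RE_FW = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<verdict>DENY|PERMIT) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+")


def _iso(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z as UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize(line: str) -> Optional[Event]:
    """Map one raw line to the common schema; return None for unknown formats."""
    if m := RE_SSHD.match(line):
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        outcome = "success" if m["res"] == "Accepted" else "failure"
        return Event(ts, "linux_sshd", m["host"], "login", outcome, m["user"], m["ip"], None, line)
    if m := RE_WIN.match(line):
        # 4624 = successful logon, 4625 = failed logon (Windows security event IDs)
        outcome = {"4624": "success", "4625": "failure"}.get(m["eid"], "info")
        return Event(_iso(m["ts"]), "windows_security", m["host"], "login", outcome,
                     m["user"], m["ip"], None, line)
    if m := RE_FW.match(line):
        outcome = "blocked" if m["verdict"] == "DENY" else "success"
        return Event(_iso(m["ts"]), "firewall", m["host"], "connection", outcome,
                     None, m["src"], m["dst"], line)
    return None


def normalize_all(lines: List[str]) -> List[Event]:
    """Normalize every line the collector understands; unparsable lines are dropped."""
    return [e for e in (normalize(l) for l in lines) if e is not None]


def failed_logins_by_ip(events: List[Event]) -> Counter:
    """Count failed logins per source address across Linux and Windows alike."""
    return Counter(e.src_ip for e in events if e.action == "login" and e.outcome == "failure")


def sources_seen_for_ip(events: List[Event], ip: str) -> List[str]:
    """Cross-team view: which source types (NOC firewall, server team, SOC) saw this address?"""
    return sorted({e.source for e in events if e.src_ip == ip})


# Constructed sample lines; 203.0.113.0/24 and 10.0.0.0/8 are documentation/private ranges.
SAMPLE_LINES = [
    "Aug 12 10:42:01 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 4422 ssh2",
    "Aug 12 10:42:03 web01 sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 4423 ssh2",
    "2011-08-12T10:42:05Z host=dc01 EventID=4625 TargetUserName=bob IpAddress=203.0.113.5",
    "2011-08-12T10:42:07Z fw01 DENY src=203.0.113.5 dst=10.0.0.20 dport=445",
    "2011-08-12T10:42:09Z host=dc01 EventID=4624 TargetUserName=alice IpAddress=10.0.0.7",
    "this line is in a format the collector does not understand",
]

if __name__ == "__main__":
    evs = normalize_all(SAMPLE_LINES)
    print(len(evs), "events normalized")
    print("failed logins by source IP:", dict(failed_logins_by_ip(evs)))
    print("sources that saw 203.0.113.5:", sources_seen_for_ip(evs, "203.0.113.5"))
```

Keeping the raw line on every normalized event is deliberate: the normalized fields serve queries and correlation, while the untouched original is what an auditor or forensic reviewer wants to see.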

* Zero-day threat detection: New attack vectors and vulnerabilities are discovered every day. Firewalls, IDS/IPS and AV solutions all look for malicious activity at various points within the IT infrastructure, from the perimeter to endpoints. However, many of these solutions are not equipped to detect zero-day attacks. A SIEM can detect activity associated with an attack rather than the attack itself. For instance, a well-crafted spear-phishing attack using a zero-day exploit has a high likelihood of making it through spam filters, firewalls and antivirus software, and being opened by a target user.

A SIEM can be configured to detect activity surrounding such an attack. For example, a PDF exploit generally causes the Adobe Reader process to crash. Shortly thereafter, a new process will launch that either listens for an incoming network connection or initiates an outbound connection to the attacker. Many SIEMs offer enhanced endpoint monitoring capabilities that keep track of processes starting and stopping and network connections opening and closing. By correlating process activity and network connections from host machines, a SIEM can detect attacks without ever having to inspect packets or payloads. While IDS/IPS and AV do what they do well, a SIEM provides a safety net that can catch malicious activities that slip through traditional defenses.
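The sequence just described (reader crash, then a new process, then that process listening or connecting out, all on one host within a short window) is exactly the kind of rule a SIEM correlation engine evaluates. Below is an added example, not code from the article or from any vendor's rule set, implementing that rule over constructed endpoint-monitoring events. The process names, the five-minute window and the allowlist of processes that legitimately start after a crash (the Windows Error Reporting helper) are assumptions to be tuned for a real environment; the event stream is constructed for the demonstration.

```python
# Added example (not from the article or any vendor product): a correlation rule
# over constructed endpoint events implementing "reader crash -> new process ->
# that process listens or connects out" on a single host within a time window.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class EndpointEvent:
    ts: datetime
    host: str
    kind: str       # "process_crash", "process_start", "net_listen" or "net_connect"
    process: str    # image name as reported by the endpoint agent
    pid: int
    detail: str = ""  # free text: parent process, remote address, listening port


@dataclass
class Alert:
    host: str
    crashed: str            # the reader process that crashed
    suspect: str            # the process that appeared afterwards and touched the network
    pid: int
    network: str            # what it did on the network
    evidence: List[EndpointEvent]


READER_PROCESSES = {"AcroRd32.exe", "Acrobat.exe"}   # assumed image names
BENIGN_AFTER_CRASH = {"WerFault.exe"}                # assumed: crash handler, expected after any crash
WINDOW = timedelta(minutes=5)


def correlate(events: List[EndpointEvent], window: timedelta = WINDOW) -> List[Alert]:
    """Fire one alert per suspect process when, on the same host, a reader process
    crashes, a new (non-allowlisted) process starts inside the window, and that
    same pid then listens or connects out, also inside the window."""
    by_host: Dict[str, List[EndpointEvent]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):       # rule assumes time order
        by_host.setdefault(e.host, []).append(e)

    alerts: List[Alert] = []
    for host, evs in by_host.items():
        for i, crash in enumerate(evs):
            if crash.kind != "process_crash" or crash.process not in READER_PROCESSES:
                continue
            started: Dict[int, EndpointEvent] = {}      # pid -> start event seen after the crash
            for later in evs[i + 1:]:
                if later.ts - crash.ts > window:
                    break                                # everything after this is outside the window
                if later.kind == "process_start" and later.process not in BENIGN_AFTER_CRASH:
                    started[later.pid] = later
                elif later.kind in ("net_listen", "net_connect") and later.pid in started:
                    alerts.append(Alert(host, crash.process, later.process, later.pid,
                                        f"{later.kind} {later.detail}",
                                        [crash, started[later.pid], later]))
                    del started[later.pid]               # one alert per suspect process
    return alerts


def _t(hms: str) -> datetime:
    """Helper for building constructed timestamps on a single day."""
    return datetime.strptime(f"2011-08-12 {hms}", "%Y-%m-%d %H:%M:%S")


# Constructed event stream: one host matching the pattern, one host with a benign
# process that talks to the network without any crash, one host where the new
# process appears only after the window has closed.
SAMPLE_EVENTS = [
    EndpointEvent(_t("10:00:00"), "ws17", "process_crash", "AcroRd32.exe", 4012, "exit=0xC0000005"),
    EndpointEvent(_t("10:00:02"), "ws17", "process_start", "WerFault.exe", 4100, "parent=AcroRd32.exe"),
    EndpointEvent(_t("10:00:05"), "ws17", "process_start", "svchosts.exe", 4120, "parent=AcroRd32.exe"),
    EndpointEvent(_t("10:00:09"), "ws17", "net_connect", "svchosts.exe", 4120, "203.0.113.9:443"),
    EndpointEvent(_t("10:10:00"), "ws22", "process_start", "outlook.exe", 500, "parent=explorer.exe"),
    EndpointEvent(_t("10:10:05"), "ws22", "net_connect", "outlook.exe", 500, "10.0.0.25:443"),
    EndpointEvent(_t("10:20:00"), "ws30", "process_crash", "AcroRd32.exe", 7001, "exit=0xC0000005"),
    EndpointEvent(_t("10:30:00"), "ws30", "process_start", "update.exe", 7100, "parent=explorer.exe"),
    EndpointEvent(_t("10:30:01"), "ws30", "net_listen", "update.exe", 7100, "0.0.0.0:8080"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT host={a.host} crashed={a.crashed} suspect={a.suspect} pid={a.pid} {a.network}")
        for ev in a.evidence:
            print(f"   {ev.ts.time()} {ev.kind:14} {ev.process} pid={ev.pid} {ev.detail}")
```

The allowlist and the window are where such a rule lives or dies operationally: a crash handler starting after every crash would otherwise page the SOC constantly, and a window that is too wide sweeps in unrelated process launches. Keeping the three evidence events on the alert lets an analyst confirm the chain without re-querying the raw logs.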
