Join Q1 Labs’ CSO Chris Poulin to hear how security intelligence – delivered via next-generation SIEM and log management technology – provides the visibility needed to detect anomalies inside and outside your organization. With risk coming from all directions, including an increasing number of insider theft cases, targeted hacktivism, and the evolving complexity of external vulnerabilities, the pressure to protect IT resources and gain better network and application visibility is only getting more intense.
Attend and learn:
Enterprises have been using security information and event management (SIEM) systems mainly for compliance reporting to meet PCI DSS and other mandates, but infrastructure vendors are trying to develop a new breed of more
EDISON, N.J., June 24 /PRNewswire/ — netForensics, Inc., a leader in the Security Information and Event Management market, today announced that it has joined the Cisco Developer Network as a Registered Developer within the network security technology category. In addition, netForensics nFX Cinxi One v4.1 has successfully completed interoperability* testing with the following Secure Borderless Networks system: Security Management. This interoperability testing helps ensure that netForensics nFX Cinxi One software easily interoperates with the following Cisco security products: ASA, IPS, IOS, ESA, WSA and CS-MARS. nFX Cinxi One also works with Cisco ASR, Access Control Server, CSA, CSA Management Center, CatOS, Firewall Service Module, IDS, IOS, PIX and VPN products, and helps customers meet key security business requirements, particularly around compliance and log management.
The Cisco Developer Network (www.cisco.com/go/cdn) unites Cisco with third-party developers of hardware and software to deliver tested interoperable solutions to joint customers. As a Registered Developer, netForensics offers a complementary product offering and has started to collaborate with Cisco to meet the needs of joint customers. With offerings such as nFX Cinxi One v4.1, customers can more quickly deploy Cisco’s Data Security products to enhance the security, visibility, and management of their Secure Borderless Networks architecture.
IT systems generate lots of log data, but how do you correlate it and make sense of it all?
Security Information and Event Manager (SIEM) vendor LogRhythm has added a new approach to understanding log data with a new Advanced Intelligence (AI) Engine. The goal of AI Engine is to find patterns in the logs that can help identify security events and hacks that otherwise would not be discovered.
Trent Heisler, director of technical services at LogRhythm, explained to InternetNews.com that prior to the AI Engine, there was no real easy way to get to the forensic information directly relevant to a security event. He added that it was also difficult to be able to spawn additional investigations around the event.
“What AI Engine does is it gives us visibility by analyzing all log data, it’s not a subset,” Heisler said. “A lot of times some of what may first seem to be benign traffic, is really not.”
Many organizations often talk about “best practices” for security, log management, SIEM, etc. The definition of “best” practice is often fuzzy but can be loosely tied to what leaders in the field are doing today, and which practices will generally lead to great results. Following the same model, we can create a definition of a “worst practice”:
Here are some of the “worst practices” in the area of SIEM and log management that I have observed:
Contributed by: http://logmanagementcentral.com/11-log-management-worst-practices-anton-chuvakin-guest-post/
(Telecomworldwire Via Acquire Media NewsEdge) Log management and security management products provider LogLogic Inc has integrated the combination of MySQL and Oracle (Nasdaq:ORCL) Linux into its suite of security information and event management (SIEM) products, the business software and hardware systems company said on Friday.
No financial details were disclosed.
According to the company, LogLogic’s solutions help its more than 1,000 enterprise customers achieve regulatory compliance, protect customer information and improve the efficiency of IT operations.
The company embedded MySQL as the data processing engine for its products, which enables it to handle its expanding processing requirements, including the receipt and indexing of more than 250,000 log entries per second and tens of billions of records per day.
The company also deployed Oracle Linux as the operating system and uses Oracle Unbreakable Linux support for its LogLogic 5 hardware appliance, allowing it to meet customer demand for testing and certification of storage and other environments.
Now that you thoroughly understand the use cases and technology underpinning of SIEM and Log Management platforms, it’s time to flex your knowledge and actually buy one. As with most of our research at Securosis, we favor mapping out a very detailed process, and leaving you to decide which steps make sense in your situation. So we don’t expect every organization to go through every step in this process. Figure out what will work for your organization and do that.
Before you start looking at any tools you need to understand why you might need a SIEM/LM; how you plan on using it; and the business processes around management, policy creation, and incident handling. You can (and should) consult our descriptions of the use cases (Part 1 & Part 2) to really understand what problem you are trying to solve and why. If you don’t do this, your project is doomed to fail. And that’s all we’ll say about that.
By the end of this phase you should have defined key stakeholders, convened a selection team, prioritized the systems to protect, determined protection requirements, and roughed out workflow needs.
This phase can be performed by a smaller team working under the mandate of the selection committee. Here the generic needs determined in phase 1 are translated into specific technical features, and any additional requirements are considered. This is the time to come up with criteria for collection and aggregation, additional infrastructure integration, data storage/archival, deployment architecture, management and identity integration, and so on. You may need to dig into what information your devices provide to ensure you can collect the necessary data to reliably feed the SIEM platform. You can always refine these requirements as you proceed through the selection process and get a better feel for how the products work.
At the conclusion of this stage you develop a formal RFI (Request For Information) to release to vendors, and a rough RFP (Request For Proposals) that you’ll clean up and formally issue in the evaluation phase.
All the SIEM/LM vendors tell similar stories, which makes it difficult to cut through the marketing and figure out whether a product really meets your needs. The following steps should minimize your risk and help you feel confident in your final decision:
I can hear the groans from small to medium-sized businesses that look at this process and think it is a ridiculous amount of detail. Once again we want to stress that we created a granular selection process, but you can pare this down to meet your organization’s requirements. We wanted to make sure we captured all the gory details some organizations need to go through for a successful procurement. The process outlined is appropriate for a large enterprise, but a little pruning can make it manageable for small groups. That’s the great thing about process: you can change it any way you see fit at no expense.
With that, we end our series on Understanding and Selecting a SIEM/Log Management platform. Hopefully the content will be useful as you proceed through your own selection process. As always, we appreciate all your comments on our research. We’ll be packaging up the entire series as a white paper over the next few weeks, so stay tuned for that.
Ben Rothke, CISSP, CISA
If security information and event management (SIEM) is such a great tool, it begs the question: Why have so many organizations purchased it at great expense, only to have it end as shelfware? My own experience and that of my colleagues in the industry is that many companies have spent large amounts on a SIEM product, only to have it sit idle.
So why do so many SIEM deployments fail? In his series, Understanding and Selecting SIEM/LM: Selection Process, Mike Rothman of Securosis writes of the various details companies should approach in their SIEM procurement process. Since too many companies fail to use a detailed, systematic process, their deployment is bound to fail. For a VAR or solution provider, the failure of so many SIEM rollouts should be seen as a loud cry for help. VARs and solution providers that understand the reasons behind those failures can learn what needs to be done, helping customers avoid SIEM failures and turning the technology into future profits.
The following tips cover the main things a solution provider must get right to turn a SIEM failure into a success:
Tip No. 1: Know your audience and its needs — SIEM means different things to different organizations. Firms that are under heavy regulatory compliance directives (financial services, health care, pharmaceuticals, etc.) will often be driven by compliance mandates.
Often the SIEM implementation will be driven by audit and legal departments rather than IT. With that, VARs and solution providers must know, in detail, the various regulations and standards. Be it PCI DSS, HIPAA, HITECH, SOX, GLBA, FERPA, etc., they must be able to show customers how a SIEM tool can directly assist in making compliance easier. For example, you don’t need to know PCI DSS like a QSA, but you need to be able to take the PCI DSS and show how the SIEM tool being proposed will help them meet specific requirements or demonstrate compliance during an assessment.
Tip No. 2: Know the SIEM tool you are selling — While many VARs will sell a technology they don’t really understand, the role of a solution provider is just that, to provide solutions; products should be merely part of the answer to a problem.
The first step is to be a guru at the specific SIEM product you are proposing. While SIEM products such as those from ArcSight (soon to be owned by HP) and netForensics do the same thing at a high level, the devil is in the details; at a lower level, the two products are quite different. Solution providers must understand their core products at the expert level, including what they do well, what their shortcomings are, and what types of companies have had success with them in the past.
As a benefit, solution providers should be able to contrast the differences between the SIEM product they sell and those offered by the competition. There are a lot of SIEM vendors selling their wares; in fact, 20 vendors met Gartner’s inclusion requirements for the 2010 SIEM Magic Quadrant (the report is available for free, as a PDF, at a number of vendor websites), and there are more that did not make it in. The plethora of products underscores the importance of knowing why your product is best and how it is different from the competition.
Tip No. 3: Have good salespeople, but have even better post-sales engineers — When it comes to a SIEM deployment, the devil is in the details, and a successful SIEM deployment involves many details. SIEM products require a high level of technical expertise to deploy effectively. Most customers do not have the internal expertise to deploy a SIEM, and they reach out to solution providers specifically to assist them. Solution providers help the client ensure their SIEM deployment is a success and solves customers’ unique business problems.
One of the best ways to showcase your expertise is with certification. Vendor certifications, such as the ArcSight Certified Integrator/Administrator (ACIA), are a great way to differentiate yourself from the competition. Make sure customers know that members of your team hold this certification, and explain why the training and experience that come with the certification will ensure the implementation will go as smoothly as possible.
While this point may seem intuitive, the reality is that just about any IT firm can pass itself off as a VAR or integrator, but the deep skills and experience are what separate a good firm from a poor firm. Those that have the product and industry expertise will find that those two factors are what keep their phones ringing as companies are desperate for SIEM assistance.
Tip No. 4: Project planning and avoiding the PnP term — SIEM is the antithesis of plug-and-play (PnP) technology. The reason that there is so much money in it for solution providers is that an enterprise SIEM rollout takes significant time and effort to deploy, tune and manage. It doesn’t work seamlessly “out of the box” as some security technologies do.
Providing detailed project plans is of incredible value to a firm. A good SIEM project plan will detail the requisite tasks along with a timeline. Such a timeline is good protection for the integrator, should the client company complain that it did not know how long the project would take. The most common complaint VARs and solution providers receive from customers is that SIEM rollouts take much longer than they were led to believe. Detailed project plans obviate that.
Tip No. 5: Project closure, training and hand-off — Building on the previous tip, all good projects must come to an end. Ensure that the project plan has specifics about what constitutes closure of the project. As part of that, solution providers should make sure everything is appropriately delivered, documented and signed-off; a simple checklist can be enormously helpful. Training should be included as a part of the transition plan to ensure the client is able to effectively use the SIEM product.
Once the project is complete, that doesn’t mean there is not more revenue that can be generated. There are often additional elements that need to be added to the SIEM; infrastructure changes, software updates, mergers and acquisitions, and other issues often create the new need for work.
This is only a brief look at how VARs and solution providers can successfully sell SIEM products. Many more tips could be written about the subject, but the most important thing to remember is that VARs and solution providers must be the experts, and that requires preparation. Clients are indeed desperate for help with SIEM. Follow these tips, and watch their desperation turn into satisfaction.
About the author:
Ben Rothke, CISSP, CISA, is a senior security consultant with BT Professional Services, and the author of Computer Security: 20 Things Every Employee Should Know.