Dr. Anton Chuvakin, Author and IT Security Instructor

A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security

WHITE PAPER

Introduction

Recent economic troubles might have something to do with the fact that many organizations today seek to establish only the bare minimum level of security. To be more precise, they try to do what they think is the bare minimum. In fact, their belief that security “due diligence” can be reduced to the level prescribed by regulations such as the Payment Card Industry Data Security Standard (PCI DSS) is more common than ever. Unfortunately, the results of this flawed thinking include security breaches and other damaging events.

This trend toward establishing the minimum required level of security has affected many security safeguards, including Security Information and Event Management (SIEM) and log management. Most organizations simply deploy these technologies to place a check in the compliance check box. In this paper we will take a look at this disturbing trend and provide useful guidance for maximizing the value of SIEM and log management tools, while focusing on protecting systems and data—not on simply checking the compliance check box.

But first, let’s get more familiar with the background of SIEM products. Even though organizations have had the need to collect, manage and analyze computer log data for as long as computers have existed, dedicated Security Information and Event Management (SIEM) products only emerged on the market in the late 1990s. Later, dedicated log management tools emerged to address broad log retention and log review requirements across all of IT, and not just the traditional security space.

Although the primary purpose for SIEM was to reduce network IDS “false positives” and to make sense of other security alerts and event records, these products often did so at the cost of increased product and integration complexity. As a result, these tools were only used by the largest organizations because they were willing to invest time in learning how to operate their SIEM frameworks. In addition, such use was mostly limited to network security.

In more recent years, several different trends—namely changes in the regulatory landscape and a shift of attacks to the application level—have led to the evolution of the SIEM and log management space. These tools are now used for overall compliance management, user tracking, application security monitoring, compliance auditing and even fraud detection. They also continue to be used for operational monitoring and issue troubleshooting.

Let’s define what SIEM and log management tools are and what they do.

Security information and event management covers relevant log collection, aggregation, normalization and retention, context data collection, alerting, analysis (correlation and prioritization), presentation (reporting and visualization), security-related workflow, and relevant security content. Typical uses for SIEM tools center on network security, data security and regulatory compliance.

On the other hand, log management includes comprehensive log collection, original log retention, analysis, presentation (search, reporting, and visualization), related workflow, and relevant content such as reports and search queries. Log management usage is broad and covers all possible applications for log data across IT and even beyond information technology—but certainly includes security and compliance use.

To summarize, SIEM focuses on security while log management focuses on broad use of log data. More specifically, SIEM tools include correlation and other real-time analysis functionality, which is useful for real-time monitoring. In comparison, log tools often focus on advanced search across all log data. Today, select tools combine select capabilities of SIEM and log management in a single product or product suite.

Which One Is for You?

At this point you may be asking, “Which product is for me?” The answer is easy: if you have logs (which you do if you have computers), you need a log management tool. And if you want to make use of these logs for security monitoring, you also need SIEM capabilities. However, you will learn later in this paper that trying to use advanced and near real-time monitoring features of SIEM tools before you’re able to reliably collect log data rarely results in success.

When choosing a tool, it may be helpful to begin by identifying the problem you’re trying to solve with it. Over the years, the following areas where SIEM and log management tools can deliver value have emerged:

1. Security, detective, and investigative. Sometimes also called threat management, this area focuses on detecting and responding to attacks, malware infection, data theft and other security issues. It may be useful to divide this area into monitoring and detection of security issues, and investigation and forensic analysis of security incidents.
2. Compliance, regulatory (global) and policy (local). This area focuses on satisfying the requirements of various laws, mandates and frameworks. Most of these mandates have the intent of improving security, so there is a lot of overlap between this area and the previous one.
3. Operational, system and network troubleshooting and administration. This area applies mostly to log management, and has to do with investigating system problems as well as monitoring the availability of systems and applications.

The above three drivers likely cover nearly 100 percent of SIEM and log management deployments today. It is worth noting that the most common scenarios for SIEM deployments today are “buy for compliance, use for compliance” and “buy for compliance, use for security,” or a combination of the two. When used in combination, the SIEM or log management tool is purchased for a tactical compliance project, and over time is used to solve many other problems. Let’s review this in detail.

Let’s further examine the defining features of SIEM. Most organizations will look for these features when choosing an SIEM product. The features include:

1. Log and Context Data Collection. The ability to collect logs and context data using a combination of agent-based and agent-less methods.
2. Normalization. The ability to convert most original logs into a universal format, usable for cross-source reporting and correlation.
3. Correlation. Rules-based, statistical or algorithmic and other methods of relating different events to each other and events to contextual data.
4. Notification/alerting. The ability to trigger notifications or alerts to operators or managers. Common alerting mechanisms include email, SMS, or even Simple Network Management Protocol (SNMP) messages.
5. Prioritization. Different features that help distinguish important events from less critical security events, for example by correlating security events with vulnerability data, or asset and identity information.
6. Real-time View of Security. Security-monitoring dashboards and displays that security operations personnel use to easily review current system and user activity.
7. Reporting. The ability to generate scheduled and as-needed reports to gain historical views of data collected by the SIEM product. Some products also have a mechanism for distributing reports to security personnel, either by e-mail or a dedicated web portal. SIEM reporting relies on parsing and normalizing log data.
8. Security Role Workflow. Incident management features that allow security personnel to open incident cases, perform investigative triage, and perform other security operations tasks using automation or partial automation.
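The collection, normalization, correlation, prioritization and alerting features just listed, put together as one small working pipeline; this is an added example and not code from the paper or from any SIEM product. It assumes two constructed source formats (syslog-style sshd lines and a key=value firewall line), a constructed asset-criticality table and privileged-user set as the context data, and a single correlation rule (repeated failed logins followed by a success from the same source).

```python
"""Toy SIEM pipeline: collect -> normalize -> correlate -> prioritize -> alert.
Added example over constructed logs; not code from this paper or any product."""
import re
from datetime import datetime, timedelta

# Constructed sample input (not real logs): syslog-style sshd lines plus one
# ISO-timestamped key=value firewall line, i.e. two formats to normalize.
RAW_LOGS = [
    "2024-03-10T02:13:50Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp",
    "Mar 10 02:14:01 web01 sshd[1022]: Failed password for admin from 203.0.113.7 port 5122 ssh2",
    "Mar 10 02:14:03 web01 sshd[1022]: Failed password for admin from 203.0.113.7 port 5123 ssh2",
    "Mar 10 02:14:05 web01 sshd[1022]: Failed password for admin from 203.0.113.7 port 5124 ssh2",
    "Mar 10 02:14:09 web01 sshd[1030]: Accepted password for admin from 203.0.113.7 port 5130 ssh2",
    "Mar 10 02:20:00 dev03 sshd[410]: Failed password for bob from 192.0.2.44 port 4000 ssh2",
    "Mar 10 02:20:02 dev03 sshd[410]: Failed password for bob from 192.0.2.44 port 4001 ssh2",
    "Mar 10 02:20:04 dev03 sshd[410]: Failed password for bob from 192.0.2.44 port 4002 ssh2",
    "Mar 10 02:21:00 dev03 sshd[411]: Accepted password for bob from 192.0.2.44 port 4003 ssh2",
]
# Context data (constructed): asset criticality and identity information.
ASSETS = {"web01": "high", "dev03": "low"}
PRIVILEGED_USERS = {"admin", "root"}

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+")
FW_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) (?P<kv>.+)$")


def normalize(line, year=2024):
    """Map one raw line onto the common schema, or None if no parser matches.
    Syslog timestamps carry no year, so one is assumed."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
                "host": m["host"], "user": m["user"], "src": m["src"],
                "category": "auth", "source": "sshd",
                "outcome": "failure" if m["outcome"] == "Failed" else "success"}
    m = FW_RE.match(line)
    if m:
        kv = dict(pair.split("=", 1) for pair in m["kv"].split())
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "host": m["host"], "user": None, "src": kv.get("src"),
                "category": "network", "source": "firewall", "outcome": kv.get("action")}
    return None  # a real SIEM keeps unparsed lines raw for search


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: >= threshold auth failures for one (src, user) pair, then a
    success from the same pair within `window` of the failures."""
    hits, failures = [], {}  # failures: (src, user) -> failure timestamps
    for e in sorted((e for e in events if e["category"] == "auth"), key=lambda e: e["ts"]):
        key = (e["src"], e["user"])
        if e["outcome"] == "failure":
            failures.setdefault(key, []).append(e["ts"])
            continue
        recent = [t for t in failures.pop(key, []) if e["ts"] - t <= window]
        if len(recent) >= threshold:
            hits.append({"rule": "brute-force-then-success", "host": e["host"],
                         "user": e["user"], "src": e["src"], "ts": e["ts"],
                         "failures": len(recent)})
    return hits


def prioritize(hit, assets=ASSETS, privileged=PRIVILEGED_USERS):
    """Score a hit using asset criticality and identity context."""
    score = 5 + {"high": 3, "medium": 1}.get(assets.get(hit["host"], "low"), 0)
    if hit["user"] in privileged:
        score += 2
    hit["score"] = score
    hit["severity"] = "high" if score >= 8 else "medium" if score >= 6 else "low"
    return hit


def notify(alert):
    """Stand-in for the e-mail/SMS/SNMP channel: format the operator message."""
    return (f"[{alert['severity'].upper()}] {alert['rule']} on {alert['host']}: "
            f"{alert['failures']} failures then success for {alert['user']} from {alert['src']}")


def run_pipeline(lines):
    """Collect -> normalize -> correlate -> prioritize; alerts sorted by score."""
    events = [e for e in (normalize(l) for l in lines) if e]
    alerts = sorted((prioritize(h) for h in correlate(events)), key=lambda a: -a["score"])
    return events, alerts


if __name__ == "__main__":
    events, alerts = run_pipeline(RAW_LOGS)
    print(f"normalized {len(events)} of {len(RAW_LOGS)} lines")
    for a in alerts:
        print(notify(a))
```

The same three failures and one success produce a high alert on web01 (critical asset, privileged account) and only a low one on dev03, which is the effect of the context data the prioritization feature above depends on.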




Deploying and Using SIEM

As organizations face complex security, regulatory and operational issues, the tools that help them address those issues have grown in complexity as well. As a result, companies sometimes have trouble planning, deploying and then using SIEM and log management tools effectively. In this paper we will share a few proven strategies for implementing and deploying SIEM and log management tools, both for satisfying regulatory compliance mandates and beyond.

So, how can you use SIEM effectively? You have to do some planning before you can answer this question. This planning includes the most important concept for deploying and utilizing a SIEM—the concept of a “use case.”

Originating in the software development industry, the term “use case”1 simply denotes a description of how the user uses a system to solve a particular problem. For example, a use case for SIEM can center on satisfying the PCI DSS requirements or enabling the incident response team to track down a compromised IT asset.

Since SIEM and log management tools are useful for solving a wide range of IT problems, it makes sense to approach your SIEM purchase with your particular problem set in mind. For example, if your organization wants to build a security operations center (SOC), your choice of SIEM will be very different from an organization that wants to simply review server logs for evidence of unauthorized access in order to comply with a regulation. Similarly, speeding up your incident response routines calls for a different log management tool than one you’d use for HIPAA reporting (though better incident handling practices would almost certainly help you safeguard health information).

The entire range of SIEM use cases fits in the three categories we mention above:

1. Security, detective, and investigative;
2. Compliance, regulatory (global) and policy (local); and
3. Operational, system and network troubleshooting and administration.

Before we consider a few SIEM use cases in detail, let’s define what we called a pragmatic approach to SIEM.

Pragmatic Approach to SIEM

Given the trend of focusing on bare minimum security, the pragmatic approach to SIEM for many organizations can be summarized as “buy for compliance, use for security (and IT operations as well).” Let’s review how you follow this approach for achieving security success and not just auditor approval.

Many Chief Security Officers (CSOs) have found out that compliance initiatives and other projects driven by “the fear of auditors” can be funded more easily than pure data protection and “the fear of hackers” projects. Even though this trend may reverse itself in the future, today it is a fact of life. Recent analyst estimates show that 70 percent to 80 percent of SIEM and log management implementations are driven by compliance needs.

Here is how to follow the pragmatic approach in instances where compliance drives SIEM and log management implementation:

First, compile a list of regulations you must comply with, focusing particular attention on areas where an SIEM or log management tool can be useful. In many cases, the list may contain only one regulation, but that one regulation is one you absolutely must address.

Second, whenever practical, you should then review other possible goals that SIEM can help you achieve. Deciding whether SIEM satisfies a critical business need, such as “buy as an enabling technology for your SOC,” is an essential step.

Third, you must decide whether you are prepared to work to make your SIEM tool solve your problem, whether for compliance or other needs. Despite help from the vendor and possibly consultants, there are additional tasks you’ll have to perform to make SIEM work.

Fourth, acquire and implement the SIEM solution. This is where you work jointly with the vendor in order to build your initial implementation for regulatory compliance, such as PCI DSS.

Fifth, start actually using SIEM for both the “letter and spirit” of the regulation. This step is the most important one in the approach—one of the biggest mistakes organizations make in this area is thinking that simply owning an SIEM tool makes them compliant. In reality, building daily operational procedures and processes to go with your SIEM
is the only way to do that. Sadly, few people remember that PCI DSS prescribes a large set of periodic tasks, from annual to daily. Reviewing logs daily is the most well-known example of such a practice, not just “having logs.”

Finally, expand the use case beyond compliance. Tips for expanding deployment and solving other problems with your SIEM tool are provided in the next section. For example, you can quickly improve your security capability for incident response and forensics—the easiest and most common security use of log management and SIEM tools beyond compliance.

Given the obvious benefits to this approach, it is surprising that more organizations don’t follow it. Some simply choose to procure a tool, connect it to the network and never actually use it—whether for security or compliance purposes. Such organizations will be surprised to discover they are neither compliant nor secure, as this level of implementation provides none of the benefits of SIEM. It’s also interesting to note that many of the organizations studied in the Verizon Data Breach report2 that were breached had all the evidence of the breach in their logs and available since the day of the breach.

So, build the urgency for SIEM using regulatory compliance, then start taking the regulation to heart by using the tools for compliance and data security. From that point, expand the use case to solve more problems within your organization. Remember, a box in the datacenter rack does not make you compliant; a tool combined with people diligently following operational procedures does.

As we mentioned above, compliance is often the main driver for SIEM deployment today. Let’s delve deeper into the regulations and their impact on SIEM technology.

PCI DSS

The Payment Card Industry Data Security Standard applies to all organizations that handle credit card transactions. Since we talk about the letter and spirit of regulations, the spirit of PCI is in reducing the overall risk associated with payment card transactions. While complete elimination of sensitive payment card data for risk reduction is a noble goal, achieving it today is unlikely for most merchants. As a result, after appropriately scoping your PCI DSS environment, you need to focus on protecting the data and monitoring all access to it.

Even though logging is present in all PCI requirements, the PCI DSS also contains Requirement 10, which is dedicated to logging and log management. Under this requirement, logs for all system components must be reviewed at least daily—a key operational procedure that is necessary for compliance! These reviews must include logs of servers that perform security functions, such as intrusion-detection systems and authentication, authorization, and accounting protocol servers. PCI Requirement 10 is a very common reason why organizations research and look into purchasing SIEM and log management tools today.

Further, the PCI DSS states that the organization must ensure the integrity of its logs by implementing file integrity monitoring and using change detection software on logs (in addition to other key files) to ensure that existing log data cannot be changed without alerting security personnel. It also states that logs from in-scope systems must be stored for at least one year. Broader security monitoring is also present in Requirement 11 of the PCI DSS.

HIPAA/HITECH

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines relevant security standards for health information. As with PCI, the intent of HIPAA is to reduce risks, but in this case to sensitive health information. Unlike payment data, however, health information cannot simply be deleted from storage, which certainly complicates compliance with the regulation. The following HIPAA requirements apply broadly to logging, log review and security monitoring:

Section 164.308(a)(5)(ii)(C) “Log-in Monitoring” calls for monitoring the systems touching patient information for login and access. The requirement applies to “login attempts,” and implies login attempts that failed or succeeded.

Section 164.312(b) “Audit Controls” broadly covers audit logging and other audit trails on systems that deal with sensitive health information. Review of such audit logs seems to be implied by this requirement.

Section 164.308(a)(1)(ii)(D) “Information System Activity Review” prescribes review of various records of IT activities such as logs, systems utilization reports, incident reports and other indications of security-related activities.

In addition, the NIST SP 800-66 document titled “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule” details more specific log management requirements for securing electronic protected health information. Section 4.1 of this document describes the need for regular review of information system activity, such as audit logs, access reports and security incident-tracking reports.

A recent enhancement to HIPAA is called the Health Information Technology for Economic and Clinical Health Act or HITECH Act. The act seeks to further “address the privacy and security concerns associated with the electronic transmission of health information.”

NERC

North American Electric Reliability Corporation (NERC) publishes Critical Infrastructure Protection (CIP) standards that contain important information security requirements. The spirit of NERC is in maintaining the operation of the critical bulk electric system. In the case of NERC, clearly the focus is on system uptime and not on information confidentiality as it is in PCI DSS and HIPAA.

Among the CIPs, there are requirements about logging, alerting and log review, as well as broader security monitoring. For example, Requirement CIP-005-1 R3.2 states that “security monitoring process(es) shall detect and alert for attempts at or actual unauthorized accesses. These alerts shall provide for appropriate notification to designated response personnel. Where alerting is not technically feasible, the Responsible Entity shall review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every ninety calendar days.” In most cases, the effort focuses on issue detection and rapid investigation, and not on the long-term data theft breach investigation.

Additional security monitoring requirements are also defined in the NERC CIP standards.

ISO2700x

ISO27001, formally known as “Information technology—Security techniques—Information security management systems—Requirements,” is a direct descendant of ISO17799 and British Standard 7799. ISO specifies requirements for managing the security of information systems. The standard also prescribes audit logging and audit log review and retention.

For example, ISO27001 mentions that “audit logs should be turned on for security events, user activities, and exceptions. They should be kept for a predetermined period of time.” (section A.10.10.1 of ISO/IEC 27001 Information Security Management Systems – Requirements). However, the standard provides no further guidance regarding what details must be recorded in logs or how long the logs should be retained.

The standard does make references to reviewing audit logs and security monitoring without providing operational level details about them. Despite that, organizations that plan to certify their compliance with ISO27001 are likely to deploy SIEM or log management tools.

Overall, this summary indicates that many mandates have similar requirements with regards to log management and security monitoring. This simply means that complying with one regulation will get you a long way toward complying with other current and future regulations. Also, one of the most important things to remember from reviewing these regulations is that simply deploying a tool, even an advanced SIEM tool, does nothing for compliance unless you use it. Good auditors will check for processes and procedures built around tools in order to satisfy the spirit of regulations; they won’t just look at blinking lights in the datacenter.
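The log protection control described above for PCI DSS (change detection on logs that alerts when existing log data is altered), shown as a forward-secure keyed hash chain over log records with an out-of-band anchor; this is an added example, not code from the paper or from any file integrity monitoring product, and its key, host name and log lines are constructed.

```python
"""Forward-secure keyed hash chain over stored log records: a stand-in for the
change detection on logs that PCI DSS expects.  Added example over constructed
lines and a constructed key; not code from this paper or from any FIM product."""
import hashlib
import hmac

# Placeholder key: held by the monitor/log server, never stored on the logged host.
GENESIS_KEY = b"constructed-demo-key-not-for-production"
GENESIS_MAC = "0" * 64


def next_key(key):
    """Key ratchet key_{i+1} = H(key_i); the writer discards key_i afterwards,
    so a host compromised later cannot re-sign earlier records."""
    return hashlib.sha256(b"ratchet|" + key).digest()


def record_mac(key, seq, prev_mac, line):
    """seq and prev_mac bind each record to its position in the chain."""
    return hmac.new(key, f"{seq}|{prev_mac}|{line}".encode(), hashlib.sha256).hexdigest()


class LogWriter:
    """Runs on the logged host: appends records and ratchets the key."""

    def __init__(self, key=GENESIS_KEY):
        self._key, self.records, self.last_mac = key, [], GENESIS_MAC

    def append(self, line):
        seq = len(self.records)
        mac = record_mac(self._key, seq, self.last_mac, line)
        self.records.append({"seq": seq, "line": line, "mac": mac})
        self.last_mac, self._key = mac, next_key(self._key)
        return seq, mac


def verify(records, anchor_seq, anchor_mac, key=GENESIS_KEY):
    """Runs on the monitor: re-derive the chain from the genesis key and compare
    its head with the (seq, mac) anchor recorded out of band.  Returns the list
    of problems found; an empty list means the log is intact."""
    problems, prev = [], GENESIS_MAC
    for i, rec in enumerate(records):
        expected = record_mac(key, i, prev, rec["line"])
        if rec["seq"] != i or not hmac.compare_digest(rec["mac"], expected):
            problems.append(f"record {i}: modified, removed or reordered")
        prev, key = rec["mac"], next_key(key)
    head_ok = (bool(records) and records[-1]["seq"] == anchor_seq
               and hmac.compare_digest(records[-1]["mac"], anchor_mac))
    if not head_ok:
        problems.append(f"chain head does not match anchor seq={anchor_seq}: truncated or replaced")
    return problems


# Constructed sample records (not from a real system).
SAMPLE_LINES = [
    "Mar 10 02:14:01 web01 sshd[1022]: Failed password for admin from 203.0.113.7 port 5122 ssh2",
    "Mar 10 02:14:09 web01 sshd[1030]: Accepted password for admin from 203.0.113.7 port 5130 ssh2",
    "Mar 10 02:15:30 web01 sudo: admin : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar 10 02:16:00 web01 sshd[1030]: Disconnected from 203.0.113.7 port 5130",
]


def run_scenarios(lines=SAMPLE_LINES):
    """Build a chain, then verify an intact copy and three tampered copies."""
    writer = LogWriter()
    for line in lines:
        writer.append(line)
    anchor = (writer.records[-1]["seq"], writer.last_mac)  # what the monitor stored

    def clone():
        return [dict(r) for r in writer.records]

    edited = clone()
    edited[1]["line"] = edited[1]["line"].replace("Accepted", "Failed")  # rewrite one record
    removed = clone()
    del removed[1]  # drop the successful login
    truncated = clone()[:-1]  # cut off the newest record
    return {"intact": verify(clone(), *anchor), "edited": verify(edited, *anchor),
            "removed": verify(removed, *anchor), "truncated": verify(truncated, *anchor)}


if __name__ == "__main__":
    for name, problems in run_scenarios().items():
        print(f"{name}: {problems or 'chain intact'}")
```

Truncation is only detectable because the monitor records the chain head out of band; without that anchor, dropping the newest records leaves a chain that still verifies.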




“Compliance+”: Where to Go Next?

After the initial regulatory challenges are addressed, what do you do next? Given the scope of regulations shown above, your organization would already have a fairly robust security monitoring program, backed up by periodic processes, review procedures and an exception handling process.

It is likely that you would not be surprised that unauthorized access to servers is covered by a particular regulation. It is also likely that unauthorized changes in your environment will be reduced to a minimum. Deploying integrity checking systems mandated by PCI DSS, and then diligently using them, will allow your organization to be constantly aware of what happens in your environment. If unauthorized changes are detected that indicate an incident, your incident response process will be triggered into action.

In addition, complying with regulations has likely enabled you to keep an eye on the sensitive data that flows in and out of your environment. Hopefully, you have applied the safeguards not only to regulated data but also to data internally considered sensitive.

For example, an organization may choose to fully adopt PCI DSS compliance and invest time in developing their daily log review practices, tying them to incident response plans and educating developers on writing better software that deals with payment data. In fact, some organizations have been known to build their entire security programs on top of PCI DSS guidance. Clearly this approach will allow them to benefit from SIEM and log management tools that they already own.

The next step is to improve the incident response process so that it can react even faster. While regulations prescribe some incident response practices such as having an incident response plan, being ready for any incident, including a zero-day attack, takes more work and more operational maturity than compliance alone requires.

The next step beyond compliance might be to improve the security monitoring process. Simply buying a tool that is capable of enabling such monitoring does not create a monitoring capability; this capability requires a combination of skilled personnel with effective SIEM tools. Fortunately, most organizations have monitoring tools for operational visibility—uptime monitoring. It is important to note that many organizations will not ever be large enough to justify having a full Security Operations Center (SOC). At the same time, having a person or a team dedicated to ongoing periodic security monitoring will likely help most organizations.

We can benefit from the past experiences of organizations that have gone beyond compliance to learn about the numerous possible mistakes and pitfalls that might occur. We will first present a few general tips for succeeding based on these past experiences, and then categorize common mistakes that organizations committed while doing so.

First, if you deploy for compliance, make sure your tools operationalize and adopt the regulation as the framework. Don’t simply put a checkmark in the compliance checkbox.

Second, always operationalize SIEM and log management tools in phases. One common approach is to go from traditional server and firewall logs to application logs, and from collection to review to near real-time monitoring.

Third, always keep the use cases—what you’re trying to achieve with an SIEM tool—in mind. Think about them when using and expanding the use of your SIEM. Even if compliance is a primary SIEM driver, focusing on outcomes useful for your business will give you more success on your journey to better data security.

Common Pitfalls in Using SIEM for Regulatory Compliance

The biggest logging, SIEM and compliance mistake is simply this: thinking that to be compliant you must only collect logs in a log management tool. This is one of the most egregious errors you can make. Simply reading the text of most regulations will reveal the additional items you need to address, such as log review, log protection, logging specific details for various events, handling exceptions and many others.

PCI DSS prescribes log review and log protection, HIPAA calls for monitoring, NERC asks for incident process ease. Not a single regulation is solely about storing logs.

   A second common mistake is focusing on the letter of regulations, and not their intended spirit. The best way to summarize it is: if you focus on security, you have a shot at being compliant and secure; if you only focus on compliance, you probably will not be secure and will be out of compliance. Just ask the victims of recent breaches who were justifiably found to be out of compliance.
   Finally, although the siloed approach to regulations is the unfortunate norm today, that does not make it the right approach. Given the large overlap across regulations in what they mandate relative to audit logging, security monitoring, change detection, incident response and other security practices, it makes sense to implement this superset of requirements. By not tackling regulations one-by-one, you avoid wasting resources and causing delays.

Conclusion
While some organizations continue to try to reduce security to some minimum baseline, this approach is not a recipe for customer trust and data protection. Many of the recent challenges with SIEM and log management stem from the fact that powerful SIEM technology is purchased to address a compliance mandate—and does so in a narrow and short-sighted fashion. Following our roadmap for effective use of SIEM tools for compliance and beyond will allow you to avoid mistakes and gain all the benefits of your investment in your SIEM or log management tool.
   In addition, you can expand the use of an SIEM tool beyond compliance to security and operational use cases, focusing on improved incident response practices and moving to automated security monitoring that occurs in near real-time. This approach is the only way to gain visibility, and therefore control, over your ever-growing IT environment. This is also the only way to prepare for the onslaught of virtualization and cloud computing, which will muddy the waters of what specific information and IT assets need to be protected.
   The final word on succeeding with SIEM is this: start by using regulatory guidance, take it to heart, operationalize it, and then expand it to solve “bigger and better” problems.

About the Author
Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of the books “Security Warrior” and “PCI Compliance” and a contributor to “Know Your Enemy II,” “Information Security Management Handbook” and others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS, and security management (see the list at www.info-secure.org). His blog http://www.securitywarrior.org is one of the most popular in the industry.
   In addition, Anton teaches classes and presents at many security conferences across the world. He recently addressed audiences in the United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups.
   Currently, Anton is developing his security consulting practice www.securitywarriorconsulting.com, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.

1 For example, see http://en.wikipedia.org/wiki/Use_case
2 www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf




ABOUT TRIPWIRE
Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses and government agencies take control of their entire IT infrastructure. Thousands of customers rely on Tripwire’s integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire® VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and security event management solutions, is the way organizations can proactively achieve continuous compliance, mitigate risk and improve operational control through Visibility, Intelligence and Automation. Learn more at www.tripwire.com and TripwireInc on Twitter.




©2010 Tripwire, Inc. | Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. | WPSIEM1a

More Related Content

PPTX
Stop Chasing the Version: Compliance with CIPv5 through CIPv99
PDF
Achieving Effective IT Security with Continuous ISO 27001 Compliance
PPTX
SIEM Alone is Not Enough
PPTX
PCI Breach Scenarios and the Cyber Threat Landscape with Brian Honan
PPTX
Logging, monitoring and auditing
PDF
Nist.sp.800 37r2
PPTX
QSA Shares PCI 3.0 Advice & Checklist
PDF
Chapter 10 security standart
Stop Chasing the Version: Compliance with CIPv5 through CIPv99
Achieving Effective IT Security with Continuous ISO 27001 Compliance
SIEM Alone is Not Enough
PCI Breach Scenarios and the Cyber Threat Landscape with Brian Honan
Logging, monitoring and auditing
Nist.sp.800 37r2
QSA Shares PCI 3.0 Advice & Checklist
Chapter 10 security standart

What's hot (20)

PPTX
SIEM in NIST Cyber Security Framework
PDF
Rothke secure360 building a security operations center (soc)
PPT
Ca world 2007 SOC integration
PDF
SIEM enabled risk management , SOC and GRC v1.0
PPSX
Next-Gen security operation center
PPTX
CMMC Certification
PDF
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
PDF
5 BEST PRACTICES FOR A SECURITY OPERATION CENTER (SOC)
PDF
Cybersecurity Roadmap Development for Executives
PPTX
Cybersecurity Priorities and Roadmap: Recommendations to DHS
PDF
Understanding security operation.pptx
PPTX
Security management concepts and principles
PPTX
Security operation center
PPTX
I.T. Geeks Can't Talk to Management
PPTX
IT Governance Roles and Data Governance - Hernan Huwyler
PDF
State of Security Operations 2016 report of capabilities and maturity of cybe...
PPTX
Top 20 Security Controls for a More Secure Infrastructure
PPTX
Security architecture, engineering and operations
PPTX
NIST CyberSecurity Framework: An Overview
PPTX
Optimizing Security Operations: 5 Keys to Success
SIEM in NIST Cyber Security Framework
Rothke secure360 building a security operations center (soc)
Ca world 2007 SOC integration
SIEM enabled risk management , SOC and GRC v1.0
Next-Gen security operation center
CMMC Certification
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
5 BEST PRACTICES FOR A SECURITY OPERATION CENTER (SOC)
Cybersecurity Roadmap Development for Executives
Cybersecurity Priorities and Roadmap: Recommendations to DHS
Understanding security operation.pptx
Security management concepts and principles
Security operation center
I.T. Geeks Can't Talk to Management
IT Governance Roles and Data Governance - Hernan Huwyler
State of Security Operations 2016 report of capabilities and maturity of cybe...
Top 20 Security Controls for a More Secure Infrastructure
Security architecture, engineering and operations
NIST CyberSecurity Framework: An Overview
Optimizing Security Operations: 5 Keys to Success
Ad

Similar to A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security (20)

PDF
.The Complete Guide to Log and Event Management
PDF
Changing the Security Monitoring Status Quo
 
PDF
Event mgt feb09
PPTX
Introduction to SIEM.pptx
PPTX
Hacking appliances
PDF
Leveraging Log Management to provide business value
PPTX
Security Information and Event Management (SIEM)
PPTX
McAfee SIEM solution
PDF
Maceo Wattley Contributor Infosec
PPTX
Security Information Event Management Security Information Event Management
PDF
SIEM evaluator guide for soc analyst
PDF
Content Aware SIEM™ defined
PPTX
SOAR and SIEM.pptx
PPTX
PKI.pptx
PDF
Use Exabeam Smart Timelines to improve your SOC efficiency
PDF
2005 issa journal-simsevaluation
PDF
Centralizing security on the mainframe
PPTX
Generic siem how_2017
PDF
PSIM: Why Should I Be Interested?
.The Complete Guide to Log and Event Management
Changing the Security Monitoring Status Quo
 
Event mgt feb09
Introduction to SIEM.pptx
Hacking appliances
Leveraging Log Management to provide business value
Security Information and Event Management (SIEM)
McAfee SIEM solution
Maceo Wattley Contributor Infosec
Security Information Event Management Security Information Event Management
SIEM evaluator guide for soc analyst
Content Aware SIEM™ defined
SOAR and SIEM.pptx
PKI.pptx
Use Exabeam Smart Timelines to improve your SOC efficiency
2005 issa journal-simsevaluation
Centralizing security on the mainframe
Generic siem how_2017
PSIM: Why Should I Be Interested?
Ad

More from Tripwire (20)

PDF
Mind the Cybersecurity Gap - Why Compliance Isn't Enough
PDF
Data Privacy Day 2022: Tips to Ensure Data Privacy
PDF
Key Challenges Facing IT/OT: Hear From The Experts
PPTX
Tripwire Energy Working Group: TIV Demo
PPTX
Tripwire Energy Working Group Session w/Dale Peterson
PPTX
Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through
PPTX
Tripwire Energy Working Group: Customer Session with Chase Cole
PPTX
Tripwire Energy Working Group: Keynote w/Patrick Miller
PDF
World Book Day: Cybersecurity’s Quietest Celebration
PDF
Tripwire Retail Security 2020 Survey: Key Findings
PDF
Key Findings: Tripwire COVID-19 Cybersecurity Impact Report
PDF
The Adventures of Captain Tripwire: Coloring Book!
PDF
Industrial Cybersecurity: Practical Tips for IT & OT Collaboration
PDF
The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...
PDF
Tripwire 2019 Skills Gap Survey: Key Findings
PDF
A Look Back at 2018: The Most Memorable Cyber Moments
PPTX
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
PDF
Tripwire State of Cyber Hygiene 2018 Report: Key Findings
PPTX
Defend Your Data Now with the MITRE ATT&CK Framework
PPTX
Defending Critical Infrastructure Against Cyber Attacks
Mind the Cybersecurity Gap - Why Compliance Isn't Enough
Data Privacy Day 2022: Tips to Ensure Data Privacy
Key Challenges Facing IT/OT: Hear From The Experts
Tripwire Energy Working Group: TIV Demo
Tripwire Energy Working Group Session w/Dale Peterson
Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through
Tripwire Energy Working Group: Customer Session with Chase Cole
Tripwire Energy Working Group: Keynote w/Patrick Miller
World Book Day: Cybersecurity’s Quietest Celebration
Tripwire Retail Security 2020 Survey: Key Findings
Key Findings: Tripwire COVID-19 Cybersecurity Impact Report
The Adventures of Captain Tripwire: Coloring Book!
Industrial Cybersecurity: Practical Tips for IT & OT Collaboration
The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...
Tripwire 2019 Skills Gap Survey: Key Findings
A Look Back at 2018: The Most Memorable Cyber Moments
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Tripwire State of Cyber Hygiene 2018 Report: Key Findings
Defend Your Data Now with the MITRE ATT&CK Framework
Defending Critical Infrastructure Against Cyber Attacks

Recently uploaded (20)

PPTX
BUSINESS CYCLE_INFLATION AND UNEMPLOYMENT.pptx
DOCX
Center Enamel Powering Innovation and Resilience in the Italian Chemical Indu...
PPTX
Understanding Procurement Strategies.pptx Your score increases as you pick a ...
PDF
HQ #118 / 'Building Resilience While Climbing the Event Mountain
PPTX
2 - Self & Personality 587689213yiuedhwejbmansbeakjrk
DOCX
Emerging Dubai Investment Opportunities in 2025.docx
PDF
Comments on Clouds that Assimilate Parts I&II.pdf
PDF
Communication Tactics in Legal Contexts: Historical Case Studies (www.kiu.ac...
PPTX
operations management : demand supply ch
PPTX
Astra-Investor- business Presentation (1).pptx
PPTX
IMM.pptx marketing communication givguhfh thfyu
DOCX
Hand book of Entrepreneurship 4 Chapters.docx
PPTX
IMM marketing mix of four ps give fjcb jjb
PDF
income tax laws notes important pakistan
PPTX
33ABJFA6556B1ZP researhchzfrsdfasdfsadzd
PDF
Cross-Cultural Leadership Practices in Education (www.kiu.ac.ug)
PPTX
chapter 2 entrepreneurship full lecture ppt
PDF
Second Hand Fashion Call to Action March 2025
PPTX
df0ee68f89e1a869be4bff9b80a7 business 79f0.pptx
PPTX
IITM - FINAL Option - 01 - 12.08.25.pptx
BUSINESS CYCLE_INFLATION AND UNEMPLOYMENT.pptx
Center Enamel Powering Innovation and Resilience in the Italian Chemical Indu...
Understanding Procurement Strategies.pptx Your score increases as you pick a ...
HQ #118 / 'Building Resilience While Climbing the Event Mountain
2 - Self & Personality 587689213yiuedhwejbmansbeakjrk
Emerging Dubai Investment Opportunities in 2025.docx
Comments on Clouds that Assimilate Parts I&II.pdf
Communication Tactics in Legal Contexts: Historical Case Studies (www.kiu.ac...
operations management : demand supply ch
Astra-Investor- business Presentation (1).pptx
IMM.pptx marketing communication givguhfh thfyu
Hand book of Entrepreneurship 4 Chapters.docx
IMM marketing mix of four ps give fjcb jjb
income tax laws notes important pakistan
33ABJFA6556B1ZP researhchzfrsdfasdfsadzd
Cross-Cultural Leadership Practices in Education (www.kiu.ac.ug)
chapter 2 entrepreneurship full lecture ppt
Second Hand Fashion Call to Action March 2025
df0ee68f89e1a869be4bff9b80a7 business 79f0.pptx
IITM - FINAL Option - 01 - 12.08.25.pptx

A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security

  • 1. Dr. Anton Chuvakin, Author and IT Security Instructor A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security WHITE PAPER
  • 2. Introduction Recent economic troubles might have something to do with In more recent years, several different trends—namely the fact that many organizations today seek to establish changes in the regulatory landscape and a shift of attacks only the bare minimum level of security. To be more pre- to the application level—have led to the evolution of the cise, they try to do what they think is the bare minimum. SIEM and log management space. These tools are now used In fact, their belief that security “due diligence” can be for overall compliance management, user tracking, applica- reduced to the level prescribed by regulations such as the tion security monitoring, compliance auditing and even Payment Card Industry Data Security Standard (PCI DSS) is fraud detection. They also continue to be used for opera- more common than ever. Unfortunately, the results of this tional monitoring and issue troubleshooting. flawed thinking include security breaches and other damag- Let’s define what SIEM and log management tools are and ing events. what they do. This trend toward establishing the minimum required level Security information and event management covers of security has affected many security safeguards, including relevant log collection, aggregation, normalization and Security Information and Event Management (SIEM) and log retention, context data collection, alerting, analysis (cor- management. Most organizations simply deploy these tech- relation and prioritization), presentation (reporting and nologies to place a check in the compliance check box. In visualization), security-related workflow, and relevant secu- this paper we will take a look at this disturbing trend and rity content. Typical uses for SIEM tools center on network provide useful guidance for maximizing the value of SIEM security, data security and regulatory compliance. 
and log management tools, while focusing on protecting On the other hand, log management includes compre- systems and data—not on simply checking the compliance hensive log collection, original log retention, analysis, check box. presentation (search, reporting, and visualization), related But first, let’s get more familiar with the background of workflow, and relevant content such as reports and search SIEM products. Even though organizations have had the queries. Log management usage is broad and covers all pos- need to collect, manage and analyze computer log data sible applications for log data across IT and even beyond for as long as computers have existed, dedicated Security information technology—but certainly includes security and Information and Event Management (SIEM) products only compliance use. emerged on the market in the late 1990s. Later, dedicated To summarize, SIEM focuses on security while log manage- log management tools emerged to address broad log reten- ment focuses on broad use of log data. More specifically, tion and log review requirements across all of IT, and not SIEM tools include correlation and other real-time analysis just the traditional security space. functionality, which is useful for real-time monitoring. In Although the primary purpose for SIEM was to reduce comparison, log tools often focus on advanced search across network IDS “false positives” and to make sense of other all log data. Today, select tools combine select capabilities security alerts and event records, these products often did of SIEM and log management in a single product or product so at the cost of increased product and integration complex- suite. ity. As a result, these tools were only used by the largest organizations because they were willing to invest time in learning how to operate their SIEM frameworks. In addition, such use was mostly limited to network security. 2 | WHITE PAPER | A Pragmatic Approach to SIEM
  • 3. Which One Is For you? At this point you may be asking, “Which product is for Let’s further examine the defining features of SIEM. me?” The answer is easy: if you have logs (which you do Most organization will look for these features when if you have computers), you need a log management tool. choosing an SIEM product. The features include: And if you want to make use of these logs for security monitoring, you also need SIEM capabilities. However, 1. Log and Context Data Collection. The ability to col- you will learn later in this paper that trying to use lect logs and context data using a combination of advanced and near real-time monitoring features of SIEM agent-based and agent-less methods. tools before you’re able to reliably collect log data rarely 2. Normalization. The ability to convert most original results in success. logs into a universal format, usable for cross-source When choosing a tool, it may be helpful to first begin by reporting and correlation. identifying the problem you’re trying to solve with it. Over 3. Correlation. Rules-based, statistical or algorithmic the years, the following areas where SIEM and log manage- and other methods of relating different events to each ment tools can deliver value have emerged: other and events to contextual data. 1. Security, detective, and investigative. Sometimes also 4. Notification/alerting. The ability to trigger notifica- called threat management, this area focuses on detecting tions or alerts to operators or managers. Common and responding to attacks, malware infection, data theft alerting mechanisms include email, SMS, or even and other security issues. It may be useful to divide this Simple Network Management Protocol (SNMP) area into monitoring and detection of security issues, and messages. investigation and forensic analysis of security incidents. 5. Prioritization. Different features that help distinguish 2. Compliance, regulatory (global) and policy (local). 
This important events from less critical security events, area focuses on satisfying the requirement of various for example by correlating security events with vul- laws, mandates and frameworks. Most of these mandates nerability data, or asset and identity information. have the intent of improving security, so there is a lot of 6. Real-time View of Security. Security-monitoring overlap between this area and the previous one. dashboards and displays that security operations per- 3. Operational, system and network troubleshooting and sonnel use to easily review current system and user administration. This area applies mostly to log manage- activity. ment, and has to do with investigating system problems 7. Reporting. The ability to generate scheduled and as well as monitoring the availability of systems and as-needed reports to gain historical views of data applications. collected by the SIEM product. Some products also The above three drivers likely cover nearly 100 percent of have a mechanism for distributing reports to security SIEM and log management deployments today. It is worth personnel, either by e-mail or a dedicated web portal. noting that the most common scenarios for SIEM deploy- SIEM reporting relies on parsing and normalizing log ments today are “buy for compliance, use for compliance” data. and “buy for compliance, use for security,” or a combina- 8. Security Role Workflow. Incident management fea- tion of the two. When used in combination, the SIEM or tures that allow security personnel to open incident log management tool is purchased for a tactical compliance cases, perform investigative triage, and perform project, and over time is used to solve many other problems. other security operations tasks using automation or Let’s review this in detail. partial automation. A Pragmatic Approach to SIEM | WHITE PAPER | 3
  • 4. Deploying and Using SIEM As organizations face complex security, regulatory and oper- ational issues, the tools that help them address those issues Pragmatic Approach to SIEM have grown in complexity as well. As a result, companies Given the trend of focusing on bare minimum security, the sometimes have trouble planning, deploying and then using pragmatic approach to SIEM for many organizations can be SIEM and log management tools effectively. In this paper summarized as “buy for compliance, use for security (and we will share a few proven strategies for implementing and IT operations as well).” Let’s review how you follow this deploying SIEM and log management tools, both for satisfy- approach for achieving security success and not just auditor ing regulatory compliance mandates and beyond. approval. So, how can you use SIEM effectively? You have to do Many Chief Security Officers (CSOs) have found out that some planning before you can answer this question. This compliance initiatives and other projects driven by “the planning includes the most important concept for deploying fear of auditors” can be funded more easily than pure data and utilizing a SIEM—the concept of a “use case.” protection and “the fear of hackers” projects. Even though Originating in the software development industry, the this trend may reverse itself in the future, today it is a fact term “use case”1 simply denotes a description of how the of life. Recent analyst estimates show that 70 percent to 80 user uses a system to solve a particular problem. For exam- percent of SIEM and log management implementations are ple, a use case for SIEM can center on satisfying the PCI driven by compliance needs. DSS requirements or enabling the incident response team to Here is how to follow the pragmatic approach in instances track down a compromised IT asset. 
where compliance drives SIEM and log management Since SIEM and log management tools are useful for solv- implementation: ing a wide range of IT problems, it makes sense to approach First, compile a list of regulations you must comply with, your SIEM purchase with your particular problem set in focusing particular attention on areas where an SIEM or log mind. For example, if your organization wants to build a management tool can be useful. In many cases, the list may security operations center (SOC), your choice of SIEM will contain only one regulation, but that one regulation is one be very different from an organization that wants to sim- you absolutely must address. ply review server logs for evidence of unauthorized access Second, whenever practical, you should then review other in order to comply with a regulation. Similarly, speeding possible goals that SIEM can help you achieve. Deciding up your incident response routines calls for a different log whether SIEM satisfies a critical business need, such as “buy management tool than one you’d use for HIPAA reporting as an enabling technology for your SOC,” is an essential step. (though better incident handling practices would almost Third, you must decide whether you are prepared to work certainly help you safeguard health information). to make your SIEM tool solve your problem, whether for The entire range of SIEM use cases fits in the three cat- compliance or other needs. Despite help from the vendor egories we mention above: and possibly consultants, there are additional tasks you’ll have to perform to make SIEM work. 1. Security, detective, and investigative; Now, acquire and implement the SIEM solution. This is 2. Compliance, regulatory (global) and policy (local); and where you work jointly with the vendor in order to build 3. Operational, system and network troubleshooting and your initial implementation for regulatory compliance, such administration. as PCI DSS. 
Before we consider a few SIEM use cases in detail, let’s Now, start actually using SIEM for both the “letter and define what we called a pragmatic approach to SIEM. spirit” of the regulation. This step is the most important one in the approach—one of the biggest mistakes organiza- tions make in this area is thinking that simply owning an SIEM tool makes them compliant. In reality, building daily operational procedures and processes to go with your SIEM 4 | WHITE PAPER | A Pragmatic Approach to SIEM
  • 5. is the only way to do that. Sadly, few people remember that environment, you need to focus on protecting the data and PCI DSS prescribes a large set of periodic tasks, from annual monitoring all access to it. to daily. Reviewing logs daily is the most well known exam- Even though logging is present in all PCI requirements, ple of such a practice, not just “having logs.” the PCI DSS also contains Requirement 10, which is dedicat- Finally, expand the use case beyond compliance. Tips for ed to logging and log management. Under this requirement, expanding deployment and solving other problems with your logs for all system components must be reviewed at least SIEM tool are provided in the next section. For example, daily—a key operational procedure that is necessary for you can quickly improve your security capability for inci- compliance! These reviews must include logs of servers that dent response and forensics—the easiest and most common perform security functions, such as intrusion-detection security use of log management and SIEM tools beyond systems and authentication, authorization, and account- compliance. ing protocol servers. PCI Requirement 10 is a very common Given the obvious benefits to this approach, it is surpris- reason why organizations research and look into purchasing ing that more organizations don’t follow it. Some simply SIEM and log management tools today. choose to procure a tool, connect it to the network and Further, the PCI DSS states that the organization must never actually use it—whether for security or compliance ensure the integrity of its logs by implementing file integ- purposes. Such organizations will be surprised to discover rity monitoring and using change detection software on logs they are neither compliant nor secure, as this level of imple- (in addition to other key files) to ensure that existing log mentation provides none of the benefits of SIEM. It’s also data cannot be changed without alerting security personnel. 
interesting to note that many of the organizations studied It also states that logs from in-scope systems must be stored in the Verizon Data Breach report2 that were breached had for at least one year. Broader security monitoring is also all the evidence of the breach in their logs and available present in Requirement 11 of the PCI DSS. since the day of the breach. So, build the urgency for SIEM using regulatory compli- ance, then start taking the regulation to heart by using the HIPAA/HITECH The Health Insurance Portability and Accountability Act tools for compliance and data security. From that point, of 1996 (HIPAA) outlines relevant security standards for expand the use case to solve more problems within your health information. As with PCI, the intent of HIPAA is to organization. Remember, a box in the datacenter rack does reduce risks, but in this case to sensitive health informa- not make you compliant; a tool combined with people dili- tion. Unlike payment data, however, health information gently following operational procedures does. cannot simply be deleted from storage, which certainly As we mentioned above, compliance is often the main complicates compliance with the regulation. The following driver for SIEM deployment today. Let’s delve deeper in the HIPAA requirements apply broadly to logging, log review regulations and their impact on SIEM technology. and security monitoring: Section 164.308(a)(5)(ii)(C) “Log-in Monitoring” calls PCI DSS for monitoring the systems touching patient information The Payment Card Industry Data Security Standard applies for login and access. The requirement applies to “login to all organizations that handle credit card transactions. attempts,” and implies login attempts that failed or Since we talk about the letter and spirit of regulations, succeeded. the spirit of PCI is in reducing the overall risk associated Section 164.312(b) “Audit Controls” broadly covers audit with payment card transactions. 
While complete elimina- logging and other audit trails on systems that deal with tion of sensitive payment card data for risk reduction is sensitive health information. Review of such audit logs a noble goal, achieving it today is unlikely for most mer- seem to be implied by this requirement. chants. As a result, after appropriately scoping your PCI DSS A Pragmatic Approach to SIEM | WHITE PAPER | 5
  • 6. Section 164.308(a)(1)(ii)(D) “Information System Activity Review” prescribes review of various records of IT activi- ISO2700x ties such as logs, systems utilization reports, incident ISO27001, formally known as “Information technology— reports and other indications of security-related activities. Security techniques—Information security management systems—Requirements,” is a direct descendant of ISO17799 In addition, the NIST SP 800-66 document titled “An and British Standard 7799. ISO specifies requirements for Introductory Resource Guide for Implementing the Health managing the security of information systems. The stan- Insurance Portability and Accountability Act Security Rule” dard also prescribes audit logging and audit log review and details more specific log management requirements for retention. securing electronic protected health information. Section For example, ISO27001 mentions that “audit logs should 4.1 of this document describes the need for regular review be turned on for security events, user activities, and excep- of information system activity, such as audit logs, access tions. They should be kept for a predetermined period of reports and security incident-tracking reports. time.” (section A.10.10.1 of ISO/IEC 27001 Information A recent enhancement to HIPAA is called the Health Security Management Systems – Requirements). However, Information Technology for Economic and Clinical Health the standard provides no further guidance regarding what Act or HITECH Act. The act seeks to further “address the details must be recorded in logs or how long the logs should privacy and security concerns associated with the electronic be retained. transmission of health information.” The standard does make references to reviewing audit logs and security monitoring without providing operational level NERC details about them. 
Despite that, organizations that plan to North American Electric Reliability Corporation (NERC) pub- certify their compliance with ISO27001 are likely to deploy lishes Critical Infrastructure Protection (CIP) standards that SIEM or log management tools. contain important information security requirements. The Overall, this summary indicates that many mandates have spirit of NERC is in maintaining the operation of the critical similar requirements with regards to log management and bulk electric system. In the case of NERC, clearly the focus security monitoring. This simply means that complying is on system uptime and not on information confidentiality with one regulation will get you a long way toward comply- as it is in PCI DSS and HIPAA. ing with other current and future regulations. Also, one Among the CIPs, there are requirements about logging, of the most important things to remember from reviewing alerting and log review, as well as broader security monitor- these regulations is that simply deploying a tool, even an ing. For example, Requirement CIP-005-1 R3.2 states that advanced SIEM tool, does nothing for compliance unless “security monitoring process(es) shall detect and alert for you use it. Good auditors will check for processes and pro- attempts at or actual unauthorized accesses. These alerts cedures built around tools in order to satisfy the spirit of shall provide for appropriate notification to designated regulations; they won’t just look at blinking lights in the response personnel. Where alerting is not technically fea- datacenter. sible, the Responsible Entity shall review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every ninety calendar days.” In most cases, the effort focuses on issue detection and rapid investigation, and not on the long-term data theft breach investigation. Additional security monitoring requirements are also defined in the NERC CIP standards. 
6 | WHITE PAPER | A Pragmatic Approach to SIEM
“Compliance+”: Where to Go Next?

After the initial regulatory challenges are addressed, what do you do next? Given the scope of regulations shown above, your organization would already have a fairly robust security monitoring program, backed up by periodic processes, review procedures and an exception handling process.

It is likely that you would not be surprised that unauthorized access to servers is covered by a particular regulation. It is also likely that unauthorized changes in your environment will be reduced to a minimum. Deploying integrity checking systems mandated by PCI DSS, and then diligently using them, will allow your organization to be constantly aware of what happens in your environment. If unauthorized changes are detected that indicate an incident, your incident response process will be triggered into action.

In addition, complying with regulations has likely enabled you to keep an eye on the sensitive data that flows in and out of your environment. Hopefully, you have applied the safeguards not only to regulated data but also to data internally considered sensitive.

For example, an organization may choose to fully adopt PCI DSS compliance and invest time in developing their daily log review practices, tying them to incident response plans and educating developers on writing better software that deals with payment data. In fact, some organizations have been known to build their entire security programs on top of PCI DSS guidance. Clearly this approach will allow them to benefit from SIEM and log management tools that they already own.

The next step is to improve the incident response process so that it can react even faster. While regulations prescribe some incident response practices such as having an incident response plan, being ready for any incident, including a zero-day attack, takes more work and more operational maturity that goes beyond compliance.

The next step beyond compliance might be to improve the security monitoring process. Simply buying a tool that is capable of enabling such monitoring does not create a monitoring capability; this capability requires a combination of skilled personnel with effective SIEM tools. Fortunately, most organizations have monitoring tools for operational visibility—uptime monitoring. It is important to note that many organizations will not ever be large enough to justify having a full Security Operations Center (SOC). At the same time, having a person or a team dedicated to ongoing periodic security monitoring will likely help most organizations.

We can benefit from the past experiences of organizations that have gone beyond compliance to learn about the numerous possible mistakes and pitfalls that might occur. We will first present a few general tips for succeeding based on these past experiences, and then categorize common mistakes that organizations committed while doing so.

First, if you deploy for compliance, make sure your tools operationalize and adopt the regulation as the framework. Don’t simply put a checkmark in the compliance checkbox.

Second, always operationalize SIEM and log management tools in phases. One common approach is to go from traditional server and firewall logs to application logs, and from collection to review to near real-time monitoring.

Third, always keep the use cases—what you’re trying to achieve with an SIEM tool—in mind. Think about them when using and expanding the use of your SIEM. Even if compliance is a primary SIEM driver, focusing on outcomes useful for your business will give you more success on your journey to better data security.

Common Pitfalls in Using SIEM for Regulatory Compliance

The biggest logging, SIEM and compliance mistake is simply this: thinking that to be compliant you must only collect logs in a log management tool. This is one of the most egregious errors you can make. Simply reading the text of most regulations will reveal the additional items you need to address, such as log review, log protection, logging specific details for various events, handling exceptions and many others.

PCI DSS prescribes log review and log protection, HIPAA calls for monitoring, NERC asks for incident process ease. Not a single regulation is solely about storing logs.
A second common mistake is focusing on the letter of regulations, and not their intended spirit. The best way to summarize it is: if you focus on security, you have a shot at being compliant and secure; if you only focus on compliance, you probably will not be secure and will be out of compliance. Just ask the victims of recent breaches who were justifiably found to be out of compliance.

Finally, although the siloed approach to regulations is the unfortunate norm today, that does not make it the right approach. Given the large overlap across regulations in what they mandate relative to audit logging, security monitoring, change detection, incident response and other security practices, it makes sense to implement this superset of requirements. By not tackling regulations one-by-one, you avoid wasting resources and causing delays.

Conclusion

While some organizations continue to try to reduce security to some minimum baseline, this approach is not a recipe for customer trust and data protection. Many of the recent challenges with SIEM and log management stem from the fact that powerful SIEM technology is purchased to address a compliance mandate—and does so in a narrow and short-sighted fashion. Following our roadmap for effective use of SIEM tools for compliance and beyond will allow you to avoid mistakes and gain all the benefits of your investment in your SIEM or log management tool.

In addition, you can expand the use of an SIEM tool beyond compliance to security and operational use cases, focusing on improved incident response practices and moving to automated security monitoring that occurs in near real-time. This approach is the only way to gain visibility, and therefore control, over your ever-growing IT environment. This is also the only way to prepare for the onslaught of virtualization and cloud computing, which will muddy the waters of what specific information and IT assets need to be protected.

The final word on succeeding with SIEM is this: start by using regulatory guidance, take it to heart, operationalize it, and then expand it to solve “bigger and better” problems.

About the Author

Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of the books “Security Warrior” and “PCI Compliance” and a contributor to “Know Your Enemy II,” “Information Security Management Handbook” and others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS, and security management (see the list at www.info-secure.org). His blog http://www.securitywarrior.org is one of the most popular in the industry.

In addition, Anton teaches classes and presents at many security conferences across the world. He recently addressed audiences in United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups.

Currently, Anton is developing his security consulting practice www.securitywarriorconsulting.com, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.
ABOUT TRIPWIRE

Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses and government agencies take control of their entire IT infrastructure. Thousands of customers rely on Tripwire’s integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire® VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and security event management solutions, is the way organizations can proactively achieve continuous compliance, mitigate risk and improve operational control through Visibility, Intelligence and Automation. Learn more at www.tripwire.com and TripwireInc on Twitter.

©2010 Tripwire, Inc. | Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. | WPSIEM1a