Log and Security Event Information Management (SEIM) are two of the 20 Controls that SANS lists for network security. They are also some of the more controversial ones. Logs are very much like digital fingerprints for one’s network and applications. It has great value for both noticing exploits (visibility) and forensically investigating those which have already happened. SEIMs are the intelligence behind log management. They are often bought as a combined offering as one is fairly useless without the other. Metaphorically speaking together they act like an alarm system for your network.
That said, the effectiveness of these controls are only as good as the weakest link along the solution chain: Plan, Deploy, Integrate, Operate, Monitor and Respond. This month alone we’ve run into one customer that couldn’t actually produce their own logs post breach, even though they had a system in place, another who had no backup to their logs when their solution failed, and a third one who had logging in place, but hadn’t configured it well enough to do anything but ignore repeated alerts, because they had experienced so many false positives.
When looking at a Log/SIEM solution there are four options for organizations to consider:
- Updating and fixing what you have, including better configuration.
- Buying a newer solution from a technology vendor.
a. A standalone appliance
b. A software license loaded on your own server or virtual machine
c. An open source software license where you pay for support on the application - Moving some or all of your solution to a managed services provider.
- Doing nothing, because the TCO burden for a solution exceeds the benefit in liability reduction — something that holds true for any technology solution.
With any of these four, one must consider the true cost of owning, operating and monitoring the solution:
- What will it cost to continue using the licenses?
- What will it cost to configure the solution, so that it really does notice a majority of the exploits that your business is most likely to see without alerting you unnecessarily on stuff that has little significance?
- What will it cost for you to manage the solution for updates in code and configuration and who will do that exactly? Unlike a building alarm system where the key vulnerabilities have always been doors and windows, a network’s vulnerabilities seemingly change continuously.
- What will it cost to monitor the solution and again, who exactly will do it? Will it really be an individual who has a dozen other responsibilities where this one gets short changed and thus the solution is only providing a false sense of security?
- How will the logs be archived and reviewed as part of your compliance needs, be they PCI, HIPAA, ISO, etc…
- Who will document all policies and procedures for the solution?
- Finally, what is your incidence response plan (IRP) when a real alert happens and who is responsible for reviewing it and when?
Logging and SEIM solutions have never been more powerful and the options more diverse. To get it right, you have to consider every aspect of its lifecycle and TCO to insure its success.