Primer: Security Information and Event Management

By David F. Carr  |  Posted 2005-08-04

What is it? Security information and event management (SIEM) systems help you gather, store, correlate and analyze security log data from many different information systems. This data may prove valuable as part of a network security organization's immediate response to an attack, making it possible to see, for example, all the virtual private network connections that were active when a behind-the-firewall server came under attack. Or in the case of an incident discovered after the fact, such as the theft of credit card numbers, the system could produce reports for police and regulators from the archived log data.
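The correlation described above, VPN sessions that were active at the moment a server behind the firewall raised an alert, is the kind of query a SIEM answers once the logs are in one place. The following is an added example written for this primer, not code from the article or from any vendor's product; the log format, the host names, the user names and the addresses are all constructed for illustration (real VPN concentrators and intrusion sensors each have their own formats, which is the normalization work Williams refers to when he calls these systems hard to deploy). It pairs session-open and session-close events into sessions, keeps sessions that never closed as still open, and then reports which sessions overlapped the alert and which one was assigned the address the alert came from.

```python
"""Correlate VPN session logs with a server alert (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import re
from typing import Dict, List, Optional

# Constructed sample input: a VPN concentrator's session log and one
# intrusion alert from a server behind the firewall. Not real logs.
VPN_LOG = """\
2005-08-04T02:10:03Z vpn1 session-open user=alice peer=203.0.113.7 inner=10.8.0.12
2005-08-04T02:15:41Z vpn1 session-open user=bob peer=198.51.100.23 inner=10.8.0.13
2005-08-04T02:30:00Z vpn1 session-close user=alice peer=203.0.113.7 inner=10.8.0.12
2005-08-04T02:44:19Z vpn1 session-open user=carol peer=192.0.2.55 inner=10.8.0.14
2005-08-04T03:01:10Z vpn1 session-close user=bob peer=198.51.100.23 inner=10.8.0.13
"""
ALERT_LOG = "2005-08-04T02:50:12Z ids1 alert sig=ssh-brute-force src=10.8.0.14 dst=10.1.5.20"

# Hypothetical line layout: "<timestamp> <host> <event> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>(?: \w+=\S+)*)$")


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with a UTC datetime under 'ts'."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m.group("host"), "event": m.group("event"), **fields}


@dataclass
class Session:
    user: str
    peer: str            # public address the VPN client connected from
    inner: str           # address handed to the client inside the VPN
    start: datetime
    end: Optional[datetime] = None   # None: never closed within the log


def build_sessions(vpn_log_text: str) -> List[Session]:
    """Pair session-open and session-close events into Session records."""
    open_sessions: Dict[tuple, Session] = {}
    sessions: List[Session] = []
    for line in vpn_log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["user"], rec["peer"], rec["inner"])
        if rec["event"] == "session-open":
            s = Session(rec["user"], rec["peer"], rec["inner"], rec["ts"])
            open_sessions[key] = s
            sessions.append(s)
        elif rec["event"] == "session-close":
            s = open_sessions.pop(key, None)
            if s is not None:
                s.end = rec["ts"]
            # A close with no matching open means a gap in the log (lost
            # events or rotated files); a real correlator should flag it.
    return sessions


def sessions_active_at(sessions: List[Session], when: datetime) -> List[Session]:
    """Sessions that had started and not yet ended at 'when' (open ones count)."""
    return [s for s in sessions if s.start <= when and (s.end is None or s.end > when)]


def correlate(vpn_log_text: str, alert_line: str) -> dict:
    """Answer: which VPN sessions were up when the alert fired, and which
    one held the inner address the alert names as its source?"""
    alert = parse_line(alert_line)
    active = sessions_active_at(build_sessions(vpn_log_text), alert["ts"])
    matched = [s for s in active if s.inner == alert.get("src")]
    return {"alert": alert, "active": active, "matched": matched}


if __name__ == "__main__":
    result = correlate(VPN_LOG, ALERT_LOG)
    print("alert at", result["alert"]["ts"], "from", result["alert"]["src"])
    for s in result["active"]:
        tag = "  <- source of alert" if s in result["matched"] else ""
        print(f"  {s.user:6} peer={s.peer:15} inner={s.inner:10} "
              f"open {s.start.time()} to {s.end.time() if s.end else 'still open'}{tag}")
```

The interesting case is carol: her session has no close event in the log, so a naive query that only looks at completed sessions would miss the one connection that actually sourced the attack. Keeping still-open sessions in the active set is what makes the "what was connected when the server was hit" question answerable during an incident rather than only after the fact.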

Why is it important? As the volume and importance of security log data grows, it becomes crucial to store it in a compressed format and have better ways of analyzing it. Measures such as the Sarbanes-Oxley Act have emboldened auditors to require that log data be kept longer in case it is needed for an investigation. Gartner security systems analyst Amrit Williams says applying this requirement to all systems, rather than just financial ones, probably goes beyond the letter of the law. Nevertheless, many of his clients cite pressure from auditors as a reason for buying these security systems, which cost between $100,000 and $500,000.

Who are the vendors? Most major security and systems management vendors have a security information and event management offering. Gartner says the leaders are specialized software vendors, such as ArcSight, e-Security, Intellitactics, netForensics and Network Intelligence; it also gives high marks to Computer Associates' eTrust Security Command Center.

How difficult are these systems to implement? Quite difficult, says Gartner's Williams, given the complexity of gathering log data, in many different formats, from so many systems. Most early SIEM software also required companies to set up clustered relational databases as the storage back end, an obstacle for organizations with little experience running them.

Network Intelligence was the first vendor to win significant market share with a system appliance, which simplified deployment because it came preconfigured with a database for storage. Other vendors, including Cisco (with its acquisition of Protego), have appliance-based offerings, and Symantec is beta-testing an appliance for release this fall. Despite the advantages of appliances, SIEM software will retain market share with customers who want more control and ability to customize than an appliance allows, or who want to extend existing enterprise storage, according to Williams.

Who is using it? Regulated industries such as utilities, financial services and health care are big on these systems. Sean Curry, infrastructure engineering manager at Calpine, an operator of electric power plants, discovered he needed a better way of managing log data after the firm started using virtual private networks, rather than dedicated telecommunications lines, to connect to 103 remote locations. That saved the company about $140,000 per month, but it also meant establishing firewalls at each of those locations, with log entries generated every time a VPN connection was established.

"We're logging 60 gigabytes of data per day, 1,200 events per second," Curry says. As the storage requirements for that data outstripped capacity, Calpine pulled older records offline. Though the records were archived on tape rather than deleted, auditors complained that they weren't readily available for analysis.

Using a Network Intelligence appliance, Calpine can retain more information online in a compressed form and produce more sophisticated reports, more quickly. Curry also runs reports for human resources on whether employees are violating "acceptable use" policies by, for instance, downloading pornography.