In a recent article posted on darkreading.com, Robert Lemos discusses the new features of Security Information and Event Management (SIEM) systems and some common problems companies face when using them.
The most interesting quote in this article came as no surprise – “Yet SIEM deployments are difficult. The complexity of integrating a variety of different data feeds requires knowledgeable security analysts.” So the question “Why is SIEM so difficult?” should be raised. The reason is simple – someone has to take the seemingly disparate data and find patterns that represent actions. Hmmm… actions – now we’re getting somewhere. Organizations want SIEM so they can tell what action has been taken. In the case of IT changes that impact security and access to systems and data, the activity data (usually found in the form of logs) itself lacks detail. Generally speaking, the best you can do is see that a change was made, who made it and when it was made.
But that’s not the detail a SIEM security analyst is looking for!
To get to the “Ease of Use” in the title of this article, an organization utilizing SIEM wants to know exactly what the change (that is, the action) was. If a SIEM solution has the specific detail on every change (think what the change was, before and after values, who/when/where, etc.) made within critical systems, the utilization of SIEM doesn’t really become an issue of “more data”, but instead “more useful data.”
SIEM is only as good as the data fed into it, so in order to have this level of system change data, you’re going to need a solution in place that is auditing changes to your critical systems.
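To make the “more data” versus “more useful data” point concrete, here is an added example (not code from the article or from Dark Reading) that takes a bare change-log line of the kind described above, which only says who changed what object and when, and enriches it with before/after snapshots into a structured audit event with the exact attribute changes. The log line, the object names and the snapshots are all constructed sample data; the key=value log format and the snapshot dictionaries are assumptions for illustration, not any particular product’s format.

```python
import json
import shlex

# Constructed sample log line (not from the article): it records that a change
# happened, who made it, when and where, but not what the change actually was.
RAW_LOG_LINE = (
    '2024-05-01T10:15:00Z host=dc01 user=jdoe action=modify '
    'object="CN=Backup Operators,CN=Builtin,DC=example,DC=com"'
)

# Constructed before/after snapshots of the changed object, the kind of detail
# a change-auditing solution captures and a plain event log does not.
BEFORE_STATE = {
    "description": "Backup Operators",
    "member": ["CN=svc_backup,OU=Service,DC=example,DC=com"],
}
AFTER_STATE = {
    "description": "Backup Operators",
    "member": [
        "CN=svc_backup,OU=Service,DC=example,DC=com",
        "CN=jdoe,OU=Users,DC=example,DC=com",
    ],
}


def parse_raw_line(line):
    """Parse 'timestamp key=value ...' into a dict; quoted values may contain spaces."""
    timestamp, _, rest = line.partition(" ")
    fields = {"timestamp": timestamp}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def diff_attributes(before, after):
    """Return one record per attribute whose value differs between the snapshots.

    Multi-valued attributes (lists) are also reported as added/removed values so
    the analyst sees exactly which entries changed rather than two long lists.
    """
    changes = []
    for attr in sorted(set(before) | set(after)):
        old, new = before.get(attr), after.get(attr)
        if old == new:
            continue
        record = {"attribute": attr, "before": old, "after": new}
        if isinstance(old, list) and isinstance(new, list):
            record["added"] = [v for v in new if v not in old]
            record["removed"] = [v for v in old if v not in new]
        changes.append(record)
    return changes


def build_audit_event(raw_line, before, after):
    """Combine the who/when/where from the log with the what from the snapshots."""
    fields = parse_raw_line(raw_line)
    return {
        "when": fields["timestamp"],
        "where": fields["host"],
        "who": fields["user"],
        "action": fields["action"],
        "object": fields["object"],
        "changes": diff_attributes(before, after),
    }


def summarize(event):
    """One line per changed attribute, ready to be forwarded to a SIEM as a message."""
    lines = []
    for change in event["changes"]:
        if "added" in change:
            detail = f"added={change['added']} removed={change['removed']}"
        else:
            detail = f"{change['before']!r} -> {change['after']!r}"
        lines.append(
            f"{event['when']} {event['who']}@{event['where']} {event['action']} "
            f"{event['object']} attribute={change['attribute']} {detail}"
        )
    return lines


if __name__ == "__main__":
    event = build_audit_event(RAW_LOG_LINE, BEFORE_STATE, AFTER_STATE)
    print(json.dumps(event, indent=2))
    for line in summarize(event):
        print(line)
```

Run as written, the script turns the single “jdoe modified Backup Operators” log line into an event that states the one attribute that actually changed (`member`) and the one value that was added, while the unchanged `description` attribute produces no noise. That is the difference between a SIEM knowing a change happened and knowing what the change was.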