The web page of Dr. Rick Smith features, among other things, The Center for Password Sanity. This is a set of essays, written while he was working on his book Authentication, all about passwords, their strengths, and their weaknesses. Definitely worth a read, and might even be worth passing along to managers who are still thinking that passwords should be handled the same way they were in 1988.
Back to Basics
February 24, 2011
An article on Threatpost makes a compelling point: despite the amount of press lavished upon attacks like Stuxnet or Aurora, most companies don’t need to be worried about the latest and greatest targeted attacks. They need to worry about the basics – SQL injection attacks, phishing, social engineering, and other “boring” threats.
For the vast majority of companies, especially ones outside of the Fortune 100, there is simply no present threat from something like Aurora. Complex, expensive security infrastructures aren’t what you need. You need properly hardened servers, trained employees, and developers who know how to write secure application code.
“Silent Fixes”
February 23, 2011
Every so often, Microsoft will ship security fixes that are not tied to a publicly known vulnerability and are not a response to a particular CVE. Many people refer to these as “silent updates”, since their purpose has not been publicly announced. Last week, an explanation of this practice was posted on TechNet.
Sanitizing SSDs
February 23, 2011
This paper (warning: PDF) from the USENIX FAST conference, “Reliably Erasing Data From Flash-Based Solid State Drives”, looks at an interesting question: with hard drives quickly giving way to solid-state drives (SSDs), how do we securely wipe data from workstations that use the new technology?
From the paper:
Reliably erasing data from storage media (sanitizing the media) is a critical component of secure data management. While sanitizing entire disks and individual files is well-understood for hard drives, flash-based solid state disks have a very different internal architecture, so it is unclear whether hard drive techniques will work for SSDs as well.

We empirically evaluate the effectiveness of hard drive-oriented techniques and of the SSDs’ built-in sanitization commands by extracting raw data from the SSD’s flash chips after applying these techniques and commands. Our results lead to three conclusions: First, built-in commands are effective, but manufacturers sometimes implement them incorrectly. Second, overwriting the entire visible address space of an SSD twice is usually, but not always, sufficient to sanitize the drive. Third, none of the existing hard drive-oriented techniques for individual file sanitization are effective on SSDs.
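The practical upshot of the first conclusion is that you should use the drive’s built-in ATA SECURITY ERASE UNIT command rather than a software overwrite, but check its preconditions first and verify afterwards. The script below is an added example (mine, not code from the paper or from hdparm): it parses the “Security:” block of `hdparm -I` output, refuses to proceed if the drive is frozen, locked, or lacks the feature set, builds the hdparm command lines, and spot-checks the visible address space after the erase. The sample `hdparm -I` excerpt is constructed in the format hdparm prints, the device path `/dev/sdX` is a placeholder, and `NULL` is hdparm’s documented special value for an empty password.

```python
"""Pre-flight check, command plan and readback spot-check for an ATA secure erase.

Added example, not from the paper. Assumes `hdparm -I` output format and
placeholder device path /dev/sdX.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class SecurityState:
    supported: bool = False        # ATA security feature set present
    enabled: bool = False          # a user password is already set
    locked: bool = False           # drive refuses I/O until unlocked
    frozen: bool = False           # BIOS issued SECURITY FREEZE LOCK at boot
    enhanced_erase: bool = False   # ENHANCED SECURITY ERASE UNIT supported
    erase_minutes: Optional[int] = None


def parse_security_section(identify_text: str) -> SecurityState:
    """Pull the flags out of the 'Security:' block of `hdparm -I` output."""
    state = SecurityState()
    in_section = False
    for raw in identify_text.splitlines():
        line = raw.rstrip()
        if line.strip() == "Security:":
            in_section = True
            continue
        if not in_section:
            continue
        if line and not line[0].isspace():
            break  # next top-level section, e.g. "Checksum: correct"
        words = line.split()
        if not words:
            continue
        negated = words[0] == "not"          # hdparm prints "not\tfrozen" etc.
        key = " ".join(words[1:] if negated else words)
        if key == "supported":
            state.supported = not negated
        elif key == "enabled":
            state.enabled = not negated
        elif key == "locked":
            state.locked = not negated
        elif key == "frozen":
            state.frozen = not negated
        elif key == "supported: enhanced erase":
            state.enhanced_erase = not negated
        m = re.search(r"(\d+)min for SECURITY ERASE UNIT", line)
        if m:
            state.erase_minutes = int(m.group(1))
    return state


def erase_blocker(state: SecurityState) -> Optional[str]:
    """Return why an erase cannot be issued right now, or None if it can."""
    if not state.supported:
        return "no ATA security feature set: use the vendor tool, or NVMe Format/Sanitize"
    if state.frozen:
        return "drive is frozen (usually by the BIOS): suspend/resume or hot-plug, then re-check"
    if state.locked:
        return "drive is locked: unlock with the existing password first"
    return None


def secure_erase_plan(state: SecurityState, device: str,
                      password: str = "NULL") -> List[List[str]]:
    """Return the hdparm argv sequence for the erase; raise if it is unsafe now."""
    reason = erase_blocker(state)
    if reason:
        raise RuntimeError(reason)
    cmds: List[List[str]] = []
    if not state.enabled:
        # A password must be set before the drive accepts ERASE UNIT.
        cmds.append(["hdparm", "--user-master", "u", "--security-set-pass", password, device])
    erase = "--security-erase-enhanced" if state.enhanced_erase else "--security-erase"
    cmds.append(["hdparm", "--user-master", "u", erase, password, device])
    return cmds


def visible_space_is_blank(read_at: Callable[[int, int], bytes], size_bytes: int,
                           samples: int = 64, chunk: int = 4096) -> bool:
    """Read `samples` evenly spaced chunks via read_at(offset, length) and require 0x00 or 0xFF.

    Passing proves only that the visible LBA space is clear; retired flash blocks
    behind the FTL are invisible here, which is why the paper read the chips directly.
    """
    step = max(size_bytes // samples, chunk)
    for offset in range(0, max(size_bytes - chunk, 0) + 1, step):
        data = read_at(offset, chunk)
        if not data or data not in (b"\x00" * len(data), b"\xff" * len(data)):
            return False
    return True


# Constructed `hdparm -I` excerpt in hdparm's own layout (not a real drive).
SAMPLE_IDENTIFY = """\
Commands/features:
\tEnabled\tSupported:
\t   *\tSecurity Mode feature set
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

if __name__ == "__main__":
    st = parse_security_section(SAMPLE_IDENTIFY)
    print(st)
    for argv in secure_erase_plan(st, "/dev/sdX"):
        print(" ".join(argv))
```

In real use, feed `subprocess.run(["hdparm", "-I", device], capture_output=True, text=True).stdout` to the parser, run the returned commands only after the blocker check passes, and pass a function that does `os.pread` on the block device to the readback check. Treat a readback that passes as necessary but not sufficient, for exactly the reason the paper gives.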
OddJob
February 22, 2011
A new trojan, named OddJob, has been discovered. It surreptitiously hijacks a web banking session, cutting off “logoff” attempts and allowing the criminals who operate the trojan remotely to access victims’ accounts.
This is a nasty one.
Definition Monday: SIEM
February 21, 2011
Welcome to Definition Monday, where we define and explain a common technology or security concept for the benefit of our less experienced readers. This week: SIEM Systems.
A SIEM, or Security Information and Event Management system, is a relatively new concept in information security. Its ancestors, the security information management (SIM) and security event management (SEM) product categories, appeared about a decade ago, and the combined category has been evolving rapidly ever since.
A SIEM performs two major functions:
Log Centralization
The first, and original, purpose of a SIEM is to serve as a single point of collection for activity logs from disparate systems on an enterprise network. Nearly everything is capable of producing logs in some standardized format (syslog on Unix hosts and network gear, the Windows Event Log on Windows): Windows servers, VPN concentrators, network firewalls, managed Ethernet switches, Unix hosts, IDS systems, even individual workstations. In a SIEM deployment, each of these devices sends its generated logs to a single collection point so that they can be analyzed in one place.
The benefit to this is obvious, if only for troubleshooting purposes. Imagine a mid-sized network that has half a dozen DNS servers, four Active Directory domain controllers, two DHCP servers, redundant border routers, and two hundred wireless access points. Finding a particular wireless host and tracking its Internet activity would take hours or days if each of these devices had to be queried and analyzed separately. With the centralized logging of a SIEM, on the other hand, all the information is in one place and easily searchable, usually with an intuitive web interface. You can track the laptop from the time it is issued an address by the DHCP server to the moment it vanished from the last access point.
Correlation Analysis
Additionally, a modern SIEM deployment will include a correlation software engine to mine through these disparate logs and alert the administrative staff to potential problems.
Imagine this example: every host on your enterprise network authenticates against a central LDAP directory (often loosely called single sign-on). This means that the same account credentials can be used to log in to any system on the network. Now imagine that someone is trying to gain access to an account with the username “admin”, assuming (perhaps rightly) that this account has elevated privileges and so it is a particularly tempting target. Your computers are set up with account lockout rules – logging in with the wrong password five times will lock the account.
The attacker knows this, so he tries four passwords for the “admin” account on a random assortment of hosts on your network, staying under the lockout threshold on each one. In an environment of any size, four incorrect logins on a single host are not going to raise red flags. But if the logs from these different hosts are all flowing into a SIEM system, the correlation engine should quickly alert the administrators that someone is definitely trying to compromise the “admin” account: the failures are few per host, but many per account.
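Here is what that correlation rule looks like in code, as an added example that is not taken from any SIEM product. It keys failed logins on the account name rather than the host, keeps a sliding time window per account, and raises an alert when the fleet-wide count crosses a threshold, flagging whether every individual host stayed under the lockout limit (the “low and slow” case from the paragraph above). The log lines, hostnames and addresses are constructed; the line shape assumed is an ISO timestamp, a hostname, and an OpenSSH “Failed password” message.

```python
"""Cross-host failed-login correlation of the kind a SIEM engine performs.

Added example, not from any SIEM product. Input lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed normalised line shape: "<ISO timestamp> <host> sshd[pid]: Failed password for <user> from <src> ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failure(line: str) -> Optional[dict]:
    """Return a failure event, or None for successes and unrelated lines."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "user": m["user"], "src": m["src"]}


def correlate_failures(lines: List[str], window: timedelta = timedelta(minutes=10),
                       total_threshold: int = 5, per_host_lockout: int = 5) -> List[dict]:
    """Alert when one account collects total_threshold failures across all hosts inside window.

    One alert per account per window; evades_lockout is True when no single host
    saw per_host_lockout failures, i.e. the host-local lockout never fired.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    last_alert: Dict[str, datetime] = {}
    alerts: List[dict] = []
    events = [e for e in map(parse_failure, lines) if e]
    for ev in sorted(events, key=lambda e: e["ts"]):   # a SIEM normalises time order first
        q = recent[ev["user"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:     # drop failures older than the window
            q.popleft()
        if len(q) < total_threshold:
            continue
        prev = last_alert.get(ev["user"])
        if prev is not None and ev["ts"] - prev <= window:
            continue                                     # already alerted for this window
        per_host: Dict[str, int] = defaultdict(int)
        for e in q:
            per_host[e["host"]] += 1
        last_alert[ev["user"]] = ev["ts"]
        alerts.append({
            "user": ev["user"],
            "failures": len(q),
            "hosts": sorted(per_host),
            "sources": sorted({e["src"] for e in q}),
            "evades_lockout": max(per_host.values()) < per_host_lockout,
            "first": q[0]["ts"],
            "last": ev["ts"],
        })
    return alerts


# Constructed sample: one source spraying "admin" across five hosts, never more
# than twice per host, plus a user fat-fingering his own password and a success.
SAMPLE_LOGS = [
    "2011-02-21T09:00:01 web01 sshd[4312]: Failed password for admin from 198.51.100.7 port 51022 ssh2",
    "2011-02-21T09:00:05 web01 sshd[4312]: Failed password for admin from 198.51.100.7 port 51022 ssh2",
    "2011-02-21T09:00:40 db01 sshd[9921]: Failed password for admin from 198.51.100.7 port 51030 ssh2",
    "2011-02-21T09:01:10 mail01 sshd[1203]: Failed password for admin from 198.51.100.7 port 51041 ssh2",
    "2011-02-21T09:01:20 mail01 sshd[1203]: Accepted password for alice from 10.0.0.21 port 40012 ssh2",
    "2011-02-21T09:02:00 ldap01 sshd[771]: Failed password for admin from 198.51.100.7 port 51050 ssh2",
    "2011-02-21T09:02:30 bob-desktop sshd[220]: Failed password for bob from 10.0.0.44 port 33100 ssh2",
    "2011-02-21T09:02:31 bob-desktop sshd[220]: Failed password for bob from 10.0.0.44 port 33100 ssh2",
    "2011-02-21T09:03:00 vpn01 sshd[5510]: Failed password for admin from 198.51.100.7 port 51062 ssh2",
]

if __name__ == "__main__":
    for alert in correlate_failures(SAMPLE_LOGS):
        print(alert)
```

On the sample, no host ever sees more than two failures for “admin”, so no local lockout fires, yet the engine raises one alert at the fifth failure naming all four hosts hit so far and the single source address. Tuning is the `window`, `total_threshold` and `per_host_lockout` arguments; in a real deployment the last of these should match whatever your directory’s lockout policy actually is.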
Advantages and Disadvantages
The advantage of a SIEM should be obvious – it allows administrative staff to view the current and past condition of a network with a stunning level of transparency and immediacy. Most popular SIEM products will ingest almost any log source: syslog over UDP or TCP, Windows event logs via an agent, SNMP traps, and flat files pulled over the network. And, generally speaking, writing a new parser to understand an unfamiliar format is a straightforward task.
The main disadvantage of a SIEM is that it is a very complex product, and even a basic deployment can be a major project unto itself. Each host needs to be configured to send its logs to the central console. The correlation engine needs to be carefully tuned to minimize false positives and, more importantly, to minimize false negatives. In a complex network, multiple listening hosts (often known as “probes” or collectors) may need to be deployed in order to have a clear view of every network segment. And the hardware to run a project like this needs to be pretty powerful; this isn’t something that will run in a VMware virtual machine sharing a host with a dozen other machines. You need CPU, memory, and disk to do this right, and the disk requirement grows with your retention period.
But if those disadvantages aren’t too daunting, a SIEM is a fantastic tool for anyone who needs to manage a network with more than a few dozen hosts.
Lojack for Students
February 19, 2011
The Anaheim Union High School District of California has come up with a new scheme for battling truancy: track students with GPS units.
Students with four or more unexcused absences are issued a GPS unit, which they must carry with them during the day. Their locations are checked five times a day – when they leave home for school, when they arrive, lunchtime, when they leave school, and eight PM. In addition to location tracking, students are assigned to a mentor for one-on-one planning sessions to avoid future truancy.
This is an interesting solution to a common problem – although I have to wonder how beneficial it really is to the other students to divert funds from education to technology, in the interests of filling the classroom with students who would rather not be there.
Android Trojan
February 18, 2011
Another trojan for the Android smartphone platform was discovered earlier this week. This one is apparently bundled into repackaged wallpaper apps and distributed in Chinese app markets. It essentially uses the phone’s data connection in the background to perform search engine queries and click on results; I imagine that click fraud revenue is a motivator.
Old Accounts
February 17, 2011
A recent survey conducted by Harris Interactive reveals that roughly 1 in 10 IT professionals still has access to accounts from a previous employer. And, considering that this was a survey of IT people, it’s pretty likely that these accounts are privileged in some way.
Are your employment termination procedures up to date?
(The survey has some other interesting conclusions as well, though I would take them with a grain of salt. Most of them concern account and identity management, and the survey was sponsored by a software company that just happens to have products in that space.)