Separation or Convergence? The Conflicts Between Log Management and SIM
Learn how the convergence of Log Management and Security Information Management (SIM) is changing the way we think about security, and why the demand for SIM is surging, even in the face of the current economic downturn.
Interviewer Scott Smith joins Mark Nicolett and netForensics Vice President of Products, Tracy Hulver, to discuss:
Scott Smith: The expectations on IT security keep increasing: keep the business safe from threats and attacks both internal and external, maintain compliance amid an ever growing docket of regulations, mandates and standards, and do it all without slowing or hindering the efforts or the business. A central approach to meeting these demands has been log management. While log management should be a vital part of any security strategy, it cannot be the strategy. Log management must be part of a wider security information and event management approach that provides security in a proactive and real-time fashion. What exactly should this broader strategy entail? What challenges does it pose and how do you determine the best solution for your security needs?
Welcome to the special program, Separation or Convergence: The conflicts between log management and SIM. We'll answer those questions for you proactively and in real time with two leading experts in this area: Gartner analyst Mark Nicolett and Tracy Hulver, Executive Vice President of Marketing and Products at netForensics. We'll begin with Mark Nicolette. Mark is a Vice President and distinguished analyst for security and privacy research at Gartner and he joins us from the organization's headquarters in Stanford, Connecticut. Mark, thanks for being here.
Mark: My pleasure.
Scott: So Mark, many companies rely heavily on log management in their security efforts. So, why isn't log management enough?
Mark: Well, log management and the ability to collect all log data from every source, store it, and provide query and reporting for it is a base capability. You need to be able to do these things and it's needed to support compliance reporting and forensics. But, it's not enough in many cases. That's because most organizations also want real-time monitoring to support security incident management and the data that is needed for monitoring and analysis is not always present in the log data that's being produced. In these cases, you need to get event data in some different way, from a network monitor, for example.
Scott: So why is log management getting so much attention?
Mark: Log management, as I mentioned, is a base capability and there are really two reasons that it has received so much attention. The first is that log management has become part of the standard of due care for many major regulations. For example, PCI calls it out explicitly and the auditors for a wide variety of regulations expect to find a log management capability deployed for systems and applications, even if it's not called out explicitly in the regulation. It's the case for general regulations like Sarbanes-Oxley and for industry-specific regulations like HIPAA for healthcare and the NERC regulations for the energy industry are just two examples. The second reason that log management is receiving attention is that it's also the foundation that's needed for real time security management and forensics. A lot of the organizations that are deploying log management, the project may be funded for compliance, but they want to move their security capabilities forward as well. You can think of log management as a collection tier that sits in front of the real time event manager. The idea is to collect all the data in real-time and them stream a filtered subset of the events through an event management for analysis. This allows the event manager to scale better because it's processing only a portion of the events in real time.
Scott: You talked about moving security capabilities forward and you talked about the regulations, and there always seems to be a new one we have to deal with, and we are, of course, in a tight economy. So Mark, as we look to move forward with security, how has that economic environment affected security spend?
Mark: Well, in this particular area of security information and event management, the economic downturn has not had a major affect. The last quarter of 2008 and first quarter of 2009, at the height of all this, the number of incoming calls has actually increased. The number of deployment projects, if anything, has grown. The affect of the downturn though, we suspect, will be in the scope of those deployments. So, if your organization has a compliance issue or audit issue to resolve, something will be done. What is done, we're hearing more and more, is the bare minimum required to support the issue. The scope of deployment is as narrow as possible and the functions that are deployed may be just enough to meet the regulations. That means that some of the additional capabilities that we talked about would be deployed in subsequent phases in other years after the initial requirement is resolved.
Scott: Earlier you referred to log management as a base capability for security efforts. Where does it fit overall into a security strategy?
Mark: Log management is a functional capability that, in and of itself, doesn't really provide or describe the capabilities that it supports. It's a set of functions that allow an organization to monitor user activity and monitor resource access. This capability is important for a variety of reasons. We talked about compliance and auditors expect it, but from a security perspective, if you think about the threat environment and how it's changed over the past four years or so, we've moved from an environment where there was noisy, mass attacks, to an environment that is much quieter, but also much more dangerous. We have a large number of narrow, targeted attacks and the goal is to either steal customer data or steal proprietary data that is strategically important to a company. In many cases, the only signal that you have that there is an attack underway or an attempt or that you've been breached is a change in resource access or a change in user behavior. So, in many cases, the monitoring technologies may be your one and only chance to circumvent or minimize the impact of one of these attacks.
Scott: Mark, you've cited security information management and event management as an area that more and more companies are moving toward. What recommendations do you have for companies that are looking to invest in these areas?
Mark: Companies that are looking to invest in security information and event management need to approach a project in a way that delivers quick benefits, especially in this economic environment, but also lays the foundation for additional capabilities that can be implemented in the future. That means that an organization needs to, yes, focus on the tactical issue at hand, but also involve the areas that will eventually use the capabilities and to consider the ultimate scale of the deployment and scope of the deployment so that when you get to Phase II or Phase III a year or two later, the foundation that you put in place initially serves that purpose as well. So, it's an issue or an exercise in understanding the requirements at hand, but then also involving the eventual set of stakeholders to understand the entire scope of requirements and then crafting an initial deployment that gets the primary issue resolved, but resolved in a way that can be used moving forward in these other phase.
Scott: As we move to bolster our security efforts, what trends or pitfalls should we especially take note of?
Mark: If I was going to describe the pitfalls of deployment, it's not doing that ground work up front to understand the ultimate scope of deployment. We've seen clients that have done a tactical, narrow deployment - and there is nothing wrong with that, as I mentioned earlier - but they did it in a way that they weren't well positioned to, for example, go from log management to real time monitoring or the initial deployment resulted in infrastructure that was running at 100% and didn't have the headroom to enable additional capabilities. The caution is to do enough of that scoping upfront and involve the different areas that will eventually be using the technology and to actually do some upfront analysis so that the organization understands things like the event rates, storage capacities needed and the type of reporting and analysis that they will ultimately have to support so that they can engineer something that meets long term needs and lays the foundation for future requirements. It also means you have to talk to different areas. You have to talk to people involved in compliance, obviously, and the security operations and network operations and perhaps the legal department as well to make sure you have the full requirements at the outset.
Scott: Mark, thank you very much. Mark Nicollett is a distinguished analyst for security and privacy research at Gartner. Mark talked about the importance of determining the right strategy and solutions to address your security needs. Our next guest helps companies do that every day. Tracy Hulver is the Executive Vice President of Marketing and Products at netForensics, a leading edge provider of security solutions. He joins us now from his office in Winchester, Virginia. Tracy, thanks for being here.
Tracy: Thank you.
Scott: Mark Nicollett of Gartner just gave us some great insights of the security issues that companies face and you're, of course, out there helping companies address these issues. Do you agree with Mark's assessment?
Tracy: On all the major points, absolutely. I think that the problem has cropped up over the past 2-3 years in that there is a lot of confusion between log management and security information management. It's been lumped together and it really shouldn't be. Log management and security information management should be a part of a single security solution, but because you have different vendors doing different things, log management has become almost a separate discipline that people look at. That's created problems because if you look at the regulatory requirements, many of them, in fact most of them, very specifically say you have to keep data retention for a specific time. The whole point of the regulation though is to secure and prevent data leakage. Having something that you can go back after the fact is important, but the intent of the regulatory requirements is to prevent the data breach from happening in the first place. Therefore, it has to be married with a security information management real-time threat identification and remediation process. So, I absolutely agree with what Mark was saying in that log management is a basis to build a better security response system on top of and it really requires both.
Scott: You just used the term 'married' when it comes to log management and real-time threat identification and remediation. So, let's play marriage counselor, as it were. How does netForensics address this issue?
Tracy: One of the pitfalls that I think customers want to avoid is to have two different solutions doing two different functions unnecessarily because that creates complexity in your environment and it also usually costs a lot more because you're not more having to purchase two different solutions, but having to manage two different solutions ongoing. So, we've taken the approach to say there is no need for that. As the events are coming in, they really need to do one of two branches. The events can certainly be taken and compressed, encrypted, and then sent to offline storage for the data retention purposes. Then, the events also need to be mined. You need to be able to take these events that are coming in (and by the way, most of these events are flooding in at thousands of event per minute or per second), boil that down, show me the events that are highest priority, and let me take some kind of remediation to prevent an attack, make sure that I am having a complete view of what my security posture is at any particular point in time. Having one product do that, that does both branches, is certainly preferable and that is what netForensics offers. We have an appliance that does full log management as well as security information management and remediation in one solution that typically costs half of a single solution with another vendor.
Scott: Wow, that's a high opening number and it leads me right into my next question. What separates netForensics from other vendors in this area?
Tracy: There are a few key differentiators that we offer that other vendors don't. Number one, we invented the SIM space and we have the patents to prove that. We've been doing this longer than anyone else out there. What that allows us to do is have a broad customer base and to be able to take the knowledge that we've gained over the past 10 years and continuously update our solutions with that knowledge that we've gained. We have the most wide range of customers in the industry. We're specifically the market leader with managed security service providers. If you think about that, we are securing companies that are securing everyone else and that gives us a tremendous advantage. Not only as a proof point that our technology is the best out there in the industry for real time security threat analysis and remediation, but it allows us to take the information and the lessons that we've learned from all these disparate environments and apply that and roll it back into our product. If you're a company between $5 million and $1 billion dollars, you are getting the best in class security solution out there that some of the largest government organizations and the largest corporations in the world are using. Another key point is that we have both a security information management SIM solution for the enterprise and we have a SIM solution for companies that are sub $1 billion, yet the security knowledge and security process that's used to secure those large organizations is also made available through this appliance to the mid-tier companies. The third thing that we differentiate is our scalability and some people will say, 'If I'm a $400 million company, why do I need to be concerned with scale?' You have to be concerned with scale because you have to really look at what the solution will cost over the long term, not only in hidden costs like hardware, but also in resources to manage that. Any SIM solution is only as good as the information that it's providing and the people that are using that information. The information that we're providing needs to be given to customers in a very easy to understand way and it also needs to guide them into how do I prevent, how do I take this attack and mitigate against it? Of course, under all of that is the logging piece, which we don't view as two separate functions; we view that as one function, which again is the final differentiator that netForensics has.
Scott: One thing that really struck me there, especially as you went through that example of a $400 or $500 million company that may not be looking strongly enough at the issue of scalability, is the wide range of issues that companies need to consider here. As you go in to help a client or prospect, what do you recommend they consider in a log management and/or SIM solution to, in fact, meet their needs?
Tracy: Well, you hit the nail on the head Scott, 'in a log management or SIM solution,' what do they look for? They look for both. You have to be able to solve both of those problems. As you look at the mandates, whether it's HIPAA or Sarbanes-Oxley or Basel II or whatever compliance regulation you're being governed by, not only is there a data retention piece, but there is a real-time threat piece. Again, the regulations were written to prevent data leakage from happening and to prevent attacks from occurring into critical infrastructure. So, logging because it's an after the fact is one piece, but the goal is to have something that sits on top and takes those events and correlates and tries to uncover patterns of attack, things that a human would not normally, in isolation, view as necessarily a threat but a true security information management system underneath, taking all these disparate events, and tying it together to give the complete story can give a layer of defense you can't get any other way. In fact, one of the most recent reports that came out, the Verizon report on data breaches, showed that almost 80% of all of the data breaches could have been found in the firewall logs. That asks the question, 'Well then, why did the data breaches happen if they're in the firewall logs?' Because a group of human beings cannot go through 1 million events per day looking for those 1-2 events that are identified as problematic. The customers need to understand and look for a solution that does both of those. They also need to look at a solution for their environment. 'Do I need an appliance? Do I need something that is a plug and play appliance that requires very little management, or do I need an enterprise class solution that I can go in and continuously tweak? I have security operators that need tremendous amounts of analytics to solve my problems.' Whatever the customer needs, netForensics can certainly provide a solution for that.
Scott: My next question might seem a little bit redundant to what we just talked about, but your answer really highlighted how many moving parts are involved here - from the technology to the people and so on. So, Tracy, what advice do you have for companies looking at log management and/or SIM?
Tracy: First, they need to understand what their requirements are. That sounds simplistic, but in reality, it's not. I've talked to many customers over the years that set out to solve their security problems to be able to shrink and reduce the amount of time that it takes them to respond to a security incident and to respond effectively. Yet, because there are so many vendors in this space, because there is this blurring of, 'is this a log manager or is this a security information manager,' because there are conflicting controls in the different requirements, that process of understanding what my end goal is a lot of times, much more difficult than it would appear on the surface. So, understanding what is the end goal. The second thing then is to be able to fit a solution to what that goal is. So if I want log management and some level of real-time threat to prevent the attacks from happening and processes in place to mitigate those attacks, then you shouldn't have to make a choice between, 'I only have budget for log management or log management is easier to deploy or I don't have the resources to manage and configure an ongoing security information management system.' The next thing is long term, what is the cost of deployment going to be? Many times, the ante set at the table is one figure, but then 12-18 months later because they're growing, because they want to pull more data into the security information management solution, now they have to add more hardware and now they need more redundant software for it. The cost can easily double over what their initial cost was. So, understand long term what the ROI triggers are going to be for this deployment. I think the last thing, which again is common sense, but because there are so many vendors in this space, it's challenging, understand the vendor. Who am I dealing with? What is their history? What solutions do they have? Will they be able to grow as my organization grows? Do they have flexible pricing options that can fit my budget, especially in these economic times? References are a very good way to validate what the vendor is saying. Do they have deployments that fit my model that I can talk to and reference? So, all of these things are just some of the pitfalls that we've seen customers have and there are things that, going into any solution you're going to deploy, you should make sure you're managing through these.
Scott: You just mentioned these tough economic times. How do we make sure we can get these solutions through the door? I mean, budgets are tight, so we have to make a stronger case for spending money on any solution, even security. Even though we want to make our security stronger, I wonder if IT might be hesitant for fear of the business folks thinking, 'Weren't you doing enough to secure us in the first place?' With those concerns in mind, what is the pitch we need to make here to our business folks?
Tracy: That's a great question. Historically security has been very difficult to put an ROI around because it's hard to prove a negative. How do I prove, because I haven't had a data breach in 2 years, that I need additional security measures to prevent that? Certainly the cost of a data breach, once that happens, a SIM solution is small potatoes compared to the cost that an organization is going to end up having to follow through and cleanup after that data breach. With that said, I think that the easiest way to justify the cost of a SIM solution is through the compliance mandates. Every company, just about, I can't even think of one that isn't governed by some regulatory mandate right now. Every single mandate has something in there about data retention, real-time threat, preventing data leakage, the ability to have security process to mitigate and respond to a security incident when it happens. Typically there are dollars associated with becoming compliant. So, certainly using the compliance budget to justify the security spend is one level of ROI. Another level of ROI is going to management and saying, 'The cost of a data breach, even a minor data breach, is this.' Typically that figure can range anywhere from $100 to 300 dollars per record in the database if it gets breached. It's very easy to say, 'We have 100 million records in our database. If I get breached, it's going to cost somewhere in the neighborhood of $100 million to cleanup between fines, security deployment, customer goodwill by having to reissue credit cards, etc.' Once they see those figures, the cost of a SIM solution certainly justifies that cost. I think that another good way to justify is really, because the question becomes how much more secure can I be, look at best practices. Look at the companies in your industry that have been breached or haven't been breached. The ones that have been breached, and a lot of this is public information, did they have a SIM solution? Chances are, they didn't. If they had a SIM solution, did they have people monitoring it and did they have security policy? For the people that haven't been breached, and there are reports out there and Gartner has some as well, what are the best practices for customers that are the most secure? Typically you'll find instant response, log management, security information management in there. Again, a justification to say, 'We need this layered defense.' Finally, we as a vendor can help with that. If you feel that you need to help justify the cost of either our appliance or our enterprise class SIM solution, SIM One, simply talk to us. We have the tools, we have ROI calculators, we can understand your environment and put together a business plan that you can take back to your manager or management team to say, 'This is a slam dunk because the protection that I'm getting through these few tens of thousands of dollars that I'm going to spend certainly outweighs the cost of not doing it.'
Scott: Tracy, thank you. Tracy Hulver is the Executive Vice President of Marketing and Products at netForensics. And thank you again to Gartner Research Vice President, Mark Nicolett, for his insights and advice. To find out more, go to www.netForensics.com.