Securing the SIEM
system: Control access,
prioritize availability
Contents
Securing the SIEM
system: Control access,
prioritize availability
The prospect of a SIEM system crash or compromise
should scare any enterprise given the role it plays in an
organization’s security infrastructure. This expert E-Guide
discusses the implications of a compromised SIEM system
and explores defenses available for managers looking to
secure it.
Securing the SIEM system: Control access, prioritize
availability
Given the role a properly implemented, managed and utilized security information and event management (SIEM) system plays in an organization's security infrastructure environment, it’s clear that compromising SIEM activities could be a successful strategy for an attacker looking to avoid detection or undermine management of the environment's security.
What are the potential implications of a compromised SIEM system, and what defenses are available for enterprises looking to secure their SIEM systems? Those are questions we'll seek to answer in this tip.
Treat the SIEM system as a high-priority enterprise resource
It should be recognized that while a SIEM system is the infrastructure's nerve center from a security operations point of view, it is also one of many
systems within the managed enterprise environment. For this reason, the SIEM should be polled regularly to ensure it is running and fully operational. Part of the SIEM deployment plan should be to ensure the SIEM system is identified as a critical system in the enterprise landscape, and the hardware and software systems on which it runs are configured and managed as high-risk areas.
It is also necessary to consider the SIEM system's resilience. Future SIEM system designs will focus on attributes like adaptive routing to ensure that if one path for security event delivery cannot be traversed, another path is
Contents
Securing the SIEM
system: Control access,
prioritize availability
followed, and out-of-band signaling to the central node, where alternative communication channels may be used.
Practical steps for achieving SIEM system security today
While these next-generation SIEM protections will be incorporated into future SIEM system products, a lot can be done now to ensure SIEM security. By ensuring a typical security review approach is applied to the SIEM system itself, the security event-collection process can be implemented effectively:
• From an authentication and access control point of view, SIEM system access should be carefully set up and managed. Integration with the enterprise's LDAP directory services could be a way to ensure the SIEM system is seen not as an island, but rather as part of the managed environment. Access to the system should be limited, and privileged access in particular should be carefully controlled, possibly within a "separation of duties" type of approach whereby no single individual or administrator is able to act in isolation.
• The confidentiality and integrity of the security information must be considered, specifically with respect to how information travels between the collection agents/aggregation points and the central management node. Where information is stored -- for example, a database at the central node -- confidentiality needs to be considered. Privacy could also be an issue to consider, depending upon where and how security events are being used.
• In some instances, anonymization is applied to security events so general trends can be determined -- especially if conducted off-site or across multiple clients -- with only limited scope to reverse this to reconstruct the actual event, under the control and policies of the organization.
• Nonrepudiation could be considered to ensure actors, authorized or otherwise, cannot repudiate event evidence of particular actions. How SIEM events are stored, both centrally and in the originating systems, needs to be considered to ensure sufficient evidence can be gathered. • Finally, the availability of a system is considered a security issue, and
Contents
Securing the SIEM
system: Control access,
prioritize availability
future SIEM products will have self-healing, adaptive-type capabilities from an architectural perspective. In the interim, the disaster recovery aspects of a business should ensure the SIEM system is also
implemented on a high-availability type infrastructure and that, along with recovery of other mission-critical systems, the SIEM is prioritized to ensure orderly monitoring and insight. After all, depending on what has caused an outage or disaster, having the security systems running first could be most important, ensuring any unexpected patterns, alerts, events or incidents are visible, that they can be investigated, and that responses can be deployed.
Through careful deployment, the security of SIEM systems can be enhanced. While it will take more time to create architectures that increase the resilience of SIEM products, treating them as high-availability, critical systems within the overall management landscape can be done immediately.
About the author:
Andrew Hutchison is an information security specialist with T-Systems International in South Africa. An information security practitioner with 20 years of technical and business experience, his technical security work has included secure system development, security protocol design and analysis, and intrusion detection and network security solutions. He has held executive responsibility for information security in a large enterprise, establishing its chief security officer role and initiating an ISO27001 security certification program. As business sponsor for large SIEM rollouts, he has experience in deploying and operating SIEM systems in a managed service provider environment. He is an adjunct professor of computer science at the University of Cape Town in South Africa.
Contents
Securing the SIEM
system: Control access,
prioritize availability
Free resources for technology professionals
TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web’s largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more —drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real world information in real time with peers and experts.
What makes TechTarget unique?
TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers—all to create compelling and actionable information for enterprise IT professionals across all industries and markets.
