Intelligent use of security information and event management (SIEM) and log management products strengthens security, facilitates compliance and produces enormous business efficiencies, according to a survey.
The survey has strong implications for resellers, consultants, integrators and service providers: More than with most technologies, successful SIEM and log management programs depend on the continuing integration of business goals, policies, processes and use of standards.
The Aberdeen Group survey, "Leveraging Logs, Information and Events," was underwritten by Vigilant and SIEM vendors Intellitactics Inc. and TriGeo Corp. Aberdeen surveyed 120 diverse companies, mostly in the Americas, ranging from $1 billion to $50 million and below in annual revenue.
Conversely, a point-product approach is a sure formula for failure and a lost opportunity for a strong, long-term relationship between companies and their sales and service providers.
"One of the biggest mistakes is to take technology on faith," said Alison Andrews, CEO of Vigilant. "You install the product; connect up a whole bunch of source devices and expect magic to happen."
The report identified how best in class, average and "laggard" companies leveraged data from logs and other sources.
Two of the biggest differences separating the best companies from the rest of the pack lie in the drivers for leveraging log, information and event data: 43% identified adherence to industry standards and best practices, such as COBIT, ISO and ITIL, and their own internal policies as driving pressures, more than double the percentages for the survey respondents as a whole.
SIEM/log management vendors support this in part by mapping correlation rules and reports to these standards.
How effective are best in class programs? The proof is in the pudding.
Companies in the top fifth of the survey group reported year-over-year decreases in security-related incidents (-5.8%); non-compliance incidents, such as audit deficiencies (-10.1%); and total management costs leveraging security data (-5.7%).
By contrast, half the respondents showed slight increases in each area, while the "laggard" bottom 30% showed significant increases.
The findings tend to point the way for channel partners -- typically integrators for large enterprises and resellers for smaller companies -- to support their clients.
"Vendors want to do two things -- get laggards to the middle and get middle companies to the top," said Rick Caccia, vice president of product management for SIEM vendor ArcSight.
For channel partners, that means advising clients on the low end how to monitor the basics, such as monitoring for malware, failed logins and issuing essential reports. One approach for helping companies with moderately effective programs reach best in class status, Caccia said, is benchmarking successful enterprises in their vertical -- banking, for example -- and showing how their policies and practices can be applied.
Vigilant, which is principally a consulting company focusing on solution design and integration, has developed a sophisticated vendor-agnostic SIEM practice around what it calls "use case libraries." These are collections of successful and, in some cases, innovative practices for leveraging security data, as well as vendor-specific configuration settings for actual implementation.
Channel companies had best be prepared to service companies according to their level of SIEM/log management maturity.
"You have to meet people where they are," said the report's author, Derek Brink, Aberdeen vice president and research fellow. "The top 20% are best in class, so, by definition, 80% are somewhat earlier; you can help those who are just getting started, and even the best can do better."
A company's over-arching goals should be security, compliance and optimizing operations, in that order, Brink said. The first two are essential to protecting the business and meeting its obligations, but the third will produce additional cost savings and unlock the log/information/event management program's -- and the supporting technologies' -- potential.
The survey shows best in class companies well ahead of their laggard counterparts in leveraging their programs to reduce the costs of security, compliance and ongoing management; implement standards and best practices; and optimize network performance.
Specifically, best in class companies:
- Prioritize security control objectives as a function of risk, audit and compliance requirements.
- Centralize the collection, normalization and correlation of security and compliance information.
- Standardize their response for exceptions, security events and incidences of non-compliance.
- Standardize audit, analysis and reporting.
- Regularly review log, information and event data.
- Assign a responsible executive or team with primary ownership for leveraging this data.
"There are tremendous efficiencies to be found with regard to security operations and potentially well beyond that," said Vigilant's Andrews. "There's a demonstrable ROI coming in at tens of millions in cost savings."
SIEM and log management products serve these practices by automating processes that are otherwise very labor-intensive.
Interestingly, 17% of the best in class companies are on the low end of the spectrum, organizations with $50 million or less in annual revenue, proving that you don't have to be big to be good. Aberdeen's Brink notes that although smaller organizations do not have the resources of enterprises, they can still follow best practices and may be small enough to get the job done without a lot of expensive technology. Smaller companies looking for log management and/or SIEM help can turn to companies like TriGeo, which focuses on the midmarket, or managed service providers.
While both start with log data, SIEM and log management tools perform complementary functions. Log management can help fulfill a number of security and compliance requirements, especially generating reports and aggregating log information for efficient analysis. SIEM adds a layer of sophisticated, multidimensional reporting. SIEM is also incorporating more and more data sources beyond traditional logs, moving up the stack to include application data and directories for user tracking.
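As an added illustration (not code from the Aberdeen report or from any vendor named in this article) of the centralized collection, normalization and correlation the best in class practices call for, and of the basic failed-login monitoring mentioned earlier, the block below normalizes constructed sshd and Windows-style log lines (both formats are assumptions) into one schema and then correlates failures across both systems per source address.

```python
"""Normalize two constructed log formats into one schema, then correlate
failed logins per source address across both systems.
Added illustration; not code from the Aberdeen report or any vendor."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in two assumed formats (not real telemetry).
SSHD_LINES = [
    "2024-03-01T10:00:01 sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 5020 ssh2",
    "2024-03-01T10:00:04 sshd[812]: Failed password for root from 203.0.113.9 port 5021 ssh2",
    "2024-03-01T10:00:30 sshd[812]: Accepted publickey for deploy from 198.51.100.7 port 4100 ssh2",
]
WIN_LINES = [  # constructed CSV-like export: time,event_id,user,source_ip (4625 = failed logon, 4624 = success)
    "2024-03-01T10:00:07,4625,Administrator,203.0.113.9",
    "2024-03-01T10:00:09,4625,jsmith,203.0.113.9",
    "2024-03-01T10:01:00,4624,jsmith,198.51.100.7",
]

SSHD_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+)")

def normalize_sshd(line):
    """Map an sshd auth line onto the common schema; return None for lines we do not parse."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts, verdict, user, ip = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src_ip": ip,
            "outcome": "failure" if verdict == "Failed" else "success", "source": "sshd"}

def normalize_win(line):
    """Map a Windows-style CSV logon record onto the same schema."""
    ts, event_id, user, ip = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "src_ip": ip,
            "outcome": "failure" if event_id == "4625" else "success", "source": "windows"}

def collect(sshd_lines=SSHD_LINES, win_lines=WIN_LINES):
    """Centralized collection: one time-ordered event list regardless of origin."""
    events = [e for e in map(normalize_sshd, sshd_lines) if e] + [normalize_win(l) for l in win_lines]
    return sorted(events, key=lambda e: e["ts"])

def correlate_failed_logins(events, threshold=3, window_seconds=60):
    """Flag a source IP with >= threshold failures, across any systems, inside window_seconds."""
    by_ip = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            by_ip[e["src_ip"]].append(e)
    alerts = {}
    for ip, fails in by_ip.items():
        for i in range(len(fails)):  # slide the window start over each failure
            run = [f for f in fails[i:] if (f["ts"] - fails[i]["ts"]).total_seconds() <= window_seconds]
            if len(run) >= threshold:
                alerts[ip] = {"failures": len(run), "users": sorted({f["user"] for f in run}),
                              "systems": sorted({f["source"] for f in run})}
                break
    return alerts
```

Neither system alone reaches the threshold on its own sshd or Windows failures here; only the merged, normalized view does, which is the point of correlating centralized data rather than reading each log in isolation.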
Vendors are also starting to integrate with other tools, such as database activity monitoring and data leakage prevention.
The markets are merging as well. Most SIEM vendors have either played up their log management capabilities or spun out separate products/modules. Similarly, log management vendors are moving up the food chain with more SIEM functionality. Notably, LogLogic recently incorporated a SIEM module using Exaprotect technology, then acquired the SIEM vendor.