I want to greet everyone who reads this note.
Initially I wanted to comment on the article “OSSIM security management system” in the sandbox (habrahabr.ru/post/157183), but the comment grew very large. The main question is: what type of SIEM is OSSIM?
Now a lot of people are interested in SIEM, but their idea of it is formed mainly from glossy marketing flyers. In most cases these flyers answer the question “Why do we need a SIEM?” rather sparingly, paying far more attention to advertising a particular “modern” SIEM product.
And what can now be considered a “modern” SIEM product? Let's see what kinds of SIEM systems there are. At the moment there are systems of two generations; the second generation is in most cases called “Next-Generation SIEM”.
Let's see what a first-generation SIEM consists of:

And here is what a Next-Generation SIEM consists of:

As you can see, the second generation of SIEM is characterized by a greater number of sources, and it is able to react to “abnormal” situations: for example, if a user suddenly changes his activity (he used to simply browse pages over HTTP, and now he begins to actively push traffic “outward” over other protocols), that is a reason to generate an “event”. In addition, a Next-Generation SIEM is able to analyze traffic passing through the network without additional hardware or software (by switching a spare network card of the SIEM server into promiscuous mode) and to monitor application activity, and this is on top of its main functions of “collecting logs from sources” and “analyzing events”. A Next-Generation SIEM can also track virtual infrastructures, something a first-generation SIEM is not always good at.
The analysis itself has also become more intelligent: the number of “incidents” that a specialist has to look at decreases by about 25-30% when a second-generation SIEM is used. This is achieved because statistics of routine operations are accumulated and a certain threshold is set for “atypical” operations. Say, user user1 usually edits documents and sends them via SMTP; if he suddenly starts using a different protocol for sending, an event requiring attention is not generated immediately, but only when a certain frequency (or volume) threshold of such events is exceeded. Recorded network activity data and so on are taken into account as well.
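The baseline-plus-threshold behaviour described above, as an added example that is not code from the original post or from any SIEM product: a per-user set of "normal" protocols is learned first, and an event is generated only when atypical protocol uses exceed a frequency threshold inside a sliding window. User names, protocols and timestamps are constructed sample data.

```python
# Toy "Next-Generation SIEM" style anomaly detector (added example, not from the post).
from collections import defaultdict, deque


class ProtocolAnomalyDetector:
    def __init__(self, threshold=3, window_seconds=600):
        self.threshold = threshold          # atypical uses needed before an event
        self.window = window_seconds        # sliding window length in seconds
        self.baseline = defaultdict(set)    # user -> protocols seen during learning
        self.atypical = defaultdict(deque)  # user -> timestamps of atypical uses

    def learn(self, user, protocol):
        """Record routine activity during the baseline-learning phase."""
        self.baseline[user].add(protocol)

    def observe(self, user, protocol, ts):
        """Return an event string once the threshold is crossed, else None."""
        if protocol in self.baseline[user]:
            return None                     # routine protocol: nothing to do
        q = self.atypical[user]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                     # forget uses outside the window
        if len(q) >= self.threshold:
            count = len(q)
            q.clear()                       # one burst -> one event, then reset
            return f"{user}: {count} atypical protocol uses ({protocol}) within {self.window}s"
        return None


def run_sample():
    """Replay a constructed activity log and return the generated events."""
    det = ProtocolAnomalyDetector(threshold=3, window_seconds=600)
    # learning phase: user1 normally browses over HTTP and sends documents via SMTP
    for proto in ("http", "smtp", "smtp", "http"):
        det.learn("user1", proto)
    activity = [                            # (user, protocol, unix timestamp), constructed
        ("user1", "smtp", 1000),            # routine, ignored
        ("user1", "ftp", 1010),             # 1st atypical use: no event yet
        ("user1", "ftp", 1020),             # 2nd: still below threshold
        ("user1", "http", 1030),            # routine
        ("user1", "ftp", 1040),             # 3rd within 600 s: event generated
        ("user1", "ssh", 2000),             # start of a new burst after the reset
        ("user1", "ssh", 3000),             # 1000 s later: earlier ssh use expired
    ]
    return [e for e in (det.observe(u, p, t) for u, p, t in activity) if e]
```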
But! Many managers claim that if you have SIEM %siem_name%, then there is no need to install DLP, IDS, vulnerability scanners, etc. In fact, that is not so. A Next-Generation SIEM can track some anomalies in network flows, but it cannot carry out a full analysis. A SIEM is, in fact, useless without other security systems: its main advantage, the collection, storage and analysis of logs, is reduced to nothing without the sources of those logs.
A frequent phrase in the leaflets is “SIEM %siem_name%: easy and fast implementation, a minimum of false positives, does not require reconfiguration of existing security tools...”. This is not true. You can, of course, get by with a minimum of reconfiguration: simply redirect the entire flow of events from security devices and systems to the SIEM. On a properly configured SIEM this will not cause a significant increase in false positives, but it will seriously load the database server (and make the database grow), which in the end increases database maintenance time and may lead to really important security incidents being missed. Therefore you will have to think about exactly what to send to the SIEM from the existing devices and what to leave to the existing security system. Example: you can redirect all the logs of the anti-virus installed on users' PCs directly to the SIEM, including database update events, but do you need that? Especially considering that some sources may generate events of the same type, or repeated events. Of course, in most cases a SIEM provides the possibility of combining them, but this again puts an excessive load on the SIEM server.
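The source-side filtering argued for above, as an added example that is not code from the original post or from any SIEM product: a forwarding filter placed between the log sources and the SIEM that drops routine anti-virus noise (database updates, scheduled scans) and collapses repeated identical events from one host into a single event with a count, so duplicates never reach the SIEM database. The line format, drop rules and log lines are constructed; real sources would need their own parsers.

```python
# Pre-SIEM forwarding filter with drop rules and duplicate aggregation (added example).
import re

# (source name, regex on message): matching events are not forwarded at all
DROP_RULES = [
    ("antivirus", re.compile(r"signature database updated", re.I)),
    ("antivirus", re.compile(r"scheduled scan (started|finished)", re.I)),
]

# constructed line layout: "<unix ts> <host> <source> <message>"
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<host>\S+) (?P<source>\S+) (?P<msg>.*)$")


def should_drop(source, msg):
    """True when a drop rule for this source matches the message."""
    return any(source == s and rx.search(msg) for s, rx in DROP_RULES)


def filter_and_aggregate(lines, window_seconds=300):
    """Return the events to forward as dicts (ts, host, source, msg, count).

    Identical (host, source, msg) events within window_seconds of the first
    forwarded copy are merged into it by incrementing its count.
    """
    out, last = [], {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                        # unparsable line: skipped here
        ts, host, source, msg = int(m["ts"]), m["host"], m["source"], m["msg"]
        if should_drop(source, msg):
            continue                        # routine noise never leaves the host
        key = (host, source, msg)
        ev = last.get(key)
        if ev is not None and ts - ev["ts"] <= window_seconds:
            ev["count"] += 1                # repeat inside the window: merge
            continue
        ev = {"ts": ts, "host": host, "source": source, "msg": msg, "count": 1}
        out.append(ev)
        last[key] = ev
    return out


SAMPLE_LOG = [                              # constructed sample lines
    "1000 pc-17 antivirus signature database updated to 2012.11.05",
    "1005 pc-17 antivirus malware detected: EICAR test file in C:\\tmp\\x.com",
    "1010 pc-17 antivirus malware detected: EICAR test file in C:\\tmp\\x.com",
    "1020 pc-17 antivirus malware detected: EICAR test file in C:\\tmp\\x.com",
    "1030 fw-1 firewall deny tcp 10.0.0.5:51000 -> 203.0.113.9:445",
    "1040 pc-17 antivirus scheduled scan started",
    "2000 pc-17 antivirus malware detected: EICAR test file in C:\\tmp\\x.com",
]
```

Running `filter_and_aggregate(SAMPLE_LOG)` forwards three events out of seven lines: one detection with count 3, the firewall deny, and a second detection outside the window.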
Special attention should be paid to the ability to collect flow data (NetFlow, sFlow, etc.): it cuts off unnecessary information about traffic on the network and, at the same time, yields additional useful information about the state of the network obtained directly from the network devices.
Likewise, there is no such thing as an easy implementation. Before starting, you need to do a lot of analytical work: determine which events are important, which are not, and so on.
Ultimately, the question is: who needs systems of this class? In the author's opinion, these systems are needed by those who have a large network infrastructure, who want to somehow streamline events and be aware of incidents, and who at the same time are ready for big expenses: the payback of such systems is not instantaneous and the benefits are, at first glance, not obvious. In addition, these systems are demanding on the “hardware”. Still, one leaflet had an apt phrase: “SIEM allows the CIO to explain IT problems in the language of business.”
The phrase is not without reason: the reports created by modern SIEMs, which come not only in various formats but are also customized for the needs of a particular organization, often allow you to get all the necessary data on two or three A4 sheets, presented in clear and visual graphs or numbers.
In conclusion, I would like to summarize: there are a lot of SIEMs (or products that call themselves such). But since mostly only large customers can afford them, they will pay attention to the leaders. Today there are only three absolute leaders: ArcSight ESM, QRadar SIEM (from IBM Q1 Labs), and McAfee ESM (formerly NitroView ESM). To these one can still add the rather interesting offerings of LogRhythm and NetIQ, according to Gartner.
In light of this, it is not entirely clear what prospects open source SIEM systems have, since for the most part they belong to the first generation. In my opinion, this is not a product class that can be easily replaced with open source equivalents without the risk of losing the benefits of regular updates and qualified support. On the other hand, there is the positive example of OpenBSD...
Do you think that open source SIEM has any prospects now?
P.S. Until recently I thought that there were no simple and clear articles on SIEM; it is gratifying to see that this situation is slowly being corrected: on Securitylab.ru, in the “Analytics” section, there is a series of articles on SIEM which, in my opinion, belong to the category of mandatory reading before starting work. They explain well the theory of how systems of this class work.