Meta Blog
Blog about infrastructure, visibility, and people who make it possible.
Do Most Customers Underutilize ArcSight?
Whether or not most ArcSight SIEM customers underutilize their solutions is an excellent question, although the answer may be completely subjective. As information security consultants, we know that the InfoSec infrastructure has to adhere to Corporate Security Program objectives, which are driven by business priorities and by the critical infrastructure that supports the business. Therefore, the answer to "Is the SIEM implementation leveraged to its full potential?" depends not so much on the SIEM's (admittedly impressive) capabilities as on the original business drivers behind the deployment, or, to put it simply, on why the solution was procured. Reviewing the original goals and motivations may provide a direct answer to whether or not your organization's SIEM solution is used to its full intended potential.
Of course, these objectives may not always be clear due to organizational changes or the complexity of internal decisions (or, let's face it, politics). So let us take a look at the most common scenarios we have seen drive customers to invest in enterprise-grade SIEM solutions, ArcSight in particular.
From our experience, the most common objectives seem to be the following:
1. Compliance: Deploy in order to address regulation and compliance requirements.
2. Log Management: Deploy as the initial step to log consolidation.
3. Correlation: Deploy in order to leverage the SEM's correlation capabilities, most frequently for advanced threat monitoring and for intrusion and malware detection techniques. Customers looking for help with "Advanced Persistent Threat" scenarios would fall under this category as well.
4. Security Infrastructure: Deploy in order to fulfill the objective defined under the Information Security Program, sometimes as a part of sweeping improvements to Information Security infrastructure or perhaps to drive the larger effort to design, build, and operate a fully functioning security operations center (SOC).
5. Event Management: Deploy the SIEM in order to improve event management capabilities, as the next logical step from centralized log management (SIM solutions such as the Logger, in the case of ArcSight offerings). In this category we would also include customers who are looking for help with dealing with or responding to the high volumes of events they are already collecting (un-tuned IDS alerts, proxy log data, etc.).
It is possible, of course, for an organization to have multiple drivers, or for its drivers to be less straightforward than described, but we hope that most organizations should be able to identify themselves with one or two of these groups. Let's take a closer look at these scenarios and discuss the common realities and challenges associated with each one.
1. Compliance
A customer procuring a SIEM solution in order to fill the gaps in compliance monitoring processes may or may not run a fully functional security operations team, but reaching information security objectives by way of justifying compliance expenditures has been common since the early days of HIPAA and, later, Sarbanes-Oxley.
Acquiring a SIEM to help demonstrate compliance monitoring definitely puts such a customer at an advantage. Unfortunately, we have also seen a number of examples where the solution was purchased and then shelved. Our recommendation would be to invest in a standards-based Content Pack (CIP), monitor the event sources necessary to drive the content, and spend a week or two on business integration and content tuning with the assistance of an experienced ArcSight services provider. Demonstrating compliance should not be expensive or require extensive home-grown solutions today.
2. Log Management
A common problem in this scenario is that a full-scale SIEM solution is most likely overkill for pure log management objectives. ArcSight's Logger, for example, would meet those needs well on its own. However, if ArcSight Express/ESM is on the table, our advice is to scale back on the use cases and to leverage Trends for most periodic reporting. Taking your analysts through the appropriate Express/ESM training would also ensure your teams are comfortable using the application for day-to-day functions. Unlike a lot of solutions out there, ESM/Express tends to have a steep learning curve.
3. Correlation
Commonly, a customer interested in correlation capabilities would have a security guru or two who would like to expand their internal and external threat detection capabilities. Typically these guys run their own show and take any vendor recommendations (as well as stock content) with a grain of salt. We hope that the customization for such an environment would include not only content developed to correlate the IDS / AV / proxy / DLP events, but also custom ("flex") connectors and content to support the fresh, innovative security solutions that are new to the market and relied upon internally.
4. Infrastructure
Deploying a SIEM as a part of a larger information security program indicates a mature customer, continuously working on improving their processes and architecture. The organization would be looking at a sizable effort, which may take many months to deliver. Here again, the experience of a trusted partner, specifically one with expertise in large ArcSight infrastructure deployments and growing SOC organizations, would make the key difference between a successful rollout and months of headaches and abandoned architectures.
5. Event Management
Most commonly this decision is driven by operational challenges, as opposed to being influenced by the needs of threat analysts and the CIRT (as in scenario 3). This is also the case where a typical customer would need the most help.
Unlike the correlation-driven Security Event Management solutions, centralized log management (SIM or LM) tools are fairly easy to justify and scope. In fact, most IT organizations clearly cannot afford to function without some sort of log management in place. LM objectives are also fairly straightforward: gather as much as you can, and search through it when you need to.
However, introducing Security Event Management into the mix adds not only powerful capabilities, but also very unique technical and procedural complexities that most customers have not had an opportunity to deal with. And here is the core of the issue, which is particularly true of ArcSight:
A modern SIEM is a uniquely complex solution because it has the capabilities to solve complex technical and business problems. Approaching SIEM deployment as another security tool is a mistake, precisely because SIEM is not an information security tool, but an information technology platform.
And as a platform, SIEM can drive a wide variety of functions: anomaly detection, security policy enforcement, compliance monitoring, threat detection, event based workflow, statistical analysis, KPI/KRI trend reporting and many, many more. As a platform, SIEM can increase visibility into information security specific and non-specific IT functions, processes, and infrastructure.
For any SIEM deployment to be successful (and ArcSight in particular), the customer needs to identify what specific functionality the solution should support and then build the solution out by defining the technical and business requirements, developing content, and establishing the necessary processes and workflow. Identifying the specific objectives and tailoring the deployment to meet them is the key to success here.
So what about the original question, "Do most customers underutilize ArcSight?" Based on what we've seen, the answer is "Yes, typically." And "underutilizing" your SIEM is completely acceptable, as long as the SIEM platform serves its intended purpose well.