Steps to Security Success
A Best-Practice Approach to Security Management
Written by Ken Baker
Add Security Information and Event Management
Once you’ve deployed your log management product, how do you know when it’s time to add the near real-time monitoring and management capabilities provided by a security information and event management (SIEM) product? In his white paper, The Complete Guide to Log and Event Management, Dr. Anton Chuvakin, a recognized security expert in the field of log management and PCI DSS compliance, offers the following three criteria that can serve as a guide to when you’re ready to graduate from log management to SIEM:
- Response capability: You have the ability to respond to alerts soon after they are generated.
- Monitoring capability: You already have or have started to build security monitoring capability through the creation of a security operation center or a team dedicated to ongoing periodic monitoring.
- Tuning and customization ability: Your organization is willing to accept the responsibility to tune and customize your SIEM product once it’s deployed. This is a necessity, since so-called out-of-the-box SIEM deployments rarely succeed or reach their full potential.
In talking about adding SIEM to your log management foundation, Dr. Chuvakin says, “Organizations that graduate too soon will waste time and effort, and won’t realize any increased efficiency in their security operation. However, waiting too long also means that the organization will never develop the necessary capabilities to secure themselves.”
When you’re ready to deploy a SIEM product, you want to choose a product that lets you build on and leverage your log management investment. This reinforces the need to also choose a log management product that can integrate or at least forward events to a SIEM product. This integration lets you naturally evolve your capabilities from reviewing periodic reports on log events to looking at those logged events in real-time and even receiving immediate alerts on suspicious activity.
One of the features that you want to look for in your SIEM selection is true real-time correlation. Some products might claim to provide real-time correlation, when in reality they’re just providing an event stream that shows events as they come in, with some rudimentary alerting. True real-time correlation uses correlation rules to look for relationships between individual events that, taken together, should raise warning flags even when each event looks harmless on its own.
For example, a user logging into one of your systems from an IP address in California probably won’t draw your attention. However, if a few minutes later that same user logs in from an IP address originating in Europe you should have cause for concern. But it’s unlikely you’ll ever notice that event if your SIEM product only streams individual events across a dashboard without spotting the correlation between these seemingly innocuous events. Correlation rules in your SIEM product should be able to determine that such activity is not normal, and then automatically take appropriate action such as blocking the login attempt, notifying you of the activity, or putting that user or IP address on a watch list.
Novell Sentinel has a correlation engine that lets you create and customize rules that can identify such events and then take the appropriate action to mitigate the situation. This adds intelligence to your security event management by automating the analysis of incoming event streams to find patterns of interest, identify critical threats and complex attack patterns, prioritize events and initiate effective incident management and response.
Novell Sentinel also has a graphical control center interface that provides a real-time, holistic view of security and compliance activities across your IT environment. (See Figure 2.) Novell Sentinel also leverages the same architectural foundation and technologies as Novell Sentinel Log Manager, including its communication bus, log connectors, data log collectors and event management system. Not only does this facilitate communication between all Sentinel Log Manager components and Novell Sentinel, but it provides you an efficient, streamlined solution that can scale to meet your needs.
Integrate Identity and Access Management
Once deployed, your goal should be to continually improve the depth and breadth of your SIEM capabilities. Part of this improvement can come from growing the number of systems in your environment that you proactively monitor and report on. Novell Sentinel has data collectors for nearly a hundred different systems from vendors including Apache, Checkpoint, Cisco, HP, IBM, McAfee, Microsoft, Nortel, Novell, Oracle, Red Hat, SAP, Sun and more, as well as generic connectors that can be customized to work with nearly any other system. (See Figure 3.)
While it’s important to extend your security management reach through further integration of your SIEM with your various systems, one of the most powerful and important integration points for SIEM is with identity and access management systems. Integrating identity and access management into your SIEM environment lets you tie specific events back to specific users. This enables proactive user activity monitoring across multiple systems, as well as monitoring individual users with different user names and accounts. It also makes it significantly easier to differentiate between authorized, legitimate login attempts and unauthorized logins through a backdoor.
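The two ideas above, a correlation rule that spots the California-then-Europe login pattern and the identity integration that ties accounts on different systems back to one person, can be shown together in a few lines. The following Python is an added example, not code from Novell Sentinel or Novell Identity Manager; the identity directory, the region lookup table, the log format and the log lines are all constructed sample data, and the 30-minute window and the suggested actions are assumptions chosen for illustration.

```python
# Added example (not Novell's or Sentinel's code): a minimal correlation rule
# that resolves accounts on different systems to one identity, then flags
# "impossible travel" logins. Identity directory, region table and log lines
# are all constructed sample data.
import re
from datetime import datetime, timedelta

# Constructed directory: (system, account name) -> person identity. This is
# the kind of mapping an identity management feed would supply to the SIEM.
IDENTITY_DIRECTORY = {
    ("vpn", "jdoe"): "jane.doe",
    ("webapp", "j.doe"): "jane.doe",
    ("vpn", "bsmith"): "bob.smith",
}

# Constructed region lookup keyed on documentation-range prefixes (RFC 5737);
# a real deployment would query a GeoIP database instead.
REGION_BY_PREFIX = {
    "198.51.100.": "California",
    "203.0.113.": "Europe",
}

# Constructed sample log lines in a simple key=value format.
SAMPLE_LOGS = """\
2024-03-01T10:00:00Z vpn LOGIN user=jdoe src=198.51.100.7 result=success
2024-03-01T10:03:00Z webapp LOGIN user=j.doe src=203.0.113.9 result=success
2024-03-01T10:05:00Z vpn LOGIN user=bsmith src=198.51.100.20 result=success
2024-03-01T11:40:00Z vpn LOGIN user=bsmith src=203.0.113.45 result=success
2024-03-01T11:41:00Z webapp LOGIN user=ghost src=203.0.113.46 result=success
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<system>\S+) LOGIN user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_event(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def region_of(ip):
    """Coarse region for an IP address; 'unknown' when no prefix matches."""
    for prefix, region in REGION_BY_PREFIX.items():
        if ip.startswith(prefix):
            return region
    return "unknown"


def correlate(lines, window_minutes=30):
    """Apply two rules to successful logins, processed in timestamp order.

    impossible-travel: the same identity logs in from two different known
    regions within the window, even if different account names were used.
    unresolved-account: a successful login whose account maps to no known
    identity; surfaced for review rather than silently dropped.
    """
    window = timedelta(minutes=window_minutes)
    events = [ev for ev in map(parse_event, lines) if ev is not None]
    events.sort(key=lambda ev: ev["ts"])
    last_login = {}  # identity -> (timestamp, region, "system:account")
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        account = f"{ev['system']}:{ev['user']}"
        identity = IDENTITY_DIRECTORY.get((ev["system"], ev["user"]))
        if identity is None:
            alerts.append({"rule": "unresolved-account", "account": account,
                           "src": ev["src"], "ts": ev["ts"],
                           "action": "add account and source to watch list"})
            continue
        region = region_of(ev["src"])
        prev = last_login.get(identity)
        if (prev is not None and "unknown" not in (region, prev[1])
                and region != prev[1] and ev["ts"] - prev[0] <= window):
            minutes = int((ev["ts"] - prev[0]).total_seconds() // 60)
            alerts.append({"rule": "impossible-travel", "identity": identity,
                           "accounts": [prev[2], account],
                           "regions": [prev[1], region],
                           "minutes_apart": minutes,
                           "action": "notify analyst; hold session for review"})
        last_login[identity] = (ev["ts"], region, account)
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Run as-is, the rule raises one impossible-travel alert for jane.doe, because the VPN login as jdoe from California and the web application login as j.doe from Europe three minutes later resolve to the same person; without the identity directory those would look like two unrelated accounts. bob.smith's two logins are 95 minutes apart and fall outside the window, so they are not flagged. The ghost account produces an unresolved-account alert: an account that no identity system knows about is exactly the case the text describes as hard to tell apart from a legitimate login without this integration.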
Achieving active user monitoring can be difficult and expensive if your SIEM product doesn’t inherently support this level of identity and access management integration. However, Novell has already done the work for you by providing this integration in Novell Sentinel. If you already have Novell Identity Manager, it’s as simple as flipping a switch to have it start feeding the necessary fine-grained identity information into the Novell Sentinel framework.
One Step at a Time
In truth, you might never need to reach the level of fine-grained security management provided by the integration of SIEM and identity access management. In fact, the whole concept might seem a bit overwhelming. That’s okay. If you follow this phased approach to security management, you can start small with the simple-to-deploy, easy-to-use and fast ROI log management provided in Sentinel Log Manager. And as your security management needs and capacity increase, you can easily grow your capabilities and reach with the real-time monitoring of Novell Sentinel, and then if desired you can move up to active user monitoring with Novell Identity Manager integration when you’re ready.
By taking this phased approach, you can ensure your success every step along the way while making small incremental investments that improve your security and decrease your compliance costs and complexity. To find out more about Novell Security Management solutions visit www.novell.com/solutions/security-management. If you want to see firsthand how easy it is to use and deploy Novell Sentinel Log Manager as your first step toward security management, you can download a free 90-day evaluation version of it at download.novell.com.