
An IT Briefing produced by

SIEM 3.0: The Next Generation of Security and Compliance Monitoring

Sponsored By:



By Rick Caccia

2008 TechTarget

BIO
Rick Caccia is Vice President of Product Strategy at ArcSight. Caccia spent 15 years designing and managing infrastructure systems with a focus on security and identity management. Prior to ArcSight, he led product management at Symantec for e-mail and Web security products. Prior to Symantec, Caccia was at Oblix, leading product management and marketing for identity management, access control, and Web services policy. He has a master's degree in marketing and technology management from U.C. Berkeley.

This IT Briefing is based on an ArcSight/TechTarget Webcast, SIEM 3.0: The Next Generation of Security and Compliance Monitoring. This TechTarget IT Briefing covers the following topics:

Introduction
The Evolution of SIEM
  SIEM 1.0 - Protecting the Perimeter
  SIEM 2.0 - Protecting the Network
  Changes
  Impacts of These Changes
SIEM 3.0
  Protecting the Business
  Example Involving a Contractor
  Example Involving Compliance Violation
  Example Involving Account Takeover
Evaluating SIEM
  Broad Collection
  Normalization
  Auto-Learning in SIEM 3.0
  Auto-Response in SIEM 3.0
  Scale in SIEM 3.0
  Applications in SIEM 3.0
Beyond SIEM 3.0
ArcSight SIEM Overview
  Event Collection
  Asset and User Model
New Applications
  IdentityView
Deploying the Platform
Summary
Common Questions
Copyright 2008 ArcSight. All Rights Reserved. Reproduction, adaptation, or translation without prior written permission is prohibited, except as allowed under the copyright laws.

About TechTarget IT Briefings
TechTarget IT Briefings provide the pertinent information that senior-level IT executives and managers need to make educated purchasing decisions. Originating from our industry-leading Vendor Connection and Expert Webcasts, TechTarget-produced IT Briefings turn Webcasts into easy-to-follow technical briefs, similar to white papers. Design Copyright 2004-2008 TechTarget. All Rights Reserved. For inquiries and additional information, contact: Dennis Shiao, Director of Product Management, Webcasts, dshiao@techtarget.com



Introduction
This paper discusses some of the more interesting trends in the security information and event management (SIEM) industry. SIEM has gone through distinct phases. First, as shown in Figure 1, SIEM 1.0 monitored the perimeter security devices and told us whether those devices were working, answering the question of whether anything unwanted was getting through to the network. Second, if something did get through, as Figure 2 illustrates, IT administrators relied on the SIEM system, which collected events from node to node, to tell them which desktops needed to be quarantined, rebuilt, and so forth. SIEM 1.0 was about protecting the perimeter, and many organizations still use it for their first phase of SIEM deployment. In practice, though, many organizations have moved beyond that stage to what can be called SIEM 2.0.

The Evolution of SIEM


This section describes the evolution of SIEM technology, from its first phase to the current one, and includes a look at its future.

SIEM 1.0 - Protecting the Perimeter


Phase 1 SIEM was quite straightforward. In the SIEM 1.0 era, companies deployed many firewalls and IDS or IPS devices to protect the network perimeter from hackers, worms, and other malware. SIEM implementations served two purposes in this phase: confirming that the perimeter devices were doing their job, and identifying which internal machines were affected when something got through.

Figure 1

IT Briefing: SIEM 3.0: The Next Generation of Security and Compliance Monitoring


Figure 2

SIEM 2.0 - Protecting the Network


Phase 2 SIEM still protects the perimeter but adds compliance initiatives, so the mandate is to protect the network in addition to the boundary. In this phase it is important to ask questions like those shown in Figure 3. Are the patches installed? Are antivirus definitions updated on every desktop? SIEM 2.0 tells the IT admins that the network protection processes are working, and they can pass that evidence along to the auditors. As with SIEM 1.0, this phase has a similar second purpose, shown in Figure 4. If a virus infects a user's laptop over the weekend and starts to spread across the network on Monday morning, the SIEM product can tell the admin which machines are affected and which ones need to be rebuilt. The interesting fact about this layer is that, for malware scanning, the AV vendors play up the signatures, definitions, and so on, but in practice much of the malware prevention comes from the behavioral analysis in those tools, which is what contains outbreaks. SIEM 2.0 can also help here, because it analyzes the spreading behavior of a virus or worm and can provide an early alert for IT as well as indicating which machines need repair.

Changes
This section discusses some of the dramatic changes affecting the IT environment.

Data Changes
More data is online and exposed to the Internet. More and more paper documents have been digitized, and more and more forms are online. So more data is exposed to the public network, and data breaches are happening more often and with greater impact. More risk brings more regulation, which brings more penalties.

More Online Transactions


Another change is that more transactions take place online than ever before, whether they are banking transactions or purchases on eBay, Amazon, Google, or Craigslist. In many of these purchases people pay with PayPal, Google Checkout, or some other form of online payment.


Figure 3

Figure 4


Online transactions also include self-service stock trading and wire transfers. As a result of all these online transactions, more money is moving over the network, providing more opportunity for problems.

More Data, Devices, and Events

Another change is simply growth in the network. More traffic comes from more users accessing more devices and generating more log events. This increased volume makes it more difficult to keep track of who is doing what. These are essentially technical changes, but business changes are occurring as well.

More Mergers and Acquisitions

More mergers and acquisitions are occurring, resulting in more heterogeneous systems in an organization's IT environment. This change provides more opportunities for things to fall through the cracks.

More Layoffs

More mergers mean more layoffs that, apart from the personal effects, bring increased potential for data loss. An IT World study indicates that 88% of IT administrators said they would take confidential information if they knew they were getting laid off. Even if this number were off by a factor of two, it would still be a serious problem.

More Outsourcing, Contractors, and Trusted Outsiders

Another change is more outsourcing, and not just to offshore companies. More companies rely on contractors, partners, and so forth, and the result is that most organizations have more trusted outsiders than ever before. These people can access internal systems but are not company employees.

More Software as a Service

Software delivered as a service is a relatively new change. For example, many companies use www.salesforce.com to manage customer data. More and more are using Google Docs or Gmail for corporate IT. More applications like these mean more data outside the firewall, less control over security, and less control over data storage.

Impacts of These Changes

All these changes have a significant impact on businesses.

Disappearance of the Perimeter

The first impact is the disappearance of the perimeter. The notion of inside and outside changes when parts of the business are outsourced, when trusted outsiders access internal systems, and when key applications and data reside in the cloud.

Who Is on the Network and Who Should Be There?

When the wall around the business shrinks, new questions arise about who is trusted. It is difficult to know whom to trust without information about the identity of everyone on the network. Deactivated individuals might still be generating activity. Besides understanding who is on the network, it is important to know who should be on the network. IP addresses are no longer enough: DHCP, mobile workers, and shared accounts all increase the need for real identity monitoring, not just knowledge of an IP address.

SIEM 3.0

These changes and their impacts are causing many organizations to reconfigure their businesses. Security is becoming more challenging; to protect the business, monitoring becomes much more important. SIEM 3.0 can be a significant help with these new challenges.

Protecting the Business

SIEM 3.0 is not just about protecting the perimeter of the network, but about protecting the business, as Figure 5 illustrates. It is still necessary to protect the perimeter and the network, but it is most important to protect the overall business. To protect the business, it is essential to understand who is on the network, what data they are seeing, and which actions they are taking with that data: user monitoring, data monitoring, and application monitoring. SIEM 3.0 is about monitoring and understanding users, monitoring the information they look at, and monitoring the applications they touch.

Figure 5

Example Involving a Contractor

SIEM 3.0 can correlate the events around a transaction to help determine whether it is fraudulent or improper. For example, an IT contractor is completing his work at a company. Analyzing his activities raises several flags. First, he has been using his badge to access the workspace after hours. His role in the identity management system is contractor, and it is against this customer's policy for contractors to come in after hours. Correlating file system logs indicates that he has copied some confidential files from the NetApp filer. Finally, correlating firewall logs shows that he has uploaded files to an unknown site. This monitoring enabled the customer to identify a contractor engaged in improper activity.
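The contractor case above as working detection logic. This is an added example, not ArcSight code and not the customer's actual rules: the events, the account-to-person mapping, the contractor role, the business-hours policy, the approved-upload list and the four-hour window are all constructed for it. It shows the three signals the scenario names being joined on a rolled-up identity rather than on an IP address, with the evidence carried into the finding so an analyst can verify the correlation.

```python
"""Correlate badge, file-server and firewall events against identity context.

Added example, not ArcSight code. Every table below is constructed for the
example; only the three signals (after-hours badge entry by a contractor,
confidential file reads from the filer, upload to an unknown site) come from
the scenario in the text.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed identity model: each system's account rolled up to one person,
# plus the role the identity management system would supply.
ACCOUNT_TO_PERSON = {
    ("badge", "B-4471"): "rjones", ("ad", "CORP\\rjones"): "rjones", ("proxy", "rjones"): "rjones",
    ("badge", "B-1020"): "adunn",  ("ad", "CORP\\adunn"): "adunn",  ("proxy", "adunn"): "adunn",
}
ROLE = {"rjones": "contractor", "adunn": "employee"}

# Constructed policy: contractors may not be on site outside these hours, and
# only these upload destinations are approved.
BUSINESS_HOURS = (time(8, 0), time(18, 0))
APPROVED_UPLOAD_HOSTS = {"files.partner.example", "crm.example.com"}
CONFIDENTIAL_PREFIX = "/vol/finance/"

# Constructed, already-normalized events: (timestamp, source, account, action, detail)
EVENTS = [
    ("2008-06-02T21:15:00", "badge", "B-4471", "door_entry", "bldg2-floor3"),
    ("2008-06-02T21:40:00", "ad", "CORP\\rjones", "file_read", "/vol/finance/acquisition-model.xls"),
    ("2008-06-02T21:52:00", "proxy", "rjones", "http_post", "drop.unknown-host.example"),
    ("2008-06-02T21:55:00", "proxy", "rjones", "http_post", "drop.unknown-host.example"),
    # An employee doing the same things in business hours, to an approved site
    ("2008-06-02T10:05:00", "badge", "B-1020", "door_entry", "bldg2-floor3"),
    ("2008-06-02T10:30:00", "ad", "CORP\\adunn", "file_read", "/vol/finance/q2-forecast.xls"),
    ("2008-06-02T11:00:00", "proxy", "adunn", "http_post", "files.partner.example"),
    # The contractor on site after hours another day, with no file activity
    ("2008-06-03T22:00:00", "badge", "B-4471", "door_entry", "bldg2-floor3"),
]


def after_hours(ts):
    """True outside Monday-Friday business hours (constructed policy)."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def resolve(events):
    """Attach the rolled-up person and a parsed timestamp to each event."""
    out = []
    for ts, source, account, action, detail in events:
        person = ACCOUNT_TO_PERSON.get((source, account))
        if person:  # unmapped accounts are a separate rule's problem
            out.append((datetime.fromisoformat(ts), person, source, action, detail))
    return sorted(out)


def detect_contractor_exfil(events, window=timedelta(hours=4)):
    """Contractor after-hours entry followed by a confidential read and an
    upload to a non-approved host inside the window. One finding per entry."""
    resolved = resolve(events)
    by_person = defaultdict(list)
    for ev in resolved:
        by_person[ev[1]].append(ev)

    findings = []
    for ts, person, source, action, detail in resolved:
        if not (action == "door_entry" and ROLE.get(person) == "contractor" and after_hours(ts)):
            continue
        later = [e for e in by_person[person] if ts < e[0] <= ts + window]
        reads = [e for e in later if e[3] == "file_read" and e[4].startswith(CONFIDENTIAL_PREFIX)]
        uploads = [e for e in later if e[3] == "http_post" and e[4] not in APPROVED_UPLOAD_HOSTS]
        if reads and uploads:
            findings.append({
                "person": person,
                "role": ROLE[person],
                "entry": ts.isoformat(),
                "files": sorted({e[4] for e in reads}),
                "destinations": sorted({e[4] for e in uploads}),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_contractor_exfil(EVENTS):
        print(finding)
```

Run directly, it prints one finding, for the contractor. The employee who reads the same share during business hours and uploads to an approved site produces nothing, and neither does the contractor's second after-hours entry without file activity. A real deployment would take the role from the directory and the timestamps from each source's own clock, and would fold the clock skew between badge system, filer and firewall into the window rather than assuming they agree.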

Example Involving Compliance Violation

We investigated the computer activity of another company's well-respected senior business analyst. Correlating identity information in the access directory with application access on the mainframe and in the Oracle Financials application showed some potential problems. This analyst had violated separation-of-duties restrictions, and it was necessary to sort out the access rules to make sure the company was still in compliance with Sarbanes-Oxley.

Example Involving Account Takeover

This is a real situation involving a client of a bank who asked to wire funds from her account using the bank's Web site and her iPhone. At first the bank was pleased about the cost savings that come with self-service, but some correlations showed possible issues. We examined the timing and saw that her account had been established only recently. We also saw that it was a single-custody account, so she could wire funds without a second signature, and that the wiring address had changed very recently. This banking customer found that its back-office employees were using newly established customer accounts to wire money out of the country and steal from customers. They did it by changing addresses and executing transactions in the period between when an account was established and when the new-account paperwork was sent out to the customer.
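The account-takeover case above as a rule, followed by the step that exposed the insiders: grouping the flagged wires by the back-office actor who made the address change. This is an added example, not the bank's or ArcSight's rules; the accounts, events, employee identifier, country codes (ZZ is a placeholder, not a real country) and the 45-day and 10-day thresholds are constructed for it.

```python
"""Flag wires from new single-custody accounts shortly after an address
change, then find the back-office actor common to the flagged accounts.

Added example, not the bank's or ArcSight's rules. Accounts, events,
employee IDs, country codes and thresholds are constructed; the four signals
(recently opened account, single custody, very recent address change, wire
out of the country) are the ones the scenario in the text describes.
"""
from collections import Counter
from datetime import date, timedelta

HOME_COUNTRY = "US"

# Constructed account master (what the core banking system would hold).
ACCOUNTS = {
    "A1001": {"opened": date(2008, 5, 20), "custody": "single"},
    "A1002": {"opened": date(2008, 5, 27), "custody": "single"},
    "A0310": {"opened": date(2003, 2, 11), "custody": "joint"},
    "A1003": {"opened": date(2008, 5, 30), "custody": "single"},
}

# Constructed audit trail: (date, account, action, actor, wire country).
# actor is the back-office user for a maintenance change, "customer" for a
# self-service transaction. "ZZ" is a placeholder foreign country code.
EVENTS = [
    (date(2008, 5, 29), "A1001", "address_change", "emp-t.ortiz", None),
    (date(2008, 6, 2),  "A1001", "wire_out",       "customer",    "ZZ"),
    (date(2008, 5, 31), "A1002", "address_change", "emp-t.ortiz", None),
    (date(2008, 6, 2),  "A1002", "wire_out",       "customer",    "ZZ"),
    (date(2008, 6, 2),  "A0310", "wire_out",       "customer",    "ZZ"),  # old joint account
    (date(2008, 6, 1),  "A1003", "wire_out",       "customer",    "US"),  # new, no change, domestic
]


def flag_wires(events, accounts, new_account_days=45, change_window_days=10):
    """Return wires carrying all four risk signals, with the address-change actor."""
    changes = [e for e in events if e[2] == "address_change"]
    flagged = []
    for when, acct, action, actor, country in events:
        if action != "wire_out":
            continue
        a = accounts[acct]
        # Address changes on this account in the days just before the wire
        recent = [c for c in changes if c[1] == acct
                  and timedelta(0) <= when - c[0] <= timedelta(days=change_window_days)]
        signals = {
            "new_account": (when - a["opened"]).days <= new_account_days,
            "single_custody": a["custody"] == "single",
            "recent_address_change": bool(recent),
            "foreign_destination": country != HOME_COUNTRY,
        }
        if all(signals.values()):
            flagged.append({"account": acct, "date": when.isoformat(),
                            "changed_by": recent[-1][3], "signals": signals})
    return flagged


def suspect_insiders(flagged, min_accounts=2):
    """An actor who changed the address on several flagged accounts is the lead."""
    per_actor = Counter(f["changed_by"] for f in flagged)
    return {actor: n for actor, n in per_actor.items() if n >= min_accounts}


if __name__ == "__main__":
    hits = flag_wires(EVENTS, ACCOUNTS)
    for h in hits:
        print(h["account"], h["date"], "address changed by", h["changed_by"])
    print(suspect_insiders(hits))
```

Each wire is scored on its own, which is what the bank's first correlation saw; the second function is the pivot that turns two unrelated-looking customer complaints into one employee. The thresholds are the knobs a fraud team would tune against its own false-positive rate, and the "paperwork sent" date from the scenario would be a better upper bound for the window than a fixed 45 days if the mailing system logs it.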

Evaluating SIEM
This section discusses how you can evaluate SIEM products against the issues we have discussed.


Broad Collection

First, you need to address the impacts on the business caused by the changes described above. Look for software that can collect information from a broad range of sources. Relatively simple sources include firewalls, routers, and switches. More expensive sources to integrate include phones, badge readers, servers, and laptops. Even more expensive are the identity management and access control systems, the file servers, and the data leakage prevention products, as well as packaged applications. It is important to be able to examine the event information from all those systems.

Normalization

When you collect information from all those systems, you will notice that the events are logged in a variety of formats, which makes them very difficult to correlate. The login from the firewall, the login from the mainframe, the login from Windows, and the login from the phone system: none of these events looks the same, so you are comparing apples to oranges to strawberries to something else. Until you normalize the formats, you cannot compare them, so you cannot analyze them to determine whether you have an issue. You need to convert all these formats to a common format, essentially making everything look like an apple. Then you can compare them.

Auto-Learning in SIEM 3.0

The next challenge is defining good rules that can be applied to resolve these sophisticated issues. A key function of SIEM 3.0 is the ability to learn automatically and to create new rules. This ability to auto-learn means that the SIEM can look at historical data and activity, process that information, and teach itself about the observed patterns, which are often difficult to detect by visual examination. By creating new rules, the system gets smarter as it works. Moving from finding a worm coming through the firewall to detecting a trusted insider or outsider taking various actions over time that lead to a data breach, the analysis becomes very different. You want a system that can learn on its own, one that does not rely solely on the administrator who is at a console from 9 to 5.

Auto-Response in SIEM 3.0

Once you do auto-learning, create those rules, and start finding issues, you want your SIEM 3.0 solution to have automatic response. When it finds a problem, it should help you solve that problem, too. The response can be automatic, it can go through some kind of guided workflow, or the administrator can be helped along, but you need to shorten the time between problem detection and resolution. For example, when the SIEM system determines that a company's sales rep is copying confidential data and is about to leave for a competitor, it should be able to automatically shut that rep out of the key systems immediately to prevent further loss. It is useful to find the problem, but it is also useful to contain it.

Scale in SIEM 3.0

More data and more devices mean that the SIEM really needs to scale up to process large numbers of events. Tens or hundreds of millions of events per day will be the norm in a SIEM 3.0 world. This is already the norm for many organizations and will become more widespread as people begin to analyze more of the data that moves through their networks.

Applications in SIEM 3.0

The evolution of the iPhone demonstrates how a platform increases its value by supporting applications. The same rule applies to the SIEM, and especially to SIEM 3.0. You want your SIEM 3.0 solution to run many kinds of correlations and to support a level of analysis on top of the basic platform. Many organizations are trying to do this today by piecing together solutions from a variety of products: a log management product from one vendor, business intelligence or business analysis from a different vendor, and different technologies to collect data. Unfortunately, these pieces tend not to talk to each other. You need a platform where the components are tied together, where they share tools, and where they share formats, so that it is easy to analyze the collected data.

Beyond SIEM 3.0

Beyond the 3.0 examples described earlier, some leading organizations have moved beyond user, data, and application monitoring. In the area of logistics monitoring, one company is using its SIEM to correlate shipping, weather, and other information, performing a kind of optimized logistics. Another company is correlating stock trades to monitor trades for fraud. A pharmaceutical company correlates information from medical devices during drug trials to learn about drug interactions. Another organization is using the SIEM for biohazard monitoring, correlating shipping manifests, cargo scans, and other useful information to discover any issues. The monitoring platform that comes with a good SIEM product can solve a variety of problems beyond just catching worms sneaking past the firewall.

Event Collection

The first strength of the ArcSight SIEM is event collection, illustrated in Figure 7. ArcSight believes it offers the most comprehensive event collection and normalization on the market, collecting from just under 300 types of data sources out of the box. Each of these is normalized to our common event format. For example, a failed login from Windows, a failed login from a mainframe, and a failed login from a Linux server generate event data that is converted to the same format, allowing for some interesting analysis. The key point of this normalization is that, besides providing better analysis, it makes the analysis future-proof. Many IT organizations want to upgrade pieces of their environment, and they want their analysis to keep working on normalized data even when some equipment has been replaced. Rip out Cisco and put in Check Point; rip out Check Point and put in Juniper: the ArcSight analysis still works.
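What the normalization described in the Normalization section and again here looks like in practice, as an added example that is not ArcSight code. It takes a failed login from three unlike sources (a Windows 4625 event flattened to one line, an OpenSSH syslog line, and a firewall's key=value line), maps each to one schema whose field names are this example's own choice, and renders them in the public CEF line layout; the vendor, product and signature values used in the output are illustrative. The four log lines are constructed samples. Once the three look alike, counting failures per user across every source is one line.

```python
"""Normalize failed-login events from unlike sources into one common schema.

Added example, not ArcSight code. The log lines are constructed samples. The
common schema's field names are an assumption of this example; to_cef() uses
the public CEF line layout
  CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
with illustrative vendor/product/signature values.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed samples: one failed login from each of three sources, plus one
# unrelated line the normalizer must leave alone.
SAMPLE_LOGS = [
    # Windows Security log entry flattened to one line by a collector
    "2008-06-02 23:41:07 EventID=4625 Account Name: jsmith Workstation: WS17 "
    "Source Network Address: 10.1.4.22 Status: 0xC000006D",
    # Linux sshd via syslog (no year in the timestamp)
    "Jun  2 23:41:09 fileserver sshd[2210]: Failed password for jsmith "
    "from 10.1.4.22 port 51234 ssh2",
    # An edge firewall/VPN appliance with its own key=value style
    "time=2008-06-02T23:41:12Z dev=fw-edge-1 action=auth-fail user=JSMITH "
    "srcip=203.0.113.9 reason=bad-credentials",
    "Jun  2 23:41:13 fileserver sshd[2210]: Connection closed by 10.1.4.22",
]

WIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) EventID=4625 Account Name: (?P<user>\S+) "
    r"Workstation: (?P<host>\S+) Source Network Address: (?P<src>\S+)")
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(
    r"^time=(?P<ts>\S+) dev=(?P<host>\S+) action=auth-fail user=(?P<user>\S+) "
    r"srcip=(?P<src>\S+)")


def make_event(ts, vendor, product, sig_id, user, src, dst):
    """One record in the common schema (field names chosen for this example)."""
    return {
        "ts": ts.isoformat(),       # UTC ISO-8601 so sources can be ordered together
        "vendor": vendor, "product": product, "sig_id": sig_id,
        "name": "Login failure",    # one name for the same kind of event everywhere
        "outcome": "failure",
        "user": user.lower(),       # case-fold so JSMITH and jsmith are one user
        "src": src, "dst": dst,
    }


def normalize(line, syslog_year=2008):
    """Return a common-schema event for a recognised failed login, else None."""
    m = WIN_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        return make_event(ts, "Microsoft", "Windows", "4625", m["user"], m["src"], m["host"])
    m = SSH_RE.match(line)
    if m:  # syslog omits the year; the collector has to supply it
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(
            year=syslog_year, tzinfo=timezone.utc)
        return make_event(ts, "OpenSSH", "sshd", "failed-password", m["user"], m["src"], m["host"])
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return make_event(ts, "ExampleFW", "edge", "auth-fail", m["user"], m["src"], m["host"])
    return None


def esc_header(value):  # CEF header fields escape backslash and pipe
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(value):     # CEF extension values escape backslash, '=' and newlines
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(ev, severity=5):
    """Render a common-schema event as one CEF line."""
    header = "|".join(esc_header(x) for x in
                      ("CEF:0", ev["vendor"], ev["product"], "1.0", ev["sig_id"], ev["name"], severity))
    ext = " ".join(f"{k}={esc_ext(v)}" for k, v in
                   (("rt", ev["ts"]), ("suser", ev["user"]), ("src", ev["src"]),
                    ("dhost", ev["dst"]), ("outcome", ev["outcome"])))
    return f"{header}|{ext}"


def failures_by_user(events):
    """Once normalized, failures from every source count against one name."""
    return Counter(e["user"] for e in events if e["outcome"] == "failure")


if __name__ == "__main__":
    events = [e for e in map(normalize, SAMPLE_LOGS) if e]
    for e in events:
        print(to_cef(e))
    print(failures_by_user(events))
```

Two details matter more than the regexes: the timestamp is rewritten to one time zone with the year filled in, because a syslog line has neither, and the user name is case-folded, because the firewall reports JSMITH while the other two report jsmith. Without both, the three failures would look like three unrelated users on three unrelated days, which is exactly the apples-and-oranges problem the text describes.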

Figure 7

ArcSight SIEM Overview

ArcSight sells a SIEM platform and is a leader in the market, offering a centralized platform made up of multiple products for centralizing security. Figure 6 shows the layers in the platform. Starting at the bottom of the figure, an integration layer provides our connectors. These are deployed to collect data from a large variety of devices, normalize the data to a common format, and send it to the real-time correlation engine and to the historical logging engine. These engines perform real-time analysis and reporting. If they find an issue, our auto-response engine can take action. These engines support a set of modules at the top of the platform for regulatory or business purposes.

Figure 6

Asset and User Model

As Figure 8 illustrates, a key strength related to correlation is the notion of the asset and user model. ArcSight monitors and models the assets on the network. For every asset, server, and firewall device, these models record severity, susceptibility to attack, and attack history. This allows you to identify the high-impact assets on the network, write rules against them, and, when appropriate, raise a warning. In addition to modeling assets, you can also model users, relating multiple accounts to a user's true identity and examining his or her activity. You can profile a user to understand historically what that user's patterns are, and the result is that you can identify who the high-impact users are. You can then write correlation rules that tell you when a high-impact user touches a high-impact asset that may be at risk, and take a specific action.

Figure 8

New Applications

New applications can run on top of the ArcSight platform.

IdentityView

As Figure 9 shows, ArcSight IdentityView is a privileged user monitoring application that does many of the things described above. IdentityView is a specialized SIEM 3.0 application that can auto-synchronize with identity management systems, roll up multiple accounts to a unique ID, do compliance reporting and access violation alerts, and perform activity profiling for automatic machine learning. The result is that you get much more in terms of security and compliance.

Figure 9

Deploying the Platform

As Figure 10 describes, organizations looking at SIEM products have a range of deployment needs, and ArcSight can be deployed along that spectrum. At one end, organizations just want occasional alerting if a problem arises, together with historical compliance reporting to satisfy basic audits. The next level, which can be thought of as a virtual Security Operations Center (SOC), suits organizations that want their SIEM to do some real-time monitoring and correlation. They want to monitor what users are doing, but they do not have a full-time person sitting in front of a dashboard; if something goes wrong, they want something like e-mail notification. Organizations at the other extreme have a fully staffed, 24/7 SOC, and when something goes wrong the security staff can take immediate action.

Figure 10
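A minimal version of the asset and user model described under Asset and User Model above, as an added example that is not ArcSight's model or its priority formula. The asset attributes (criticality, open vulnerabilities, attack history), the identity roll-up, the high-impact flag, each user's historical profile and the weights are all constructed; the rule "high-impact user touches high-impact asset" falls out of the score rather than being written as a special case.

```python
"""Prioritize access events with an asset model and a user model.

Added example, not ArcSight's model or scoring. Asset attributes, user
attributes, baseline profiles and weights are constructed; the idea that
criticality, susceptibility, attack history, user impact and deviation from
the user's historical pattern drive priority follows the text.
"""

# Constructed asset model keyed by IP: criticality 1-5, count of open
# vulnerabilities (susceptibility), and whether it has been attacked before.
ASSETS = {
    "10.0.1.5":  {"name": "oracle-fin-db", "criticality": 5, "open_vulns": 2, "attacked_before": True},
    "10.0.2.40": {"name": "print-server",  "criticality": 1, "open_vulns": 0, "attacked_before": False},
    "10.0.1.9":  {"name": "hr-app",        "criticality": 4, "open_vulns": 0, "attacked_before": False},
}

# Constructed user model: accounts rolled up to one identity, an impact tier,
# and the set of assets the identity touched during the baseline period.
USERS = {
    "dba-lee": {"accounts": {"CORP\\lee", "oracle:SYS_LEE"}, "high_impact": True,
                "baseline_assets": {"10.0.1.5"}},
    "kim":     {"accounts": {"CORP\\kim"}, "high_impact": False,
                "baseline_assets": {"10.0.2.40"}},
}
ACCOUNT_INDEX = {acct: uid for uid, u in USERS.items() for acct in u["accounts"]}


def score_event(account, dst_ip, assets=ASSETS, users=USERS):
    """Return (priority 0-10, reasons) for one access of dst_ip by account."""
    asset = assets.get(dst_ip)
    uid = ACCOUNT_INDEX.get(account)
    user = users.get(uid)
    score, reasons = 0, []
    if asset:
        score += asset["criticality"]                      # 1..5
        reasons.append(f"asset {asset['name']} criticality {asset['criticality']}")
        if asset["open_vulns"]:
            score += 1
            reasons.append(f"{asset['open_vulns']} open vulnerabilities")
        if asset["attacked_before"]:
            score += 1
            reasons.append("prior attack history")
    else:
        reasons.append("unmodeled asset")
    if user:
        if user["high_impact"]:
            score += 2
            reasons.append(f"high-impact user {uid}")
        if dst_ip not in user["baseline_assets"]:
            score += 1
            reasons.append("asset outside user's historical profile")
    else:
        score += 1                                         # cannot be attributed to anyone
        reasons.append(f"account {account} not mapped to any identity")
    return min(score, 10), reasons


def triage(events, threshold=7):
    """Events at or above the threshold become alerts with their reasons attached."""
    alerts = []
    for ts, account, dst_ip in events:
        score, reasons = score_event(account, dst_ip)
        if score >= threshold:
            alerts.append({"ts": ts, "user": ACCOUNT_INDEX.get(account, account),
                           "asset": ASSETS.get(dst_ip, {}).get("name", dst_ip),
                           "priority": score, "reasons": reasons})
    return alerts


# Constructed events: (timestamp, account as logged by the source, destination IP)
EVENTS = [
    ("2008-06-02T09:00:00", "oracle:SYS_LEE", "10.0.1.5"),   # DBA on the vulnerable finance DB
    ("2008-06-02T09:05:00", "CORP\\kim",      "10.0.2.40"),  # ordinary user, print server
    ("2008-06-02T23:10:00", "CORP\\lee",      "10.0.1.9"),   # same DBA, outside her profile
    ("2008-06-02T23:12:00", "CORP\\ghost",    "10.0.1.5"),   # unmapped account on the crown jewel
]

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert["priority"], alert["user"], "->", alert["asset"], alert["reasons"])
```

The two accounts CORP\lee and oracle:SYS_LEE are scored as one person, which is the roll-up the text describes, and the print-server event scores 1 and never surfaces. The unmapped account is deliberately not ignored: an account that the identity model cannot resolve touching the most critical asset is itself a finding, since it is exactly the deactivated-but-still-active or shared account the earlier section warned about.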

Summary
Figure 11 lists several major points. First, although some organizations look at SIEM just to monitor the perimeter, SIEM has evolved from the perimeter and the firewall to the network for compliance. Many organizations have moved all the way to monitoring the business, users, data, and applications, because that is where the biggest risk and reward are. A worm coming through a firewall causes problems, but not as significant as the theft of customer data. No product can monitor users, data, and applications alone, so the notion of an ecosystem becomes important. The ecosystem includes not just the SIEM product but related monitoring products, such as database activity monitoring products and identity management or identity audit products. Choose a SIEM platform and monitoring products that are compatible. Finally, many organizations have spent money on systems that do not work. Over time the network changes, and the related technologies need to change with it, so future-proofing needs to be a key evaluation criterion. Ask whether this product will work in the future. It is difficult to predict what your network will look like in two or three years, but you will certainly want to monitor it, so you want an architecture that allows you to do that.


Figure 11


Common Questions
Question: What else is required to do the things that you have described? Can SIEM do it all?
Answer: That's a good question. I think SIEM is a good platform for analyzing data. We have customers who don't want to constrain this to the SOC but want to use it for general business analytics. To do those kinds of things you need other technologies. I would be remiss if I said that your SIEM product can do it all. Some vehicles mentioned earlier are the database activity monitoring products and the identity audit products. Also, the data-leakage prevention products can render some interesting verdicts around confidential data. So, if we have learned anything in this market, it is that customers have many kinds of moving parts in their networks and the SIEM product needs to be able to work with all of those.

Question: Which identity management systems do you support?
Answer: We have connectors today for Oracle and Microsoft, and we are just finishing up the phone connector. When I say connectors, these basically synchronize with the user and role modeling in the IT management system, so that you manage your users there. We are able to pull the data out and use it to do identity correlation, and then use account correlation and relay all the activity for a rolled-up account.

Question: Which is better, SIEM that uses agents for monitoring or agentless monitoring?
Answer: That depends on what you are trying to do. In general, most organizations look for something that is agentless. They would like to have less of that. And so the way most of the SIEM products work is to pull data out of the log files for the various systems and then convert it to a normalized format. Wherever possible we try to do that without agents. In some cases, such as Windows monitoring, specialized agents give you more data than is normally in the log file. So I think it depends on your needs, but I would say the market trend is to try not to use agents.

Question: A question about acronyms: sometimes you use SIEM, sometimes SEM or SIM. Which is right?
Answer: These acronyms have evolved. Once there was the notion of log management, which involved two separate markets, one called SIM, the other SEM. Then over time people figured out that these were not really separate. Vendors began combining them and the SIEM acronym came into being. People just pronounce it "sim."

Question: Do we need an identity manager platform to correlate users, or can you do it with Active Directory in Windows alone?
Answer: I would say a large portion of the customers I talk to have not yet installed an identity management application. Instead, they use Active Directory, and you can actually do quite a bit with that. In Active Directory you have a user, you have perhaps multiple accounts, if you keep them in AD, and you have the groups to which that user belongs. We actually have an Active Directory user model import connector, so we can pull that in, and with that you can now produce a kind of authoritative list of users and their groups. We can augment that with data we extract from other systems. It is common to do an extract from products like PeopleSoft or SAP and in ArcSight combine the PeopleSoft HR extract with the information we pull out of Active Directory. Now you have a pretty good view of users that you don't have in any of the individual apps, and you can start to do some pretty interesting correlations. So, you definitely do not need an IdM system. Probably more than half the customers manage with just Active Directory plus ArcSight.

Question: Does ArcSight allow opening Remedy tickets as part of the corrective action?
Answer: Yes, we do have an integration with Remedy. So if you have an alert you can have a built-in action to kick off a Remedy ticket and later a follow-up action.


Question: Does ArcSight have a native mainframe connector?
Answer: Yes, we have a couple of different mainframe connectors and work with other ones. Some customers have their own to pull out log files. Some partner products are focused on that and have more functionality than our connectors, but we do have a basic mainframe connector.

Question: Is your event data stored in a format that can be verified as not having been tampered with, in case you need to use a collection of events in a court case?
Answer: Yes, we have had the product certified as audit-ready or as litigation-quality. I think there is a white paper that addresses that. We also have a variety of different training classes. These are described on our Web site.

Question: Do you have a new version coming out that has faster processing?
Answer: Yes, we do have some product changes coming that have some significant improvements in processing. We have not released anything publicly, so stay tuned. You will see some pretty interesting changes coming.

Question: Does ArcSight have an appliance or is it software-based?
Answer: All the products are available as appliances now. Some of them are also available as software. For example, our correlation product ESM was originally available as software and still is. We have recently added it as an appliance version.

Question: What is the best way to collect real-time events and audit data from DBMS systems?
Answer: Great question. I touched on the database activity monitoring products a couple of times. Those are excellent products for pulling data, both audit data and event data, out of DBMS systems. One of the common issues with monitoring databases in particular is the way they are often deployed. An application server may have a Web application running on top of it. The application server multiplexes a lot of requests through a single connection and runs a bunch of database queries, so the app server knows who all the users are. But according to the database, there is only one user called App Server, or something like that. So the logs don't have the user information. Database activity monitoring products are very useful for backing out that information and understanding which users executed which queries. They're also good at understanding historical paths to the data. So if someone runs a query that's out of the historical norm, they're good at understanding this. So, I definitely recommend looking at those products for database monitoring. I know we already have prebuilt integrations with several of the companies. I think Guardian announced a certification at a recent user conference and we have seen that in a lot of our accounts. Great partner.

Question: With ArcSight, can you use a GUI to build rules and parsers, or does it require professional services or programming? Also, a related question: there's the perception that ArcSight, while it's a great product, can be difficult to design. Can you address this?
Answer: Yes, I would be happy to do that. Customers run the gamut in their need for functionality. We have been working hard to tune the product to match different needs. So, for some customers wanting to collect logs, do real-time alerts, and run reports, ArcSight Logger is a very straightforward way to do that. We have other customers, in financial services or the federal government, who do very, very complex analysis and are doing fairly heavy programming on top of the system, and ESM is great for that. One of the things that we want to do is make it easier to access all the functionality in ESM. We are working on some interesting things that you will see in a product coming up fairly soon, such as simplification in the correlation GUI and correlation technology, including specialized wizards, simplification of database management, and so forth. We are evolving the product to match different users' needs.
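Returning to the database-monitoring answer above: the pooled-connection problem, and the "backing out" of user identity that a database activity monitoring product does, can be shown with a time-based join between the application server's request log and the database's query log. This is an added example, not a DAM product and not ArcSight code; both logs, the per-user baseline and the two-second lag tolerance are constructed for it. It assumes the application server logs the authenticated user for every request and that the two clocks agree, which is the weak point of any such join and the reason products that hook the driver or the wire get a more reliable answer.

```python
"""Attribute pooled database queries to end users by joining the application
server's request log to the database's query log on time.

Added example, not a database activity monitoring product and not ArcSight
code. Both logs and the baseline are constructed. Assumes the app server logs
the authenticated user per request and that both clocks are in sync.
"""
import re
from bisect import bisect_right
from datetime import datetime, timedelta

# Constructed application-server access log: the app knows the user.
APP_LOG = [
    "2008-06-02T14:00:01 user=alice POST /customers/search",
    "2008-06-02T14:00:04 user=bob GET /customers/48213",
    "2008-06-02T14:00:09 user=carol GET /reports/export",
]

# Constructed database audit log: every query arrives as db_user=appsvc.
DB_LOG = [
    "2008-06-02T14:00:01.120 db_user=appsvc sql=SELECT id,name FROM customers WHERE name LIKE 'Sm%'",
    "2008-06-02T14:00:04.310 db_user=appsvc sql=SELECT * FROM customers WHERE id=48213",
    "2008-06-02T14:00:09.050 db_user=appsvc sql=SELECT ssn,card_no FROM customers",
]

APP_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<req>.+)$")
DB_RE = re.compile(r"^(?P<ts>\S+) db_user=(?P<dbu>\S+) sql=(?P<sql>.+)$")

# Constructed baseline: the query shapes each user has issued historically.
BASELINE = {
    "alice": {"SELECT id,name FROM customers WHERE name LIKE ?"},
    "bob":   {"SELECT * FROM customers WHERE id=?"},
    "carol": {"SELECT COUNT(*) FROM orders WHERE day=?"},
}


def query_shape(sql):
    """Replace string and numeric literals so queries compare by structure."""
    sql = re.sub(r"'[^']*'", "?", sql)
    return re.sub(r"\b\d+\b", "?", sql)


def attribute_queries(app_log, db_log, max_lag=timedelta(seconds=2)):
    """Map each DB query to the latest app request that started before it."""
    requests = []
    for line in app_log:
        m = APP_RE.match(line)
        requests.append((datetime.fromisoformat(m["ts"]), m["user"], m["req"]))
    requests.sort()
    starts = [r[0] for r in requests]

    attributed = []
    for line in db_log:
        m = DB_RE.match(line)
        qts = datetime.fromisoformat(m["ts"])
        i = bisect_right(starts, qts) - 1          # last request at or before the query
        if i >= 0 and qts - starts[i] <= max_lag:
            user = requests[i][1]
        else:
            user = None                            # nothing close enough: leave unattributed
        attributed.append({"ts": m["ts"], "db_user": m["dbu"], "user": user, "sql": m["sql"]})
    return attributed


def users_seen(attributed, key):
    """Distinct principals under a given key ('db_user' or 'user')."""
    return sorted({a[key] for a in attributed if a[key]})


def anomalous_queries(attributed, baseline=BASELINE):
    """Attributed queries whose shape this user has never issued before."""
    return [a for a in attributed
            if a["user"] and query_shape(a["sql"]) not in baseline.get(a["user"], set())]


if __name__ == "__main__":
    rows = attribute_queries(APP_LOG, DB_LOG)
    print("database view:", users_seen(rows, "db_user"))
    print("attributed   :", users_seen(rows, "user"))
    for a in anomalous_queries(rows):
        print("out of profile:", a["user"], a["sql"])
```

Seen from the database alone there is one principal, appsvc; after the join there are three, and the bulk read of ssn and card_no lands on carol, whose baseline contains only an aggregate over orders. The lag tolerance is the honest part of the example: when two requests overlap inside it, the join is ambiguous and the query should be reported as such rather than attributed to whichever request happened to start last.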
Question: To monitor specific files for changes, would you recommend using a product specialized for this purpose and then have this product monitored by the SIEM?

Answer: That is a very interesting question. I would say it depends on what you are trying to do. In some cases we monitor the Windows logs and monitor the file system there, and for some customers that's good enough. For customers who want to see more detail, other products focus just on file system monitoring. They do some things that we wouldn't natively do. So it depends on what you are trying to do. I think in either case we either have a connector to do it or we have partnerships with the people who focus on that.

Question: Do you do antifraud today?

Answer: A lot of our customers are in financial services and we have seen a trend in many of them, which was that they deployed ArcSight to do perimeter monitoring and network monitoring. In many cases they had a breach of some sort, so they tried to apply the correlation technology they are using for the perimeter to some of their fraud. And it was pretty interesting. In most cases they were able to discover the breach, discover the source of the fraud, and so forth pretty quickly. We had one customer say they basically prevented a $900,000 breach. So people are definitely doing it today. We have wrapped up a bunch of the rules and reports that we have built for these banks for antifraud into a package called the Antifraud Accelerator, which is available today.

Question: How does what you talked about compare to an identity management system?

Answer: We don't see what we are doing as a replacement for identity management at all; instead, it's an adjunct. Identity management products are great for managing the user life cycle: adding new users, provisioning them to applications, managing their roles, managing user changes (if someone changes departments or titles or buildings), things that change access rights. Those products are well tuned to manage that. What SIEM products in general are good at doing is monitoring real-time user activity. And when you put those two products together, you can understand who the user is from the IdM system and what they do by connection to the SIEM tools.
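Two of the answers above describe the same correlation problem from different sides: the database audit trail only ever sees the pooled "App Server" login, so end-user attribution has to be rebuilt from another source, and the IdM system knows who a user is (role, department) while the SIEM sees what they do. The following Python is an added example for this briefing, not ArcSight code or any vendor's product. It assumes, as a constructed shortcut, that the application tier writes a request id (`qid`) into both its own log and the statement the database audits; real database activity monitoring products derive the mapping from session and timing data instead. All log lines, user names, the `APPSERVER` pooled account, and the role-to-table baseline are constructed sample data.

```python
"""Restore end-user attribution on DB audit events and enrich them with IdM roles.

Added example for the SIEM 3.0 briefing; not ArcSight code. Every log line,
account name and baseline below is constructed sample data.
"""
import re

TOKEN = re.compile(r"(\w+)=(\S+)")
POOLED_ACCOUNT = "APPSERVER"  # constructed: the shared DB login used by the app tier

# Constructed app-server log: the web tier knows the real user behind each request.
APP_LOG = [
    "2008-10-02T09:00:01 appsrv1 user=alice session=s1 action=query_start qid=q100",
    "2008-10-02T09:00:03 appsrv1 user=bob session=s2 action=query_start qid=q101",
    "2008-10-02T09:05:10 appsrv1 user=carol session=s3 action=query_start qid=q102",
]

# Constructed DB audit log: pooled statements all show dbuser=APPSERVER; a direct
# login (DBA_JOE) and a pooled statement with no matching request (q999) are
# included to show how the edge cases are handled.
DB_AUDIT = [
    "2008-10-02T09:00:01 db1 dbuser=APPSERVER qid=q100 stmt=SELECT table=ORDERS rows=12",
    "2008-10-02T09:00:03 db1 dbuser=APPSERVER qid=q101 stmt=SELECT table=ORDERS rows=3",
    "2008-10-02T09:05:10 db1 dbuser=APPSERVER qid=q102 stmt=SELECT table=PAYROLL rows=4800",
    "2008-10-02T09:06:00 db1 dbuser=APPSERVER qid=q999 stmt=SELECT table=ORDERS rows=1",
    "2008-10-02T09:10:00 db1 dbuser=DBA_JOE stmt=UPDATE table=PAYROLL rows=1",
]

# Constructed IdM export (user -> role) and the tables each role historically touches.
IDM = {"alice": "sales", "bob": "sales", "carol": "support"}
ROLE_BASELINE = {"sales": {"ORDERS", "CUSTOMERS"}, "support": {"TICKETS", "CUSTOMERS"}}


def parse_kv(line):
    """Parse 'timestamp host key=value ...' into a dict; ts and host become fields."""
    ts, host, rest = line.split(" ", 2)
    fields = {"ts": ts, "host": host}
    fields.update(TOKEN.findall(rest))
    return fields


def attribute_queries(app_log, db_audit):
    """Return the DB audit events with a 'user' field restored.

    Statements issued through the pooled account are joined to the app-server
    log on the request id. A direct login keeps its DB login as the user. A
    pooled statement with no matching request is marked 'unknown' rather than
    dropped, so it still reaches the analyst.
    """
    qid_to_user = {}
    for line in app_log:
        f = parse_kv(line)
        if f.get("action") == "query_start":
            qid_to_user[f["qid"]] = f["user"]

    events = []
    for line in db_audit:
        f = parse_kv(line)
        if f["dbuser"] == POOLED_ACCOUNT:
            f["user"] = qid_to_user.get(f.get("qid"), "unknown")
        else:
            f["user"] = f["dbuser"]
        events.append(f)
    return events


def flag_out_of_baseline(events, idm, role_baseline):
    """Enrich each attributed event with the IdM role and flag queries that touch
    a table outside that role's historical set. Users missing from the IdM
    export (direct DB logins, unmatched requests) get role None and are always
    flagged, since nothing vouches for their access."""
    alerts = []
    for e in events:
        role = idm.get(e["user"])
        allowed = role_baseline.get(role, set())
        if e["table"] not in allowed:
            alerts.append({"user": e["user"], "role": role,
                           "table": e["table"], "qid": e.get("qid")})
    return alerts


if __name__ == "__main__":
    for alert in flag_out_of_baseline(attribute_queries(APP_LOG, DB_AUDIT), IDM, ROLE_BASELINE):
        print(alert)
```

The join key is the weak point of this sketch: if the application cannot tag its statements, attribution has to fall back on session and timing correlation, which is exactly the work the database activity monitoring products in the answer above specialize in. The baseline check is deliberately per role rather than per user so that a new hire inherits a sensible norm from the IdM system on day one instead of from an empty history.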

About TechTarget We deliver the information IT pros need to be successful. TechTarget publishes targeted media that address your need for information and resources. Our network of technology-specific Web sites gives enterprise IT professionals access to experts and peers, original content, and links to relevant information from across the Internet. Our events give you access to vendor-neutral, expert commentary and advice on the issues and challenges you face daily. Our magazines give you in-depth analysis and guidance on the critical IT decisions you face. Practical technical advice and expert insights are distributed via specialized e-Newsletters, video TechTalks, podcasts, blogs, and wikis. Our Webcasts allow IT pros to ask questions of technical experts. What makes TechTarget unique? TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events, the expert interaction of Webcasts, the laser-targeting of e-Newsletters, and the richness and depth of our print media to create compelling and actionable information for enterprise IT professionals.