Security Information Management (SIM) is dead
| Topics: | Log Analysis, Splunk |
|---|---|
Almost exactly five years ago, in June 2003, Gartner declared Intrusion Detection Systems dead. Before Gartner gets around to it, I will state that SIM is dead.
The crime landscape has shifted. We used to worry about network layer attacks: TCP/IP attacks where funky flag combinations crashed your systems. Those are gone. We really don’t worry about them anymore; we have systems that stop them. Crime has moved up to the application layer. There are attacks over instant messaging, there are SQL injections, there are application layer attacks. You have to start monitoring the application layer. Compliance requirements are shifting too. PCI DSS 1.1, for example, makes Requirement 6.6 mandatory as of June 30, 2008: public-facing web applications need either an application code review or an application-layer firewall in front of them. Applications need to be verified for vulnerabilities, not just the platform underneath them.
Some of the problems I see with Security Information Management are (the first four are adapted from the Gartner IDS press release):
- False positives in correlation rules
- Burden on the IS organization by requiring full-time monitoring
- A taxing incident-response process
- An inability to monitor events at rates greater than 10,000 events per second
- High cost of maintaining existing adapters and building new ones
- Complexity of modeling environment
However, the biggest problem lies in the fixed event schema. SIMs were built for network-based attacks. They are good at dealing with firewall, IDS, and maybe vulnerability data. Their database schema is built for that, and so are the correlation rules. Moving outside of that realm into application layer data and other types of logs gets hard: fields don’t map onto the schema anymore, and the pre-built correlation rules don’t fit either.
We need a new approach, one that can deal with all kinds of data: multi-line messages, any type of field, even entire files as entities. There is a need for a system that can collect data at rates of 100,000 events a second and still perform data analysis. It needs to support large quantities of analytical rules, not just a limited set. The system needs to be easy to use and absorb knowledge from its users.
The solution is called IT search.
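To make the fixed-schema argument concrete, here is a small added example (written for this page; it is not code from the post, from Splunk, or from any SIM product). It feeds one constructed log stream, containing firewall lines, web-application login lines and a multi-line stack trace, through two hypothetical pipelines: a SIM-style normalizer that maps each line onto a fixed set of columns at collection time, and an IT-search-style pipeline that keeps raw events, breaks them at line-continuation boundaries, and extracts fields only at search time. It also runs a SEC-style stateful correlation rule over those dynamically extracted fields, which is the point made later in the comments: correlation does not require a schema. All log lines, field names and the brute-force rule are constructed for the demo.

```python
"""Fixed schema at collection time vs. schema-on-read at search time.

Added example for this page, not code from the post or from Splunk.
Every log line, parser and rule below is constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample feed: a firewall source, a web application source with
# key=value fields the fixed schema has no column for, and one multi-line event.
RAW_FEED = """\
2008-06-24T08:26:01 fw1 kernel: DROP src=10.1.2.3 dst=192.0.2.10 dpt=22
2008-06-24T08:26:02 app1 webapp: login failed user=alice src=10.1.2.3
2008-06-24T08:26:03 app1 webapp: login failed user=alice src=10.1.2.3
2008-06-24T08:26:04 app1 webapp: login failed user=alice src=10.1.2.3
2008-06-24T08:26:05 app1 webapp: login ok user=alice src=10.1.2.3
2008-06-24T08:26:06 app1 webapp: SQL error in /search?q=%27%20OR%201%3D1--
  at com.example.Search.run(Search.java:42)
  at com.example.Dispatcher.handle(Dispatcher.java:17)
"""

# ---- Approach 1: hypothetical fixed schema, one parser per source ----------
SCHEMA = ("ts", "host", "src_ip", "dst_ip", "dst_port")   # no 'user' column
FIXED_PARSERS = {
    "firewall": re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel: \w+ src=(?P<src_ip>\S+) "
                           r"dst=(?P<dst_ip>\S+) dpt=(?P<dst_port>\d+)$"),
    "webapp_login": re.compile(r"^(?P<ts>\S+) (?P<host>\S+) webapp: login \w+ "
                               r"user=\S+ src=(?P<src_ip>\S+)$"),
}

def normalize_fixed(feed):
    """Map each line onto SCHEMA at collection time. Fields without a column
    (user=) are silently lost; lines no parser knows are dropped outright."""
    rows, dropped = [], []
    for line in feed.splitlines():
        for parser in FIXED_PARSERS.values():
            m = parser.match(line)
            if m:
                rows.append({k: m.groupdict().get(k) for k in SCHEMA})
                break
        else:
            dropped.append(line)
    return rows, dropped

# ---- Approach 2: keep raw events, derive fields when a search needs them ---
def break_events(feed):
    """Event breaking only: a line that starts with whitespace is a continuation
    of the previous event, so a stack trace stays one event. Nothing is parsed."""
    events = []
    for line in feed.splitlines():
        if line[:1].isspace() and events:
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events

KV = re.compile(r"(\w+)=(\S+)")

def fields(event):
    """Schema-on-read: timestamp and host by position, then whatever key=value
    pairs the event happens to carry. Unknown sources still yield fields."""
    head = event.split("\n", 1)[0]
    ts, host, rest = (head.split(" ", 2) + ["", ""])[:3]
    f = {"ts": ts, "host": host, "_raw": event}
    f.update(KV.findall(rest))
    return f

def search(events, needle, **must_equal):
    """Substring match on raw text, then optional field=value filters."""
    hits = []
    for ev in events:
        if needle not in ev:
            continue
        f = fields(ev)
        if all(f.get(k) == v for k, v in must_equal.items()):
            hits.append(f)
    return hits

def correlate_bruteforce(events, threshold=3, window=timedelta(seconds=60)):
    """SEC-style stateful rule without a schema: >= threshold 'login failed'
    events for the same (user, src) followed by 'login ok' inside the window."""
    failures, alerts = defaultdict(deque), []
    for ev in events:
        f = fields(ev)
        if "user" not in f:
            continue
        key, t = (f["user"], f.get("src")), datetime.fromisoformat(f["ts"])
        q = failures[key]
        while q and t - q[0] > window:          # expire old failures
            q.popleft()
        if "login failed" in ev:
            q.append(t)
        elif "login ok" in ev and len(q) >= threshold:
            alerts.append({"user": key[0], "src": key[1], "failures": len(q), "ts": f["ts"]})
            q.clear()
    return alerts

def demo():
    rows, dropped = normalize_fixed(RAW_FEED)
    events = break_events(RAW_FEED)
    return {"fixed_rows": rows, "fixed_dropped": dropped, "events": events,
            "alice_failures": search(events, "login failed", user="alice"),
            "sql_errors": search(events, "SQL error"),
            "alerts": correlate_bruteforce(events)}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Running it shows the two failure modes the post describes: the fixed pipeline keeps five rows but none of them carries the `user` field, and it drops the SQL error plus its two stack-trace lines as unparseable; the schema-on-read pipeline keeps all six events (the stack trace as one), answers `user=alice` and `SQL error` searches from raw text, and the correlation rule still fires on three failures followed by a success. In a real deployment the raw store needs an inverted index and the field extractions need caching, which is where the cost moves to; the trade-off against exact searches on pre-indexed columns is the one the comments below argue about.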


June 24th, 2008 at 8:26 am
Dude,
Why are you so bitter on SIM? Security Information Management is just a name. The best solution behind SIM is the correlation engine. A strong correlation engine and rich schema provide for numerous solutions regardless of the layer.
MS
June 24th, 2008 at 8:31 am
You rock … standby for my follow-up later today!
June 24th, 2008 at 3:40 pm
[...] This is what Raffy is saying: [...]
June 25th, 2008 at 8:45 am
As a Splunk partner, I certainly appreciate Raffy’s enthusiasm for Splunk - it’s a fine product, but Gartner’s position on SIEM remains bullish and they’re forecasting a nearly $2B market by 2012. Forrester’s take on SIEM is similar, building on an annual growth rate of more than 50%, they’re predicting the market will be over $1.1B by 2011. Forrester’s analysis also noted that companies with fewer than 1,000 employees account for only 1% of the market today, but are expected to account for nearly 30% by 2011. Certainly, our own experience, targeting the mid-market (up to 5,000 employees), echoes both the growth and the rapid adoption by these companies.
Raffy’s post does specifically mention “SIM”, which as Gartner defines it is the more forensically focused end of the business while SEM is the more real-time analysis and correlation end of the business and SIEM is a balance of the two. One certainly can argue that the original SIM vendors, with a purely forensic approach to event analysis, are the dinosaurs of this market. Those that haven’t evolved will certainly die. On the other hand, those products that were built to focus on real-time event analysis, correlation, notification and automatic response - coupled with forensic and reporting capabilities, are doing quite well and delivering real value to their customers.
June 27th, 2008 at 9:59 am
As I expected, my post raised quite some discussions. I think I have to clarify some things:
1. When I talk about SIM, I am talking about any technology that uses connectors / parsers / agents to normalize the data and store it in a relational database. Whether you call that SIM, SEM, SIEM, or anything else, that’s what I mean. You can have as “rich” a schema as you want. I will always find data sources that do not fit into that schema. That’s why you need to work with unstructured data and possibly dynamic schemas.
2. When I say that IT search is the solution, I mean that you need a way to collect unstructured data. You need a capability to quickly load application data that spans multiple lines, and you need to also collect files to correlate against. Most of all, you need a capability to collect data without knowing its structure a priori. The model of building parsers for each data source - before collecting the data - just does not scale.
3. I believe that SIM (see comment number 1) makes a huge mistake of spending a lot of time processing data even if that processing is never needed. This has an impact on collection performance and yields scalability problems.
4. I believe that some of the features of the current SIM implementations are useful for specific use-cases. Real-time correlation, for example, is a fine thing if you are doing automatic and instantaneous mitigation. There are many other features that these products offer that are very useful. However, whether you are attributing those features to SIM or log management or IT search does not matter.
5. The topic of correlation is a completely different one. You can correlate even if you have dynamic or no schemas. (See SEC, which is an open-source correlation engine that does not use schemas.)
Maybe this clarifies some of my points.
June 27th, 2008 at 5:35 pm
To points 1, 2, 3, and 5; these seem to be about performance more than function. Splunk has cheap writes because there’s little/no upfront parsing of event data, unlike what a SIM does. And in fairness, the event parsers and correlation engine are typically performance bottlenecks in a SIM. But when it comes to searches, it is far cheaper to perform an exact search against an indexed field in a database than it is to do pattern searching of unformatted log data. And I’m not saying one model is better or worse, but I am saying that they don’t matter. Performance can be gained in either environment just by throwing hardware at it. And hardware is cheap.
Also, as far as declaring SIM dead, I think Mike Rothman beat you to it.
June 30th, 2008 at 10:48 am
I’m surprised that you failed to address the fact that Gartner was wrong about IDS being “dead”. I can’t think of an enterprise I have visited that has stopped using IDS.
I’m not sure how that relates to SIM, but my guess is that they are probably wrong about that too.
July 14th, 2008 at 5:51 pm
SIM is not dead. Long live SIM.
It is simply not perfected. For that matter, show me one technology that IS! You will get out of it what you invest in it. It is not a silver bullet for all of your security werewolves. It will provide interesting and potentially useful information that may aid in discovering the start, traversal and end-points of an event or incident.
It is just another tool in our security tool chest, as is Splunk. Unless I am mistaken, and Splunk really *is* a magic silver bullet. In that case, I’d better brush up on my Project Management skills and prepare for yet another career change…
Cheers,
MadMark