This was the title of a recent NetworkWorld article that addressed a frequent question that companies ask when looking for solutions to network security, network management and regulatory compliance issues.
The one thing both Log Management and SIEM vendors agree on is that they’re not the same. Both sides are often competing for the same IT budget dollars and have a vested interest in convincing you that their solution is the one you need.
As the article points out, both technologies rely on first collecting the data, and there’s opportunity here to map collection methodologies to desired business objectives. For example, since Log Management tools have a primarily forensic and reporting focus, most are content to collect data in a batch mode or polling process and emphasize agentless models for collecting OS data. On the other hand, since modern SIEM products emphasize real-time analysis and correlation, they tend to focus on continuous collection methods often relying on agents to capture data at the source.
Naturally, there are exceptions in both camps, so you’ll need to examine how a specific product maps to your requirements. For example, while batch collection is common, it has questionable value when examining “chain of custody” issues for regulatory compliance. The simple fact that log data can be left unattended for minutes, even hours or days, represents a significant opportunity for tampering or even simple deletion, and this is an area where compliance audits are starting to look under the covers.
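To make the chain-of-custody concern concrete, here is an added example (not from the article or any product it mentions) of a keyed hash chain over a batch of collected log lines: each record's MAC covers the previous record's digest, so modifying, deleting or truncating any line is detected on verification. It assumes a constructed sample batch and a demo key held by the collector, not the monitored host; it only protects lines from the moment they are chained, which is why a chain built at write time (continuous collection) closes the window that batch pickup leaves open.

```python
import hashlib
import hmac

# Constructed sample batch, as a polling collector might fetch it from a host.
SAMPLE_BATCH = [
    "Jan 10 09:12:01 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.5",
    "Jan 10 09:12:44 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    "Jan 10 09:13:02 web01 sshd[2211]: session closed for user deploy",
]

GENESIS = b"\x00" * 32  # digest that precedes the first record of a chain


def _mac(key, prev_digest, seq, line):
    # Sequence number and previous digest are bound into every MAC, so a
    # record cannot be moved, dropped or edited without breaking the chain.
    msg = prev_digest + seq.to_bytes(4, "big") + line.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def chain_batch(lines, key, prev_digest=GENESIS):
    """Return (records, tail digest). The tail is stored separately by the
    collector and is what a later verification is anchored to."""
    records = []
    for seq, line in enumerate(lines):
        digest = _mac(key, prev_digest, seq, line)
        records.append({"seq": seq, "line": line, "mac": digest.hex()})
        prev_digest = digest
    return records, prev_digest


def verify_batch(records, key, expected_tail, prev_digest=GENESIS):
    """Recompute the chain. Returns (True, None) if intact, otherwise
    (False, index) where index is the first record that fails (a gap,
    an edited line) or len(records) if trailing records were removed."""
    for idx, rec in enumerate(records):
        if rec["seq"] != idx:
            return False, idx  # missing or reordered record
        digest = _mac(key, prev_digest, idx, rec["line"])
        if not hmac.compare_digest(digest, bytes.fromhex(rec["mac"])):
            return False, idx  # line text or MAC altered
        prev_digest = digest
    if not hmac.compare_digest(prev_digest, expected_tail):
        return False, len(records)  # chain ends early: truncation
    return True, None
```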
As the author Greg Shipley states: “SIEM products typically provide many of the features required for log management but add event-reduction, alerting and real-time analysis capabilities. They provide the layer of technology that allows one to say with confidence that not only are logs being gathered but they are also being reviewed.”
Greg’s comment about demonstrating that the logs are actually being reviewed is an important one, and here too, auditors we’ve spoken with are expressing concern that companies focused on log aggregation and management are missing the point. While you can print reports and search the data using virtually any product focused on log data collection, how do you demonstrate to the auditors that you are actually reviewing the reports and know what to search for in the raw data? This is the question and the challenge that brings many to the conclusion that SIEM is the better fit for their organization.
Greg sums it up this way: “In watching the market mature over the past 10 years we believe there is room for both traditional log management tools and the real-time analysis capabilities provided by SIEM tools, but we suspect that organizations would prefer to go to a single vendor for both. Clearly organizations have to solve the first problem (log management) in order to address the second (analysis and monitoring), but the wise purchaser will know that after the first problem is addressed the second will become immediately apparent. Plan accordingly.”