Insider Threat Management

Getting the most of out your SIEM

Share with your network!

IT administrators are looking for ways to get more out of their SIEM deployments. While the initial deployment of a SIEM tool is not terribly difficult, reaching the point that it delivers clear and substantial ROI requires a lot of hard work: mapping how technical events relate to particular business risks, discovering (or creating) the relevant logs, creating all the rules and correlations and so forth. Even when this is all done, things remain difficult because of the following two unfortunate facts of IT life:

1. A huge difficulty in deriving clear value from a SIEM is the fact that extensive collections of disjointed log data do not become magically understandable because they have been correlated into a single system based on time stamps or other markers. While simple alerts can be defined using rules which look at one or two details, conducting root cause analysis or trying to prove regulatory compliance can be impossible (or at last extremely time consuming). It is usually extremely difficult – even when the organisation has dedicated SIEM monitoring staff – to figure out exactly who did what just by looking through long lists of system events in one or more logs.

2. One of the biggest roadblocks to SIEM success lies in the fact that many important applications simply do not generate log data that can be incorporated into the SIEM. In some cases, applications can be modified to provide the required log generation, but in most cases this will not be an option. Legacy, cloud, system and consumer-oriented applications are examples of big SIEM “blind spots.”

Fortunately, there is a straightforward, easy-to-implement solution which addresses both of these SIEM success barriers: the integration of user session video recordings into the SIEM.

User session video recordings provide any SIEM with three “magic wands” that dramatically increase the value of any SIM:

• User session video recording, when integrated into the SIEM, links log events to full video recordings of exactly what every user actually did. This is like the difference between watching surveillance video of a robbery versus collecting fingerprints! Any time a particular action of interest occurred (e.g., an account was created, a system setting was changed, an application was run, a file was accessed), administrators and compliance auditors can call up actual video of what was done with a single click from within the SIEM.

• The “metadata” that is captured by the user session video recording system is, in effect, a new type of user activity log. Metadata is searchable text representing every on-screen action performed by users. Names of applications run, windows opened, system commands executed, check boxes clicked, text entered (or edited, auto-corrected, shortcut-key-generated, etc.) and nearly every other on-screen event is recorded as video and logged as searchable text! This metadata stream is fed into the SIEM allowing an entirely new level of after-the-fact event searching and realtime SIEM alert generation rules. Furthermore, this metadata is correlated with all the other event logs processed by the SIEM, allowing a human-readable “user activity” narrative overlay, enhancing other system log events.

• User session recording captures video and generates text event logs of every user action in every application and system area, on all platforms (e.g., Windows, Unix, Linux) via all modes of connectivity (e.g., direct console, SSH, Telnet). The result is user activity auditing with no holes or gaps. This is a perfect solution for organisations running legacy, cloud or other applications which do not generate their own logs. This capability also obviates the need for time-consuming and expensive re-auditing and re-correlations every time an application is updated: because user session logging is external to the application, there is no need to determine if the new version (or new module) of an application provides the required level of logging.

The end result of incorporating user session recording and logging into the SIEM is a far more valuable SIEM deployment! This integration also makes it significantly easier to get compliant and stay compliant for security regulations (e.g., PCI, HIPAA, NERC, FISMA), while reducing security auditing costs. Most auditor requests can be instantly answered by searching for user actions or watching a portion of a recorded session video – without the need for complex research and correlation projects.

If this technology sounds like just the “SIEM boost” your organisation needs, visit our website to learn about Proofpoint, our user session auditing solution. Proofpoint ITM integrates with widely-used SIEM systems (e.g., Splunk, CA User Activity Reporting Module, HP Arcsight, RSA envision) – watch this video to see a demonstration of Proofpoint ITM integrated with Splunk.