Posted by John Verry on Mon, Oct 12, 2009 @ 09:08 AM
One of the hotter areas today is the integration of IAM and SIEM. When Identity & Access management (IAM) and Security Information Event Management (SIEM) are optimally integrated, user access compliance monitoring capabilities are increased significantly beyond what either SIEM or IAM can provide alone.
This is because IAM provides a context to user activity event data (e.g., role, entitlements, cross-referencing of multiple user IDs, account status) that can be directly leveraged by the SIEM to identify exceptions in real-time and initiate a workflow to remediate the issue. For example: triggering a suspension of all of a user's IDs and the initiation of a security incident after detecting that an individual attempted to access critical data using multiple user IDs, after access to said data had been terminated.
To this point the challenge has been getting IAM & SIEM to integrate (dynamically share information and allow processes to be remotely initiated). Fortunately, this has become much easier as those vendors that have both an IAM and SIEM offering (Novell, CA, IBM) have included the required integration into both IAM and SIEM on our behalf. I have had the opportunity to see the Novell Sentinel IAM/SIEM integration in action at a client site. It absolutely changes the way you think about security and compliance.
Click here for an excellent Gartner technical brief on the subject.
Posted by John Verry on Tue, May 05, 2009 @ 11:16 AM
If you have read our white paper "Five Best Practices for Security Information Event Management (SIEM)" you are already familiar with SIEM Best Practice # 4 "Commit the Resources Required on a Go-Forward Basis". Failure to adequately resource a SIEM post initial deployment is one of the greatest risks to successful SIEM deployments. Resourcing is closely coupled to the SIEM model that you choose:
- In-Sourced (Buy & Operate) - this model is best where SIEM is mission critical, there is a larger security team, 24/7 operations, and a higher risk profile (e.g., US Navy). The Good: full control, intellectual capital development, wow/buzz for team. The Bad: Sourcing/managing multiple talented (expensive) resources.
- Out-Sourced (Buy (or Monthly) & Delegate) - this model is best where compliance is focus (e.g., perimeter security for Regional Bank). The Good: Reduced capital costs, buy SME at a bargain price, lowest total cost. The Bad: Pure outsourcing results in a lack of event contextualization/understanding, risk (monitor the monitor).
- Co-Sourced (Buy (or Monthly) & Joint Operation) - this model is best where requirements are complex (e.g., Enterprise wide compliance with multiple regulations). The Good: Reduced capital costs, buy SME at a bargain price. The Bad: Internal stakeholders are needed to provide event contextualization/understanding.
No matter the model -- the key is ensuring that you have appropriately qualified folks with sufficient time on their hands to optimize the return on your SIEM investment.
 |
Don’t miss our white paper – available for download – to optimize SIEM deployment. |