While these next-generation SIEM protections will be incorporated into future SIEM system products, a lot can be done now to ensure SIEM security. By ensuring a typical security review approach is applied to the SIEM system itself, the security event-collection process can be implemented effectively:

• From an authentication and access control point of view, SIEM system access should be carefully set up and managed. Integration with the enterprise’s LDAP directory services could be a way to ensure the SIEM system is seen not as an island, but rather as part of the managed environment. Access to the system should be limited, and privileged access in particular should be carefully controlled, possibly within a “separation of duties” type of approach whereby no single individual or administrator is able to act in isolation.
• The confidentiality and integrity of the security information must be considered, specifically with respect to how information travels between the collection agents/aggregation points and the central management node. Where information is stored — for example, a database at the central node — confidentiality needs to be considered. Privacy could also be an issue to consider, depending upon where and how security events are being used.
• In some instances, anonymization is applied to security events so general trends can be determined — especially if conducted off-site or across multiple clients — with only limited scope to reverse this to reconstruct the actual event, under the control and policies of the organization.
• Nonrepudiation could be considered to ensure actors, authorized or otherwise, cannot repudiate event evidence of particular actions. How SIEM events are stored, both centrally and in the originating systems, needs to be considered to ensure sufficient evidence can be gathered.
• Finally, the availability of a system is considered a security issue, and this is no less of an issue for a SIEM system. It has been indicated that future SIEM products will have self-healing, adaptive-type capabilities from an architectural perspective. In the interim, the disaster recovery aspects of a business should ensure the SIEM system is also implemented on a high-availability type infrastructure and that, along with recovery of other mission-critical systems, the SIEM is prioritized to ensure orderly monitoring and insight. After all, depending on what has caused an outage or disaster, having the security systems running first could be most important, ensuring any unexpected patterns, alerts, events or incidents are visible, that they can be investigated, and that responses can be deployed.

Through careful deployment, the security of SIEM systems can be enhanced. While it will take more time to create architectures that increase the resilience of SIEM products, treating them as high-availability, critical systems within the overall management landscape can be done immediately.

About the author:
Andrew Hutchison is an information security specialist with T-Systems International in South Africa. An information security practitioner with 20 years of technical and business experience, his technical security work has included secure system development, security protocol design and analysis, and intrusion detection and network security solutions. He has held executive responsibility for information security in a large enterprise, establishing its chief security officer role and initiating an ISO27001 security certification program. As business sponsor for large SIEM rollouts, he has experience in deploying and operating SIEM systems in a managed service provider environment. He is an adjunct professor of computer science at the University of Cape Town in South Africa.