SIEM Solutions for Managed Security Service Providers

Business White Paper SECURITY MANAGEMENT www.novell.com

Selecting the Right Security Information and Event Management Solution

3 picas (0.5 in) (12.5 mm)

1 2 3

Novell Logo 1 The registered trademark, ®, appears to the right and on the same baseline as the Logo.

Clear-space Requirements 2 Allow a clean visual separation of the Logo from all other elements. The height of the "N" is the measurement for the minimum clear-space requirements around the Logo. This space is flat and unpatterned, free of other design elements and clear from the edge of the page.

Minimum Size Requirements 3 The Novell Logo should NOT be printed smaller than 3 picas (0.5 inches or 12.5 mm) in width. Choosing a Solution that Strengthens Your Competitive Position

Most MSSPs are not As IT becomes more complex and threats environment over to a third party could also software companies at to important information assets grow more be cause for concern when you consider the their core. They should persistent, outsourcing security management MSSP is not familiar with your environment, rely on SIEM vendors to becomes increasingly attractive. From legacy and you are relying on a service level agree- build their technology mainframe applications to social networking, ment (SLA) to protect your system. platform. all systems and applications need to be safeguarded from emerging threats and To deliver reliable security services, MSSPs critical vulnerabilities. need powerful security technology platforms. While some choose to build their own, many A few years ago, most organizations could MSSPs have been leveraging packaged SIEM have survived by deploying simple firewalls technology for their operations. This paper and anti-virus solutions. Today, a dizzying helps MSSPs choose a SIEM technology array of security technologies—intrusion platform that garners customer trust, opti- prevention system (IPS); unified threat man- mizes operations and improves the MSSP’s agement (UTM); data leak prevention (DLP); competitive position. network access control (NAC); security information and event management (SIEM); SIEM Unveiled governance, risk and compliance (GRC); SIEM solutions collect, aggregate, normalize to name just a few—is essential for survival. and retain relevant logs; collect context data; All of these technologies require skilled analyze data, including correlating and priori- security personnel to manage and operate tizing it; present findings, including reporting them. Yet the cost of acquiring and maintain- and visualization; manage security-related ing security personnel and technology has workflows; and manage relevant security been rising dramatically. content. SIEM solutions focus on information security, network security, data security and These trends have driven the emergence regulatory compliance. This functionality can of and high demand for managed security be found in most commercial SIEM products service provider (MSSP) solutions. Many on the market today. organizations have no chance on their own of developing mature security monitoring Below we will discuss SIEM product features capabilities that will cover their expanding IT that are specific to an MSSP and illustrate how landscape and deal with increasing attacker only select SIEM tools fit the needs of today’s sophistication. MSSPs, however, provide a sophisticated security service providers. solution. At the core of every MSSP offering is a security management platform. Given how MSSP Unveiled complex and uncertain the task of securing today’s organizations has become, outsourcing Organizations choose to outsource security to to an MSSP seems like an obvious solution. an MSSP for multiple reasons. Primarily, the MSSP offerings may help organizations reduce decisions are made based on the perceived costs, make internal security processes cost effectiveness of contracting for MSSP more efficient and even help with increasing services compared to using the in-house regulatory burdens. Turning your complex security department to provide the services,

p. 2 SIEM Solutions for Managed Security Service Providers www.novell.com

the organization’s culture regarding out- What sets MSSPs apart from each other is sourcing the control of its security, security requirements, regulatory responsibilities their service reliability, breadth of technology and other business and technology factors. coverage, global reach, pricing flexibility Some organizations trust their MSSP partners to make better security decisions while and even their experience with technology others want to retain both responsibility and platform interfaces. control over their security decisions.

Because MSSPs focus on security, they are management can quickly build security Many SIEM products usually in a better position to train and retain monitoring and log management capabilities would not fare well with good security personnel, and they have the that can later be integrated with their existing MSSPs, because MSSPs advantage of learning from security threats device management offerings. Valued-added use SIEM solutions they observe across their client base. As a resellers (VARs) and consulting firms can very differently from result, their clients benefit from deep security build their own MSSP divisions or provide enterprises. expertise and improved security safeguards. outsourced security operations consulting (SOC) services by building their platforms on What sets MSSPs apart from each other is top of commercial SIEM tools. Hosting and their service reliability, breadth of technology cloud providers can leverage the technology coverage, global reach, pricing flexibility for selling additional security services to their and even their experience with technology current customers. SIEM tools can improve platform interfaces. MSSP monitoring capabilities as well as provide more opportunities to offer new services. Whatever the exact MSSP service bundle looks like, there is a technology platform under SIEM tools can also serve the foundation for the offering. A scalable security monitoring MSSP monitoring technology and help other and management platform takes years to businesses to further expand in the MSSP build and even more time and resources to market. Even existing MSSPs with their own maintain. Such technology platform should be proprietary platforms can leverage SIEM able to support the MSSP’s current and future solutions and log management tools to offer service offerings, grow with their customer new services such as cloud SIEM or cloud pool and address evolving IT regulations for log management. MSSP global customers. To achieve MSSP cost advantages over internally sourced IT Key Business Criteria security, such platforms should automate Before we address technology criteria for routine tasks and enable MSSP analysts to selecting a SIEM product, we need to address perform most investigations without leaving the broader business constraints that MSSPs their monitoring positions. face in their business. These directly apply to SIEM Solutions for MSSPs their process for selecting a SIEM solution.

SIEM is a strategic technology that allows MSSPs are not software companies at MSSPs to deliver more value to their cus their core. They have limited resources for tomers and develop more business. SIEM developing new services, and whenever technology can boost MSSP service efficiency, they develop new services or replace their reduce costs and improve service flexibility, main monitoring platform, their engineering all key competitive factors for MSSPs. and operations teams must dedicate For example, MSSPs that focus on device resources. Most MSSPs will minimize any

p. 3 upfront engineering work constraining such customers. Hauling in expensive and heavy work to just a few full-time employees and appliances to demonstrate the service only for a few months before a service severely decreases its attractiveness launch. This is not sufficient to develop and perceived value. a security monitoring platform but might be enough to customize the right SIEM Overall, SIEM technology should enable solution for a job. MSSPs to run better and win more deals over MSSPs have limited development other MSSPs and over software vendors that resources once their service is in routine are set in the in-sourced security model. operation. Tuning and updating their tools requires full-time commitment by both Key Technology Criteria their engineering and operations teams. MSSPs use SIEM solutions differently from To better compete, the MSSP needs to enterprises. Many design decisions that focus these resources on expanding the MSSP’s services and not on maintaining SIEM developers have made over the years the system. Many MSSPs have only a are perfectly logical for enterprise customers, few full-time engineering employees for but they might cause problems for globally ongoing operations, and they need to managed security providers. Below are the optimize those employees’ time. main differences. MSSPs need to incur little or no costs to start up a new service for a customer. 1. SIEM tools. MSSP customers and MSSP Ideally, the service should require no personnel use the same SIEM tools but in significant hardware purchases. Although two different ways. The enterprise security there will likely be some costs, most MSSPs team is likely the only entity deploying and seek to minimize these costs by avoiding operating the SIEM tool for monitoring its expensive hardware purchases for each own environment—an environment the new customer. team knows well. With an MSSP involved, MSSPs must leverage existing SIEM many enterprise security teams will use the infrastructures for most customers to be SIEM product to monitor threats against profitable. Thus, their SIEM platform should its data. The team will work alongside never require in-person visits to a customer the MSSP team in a multi-tenancy model. environment to manage on-premise The difference in the way these two organi components. Such troubleshooting visits zations use SIEM solutions should affect quickly destroy any margin the MSSP earns. such product designs as user interfaces, The offering must compete with the access controls, privilege delegation and solutions from other MSSPs, including resilience against instabilities across one the early adopters that have spent years or more customer networks. developing and perfecting their security 2. Data segregation. Data segregation is platforms. They must also compete with important to many enterprise customers. enterprises using SIEM solutions in-house Enterprise SIEM will always contain the or via a co-sourced arrangement with a enterprise’s data. An MSSP SIEM platform consulting firm or VAR. While customers will contain data from many different entities, seldom outsource security based on the and most of these entities will use the SIEM strength of the MSSP portal, most providers tools to guarantee their data is never seen by prefer to use SIEM technology that is anybody but their team. Some enterprises competitive in the marketplace. will also request that data be physically The MSSP must be able to demonstrate separated, preventing the possibility of their service quickly to new and existing storing cross-enterprise data in the same

p. 4 SIEM Solutions for Managed Security Service Providers www.novell.com

database. An MSSP can also host a 7. Access to system logs. Many organi dedicated SIEM installation for a particular zations that use MSSP services also customer. This solves data segregation request direct access to their system logs. challenges but also removes many of the This is in addition to accessing traditional advantages of relying on an MSSP. service provider portals. Many organizations 3. Data collection. Traditional customer- would prefer to use a log management owned SIEM solutions usually collect data service from a trusted service provider from the entire environment using agent or rather than deploy log management agentless collectors deployed in various products in their own environment. This segments of the organization’s network. encourages managed service providers The MSSP relies on dedicated hardware or to deploy additional log management software, sometimes in the form of virtual services alongside their SIEM platforms. machines, deployed in each customer As a result, tight integration between SIEM environment for data collection. In this and log management become another case, massive amounts of log data are critical requirement for the MSSP. likely moving across the Internet from the customer environment to the service Because of these differences, MSSPs face provider data center. In most enterprise serious challenges with some enterprise SIEM scenarios, local security teams SIEM tools. Thus not every SIEM solution or system administrators manage the fits the MSSP bill. collectors. With an MSSP platform, MSSP personnel must manage the collectors Key Questions MSSPs Should and other components remotely. Ask SIEM Vendors 4. Performance and reliability. SIEM In addition to the broader technical and framework performance and reliability are business requirements outlined above, essential to both enterprises and MSSPs. MSSPs must consider additional issues The MSSP likely has specific SLAs with its when selecting a SIEM solution. Here are customers and any SIEM platform must some of the questions MSSPs should ask be able to operate under such conditions to gain assurance that the SIEM product will without requiring ongoing support from fulfill the MSSP’s needs for current and future SIEM vendor engineers. service offerings. 5. Scalability. MSSPs require scalability and an ability to handle huge volumes of Which log sources does the vendor data. As new customers come online and support for compliance reporting and other as each customer’s data volume grows, advanced features today? What constitutes the SIEM tool must grow with it—without a supported log source and how is such expensive hardware upgrades. support maintained over time? 6. Support. MSSPs handle support for Does the solution include a custom custom and vertical applications differently. integration kit that includes a wizard, If a SIEM customer requires support for a software development kit (SDK), specific applications, the product manage- application programming interfaces (APIs), ment team can develop support on short etc.? Can the MSSP use the kit to integrate notice. If an MSSP customer requires such log sources at no extra charge? support, the MSSP must petition its SIEM What will the SIEM product do when technology provider. This additional step unknown or custom application logs are can sometimes mean the difference fed into its collectors? between using an off-the-shelf tool and How difficult is creating a new report or a homegrown framework. data view? What skill level is required?

p. 5 Will reports and views be automatically solutions. The firm’s MSSP consultants updated when a new supported log source would then help operate and tune the is added? system. Can remote components such as 2. Build its own security monitoring platform appliances, software and virtual machines and offer services on top of this. To do this (VMs) collect all required logs at each the firm would have to hire and retain a customer site without additional software? dedicated engineering team. For example, some SIEM vendors require 3. Procure a commercial SIEM product and additional tools to collect Windows* logs, build a service on top of it. The firm’s which are not managed centrally. MSSP practice would integrate the SIEM Following the key technology requirements solution with an existing customer portal listed above, how complete is remote and a provisioning system. component and appliance management? How are configuration settings, parsing Careful analysis of options and their compara rules, application updates and operating tive costs led the service provider to choose system updates handled? the third option. This firm decided the cost Technology vendors often claim their of purchasing hardware appliances for each remote components and appliances are customer would be prohibitive and decided it low maintenance. What does that mean? was not in the hardware business; it was in the Can maintenance be performed remotely? services business. The firm thus purchased a SIEM solution from a major provider and MSSPs should start by determining their busi- deployed it at two data centers for redun- ness and technology requirements. Then use dancy, and it offered customers a choice of the questions above to select the right SIEM virtual systems or software for log collection. product that meets their needs and enables them to offer new services, such as log As a result, the new MSSP was able to run retention and compliance log review, a competitive service without developing to their customers. any expertise in such esoteric areas as log parsing or scalable log data storage. Case Study: An MSSP Goes Shopping for SIEM Later it realized that its SIEM platform allowed In this example case study, a consulting firm it to offer cloud log management and cloud decided to expand by building an MSSP SIEM services to its customers who were practice. While its consultants already per- willing to handle monitoring themselves but formed various security control deployments who did not want to operate a SIEM solution. and configurations, the company had no For these new services, customers paid for managed service for security monitoring. log management technology but retained the The firm faced the following choices: job of reviewing logs and monitoring security themselves, at a lower cost. 1. Provide monitoring services on customer equipment in a co-hosted model. The After the evaluation, the MSSP chose to customer would purchase all necessary deploy the following architecture based on hardware and software, such as SIEM a market-leading SIEM product.

p. 6 SIEM Solutions for Managed Security Service Providers www.novell.com

Most of the SIEM components were deployed should focus on their core competencies— at the MSSP site. Log and other data were offering high-value security services—and collected from customer environments and leave the platform development to SIEM securely transported to the provider data tool developers. center. The MSSP operated small, remotely managed collectors using customer premise To make use of commercial SIEM solutions equipment (CPE) in most customer environ- as beneficial as possible, select SIEM vendors ments. The collectors were deployed in the that have developed unique expertise in sup- form of small Linux*-based virtual appliances. porting their MSSP partners. Leading SIEM vendors such as Novell have already solved This architecture now enables the MSSP’s multi-tenant data storage, highly distributed own personnel to monitor the customer collection and remote management problems. environments and the customers to view their dashboards as well as access raw logs On the other hand, it is clear that not every using searches and reports. SIEM solution will work for an MSSP. Many of the SIEM players, even some that have been Conclusion in business for years, will fail on both the busi While it is clear that some managed service ness and technology criteria defined above. providers will choose to build their own security monitoring and log management platforms, As enterprises deploy more cloud applica- they face a very competitive environment tions, selecting the right SIEM solution will with well-funded players that have already allow MSSPs to offer cloud security services spent years building their own products. such as cloud log management, cloud com- As organizations outsource security to MSSPs, pliance log review and others. The MSSP it only makes sense for MSSPs themselves to can use these services to expand in the outsource software development to special- future to full security monitoring and device ists—in this case to SIEM vendors. MSSPs management services.

p. 7 www.novell.com

Contact your local Novell® Solutions Provider, or call Novell at:

1 800 714 3400 U.S./Canada 1 801 861 1349 Worldwide 1 801 861 8473 Facsimile

Novell, Inc. 404 Wyman Street Waltham, MA 02451 USA

462-002174-001 | 04/11 | © 2011 Novell, Inc. All rights reserved. Novell, the Novell logo and the N logo are registered trademarks of Novell, Inc. in the United States and other countries. 3 picas (0.5 in) *All third-party trademarks are the property of their respective owners. (12.5 mm)

1 2 3

Novell Logo 1 The registered trademark, ®, appears to the right and on the same baseline as the Logo.

Minimum Size Requirements 3 The Novell Logo should NOT be printed smaller than 3 picas (0.5 inches or 12.5 mm) in width.