The security information and event management (SIEM) tool is one of the linchpins of a robust security framework for many an Indian organization. While these solutions have been around for a long time, the increasing maturity of the solutions, aided by compliance and regulatory requirements, is finally resulting in an increasing number of Indian organizations getting on to the SIEM bandwagon.
Earlier, it took considerable technical expertise on an organization’s part to implement and manage SIEM tools, and lengthy sales and training cycles added to the adoption woes. As a result, the cost and effort that went into this exercise could not be justified for most businesses. In recent times, trends like the availability of SIEM tools as managed security services are putting them within the grasp of organizations.
Drivers of the Indian SIEM cart
Over the last two years, regulatory drivers have played a major role towards SIEM adoption in India. Measures mandated by the Unified Access Service License (UASL) security amendments in the telecom sector and the Reserve Bank of India (RBI) guidelines for the banking vertical, have spurred growth in the SIEM market. Organizational push towards initiatives like ISO 27001 certification, as well as compliance requirements like HIPAA, PCI DSS and GRC initiatives has also contributed to the demand.
As A R Vijay Kumar, the VP and global information security leader at Indian BPO major Genpact, points out, SIEM tools are critical for organizations because of the constantly evolving threat landscape. With cyber threats like advanced persistent threats (APT) and botnets, organizations are starting to rely on the in-depth analysis mechanisms provided by SIEM tools. “An SIEM tool helps when it comes to understanding the root cause of an incident better and faster,” says Satish Das, the chief security officer and VP (Enterprise Risk Management) at Cognizant.
Eye On SIEM Systems:
Editor’s Note: This news story is part of SearchSecurity.com's "Eye On" series that brings together various perspectives on security topics throughout the year from SearchSecurity and its sister sites. In the month of March the series examined SIEM systems.
In addition to businesses that opt for SIEM tools to meet their regulatory requirements, many organizations have now matured to a level where they require an SIEM tool, says Sumeet Singh, a security consultant and SIEM expert. Kumar agrees on this front, as he points out that maturity levels have gone up, at the organizational level as well as for SIEM solutions.
Cognizant and Genpact have been using SIEM tools for many years, since 2002 and 2004 respectively, given the high level of technical expertise available in-house. Cognizant has its home-grown SIEM tool based on open source frameworks, as well as a commercial off-the-shelf product acquired two years ago. However, Das takes a contrarian view as he opines that the market for SIEM products is set to decline with the advent of cloud computing and managed services.
India Inc’s view of SIEM
Many Indian companies look at SIEM tools as a point-in-time solution, even as the global focus is on deriving business value from these solutions. Since SIEM tools can be expensive, Indian organizations still need to determine how they can contribute to the business in RoI terms. As a result of this expectation mismatch, large scale SIEM adoption is still at a nascent stage.
Different industry verticals approach SIEM requirements in their own ways. Large PSU banks, which typically tend to be conservative, go for captive security operations centers (SOC) with in-house expertise to manage SIEM tools for complete control. “Until two years ago, people didn’t have much confidence in Indian managed service providers for SIEM, since they were not able to cater to volumes, or weren’t as dependable,” says Singh.
At the same time, many Indian companies seem comfortable outsourcing SIEM tool implementation and operation to managed service providers (MSP). Outsourcing is the trend in verticals like IT/ITES and telecom, since it is difficult to build all the capabilities required to manage complex SIEM tools in-house. There is a shift in the way SIEM tool implementation is approached in India, with the focus on SLA-based delivery rather than reliance on in-house expertise.
A case in point is Axis Bank, one of India’s largest private banks, which uses ArcSight as its SIEM product. The SIEM tool is run out of a remote SOC managed by Paladion, the bank’s managed security provider (MSP). The MSP owns the SIEM licenses and manages the 24x7 operation. “It is better to outsource a specialized function because it is difficult to acquire and upgrade in-house skills to keep pace with the constantly evolving threat landscape,” says Nabankur Sen, the CISO of Axis Bank. Sen prefers to depend on domain experts for such critical functions. Another advantage of going for an MSP is the basket of services. Axis benefits from add-on services like phishing monitoring, log referral and watermarking, which accompany the bank’s three-year SLA with Paladion.
Post SIEM tool implementation, analysis and monitoring at Axis have become comprehensive and structured, with daily reports. The situational awareness brought by this solution helps Sen assure the business in a tangible manner, when it comes to the bank’s infosec posture. “Whether in-house or outsourced, log analysis is a critical function that everybody has to implement — the sooner, the better,” says Sen.
From the governance perspective, Indian companies are seeing benefits from implementing SIEM tools. These include gains like accountability, better incident and fraud handling, forensic capabilities, non-repudiation, and calculation of essential security metrics. “For an organization like Genpact, dealing with multiple compliance requirements, maintaining different frameworks and managing audit requirements will be impossible without SIEM tools,” says Kumar.
What Indian Cos. want from SIEM
The requirements from SIEM solutions across Indian industry segments aggregate around ease of integration and autonomous detection of anomalies. Autonomous detection will reduce manpower involvement and decrease reaction time. The next SIEM trend is toward tighter integration of SIEM tools with technologies like workflow management and data loss prevention (DLP). While an SIEM solution was just another bullet item in the security space earlier, it is now becoming the focal point for the integration of other security tools.
According to Singh, most vendors still think of requirements as product features, and fail to understand the requirements of an SIEM tool from an organizational perspective. This creates bottlenecks for practitioners like Kumar, who expect consolidation and simplification of SIEM tools for easier implementation and maintenance. On this front, Kumar cites the example of how Genpact has to deal with separate clients for different OS platforms. Rather than have third-party add-ons, Kumar wants converged solutions focusing on usability.
At the moment, many Indian organizations approach SIEM as a product, and this needs to change. Organizations today need to start looking at an SIEM tool as a solution for monitoring, accountability and proactive incident monitoring. Many Indian companies have now begun performing quality assessments of their SIEM environments as a result of this realization. This is essential to get a business return on SIEM investments.
This was first published in March 2012