
In this three-part series, we will answer the question, “What is SIEM?” and cover the detection, response and recovery process and how a SIEM platform processes and analyses log data.

» What is SIEM? (Part 1): Cyber Security 101
» What is SIEM? (Part 2): Detection, Response & Recovery
» What is SIEM? (Part 3): How Does SIEM Work?

What Is SIEM?

SIEM, Security Information and Event Management, aims to give a holistic view of an organisation’s IT security. A SIEM platform is a combination of services, appliances and software that collects log data in near real time from network devices, applications and hosts.

The SIEM ingests and normalises that log data, enabling real-time analysis of the security alerts generated by network hardware and applications. It also provides correlation across security and operational events, and both ad hoc and scheduled reporting.


Why Is SIEM Now Essential?

Security Strategy to Protect Traditional IT Infrastructure

The internal IT environment consists of servers, network equipment, applications and other components you want to defend. Around this environment there will be protection in the form of firewalls, anti-virus (AV) software, and possibly Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS). You should also shore up one of the most vulnerable components of your corporate network, the human element, through awareness and training.

Hardware & Software of a Security Platform

1. At The Edge:

  • Firewalls block unauthorised access based on a policy of permitted sources, destinations and ports.
  • Intrusion Detection Systems monitor traffic for malicious activity or policy violations and raise alerts.
  • Intrusion Prevention Systems match traffic against known attack signatures and can block it inline.
  • Anti-Virus (AV) tools prevent, detect and remove malware.
  • At the server level, apply the principle of least privilege: each account and service gets access only to the resources it needs.
  • Application monitoring records which applications are in use and whether they are approved; mail gateways scan attachments and analyse messages for suspicious content.

On the network, network monitors watch activity across segments. Flow analysers summarise who talked to whom, on which ports and how much data moved (NetFlow-style records), and packet capture tools record the raw traffic for later inspection.

2. At The Endpoint:

  • AV Tools are used to prevent, detect and remove malware.
  • Account lockout policies disable an account on a host after repeated failed logins.
  • Data Loss Prevention (DLP) controls what data end users can copy or transfer off the host.
  • File Monitoring observes which files and directories are being accessed or changed.
  • Process Monitoring records which processes run and the network connections they make.

How Does SIEM Work?

A SIEM platform taps into this activity, receiving thousands of log events per second from the devices and systems within your IT environment. The SIEM parses and normalises the log data so that events from different sources can be compared, then correlates them to make sense of what is happening on each device and across the environment. Analytics applied to the normalised data provide further context for understanding what is happening.

The Importance of SIEM

As we’ve seen all too often in the news, it has become increasingly difficult to defend against today’s complex and varied cyber attacks.

Attackers will sometimes get in despite all the systems and effort invested in your security controls. Once they are in, detecting and responding to the attack is time-critical, and without centralised log collection and analysis it is extremely difficult.

A SIEM solution is therefore an important layer. It centralises log data from across the IT environment, augments the other security measures and enables real-time analysis of the events occurring within your environment.

Real-Time Security Monitoring

This holistic view of security events allows a SIEM platform to identify ‘signals’ of suspicious activity, such as a burst of failed logins followed by a success, or a change in an account’s permissions.

This constant watching, monitoring and analysing of events and alerts gives visibility of security events across your organisation. You’ve secured the doors and windows, but you still need a security patrol to monitor the grounds of your castle.
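The ingest-normalise-correlate flow described above, as an added Python example that is not part of the original article or of any vendor's product. It parses a handful of constructed syslog-style lines (invented here; the hosts, users and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation values), normalises them into events, and runs three correlation rules, including the account-permission change mentioned above. The thresholds, window and rule names are assumptions chosen for illustration.

```python
"""Minimal SIEM-style pipeline: parse, normalise, correlate, alert."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (invented for this example, not real captures).
SAMPLE_LOGS = [
    "2024-03-01T09:00:01Z srv01 sshd[1201]: Failed password for alice from 203.0.113.5 port 51000 ssh2",
    "2024-03-01T09:00:03Z srv01 sshd[1201]: Failed password for alice from 203.0.113.5 port 51001 ssh2",
    "2024-03-01T09:00:05Z srv01 sshd[1201]: Failed password for alice from 203.0.113.5 port 51002 ssh2",
    "2024-03-01T09:00:07Z srv01 sshd[1201]: Failed password for bob from 203.0.113.5 port 51003 ssh2",
    "2024-03-01T09:00:09Z srv01 sshd[1201]: Failed password for root from 203.0.113.5 port 51004 ssh2",
    "2024-03-01T09:00:12Z srv01 sshd[1201]: Accepted password for alice from 203.0.113.5 port 51005 ssh2",
    "2024-03-01T09:01:30Z srv01 usermod[1300]: add 'alice' to group 'sudo'",
    "2024-03-01T09:30:00Z srv02 sshd[2201]: Failed password for carol from 198.51.100.9 port 40000 ssh2",
    "2024-03-01T09:31:00Z srv02 sshd[2201]: Accepted publickey for carol from 198.51.100.9 port 40001 ssh2",
]

# Generic "<timestamp> <host> <program>[<pid>]: <message>" envelope.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# OpenSSH authentication outcome lines.
SSH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# usermod group membership change.
GROUP_RE = re.compile(r"^add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
# Groups whose membership grants elevated privilege (assumed list for the example).
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}


def parse_line(line):
    """Normalise one raw log line into an event dict, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev = {"ts": ts, "host": m["host"], "prog": m["prog"]}
    s = SSH_RE.match(m["msg"])
    if s:
        ev.update(type="auth_failure" if s["outcome"] == "Failed" else "auth_success",
                  user=s["user"], src_ip=s["ip"])
        return ev
    g = GROUP_RE.match(m["msg"])
    if g:
        ev.update(type="group_add", user=g["user"], group=g["group"])
        return ev
    ev["type"] = "other"
    return ev


def correlate(events, fail_threshold=5, window=timedelta(minutes=2)):
    """Run stateful correlation rules over time-ordered events; return alerts."""
    alerts = []
    fails_by_ip = defaultdict(list)  # src_ip -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "auth_failure":
            hist = fails_by_ip[ev["src_ip"]]
            hist.append(ev["ts"])
            hist[:] = [t for t in hist if ev["ts"] - t <= window]  # expire old failures
            if len(hist) == fail_threshold:  # fire once, when the threshold is crossed
                alerts.append({"rule": "ssh_bruteforce", "src_ip": ev["src_ip"],
                               "host": ev["host"], "count": len(hist), "ts": ev["ts"]})
        elif ev["type"] == "auth_success":
            recent = [t for t in fails_by_ip.get(ev["src_ip"], []) if ev["ts"] - t <= window]
            if len(recent) >= fail_threshold:  # success right after a burst of failures
                alerts.append({"rule": "bruteforce_then_success", "src_ip": ev["src_ip"],
                               "host": ev["host"], "user": ev["user"], "ts": ev["ts"]})
        elif ev["type"] == "group_add" and ev["group"] in PRIVILEGED_GROUPS:
            # The "change in account permission" signal: a single high-value event.
            alerts.append({"rule": "privileged_group_add", "host": ev["host"],
                           "user": ev["user"], "group": ev["group"], "ts": ev["ts"]})
    return alerts


def run_pipeline(lines):
    """Ingest raw lines, drop anything unparseable, correlate, return alerts."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS):
        print(alert)
```

Only the 203.0.113.5 sequence trips the rules: five failures inside two minutes, a success from the same address, then alice being added to sudo. Carol's single failure followed by a key-based login stays below threshold and produces nothing, which is the point of correlation: the same event types are benign or malicious depending on what came before them.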

Security Compliance & GDPR

A SIEM solution also retains security log data and generates reports for compliance purposes, including the logging and breach-notification requirements of GDPR. The retained, searchable log history also supports digital forensics and incident investigation, fulfilling further parts of the overall information security strategy.

What is SIEM? Detection, response & recovery

Part 2 of ‘What is SIEM?’ examines the detection, response and recovery from a cyber attack.


SIEM Is Complex & Everyone Knows It

As we’ve seen, SIEM platforms can be complex. The capabilities and intelligence built into a SIEM are impressive, but they require a skills investment and add complexity for the users, the support teams and the organisation.

While businesses rely more and more on IT teams to deliver core business projects, day-to-day IT operations and maintain security—with limited resources and budgets—it is no wonder that many organisations have realised it is not viable to build their own fully staffed and resourced 24x7 Security Operations Centre (SOC) to secure their critical business information.

Outsourced SOC (and SIEM)

Managing the complexities of a SIEM platform, keeping pace with the latest security threats, and managing people, processes, and associated technologies is a tall order. This includes factoring in the time and cost to build, train and retain your 24x7 Security Operations Centre (SOC).

Whether fully outsourced or delivered in partnership with internal teams, an outsourced Security Operations Centre can help you scale your security quickly, keep pace with ever-changing threats, and ultimately achieve effective security outcomes at a lower cost than building it yourself.