In this three-part series, we will answer the question, “What is SIEM?” and cover the detection, response and recovery process and how a SIEM platform processes and analyses log data.
» What is SIEM? (Part 1): Cyber Security 101
» What is SIEM? (Part 2): Detection, Response & Recovery
» What is SIEM? (Part 3): How Does SIEM Work?
SIEM—or a Security Incident and Event Monitoring/Management platform—seeks to provide a holistic approach to an organisation’s IP security. A SIEM platform represents a combination of services, appliances and technologies, collecting real-time log data from devices, applications and hosts.
A SIEM collects log data, enabling real-time analysis of security alerts generated by network hardware and applications. It also provides advanced correlation of security and operational events, and armed and scheduled reporting.
The internal IT environment consists of servers, network equipment, applications and other components you will want to defend and protect. Around this environment there will be protection in the form of firewalls, anti-virus (AV) applications, and possibly Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS). You should also shore up one of the most vulnerable components of your corporate network – the human element – through awareness and training.
Firewalls are designed to block unauthorised access.
On the network, network monitors watch activity across the network, flow analysers gather summary information about traffic flows, and traffic capture tools record the traffic passing over the network.
A SIEM platform taps into this activity, receiving thousands of logs per second from the devices and systems within your IT environment. It processes and analyses this log data to make sense of what is happening on each device, and analytics over the combined data provide further insight into what is happening across the environment.
As we’ve seen all too often on the news, it has become increasingly difficult to defend against today’s complex and varied cyber attacks.
Hackers—or those trying to breach your environment—will get in despite all the systems and efforts put into your security solutions. Once they are in, detecting and responding to their attack is time-critical and impossible without SIEM technology.
As we’ve seen, a SIEM solution is incredibly important. It centralises log data within IT environments, augmenting security measures and enabling real-time analysis of events occurring within your environment.
This holistic view of security events allows a SIEM platform to identify ‘signals’ of suspicious activity, such as a change in account permission.
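To make the ‘signal’ idea concrete, here is a small added example (not code from the original article or from any SIEM vendor) of what a SIEM does once the logs arrive: normalise lines from different sources into common events, then run correlation rules across them. The log formats, hostnames, usernames and the two rules (a privilege-group change, and repeated failed logins followed by a success within a time window) are all constructed for this illustration.

```python
"""Toy SIEM-style log normalisation and correlation (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines from two sources; the formats are invented here.
SAMPLE_LOGS = [
    "1000 host=web01 auth failure user=alice",
    "1005 host=web01 auth failure user=alice",
    "1010 host=web01 auth failure user=alice",
    "1012 host=web01 auth success user=alice",
    "1020 host=web01 groupadd user=alice group=sudo",
    "1100 host=db01 auth success user=bob",
    "1130 host=db01 auth failure user=bob",
    "garbage line that does not parse",
]

# One regex per source format; a real collector would have one parser per device type.
AUTH_RE = re.compile(
    r"^(?P<ts>\d+) host=(?P<host>\S+) auth (?P<outcome>success|failure) user=(?P<user>\S+)$"
)
GROUP_RE = re.compile(
    r"^(?P<ts>\d+) host=(?P<host>\S+) groupadd user=(?P<user>\S+) group=(?P<group>\S+)$"
)


@dataclass(frozen=True)
class Event:
    """Normalised event shared by every source (the SIEM's common schema)."""
    ts: int
    host: str
    user: str
    action: str  # "auth_success", "auth_failure" or "group_change"
    detail: str = ""


def parse_line(line):
    """Map a raw log line onto the common schema; unknown lines return None."""
    m = AUTH_RE.match(line)
    if m:
        return Event(int(m["ts"]), m["host"], m["user"], "auth_" + m["outcome"])
    m = GROUP_RE.match(line)
    if m:
        return Event(int(m["ts"]), m["host"], m["user"], "group_change", m["group"])
    return None


def normalise(lines):
    """Parse every line, drop the unparseable ones, and order by timestamp."""
    events = [e for e in (parse_line(line) for line in lines) if e is not None]
    return sorted(events, key=lambda e: e.ts)


def correlate(events, window=60, threshold=3):
    """Run two correlation rules over the ordered event stream.

    Rule 1: any change of a user's group membership is a signal on its own.
    Rule 2: at least `threshold` failed logins for the same host/user within
            `window` seconds, followed by a success, is a signal.
    """
    alerts = []
    recent_failures = defaultdict(list)  # (host, user) -> failure timestamps
    for ev in events:
        key = (ev.host, ev.user)
        if ev.action == "group_change":
            alerts.append({"rule": "permission_change", "ts": ev.ts,
                           "host": ev.host, "user": ev.user, "detail": ev.detail})
        elif ev.action == "auth_failure":
            recent_failures[key].append(ev.ts)
        elif ev.action == "auth_success":
            fails = [t for t in recent_failures[key] if ev.ts - t <= window]
            if len(fails) >= threshold:
                alerts.append({"rule": "failures_then_success", "ts": ev.ts,
                               "host": ev.host, "user": ev.user,
                               "detail": f"{len(fails)} failures in {window}s"})
            recent_failures[key] = []  # a success resets the failure window
    return alerts


def run_demo():
    """Normalise the constructed sample and return the alerts it produces."""
    return correlate(normalise(SAMPLE_LOGS))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run on the sample above, the stream yields two alerts for alice (three failures then a success at ts 1012, and the addition to the sudo group at ts 1020) and none for bob, whose single failure never crosses the threshold. The point the article makes holds here in miniature: neither source alone shows the pattern, but the normalised, time-ordered view across sources does.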
This constant watching, monitoring and analysing of events and alerts provides visibility of security events within your organisation. You’ve secured the doors and windows, but you still need a security patrol to monitor the grounds of your castle.
A SIEM solution also provides the ability to log security data and generate reports for compliance purposes, particularly the requirements of GDPR. It also provides digital forensics, fulfilling additional parts of the overall information security strategy.
Part 2 of ‘What is SIEM?’ examines the detection, response and recovery from a cyber attack.
As we’ve seen, SIEM platforms can seem complex. The capabilities and intelligence built into a SIEM are impressive, but they bring a skills investment and complexity for the users, support teams and the organisation.
While businesses rely more and more on IT teams to deliver core business projects, day-to-day IT operations and maintain security—with limited resources and budgets—it is no wonder that many organisations have realised it is not viable to build their own fully staffed and resourced 24x7 Security Operations Centre (SOC) to secure their critical business information.
Managing the complexities of a SIEM platform, keeping pace with the latest security threats, and managing people, processes, and associated technologies is a tall order. This includes factoring in the time and cost to build, train and retain your 24x7 Security Operations Centre (SOC).
Whether fully outsourced or working in partnership with internal teams, an outsourced Security Operations Centre will help you quickly scale your security, keep pace with ever-changing threats, and ultimately ensure effective security outcomes at a lower cost than doing it yourself.