In the first part of this 3-part series, we answered the question “What is SIEM?”. In part 2, we cover the detection, response and recovery process.
SIEM—or Security Incident and Event Monitoring—seeks to provide a holistic approach to an organisation's IP security. It processes collected log data to enable real-time analysis of security alerts generated by network hardware and applications (as well as advanced correlation for security and operational events).
Prevention and protection are the initial considerations for your security defence. Tools such as firewalls and AV software focus on blocking or stopping an attack. Ideally, one of those tools prevents a breach, and the environment remains intact and uncompromised.
However, if an attack succeeds, the next stage is detection.
Firstly, it is worth noting that without a SIEM platform, it is not realistically possible to know whether you have suffered a cyber attack. Most organisations operate oblivious to the fact that they have an ongoing security breach. The average time taken to detect a compromise is a whopping 175 days.
The priority is to identify the nature and characteristics of the attack so that you can prevent and neutralise the threat. Information such as what happened before and after the initial attack is critical.
This is where SIEM shines; it helps detect and properly identify threatening activity.
Many organisations have not considered how to recover from a cyber attack.
Quick remediation is important: the information security platform needs to focus on cleaning up and repairing the environment, and on determining how to prevent the same attack from happening again. Malware removal tools, forensic analysis, and backup and recovery systems are all employed for remediation after an attack.
Finally, intelligence is gathered to increase knowledge and awareness regarding information security.
An organisation needs to be prepared for what might come from sophisticated attacks.
In the third and final part of ‘What is SIEM?’, we examine how SIEM works, processing and analysing log data to uncover potentially suspicious security events.
» What is SIEM? (Part 1): Cyber Security 101
» What is SIEM? (Part 2): Detection, response & recovery
» What is SIEM? (Part 3): How does SIEM work?
As we’ve seen, SIEM platforms can seem complex. The capabilities and intelligence built into a SIEM are impressive, but they do mean a skills investment and added complexity for users, for support teams and for the organisation.
As businesses rely more and more on IT teams to deliver core business projects, run day-to-day IT operations and maintain security, all with limited resources and budgets, it is no wonder that many organisations have realised it is not viable to build their own fully staffed and resourced 24/7 Security Operations Centre (SOC) to secure their critical business information.
Managing the complexities of a SIEM platform, keeping pace with the latest security threats, and managing the people, processes and associated technologies is a tall order. This includes factoring in the time and cost to build, train and retain your own 24/7 SOC.
Whether fully outsourced or working in partnership with internal teams, an outsourced Security Operations Centre will help you quickly scale your security, keep pace with ever-changing threats, and ultimately deliver effective security outcomes at a lower cost than doing it yourself.