Home / Blog / General / What is SIEM? (Part 2): Detection, response & recovery

October 13, 2018

In the first part of this 3-part series, we answered the question “What is SIEM?”. In part 2, we cover the detection, response and recovery process.

» What is SIEM? (Part 1): Cyber Security 101
» What is SIEM? (Part 2): Detection, response & recovery
» What is SIEM? (Part 3): How does SIEM work?

What is a SIEM?

SIEM – or Security Incident and Event Monitoring – seeks to provide a holistic approach to an organisations IP security, processing collected log data to enable real-time analysis of security alerts generated by network hardware and applications (as well as advanced correlation for security and operational events).

Detection, response and recovery from cyber attack

Prevention and protection are the initial consideration for your security defence. Using tools such as firewalls and AV software, the focus is on blocking or stopping an attack. Ideally, one of those tools prevents a breach and the environment remains intact and uncompromised.

However, if/when an attack is successful, the next stage of focus is with detection.

What is SIEM? (Part 2): Detection, response & recovery

Defending against cyber attacks

Firstly, it is perhaps worth noting that without a SIEM platform, it is not realistically possible to know whether you have suffered a cyber attack. Most organisations will operate oblivious to the fact they have an on-going security breach. In fact, the average time taken to detect a compromise is a whopping 175 days.

The priority is to identify the nature and characteristics of the attack, so you can prevent and neutralise the threat. Information such as what happened before and after the initial attack is critical.

This is where SIEM shines as it helps in the detection and proper identification of threatening activity.

Recovering from a cyber attack

Many organisations have not considered how to recover from a cyber attack.

Quick remediation within the environment is important as an information security platform needs to be focused on cleaning up and repairing the environment, as well as determine how to prevent it from happening in the future. Malware removal tools, forensic analysis and back-up and recovery type systems are all employed for remediation after an attack.

Finally, intelligence is gathered and aimed at increasing knowledge and awareness regarding information security.

An organisation needs to be prepared for what might be coming in terms of sophisticated attacks.

Cyber Security 101: How does SIEM work?

In the third and final part of ‘What is SIEM?’, we take a detailed look at how SIEM works, processing and analysing log data to uncover potentially suspicious security events.

Other articles in the series:

» What is SIEM? (Part 1): Cyber Security 101
» What is SIEM? (Part 2): Detection, response & recovery
» What is SIEM? (Part 3): How does SIEM work?

SIEM is complex – and everyone knows it

As we’ve seen, SIEM platforms can seem complex. The capabilities and intelligence built into a SIEM is impressive – but this does mean a skills investment and complexity… for the users, for support teams and for the organisation.

Any while businesses rely more and more on IT teams to deliver core business projects, day-to-day IT operations AND maintain security – with limited resources and budgets – it is no wonder that many organisations have realised it is not viable to build their own fully staffed and resourced 24/7 Security Operations Centre (SOC), to secure their critical business information.

Comtact's UK Security Operation Centre (SOC)

Outsourced SOC (and SIEM)

Managing the complexities of a SIEM platform, keeping pace with the latest security threats, as well as managing people, processes and associated technologies is a tall order. As well as factoring in the time and cost to build, train and retain your own 24/7 Security Operations Centre (SOC).

Whether fully outsourced Security, or working in partnership with internal teams, an outsourced Security Operations Centre will help you to quickly scale your security, keep pace with ever-changing threats – and ultimately ensure effective security outcomes, at a lower cost of doing it yourself.

Related articles:

About Comtact Ltd.

Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).

Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.