Identifying known and unknown threats has become a major challenge for organizations. Time for a closer look at why implementing a SIEM system matters for securing the information system (IS).
The growing number of attacks and the rising level of damage they inflict continue to fill column inches in the media. That clearly explains why organizations are increasingly alert to cybersecurity issues, and it has led to a paradigm shift: the question is no longer whether an organization will be hit by a cyberattack, but when.
According to the latest “Data Breach Investigations Report”, it takes companies an average of 191 days to identify a data breach. In other words, the time taken to detect and contain a breach has become a mission-critical metric, and that is a good reason for taking a closer look at SIEM (Security Information and Event Management) solutions.
A new approach to security management
The abbreviation stands for a new approach to security management. The basic concept is to combine information management (SIM: Security Information Management) and event management (SEM: Security Event Management) in a single security management system.
A SIEM solution therefore collects, monitors, correlates and analyzes events as they occur, which shortens the time needed to identify a threat.
SIM + SEM = SIEM
In practice, the SEM side handles the real-time part: it centralizes events as they arrive and interprets them immediately, so that cybersecurity experts can put defensive measures into action faster. The SIM side collects log data into a long-term repository so that users can analyze trends over time; it is also where the generation of compliance reports is automated and centralized.
Since a SIEM combines both, it speeds up the identification and analysis of security events, limits the repercussions of an attack and simplifies the ensuing recovery. To achieve that, it collects and stores events after normalizing them into a common schema, and aggregates relevant but unstructured data from many different sources. Identifying deviations from the established baseline allows for informed decision-making, and the dashboards it generates help the company demonstrate compliance with its legal obligations.
In other words, a SIEM lets operational security teams centralize event monitoring while simplifying the analysis of multiple security event feeds (antivirus, proxy, Web Application Firewall, etc.). The system also makes it easier to correlate events from a wide range of applications and devices, which improves the organization’s ability to spot advanced attack scenarios.
In practice, there are three deployment models for a SIEM:
- Internal (on-premises) SIEM
- Cloud-based SIEM
- Managed SIEM
Confession time: adopting a SIEM solution requires a significant investment from the company, since such systems are anything but straightforward to implement. Having said that, SIEM systems offer a wealth of advantages to all types of businesses, despite being initially designed for large organizations:
- Proactive incident detection
A SIEM can detect security incidents that would otherwise slip under the organization’s radar, for a simple reason: the scores of hosts that log security events have no incident detection capability of their own, and each one sees only its own slice of activity.
SIEM solutions detect incidents through their ability to correlate events. Whereas an intrusion prevention system pinpoints an isolated attack, a SIEM looks at the big picture: correlation rules link an initial event to the chain of events it has spawned (an intrusion into the network, tampering with a specific network device, and so on) and raise a single incident instead of a scatter of unrelated alerts.
In such cases, most solutions can take indirect action against the threat: the SIEM talks to the other security controls deployed in the company (e.g. the firewall) and pushes a change that stops the malicious activity from getting past the company’s defenses.
As a result, attacks that would otherwise have gone unnoticed are thwarted.
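To make the normalization, correlation and indirect-response steps described above concrete, here is an added example in Python; it is not code from the original article or from any SIEM product. It parses constructed log lines from two different sources (OpenSSH-style auth messages and a key=value firewall record) into one event schema, runs a multi-stage correlation rule (a burst of failed logins, then a success from the same source, then a connection from that source into the internal network), and emits the firewall change a SIEM would push. The log lines, the thresholds and the shape of the firewall action are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): OpenSSH-style auth messages from a
# bastion host and one firewall record in key=value form, both in syslog framing.
RAW_LOGS = [
    "Mar  3 10:00:01 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51000 ssh2",
    "Mar  3 10:00:04 bastion sshd[2202]: Failed password for root from 203.0.113.7 port 51001 ssh2",
    "Mar  3 10:00:06 bastion sshd[2203]: Failed password for admin from 203.0.113.7 port 51002 ssh2",
    "Mar  3 10:00:09 bastion sshd[2204]: Failed password for admin from 203.0.113.7 port 51003 ssh2",
    "Mar  3 10:00:12 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 51004 ssh2",
    "Mar  3 10:00:20 bastion sshd[2206]: Accepted password for admin from 203.0.113.7 port 51005 ssh2",
    "Mar  3 10:00:25 fw01 action=allow src=203.0.113.7 dst=10.0.0.5 dport=445 proto=tcp",
    "Mar  3 10:01:00 bastion sshd[2207]: Failed password for alice from 198.51.100.9 port 40000 ssh2",
]

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<msg>.*)$")
SSHD = re.compile(r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+) port \d+")
KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Normalize one raw line into a common event schema, whatever its source format."""
    m = SYSLOG.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for the relative comparisons made in this example.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    host, msg = m["host"], m["msg"]
    s = SSHD.search(msg)
    if s:
        return {"ts": ts, "host": host, "source": "sshd",
                "type": "auth_failure" if s["result"] == "Failed" else "auth_success",
                "src_ip": s["ip"], "user": s["user"]}
    kv = dict(KV.findall(msg))
    if "action" in kv and "src" in kv:
        return {"ts": ts, "host": host, "source": "firewall", "type": "conn_" + kv["action"],
                "src_ip": kv["src"], "dst_ip": kv.get("dst"), "dport": int(kv.get("dport", 0))}
    return None


def normalize(lines):
    return [e for e in map(parse_line, lines) if e]


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Multi-stage correlation rule.
    Stage 1: at least `threshold` auth failures from one source inside `window`.
    Stage 2: an auth success from the same source after those failures.
    Stage 3 (raises severity): a firewall-allowed connection from that source to an
    internal host shortly after the success, i.e. the foothold is being used."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src_ip"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["type"] == "auth_failure"]
        for success in (e for e in evs if e["type"] == "auth_success"):
            recent = [f for f in failures if success["ts"] - window <= f["ts"] < success["ts"]]
            if len(recent) < threshold:
                continue
            followed = [e for e in evs if e["type"] == "conn_allow"
                        and success["ts"] < e["ts"] <= success["ts"] + window]
            alerts.append({"rule": "brute_force_then_success", "src_ip": src,
                           "user": success["user"], "failures": len(recent),
                           "severity": "high" if followed else "medium",
                           "evidence": len(recent) + 1 + len(followed)})
    return alerts


def block_actions(alerts):
    """The 'indirect action' the text describes: the change a SIEM would push to the
    firewall. The dict shape is an assumption for this example; a real product calls
    the vendor's management API."""
    return [{"device": "fw01", "action": "deny", "src_ip": a["src_ip"], "ttl_seconds": 3600}
            for a in alerts if a["severity"] == "high"]


if __name__ == "__main__":
    found = correlate(normalize(RAW_LOGS))
    for alert in found:
        print(alert)
    for action in block_actions(found):
        print("push to firewall:", action)
```

Note what the individual sources could not see: sshd logs a password failure, the firewall logs an allowed connection, and neither is alarming on its own. Only the normalized, time-ordered view makes the chain visible, and the single failure from 198.51.100.9 never reaches the threshold, so it raises nothing.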
To raise the security bar even higher, organizations can interface their SIEM with a Cyber Threat Intelligence solution (CTI).
Gartner defines Cyber Threat Intelligence (CTI) as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging threat or hazard to assets that can be used to inform decisions regarding the subject’s response to that threat or hazard.”
CTI therefore involves collecting and organizing information about threats and cyberattacks in order to build up a picture of the attackers and highlight trends (sectors at risk, attack methods in use, etc.). The bottom line is that organizations can act pre-emptively at the first sign of a large-scale attack.
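The usual way to interface a SIEM with CTI is to match the indicators the intelligence feed publishes against the events the SIEM has already normalized. The following Python is an added example, not code from the original article or from any CTI platform: the indicator feed, the event records and their field names are constructed assumptions (real feeds are typically exchanged as STIX/TAXII or CSV). It also shows the caveat practitioners care most about, namely that indicators age and stale ones must be dropped or they become a source of false positives.

```python
import ipaddress
from datetime import date

# Constructed indicator feed (not a real one); field names are an assumption.
INDICATORS = [
    {"type": "ipv4", "value": "203.0.113.7", "threat": "brute-force infrastructure",
     "confidence": 80, "last_seen": "2023-03-01"},
    {"type": "cidr", "value": "198.51.100.0/24", "threat": "scanner network",
     "confidence": 50, "last_seen": "2023-02-20"},
    {"type": "domain", "value": "bad.example", "threat": "C2 domain",
     "confidence": 90, "last_seen": "2023-03-02"},
    {"type": "sha256", "value": "a" * 64, "threat": "dropper",
     "confidence": 95, "last_seen": "2022-06-01"},   # stale: last seen months ago
]

# Constructed, already-normalized SIEM events from three different feeds.
EVENTS = [
    {"id": 1, "source": "proxy", "src_ip": "10.0.0.5", "domain": "cdn.bad.example"},
    {"id": 2, "source": "firewall", "src_ip": "198.51.100.23", "dst_ip": "10.0.0.9"},
    {"id": 3, "source": "antivirus", "host": "ws-12", "sha256": "a" * 64},
    {"id": 4, "source": "proxy", "src_ip": "10.0.0.6", "domain": "example.org"},
]


def build_index(indicators, today, max_age_days=90):
    """Turn the feed into lookup structures, dropping indicators last seen more than
    `max_age_days` before `today` (an ISO date string)."""
    today = date.fromisoformat(today)
    idx = {"ip": {}, "cidr": [], "domain": {}, "sha256": {}}
    for ind in indicators:
        if (today - date.fromisoformat(ind["last_seen"])).days > max_age_days:
            continue
        if ind["type"] == "ipv4":
            idx["ip"][ind["value"]] = ind
        elif ind["type"] == "cidr":
            idx["cidr"].append((ipaddress.ip_network(ind["value"]), ind))
        elif ind["type"] == "domain":
            idx["domain"][ind["value"].lower()] = ind
        elif ind["type"] == "sha256":
            idx["sha256"][ind["value"].lower()] = ind
    return idx


def match_ip(ip, idx):
    """Exact address first, then any published network range."""
    if ip in idx["ip"]:
        return idx["ip"][ip]
    addr = ipaddress.ip_address(ip)
    for net, ind in idx["cidr"]:
        if addr in net:
            return ind
    return None


def match_domain(domain, idx):
    """A hostname matches if it or any parent domain is an indicator
    (cdn.bad.example matches the indicator bad.example); the bare TLD is never tried."""
    labels = domain.lower().split(".")
    for i in range(len(labels) - 1):
        ind = idx["domain"].get(".".join(labels[i:]))
        if ind:
            return ind
    return None


def enrich(events, idx):
    """Return one hit per event that touches a live indicator, highest confidence first."""
    hits = []
    for ev in events:
        ind = None
        for key in ("src_ip", "dst_ip"):
            if ev.get(key):
                ind = ind or match_ip(ev[key], idx)
        if ev.get("domain"):
            ind = ind or match_domain(ev["domain"], idx)
        if ev.get("sha256"):
            ind = ind or idx["sha256"].get(ev["sha256"].lower())
        if ind:
            hits.append({"event_id": ev["id"], "source": ev["source"], "indicator": ind["value"],
                         "threat": ind["threat"], "confidence": ind["confidence"]})
    return sorted(hits, key=lambda h: -h["confidence"])


if __name__ == "__main__":
    for hit in enrich(EVENTS, build_index(INDICATORS, today="2023-03-03")):
        print(hit)
```

Run on 2023-03-03, the proxy request to a subdomain of the C2 domain and the firewall connection from the scanner range are flagged; the antivirus hash is ignored because the dropper indicator is nine months old. Run against an earlier date, the same hash matches, which is exactly why the feed's last_seen field has to be honoured rather than matching every indicator ever published.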
- Compliance and reporting
Given the growing number of cybersecurity standards and certification schemes, SIEM solutions are fast becoming a key component of any information system. They offer a relatively simple way of addressing several security requirements (e.g. log generation and retention, security reports and alerts) and of demonstrating compliance to certification authorities and supervisory bodies, all the more so since SIEM systems can generate highly customizable reports geared to the stipulations of each regulation.
This advantage alone is often enough to convince organizations to roll out a SIEM, and rightly so: producing a single report covering all relevant security events, irrespective of the log source (too often in a proprietary format), saves precious time.
- Improved incident management activities
SIEMs also let organizations handle incidents faster. Implementing a SIEM gives a company the assurance that it can quickly identify threats and speed up its response with minimal resources. Once again, the system identifies attacks and potential breaches by taking an overarching view of the security events fed in from applications, operating systems and the various security devices.
Note that many SIEM solutions also include UEBA functionality (user and entity behavior analytics). These features help organizations track down threats originating from users and from software entities such as hosts and service accounts whose behavior departs from their usual pattern.
The flip side of SIEM solutions
It takes more than a SIEM to surround the organization with impenetrable defenses. SIEM systems have limitations that render them ineffective without high-level support and third-party solutions. Unlike an IDS or a firewall, a SIEM does not observe traffic or hosts directly; it works from the log data those controls generate. In other words, a SIEM can never detect more than its log sources record, which is why deploying and correctly configuring those upstream controls cannot be overstressed.
- Sophisticated configuration
SIEMs are complex products that require a certain level of support if they are to be successfully dovetailed into the company’s existing security controls and the many hosts in its legacy infrastructure.
When installing a SIEM, it is important to fine-tune the settings, since the default configuration is rarely adequate. Rules, thresholds and parsers must be tailored to the company’s environment and to the needs of its users. Similarly, organizations are best advised to build their own analytical reports for the different types of threat they have identified. Otherwise there is a very real risk of never harnessing the solution’s full capability.
- Investment: forewarned is forearmed
Collecting, storing and analyzing security events may sound like relatively simple tasks. However, running compliance reports, installing patches and analyzing every security event across a company’s network should not be taken lightly. Storage sizing, the computing power required to process the data, the time taken to integrate security devices and build an alerting pipeline: the initial outlay may run into hundreds of thousands of dollars, on top of which comes the cost of annual support.
Integrating, configuring and analyzing reports is a job best left to experts. That is why most SIEMs are operated directly within a SOC, often an outsourced one. SIEMs may promise a wealth of advantages, but a poorly configured system causes pain and disappointment. According to a survey of 234 companies (source: LeMagIT), 81% of users blame their SIEM for producing reports containing too much “background noise”, while 63% complain that the reports generated are hard to understand. Using external providers with the necessary expertise is often the best solution.
- A large volume of alerts that must be tuned
SIEM solutions rely on rules to analyze all the recorded data. However, a company network generates a high number of alerts (an average of 10,000 a day), a large share of them false positives. Consequently, identifying genuine attacks is hampered by the sheer volume of irrelevant alerts.
The solution involves defining specific rules (generally established by a SOC) and the scope that needs to be kept under close watch: what should be top of the monitoring list? The network edge? The inside of the company? The network, the systems or the applications? Which technology should be prioritized? The list of questions goes on.
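What that tuning looks like in practice, as an added Python example that is not code from the original article or from any SIEM product: a constructed stream of raw alerts is reduced by three SOC decisions, a monitoring scope (which zones are watched), a per-rule allowlist (the company's authorized vulnerability scanner should not trip the port-scan rule) and a suppression window that collapses repeats of the same rule from the same source into one alert with a count. The alert records, zones, addresses and window length are assumptions made for the example; the counters show an analyst where the noise went, which is what you need in order to justify each tuning decision later.

```python
from datetime import datetime, timedelta

# Constructed alert stream (not real data): what an untuned rule set fires in
# half an hour. 10.0.0.50 is the company's authorized vulnerability scanner.
RAW_ALERTS = [
    {"ts": "2023-03-03T09:00:00", "rule": "port_scan", "src": "10.0.0.50", "dst": "10.0.1.7", "zone": "internal"},
    {"ts": "2023-03-03T09:00:05", "rule": "port_scan", "src": "10.0.0.50", "dst": "10.0.1.8", "zone": "internal"},
    {"ts": "2023-03-03T09:00:10", "rule": "port_scan", "src": "10.0.0.50", "dst": "10.0.1.9", "zone": "internal"},
    {"ts": "2023-03-03T09:05:00", "rule": "port_scan", "src": "203.0.113.9", "dst": "10.0.1.7", "zone": "dmz"},
    {"ts": "2023-03-03T09:06:00", "rule": "port_scan", "src": "203.0.113.9", "dst": "10.0.1.8", "zone": "dmz"},
    {"ts": "2023-03-03T09:09:00", "rule": "port_scan", "src": "203.0.113.9", "dst": "10.0.1.7", "zone": "dmz"},
    {"ts": "2023-03-03T09:10:00", "rule": "failed_login", "src": "10.0.0.51", "dst": "lab-vm-3", "zone": "lab"},
    {"ts": "2023-03-03T09:12:00", "rule": "failed_login", "src": "10.0.0.52", "dst": "fileserver", "zone": "internal"},
    {"ts": "2023-03-03T09:30:00", "rule": "port_scan", "src": "203.0.113.9", "dst": "10.0.1.7", "zone": "dmz"},
]

# Tuning decisions a SOC would make for this company (assumptions for the example).
SCOPE = {"internal", "dmz"}                   # the lab network is deliberately out of scope
ALLOWLIST = {"port_scan": {"10.0.0.50"}}      # known scanner, allowlisted per rule, not globally
SUPPRESSION = timedelta(minutes=10)           # repeats of one (rule, source) collapse into one alert


def tune(alerts, scope=SCOPE, allowlist=ALLOWLIST, window=SUPPRESSION):
    """Apply scoping, allowlisting and suppression; return the alerts an analyst
    should see plus counters showing where the noise went."""
    stats = {"received": len(alerts), "out_of_scope": 0, "allowlisted": 0, "suppressed": 0}
    open_windows = {}   # (rule, src) -> the alert currently accumulating repeats
    kept = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(a["ts"])
        if a["zone"] not in scope:
            stats["out_of_scope"] += 1
            continue
        if a["src"] in allowlist.get(a["rule"], set()):
            stats["allowlisted"] += 1
            continue
        key = (a["rule"], a["src"])
        cur = open_windows.get(key)
        if cur and ts - cur["first_seen"] <= window:
            # same rule and source inside the window: fold into the open alert
            cur["count"] += 1
            cur["last_seen"] = ts
            cur["targets"].add(a["dst"])
            stats["suppressed"] += 1
            continue
        cur = {"rule": a["rule"], "src": a["src"], "first_seen": ts, "last_seen": ts,
               "count": 1, "targets": {a["dst"]}}
        open_windows[key] = cur
        kept.append(cur)
    return kept, stats


if __name__ == "__main__":
    kept, stats = tune(RAW_ALERTS)
    print(stats)
    for alert in kept:
        print(alert["rule"], alert["src"], "x%d" % alert["count"], sorted(alert["targets"]))
```

Nine raw alerts become three: the external scanner of the DMZ, with its three probes folded into one alert listing both targets, the internal failed login, and the scanner's return half an hour later, which opens a new window because the first one has closed. Note that the allowlist is keyed by rule: the scanner is exempt from the port-scan rule only, so a failed login from it would still be seen.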
- Round-the-clock monitoring
To wring peak performance from a SIEM solution, logs and alerts must be monitored on a 24/7 basis. Trained personnel or dedicated team members are needed to pore over the logs, carry out regular analytics and extract the relevant reports.
That explains why it makes perfect sense to outsource monitoring activities to a security service provider, such as SECURIVIEW. This approach gives the organization the necessary expertise, greater budgetary visibility and SLAs. Fulfil these conditions and rest assured that your investment in a SIEM solution will herald a key step in shielding your organization against sophisticated threats.