In this 3-part series, we will not only answer the question "What is SIEM?" but also cover the detection, response and recovery process, plus how a SIEM platform processes and analyses log data.
What is SIEM?
SIEM – or Security Incident and Event Monitoring platform - seeks to provide a holistic approach to an organisations IP security. A SIEM platform represents a combination of services, appliances and technologies, performing real-time collection of log data from devices, applications and hosts.
Your SIEM processes collected log data, enabling real-time analysis of security alerts generated by network hardware and applications, as well as advanced correlation for security and operational events – and will include real-time alarming and scheduled reporting.
Why is SIEM now essential?
» Security strategy to protect traditional IT infrastructure
The internal IT environment consists of servers, network equipment, applications and other components that you will want to defend and protect. Around this environment, there will be protection in the form of firewalls and AV applications, and possibly Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS). And you should also try to shore up one of the most vulnerable components of their corporate network – the human element – through awareness and training.
Hardware and software of a security platform
1. At the edge:
There are Firewalls, designed to block unauthorised access.
Intrusion Detection Systems monitor for malicious activity or policy violations.
Intrusion Prevention Systems monitor for well-known characteristics of attacks.
And Anti-Virus (AV) tools, prevent, detect and remove malware.
At the server-level, attention should be given to the principle of least privilege, allowing access only to the resources that are necessary.
Application monitoring observes what applications are being used, or approved for use, virus scanning is employed, and email analysers search for suspicious behaviour.
On the network, network monitors watch activity across the network. Flow analysers gather information around value sets. And traffic capture tools monitor log traffic over the network.
2. At the endpoint:
AV tools are used to prevent, detect and remove malware.
Locked accounts enable lockdown on individual hosts.
Data Loss Prevention (DLP) can be employed to control what data end users can transfer.
File monitoring observes what files and directories are being accessed.
And process monitoring keeps an eye on the connections processes are making.
How does SIEM work?
A SIEM platform taps into all of this activity, continually receiving thousands of logs per second from all of the devices and systems within your IT environment. The SIEM processes and analyses log data to make sense and meaning of what is actually happening on a device. And analytics are used to analyse data activity providing more input to understand what is really happening.
The importance of SIEM
As we’ve seen all too often on the news, it has become increasingly difficult to defend against the complex and varied cyber attacks we see today.
Despite all of the systems and efforts put into your security solutions, hackers – or those trying to breach your environment - will get in. Once they are in, detecting and responding to their attack is time-critical – and impossible without SIEM technology.
As we’ve seen, a SIEM solution is incredibly important, as it centralises log data within IT environments, augmenting security measures and enabling real-time analysis of event occurring within your environment.
Real-time security monitoring
This holistic view of security events allows a SIEM platform to identify ‘signals’ of suspicious activity, such as a change in account permission.
This constantly watching, monitoring and analysing events and alerts within the environment provides visibility of security events WITHIN their organisation… You’ve secured the doors and windows – But you need a security patrol to monitor within the grounds of your castle.
Security, compliance and GDPR
A SIEM solution also provides the ability to log security data and generate reports for compliance purposes – particularly the requirements of GDPR – as well as providing digital forensics, fulfilling additional parts of the overall information security strategy.
In part 2 of 'What is SIEM?', we take a look at the detection, response and recovery to a cyber attack.
SIEM is complex – and everyone knows it
As we’ve seen, SIEM platforms can seem complex. The capabilities and intelligence built into a SIEM is impressive – but this does mean a skills investment and complexity… for the users, for support teams and for the organisation.
Any while businesses rely more and more on IT teams to deliver core business projects, day-to-day IT operations AND maintain security – with limited resources and budgets – it is no wonder that many organisations have realised it is not viable to build their own fully staffed and resourced 24/7 Security Operations Centre (SOC), to secure their critical business information.
Outsourced SOC (and SIEM)
Managing the complexities of a SIEM platform, keeping pace with the latest security threats, as well as managing people, processes and associated technologies is a tall order. As well as factoring in the time and cost to build, train and retain your own 24/7 Security Operations Centre (SOC).
Whether fully outsourced Security, or working in partnership with internal teams, an outsourced Security Operations Centre will help you to quickly scale your security, keep pace with ever-changing threats – and ultimately ensure effective security outcomes, at a lower cost of doing it yourself.
- Pros and cons of outsourcing your Cyber Security - In-house, MSSP, or Virtual SOC?
- Is Ransomware really the biggest threat to your IT security?
- On-demand webinar: How to develop security vulnerability management programmes
- WSUS, SCCM and third-party patch management
- How to create a BYOD Security Policy in 9 simple steps
About Comtact Ltd.
Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact's state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK's leading organisations.