Keep your business secure with the proper SIEM solution
With traditional preventative measures, such as firewalls and antivirus software, no longer enough on their own to keep out the latest security threats, SIEM solutions have become key to giving businesses visibility of attacks that are already inside the network.
SIEM stands for Security Information and Event Management. A SIEM collects log data from sources such as firewalls, intrusion detection systems, servers, endpoints, applications and network infrastructure, then correlates and analyses it to detect breaches and other suspicious activity.
There is a huge range of SIEM solutions available, each with a different set of features and functionality, so it is vital to select the platform that is right for the needs of the organisation. Here we identify some of the main things to consider when investing in SIEM technology.
Which assets are most important to protect?
Before your business invests money and resources into SIEM, it is a good idea to identify the assets within your infrastructure that are of the highest priority to protect. It may be tempting to opt for a system that can ingest every log type you have. However, for a variety of reasons, this is often unrealistic. Ingesting logs from a wide range of data sources can be complex and expensive, particularly in storage and licensing costs, since many SIEMs are licensed by daily ingest volume. It makes sense, therefore, to focus on monitoring the assets that are most at risk and to ensure that your preferred SIEM solution supports those log sources.
Taking network information such as DHCP and DNS data into a SIEM is relatively straightforward, because the records have a fixed structure, but application data and less structured forms of information can be much harder to parse and normalise into a common schema. Another key consideration is data governance: you will often need explicit consent from the data owner(s) before processing their data for security purposes.
Your decision over the most important assets to safeguard may also be driven by industry requirements. For example, if your business processes card payments you may be required to log and proactively monitor activity on assets within your cardholder data environment to comply with PCI DSS, whose Requirement 10 covers logging and monitoring of access to cardholder data.
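To make the structured-versus-unstructured point concrete, here is an added example (not code from the original article or from any SIEM vendor) that normalises two constructed log lines into one common event schema. The BIND-style DNS query line has a fixed layout and parses cleanly; the free-form application line needs a best-effort regex plus key=value extraction, and anything the text does not contain is left empty rather than guessed. Both sample lines and the schema field names are assumptions for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample inputs (not taken from any real system).
# A BIND-style DNS query log line: fixed layout, easy to parse.
DNS_LINE = ("02-Mar-2019 10:15:42.117 queries: info: client 10.0.0.23#51234 "
            "(updates.example.com): query: updates.example.com IN A + (10.0.0.2)")

# A free-form application log line: prose mixed with key=value pairs.
APP_LINE = ('2019-03-02T10:16:01Z WARN payment-api Declined transaction for user=alice '
            'amount=1299.00 reason="card expired" from 203.0.113.7')

DNS_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ queries: info: "
    r"client (?P<src_ip>[\d.]+)#(?P<src_port>\d+) \((?P<qname>[^)]+)\): "
    r"query: \S+ IN (?P<qtype>\w+)"
)

def parse_dns(line):
    """Parse a BIND query-log line into the common (assumed) event schema."""
    m = DNS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "time": ts,
        "source": "dns",
        "src_ip": m["src_ip"],
        "src_port": int(m["src_port"]),
        "user": None,
        "action": "query",
        "detail": {"qname": m["qname"], "qtype": m["qtype"]},
    }

# Timestamp, level and service name are positional; the rest is free text
# that may or may not end with "from <ip>".
APP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) (?P<service>\S+) (?P<msg>.*?)"
    r"(?: from (?P<src_ip>[\d.]+))?$"
)
# key=value pairs, with optional double-quoted values containing spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_app(line):
    """Best-effort parse of a free-form application line into the same schema.
    Fields the text does not carry stay None; the prose is kept verbatim."""
    m = APP_RE.match(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m["msg"])}
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "time": ts,
        "source": m["service"],
        "src_ip": m["src_ip"],
        "src_port": None,
        "user": kv.get("user"),
        "action": m["level"].lower(),
        "detail": {**kv, "message": m["msg"]},
    }

def normalise(lines):
    """Route each raw line to the right parser and drop anything unparseable."""
    events = []
    for line in lines:
        ev = parse_dns(line) or parse_app(line)
        if ev:
            events.append(ev)
    return events

if __name__ == "__main__":
    for ev in normalise([DNS_LINE, APP_LINE]):
        print(ev)
```

The DNS parser either matches fully or not at all; the application parser degrades gracefully, which is exactly why application sources cost more to onboard: every new message format needs its own pattern, and fields like `user` or `src_ip` are only as reliable as the developer's logging habits.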
Can a solution ingest more than just security events?
Making a decision as to which SIEM to choose should also be driven by a possible need to ingest more than just security logs. Legacy SIEM systems analyse data based solely on security events – something that makes it difficult to understand what’s occurring across the rest of an IT environment, such as actions related to users and applications. If your business uses infrastructure and services hosted across cloud and on-premises environments, traditional SIEM systems could leave you exposed.
When choosing a SIEM system, consider your organisation's need to collect and analyse the types of data that will give you the visibility you are looking for.
What type of analytics is required?
Deciding which logs to collect and store should also be heavily influenced by a SIEM tool's ability to analyse them. It is no good being able to ingest lots of logs if the solution cannot extract actionable intelligence from them.
Traditional SIEM solutions use relatively simple analytics, such as pattern matching (signature and correlation rules) and statistical modelling (thresholds and baselines), to recognise suspicious activity. While these methods remain effective for the most part, many SIEM vendors are now focusing on AI and deep learning to identify attacks. To improve detection of insider threats and compromised accounts, many vendors are also investing in User and Entity Behavior Analytics (UEBA), which baselines the normal behaviour of each user and device and flags deviations from it.
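The following added example (written for this article, not code from any SIEM product) runs both styles of analytics over a constructed stream of authentication events. Rule 1 is a classic correlation rule: five or more failures from one source address followed by a success within ten minutes. Rule 2 is a minimal UEBA-style baseline: once a user has enough successful-login history, a success at an hour or from a country never seen for that user is flagged. The events, thresholds and alert names are all assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events in time order (not from a real system).
# (timestamp, user, source IP, source country, outcome)
EVENTS = [
    ("2019-03-02T09:00:00", "alice", "10.0.0.5", "GB", "success"),
    ("2019-03-02T09:30:00", "bob", "10.0.0.9", "GB", "success"),
    ("2019-03-03T08:55:00", "alice", "10.0.0.5", "GB", "success"),
    ("2019-03-03T09:20:00", "bob", "10.0.0.9", "GB", "success"),
    ("2019-03-04T09:05:00", "alice", "10.0.0.5", "GB", "success"),
    ("2019-03-04T09:10:00", "bob", "10.0.0.9", "GB", "success"),
    # Guessing from one external address at 03:00, then a hit on bob.
    ("2019-03-05T03:00:10", "bob", "203.0.113.7", "NL", "failure"),
    ("2019-03-05T03:00:12", "bob", "203.0.113.7", "NL", "failure"),
    ("2019-03-05T03:00:14", "bob", "203.0.113.7", "NL", "failure"),
    ("2019-03-05T03:00:16", "bob", "203.0.113.7", "NL", "failure"),
    ("2019-03-05T03:00:18", "bob", "203.0.113.7", "NL", "failure"),
    ("2019-03-05T03:00:25", "bob", "203.0.113.7", "NL", "success"),
    # alice logs in at her usual hour from her usual place: no alert expected.
    ("2019-03-05T09:02:00", "alice", "10.0.0.5", "GB", "success"),
]

FAILURE_THRESHOLD = 5            # assumed tuning values
WINDOW = timedelta(minutes=10)
MIN_HISTORY = 3                  # successes needed before a user's baseline is trusted

def detect(events):
    """Run a correlation rule and a behavioural baseline over the event stream
    and return the alerts raised, in order."""
    alerts = []
    failures = defaultdict(deque)       # src_ip -> timestamps of recent failures
    seen_hours = defaultdict(set)       # user -> hours of day seen in past successes
    seen_countries = defaultdict(set)   # user -> countries seen in past successes
    history = defaultdict(int)          # user -> number of past successes

    for ts_text, user, src_ip, country, outcome in events:
        ts = datetime.fromisoformat(ts_text)

        # Rule 1 (pattern matching / correlation): N failures then a success
        # from the same source inside the sliding window.
        recent = failures[src_ip]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()
        if outcome == "failure":
            recent.append(ts)
            continue
        if len(recent) >= FAILURE_THRESHOLD:
            alerts.append(("brute_force_success", user, src_ip))
        recent.clear()

        # Rule 2 (statistical baseline, UEBA-style): compare this successful login
        # with what the user has done before, once enough history exists.
        if history[user] >= MIN_HISTORY:
            reasons = []
            if ts.hour not in seen_hours[user]:
                reasons.append("unusual_hour")
            if country not in seen_countries[user]:
                reasons.append("new_country")
            if reasons:
                alerts.append(("anomalous_login", user, src_ip, tuple(reasons)))

        # Every success, flagged or not, becomes part of the baseline.
        history[user] += 1
        seen_hours[user].add(ts.hour)
        seen_countries[user].add(country)
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Note that the baseline rule learns from the flagged login too, so a second off-hours login from the same country would be silent. A real UEBA engine would score deviations rather than use set membership and would quarantine or down-weight events that were already alerted on; the point here is that the two rules catch different things, and that the second is only useful after enough clean history has been collected.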
What level of response capability is required?
Cyber security threats are now more damaging and destructive than ever. This means that the ability not only to detect but also to respond quickly is increasingly important. As a result, many SIEM vendors are also focused on improving their technology's Security Orchestration, Automation and Response (SOAR) capabilities.
SOAR tooling aggregates threat intelligence and alerts from multiple sources and runs automated playbooks, for example blocking an address at the firewall, isolating an endpoint or disabling a compromised account, to contain and disrupt threats without waiting for an analyst to act.
Do you need to monitor the cloud?
More than 96 percent of businesses now use cloud computing solutions in one way or another, and if you count yours among them, it is essential to ascertain whether a solution can ingest data from platforms such as AWS, Office 365, and Google Cloud Platform. With attacks increasingly targeting cloud environments and services, blind spots in the cloud could leave your organisation exposed. Indeed, cloud customers faced more than 681 million cyberattacks in 2018, demonstrating the huge importance of the issue. Also consider whether the SIEM system itself can be deployed in the cloud. Many SIEM providers now offer SaaS versions with fast, scalable deployment and usage-based billing.
Could you benefit from a managed SIEM service?
If you think your business would benefit from a SIEM solution but you are not sure how to go about leveraging the technology, you might want to consider a managed SIEM service.
A managed SIEM service delivered by cyber security specialists will not only help you select the best SIEM for your business, it will also remove much of the hard work of deploying, tuning, managing and monitoring it 24/7/365.
Written by: Mike James, BOSS Contributor