When it comes to protecting your company’s data, it helps to be a little bit paranoid.
You’ve seen it in TV shows and movies: those office scenes in a large, dark room with seemingly hundreds of monitors showing maps of the world with red and green lights, code scrolling by, flashing alerts, and graphs and tables of seemingly incomprehensible information.
This is more than likely a SOC (Security Operations Center). In a SOC, the health and safety of your business’s network and systems are monitored. This is done through what’s known as Security Information & Event Management (SIEM), which consists of both Security Information Management (SIM) and Security Event Management (SEM).
Let’s look a little deeper into SIEM – what it is, why it’s important and how it relates to the success of your business.
What is Security Information & Event Management?
We now go back to our dimly lit office, with all of its computer screens. Glancing at them, we see one with a flashing red symbol. One of the technicians monitoring the systems notices the alert and gets to work.
The alert is showing that there is suspicious login activity. Now, one account trying to log in 10 times in 5 minutes may be acceptable, but this account has been trying to log in 30 times in the last 30 seconds! That’s definitely a red flag!
The technician quickly blocks the computer from the network, and then follows up with the employee to see if they’re still in possession of their laptop. If they are, the employee is instructed to bring it to the SOC for analysis.
If this hadn’t been caught, and if the perpetrator had been able to gain access, they could have had free rein throughout the system for however long it took you to find them. They could have stolen customer and financial data, or installed a back door, malware, or ransomware in your system to use later.
It could have potentially cost you your business.
Security Information and Event Management is the term used to describe how security threat events are managed at every step so that potential breaches can be caught early, including detection, resolution, documentation, and Standard Operating Procedure (SOP) protocols.
What Does SIEM Consist Of?
A good SIEM program will give you a complete 360-degree view of your entire network, devices, and apps.
It will allow you to set up rules, alerts, and thresholds for common scenarios. SIEM software uses information gained from threat intelligence feeds. Some of these threats are widely known, coming in such forms as email phishing, malware, distributed denial-of-service (DDoS) attacks, and the like. This knowledge of what to look for and how to defend against these attacks comes from insights into attacker tactics, techniques and procedures (TTPs) and known indicators of compromise (IOCs).
But as you know, threats are constantly evolving. The better security software companies have dedicated staff working around the clock to keep these threat definitions current, and they are constantly on the lookout for new trends.
Analytics, Log Management, and Compliance
A critical aspect of SIEM is analytics. Maybe someone logged into the network from their own device that carries an unknown virus, or a laptop has been stolen and its password has been compromised. Analytics looks at user behavior to detect anomalies, which can indicate a compromised account or unknown malware.
Log management is another tool used in SIEM. Almost every application produces logs. Logs are useless unless they’re monitored. A good SIEM will aggregate log data, filter out the noise, and allow event correlation. This allows the software to quickly alert upon signs of a breach or attack.
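As an added example (not code from the original article), here is a minimal version of the threshold rule the SOC scenario above describes, run over constructed log lines: a sliding-window count of failed logins per account that alerts at 30 failures in 30 seconds while leaving a few scattered failures alone. The log format, the choice to count only failed attempts, and the assumption that lines arrive in time order are all assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from any real system).
# Format assumed for this example: "<ISO timestamp> <account> <OK|FAIL>"
# alice: three failures spread over a few minutes, then a success (benign).
# bob: thirty failures inside thirty seconds (the scenario's red flag).
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice FAIL
2024-05-01T09:01:00 alice FAIL
2024-05-01T09:02:30 alice FAIL
2024-05-01T09:04:45 alice OK
""" + "\n".join(f"2024-05-01T10:15:{i:02d} bob FAIL" for i in range(30))


def parse_line(line):
    """Split one log line into (timestamp, account, result)."""
    ts, account, result = line.split()
    return datetime.fromisoformat(ts), account, result


def detect_bursts(log_text, threshold=30, window_seconds=30):
    """Return {account: time of first alert} for accounts whose failed
    logins reach `threshold` within a sliding window of `window_seconds`.
    Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, result = parse_line(line)
        if result != "FAIL":
            continue  # successful logins are noise for this rule
        q = recent[account]
        q.append(ts)
        # Drop failures that fell out of the window (filter the noise).
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and account not in alerts:
            alerts[account] = ts  # correlate: burst for one account
    return alerts


if __name__ == "__main__":
    for account, when in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} {account}: login failure burst")
```

Lowering the threshold (for example, 3 failures in 5 minutes) would also flag alice, which is exactly the tuning decision a SIEM rule has to make between catching attacks and drowning analysts in noise.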
And lastly, we get to compliance. Many companies operate under industry and government regulatory compliance guidelines. Some of the more well-known ones are HIPAA, SOX (Sarbanes-Oxley), PCI DSS, and GDPR. With regulatory compliance come reporting requirements.
Here are a few of the features that a SIEM application gives you with regard to compliance:
- A SIEM is able to document and justify the use of an organization’s permitted services, protocols and ports, as well as document security features implemented for insecure protocols.
- SIEM’s log management, aggregation, normalization, and reporting features can help you stay in compliance and keep up with reporting requirements.
- Some compliance regulations may require a DMZ: a layer where your internal network interacts with the internet, managing connections between untrusted networks (e.g., the internet) and a web server. Another SIEM feature is the ability to inspect traffic flow across the DMZ and report on anomalies.
That’s a Lot of Information!
If all of this seems overwhelming, you’re right: it is.
There are many aspects to correctly building out a Security Information & Event Management solution. As each business will have its own unique challenges, there isn’t a one-size-fits-all approach to SIEM. And after it has been built, it needs to be maintained and monitored.
Instead of going it alone, many companies wisely choose to outsource their security needs to experts like the team at Mission Critical Systems. Learn more about how we incorporate SIEM in our security service offerings.
Call us or contact us online today to see how we can bring you peace of mind.