What Is a SIEM and Why Does My Business Need One?
In today’s digital world, keeping your business secure is a moving target.
Cyber threats occur 24 hours a day, seven days a week. It is not a matter of if you will be attacked, but when. Advanced threats have increased over 250% since 2017, and insider threats have also risen, driven by spam emails. Sixty-two percent of security experts expect hackers will use AI (Artificial Intelligence) within a year.
That’s why your business needs an advanced SIEM (Security Information and Event Management) solution. Here’s what that looks like and how it works:
SIEMs provide real-time analysis of security alerts.
A SIEM combines log and event data analysis with security information management. An event is any activity on the network performed by an event source; event sources can be routers, switches, applications, or anything else that communicates across the network. SIEM software is designed to scan all events on the network and aggregate the data in the form of logs. In short, a SIEM is a log aggregation tool that:
- Generates appropriate compliance reports and gets them to the appropriate people.
- Looks for hidden security issues.
- Generates notifications when changes occur.
- Determines if notifications are actionable or if they are false positives.
From there, it is up to the company to determine what to do with that data.
Why yesterday’s SIEM solutions aren’t enough.
There was a time when a basic SIEM would have provided the appropriate information for an analyst to determine threats. But now, while getting the security logs to the SIEM is important, it’s not enough. In fact, it’s really only the first step.
For example, let’s say you’ve ordered a SIEM product from your provider and you feel good believing it’s doing everything a SIEM is capable of. The reality is that many SIEMs are simply glorified log aggregators, and, as stated above, merely having the information won’t keep your company safe. You still haven’t filtered through the data, weeded out false positives, assigned threat levels to events, notified and escalated as appropriate within your organization, and so on, 24 hours a day, seven days a week.
A stand-alone IDS/IPS won’t cut it, either.
Some people also believe their IDS/IPS (Intrusion Detection System/Intrusion Prevention System) does the same thing as a SIEM, but it doesn’t. A SIEM aggregates the data and cross-correlates it with data from other systems, other threat feeds, and configuration information to determine if there is a threat. An IDS is a single device with a single view of the system and network. The IDS as a single data feed by itself is full of false positives and erroneous information. Relying on your IDS alone is the same as watching a single frame of a movie and thinking you know the entire plot. While they can be useful, machine learning systems can’t replace a customized SIEM.
The value of a SIEM is in the cross-correlation of data from all devices, including machine learning devices. Also, as technology advances, new devices have to be placed at specific points on the network, or fed from a network tap, to ensure all traffic flows pass through the box. This is acceptable, but the box cannot see any traffic that is encrypted, and today more data is encrypted than ever.
An advanced SIEM solution keeps your company secure in 3 ways.
Today’s businesses are using analytics-driven SIEMs that combine a big data platform that is optimized for machine data with advanced analytics, threat detection, monitoring tools, incident response tools, and multiple forms of threat intelligence. The following are the three main benefits of this kind of system.
1. Centralized security notifications. The primary reason for getting a SIEM is to centralize all the security notifications from your various security technologies. Your firewall, IDS/IPS systems, anti-virus console, wireless access points, and active directory servers all generate an overwhelming amount of security alerts every day. A SIEM allows you to collect these in a central location with a single set of reports and a single system for creating notifications. This is typically referred to as a log aggregation solution. Remember, this is where many SIEM solutions stop.
2. Logging and reporting. The second main function of your SIEM is to provide logging and reporting for compliance purposes. For almost every compliance regulation there are requirements to log user access, track system changes, and monitor adherence to corporate policy. A good SIEM solution will make these tasks much easier by collecting this data from all your systems. Then, when it is time for an audit or exam, you can simply generate the appropriate compliance reports and send them to the appropriate people. Just keep in mind that your SIEM must have the needed compliance functionality and reports built in to be effective.
3. Automated cross-correlation and analysis of raw event logs. The third, and maybe most important, function that a SIEM performs is the automated cross-correlation and analysis of all your raw event logs from across your entire network. This is where your SIEM looks for hidden cybersecurity issues that would otherwise go unnoticed by combining data from several different sources.
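The three functions above (collecting alerts from different technologies into one place, keeping the normalized records, and cross-correlating them) are easiest to see in a small working model. The Python below is an added example, not code from the article or from any SIEM product: it takes constructed log lines from a firewall, a network IDS and a domain controller, maps each onto a common schema, then groups the events by source address and scores the combined evidence. The log formats, the signature id and the scoring weights are all assumptions made for the example; the Windows event IDs 4625 (failed logon) and 4624 (successful logon) are real.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from three event sources (not real logs).
SAMPLE_LINES = [
    # perimeter firewall: two denied probes from one external address
    "2024-05-01T02:14:03Z fw01 DENY TCP 203.0.113.7:51234 -> 10.0.0.5:445",
    "2024-05-01T02:14:04Z fw01 DENY TCP 203.0.113.7:51235 -> 10.0.0.5:3389",
    "2024-05-01T02:15:10Z fw01 ALLOW TCP 198.51.100.20:44000 -> 10.0.0.8:443",
    # network IDS: the sid is a placeholder in the local-rule range, not a vendor signature id
    '2024-05-01T02:14:30Z ids01 alert sid=1000001 msg="Possible RDP brute force" src=203.0.113.7 dst=10.0.0.5',
    # domain controller: a failed logon followed by a successful one from the same address
    "2024-05-01T02:16:02Z dc01 EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.7",
    "2024-05-01T02:16:20Z dc01 EventID=4624 TargetUserName=jsmith IpAddress=203.0.113.7",
]

# One regex per source; each yields the fields the common schema needs.
PARSERS = [
    ("firewall", re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) \S+ "
                            r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")),
    ("ids", re.compile(r'^(?P<ts>\S+) (?P<host>\S+) alert sid=\d+ msg="(?P<msg>[^"]*)" '
                       r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$")),
    ("ad", re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
                      r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>[\d.]+)$")),
]


def normalize(line):
    """Map one raw line onto the common schema; return None for lines no parser recognises."""
    for source, rx in PARSERS:
        m = rx.match(line)
        if not m:
            continue
        f = m.groupdict()
        ev = {"ts": datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ"),
              "source": source, "host": f["host"], "src_ip": f["src"]}
        if source == "firewall":
            ev["category"] = "fw_deny" if f["action"] == "DENY" else "fw_allow"
        elif source == "ids":
            ev["category"] = "ids_alert"
        else:
            ev["category"] = "auth_failure" if f["eid"] == "4625" else "auth_success"
        return ev
    return None


# Assumed weights: how much each kind of evidence contributes to the verdict for an address.
WEIGHTS = {"fw_deny": 1, "ids_alert": 2, "auth_failure": 1}


def correlate(lines, window=timedelta(minutes=5)):
    """Group normalised events by source address and score the combination of evidence."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev:
            by_ip[ev["src_ip"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        cats = [e["category"] for e in evs]
        score = sum(WEIGHTS.get(c, 0) for c in cats)
        # A failed logon followed by a success from the same address inside the window is the
        # strongest single signal, and no one source sees it together with the probes and the IDS hit.
        fails = [e["ts"] for e in evs if e["category"] == "auth_failure"]
        succ = [e["ts"] for e in evs if e["category"] == "auth_success"]
        if any(timedelta(0) <= (s - f) <= window for f in fails for s in succ):
            score += 3
        severity = "high" if score >= 5 else "medium" if score >= 2 else "low"
        findings.append({"src_ip": ip, "score": score, "severity": severity,
                         "sources": sorted({e["source"] for e in evs})})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LINES):
        print(f)
```

Read on its own, each source here is the "single frame of the movie" from the previous section: two firewall denies, one IDS alert or one failed logon would each rate low. Only the combined record for 203.0.113.7 reaches high, while the ordinary allowed connection from 198.51.100.20 stays low, which is exactly what a central, normalized store makes possible.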
Effective SIEM solutions take all data into account.
All data must be visible to your SIEM for it to be completely effective. For example, let’s say your SIEM receives an alert from your IDS stating it has detected a SQL injection attack against one of your servers. That sounds scary and may have you waking up at night thinking you have to do something. But do you have a SQL server? Or are you freaking out over nothing?
Many SIEM solutions do not consider the types of servers you are running, which can lead to false positives. A complete SIEM solution understands what the servers are, what applications they are running, and what the configurations are. This intelligent context is how you eliminate false positives and ensure you are only awakened at night when absolutely necessary.
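The SQL injection scenario above comes down to enriching each IDS alert with what the SIEM knows about the target. The Python below is an added example, not code from the article or from any SIEM product, and it deliberately goes a little beyond the text: besides asking whether the target runs a service the signature can affect, it refuses to suppress an alert when the asset is missing from the inventory or the inventory record is stale, because absence of information is not evidence that the attack cannot succeed. The asset inventory, signature classes, alerts and 30-day freshness limit are all constructed assumptions for the example; the mapping also treats web servers as valid SQL injection targets, since the injection usually travels through the web application to the database behind it.

```python
from datetime import date, timedelta

# Fixed reference date so the example is deterministic (assumption).
TODAY = date(2024, 5, 1)
# Inventory records older than this are not trusted to suppress anything (assumed policy).
MAX_INVENTORY_AGE = timedelta(days=30)

# Constructed asset inventory: hypothetical hosts, not real systems.
INVENTORY = {
    "10.0.0.5":  {"name": "web01", "services": {"https": 443, "ssh": 22}, "last_seen": date(2024, 4, 29)},
    "10.0.0.9":  {"name": "db01",  "services": {"mssql": 1433, "rdp": 3389}, "last_seen": date(2024, 4, 30)},
    "10.0.0.12": {"name": "ntp01", "services": {"ntp": 123}, "last_seen": date(2024, 4, 30)},
    "10.0.0.40": {"name": "old01", "services": {"ssh": 22}, "last_seen": date(2024, 1, 15)},  # stale record
}

# Which services on the target make a signature class relevant at all (assumed mapping).
RELEVANT_SERVICES = {
    # SQL injection rides through the web tier as often as it hits a database port directly
    "sql_injection": {"mysql", "mssql", "postgresql", "http", "https"},
    "smb_exploit": {"smb"},
    "ssh_brute_force": {"ssh"},
}

# Constructed IDS alerts, already normalised into fields by the collection layer.
ALERTS = [
    {"id": 1, "sig_class": "sql_injection",   "dst_ip": "10.0.0.12", "dst_port": 123},
    {"id": 2, "sig_class": "sql_injection",   "dst_ip": "10.0.0.9",  "dst_port": 1433},
    {"id": 3, "sig_class": "sql_injection",   "dst_ip": "10.0.0.5",  "dst_port": 443},
    {"id": 4, "sig_class": "smb_exploit",     "dst_ip": "10.0.0.77", "dst_port": 445},
    {"id": 5, "sig_class": "ssh_brute_force", "dst_ip": "10.0.0.40", "dst_port": 22},
    {"id": 6, "sig_class": "ssh_brute_force", "dst_ip": "10.0.0.9",  "dst_port": 22},
]


def triage(alert, inventory=INVENTORY, today=TODAY):
    """Decide whether an alert is worth waking someone up for, given asset context."""
    result = {"id": alert["id"]}
    asset = inventory.get(alert["dst_ip"])
    if asset is None:
        # Unknown asset: context cannot rule the attack out, so never suppress.
        return {**result, "verdict": "investigate", "reason": "target not in inventory"}
    if today - asset["last_seen"] > MAX_INVENTORY_AGE:
        return {**result, "verdict": "investigate",
                "reason": f"inventory record for {asset['name']} is stale"}
    needed = RELEVANT_SERVICES.get(alert["sig_class"])
    if needed is None:
        return {**result, "verdict": "investigate", "reason": "unknown signature class"}
    running = set(asset["services"])
    if not needed & running:
        # The article's case: a "SQL injection" against a box that runs nothing SQL could reach.
        return {**result, "verdict": "suppress",
                "reason": f"{asset['name']} runs none of {sorted(needed)}"}
    if alert["dst_port"] not in asset["services"].values():
        return {**result, "verdict": "low",
                "reason": f"nothing listens on port {alert['dst_port']} on {asset['name']}"}
    return {**result, "verdict": "investigate",
            "reason": f"{asset['name']} exposes {sorted(needed & running)}"}


def triage_all(alerts=ALERTS):
    """Return {alert id: verdict} for a batch of alerts."""
    return {r["id"]: r["verdict"] for r in map(triage, alerts)}


if __name__ == "__main__":
    for a in ALERTS:
        print(triage(a))
```

Of the six constructed alerts only two are suppressed (the SQL injection aimed at the NTP server and the SSH brute force aimed at a host with no SSH), and the suppression is only ever based on a current inventory record. That is the behaviour to ask of a SIEM that claims to understand your servers: it should reduce noise using context it actually has, and fall back to escalating when it does not.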