
What is a SIEM Tool and Why Do I Need One?


The dramatic increase in integrated technology over the past several decades has provided an operational boon; complex systems can be made to work together to help businesses and organizations do more, faster, and at lower costs.

Yet, this efficiency exposes hidden threats.

Each new integration, whether a custom connection to a partner or supplier or simply an off-the-shelf tool like Dropbox or Zapier, opens a window into the organization that attackers can exploit. A SIEM watches those windows and alerts the organization when something doesn't look right.


Your Digital Monitoring System

Imagine you own a nice home.

You love it. You want to protect it. It’s valuable. The things inside it are valuable.

Yet, you aren’t always home and, when you are, sometimes you’re sleeping.

So, you invest in a security system.

This system monitors windows, doors, and has motion detectors.

When the alarm is set and a door or window is opened (and shouldn’t be), the alarm goes off, alerting you (and the security monitoring company) that unauthorized activity has taken place. If it’s really bad activity, the authorities are called.

Or, imagine you’re home, all is well, but your teenager decides to try and sneak out. This unauthorized activity is captured by your motion sensors, which alert you (and your security monitoring company) that, again, unauthorized activity has taken place.

In many ways, your organization isn’t much different.

Its information, resources, and activities are valuable. Many of them are digital. And many involve digital assets being transferred from one person or system to another.

Yet, in the digital world, where many of these assets reside, many companies go unprotected. They’re like the homeowner with a nice home who doesn’t invest in a security system.

Could everything be ok while he or she is at work?

Absolutely.

But, if a burglary takes place while they’re away…well, the cost & headache associated with solving the problem after-the-fact dwarfs the cost & headache associated with preventing the problem from occurring in the first place.

What Does a SIEM Tool Do?

Security Information and Event Management (SIEM, pronounced “sim”) tools function as your digital home security system. These systems manage the security of an organization’s Information and Communication Technology (ICT) systems by combining Security Event Management (SEM) with Security Information Management (SIM) into a single, integrated security system.

Often this happens through monitoring an organization’s logs, which reflect the activity captured by each component of the system.

SIEM tools watch your digital doors and windows, aggregating log information from all the prospective entry points, identifying strange patterns or behaviors, and providing alerts to a security operations team in order to prompt action. In some cases, SIEM software may even “lock down” the open door or window until an “all clear” is given by a security expert.

In general, SIEM alerts are either rule-based (a known bad pattern or a threshold, such as too many failed logins from one address in a short window) or produced by a correlation engine that links related entries across different log sources and entities, so that events which look harmless on their own stand out when seen together.

More advanced modern SIEMs may incorporate user and entity behavior analytics (UEBA) as well as security orchestration, automation and response (commonly known as SOAR).


How SIEM Tools Work

Most SIEM tools in use today work through a set of collection agents. They act as digital “auditors,” gathering information from your security context; i.e., the different systems that comprise your technical infrastructure.

These agents are then deployed in a systematic manner to gather information from various end-user devices, servers, network equipment, and/or specialized security equipment.

The information gathered is forwarded to an integrated management console where security analysts can monitor the output. Analysts sift through the raw data sets, analyze them, identify relevant connections, and handle security incidents as they arise.

It’s similar to the way your nervous system transmits sensory information from your body back to your brain. Information is gathered, transmitted and monitored. When something is abnormal, an alert is triggered and a person decides how to respond.

For some SIEM systems, some level of pre-processing (parsing, normalizing into a common event schema, and filtering) happens at the edge collectors’ stage. When it does, only the events the central rules actually need are passed through to the integrated management node. This significantly reduces the volume of data being stored and/or transmitted to the security team, at the cost that anything filtered out at the edge is not available later for investigation, so the filter has to be chosen with care.

Advancements in machine learning are helping SIEM systems work faster and more accurately when flagging anomalies, while reducing the cost of adoption.
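To make the pipeline in this section concrete, here is an added example of a miniature SIEM written in plain Python. It is not code from the original article or from any vendor’s product. It shows the stages described above and the two kinds of detection logic mentioned under “What Does a SIEM Tool Do?”: collectors that parse two different log formats into one normalized event schema, an edge filter that forwards only the event types the central rules use, and a central correlation step with one threshold rule and two cross-event rules (one of them across sources). The sshd-style and firewall log formats, hostnames, user names and addresses are all constructed for the example; the addresses come from the documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style line, e.g.
#   2024-03-01T10:00:00 bastion01 sshd[4242]: Failed password for root from 203.0.113.7 port 51000 ssh2
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# Constructed firewall line, e.g.
#   2024-03-01T09:50:00 fw01 fw: DENY src=198.51.100.20 dst=10.0.0.5 dport=3389
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fw: (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)

def parse_ssh(line):
    """Collector for sshd logs: normalized event dict, or None if the line is not sshd."""
    m = SSH_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "source": "sshd", "host": m["host"],
            "event": "auth_fail" if m["outcome"] == "Failed" else "auth_ok",
            "user": m["user"], "src_ip": m["ip"], "dport": None}

def parse_firewall(line):
    """Collector for the (constructed) firewall format, same schema as parse_ssh."""
    m = FW_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "source": "firewall", "host": m["host"],
            "event": "fw_deny" if m["action"] == "DENY" else "fw_allow",
            "user": None, "src_ip": m["src"], "dport": int(m["dport"])}

# Edge pre-processing: only these event types are forwarded to the central node.
FORWARD = {"auth_fail", "auth_ok", "fw_deny"}

def collect(lines, parsers=(parse_ssh, parse_firewall)):
    """Parse each raw line with the first matching collector, drop events the
    central rules do not use, and hand the rest over in time order."""
    events = []
    for line in lines:
        for parser in parsers:
            ev = parser(line)
            if ev is not None:
                if ev["event"] in FORWARD:
                    events.append(ev)
                break  # unparseable lines are silently skipped
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, fail_threshold=5, window=timedelta(minutes=10), scan_ports=3):
    """Central correlation engine: group by source IP and apply three rules."""
    alerts = []
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["src_ip"]].append(ev)
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["event"] == "auth_fail"]
        denies = [e for e in evs if e["event"] == "fw_deny"]
        oks = [e for e in evs if e["event"] == "auth_ok"]
        # Rule 1 (threshold): fail_threshold or more failed logins inside one window.
        burst_end = None
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) >= fail_threshold:
                burst_end = burst[-1]["ts"]
                alerts.append({"rule": "ssh_bruteforce", "severity": "medium", "src_ip": ip,
                               "count": len(burst), "ts": burst_end})
                break
        # Rule 2 (sequence): a success from the same IP shortly after the burst.
        if burst_end is not None:
            for ok in oks:
                if timedelta(0) <= ok["ts"] - burst_end <= window:
                    alerts.append({"rule": "bruteforce_success", "severity": "high", "src_ip": ip,
                                   "user": ok["user"], "ts": ok["ts"]})
                    break
        # Rule 3 (cross-source): firewall denies on several ports (a scan) from an IP
        # that then logs in successfully; neither source alone would raise an alert.
        ports = {d["dport"] for d in denies}
        if len(ports) >= scan_ports:
            last_deny = max(d["ts"] for d in denies)
            for ok in oks:
                if timedelta(0) <= ok["ts"] - last_deny <= window:
                    alerts.append({"rule": "scan_then_login", "severity": "high", "src_ip": ip,
                                   "user": ok["user"], "ports": sorted(ports), "ts": ok["ts"]})
                    break
    return sorted(alerts, key=lambda a: a["ts"])

# Constructed sample logs: a port scan followed by a login, a brute force followed
# by a login, two benign typos below threshold, and one unparseable line.
SAMPLE_LOGS = [
    "2024-03-01T09:50:00 fw01 fw: DENY src=198.51.100.20 dst=10.0.0.5 dport=22",
    "2024-03-01T09:50:05 fw01 fw: DENY src=198.51.100.20 dst=10.0.0.5 dport=3389",
    "2024-03-01T09:50:10 fw01 fw: DENY src=198.51.100.20 dst=10.0.0.5 dport=445",
    "2024-03-01T09:51:00 fw01 fw: ALLOW src=198.51.100.20 dst=10.0.0.5 dport=443",
    "2024-03-01T09:58:00 bastion01 sshd[4100]: Accepted password for deploy from 198.51.100.20 port 50111 ssh2",
    "2024-03-01T10:00:00 bastion01 sshd[4242]: Failed password for root from 203.0.113.7 port 51000 ssh2",
    "2024-03-01T10:01:00 bastion01 sshd[4243]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2",
    "2024-03-01T10:02:00 bastion01 sshd[4244]: Failed password for root from 203.0.113.7 port 51002 ssh2",
    "2024-03-01T10:03:00 bastion01 sshd[4245]: Failed password for root from 203.0.113.7 port 51003 ssh2",
    "2024-03-01T10:04:00 bastion01 sshd[4246]: Failed password for root from 203.0.113.7 port 51004 ssh2",
    "2024-03-01T10:05:00 bastion01 sshd[4247]: Accepted password for root from 203.0.113.7 port 51005 ssh2",
    "2024-03-01T10:10:00 bastion01 sshd[4300]: Failed password for alice from 192.0.2.5 port 40000 ssh2",
    "2024-03-01T10:10:30 bastion01 sshd[4301]: Accepted password for alice from 192.0.2.5 port 40001 ssh2",
    "this line is in no known format and is skipped by every collector",
]

def run(lines=SAMPLE_LOGS):
    """Full pipeline: collect at the edge, correlate centrally, return alerts."""
    return correlate(collect(lines))

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run as-is, the sample produces three alerts: `scan_then_login` for 198.51.100.20, then `ssh_bruteforce` (count 5) and `bruteforce_success` for 203.0.113.7; the two failures from 192.0.2.5 stay below the threshold and the firewall ALLOW line never leaves the edge. Note what the edge filter costs you: because `fw_allow` events are dropped before correlation, a rule that needed them (for instance, an allowed connection on an unusual port) could not be written centrally without changing `FORWARD`.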

Evaluating a SIEM Tool

For a long time, only large companies had to manage integrations. Only large companies had to worry about cybersecurity. And only large companies could afford SIEM solutions.

Not anymore.

Now, even one-man-shops might use Gmail for email, Dropbox for file storage, Hubspot for a CRM, and Zapier to link them all together.

Larger companies using a mix of cloud technologies, Microsoft products, Google products, Apple products, Salesforce products, Amazon products, to say nothing of employees with their own devices, present a much more complex picture. Even though those vendors have high-caliber security teams (they do), they aren’t responsible for watching the seams between their products, which is where your organization’s information lives.

The point is that integrations are the rule, not the exception.

Every organization has more windows and more doors than ever.

Thankfully, as the technology has gained adoption, it’s been easier for small and mid-size organizations to be able to take security into their own hands and responsibly protect themselves.

Still, choosing a SIEM is particular to an organization’s technology stack, budget, and industry. When evaluating SIEM tools, it’s important to consider several factors:

  • Integration with other controls: How many and how complete are the integrations with other systems?
  • Artificial intelligence: Can the system improve its own detection accuracy over time, for instance via machine learning, and can analysts see why it flagged something?
  • Threat intelligence feeds: Which threat intelligence feeds does the SIEM consume, how are they kept current, and can you add your own?
  • Compliance reporting: Does the SIEM offer the compliance reports your industry requires?
  • Forensics capabilities: How much context is retained with each recorded security event, and for how long, so that an analyst can reconstruct an incident after the fact?
  • Support: Having a good partner is essential to successful implementation and support.

Not sure where exactly to begin for your tech stack? Why don’t you reach out and contact us? One of our experts would be glad to provide you a free assessment of your environment.


Jason Miller

Jason Miller, Founder and CEO of BitLyft Cybersecurity, has dedicated his 20-year IT career, including co-founding SaaS pioneer Reviora, to removing cybersecurity barriers for mid-sized enterprises. Establishing BitLyft in 2016, Jason set out to unburden security teams with innovative, approachable, and affordable solutions, a vision which has made BitLyft a respected managed detection and response provider. Outside his cybersecurity pursuits, Jason is an avid tree farmer and outdoor enthusiast, planting nearly 300 trees on his ten-acre plot and finding joy in hiking, hunting, and driving his white Tesla Model 3. His diverse passions mirror the balanced blend of expertise, dedication, and joy he brings to BitLyft.

More Reading

SIEM Data: What is it and who owns it?
Find out why the key question to ask your SIEM provider is: Will I have access to all of my SIEM data?
What is SIEM in Cybersecurity and Why Is It Useful?
Small to medium-sized businesses, organizations, and municipalities have a problem.
What is SIEM? What is SOAR? How are they different?
Are you confused by SIEM and SOAR technology? You aren’t alone.