A firewall, an intrusion prevention system (IPS) and endpoint protection software are security weapons that almost every organization has in its arsenal to defend against cybercriminals. But when it comes to pulling out the big guns to protect the network and the enterprise data assets stored on it, an increasing number of organizations of all sizes are turning to security information and event management (SIEM) systems.
This is because SIEM systems offer functionality that goes beyond more traditional security devices. According to Gartner, the key roles of a SIEM system are:
- Collect security event logs and real-time telemetry for threat detection and compliance use cases.
- Analyze telemetry in real time and over time to detect attacks and other activities of interest.
- Investigate incidents to determine their potential severity and impact on a business.
- Report on these activities.
- Store relevant events and logs.
Automated Threat Responses
In the short to medium term, the additional functionality that is most likely to become commonly available is automated security response capabilities. Today, automated responses to detected threats are relatively rare due to concerns about the disruption that could be caused in a production environment if a false positive is triggered. For this reason, automated responses tend to be used only by organizations that want to adopt the highest security posture. But in the future, it is likely that automated responses will become the norm in the face of sophisticated attacks from cybercriminals using automated attack tools.
Artificial intelligence (AI) and machine learning capabilities are also likely to become increasingly important features of SIEM systems, as they can enable automated responses that are faster, more appropriate and more efficient, with less risk of unexpected disruption.
SEM and SIM
Two important subsets of SIEM are security event management (SEM) and security information management (SIM). Typically, SEM covers real-time monitoring of logs and correlation of events, while SIM covers data retention and the subsequent analysis of and reporting on log data and security records. This is often done as part of a forensic analysis to establish how a security breach occurred, which systems and data may have been compromised, and what changes need to be made to prevent a similar breach. Most modern SIEMs can perform both SEM and SIM.
SIEM for midsize businesses
In the past, SIEM systems were only used by very large companies, but in recent years they have also become accessible to midsize organizations, according to Oliver Rochford, cybersecurity expert and former research director at Gartner. He says one of the problems with SIEM systems is that to make them work, organizations need one or two people to oversee them 24/7. In most cases, only large organizations have the security resources available to do this on their own, but a solution for midsize businesses is to use a managed service, or to monitor the SIEM system during business hours and rely on a managed service out of hours.
Threat Detection Driving Adoption
Another reason why the appeal of SIEM has grown is that previously the main driver of adoption was compliance, an issue that is more likely to affect large enterprises. While compliance is still an important factor, threat management (and especially the detection and response to threats) is now a more important factor. According to Gartner, many new deployments are being undertaken by organizations with limited security resources but in need of improved monitoring and detection of breaches, often at the urging of larger customers or business partners.
“Look at ransomware: this is a threat that midsize businesses are very interested in detecting,” explains Rochford. “Ransomware is usually very compact and then connects to a C&C (command and control) center. Thus, you may be able to detect a phishing email that delivers it, or its communication, or indicators of compromise such as the start of new processes. A SIEM will allow you to centralize and review this information and possibly detect ransomware.”
At the end of last year, the SIEM market was worth some $3.58 billion, up from $3.55 billion in 2019, according to Gartner. This is very similar to the value of the global network security firewall market, which was worth some $3.48 billion in 2020, according to Allied Market Research.
What SIEM brings to the fight against network security
So what exactly can a SIEM system do to help organizations get the better of cybercriminals? Here are some of the most important ways a SIEM system can help you:
- Ingestion and interpretation of network hardware and software logs. A key differentiator of SIEM tools is the number and variety of log sources they can connect to out of the box for data aggregation purposes. While it is usually possible to create a connector to an individual device or application, it can be expensive and time consuming and therefore impractical for more than a handful of log sources. Some vendors, such as Splunk, are distinguished by the large number of applications from which they can ingest data.
- Ability to connect to regularly updated threat intelligence feeds. Many companies only use the feeds included with the SIEM product or service they are purchasing, but third-party commercial feeds and open source threat intelligence feeds are also available. These can be valuable because research shows that their contents do not overlap to a large extent, and the more information a SIEM has about security threats, the more likely it is to detect them.
- Correlation and analysis. This is the bread and butter of SIEM technology, and it involves linking different occurrences reported in the logs to spot indicators of compromise – for example, a port scan followed by user access to certain types of data, or user entity behavior that may indicate an insider threat.
- Advanced profiling. All SIEMs perform correlation and analysis, but advanced profiling is less common (although it is becoming more so). It works by establishing a baseline of “normal” behavior for a number of characteristics on a network, then performing behavioral analysis to identify deviations from that norm.
- Provide alerts. Perhaps the most important feature of a SIEM tool is the ability to use the features described above to quickly alert security personnel to possible security incidents. Alerts can be displayed on a centralized dashboard (see below) or delivered in several other ways, including automated emails or text messages.
- Data presentation. An important function of a SIEM is to facilitate the interpretation of data from multiple sources by presenting it as easily understandable graphs on a security dashboard display.
- Compliance. SIEM technology is commonly used to gather events and logs and generate compliance reports to meet specific compliance requirements, thereby eliminating tedious, costly and time-consuming manual processes. Some offer integration with the Unified Compliance Framework, enabling a “collect once, comply many” approach to compliance reporting.
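The log ingestion, correlation and profiling items above are easier to grasp with a concrete rule in front of you. The following Python is an added example written for this article and is not code from any SIEM product: it parses a handful of constructed key=value log lines, applies the port-scan-followed-by-sensitive-access correlation the list mentions, and then applies a simple baseline test to per-user failed-login counts. The log format, field names, IP addresses, paths and counts are all invented for the example.

```python
"""Two SIEM-style detections over constructed log data (added example).

1. Correlation rule: a port scan from a host, followed within a short window
   by a user on that same host reading a sensitive path.
2. Baseline profiling: a user's failed-login count today compared with the
   mean and standard deviation of that user's own recent history.
"""
from datetime import datetime, timedelta
import statistics

# Constructed sample events in a made-up key=value format; not from a real system.
SAMPLE_LOGS = """\
ts=2021-06-01T09:00:05 type=portscan src=10.0.0.7 dst=10.0.0.50 ports=200
ts=2021-06-01T09:03:12 type=file_access src=10.0.0.7 user=bob path=/finance/payroll.xlsx
ts=2021-06-01T09:10:00 type=file_access src=10.0.0.9 user=alice path=/public/readme.txt
ts=2021-06-01T13:00:00 type=portscan src=10.0.0.22 dst=10.0.0.51 ports=50
ts=2021-06-01T15:30:00 type=file_access src=10.0.0.22 user=carol path=/finance/ledger.db
"""

# Hypothetical policy values for the example.
SENSITIVE_PREFIXES = ("/finance/", "/hr/")
CORRELATION_WINDOW = timedelta(minutes=15)


def parse_events(text):
    """Ingest one event per line; each line is whitespace-separated key=value pairs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(pair.split("=", 1) for pair in line.split())
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        events.append(fields)
    return events


def correlate_scan_then_access(events, window=CORRELATION_WINDOW):
    """Alert when a host that port-scanned is then used, within `window`,
    to read a sensitive path. Events are processed in time order."""
    last_scan = {}  # src -> timestamp of that host's most recent port scan
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "portscan":
            last_scan[e["src"]] = e["ts"]
        elif e["type"] == "file_access" and e["path"].startswith(SENSITIVE_PREFIXES):
            scan_ts = last_scan.get(e["src"])
            if scan_ts is not None and e["ts"] - scan_ts <= window:
                alerts.append({"src": e["src"], "user": e["user"], "path": e["path"],
                               "scan_ts": scan_ts, "access_ts": e["ts"]})
    return alerts


# Constructed baseline: failed logins per user over seven prior days, and today's counts.
BASELINE_FAILED_LOGINS = {
    "alice": [1, 0, 2, 1, 0, 1, 1],
    "bob":   [3, 4, 2, 5, 3, 4, 3],
    "carol": [0, 0, 1, 0, 0, 0, 0],
}
TODAY_FAILED_LOGINS = {"alice": 40, "bob": 6, "carol": 2}


def flag_deviations(baseline, today, sigma=3.0, min_count=5):
    """Flag users whose count today exceeds mean + sigma * stdev of their own
    history. `min_count` floors the threshold so very quiet users are not
    flagged on a handful of failures."""
    flagged = {}
    for user, history in baseline.items():
        threshold = max(statistics.mean(history) + sigma * statistics.pstdev(history),
                        min_count)
        count = today.get(user, 0)
        if count > threshold:
            flagged[user] = {"count": count, "threshold": round(threshold, 2)}
    return flagged


if __name__ == "__main__":
    for alert in correlate_scan_then_access(parse_events(SAMPLE_LOGS)):
        print("correlation alert:", alert)
    for user, info in flag_deviations(BASELINE_FAILED_LOGINS, TODAY_FAILED_LOGINS).items():
        print("baseline deviation:", user, info)
```

On the sample data the correlation rule fires once (10.0.0.7 scans at 09:00 and bob reads a finance file from it three minutes later) and stays quiet for 10.0.0.22, whose sensitive access comes two and a half hours after its scan. The baseline test flags only alice: bob's six failures sit inside his normally noisy range, and carol's two are below the absolute floor. Each user is compared against their own history rather than a global constant, which is the point of profiling over a fixed threshold.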