I was recently interviewed by an editor, Brian Wall, for a publication titled, Computer Security. Brian had asked me to provide my expertise and perspective for an article focusing on security information and event management (SIEM). SIEM is a technology solution developed with the goal of introducing greater intelligence and automation into the collection, specifically correlation and analysis of log and alert data, which, in turn, should allow security analysts to focus on what is most important – or find that intrusion that would have otherwise slipped though the net.
Brian believes that the need for advance detection, better diagnosis and automated response capabilities are paramount. He said that, “security teams should argue for governance and process efficiency, ensuring that not only are they compliant, but also that processes and tools are effective. Just as surely as traditional perimeter security is not built to protect against today’s advanced persistent threats alone (since many business applications now cross security boundaries), it is now equally certain that attackers will get through perimeter software like firewalls, antivirus and intrusion detection system (IDS) / intrusion prevention system (IPS) tools.”
And I could not agree more. Today, more than ever, there needs to be a focus on proactively identifying intruders. Whether threats are external or internal, this can be achieved through the use of advanced forensics and analytics that raise the alarm early and send alerts to those responsible for IT, data or network assets. And at the end of the day, it is also the only way to make sense of big data created for security in real-time.
Now, this is not to say that SIEM is the only answer. SIEM is not a security silver bullet, and must be combined with good processes for reacting and dealing with threats. That is the critical part. Shutting down firewalls in a panic is not ideal practice. In fact, the 2014 Target hack in the U.S. was detected by SIEM, but the security team did not have the selective tools available to stop the threat; the only tools they had at their disposal would have severely disrupted checkout devices in all stores.
The most effective method of securing your business is through combining already implemented solutions to form a gigantic cross-organisation detection sensor. Besides collecting event data from firewalls, data on security incidents must also be combined from applications, servers, mainframes, vulnerability scanners and antivirus software, as well as pulling in feeds from specific threat providers like Symantec. By taking this approach, the CISO can detect, identify and take timely action against threats and intruders, whether inside or outside the organisation. By incorporating a SIEM platform, businesses can reap a number of benefits including:
However, the biggest advantage is reputational; the ability to say after an attack: “we detected it and took immediate action”.
All of these factors will save the organisation time and money, and allow today’s increasingly hard-pressed CISO to build a business case justifying the investment back to the board.
Remember all the good arguments for firewalls, anti-malware software, IDS, DLP and other threat protection tools over the years? Add them up and that is the value of SIEM! And don’t forget to add a 100% bonus, if you’ve built an outstanding correlation capability. Customized correlation rules significantly enhance the native rules that come with the tool. Read the full article at Computing Security.