Beyond logging: Using SIEM to combat security, compliance issues

As connectivity grows, so do threats to the IT infrastructures under your care—and, by extension, your organization’s ability to profit and serve its customers. Security strategies that worked fine in the not-so-distant past have grown woefully inadequate as the technology terrain shifts.

You’ve probably heard the acronym SIEM being thrown around a lot these days, and for good reason. As security experts, we know that perimeter defenses simply aren’t enough anymore; we need a holistic view of our IT infrastructures.

SIEM (Security Information and Event Management) provides that insight: a holistic view of the IT infrastructure and greater visibility into its patterns and inner workings.

Gartner, the global research firm, explains SIEM as technology that does the following:

  • Supports threat detection and security incident response through the real-time collection and historical analysis of a wide variety of data sources
  • Supports compliance reporting and incident investigation through historical data analysis
  • Is capable of broad-scope event collection and correlating and analyzing events across disparate sources

The major benefit of SIEM, as described by TechTarget, is that “SIEM combines SIM (security information management) and SEM (security event management) functions into one security management system.”

In a piece for Tripwire, tech security expert Joe Piggée Sr. simplifies it further, summing up key SIEM capabilities:

  • A bird’s-eye view into the IT infrastructure
  • Centralized security event management
  • Reporting on all ingested data
  • Ability to take in data from virtually any vendor or in-house applications

Uses of SIEM can span various categories, but we’ll focus on two mission-critical functions: Security and Compliance.

Security

“Malware has become an unavoidable evil that every environment will interact with at some point,” notes Mason Vensland, a security ops and digital forensics expert, writing for Tripwire.

The old, time-tested model of a Syslog collection point with a few alerts configured is no longer sufficient. By comparison, a well-implemented SIEM system makes it fairly easy to detect, prioritize and respond to malicious attacks or requests, because its holistic view lets you correlate what each source sees in isolation.

Intrusion activity has always been one of the more difficult risks to handle because it’s hard to tell what is legitimate and what is not. With SIEM, you can separate the noise from the events that need your attention.


Compliance

SIEM can be a lifesaver for IT admins. By collecting logs into a common repository, SIEM allows for automated compliance reporting, which makes life easier come audit time. Plus, with SIEM in place, you can identify potential issues before they become a problem, enabling you to be proactive instead of reactive.
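The Security and Compliance sections above describe what a SIEM does in the abstract: pull logs from disparate sources into one repository, correlate events that no single source would flag on its own, prioritize the result, and tally everything for the auditors. The following Python example, added here to illustrate those points and not taken from the original article or from any SIEM vendor, does exactly that in miniature. All three log feeds (an sshd syslog, a firewall log and a web access log), the host names, the IP addresses (documentation ranges) and the rule thresholds are constructed for the example; syslog lines carry no year, so the year is assumed. The correlation rules and their scores are illustrative choices, not a standard.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from three disparate sources (not real logs).
SYSLOG = """\
Mar  3 10:01:02 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51111 ssh2
Mar  3 10:01:05 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51112 ssh2
Mar  3 10:01:09 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51113 ssh2
Mar  3 10:01:15 web01 sshd[2201]: Accepted password for admin from 203.0.113.7 port 51114 ssh2
Mar  3 10:05:00 db01 sshd[3301]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Mar  3 10:07:00 db01 sshd[3302]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2
"""
FIREWALL = """\
2024-03-03T10:00:50Z fw01 DENY TCP 203.0.113.7:51100 -> 10.0.0.12:3389
2024-03-03T10:00:55Z fw01 DENY TCP 203.0.113.7:51101 -> 10.0.0.12:445
"""
ACCESS = """\
203.0.113.7 - - [03/Mar/2024:10:01:20 +0000] "GET /admin HTTP/1.1" 200 512
198.51.100.5 - - [03/Mar/2024:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""
YEAR = 2024  # assumed: syslog timestamps carry no year

SSHD_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+)")
FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) \S+ ([\d.]+):\d+ -> ([\d.]+):(\d+)")
ACCESS_RE = re.compile(r'^([\d.]+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def normalize(source, text):
    """Parse raw lines from one source into dicts sharing a common schema (the 'common repository')."""
    events = []
    for line in text.splitlines():
        if source == "syslog" and (m := SSHD_RE.match(line)):
            ts = datetime.strptime(f"{YEAR} {m[1]}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "source": source, "host": m[2], "src_ip": m[5], "user": m[4],
                           "action": "login", "outcome": "success" if m[3] == "Accepted" else "failure"})
        elif source == "firewall" and (m := FW_RE.match(line)):
            ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ")
            events.append({"ts": ts, "source": source, "host": m[2], "src_ip": m[4], "user": None,
                           "action": f"connect:{m[6]}", "outcome": "denied" if m[3] == "DENY" else "allowed"})
        elif source == "web" and (m := ACCESS_RE.match(line)):
            ts = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            events.append({"ts": ts, "source": source, "host": "web01", "src_ip": m[1], "user": None,
                           "action": f"{m[3]} {m[4]}", "outcome": "success" if m[5].startswith("2") else "failure"})
    return events


def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Group events by source IP across all feeds and apply cross-source rules; returns scored alerts.
    A lone failed login never alerts: that is the noise the article says a SIEM should filter out."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["action"] == "login" and e["outcome"] == "failure"]
        # Rule 1: repeated login failures inside the window (illustrative threshold)
        if len(failures) < threshold or failures[-1]["ts"] - failures[0]["ts"] > window:
            continue
        score, reasons = 50, [f"{len(failures)} failed logins within {window}"]
        # Rule 2: a later successful login from the same IP raises priority sharply
        if any(e["action"] == "login" and e["outcome"] == "success" and e["ts"] > failures[-1]["ts"] for e in evs):
            score += 30
            reasons.append("login succeeded after the failures")
        # Rule 3: the firewall (a different source) also saw this IP being denied
        denied = [e for e in evs if e["source"] == "firewall" and e["outcome"] == "denied"]
        if denied:
            score += 10
            reasons.append(f"{len(denied)} firewall denies from same IP")
        # Rule 4: the web tier (a third source) then served this IP an admin page
        if any(e["source"] == "web" and "/admin" in e["action"] for e in evs):
            score += 10
            reasons.append("subsequent access to /admin")
        alerts.append({"src_ip": ip, "score": score, "hosts": sorted({e["host"] for e in evs}), "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


def compliance_report(events):
    """Tally ingested events per source and outcome: the kind of summary an audit asks for."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in events:
        summary[e["source"]][e["outcome"]] += 1
    return {src: dict(counts) for src, counts in summary.items()}


def run():
    events = normalize("syslog", SYSLOG) + normalize("firewall", FIREWALL) + normalize("web", ACCESS)
    return events, correlate(events), compliance_report(events)


if __name__ == "__main__":
    events, alerts, report = run()
    print(f"{len(events)} events normalized from {len(report)} sources")
    for a in alerts:
        print(f"[score {a['score']}] {a['src_ip']} on {', '.join(a['hosts'])}: " + "; ".join(a["reasons"]))
    print(report)
```

Run as a script, it prints one prioritized alert for 203.0.113.7 (three failures, then a success, with corroborating firewall denies and an /admin hit seen on two different hosts) and nothing for 198.51.100.5, whose single failed login followed by a key-based success is ordinary noise. The per-source tally at the end is the raw material for the automated compliance reports the Compliance section mentions; a real SIEM adds retention, integrity protection and report templates on top of it.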

Evaluating SIEM solutions

SIEM systems come in a variety of forms: cloud-based, hardware appliances, virtual appliances and traditional server software. They have similar capabilities and differ primarily in cost and performance, says Karen Scarfone, principal consultant at Scarfone Cybersecurity, in a TechTarget article.

When evaluating SIEM solutions, Scarfone advises considering the following criteria as a starting point:

  1. How much native support does the SIEM provide for the possible log sources?
  2. Can the SIEM supplement existing logging capabilities?
  3. How effectively can the SIEM make use of threat intelligence?
  4. What forensic capabilities can the SIEM provide?
  5. What features does the SIEM provide that assist in data examination and analysis?
  6. How timely, secure and effective are its automated response capabilities?
  7. For which security compliance initiatives does the SIEM provide built-in reporting support?

Granted, SIEM is expensive to implement. For that reason, it has mostly been adopted in the enterprise market and is only now trickling down to small and mid-sized businesses. Because every cloud offering has to have it, and no business is exempt from hosting some of its data in the cloud anymore, internal IT departments are realizing they, too, must have SIEM in place. Any PCI-compliant or FedRAMP-authorized cloud offering HAS to have a SIEM implemented as well.

Implementing SIEM in every organization is on the horizon and will eventually become mainstream. Small and mid-sized businesses that can’t afford a large-scale SIEM implementation would do well to consider ways of outsourcing that cost.


This article was originally featured on Network World.

Rich Banta

Managing Member at Lifeline Data Centers

Rich is responsible for Compliance and Certifications, Data Center Operations, Information Technology, and Client Concierge Services. Rich has an extensive background in server and network management, large-scale wide-area networks, storage, business continuity, and monitoring. Rich is a former CTO of a major health care system. Rich is hands-on every day in the data centers. He also holds many certifications, including:

  • CISA – Certified Information Systems Auditor
  • CRISC – Certified in Risk & Information Systems Management
  • CDCE – Certified Data Center Expert
  • CDCDP – Certified Data Center Design Professional