Elevate your security posture with centralised SIEM
By Dónal Munnelly
Over the past few years cyber threats have become a lot more complex. Responding to them has become an arms race, and the organisations that keep up are the ones with good visibility and real-time data from their systems.
Security Information and Event Management (SIEM) is the approach that emerged. As the name suggests, it combines security information and event management in a single management system. This means that you can quickly see patterns that are out of the ordinary across your entire estate.
Really, it’s about centralised control, a response to the hacker mantra that they only have to get it right once, while organisations have to protect against every vulnerability 24/7. The way SIEM gathers and analyses data doesn’t eliminate the risk, but it does provide a better way to spot patterns of attack across your IT systems and flag them to your staff.
Looking at the big picture
By comparing event and log data, SIEM can provide real-time analysis and a better understanding of threats and of an organisation’s security status at any given time. Instead of your IT staff looking through log files after an incident, SIEM can alert and highlight issues in real time via a dashboard or automated alert. In the event of an incident your staff will have all the information to hand and be able to respond much more quickly.
When setting up a SIEM, the first step is to recognise normal baseline behaviour: the familiar, expected traffic and activity that you can build rules around so that anomalies stand out. The baseline defines the things that happen every day on the network that you don't need to worry about, and draws attention to the suspicious activity that you do – an unexplained change in access privilege, for example, or user behaviour that is out of character. An effective SIEM will watch for patterns, take in new threat intelligence feeds, and alert you to new rules that counteract emerging threats. Having a managed SIEM means that a dedicated security expert is looking at the data and acting on the rules you agree, either to mitigate the threat or to notify you. The advantage of the managed service is that you get the benefit of intelligence feeds for known attack patterns, as well as round-the-clock security monitoring from a Security Operations Centre (SOC).
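To make the baseline-then-rules idea concrete, here is a small added example (not code from the original article or from the author's company) that learns a per-user baseline from a window of "normal" log lines and then applies three correlation rules to new events: a login outside the user's usual hours, a login from a source address never seen for that user, and a privilege change that is self-granted, unticketed, or performed by an unknown actor. It also goes one step beyond the text by correlating alerts per user so that a suspicious login followed shortly by a privilege change is escalated, which is the "spot patterns across your estate" point in practice. The log format, user names, hosts, IP addresses, group names and ticket IDs are all constructed for this illustration and are not any particular SIEM's schema.

```python
"""Toy baseline-and-anomaly detector in the style of a SIEM correlation rule.

Added example: the log format (timestamp, event type, key=value fields),
users, hosts, addresses and group names below are constructed for this
illustration and are an assumption, not any real SIEM's schema or data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed "normal" activity used to learn the baseline.
BASELINE_LOGS = """\
2024-03-04T08:55:10 LOGIN user=alice host=ws-01 src=10.0.1.20
2024-03-04T09:02:41 LOGIN user=bob host=ws-02 src=10.0.1.21
2024-03-05T08:47:03 LOGIN user=alice host=ws-01 src=10.0.1.20
2024-03-05T09:10:12 LOGIN user=bob host=ws-02 src=10.0.1.21
2024-03-06T17:30:00 PRIV_CHANGE user=bob group=finance-readers actor=helpdesk ticket=CHG-1042
2024-03-06T08:58:22 LOGIN user=alice host=ws-01 src=10.0.1.20
2024-03-07T09:05:55 LOGIN user=bob host=ws-02 src=10.0.1.21
"""

# Constructed new events to evaluate against that baseline.
NEW_LOGS = """\
2024-03-18T08:50:31 LOGIN user=alice host=ws-01 src=10.0.1.20
2024-03-18T03:12:09 LOGIN user=alice host=ws-01 src=198.51.100.7
2024-03-18T03:14:40 PRIV_CHANGE user=alice group=domain-admins actor=alice
2024-03-18T09:01:17 LOGIN user=bob host=ws-02 src=10.0.1.21
"""


def parse(line):
    """Turn one 'timestamp EVENT k=v k=v' line into a dict."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def records(text):
    return [parse(line) for line in text.splitlines() if line.strip()]


def build_baseline(text):
    """Learn, per user, the usual login hours and source addresses, plus the
    set of actors that normally perform privilege changes."""
    base = {"hours": defaultdict(set), "srcs": defaultdict(set), "priv_actors": set()}
    for r in records(text):
        if r["event"] == "LOGIN":
            base["hours"][r["user"]].add(r["ts"].hour)
            base["srcs"][r["user"]].add(r["src"])
        elif r["event"] == "PRIV_CHANGE":
            base["priv_actors"].add(r["actor"])
    return base


def hour_distance(a, b):
    """Circular distance between two hours of the day (23 and 0 are 1 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def detect(baseline, text, hour_tolerance=1):
    """Apply the rules to new events and return one alert dict per hit."""
    alerts = []
    for r in records(text):
        user = r["user"]
        hit = lambda rule: {"rule": rule, "user": user, "ts": r["ts"], "event": r}
        if r["event"] == "LOGIN":
            usual_hours = baseline["hours"].get(user, set())
            if usual_hours and all(hour_distance(r["ts"].hour, h) > hour_tolerance for h in usual_hours):
                alerts.append(hit("login_outside_usual_hours"))
            if r["src"] not in baseline["srcs"].get(user, set()):
                alerts.append(hit("login_from_unseen_source"))
        elif r["event"] == "PRIV_CHANGE":
            self_granted = r.get("actor") == user
            unticketed = "ticket" not in r
            unknown_actor = r.get("actor") not in baseline["priv_actors"]
            if self_granted or unticketed or unknown_actor:
                alerts.append(hit("unexplained_privilege_change"))
    return alerts


def correlate(alerts, window_minutes=60):
    """Group alerts per user; escalate when a privilege change lands within
    the window of a login anomaly for the same user."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a["user"]].append(a)
    incidents = []
    for user, items in by_user.items():
        priv = [a for a in items if a["rule"] == "unexplained_privilege_change"]
        logins = [a for a in items if a["rule"].startswith("login_")]
        escalated = any(abs((p["ts"] - l["ts"]).total_seconds()) <= window_minutes * 60
                        for p in priv for l in logins)
        incidents.append({"user": user,
                          "severity": "high" if escalated else "medium",
                          "rules": sorted({a["rule"] for a in items})})
    return incidents


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    found = detect(base, NEW_LOGS)
    for a in found:
        print(a["ts"], a["rule"], a["user"])
    for inc in correlate(found):
        print(inc)
```

Run against the constructed data, the baseline period itself produces no alerts (bob's ticketed, helpdesk-performed group change is the known pattern), while the new day produces three alerts for alice that correlate into one high-severity incident. In a real deployment the baseline would be learned over weeks rather than days, the tolerance and window would be tuned per environment, and the rules would sit alongside the threat-intelligence feeds the article describes rather than replace them.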
Company size is not the challenge when devising a SIEM. It’s more about understanding what you’re trying to protect, the things of most value inside your organisation to outsiders (crown jewels), and the potential vulnerabilities that risk exposing them. This isn’t as straightforward as it seems. You need to ask yourself, what are my crown jewels? Is it intellectual property, customer data, manufacturing systems, research data or some other system or data that your business can’t function without?
The best approach for any organisation is to pursue best practice. Don’t assume anything about your security position. Event and log management are part of what’s needed to be certified to the ISO 27001 standard. So it’s a useful stepping stone toward best practice and proves to your clients and other stakeholders that you are managing the security of your information as effectively as you can.
Changing with the times
Like every other aspect of IT, the concept of SIEM has had to move with the times, which means embracing virtual servers and routers and being able to identify potential threats when there is no physical hardware on site. Exactly the same things apply, the same risks countered by the same processes; it just happens that the infrastructure is in the cloud or a data centre, and you have to have SIEM capabilities that reflect that.
On premises, IT teams take care of it all, but the lines are blurred in the cloud. What’s crystal clear, however, is that organisations have the same responsibilities over their data in the cloud as they do on premises, so always check with your cloud provider to ensure you know what their security policies are.
We provide both a Managed SIEM and Cloud SIEM solution to support security initiatives that can be a major draw on in-house resources, the time, people and capital that many organisations would prefer to focus on core business. We also provide a SIEM takeover for companies that have already made the investment but lack the resources or expertise to manage and act on the SIEM intelligence. Like our other managed service propositions, this is core to what we do and it’s backed up with a depth of knowledge and global experience that businesses would struggle to replicate.
Our accredited security team will design threat detection services that are right for your business. We tap into the latest technology from our partners, be it AI or collaborative threat intelligence, to deliver round-the-clock protection of your most important assets.