With cyber attacks continuing to increase, most security teams are having to learn how to do more, and do it faster. Security Information and Event Management (SIEM) solutions help to efficiently identify and escalate critical security events, enabling a swift and effective response. SIEM remained a popular security tool in 2019, and shows every sign of remaining prevalent for years to come. In fact, according to Cybersecurity Insiders’ 2019 SIEM Report, only 10% of those surveyed had no plans to use SIEM in the near future. So what lessons can be learned from SIEM? Read on as we revisit pieces from the past year that demonstrate why a SIEM could enhance your security posture in 2020 and beyond.
There aren’t too few alerts, there are far too many.
In the early days of cybersecurity, organizations may have had little to no warning systems for their IT environments. Now, it’s nearly impossible to find applications that don’t send alerts. Infrastructures, even for small organizations, are now made up of so many different parts that security teams regularly get thousands of syslog notifications every day—many of them benign, but some critical alerts that need immediate intervention. Unfortunately, both ends of the spectrum, no alerts and far too many alerts, have the same result: malicious activity can take place unnoticed. The problem organizations face today is the need to quickly sift through notifications to find the ones that matter. A SIEM can consolidate any number of data streams, becoming your organization’s primary security monitoring tool.
Leave no device unmonitored.
When monitoring a physical location with security cameras, those looking to sneak in unnoticed attempt to stay in the blind spots. The same logic applies to cybersecurity monitoring. Standard data sources have no problems integrating into SIEM solutions. However, unusual or third-party applications are often incompatible. While the assumption is that these outlier data streams will be monitored separately, a far more realistic scenario is that they’ll go overlooked. Without tailored integrations to ensure every type of device can be incorporated into a SIEM, these non-standard assets can serve as that blind spot for a threat actor to exploit. Since each IT environment is unique, it’s critical to make sure no device is left behind.
Context is critical when assessing internal threats.
While SIEM solutions can detect both internal and external attacks, it’s important to differentiate and account for these different types of threats and how they may present themselves. While external threats can trigger alerts for things like intrusion detection, insider attacks are often a bit more nuanced. Internal threats are often hard to spot at first glance, because the activity that occurs may not initially seem malicious.
For example, a user logging in is perfectly normal and expected. But a user logging in from an atypical location or during odd hours may indicate that the user’s credentials have been hacked or stolen. A SIEM can be tailored to escalate this and other abnormal behavior, such as changes to user profiles and system values, invalid login attempts, or changed or deleted objects. From there, an analyst can investigate for additional context to determine if further action is needed.
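As an added illustration written for this post (not code from the original article or any SIEM product), the following Python check applies the kind of baseline-and-context rule described above to a handful of constructed login events: the per-user baselines, the simplified event format and the failure threshold are all assumptions.

```python
from datetime import datetime
from collections import Counter
# Constructed per-user baseline (assumption): usual login countries and working hours.
BASELINE = {
    "alice": {"countries": {"US"}, "hours": range(7, 20)},
    "bob": {"countries": {"DE"}, "hours": range(8, 18)},
}
INVALID_LOGIN_THRESHOLD = 3  # assumed number of failures that warrants escalation

# Constructed sample events in a simplified "<timestamp> key=value ..." form.
SAMPLE_EVENTS = [
    "2019-11-04T09:15:00 user=alice country=US result=success",
    "2019-11-04T03:20:00 user=alice country=RU result=success",
    "2019-11-04T10:00:00 user=bob country=DE result=failure",
    "2019-11-04T10:00:30 user=bob country=DE result=failure",
    "2019-11-04T10:01:00 user=bob country=DE result=failure",
    "2019-11-04T22:30:00 user=bob country=DE result=success",
]

def parse_event(line):
    """Split one event line into a dict; the timestamp becomes a datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields
def assess_logins(lines, baseline=BASELINE, threshold=INVALID_LOGIN_THRESHOLD):
    """Return (user, reason, line) tuples for events that deserve analyst attention."""
    alerts = []
    failures = Counter()  # invalid login attempts tallied per user
    for line in lines:
        ev = parse_event(line)
        user = ev["user"]
        if ev["result"] == "failure":
            failures[user] += 1
            if failures[user] == threshold:  # escalate once, when the threshold is hit
                alerts.append((user, "repeated_invalid_logins", line))
            continue
        profile = baseline.get(user)
        if profile is None:  # a successful login by an account with no baseline
            alerts.append((user, "unknown_user", line))
            continue
        reasons = []
        if ev["country"] not in profile["countries"]:
            reasons.append("atypical_location")
        if ev["ts"].hour not in profile["hours"]:
            reasons.append("odd_hours")
        if reasons:
            alerts.append((user, "+".join(reasons), line))
    return alerts
```

Each alert carries the raw event line so the analyst has the context to investigate, which is the step the text describes as following the escalation.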
There is no one-size-fits-all SIEM solution.
Organizations of all different sizes from various industries can benefit from a SIEM solution. That said, it’s important to take the time to consider your particular needs to find a SIEM that’s the best solution for you.
For example, many SIEM solutions are intended for large organizations, with price points that far exceed the means of a small business. Smaller organizations may be better served by a free version of an enterprise solution, which gives them time to get to know a tool before committing to the enterprise version, all while enjoying the same ample features. There are also a few solutions designed to serve and scale with small and mid-sized organizations; these are better suited to their budgets and won’t overwhelm them with more functionality than needed.
Ultimately, before you get too far, create a requirements list. In addition to scalability and budget, this list should also factor in the number of assets you need monitored, the compliance requirements you have, the types of assets your environment contains and you would like integrated, and any other features needed to best protect your infrastructure.