April 23, 2021
The current global scenario has forced most companies to take their businesses online. However, as more businesses and devices move to the cloud, they become increasingly more susceptible to online threats. In fact, this sudden and significant shift towards cloud computing and online transactions over the past year and a half, as a result of the global pandemic, has led to a number of businesses and their IT staff being woefully unprepared to handle the onslaught of hackers, malware, and other such online threats.
While standard security features such as firewalls, anti-SPAM systems, antivirus software, DDoS protection, and more and go a long way in keeping you protected, they mostly do so from known threats. This is why information and knowledge are the most powerful tools in your fight against cybercrime. Real-time information of ongoing attacks as well as their sources or causes, can not only help you act quickly to address them, but can also provide you with a way to assess user, device, and software behavior and patterns, allowing you to proactively act before any damage is done. This is exactly what Security Information and Event Management (SIEM) solutions are designed to do and also why they can be an invaluable addition to your business.
What is SIEM?
As the name implies, Security Information and Event Management (SIEM) software is a security information solution that provides a centralized view of the security posture of an IT infrastructure. It analyses security alerts and data generated by any devices connected to the network in real-time, allowing IT security professionals to identify any security incidents, log security data, manage incident response, and generate any required reports, all from one centralized control point.
Modern-day SIEM is effectively a combination/evolution of two older solutions – Security Information Management (SIM) and Security Event Management (SEM). SIM was a first-generation solution that was used to collect, analyze and report on log data. SEM, on the other hand, was a second-generation solution that used to analyze log and event data, providing real-time threat monitoring, correlation of events, console views, and incident response.
By combining these two, SIEM can provide users with near real-time visibility of the organization’s entire network security system, via simple dashboards and visual aids. Furthermore, it utilizes event correlation and statistics to convert event logs and raw data into actionable threat intelligence. Moreover, the solution analyzes any security events in real-time and sends automated alerts as necessary.
However, as powerful as SIEM can be, its improper implementation of the use of older SIEM solutions can cause unwanted problems. Most of this stems from the sheer amount of data generated by cyber threats and security information that then needs to be analyzed. In fact, on average your tools for managing this data should be able to process between 10,000 – 500,000 events per second. As a result, older solutions are not always capable of scaling up to meet the demands of growing businesses. In fact, over 56% of IT professionals report that their systems suffer from coverage gaps for this reason. Such coverage gaps can lead to overwhelming numbers of false positives, which leads to time wasted and poor visibility across the network. Reports have shown that infosec professionals – those people responsible for information security in your organization – waste about 25% of their time chasing such false positives.
That being said, the implementation of proper, modern, and scalable SIEM solutions is not necessarily as complex or expensive as one might think. However, before we get to that, let’s first take a look into the history of SIEM and how it came about.
The History of SIEM
SIEM was first introduced sometime in 2005. However, these initial versions were nothing more than a combination of log management and event management solutions. Furthermore, as can be expected in early versions of any software, they were somewhat limited in what they could do, providing users with a very limited amount of data, alerts, and visualizations.
The second generation of SIEMs came a short time thereafter in 2010. This new generation was better designed to handle big data, including historical logs. In doing so, it could better correlate this log data with real-time events to provide proper threat intelligence.
The third generation of SIEMs only came about relatively recently, being proposed by Gartner in just 2017. This new generation SIEM combines two key technologies – User and Entity Behavior Analytics (UEBA) and Security Automation, Orchestration and Response (SOAR). UEBA is the process of gathering insight into behavioral baselines or IT systems using machine learning and then analyzing this data to identify any anomalies, including but not restricted to compromised credentials, lateral movement, and other malicious behavior. SOAR, on the other hand, is a solution that helps analysts collect the aforementioned data and then, leveraging a combination of human and machine power, quickly investigate incidents and activate security tools to automatically respond to said incident.
However, as helpful as these technologies are, they have always been prohibitively expensive to implement and extremely difficult to scale, with only the largest of organizations being able to implement in their fullest capacity. However, new technology advancements and the growing popularity of cloud computing have managed to address the majority of these challenges. In fact, with modern internet speeds and cloud computing, implementing SIEM via managed security service providers has become the norm, especially given the cost benefits, scaling opportunities, the multiple deployment options they offer, and the ease with which it can be implemented.
How SIEM Works
While SIEM is an incredibly complex piece of software, its actual execution, on the surface at least, is surprisingly simple. It starts by collecting and aggregating log data from across the organization’s entire IT infrastructure. This includes everything from systems and devices, the applications they are running, cloud systems and related applications, network data, and even data from security devices and applications such as antivirus filters and firewalls.
This data is then carefully analyzed and any incidents and events identified are then categorized and reported, such as login data, including failed logins, malware incidents, and any security or malicious activity. Furthermore, and perhaps more importantly, if any such activity runs against the predetermined rulesets, a real-time alert is then sent to indicate a potential security issue. In addition to these real-time alerts, SIEM solutions also deliver the aforementioned reports and dashboards to several critical business and management units. As mentioned before, third-generation SIEM solutions also incorporate unsupervised machine learning to further augment their anomaly detection capabilities using UEBA and response automation through SOAR.
User and entity behavior analytics (UEBA) is a relatively recent security solution that relies uses innovative technologies such as machine learning and deep learning to identify behavioral baselines for users, machines, and other entities on a network. It can then use these established baselines to detect any anomalies such as abnormal and risky behavior, which in turn could indicate a security incident.
The true advantage of a UEBA solution, however, is the fact that it is designed to analyze data spanning multiple systems and sources spanning the entire IT infrastructure of an organization, and the fact that it isn’t bound to any predefined rules or attack patterns. This means that a UEBA can detect security incidents, especially zero-day attacks, that easily fly under the radar of most traditional tools. While UEBA at its core is an independent solution, the very fact that it relies heavily on cross-organizational security data to perform its analyses, the very same data which is collected and stored by SIEM, makes it a perfect complementary solution. It is for this reason that most third-generation SIEM solutions include built-in UEBA functionality.
A relatively new security solution, SOAR is responsible for the collection of security threat data and alerts from various sources across the organization’s IT infrastructure, the analysis, triage, and automatic or manual prioritization of incidents, defining and enforcing the workflow for incident response, and the automation of some or all incident responses.
The solution as a whole has three key capabilities. The first of these is ‘orchestration’, referring to its capability of integrating with other security solutions and enabling them to automate proactive actions based on an assessment of risks. The second is ‘automation’, which refers to the capability of SOAR in allowing security teams to define standardized automation steps and a decision-making workflow in a ‘security playbook’; which is then utilized for the execution of machine-driven actions within security tools and IT systems in response to known threats, as defined in orchestration. The final capability is ‘Incident Management and Collaboration’. This relates to SIEM’s capability of adding contextual information and evidence to any security alerts generated; thereby helping security teams manage such incidents, collaborate, and share data to resolve the incident efficiently. They can even add their own insights or additional data that they discover about the incident along the way.
As more businesses move towards cloud or hybrid deployments, especially within the current business scenario and the ever-growing WFH culture, it is becoming increasingly important to be able to track behaviors and critical events across the business’ entire network. This is where SIEM solutions come in. If properly implemented and tuned, they offer unrivaled detection, correlation, and analysis capabilities, allowing your IT security teams to monitor and troubleshoot the entirety of your IT infrastructure in real-time. Here are just a few of the benefits and capabilities of SIEM.
- Real-time Data Collection and Analysis
Organizations the world over are generating more data by the day. Moreover, as businesses expand their IT infrastructure towards hybrid deployments, somewhere between cloud and on-premise, the data volumes and their complexity also increase, together with the threats. Such complexity and the dramatic increase in security incidents can overburden analysts and Security Operation Centers (SOCs). Modern SIEM solutions not only provide you with a centralized security solution to the issue, but it is also one that thrives on data. The more data the software ingests, the more visibility it is able to provide analysts with and, in turn, the more effective they get at responding to such threats.
- Machine Learning Powered Threat Detection
Threats today are getting increasingly more sophisticated with attackers often relying on coercion techniques to trick users into compromising their credentials or performing actions that could damage their organization. Advanced machine learning solutions such as UEBA can, using established behavioral baselines, monitor the IT infrastructure for suspicious user behavior from both, internal as well as external threats.
- Reduction of False Positives
Solutions such as UEBA not only boost a SIEM’s capability of tracking and identifying threats, it also dramatically decreases the number of false positives generated. In doing so, it ensures your SOC focuses its limited time on threats that actually matter, drastically increasing its efficiency.
- Optimized Logs
On a similar note, to eliminating false positives, SIEM solutions are also capable of filtering out the noise from security logs; only retaining the data most pertinent to your security posture. In fact, third-generations SIEMs are efficient enough to whittle down the millions upon millions of log entries to just a handful of actionable security alerts. Thereby reducing the overall load on your SOC and its personnel.
- Effective and Immediate Incident Response Tools
SIEMs are a step beyond just basic security monitoring and reporting. Not only do they filter out the majority of noise and false positives, but it also notifies them of a security incident is taking place, triages the event, as well as offers its recommendation of steps to be taken for the remediation of the incident. This helps your team effectively manage the event in a timely manner.
By utilizing systems such as SOAR, modern SIEM solutions can now incorporate unsupervised machine learning and enhanced automation for both, threat detection as well as to better orchestrate responses to said threats. In doing so it greatly reduces the burden on your security analysts, directing them towards only those threats that truly require their attention; going so far as to even provide them with enhanced context and situational awareness to effectively deal with it.
- Flexibility, Scalability, Value, and Predictable Pricing
Modern SIEM solutions are not only capable of being deployed within virtual environments, on-premise, or in the cloud, they are also capable of handling a vast amount of increasingly more complex data. Modern SIEM solutions also have significantly shorter implementation times and minimal resource requirements for maintenance. Moreover, the pricing for these modern solutions is also based primarily on the scale of the IT infrastructure, as opposed to data usage, as was done in the past. This effectively provides a business with drastically reduced costs when compared to previous solutions, together with the freedom to grow their business and have their SIEM solution scale with them.
Modern SIEM solutions have been designed with compliance in mind. As a result, with SIEM, all log data from across your organization is aggregated and presenting it in audit-ready format. Furthermore, most automatically provide the data monitoring and reporting required to meet standards such as ISO2700x, GDPR, SOX, HIPAA, Basel-II, PCI, GPG13, PCI/DSS, and more.
Making the Most of SIEM
Realistically speaking, until recently, SIEM was used by most companies primarily for tracking and investigation purposes after an incident had occurred. However, things are changing. As technology advances and with the emergence of dedicated managed cloud service providers, the technology is becoming far more reliable, and the investment required has also dropped significantly. Constantly evolving technologies such as machine learning are helping SIEM systems more accurately identify unusual and potentially malicious activity faster and more reliably. As such, “the goalposts have now moved,” so to speak. The focus now has moved to speed –now it’s a matter of how fast the system can detect a threat. In fact, many of the more advanced companies and service providers today feature near real-time response. While the capabilities of SIEM have improved, it’s not always easy to use its capability to its fullest.
However, in spite of such advances in technology, if SIEM is not implemented correctly, any business will struggle see any real ROI. There are a couple of areas that any business needs to realize before implementing SIEM or, once implemented, to get the most out of it.
- Getting the Right Staff
SIEM technologies are resource intensive and require experienced staff to implement, maintain, and fine-tune. While sourcing it via a third-party managed service provider can alleviate a significant portion of this requirement, having a few staff well versed in the technology within your organization can significantly improve the results you get.
- Determine Your Key Success Metrics
As with any service, SIEM also needs to be implemented in such a way as to align its operations with your business goals. As such, it is imperative that your key success metrics are determined beforehand. SIEM will then need to be implemented in such a way that you can leverage its security capabilities to the fullest in order to help you achieve said success metrics.
- Sourcing Quality Data
A SIEM solution is only as good as the quantity of quality data that it is provided with. The bigger the data source, the better it will perform and the better it gets at identifying outliers. However, as stated earlier, it’s not just the sheer quantity of information that matters but also the quality of that data. For best results it is recommended to properly determine your business-critical data sources and then clearly determine how the relevant data can be obtained. Furthermore, don’t restrict your data sources to security-related sources such as firewalls, intrusion detection systems, and antivirus software. While these may be your primary data sources, it is also worthwhile looking into your other connected devices and applications such as routers, databases, web filters, application servers, and more. It is also important to prioritize this data within the SIEM in order of its importance to your business objectives.
- Dealing with False Reports
Even with strong data sources and a qualified team running it, most modern SIEM software do have their limits. As with any software, they are not completely perfect in their detection capabilities. As a result, you can expect a significant number of false reports, especially in the initial stages shortly after implementation. While machine learning and proper tuning can help reduce these numbers significantly with time, there are certain steps that you can also take right from the beginning to make dealing with these reports easier on your staff. Firstly, the software itself can be tuned in such a way as to make events and data more insightful. This can be achieved by first determining what can be considered to be high-priority events and how the data for such events can be derived. Another methodology that certain organization use is writing scripts to automate some of the more mundane tasks related to investigations such as pulling contextual data. In doing so they manage to shave off a significant amount of time from the process.
At ODP we offer you a modern state-of-the-art SIEM solution that provides effective reports to your company. These reports allow you to take proper actions to address threats before they become breaches. In fact, our SIEM solution is extremely efficient at capturing incidents on your systems, be they standard or even proprietary, well before they become a threat to your business. They also provide you with a real-time overview of your network data, giving you a deeper insight into your network and helping prevent service degradation. Another key aspect of our SIEM solution is the detection of undesirable network behavior and the investigation of incidents through data enrichment.
The built-in intelligent log analysis engine automatically detects and notifies you of all critical incidents on your systems, be it ongoing attacks, compromised systems, system breakdowns, or even user authentication issues. Such deep insight into your systems further helps you easily adhere to the compliance requirements of major regulations such as PCI-DSS, SOX, HIPAA, Basel-II, ISO27001, GDPR, GPG13, and more. In fact, Our SIEM solution also includes built-in templates based on these most common compliance and security reports, making this easier than ever before.
As is expected of a modern SIEM solution, it also helps greatly cut down on false positives, saving time, and helping build a more effective security perimeter. But that’s not all. With us, you also benefit from 24×7 monitoring throughout the year at our Security Operations Center. Moreover, each of the real-time results are carefully filtered and correlated, following which they are displayed in dashboards that are easy to manage and can be configured based on your specific requirements.