Many businesses need to raise their security game. You can put all the preventive measures in place that you want—like patching, antivirus, mail protection, and firewalls—yet threats can still slip past defenses. According to the recent Ponemon 2018 Cost of a Data Breach report, the average time to identify a data breach was 197 days [1]. If something slips by your defenses, you need to be able to detect it much faster to minimize the damage.
The truth is that you also need a visibility and detection layer on top of your preventive cybersecurity measures. That’s where security information and event management (SIEM) tools come into play. Yet, not all SIEMs are created equal. Here are a few simple tips on what to look for.
Requirement one: simple, automated log correlation (and analysis)
Pretty much everything creates an event log entry—login attempts, file creation, changes to the registry, or events from intrusion detection software. The structure of these logs can vary, so it can be challenging trying to read this data. A good SIEM will collect these logs into one spot and put them into a human-readable format.
However, putting these logs into a human-readable format isn’t enough. The truth is that even security professionals often don’t sit down to check the logs and reports they receive. Instead, the SIEM should be able to analyze these logs and use this information as inputs for alarms and alerts.
It’s also important to choose a solution with strong log search capabilities. Once a potential incident has been discovered, the investigation team will need to search existing logs to help them determine how to act. The last thing they need during an active attack is to be slowed down trying to find essential information.
A SIEM should also offer (and understand) context. For example, excessive failed login attempts could simply be due to someone forgetting their password. If it occurs across numerous accounts, it could be someone attempting to brute-force their way into a network. Any report the system generates should give you the context you need to make a sound decision.
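As an added example (not code from the article or any vendor), here is a minimal correlation rule that supplies the context just described: the same failure count is treated as a forgotten password when it hits one account, and as a possible brute-force attempt when one source fails against many accounts. The log lines, the sshd-style format, and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like sshd format (not real data).
SAMPLE_LOG = """\
2018-12-03T10:00:01 host1 sshd[101]: Failed password for alice from 10.0.0.5
2018-12-03T10:00:09 host1 sshd[102]: Failed password for alice from 10.0.0.5
2018-12-03T10:00:15 host1 sshd[103]: Failed password for alice from 10.0.0.5
2018-12-03T10:00:40 host1 sshd[104]: Accepted password for alice from 10.0.0.5
2018-12-03T10:05:00 host1 sshd[110]: Failed password for admin from 203.0.113.9
2018-12-03T10:05:02 host1 sshd[111]: Failed password for bob from 203.0.113.9
2018-12-03T10:05:04 host1 sshd[112]: Failed password for carol from 203.0.113.9
2018-12-03T10:05:06 host1 sshd[113]: Failed password for dave from 203.0.113.9
2018-12-03T10:05:08 host1 sshd[114]: Failed password for root from 203.0.113.9
"""

# Only failed logins feed the rule; successful logins are ignored here.
LINE_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for (\S+) from (\S+)$")

def parse_failures(log_text):
    """Normalise raw lines into (timestamp, user, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events

def correlate(events, window=timedelta(minutes=5), min_failures=3, min_accounts=3):
    """Group failures per source IP inside a time window and rate each burst.

    Severity is 'low' when the failures hit a single account (likely a typo or
    forgotten password) and 'high' when one source fails against several
    distinct accounts inside the window (a brute-force or spray pattern).
    """
    alerts = []
    by_source = defaultdict(list)
    for ts, user, src in sorted(events):
        by_source[src].append((ts, user))
    for src, items in by_source.items():
        # Keep only failures inside the window that ends at the latest event.
        recent = [(ts, u) for ts, u in items if items[-1][0] - ts <= window]
        if len(recent) < min_failures:
            continue
        accounts = {u for _, u in recent}
        severity = "high" if len(accounts) >= min_accounts else "low"
        alerts.append({"source": src, "failures": len(recent),
                       "accounts": sorted(accounts), "severity": severity})
    return alerts
```

Running `correlate(parse_failures(SAMPLE_LOG))` yields a low-severity alert for 10.0.0.5 (three failures, one account) and a high-severity alert for 203.0.113.9 (five failures across five accounts).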
Requirement two: detection
Next, the SIEM tool should be strong on detection. This incorporates elements from the log analysis component, but then adds two additional components.
The first is threat intelligence. A strong SIEM solution should incorporate at least some threat intelligence from external feeds. Some include information from multiple feeds to teach the system what to look for based on the latest attack patterns. One major benefit of picking a strong SIEM solution with integrated threat intelligence is that you won’t have to evaluate the strength of a threat intelligence service yourself. Evaluating the quality of a threat intelligence feed requires some cybersecurity expertise and industry knowledge. Choosing the right SIEM vendor removes the guesswork.
Also, the system should include intrusion detection, preferably an anomaly-based system. In this case, the system compares network activity against a baseline of normal behavior. When activity deviates from that baseline, the SIEM can send an alarm to the team to investigate further.
Requirement three: people
Even the best SIEM with the strongest automation still requires security staff to run. You will need people to check alarms from the SIEM system to decide whether to triage the issue or mark it as a false positive. You’ll need people to investigate the root cause. You’ll need people to suggest and implement remedies for the issue. You’ll also likely want people in place to consistently evaluate and tweak the policies and rules of your log correlation alarm engine.
However, this shouldn’t discourage you. A SIEM solution can simplify the process of detection and incident response considerably. The point is there simply aren’t any silver bullets in cybersecurity. Many business leaders assume having a SIEM solution in place is enough (especially if they put it in place to check a compliance box). However, you still need to actively work with the solution to improve your security posture. Compliance by itself isn’t security—it’s a minimum threshold.
Get your arms around security data
As the cyberthreat landscape continues to evolve, businesses will have to adapt. While cyberhygiene methods like daily backups, antivirus, and keeping up with patches are still essential for prevention, most businesses will need to add a level of threat detection to the mix. A strong SIEM solution is an essential element in building this capacity for a business.
[1] “2018 Cost of a Data Breach Study: Global Overview,” IBM and Ponemon Institute. https://www.ibm.com/security/data-breach (Accessed December 2018).