5 reasons why SIEM is more important than ever

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note that it will likely favor the submitter's approach.

IT environments are growing ever more distributed, complex and difficult to manage, making the role of security information and event management (SIEM) technology more important than ever. Here's why.

* Compliance: Almost every business is bound by some sort of regulation, such as PCI-DSS, HIPAA and Sarbanes-Oxley (SOX). Attaining and maintaining compliance with these regulations is a daunting task. SIEM technologies can address compliance requirements both directly and indirectly.


Virtually every regulatory mandate requires some form of log management to maintain an audit trail of activity. SIEMs provide a mechanism to rapidly and easily deploy a log collection infrastructure that directly supports this requirement, and allow both instant access to recent log data and archival and retrieval of older log data. Alerting and correlation capabilities also satisfy routine log-review requirements, an otherwise tedious and daunting task when done manually.

In addition, SIEM reporting capabilities provide audit support to verify that certain requirements are being met. Most SIEM vendors supply packaged reports that directly map to specific compliance regulations. These can be run with minimal configuration, and will aggregate and generate reports from across the enterprise to meet audit requirements.

* Operations support: The size and complexity of today's enterprises are growing exponentially, along with the number of IT personnel needed to support them. Operations are often split among different groups such as the Network Operations Center (NOC), the Security Operations Center (SOC), the server team, the desktop team, etc., each with its own tools to monitor and respond to events. This makes information sharing and collaboration difficult when problems occur. A SIEM can pull data from disparate systems into a single pane of glass, allowing for efficient cross-team collaboration in extremely large enterprises.

* Zero-day threat detection: New attack vectors and vulnerabilities are discovered every day. Firewalls, IDS/IPS and AV solutions all look for malicious activity at various points within the IT infrastructure, from the perimeter to endpoints. However, many of these solutions are not equipped to detect zero-day attacks. A SIEM can detect activity associated with an attack rather than the attack itself. For instance, a well-crafted spear-phishing attack using a zero-day exploit has a high likelihood of making it through spam filters, firewalls and antivirus software, and being opened by a target user.

A SIEM can be configured to detect activity surrounding such an attack. For example, a PDF exploit generally causes the Adobe Reader process to crash. Shortly thereafter, a new process will launch that either listens for an incoming network connection or initiates an outbound connection to the attacker. Many SIEMs offer enhanced endpoint monitoring capabilities that keep track of processes starting and stopping and network connections opening and closing. By correlating process activity and network connections from host machines, a SIEM can detect attacks without ever having to inspect packets or payloads. While IDS/IPS and AV do what they do well, a SIEM provides a safety net that can catch malicious activities that slip through traditional defenses.

* Advanced persistent threats: APTs have been in the news a lot, with many experts claiming they were responsible for the high-profile breaches at RSA, Lockheed Martin and others. An APT is generally defined as a sophisticated attack that targets a specific piece of data or infrastructure, using a combination of attack vectors and methods, simple or advanced, to elude detection. In response, many organizations have implemented a defense-in-depth strategy around their critical assets using firewalls and IDS/IPS at the perimeter, two-factor authentication, internal firewalls, network segmentation, HIDS, AV, etc.

All of these devices generate a huge amount of data, which is difficult to monitor. A security team cannot realistically have eight dashboards open and correlate events among several components fast enough to keep up with the packets traversing the network. SIEM technologies bring all of these controls together into a single engine, capable of continuous real-time monitoring and correlation across the breadth and depth of the enterprise.

But what if an attack is not detected by the SIEM? After a host is compromised, the attacker must still locate the target data and extract it. Some SIEM correlation engines are able to monitor for a threshold of unique values. For example, a rule that looks for a certain number of unsuccessful access attempts on port 445 (or ports 137, 138 and 139 if NetBIOS is used) from the same host within a short time frame would identify a scan for shared folders. A similar rule looking for standard database ports would indicate a scan for databases listening on the network.
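The "threshold of unique values" rule described above, written out as an added example that is not part of the original article or of any vendor's product: a small Python detector that counts how many distinct destinations a single source has been denied on for the watched ports inside a sliding window. The firewall log format, the field names, the port lists, the thresholds (5 distinct targets for SMB, 3 for database ports) and the 60-second window are all assumptions chosen for illustration, and the log lines are constructed, not captured from a real device.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall lines (not real traffic): 10.0.0.5 sweeps SMB ports across a
# subnet, 10.0.0.7 probes database ports, and 10.0.0.9 produces a few isolated
# denies that should stay below the threshold.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z fw action=deny src=10.0.0.5 dst=10.0.1.1 dport=445
2024-05-01T10:00:01Z fw action=deny src=10.0.0.5 dst=10.0.1.2 dport=445
2024-05-01T10:00:02Z fw action=deny src=10.0.0.5 dst=10.0.1.3 dport=445
2024-05-01T10:00:03Z fw action=deny src=10.0.0.5 dst=10.0.1.4 dport=139
2024-05-01T10:00:04Z fw action=deny src=10.0.0.5 dst=10.0.1.5 dport=445
2024-05-01T10:00:05Z fw action=deny src=10.0.0.5 dst=10.0.1.6 dport=445
2024-05-01T10:01:00Z fw action=deny src=10.0.0.7 dst=10.0.2.1 dport=1433
2024-05-01T10:01:02Z fw action=deny src=10.0.0.7 dst=10.0.2.2 dport=3306
2024-05-01T10:01:04Z fw action=deny src=10.0.0.7 dst=10.0.2.3 dport=5432
2024-05-01T10:01:06Z fw action=allow src=10.0.0.7 dst=10.0.2.9 dport=443
2024-05-01T10:05:00Z fw action=deny src=10.0.0.9 dst=10.0.1.1 dport=445
2024-05-01T10:05:10Z fw action=deny src=10.0.0.9 dst=10.0.1.1 dport=445
2024-05-01T10:15:00Z fw action=deny src=10.0.0.9 dst=10.0.1.3 dport=445
"""

# Assumed key=value layout for the constructed lines above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

SMB_PORTS = {445, 137, 138, 139}          # SMB over TCP plus the NetBIOS ports named in the article
DB_PORTS = {1433, 3306, 5432, 1521}       # assumed set of common database listener ports


def parse(log_text):
    """Turn the raw lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real collector would count these so parser drift is noticed
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "action": d["action"],
            "src": d["src"],
            "dst": d["dst"],
            "dport": int(d["dport"]),
        })
    return events


def detect_sweeps(events, watched_ports, threshold, window):
    """Alert once per source that is denied on watched ports against >= threshold
    distinct destinations within a sliding time window."""
    history = defaultdict(deque)   # src -> deque of (ts, dst, dport) still inside the window
    fired = set()                  # sources already alerted, to avoid a flood of duplicates
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "deny" or ev["dport"] not in watched_ports:
            continue
        q = history[ev["src"]]
        q.append((ev["ts"], ev["dst"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()            # drop attempts that have aged out of the window
        distinct = {dst for _, dst, _ in q}
        if len(distinct) >= threshold and ev["src"] not in fired:
            fired.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "distinct_targets": len(distinct),
                "ports": sorted({p for _, _, p in q}),
                "first_seen": q[0][0],
                "last_seen": ev["ts"],
            })
    return alerts


def run_rules(log_text=SAMPLE_LOG):
    """Apply the share-scan and database-scan rules to the sample log."""
    events = parse(log_text)
    return {
        "smb_share_scan": detect_sweeps(events, SMB_PORTS, threshold=5, window=timedelta(seconds=60)),
        "database_scan": detect_sweeps(events, DB_PORTS, threshold=3, window=timedelta(seconds=60)),
    }


if __name__ == "__main__":
    for rule, hits in run_rules().items():
        for a in hits:
            print(f"{rule}: {a['src']} hit {a['distinct_targets']} hosts on ports {a['ports']} "
                  f"between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
```

The rule keys on distinct destinations rather than raw event count, which is what separates a scan from a single misconfigured client that retries the same server; 10.0.0.9 above never alerts for exactly that reason. Tune the threshold and window per environment, and expect the first tuning pass to surface legitimate scanners (vulnerability management, asset discovery) that belong on an allow list.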

Through the integration of whitelisting with SIEM, it becomes trivial to identify which hosts and accounts are attempting to access data that they shouldn't be accessing. Meanwhile, implementing File Integrity Monitoring (FIM) with a SIEM can correlate data being accessed with outbound network traffic from the same host to detect data leakage. If a FIM event shows that critical data was accessed along with a thumb drive being plugged into the same host that was accessing the critical data, an alarm can be generated to notify security personnel of a potential breach.
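Both the PDF-exploit pattern from the zero-day section (reader crash, then a new process, then that process opening a network connection) and the FIM-plus-thumb-drive pairing described here are instances of the same technique: an ordered sequence of events on one host inside a time window. The following is an added example written for this article, not code from the original or from any SIEM vendor; it implements a minimal per-host sequence correlator in Python and runs it over constructed endpoint events. The event schema (`type`, `host`, `pid`, `image`, `path` and so on), the process names, the sensitive path prefix and the 2-minute and 10-minute windows are assumptions; real endpoint agents emit different field names and a production engine would bound its state far more carefully.

```python
from datetime import datetime, timedelta


def at(hms):
    """Constructed timestamp helper: every sample event falls on the same day."""
    return datetime.fromisoformat("2024-05-01T" + hms)


# Constructed endpoint telemetry (not real). ws-12 shows the article's PDF-exploit
# pattern, ws-07 shows sensitive-file access followed by removable media, and
# ws-03 is benign noise that must not fire either rule.
EVENTS = [
    {"ts": at("10:00:00"), "host": "ws-12", "type": "process_crash", "image": "AcroRd32.exe", "pid": 4120},
    {"ts": at("10:00:03"), "host": "ws-12", "type": "process_start", "image": "updater.exe", "pid": 5332},
    {"ts": at("10:00:05"), "host": "ws-12", "type": "net_connect", "pid": 5332, "dst": "198.51.100.23", "dport": 443},
    {"ts": at("10:00:10"), "host": "ws-12", "type": "net_connect", "pid": 5333, "dst": "203.0.113.8", "dport": 443},
    {"ts": at("10:02:00"), "host": "ws-07", "type": "fim_read", "path": "/srv/finance/payroll.xlsx", "user": "jdoe"},
    {"ts": at("10:04:30"), "host": "ws-07", "type": "usb_insert", "device": "removable-disk"},
    {"ts": at("10:05:00"), "host": "ws-03", "type": "process_start", "image": "browser.exe", "pid": 900},
    {"ts": at("10:05:01"), "host": "ws-03", "type": "net_connect", "pid": 900, "dst": "203.0.113.8", "dport": 443},
    {"ts": at("10:30:00"), "host": "ws-07", "type": "fim_read", "path": "/srv/finance/ledger.csv", "user": "jdoe"},
]


class SequenceRule:
    """An ordered list of step predicates that must all match, on one host, within `window`.

    Each predicate receives the candidate event and the events matched so far, so a
    later step can bind to an earlier one (e.g. 'same pid as the process that started')."""

    def __init__(self, name, steps, window):
        self.name, self.steps, self.window = name, steps, window


READER_IMAGES = {"acrord32.exe", "acrobat.exe"}   # assumed process names for Adobe Reader / Acrobat
SENSITIVE_PREFIXES = ("/srv/finance/",)           # assumed location of the critical data under FIM

PDF_EXPLOIT_RULE = SequenceRule(
    "reader-crash-then-new-process-with-network-activity",
    steps=[
        lambda ev, _: ev["type"] == "process_crash" and ev["image"].lower() in READER_IMAGES,
        lambda ev, _: ev["type"] == "process_start",
        lambda ev, m: ev["type"] in ("net_listen", "net_connect") and ev["pid"] == m[1]["pid"],
    ],
    window=timedelta(minutes=2),
)

FIM_USB_RULE = SequenceRule(
    "sensitive-file-access-then-removable-media",
    steps=[
        lambda ev, _: ev["type"] == "fim_read" and ev["path"].startswith(SENSITIVE_PREFIXES),
        lambda ev, _: ev["type"] == "usb_insert",
    ],
    window=timedelta(minutes=10),
)


def correlate(events, rules):
    """Feed events through every rule, tracking partial matches per (rule, host).

    Returns one alert per completed sequence, carrying the contributing events."""
    partials = {}   # (rule name, host) -> list of partial matches (each a list of events)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            key = (rule.name, ev["host"])
            candidates = []
            for matched in partials.get(key, []):
                if ev["ts"] - matched[0]["ts"] > rule.window:
                    continue                      # the sequence aged out: discard it
                candidates.append(matched)        # keep the branch in case a later event fits better
                if rule.steps[len(matched)](ev, matched):
                    candidates.append(matched + [ev])
            if rule.steps[0](ev, []):
                candidates.append([ev])           # every matching first step opens a new sequence
            still_open = []
            for m in candidates:
                if len(m) == len(rule.steps):
                    alerts.append({"rule": rule.name, "host": ev["host"], "events": m})
                else:
                    still_open.append(m)
            partials[key] = still_open
    return alerts


def run_example():
    return correlate(EVENTS, [PDF_EXPLOIT_RULE, FIM_USB_RULE])


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['host']}: {a['rule']} ({a['events'][0]['ts']:%H:%M:%S} -> {a['events'][-1]['ts']:%H:%M:%S})")
```

The point the article makes is visible in the data: nothing in the ws-12 alert required inspecting a packet or a PDF, only the order and timing of process and connection events the endpoint agent already reports. The browser on ws-03 opens the same destination but never fires, because no reader crash preceded it; the second finance-file read on ws-07 never fires, because no removable media followed it within the window.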

* Forensics: A forensics investigation can be a long, drawn-out process. Not only must a forensics analyst interpret log data to determine what actually happened, the analyst must preserve the data in a way that makes it admissible in a court of law. By storing and protecting historical logs, and providing tools to quickly navigate and correlate the data, SIEM technologies allow for rapid, thorough and court-admissible forensics investigations.

Since log data represents the digital fingerprints of all activity that occurs across IT infrastructures, it can be mined to detect security, operations and regulatory compliance problems. Consequently, SIEM technology, with its ability to automate log monitoring, correlation, pattern recognition, alerting and forensic investigations, is emerging as a central nervous system for gathering and generating IT intelligence.

By Dave Pack, CISSP, manager, knowledge engineering, LogRhythm Inc.