Security Information and Event Management (SIEM) is one of the underappreciated cornerstones of a fully functioning security platform.
Unlike an antivirus engine, an IPS or a firewall, a SIEM does not itself block or mitigate adverse security events. Instead, it collects information about network traffic, application usage and the output of other security controls, normalises it into a common format, and applies correlation rules and analytics to identify potential security concerns. It also serves as the central store for logs used in investigations, forensic analysis and compliance reporting.
Why are SIEM logs as important as direct mitigation?
Most active security tools are designed to mitigate threats directly, but only threats they recognise. An endpoint protection platform, for example, constantly downloads new signatures describing known malware. If it detects one of those signatures in a downloaded file, it can quarantine or delete the file before it executes.
The trouble is that attackers know this, and they constantly design new malware and other attacks that evade signature detection. Polymorphic malware, for example, rewrites itself so that each copy has a different byte pattern and hash, and can defeat up to 75 percent of signature-based detection.
If a new malware strain gets past your endpoint protection, or a new network-based attack gets past your firewall, you may be completely unaware that you have been breached. This happens to many organisations: the average dwell time of an attacker during a breach is now up to 206 days. The only way you will know something is wrong is if you have a system that can spot abnormal behaviour in the telemetry your systems already emit (failed logins, unusual outbound connections, processes that should not be running), and that system is a SIEM.
Making SIEM data work for you
Viewing logs in their raw form rarely tells you anything useful: thousands of text events per second, from dozens of sources, each in its own format. The SIEM has to parse each event into fields (timestamp, source, user, outcome), normalise those fields across sources, and aggregate them into time series that can be plotted as graphs and charts, which is what the SIEM dashboard shows.
A dashboard lets you view metrics such as how many users are logged into your network, browsing your website or using a given application. More importantly, it lets you see patterns in the data that indicate whether a system is behaving normally or is under attack.
For example, you might have a visualisation that plots successful login attempts against unsuccessful ones. Normally there are more successes than failures, but one day the number of failures spikes dramatically. If the failures are spread across many different usernames, typically from many source addresses, that is the signature of a credential-stuffing attack, in which an attacker replays username and password pairs leaked from another site. A spike concentrated on a single account is more likely a password brute-force attempt, and the two call for different responses.
No analyst can watch every metric an enterprise environment generates at once. Automated analysis of SIEM data at scale can baseline each metric and flag deviations from that baseline, and it is far more sensitive to small changes than a person glancing at a dashboard: a modest rise in failed logins or outbound traffic can be flagged before an attack culminates in data loss or damage. The caveat is tuning. Thresholds set too low bury analysts in false positives; set too high, they miss the early signal.
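The pipeline this section describes, as a small worked example written for this article and not part of the original: it parses raw authentication log lines into fields, aggregates them into five-minute windows (the time series a dashboard would plot), compares each window's failed-login count against a median baseline of the earlier windows, and classifies a spike as credential stuffing or brute force by how many distinct accounts were targeted. The log format, field names, thresholds and sample lines are constructed for illustration and are not from any real product or incident.

```python
"""Turn raw authentication log lines into per-window counts and flag a failed-login spike.
Added example, not code from the original article. The log format, field names and
sample lines are constructed for illustration; adapt LINE_RE to your own log source."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Hypothetical web-app auth log: "<ISO timestamp> auth result=<success|failure> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"result=(?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: two quiet 5-minute windows (one mistyped password each), then a burst
# of failures against many different accounts from a handful of external addresses.
SAMPLE_LOG = """\
2024-03-01T10:00:05Z auth result=success user=alice src=10.0.0.5
2024-03-01T10:01:12Z auth result=success user=bob src=10.0.0.6
2024-03-01T10:02:40Z auth result=failure user=carol src=10.0.0.7
2024-03-01T10:03:01Z auth result=success user=carol src=10.0.0.7
2024-03-01T10:04:00Z app started version=1.2.3
2024-03-01T10:05:30Z auth result=success user=dave src=10.0.0.8
2024-03-01T10:06:11Z auth result=failure user=erin src=10.0.0.9
2024-03-01T10:07:45Z auth result=success user=erin src=10.0.0.9
2024-03-01T10:08:59Z auth result=success user=alice src=10.0.0.5
2024-03-01T10:10:02Z auth result=failure user=u0001 src=203.0.113.10
2024-03-01T10:10:03Z auth result=failure user=u0002 src=203.0.113.10
2024-03-01T10:10:03Z auth result=failure user=u0003 src=203.0.113.11
2024-03-01T10:10:04Z auth result=failure user=u0004 src=198.51.100.7
2024-03-01T10:10:05Z auth result=failure user=u0005 src=203.0.113.10
2024-03-01T10:10:06Z auth result=failure user=u0006 src=203.0.113.11
2024-03-01T10:10:07Z auth result=failure user=u0007 src=198.51.100.7
2024-03-01T10:10:08Z auth result=failure user=u0008 src=203.0.113.10
2024-03-01T10:10:09Z auth result=failure user=u0009 src=203.0.113.11
2024-03-01T10:10:10Z auth result=failure user=u0010 src=198.51.100.7
2024-03-01T10:13:00Z auth result=success user=bob src=10.0.0.6
"""


def parse_events(text):
    """Return (events, unparsed_count); lines that do not match are counted, never dropped silently."""
    events, unparsed = [], 0
    for line in filter(str.strip, text.splitlines()):
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events, unparsed


def bucket_events(events, window_minutes=5):
    """Aggregate events into fixed windows: the time series a dashboard would plot."""
    buckets = defaultdict(lambda: {"success": 0, "failure": 0, "users": set(), "srcs": set()})
    for ev in events:
        ts = ev["ts"]
        start = ts.replace(second=0, microsecond=0) - timedelta(minutes=ts.minute % window_minutes)
        b = buckets[start]
        b[ev["result"]] += 1
        if ev["result"] == "failure":  # track which accounts and sources the failures involve
            b["users"].add(ev["user"])
            b["srcs"].add(ev["src"])
    return dict(sorted(buckets.items()))


def detect_failure_spikes(buckets, factor=4, min_failures=8):
    """Flag a window whose failures exceed `factor` x the median failure count of earlier windows.
    The median resists being dragged up by one noisy earlier window; min_failures stops a
    single typo in an otherwise idle period from paging anyone."""
    alerts, history = [], []
    for start, b in buckets.items():
        failures = b["failure"]
        if history:
            baseline = max(median(history), 1)  # floor at 1 so an idle baseline still gives a threshold
            if failures >= min_failures and failures > factor * baseline:
                # Many distinct accounts from few sources points at credential stuffing;
                # one account hit repeatedly points at password brute force.
                distinct_users = len(b["users"])
                kind = "credential stuffing" if distinct_users >= 0.8 * failures else "password brute force"
                alerts.append({"window_start": start, "failures": failures, "successes": b["success"],
                               "baseline": baseline, "distinct_users": distinct_users,
                               "distinct_srcs": len(b["srcs"]), "kind": kind})
        history.append(failures)
    return alerts


def analyse(text=SAMPLE_LOG):
    """Run the whole pipeline; returns (buckets, alerts, unparsed_line_count)."""
    events, unparsed = parse_events(text)
    buckets = bucket_events(events)
    return buckets, detect_failure_spikes(buckets), unparsed


if __name__ == "__main__":
    buckets, alerts, unparsed = analyse()
    for start, b in buckets.items():
        print(f"{start:%H:%M}  ok={b['success']:>2}  fail={b['failure']:>2}")
    for a in alerts:
        print(f"ALERT {a['window_start']:%H:%M}: {a['failures']} failures vs baseline {a['baseline']} "
              f"({a['distinct_users']} accounts, {a['distinct_srcs']} sources) -> {a['kind']}")
    print(f"unparsed lines: {unparsed}")
```

Run stand-alone, it prints three windows (1, 1 and 10 failures), one alert on the 10:10 window classified as credential stuffing across 10 accounts from 3 sources, and one unparsed line (the application start message). The unparsed counter matters in practice: a format change upstream that silently drops events looks exactly like a quiet network, so a detection should also alert when that count climbs.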
The last step – storage
SIEMs allow central logging and storage of raw and correlated events, which supports analysis of threats to your network and gives visibility into the timeline of an incident. This information is frequently used for forensic analysis once an event is detected, and the findings feed back into new detection rules so that similar threats are identified earlier next time. That feedback loop is how an organisation measures the efficacy of its security controls and demonstrates the value of the products it has deployed. Two practical points follow. Forward logs off the originating host promptly, so that an attacker who gains control of that host cannot quietly erase the evidence of how they got in. And set retention to cover the dwell times described above as well as any compliance obligations, since investigating a months-old intrusion is only possible if the logs from that period still exist.
When you work with MOQdigital, you will be working with security experts who understand information collection, analytics and data breach response. Even if you are unfamiliar with data science, we can help you create and implement a system that detects attacks and helps you mitigate them before you experience a breach. For more, talk to us today.