Using SIEM to Protect Against Social Engineering Attacks (and more)


October 25, 2017
Data Security
Greg Cory

©2017 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.

When you reflect on the investments your hospitality brand has made in technology over the past 10 years, it is likely that security has been grabbing more and more of your budget. The complexity of managing multiple brands, properties and services in addition to increasing compliance requirements have undoubtedly driven more spending on security. So, exactly how much security technology does it take to make your business secure?

You’ve installed and upgraded firewalls, domain controllers, switches, routers, wireless access points, intrusion prevention systems (IPS), intrusion detection systems (IDS), anti-virus tools and more. You hired one group of consultants to make sure your networks are configured correctly and another group to run penetration tests. And next year’s budget includes additional investments to support business continuity.
 
Even with the obvious boxes checked, you’re still not sleeping well at night because you know there is always a way in – an inside job by a disgruntled employee or a laptop stolen from an employee’s car. If you read “The Art of Deception,” by Kevin Mitnick, you know there will always be plenty of reasons to worry.
 
Mitnick is the (in)famous hacker who spent five years in prison before becoming a high-profile security consultant. He admitted to leveraging social engineering to gain access to most systems, not brute force techniques, DDoS attacks or other more sophisticated intrusion efforts. Mitnick identified real-world scenarios that he could exploit to gain access to systems directly or indirectly. For one hack, he impersonated a system administrator stuck at home during a snow storm and convinced an unwitting staff employee at a target company to share security credentials over the phone. Why break a window when you have the key to the front door?
 
Introducing SIEM
The news is full of cyberbreaches that originated through various social engineering attacks. New ransomware victims are a weekly occurrence, and the hospitality industry has been among the most targeted industries for the past three years. With the security market offering a vast arsenal of tools and appliances aimed at addressing every possible threat, which one can protect against social engineering attacks? Fortunately, SIEM solutions are up to the task.
 
Security information and event management, or SIEM, is a solution that sits on top of your entire infrastructure and, from a central location, watches everything that is going on. How is this possible? Remember those log files that every device, server and application is producing? Those log files contain a goldmine of data that, if properly mined, can track a broad range of activities and identify potential threats.
 
When you implement a SIEM solution, the tool is connected to every device within your infrastructure to access the related log files. The log files are processed in real time and the data is immediately analyzed by the system. The “secret sauce” of the SIEM analysis is the set of artificial intelligence algorithms that correlate related and disparate events from multiple sources. Business rules are built on these correlations, and appropriate thresholds are set for triggering alerts.
 
Let’s see how this would work in a real-world scenario. A workstation that is assigned to the marketing department is compromised via a phishing attack and the hackers are attempting to access a database in the engineering department. Consider the number of devices and applications that the hackers accessed in some way during this intrusion. The volume of log data generated from the normal activity on those devices would make it nearly impossible for any manual review process to identify the suspect activity. And unless you somehow knew an intrusion was in progress, the log analysis wouldn’t happen until after the attack when you were trying to figure out what happened. Analyzing all these logs in real time is exactly what SIEM is designed to do.
 
The SIEM loads the data from these disparate log files in real time and analyzes the data for correlations that suggest possible threats. The SIEM will have business rules configured to look for unauthorized cross-function or cross-department access (e.g., a marketing workstation accessing an engineering server) and would trigger an alert in this scenario. The SIEM would raise the alert to the security team and the compromised workstation would be taken offline to stop the attack. Appropriate remediation measures would then be taken to restore the workstation.  
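The cross-department rule described above, as an added example that is not from the article or any SIEM product: constructed firewall log lines are normalised, each source and destination is mapped to an owning department through an assumed asset inventory, and an alert fires once one source exceeds a threshold of unauthorised cross-department connections. The addresses, departments, log format and threshold are all assumptions for the demo.

```python
import re
from collections import defaultdict
# Constructed asset inventory: which department owns each host. A real SIEM would
# pull this from a CMDB or directory; these addresses are assumed for the demo.
ASSET_OWNER = {
    "10.1.10.5": "marketing", "10.1.10.23": "marketing", "10.1.10.40": "marketing",
    "10.2.50.7": "engineering", "10.2.50.8": "engineering",
    "10.3.1.9": "it",
}
# Business rule: which source departments may reach servers owned by each department.
ALLOWED = {"marketing": {"marketing", "it"}, "engineering": {"engineering", "it"}}
THRESHOLD = 3  # alert once one source makes this many unauthorised cross-department connections
# Constructed firewall log format: "<timestamp> <device> <ACCEPT|DENY> src=.. dst=.. dport=.."
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>ACCEPT|DENY) "
                    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<port>\d+)$")
SAMPLE_LOG = """\
2017-10-25T09:01:02 fw01 ACCEPT src=10.1.10.5 dst=10.1.10.40 dport=445
2017-10-25T09:01:10 fw01 DENY src=10.1.10.23 dst=10.2.50.7 dport=1433
2017-10-25T09:01:11 fw01 DENY src=10.1.10.23 dst=10.2.50.7 dport=3306
2017-10-25T09:01:12 fw01 DENY src=10.1.10.23 dst=10.2.50.8 dport=1433
2017-10-25T09:01:20 fw01 ACCEPT src=10.3.1.9 dst=10.2.50.7 dport=22
2017-10-25T09:01:30 fw01 ACCEPT src=10.1.10.23 dst=10.2.50.7 dport=5432
2017-10-25T09:01:31 fw01 ACCEPT src=10.2.50.8 dst=10.2.50.7 dport=5432
""".splitlines()

def parse(line):
    """Normalise one raw log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def correlate(lines, threshold=THRESHOLD):
    """Apply the cross-department rule across all lines; return one alert per offending source."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # skip lines that do not match the expected format
        src_dept = ASSET_OWNER.get(ev["src"], "unknown")
        dst_dept = ASSET_OWNER.get(ev["dst"], "unknown")
        if src_dept not in ALLOWED.get(dst_dept, set()):
            hits[(ev["src"], src_dept, dst_dept)].append(ev)
    # Both ACCEPT and DENY events count: the denied probes and the one accepted
    # connection only look suspicious when correlated into a single picture.
    return [{"src": src, "src_dept": sd, "dst_dept": dd, "count": len(evs),
             "first": evs[0]["ts"], "last": evs[-1]["ts"],
             "denied": sum(e["action"] == "DENY" for e in evs)}
            for (src, sd, dd), evs in hits.items() if len(evs) >= threshold]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"ALERT {a['src']} ({a['src_dept']}) -> {a['dst_dept']} servers: "
              f"{a['count']} connections, {a['denied']} denied, {a['first']}..{a['last']}")
```

The marketing workstation at 10.1.10.23 is the only source flagged; the IT host reaching the engineering server is allowed by the rule and produces nothing.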
 
In this case, the SIEM saves the day by identifying atypical activity while it is in progress. The good news is that SIEM is capable of a lot more.  
 
Deeper Dive into SIEM
As part of an overall information assurance plan, it is common to implement a “defense in depth” strategy that forces the attacker to breach multiple layers of security to reach a protected asset. With your security infrastructure in place, you then implement a SIEM to monitor activity across the layers.
 
Without SIEM, these tasks require considerable staff resources and utilization of a range of individual tools. By bringing all the log file data to a centralized database, the SIEM delivers value beyond the sum of the parts.  
 
Log File Retention
Log files use significant storage space and require dedicated processes for removal and archival from their respective devices. SIEM solutions provide long-term secure storage and archiving of log data. The log data is timestamped and encrypted to prevent tampering – a common compliance requirement. 
 
Privileged User Activity Monitoring 
Every system has administrative users that have the “keys to the castle” and the obvious question to ask is – who is watching the admins? Since the SIEM is processing log files across many devices in real time, even an administrative user would find it nearly impossible to cover his or her tracks without tampering with the SIEM itself. Privileged user monitoring and audit reports are standard features for most SIEM solutions. 
 
File Integrity Monitoring
From shared document servers to application servers, there are always key files that should only be accessed by a restricted group of users. For example, web server config files typically contain critical settings for securing the site and may even include passwords. SIEM solutions can monitor specific files and folders to track when they are created, deleted, accessed, modified, renamed and more. Alerts can be set to notify the appropriate party when any restricted files have been accessed in some manner.  
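A minimal version of the file integrity monitoring described above, as an added example that is not code from the article or from any SIEM vendor: a snapshot maps each file to its SHA-256 digest, and comparing two snapshots yields created, deleted, renamed and modified events, with an alert flag when a path on an assumed restricted list is involved. The restricted paths and the demo files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed watch list of restricted paths (assumed; the article only names web server config files).
RESTRICTED = {"etc/httpd/httpd.conf", "etc/app/db.ini"}

def snapshot(root):
    """Map every file under root (as a relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_snapshots(old, new, restricted=RESTRICTED):
    """Compare two snapshots and return (event, path, alert) tuples.
    alert is True when a restricted path is involved, which is what should page the owner."""
    events = []
    created = [p for p in new if p not in old]
    deleted = [p for p in old if p not in new]
    by_hash = {old[p]: p for p in deleted}  # a delete plus a create with the same digest is a rename
    for p in sorted(created):
        src = by_hash.pop(new[p], None)
        if src is not None:
            deleted.remove(src)
            events.append(("renamed", f"{src} -> {p}", src in restricted or p in restricted))
        else:
            events.append(("created", p, p in restricted))
    for p in sorted(deleted):
        events.append(("deleted", p, p in restricted))
    for p in sorted(set(old) & set(new)):
        if old[p] != new[p]:
            events.append(("modified", p, p in restricted))
    return events

if __name__ == "__main__":
    # Demo on a throwaway directory so the example runs offline.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc/httpd").mkdir(parents=True)
        (root / "etc/httpd/httpd.conf").write_text("ServerTokens Prod\n")
        (root / "index.html").write_text("<h1>hi</h1>\n")
        base = snapshot(root)
        (root / "etc/httpd/httpd.conf").write_text("ServerTokens Full\n")
        (root / "index.html").rename(root / "home.html")
        for kind, path, alert in diff_snapshots(base, snapshot(root)):
            print(f"{'ALERT' if alert else 'info '} {kind:9} {path}")
```

Hash snapshots only catch changes to content and names; reporting that a restricted file was merely read requires OS-level audit logging feeding the SIEM, which is the other half of what the article describes.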
 
Business Benefits
Beyond the operational and technical benefits of SIEM, there are bottom line benefits including cost savings and improved compliance that every CEO and CFO will appreciate.  
 
Cost Savings
SIEM solutions leverage a form of artificial intelligence at scale to provide an enhanced level of security that cannot be achieved with internal staff or contractors. With cyberbreaches top of mind for every C-level executive, the natural inclination to throw more people and technology at the problem carries a hefty price tag. The SIEM solutions on the market are sized and priced in different ways – some by device and others by log volume – but the cost is less than the staff equivalent required to achieve the same results.  
 
Compliance
Not all compliance standards require SIEM solutions but most require specific elements that are commonly covered by SIEM solutions. Whether it is log file retention or privileged user activity audits, implementing a SIEM solution will provide a better security posture for your company while also addressing a wide range of compliance requirements.  
 
The ability to generate compliance reports on demand will pay for the SIEM solution in terms of the staff hours saved. SIEM solutions typically have the standard compliance reports prebuilt including FISMA, HIPAA, ISO 27001, PCI 2.0, PCI 3.0, PCI DSS 3.1 and SOX.
 
The business case for implementing SIEM is based on the rapid ROI achieved through resource savings, improved compliance and other obvious security benefits. The question is when – not when do you need it, you need it now – but when do you budget for it and implement it.
 
Ultimately, your brand needs SIEM before it ends up as the next cyberbreach in the news. If a breach occurs, you will spend more on PR and crisis management than you would have on SIEM. So if your technology budget is a little tight right now, walk over to the marketing department and convince them to invest a little in crisis prevention technology.

