Currently, enterprise awareness of cyber threats is high, and organizations are investing considerably in security solutions and the latest security tools. Nonetheless, the rising incidence of high-profile and successful attacks clearly demonstrates the need for more effective threat detection and management of cyber threats.
The primary reason that many solutions remain ineffectual against emerging threats is the inherent lack of integration and synergy between the several security functions within the organization and the myriad tools spread across various layers—physical, network, user, data, applications, etc. An efficacious cyber security strategy demands a unified and holistic approach to security monitoring and management, where the data available across layers and tools is leveraged in a consolidated manner to develop actionable intelligence and an overall threat and response model.
This need can be adequately fulfilled by a Security Information and Event Management (SIEM) solution.
The SIEM system is a hybrid one that integrates two complementary solutions: Security Information Management (SIM) systems that enable regulatory compliance by consolidating logs, analyzing data and reporting findings; and Security Event Management (SEM) systems that detect and monitor threats and security events in real-time. An SIEM system, thus, facilitates the detection of events of interest by providing a near real-time analysis of security information and by analyzing log records and data aggregated from various sources.
How does an SIEM system detect security events?
An SIEM system is an over-arching one that monitors organizational security in a holistic manner by:
- Aggregating and consolidating data from logs; data derived from all layers and multiple sources—network, servers, applications, databases, vulnerability management systems, threat intelligence sources, etc. This serves to enhance threat detection by integrating information from across the enterprise, while facilitating the storage of data that are essential for forensic analysis
- Automating and facilitating the aggregation and storage of compliance data to demonstrate adherence to regulations and produce reports for security auditing purposes
- Analyzing historical patterns, trends and activities to arrive at the norm, and using this as a checkpoint to detect deviations and anomalies
- Correlating events by looking for patterns and linking events, thus transforming raw data into actionable and meaningful information
- Monitoring the access to and use of sensitive data
- Prioritizing risks based on their probable business impact
- Providing automated alerts based on the analysis of correlated events, and thus notifying recipients of issues in near real time
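As an added example (not code from the article or its author), the following Python sketch illustrates the aggregation, correlation and prioritization steps listed above: two constructed log sources in different formats are normalized into one schema, a correlation rule links failed and successful logins across both sources for the same IP and user, and the resulting alert is weighted by an assumed per-source business-impact value. The log lines, the rule thresholds and the `CRITICALITY` weights are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in two unrelated formats (illustrative, not real data).
SSHD_LOG = """\
2024-03-01T09:00:01 sshd[1201]: Failed password for alice from 203.0.113.7 port 51022
2024-03-01T09:00:04 sshd[1201]: Failed password for alice from 203.0.113.7 port 51023
2024-03-01T09:00:07 sshd[1201]: Failed password for alice from 203.0.113.7 port 51024
2024-03-01T09:00:12 sshd[1201]: Accepted password for alice from 203.0.113.7 port 51025
2024-03-01T09:30:00 sshd[1201]: Accepted publickey for bob from 198.51.100.2 port 40001"""
WEBAPP_LOG = """\
2024-03-01 09:00:09 ip=203.0.113.7 user=alice action=login result=failure
2024-03-01 09:00:15 ip=203.0.113.7 user=alice action=login result=success"""

# Per-source parsers mapping each raw format onto one common schema (ts, res, user, ip).
SOURCES = [
    ("sshd", SSHD_LOG, "Accepted", re.compile(
        r"^(?P<ts>\S+) sshd\[\d+\]: (?P<res>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>\S+)")),
    ("webapp", WEBAPP_LOG, "success", re.compile(
        r"^(?P<ts>\S+ \S+) ip=(?P<ip>\S+) user=(?P<user>\S+) action=login result=(?P<res>\w+)")),
]
CRITICALITY = {"sshd": 2, "webapp": 3}  # assumed business-impact weight per source

def normalize(sources=SOURCES):
    """Aggregate heterogeneous logs into a single time-ordered event stream."""
    events = []
    for source, log, ok_marker, rx in sources:
        for m in filter(None, map(rx.match, log.splitlines())):
            events.append({"ts": datetime.fromisoformat(m["ts"]), "source": source,
                           "user": m["user"], "ip": m["ip"], "ok": m["res"] == ok_marker})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, min_failures=3, window=timedelta(seconds=60)):
    """Rule: >= min_failures failed logins for one (ip, user) inside `window`, then a success."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["ip"], e["user"])].append(e)
    alerts = []
    for (ip, user), evs in by_key.items():
        for i, e in enumerate(evs):
            if not e["ok"]:
                continue
            fails = [f for f in evs[:i] if not f["ok"] and e["ts"] - f["ts"] <= window]
            if len(fails) >= min_failures:
                sources = sorted({f["source"] for f in fails} | {e["source"]})
                alerts.append({"ip": ip, "user": user, "failures": len(fails), "sources": sources,
                               "priority": max(CRITICALITY[s] for s in sources), "at": e["ts"]})
                break  # one alert per (ip, user) to avoid flooding the analyst
    return alerts
```

Neither source alone sees the full picture: the web application logged only one failure, but combined with the SSH failures from the same address the sequence crosses the threshold, which is the cross-layer correlation the list above describes.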
An SIEM system can thus improve the effective detection of events of interest and provide actionable intelligence to deal with evolving cyber security threats. Keep in mind, though, that an SIEM solution is only as good as the security analyst operating and configuring it. The best security analysts have a deep and comprehensive understanding of the organization’s IT infrastructure, the environment it operates in, and emerging threats. Moreover, an SIEM solution should not be considered a one-time solution; rather, all security, governance and risk assessment processes require continuous monitoring, and should be regularly updated to incorporate emerging technologies and battle evolving threats.
Vijay Bharti is the Chief Information Security Officer (CISO) and Senior Vice President of the Cyber Security practice at Happiest Minds Technologies. He brings more than 20 years of experience in the area of IT Security across multiple domains such as Identity and Access Management, Data Security, Cloud Security and Infrastructure Security.
His recent work includes building Security Operation Center frameworks (including people, processes and various SIEM technologies), where he is working on building an integrated view of security and ways of leveraging advanced analytics and big data innovations for cyber security.