Successful attacks on computer and network systems rarely look like attacks while they are happening. Often it is only in hindsight that you can tell an attack actually took place. That is also why, despite all the advances being made with Machine Learning and AI, we still need the human eye to catch it.
 
We will perhaps need human analysts all the time. For human cybersecurity professionals and analysts to do this job properly, they need to know what is in your log files. Only logs can provide those insights, and they are often the only way to detect attacks.
 
Ask any network or system administrator; they will surely tell you how important it is to have more information and insight in order to detect malicious behavior effectively.
 
That is the fundamental reason that you must deploy a top-quality SIEM solution!
Basically, Security Information and Event Management (SIEM) is about looking at your own network through a larger lens than any single security control or information source can provide. For example:
  • You may have some Asset Management system, but it only sees applications, business processes and administrative contacts.
  • You may have some Network Intrusion Detection system (IDS), but it only understands Packets, Protocols and IP Addresses. Nothing else!
  • You may have some Endpoint Security system, but it only sees files, usernames and hosts.
  • You may have Service Logs which show user sessions, transactions in databases and configuration changes.
  • You may have some File Integrity Monitoring (FIM) system, but it only sees changes in files and registry settings.
It becomes very clear that none of these technologies, by itself, can tell you what is happening to your network and your business. Hence, you need a SIEM solution, regardless of the size of your company.
 
SIEM has evolved from several different (but complementary) technologies that came before it. Let's take a brief look at each of them:
  • “Log Management System (LMS)” – A system that collected log files (from operating systems and applications) from multiple hosts and stored them in a single location. It gave you centralized access to all logs instead of having to access them on each system individually.
  • “Security Log/Event Management (SLM/SEM)” – An LMS, but marketed more towards security analysts than system administrators. SEM was about highlighting the log entries that were more significant to information security than others.
  • “Security Information Management (SIM)” – An Asset Management system, but with features to incorporate security information too. Hosts might have vulnerability reports listed in their summaries, and Intrusion Detection and AntiVirus alerts might be shown mapped to the systems involved.
  • “Security Event Correlation (SEC)” – These were special products aimed at Log Correlation, which means looking for patterns across log files. Log Correlation is a way to raise alerts when something suspicious happens within the network. For example, to a particular piece of software, three failed login attempts on the same user account from three different clients are just three lines in its log file. Right? But to a trained analyst, that is a peculiar sequence of events worthy of investigation.

Security Information and Event Management (SIEM)

SIEM is the “All of the Above” option: all the above technologies have been merged into single products, which are called SIEM.
 
SIEM is essentially a management layer which is above your existing systems and security controls. SIEM connects and unifies information from disparate systems, allowing them to be analyzed and cross-referenced from a single interface.
 
The graphic shows how a SIEM system has to look at a log entry, and the “many moving parts” that must be considered to make a valid decision as to whether this is legitimate business activity on the network or not.
 
What this graphic explains is that a variety of sources, from security controls to SQL databases, are configured to send logs to the SIEM. In this case, the SQL database located at 10.100.20.18 indicates that the user account USSalesSyncAcct was used to copy a database to the remote host located at 10.88.6.12. The SIEM allows for quick examination of this type of activity. For example, if it is determined that the account USSalesSyncAcct had been compromised, CSIRT analysts can quickly query the SIEM for any usage of that account. From there, they would be able to see the log entry that indicated a copy of a database to the remote host. Without the SIEM, CSIRT analysts would have to search each individual system that might have been accessed, a process that may be prohibitive.
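The two things described above, the correlation rule from the “Security Event Correlation” item (three failed logins on one account from three different clients) and the CSIRT pivot on a compromised account across every source, are easiest to understand as a tiny SIEM core. The following is an added example written for this article; it is not code from the post or from any SIEM product. The log formats, hostnames and client addresses are constructed for the example; the account name USSalesSyncAcct and the two addresses 10.100.20.18 and 10.88.6.12 are taken from the scenario above.

```python
"""Toy SIEM core (added example): normalise lines from several log sources into
one event shape, run a correlation rule over them, and pivot on one account."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: str        # timestamp as written in the log
    source: str    # which system produced the line (sshd, dbaudit, ...)
    host: str      # host or address the log came from
    user: str      # account involved
    action: str    # normalised action name
    client: str    # remote address involved, empty if none


# Constructed sample lines in two made-up formats: an sshd-style auth log and a
# database audit log from the SQL server in the article's scenario.
SAMPLE_LOGS = [
    "2024-05-01T09:00:01 sshd app01 Failed password for USSalesSyncAcct from 10.100.5.21",
    "2024-05-01T09:00:07 sshd app01 Failed password for USSalesSyncAcct from 10.100.5.22",
    "2024-05-01T09:00:12 sshd app02 Failed password for USSalesSyncAcct from 10.100.5.23",
    "2024-05-01T09:01:30 sshd app02 Accepted password for jsmith from 10.100.5.7",
    "2024-05-01T09:05:44 dbaudit 10.100.20.18 user=USSalesSyncAcct action=COPY_DATABASE target=10.88.6.12",
    "2024-05-01T09:06:02 dbaudit 10.100.20.18 user=reportsvc action=SELECT target=-",
    "this line is in a format nobody has written a parser for yet",
]

# One regular expression per source format; a real deployment has hundreds.
SSH_RE = re.compile(r"^(\S+) sshd (\S+) (Failed|Accepted) password for (\S+) from (\S+)$")
DB_RE = re.compile(r"^(\S+) dbaudit (\S+) user=(\S+) action=(\S+) target=(\S+)$")


def parse(line: str):
    """Map one raw line to an Event, or None if no parser understands it."""
    m = SSH_RE.match(line)
    if m:
        ts, host, outcome, user, client = m.groups()
        return Event(ts, "sshd", host, user, "login_" + outcome.lower(), client)
    m = DB_RE.match(line)
    if m:
        ts, host, user, action, target = m.groups()
        return Event(ts, "dbaudit", host, user, action, "" if target == "-" else target)
    return None


def ingest(lines):
    """Centralised collection step: keep every line a parser could normalise."""
    return [e for e in map(parse, lines) if e is not None]


def failed_login_rule(events, threshold=3):
    """Correlation rule: alert on any account with failed logins from at least
    `threshold` distinct clients. Returns {account: sorted client list}."""
    clients = defaultdict(set)
    for e in events:
        if e.action == "login_failed":
            clients[e.user].add(e.client)
    return {user: sorted(c) for user, c in clients.items() if len(c) >= threshold}


def pivot_on_account(events, account):
    """The CSIRT query: every event involving an account, across all sources,
    in the order the SIEM received them."""
    return [e for e in events if e.user == account]


if __name__ == "__main__":
    evts = ingest(SAMPLE_LOGS)
    for acct, clients in failed_login_rule(evts).items():
        print(f"ALERT failed logins for {acct} from {len(clients)} clients: {clients}")
    for e in pivot_on_account(evts, "USSalesSyncAcct"):
        print(f"{e.ts} [{e.source}@{e.host}] {e.action} {e.client}")
```

Running it prints one alert for USSalesSyncAcct, followed by the four events that mention that account: the three failed logins from the sshd source and the database copy to 10.88.6.12 from the dbaudit source. That last line is exactly what the article says an analyst would otherwise have to dig out of the SQL server by hand. Note what the rule sees that each source alone does not: the sshd logs never mention the database, and the database audit log never sees the failed logins, so neither of them can raise the combined picture on its own.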
 
SIEM by itself is not a security control or detection mechanism, but it makes the security technologies you already have more effective. It enables the whole to be greater than the sum of the parts.
 
SIEM is about collecting logs, and mapping information about your infrastructure and business processes to those logs. It empowers security analysts to make reasoned, informed investigations into activities on the network to determine their impact on security integrity and business continuity.
 
The SIEM should act as your single portal to activity on your network, decoupling your analysts from the need to have product-specific knowledge about each security capability. This allows them to focus on what they do best – Security Analysis.
 
In the final analysis, SIEM by itself does not do very much – it is akin to a “Database without Data.” However, the more information you put into it, the more useful and insightful it becomes. The critical consideration is feeding the SIEM the logs it needs to make it effective.
IMPORTANT:
SIEM is only as useful as the information you put into it – the old adage “Garbage In, Garbage Out” still applies. Oh, and it’s often a complicated situation.
 
Guys, what do you think of this post on the importance of SIEM for Information Security?
Please let me know in the comment section.

This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so obsessed with the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and on social media platforms.

30,000+ professionals are following her on Facebook and are mesmerized by the quality of the content of her posts there.

If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:

Click Here to follow her: Cybersecurity PRISM