June 10, 2019
Is a SIEM the Best Way to Monitor All Your Security?

What is in a SIEM
We hear all kinds of stories from customers regarding security monitoring. There is a ton of confusion about what SIEM (Security Information and Event Management) systems are expected to do and why companies need them.
Most of the products causing this confusion are not labeled as SIEMs. These include:
- Network monitoring products
- AI-based network security monitoring (à la Darktrace, which provides a unique security solution, but is not a SIEM)
- Log monitoring products (low-end solutions that focus on select log inputs and provide basic visibility)
- Public cloud monitoring solutions (dedicated monitoring of public cloud infrastructures only)
- Security product logs with visualization (like firewalls and endpoint security generating product-specific logs)
A product that collects logs from one or only a few products, or only monitors networks, is likely only part of what you need to monitor your security. Similarly, public cloud monitors that cover part or all of your cloud infrastructure also do not provide you with anywhere near a complete security solution. Check out our recent article on cloud security to understand more about cloud security.
What are the Goals of Security Monitoring (SIEM)?
- Monitor all relevant inputs that can provide indicators of compromise (IoCs). This should include input from:
  - All security devices/solutions regardless of vendor
  - Network devices (all servers, workstations, phones etc.)
  - NetFlow traffic
  - Vulnerability scans
  - All sources: public clouds, private clouds, hybrid infrastructures (all your infrastructure)
- User behavior, looking for anomalies and enforcing rules
- Correlate and analyze IoCs to determine when to alert
- Alert on high probability events with a low false positive rate
- The solution must be manageable, or managed by a 3rd party (MSSP provider), to make it usable
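To make the "correlate and analyze IoCs" and "low false positive rate" goals concrete, here is a small added example (written for this article, not code from any SIEM vendor). It contrasts what a single-product log monitor reports with a SIEM-style rule that alerts only when independent input types corroborate each other for the same host inside a time window; the event records, hostnames, source names and timestamps are all constructed sample data.

```python
"""Cross-source correlation of indicators, matching the SIEM goals above.
A basic log monitor alerts on every indicator it sees; a SIEM-style correlator
alerts only when independent sources corroborate each other for one host inside
a time window. All events below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from input types the article lists.
SAMPLE_EVENTS = [
    {"ts": "2019-06-10T09:00:05", "source": "firewall", "host": "ws-17",
     "indicator": "outbound to flagged IP"},
    {"ts": "2019-06-10T09:02:40", "source": "endpoint", "host": "ws-17",
     "indicator": "suspicious child process"},
    {"ts": "2019-06-10T09:03:10", "source": "auth", "host": "ws-17",
     "indicator": "login from new location"},
    {"ts": "2019-06-10T09:10:00", "source": "firewall", "host": "ws-22",
     "indicator": "outbound to flagged IP"},          # lone event: likely noise
    {"ts": "2019-06-10T08:00:00", "source": "vuln_scan", "host": "srv-03",
     "indicator": "unpatched critical finding"},
    {"ts": "2019-06-10T13:30:00", "source": "netflow", "host": "srv-03",
     "indicator": "unusual data volume"},              # 5.5 h later: outside window
]

def parse(ev):
    return dict(ev, ts=datetime.fromisoformat(ev["ts"]))

def single_source_alerts(events, source):
    """What a basic log monitor does: one alert per indicator from one product."""
    return sorted({e["host"] for e in events if e["source"] == source})

def correlated_alerts(events, window=timedelta(hours=1), min_sources=2):
    """Alert on a host only when >= min_sources distinct input types report an
    indicator for it within `window`. Returns {host: sorted list of sources}."""
    by_host = defaultdict(list)
    for e in sorted(map(parse, events), key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            # Slide a window starting at each event; collect distinct sources.
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            sources = sorted({e["source"] for e in in_window})
            if len(sources) >= min_sources:
                alerts[host] = sources
                break
    return alerts

if __name__ == "__main__":
    print("firewall-only:", single_source_alerts(SAMPLE_EVENTS, "firewall"),
          "| correlated:", correlated_alerts(SAMPLE_EVENTS))
```

The firewall-only view flags both workstations, while the correlated rule flags only ws-17, where three independent sources agree within minutes; srv-03's two indicators are real inputs but too far apart in time to corroborate each other under a one-hour window.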
Common Questions about Security Monitoring
Why do I need a SIEM?
- Several reasons. #1: Many customers are now being held to compliance with security regulations like HIPAA, PCI, NIST, financial regulations, SOX etc. Regulations always require monitoring of your security. The expectation is that you are using a solution that is appropriate to your situation. A full SIEM solution is always the best answer. #2: If you are serious about protecting your or your customers' data, you should have a SIEM. It provides comprehensive visibility into your security.
How do you monitor public & hybrid cloud infrastructures?
- Your cloud infrastructure (Azure, Amazon AWS, Google) is only a part of your overall infrastructure that needs to be secured. You still need to monitor, correlate and analyze events from endpoints, other infrastructure sites, servers, mobile devices, IoT devices, cloud applications and storage etc. A real SIEM product or monitoring service will monitor, correlate, analyze and alert based upon input from the entire infrastructure.
- Network or security monitoring solutions provided by the cloud provider are limited to looking at that specific cloud infrastructure only and thus are only part of any solution.
Can I replace a SIEM with a network monitoring/security product like Darktrace?
- Network monitoring is only a part of what a SIEM will do. In fact, Darktrace only looks at network traffic to draw its conclusions. It is an innovative solution, but it does not monitor the entire infrastructure.
Are log monitoring solutions adequate to provide security monitoring?
- Again, looking at either a limited set of logs (like firewall logs) or analyzing logs alone for security issues is only part of what a SIEM will do. You also need to look at user behavior, network traffic, vulnerability scans etc. Even when looking at logs alone, using a sophisticated SIEM to analyze logs produces much better results than inexpensive or limited log monitors.
Conclusions
- Companies that are serious about security know that they need a security monitoring and event management system that looks at as many relevant inputs as possible. That means the ability to gather information from security devices, endpoints, IoCs, cloud environments, cloud applications, user behavior etc.
- To be effective, monitoring solutions must also have advanced correlation and analysis capabilities and be able to define complex rules to detect real threats and attacks.
- Using a third party monitoring company can offload the burden of implementing, tuning and monitoring from your team. You also get the benefit of
Contact us so that we can help you implement and manage your SIEM system and to define the right security for your organization.