eSecurity Solutions Articles/Blog

Is a SIEM the Best Way to Monitor All Your Security?

What is in a SIEM?

We hear all kinds of stories from customers regarding security monitoring. There is a great deal of
confusion about what SIEM (Security Information and Event Management) systems are expected to do and why companies need
them.

Most of the products causing this confusion are not labeled as SIEMs. These include:

  • Network monitoring products
  • AI-based network security monitoring (such as Darktrace, which provides a unique security solution, but is not a SIEM)
  • Log monitoring products (low-end solutions that focus on select log inputs and provide basic visibility)
  • Public cloud monitoring solutions (dedicated monitoring of public cloud infrastructures only)
  • Security product logs with visualization (such as firewalls and endpoint security generating
    product-specific logs)

A product that collects logs from one or only a few products, or that only monitors networks,
is likely only part of what you need to monitor your security. Similarly, public cloud monitors that
cover part or all of your cloud infrastructure do not provide you with anywhere near a complete
security solution. Check out our recent article on cloud security to understand more about cloud security.

What are the Goals of Security Monitoring (SIEM)?

  • Monitor all relevant inputs that can provide indicators of compromise (IoCs). This should
    include input from:

    • All security devices/solutions, regardless of vendor
    • Network devices (all servers, workstations, phones, etc.)
    • NetFlow traffic
    • Vulnerability scans
    • All sources: public clouds, private clouds, hybrid infrastructures (all your infrastructure)
    • User behavior, looking for anomalies and enforcing rules
  • Correlate and analyze IoCs to determine when to alert
  • Alert on high-probability events with a low false positive rate
  • The solution must be manageable, or managed by a third party (MSSP provider), to make it usable


Common Questions about Security Monitoring

Why do I need a SIEM?

  • There are several reasons. First, many customers are now being held to security regulations like
    HIPAA, PCI, NIST, financial regulations, SOX, etc. Regulations always require monitoring of your
    security. The expectation is that you are using a solution that is appropriate to your situation. A full
    SIEM solution is always the best answer. Second, if you are serious about protecting your or your
    customers' data, you should have a SIEM. It provides comprehensive visibility into your security.

How do you monitor public & hybrid cloud infrastructures?

  • Your cloud infrastructure (Azure, Amazon AWS, Google) is only a part of your overall infrastructure
    that needs to be secured. You still need to monitor, correlate and analyze events from endpoints,
    other infrastructure sites, servers, mobile devices, IoT devices, cloud applications and storage, etc.
    A real SIEM product or monitoring service will monitor, correlate, analyze and alert based upon input
    from the entire infrastructure.
  • Network or security monitoring solutions provided by the cloud provider are limited to looking at that
    specific cloud infrastructure only and thus are only part of any solution.

Can I replace a SIEM with a network monitoring/security product like Darktrace?

  • Network monitoring is only a part of what a SIEM will do. In fact, Darktrace looks only at network
    traffic to draw its conclusions. It is an innovative solution, but it does not monitor the entire
    infrastructure.

Are log monitoring solutions adequate to provide security monitoring?

  • Again, looking at either a limited set of logs (like firewall logs) or analyzing logs alone for security
    issues is only part of what a SIEM will do. You also need to look at user behavior, network traffic,
    vulnerability scans, etc. Even when looking at logs alone, using a sophisticated SIEM to analyze logs
    produces much better results than inexpensive or limited log monitors.
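To make the correlation point concrete (the goals list above and this answer), here is an added example, not code from the original post or from any SIEM product, of a small multi-source correlation rule: it parses constructed firewall and endpoint log lines plus a constructed vulnerability-scan result, scores each internal host on indicators from independent sources, and alerts only when several agree inside a time window, so a single noisy source (firewall denies alone) never fires by itself. All log formats, hosts and finding names are made up for the example.

```python
import re
from datetime import datetime, timedelta
# Constructed sample events from three independent sources (not real data).
FIREWALL_LOGS = [
    "2024-05-01T10:00:05 fw01 DENY src=203.0.113.5 dst=10.0.0.12 dport=445",
    "2024-05-01T10:00:07 fw01 DENY src=203.0.113.5 dst=10.0.0.12 dport=3389",
    "2024-05-01T10:00:09 fw01 ALLOW src=203.0.113.5 dst=10.0.0.12 dport=22",
    "2024-05-01T10:02:00 fw01 DENY src=198.51.100.9 dst=10.0.0.50 dport=23",
    "2024-05-01T10:02:01 fw01 DENY src=198.51.100.9 dst=10.0.0.50 dport=21",
]
ENDPOINT_LOGS = [
    "2024-05-01T10:01:30 edr host=10.0.0.12 event=new_service name=updater2",
    "2024-05-01T12:30:00 edr host=10.0.0.50 event=new_service name=backup",
]
VULN_FINDINGS = {"10.0.0.12": ["ssh-weak-ciphers"]}  # open findings per host (constructed)
FW_RE = re.compile(r"(\S+) \S+ (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)")
EDR_RE = re.compile(r"(\S+) edr host=(\S+) event=(\S+)")

def parse_firewall(line):
    ts, action, src, dst, port = FW_RE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "src": src, "dst": dst, "port": int(port)}
def parse_endpoint(line):
    ts, host, event = EDR_RE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event}
def correlate(fw_lines, edr_lines, findings, window=timedelta(minutes=5), threshold=3):
    """Score each internal host on indicators from different sources and alert
    only when enough of them agree; one noisy source never alerts on its own."""
    fw = [parse_firewall(l) for l in fw_lines]
    edr = [parse_endpoint(l) for l in edr_lines]
    alerts = []
    for host in sorted({e["dst"] for e in fw}):
        hits = [e for e in fw if e["dst"] == host]
        last = max(e["ts"] for e in hits)
        indicators = {
            # firewall: one source touching several ports on this host
            "port probing": len({e["port"] for e in hits}) >= 2,
            # firewall: a probe was actually allowed through
            "allowed inbound connection": any(e["action"] == "ALLOW" for e in hits),
            # vulnerability scan: the host has an open finding
            "open vulnerability finding": host in findings,
            # endpoint: a change on the host shortly after the network activity
            "endpoint change within window": any(
                e["host"] == host and last <= e["ts"] <= last + window for e in edr),
        }
        reasons = [name for name, hit in indicators.items() if hit]
        if len(reasons) >= threshold:
            alerts.append({"host": host, "score": len(reasons), "reasons": reasons})
    return alerts
```

Run against the constructed data, only 10.0.0.12 alerts (four indicators agree); 10.0.0.50 shows port probing alone and stays quiet, which is the false-positive reduction that single-source log monitors cannot provide.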


Conclusions

  • Companies that are serious about security know that they need a security monitoring and event management
    system that looks at as many relevant inputs as possible. That means the ability to gather information
    from security devices, endpoints, IoCs, cloud environments, cloud applications, user behavior, etc.
  • To be effective, monitoring solutions must also have advanced correlation and analysis capabilities and
    the ability to define complex rules to detect real threats and attacks.

Contact us so that we can help you implement and manage your SIEM system and define the right security for
your organization.