Is a SIEM the Best Way to Monitor All Your Security?
What is in a SIEM
We hear all kinds of stories from customers regarding security monitoring. There is a great deal of confusion about what SIEM (Security Information and Event Management) systems are expected to do and why companies need them.
Most of the products causing the confusion are not labeled as SIEMs. These include:
- Network monitoring products
- AI-based network security monitoring (à la Darktrace; these provide a distinctive security solution, but they are not a SIEM)
- Log monitoring products (low-end solutions that focus on selected log inputs and provide basic visibility)
- Public cloud monitoring solutions (dedicated monitoring of public cloud infrastructure only)
- Security product logs with visualization (such as firewalls and endpoint security products generating product-specific logs)
A product that collects logs from one or only a few products, or that only monitors networks, is likely only part of what you need to monitor your security. Similarly, public cloud monitors that cover part or all of your cloud infrastructure also do not provide anywhere near a complete security solution. Check out our recent article on cloud security to learn more.
What are the Goals of Security Monitoring (SIEM)?
- Monitor all relevant inputs that can provide indicators of compromise (IoCs). Inputs should come from:
  - All security devices/solutions, regardless of vendor
  - Network devices (all servers, workstations, phones, etc.)
  - NetFlow traffic
  - Vulnerability scans
  - All locations: public clouds, private clouds, hybrid infrastructures (all of your infrastructure)
  - User behavior, looking for anomalies and enforcing rules
- Correlate and analyze IoCs to determine when to alert
- Alert on high-probability events with a low false positive rate
- The solution must be manageable, or managed by a third party (an MSSP), to be usable
Common Questions about Security Monitoring
Why do I need a SIEM?
- There are several reasons. First, many customers are now being held to security regulations such as HIPAA, PCI, NIST, financial regulations, SOX, etc. Regulations always require monitoring of your security, and the expectation is that you are using a solution appropriate to your situation. A full SIEM solution is always the best answer. Second, if you are serious about protecting your data or your customers' data, you should have a SIEM. It provides comprehensive visibility into your security.
How do you monitor public & hybrid cloud infrastructures?
- Your cloud infrastructure (Azure, Amazon AWS, Google) is only part of the overall infrastructure that needs to be secured. You still need to monitor, correlate and analyze events from endpoints, other infrastructure sites, servers, mobile devices, IoT devices, cloud applications, storage, etc. A real SIEM product or monitoring service will monitor, correlate, analyze and alert based on input from the entire infrastructure.
- Network or security monitoring solutions provided by the cloud provider look only at that specific cloud infrastructure and are therefore only part of any solution.
Can I replace a SIEM with a network monitoring/security product like Darktrace?
- Network monitoring is only part of what a SIEM does. In fact, Darktrace looks only at network traffic to draw its conclusions. It is an innovative solution, but it does not monitor the entire infrastructure.
Are log monitoring solutions adequate to provide security monitoring?
- Again, looking at a limited set of logs (such as firewall logs), or analyzing logs alone for security issues, is only part of what a SIEM does. You also need to look at user behavior, network traffic, vulnerability scans, etc. Even when looking at logs alone, using a sophisticated SIEM to analyze them produces much better results than inexpensive or limited log monitors.
- Companies that are serious about security know that they need a security monitoring and event management system that looks at as many relevant inputs as possible. That means the ability to gather information from security devices, endpoints, IoCs, cloud environments, cloud applications, user behavior, etc.
- To be effective, monitoring solutions must also have advanced correlation and analysis capabilities and the ability to define complex rules that detect real threats and attacks.
- Using a third-party monitoring company can offload the burden of implementing, tuning and monitoring from your team. You also get the benefit of
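To make concrete what the goals listed earlier (collect from several sources, correlate IoCs, alert only on high-probability events) and the correlation-and-rules point just above mean in practice, here is a small added example in Python. It is not code from this article or from any SIEM product. The log lines, host addresses and the scan finding id are constructed for the demonstration, and the log formats, the thresholds (three failed logins before a success, a ten-minute window, two independent sources) and the function names are assumptions chosen for illustration.

```python
"""Toy SIEM-style correlation (added example, not a product's code).

Normalize events from three constructed sources (firewall, auth log,
vulnerability scan), apply a per-source rule, then alert on a host only
when indicators from independent sources line up inside a time window.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

TS = "%Y-%m-%dT%H:%M:%S"

# Constructed sample inputs; the formats are assumptions, not any vendor's.
FIREWALL_LOG = """2024-03-01T10:00:05 DENY src=10.0.0.7 dst=203.0.113.9 dport=4444
2024-03-01T10:00:20 DENY src=10.0.0.7 dst=203.0.113.9 dport=4444
2024-03-01T10:01:02 ALLOW src=10.0.0.8 dst=198.51.100.4 dport=443"""

AUTH_LOG = """2024-03-01T09:59:40 host=10.0.0.7 user=alice result=FAIL
2024-03-01T09:59:45 host=10.0.0.7 user=alice result=FAIL
2024-03-01T09:59:50 host=10.0.0.7 user=alice result=FAIL
2024-03-01T09:59:55 host=10.0.0.7 user=alice result=OK
2024-03-01T10:30:00 host=10.0.0.8 user=bob result=FAIL"""

# Finding ids are placeholders, not real vulnerability identifiers.
VULN_SCAN = """10.0.0.7 finding=placeholder-high-1 severity=high
10.0.0.9 finding=placeholder-low-1 severity=low"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str     # which monitoring input produced the indicator
    host: str       # entity the indicator is about (used as the join key)
    indicator: str  # short label for the IoC


def parse_firewall(text):
    """Every blocked outbound connection becomes one 'egress_denied' indicator."""
    events = []
    for line in text.splitlines():
        m = re.match(r"(\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)", line)
        if m:
            ts = datetime.strptime(m.group(1), TS)
            events.append(Event(ts, "firewall", m.group(2), f"egress_denied:{m.group(3)}:{m.group(4)}"))
    return events


def parse_auth(text, min_fails=3, span=timedelta(minutes=5)):
    """Auth-log rule: >= min_fails failures followed by a success for the same
    host+user inside `span` becomes one 'brute_force_success' indicator.
    A lone failed login produces nothing, so it cannot trigger an alert by itself."""
    attempts = defaultdict(list)  # (host, user) -> [(ts, result), ...]
    for line in text.splitlines():
        m = re.match(r"(\S+) host=(\S+) user=(\S+) result=(\S+)", line)
        if m:
            attempts[(m.group(2), m.group(3))].append((datetime.strptime(m.group(1), TS), m.group(4)))
    events = []
    for (host, user), rows in attempts.items():
        fails = []
        for ts, result in sorted(rows):
            if result == "FAIL":
                fails.append(ts)
                continue
            if len([f for f in fails if ts - f <= span]) >= min_fails:
                events.append(Event(ts, "auth", host, f"brute_force_success:{user}"))
            fails = []
    return events


def parse_vuln(text):
    """Scan results have no timestamp; keep high-severity findings as static context per host."""
    ctx = {}
    for line in text.splitlines():
        m = re.match(r"(\S+) (\S+) severity=(\S+)", line)
        if m and m.group(3) == "high":
            ctx[m.group(1)] = m.group(2)
    return ctx


def correlate(events, vuln_ctx, window=timedelta(minutes=10), min_sources=2):
    """Per host, slide a window over its timestamped indicators and alert when
    at least `min_sources` distinct sources (a high-severity scan finding counts
    as one) appear inside it. Returns {host: alert_details}."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for i, anchor in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - anchor.ts <= window]
            sources = {e.source for e in in_window}
            indicators = {e.indicator for e in in_window}
            if host in vuln_ctx:
                sources.add("vuln_scan")
                indicators.add(f"high_vuln:{vuln_ctx[host]}")
            if len(sources) >= min_sources:
                alerts[host] = {"first_seen": anchor.ts, "sources": sorted(sources), "indicators": sorted(indicators)}
                break  # one alert per host is enough for the demo
    return alerts


def run_demo():
    """Feed the constructed inputs through the pipeline and return the alerts."""
    events = parse_firewall(FIREWALL_LOG) + parse_auth(AUTH_LOG)
    return correlate(events, parse_vuln(VULN_SCAN))


if __name__ == "__main__":
    for host, alert in run_demo().items():
        print(host, alert["first_seen"], alert["sources"], alert["indicators"])
```

Run it and only 10.0.0.7 is raised: a brute-force login success, blocked outbound connections and a high-severity scan finding line up for the same host inside the window. The isolated failed login on 10.0.0.8 and the low-severity finding on 10.0.0.9 never reach alert status, which is the low-false-positive behaviour the goals list asks for. A log-only monitor that sees just one of these streams has to either alert on much weaker evidence or stay silent, which is the gap the article describes.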
Contact us so that we can help you implement and manage your SIEM system and define the right security for your organization.