Who are the biggest targets for hackers and cybercriminals? You are. Intruders are finding the holes in your network, your devices, your applications—and they are accessing your data. The majority of organizations do not have the security resources or the required security solutions in place for 24x7x365 threat detecting, monitoring and response. And consider this: Small businesses account for 58% of data breach victims, according to the latest Verizon 2018 Data Breach Investigations Report.1 Whatever the size of your organization, it might be the right time to consider a Security Information and Event Management (SIEM) solution to detect and monitor your intrusion points for security incidents, help you prevent cyberthreats, and minimize data breaches, especially when the average cost of 1 data breach is US $1,027,053.2
SIEM Can Flag Compromises so You Are Not Exposed
Think of SIEM as keeping a watchful eye on all your data points, looking for suspicious activity—such as malware or multiple failed logins—with quick visibility and fast response times so that you are flagged right away. By monitoring all your network traffic and threat points, a SIEM can aggregate all your logs into one source to detect and flag any type of compromise so that you do not let a security incident slip by undetected. A SIEM monitors and analyzes all your devices’ logging data—including workstations, servers, routers, firewalls, switches, intrusion detection systems (IDS)/intrusion protection systems (IPS), and any other device that produces data—to alert you to potential indicators of compromise and enable threat intelligence and incident response.
These days, typical threats to organizations include malware, phishing, session hijacking, credential reuse, denial-of-service (DoS) and Structured Query Language (SQL) injection attacks. Growing attack surfaces are leaving organizations overexposed and underprepared. Most attackers are opportunistic and target the unprepared. Increasingly sophisticated threats and changing attack methods now require a different approach.
Five Reasons to Consider SIEM
A SIEM solution can provide organizations with insight into security-related incidents and events, which could indicate malicious activity. It can monitor and analyze all device’s logging data, including workstations, servers, routers, firewalls, switches, intrusion detection systems(IDS)/intrusion prevention systems (IPS), and any other device that produces data—and can aggregate it into one place to alert stakeholders to potential indicators of compromise, enable threat intelligence and incident response, if necessary. Here are 5 reasons to consider SIEM:
- Keep a watchful eye on all your data points with continuous, centralized monitoring of all your environments and devices (i. e., cloud, on-premises).
- Continuously scan for vulnerabilities.
- Stay ahead of emerging threats.
- Stop attacks sooner with early threat detection, correlation of events, classification and prioritization.
- Ease compliance efforts with centralized log collection and audit-ready reports.
IF NOT TUNED PROPERLY, A SIEM MAY SIGNAL TOO MANY FALSE ALERTS OR TOO FEW, NEITHER OF WHICH IS HELPFUL.
The Challenges That Come With SIEM Deployment
No solution is perfect and, certainly, SIEM comes with challenges. What can be most challenging for organizations is training the SIEM solution and tuning it to their specific environment. If not tuned properly, a SIEM may signal too many false alerts or too few, neither of which is helpful. Turning to qualified security professionals with SIEM expertise to oversee the installation and tuning process will make the SIEM the most effective.
Content tuning and customization are critically important for SIEM success.3 Geoff Wilson, with True Digital Security concurs. He believes that organizations often mistakenly view SIEM as a set-it-and-forget-it platform. “Nothing could be further from the truth,” he says. “A highly effective SIEM is a product of solid people and processes backing it up.”4 If alerts are not properly tuned, the result can be too many false positives and if alerts are not correctly correlated, they may go unnoticed, which can be devastating. Wilson continues, “SIEM tuning is as much an art as it is a science. The tendency with new deployments is to over-tune the SIEM, which can result in missed threats. Skilled analysts make the biggest difference in a SIEM tuning.”5
Eric Mazurak, network and security engineer at Reed Smith agrees. “SIEM has some ‘no pain, no gain’ aspects. Work has to go into properly activating a SIEM. There will be a high false positive rate if you don't do fine tuning. The more logging you do, the more tuning is involved."6
Security incident, cyberattack, data breach. They are not the same, but each could wreak havoc on your organization. While a security incident may not always translate into a data breach requiring notification, it is best to monitor each and every incident. US founding father Benjamin Franklin was right, “An ounce of prevention is worth a pound of cure.” When it comes to cybersecurity prevention, a SIEM solution might be the best prevention. Even with limited resources, a SIEM solution can help organizations of any size detect, monitor and prevent cyberthreats and minimize data breaches.
This article was originally published in ISACA's The Nexus. View article.
1 Verizon, 2018 Data Breach Investigations Report, USA, 2018
2 IBM and Ponemon Institute, 2017 Cost of Data Breach Study, USA, 2017
3 Chuvakin, A.; “SIEM Analytics: Process Matters More Than Products,” TechTarget, October 2013
6 Messmer, E.; “Security Information and Event Management Tools Require 'Fine Tuning,' User Says,” Network World, 28 February 2011