What is SIEM and why do I need it?
SIEM stands for Security Incident and Event Management. SIEM technology provides real-time collection, analysis and alerting against logs generated by hardware and applications. Digital Planet combines this with configuration and asset collection on devices, providing alerting and reporting on security events and policy violations, including records of changes made to devices.
To store particular types of information, such as personal details or payment information, an organisation must comply with the relevant security standards. For example, requirement 10 of the PCI DSS standards, with which all companies storing payment data must comply, stipulates that the organisation must track and monitor all access to network resources and cardholder data. Monitoring this level of access to systems is a significant task when there is a multitude of different hardware and application vendors, many of which may have proprietary logging standards.
Let me explain where SIEM comes into its own with a scenario:
At 00:41 on a Friday morning, regular ‘9-5’ customer service worker, Joe Blogs, logs into the corporate VPN. He then gains access to a server using a service account that, against company policy, was granted full domain admin access. While connected to the server, he sets a registry key to trigger a script on the next server reboot and then logs off. The following morning Joe announces his resignation and that he is taking a position at a competing firm. The changes Joe has made expose the organisation to a range of potential risks which could have serious repercussions for the company. These include data destruction, data theft and many other malicious activities.
A scenario such as this, while visible in logs across multiple systems, would often go completely unnoticed in an organisation. Why? Most likely because these logs are dispersed across the business, and an individual log entry, in isolation, would not be flagged as a potential security risk.
So how would SIEM have alerted us in this scenario?
- All logs are collected to a central location allowing for easier analysis.
- Using intelligent analytics, anomalies are flagged by cross-referencing firewall logs against departmental shift patterns.
- Potential breaches of security policy are detected when the presence of privileged accounts is identified.
- Compromised server configuration is compared to previously collected configuration. This determines exactly what changes were made.
- Weeks, months or even years down the line, far beyond the log retention period on any of the devices, the breach is discovered. The data collected in SIEM is still available and can be used to provide evidence of who made the change as well as compiling a forensic log of the changes.
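The correlation described in the points above can be sketched as a single rule over centralised events. This is an added example, not code from Digital Planet or any SIEM product; the event fields, shift table, account name, host names and IP addresses are all constructed assumptions.

```python
from datetime import datetime, time, timedelta

# Constructed reference data: shift pattern per user and accounts holding domain admin.
SHIFTS = {"jblogs": (time(9, 0), time(17, 0)), "asmith": (time(9, 0), time(17, 0))}
PRIVILEGED = {"svc_backup"}
WINDOW = timedelta(hours=1)  # how far apart linked events may be

# Constructed, already-normalised events from three different log sources.
EVENTS = [
    {"ts": "2024-03-01T00:41:00", "src": "vpn", "user": "jblogs", "ip": "10.8.0.23"},
    {"ts": "2024-03-01T00:47:10", "src": "auth", "host": "srv01",
     "user": "svc_backup", "ip": "10.8.0.23"},
    {"ts": "2024-03-01T00:52:30", "src": "config", "host": "srv01",
     "user": "svc_backup", "change": "registry run-at-boot key added"},
    {"ts": "2024-03-01T10:05:00", "src": "vpn", "user": "asmith", "ip": "10.8.0.40"},
    {"ts": "2024-03-01T10:20:00", "src": "auth", "host": "srv02",
     "user": "svc_backup", "ip": "10.1.5.9"},
]

def off_shift(user, when):
    # Users without a known shift are treated as always on shift (assumption).
    start, end = SHIFTS.get(user, (time.min, time.max))
    return not (start <= when.time() <= end)

def correlate(events):
    """Join VPN, logon and config-change events into one alert per off-shift session."""
    evs = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                 key=lambda e: e["ts"])
    alerts = []
    for vpn in (e for e in evs if e["src"] == "vpn" and off_shift(e["user"], e["ts"])):
        for logon in evs:
            # Privileged logon arriving from the IP the VPN handed to this user.
            if not (logon["src"] == "auth" and logon["ip"] == vpn["ip"]
                    and logon["user"] in PRIVILEGED
                    and vpn["ts"] <= logon["ts"] <= vpn["ts"] + WINDOW):
                continue
            # Configuration changes made by that account on that host afterwards.
            changes = [c["change"] for c in evs
                       if c["src"] == "config" and c["host"] == logon["host"]
                       and c["user"] == logon["user"]
                       and logon["ts"] <= c["ts"] <= logon["ts"] + WINDOW]
            alerts.append({"person": vpn["user"], "account": logon["user"],
                           "host": logon["host"], "vpn_login": vpn["ts"].isoformat(),
                           "changes": changes})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

None of the three matching events is alarming on its own; the alert exists only because the VPN-assigned IP ties the named user to the service account, and the host and account tie that session to the configuration change.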
Every year Gartner Research, the world’s leading information technology research and advisory company, produces a report on the leading SIEM applications. The report ranks applications based on their ‘completeness of vision’ and the ‘ability to execute’. The contenders then fall into one of four categories: niche players, challengers, visionaries and the much coveted leaders category, also known as the ‘magic quadrant’. John Pescatore, Vice President in Gartner, commented: “Security programs need to move from reactively monitoring log events to developing situational awareness that supports rapid reaction and threat analysis along with continuous monitoring of security status.” Digital Planet has partnered with selected SIEM vendors in order to provide a complete security solution to its customers.
As the trend moves towards cloud, security of information stored in the cloud becomes more important than ever. In order to perform this task efficiently and effectively, logging across an organisation needs to be centralised, allowing it to be indexed and easily searchable. Intelligent rule sets can then be applied to the incoming events to detect anomalies, suspicious activity or attack attempts. SIEM will also retain the collected logs far beyond the retention period of the source devices, providing secure, unalterable evidence of all activity within an organisation.
By assessing customers’ business needs and regulatory requirements, Digital Planet can determine the best suited SIEM solution for the organisation. Thanks for reading. If you like what you have read and are interested in speaking to us about SIEM or would like to ask me a question, feel free to email us.