Detecting Enterprise Security Threats And Unusual Behavior With SIEM

The Continuous Collection, Analysis And Reporting Of Security And Operational Information

Jeff Orr

SIEM Coordination

Organizations are widely adopting IT solutions that digitize and connect data. This connectivity has created efficiencies within business operations and, at the same time, a new level of risk to be managed.

The traditional security perimeter of an organization’s campus considered endpoints such as servers, PCs and laptop computers. With mobile devices, the perimeter extended further. These boundaries have become even less clear with the adoption of cloud services. The deployment of IoT adds thousands to hundreds of thousands of endpoints, further complicating the security process.

The large volume of exposed endpoint devices has been met with high levels of enterprise spend to minimize the potential vulnerabilities. Unfortunately, this had the side effect of creating a hyper-focus on containing unauthorized access and data breach incidents in the present.

At the same time, cyber threats continue to become more sophisticated. The large volume of security alerts and event notifications within the organization creates a need for robust and efficient security-based solutions.


Right-sizing The SIEM Platform For The Enterprise Need

A Security Information and Event Management (SIEM) platform is an enterprise cyber security tool used by businesses. Industry analyst firm Frost & Sullivan encourages organizations with 300 or more endpoints to use a SIEM to detect security threats, malware, unusual behavior and suspicious network traffic.

A SIEM platform supports the continuous collection, standardization, correlation, analysis and reporting of security and operational information. For SIEM tools to be effective, says Frost & Sullivan, they need supporting policies and regulatory processes, transforming logs into intelligence and combining them with other forms of information (vulnerability assessments, threat intelligence, etc.).
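The collection, standardization and correlation pipeline described above, as an added example (not code from the article or from any SIEM vendor): two differently formatted log sources are normalized into one event schema, and a single correlation rule flags repeated failed logins from one address followed by a successful login within a short window. The log lines, the `sshd`/`vpn` formats and the rule thresholds are constructed for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: a syslog-style SSH source and a JSON-style VPN source.
RAW_LOGS = [
    "2024-03-01T10:00:01Z sshd[1]: Failed password for alice from 203.0.113.5 port 5 ssh2",
    "2024-03-01T10:00:04Z sshd[1]: Failed password for alice from 203.0.113.5 port 6 ssh2",
    "2024-03-01T10:00:09Z sshd[1]: Failed password for alice from 203.0.113.5 port 7 ssh2",
    '{"time":"2024-03-01T10:00:30Z","app":"vpn","user":"alice","ip":"203.0.113.5","result":"success"}',
    "2024-03-01T11:15:00Z sshd[1]: Failed password for bob from 198.51.100.9 port 8 ssh2",
    '{"time":"2024-03-01T11:30:00Z","app":"vpn","user":"bob","ip":"198.51.100.9","result":"success"}',
]

SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def _ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def normalize(line):
    """Standardization step: map one raw line onto the common event schema, or None."""
    if line.startswith("{"):
        rec = json.loads(line)
        return {"ts": _ts(rec["time"]), "source": rec["app"], "user": rec["user"],
                "src_ip": rec["ip"], "outcome": rec["result"]}
    m = SSH_RE.match(line)
    if not m:
        return None  # unknown format: dropped here, would be flagged in a real pipeline
    ts, verb, user, ip = m.groups()
    return {"ts": _ts(ts), "source": "sshd", "user": user, "src_ip": ip,
            "outcome": "failure" if verb == "Failed" else "success"}

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation step: >= threshold failures from one IP, then a success inside the window."""
    alerts, failures = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["src_ip"]
        if ev["outcome"] == "failure":
            failures[ip].append(ev["ts"])
        elif ev["outcome"] == "success":
            recent = [t for t in failures[ip] if ev["ts"] - t <= window]
            if len(recent) >= threshold:  # cross-source match: sshd failures, vpn success
                alerts.append({"rule": "brute_force_then_success", "src_ip": ip,
                               "user": ev["user"], "failures": len(recent),
                               "success_source": ev["source"]})
            failures[ip] = []

    return alerts

def run_pipeline(raw_lines):
    """Collect -> standardize -> correlate; returns the alerts a report would carry."""
    return correlate([e for e in map(normalize, raw_lines) if e])
```

Note that the rule only fires because both sources were reduced to the same schema first; left in their native formats, the SSH failures and the VPN success would never be linked.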

“Implementing mismatched security products and making them work with your other systems is a challenge, especially when you have limited budgets,” noted former Herman Miller CISO Chris Wolski during the CISO Exchange West conference, “until something happens. That’s when the blank check shows up.”

Wolski also discussed the importance of making everything seamless to your information security professionals so that your least common denominator — such as a help desk technician — can understand the information and act on it.

“I have a 24x7 help desk but not a 24x7 SOC. That is orchestration,” Wolski said. “It’s not just about technological capabilities and automation but having processes in place that make it work.” For Wolski, the key is having a SIEM to bring information and events together and allowing his help desk to respond more quickly.


SIEM Market Drivers

According to industry analyst firm Frost & Sullivan, the continued proliferation of SIEM platforms can be distilled to five market drivers:

  • Improved usability: SIEM solutions assemble the security logs for human analysis and escalate any events that warrant it. Platform training remains necessary for adapting SIEM to new threats.
  • Additional security intelligence integration: As new threat vectors are introduced, SIEM must adapt and integrate with threat intelligence and forensic analysis tools.
  • New compliance regulations: Regulated industry sectors, including healthcare and financial services, have used SIEM to enable compliance reporting. Data privacy regulation, such as GDPR and CCPA, will drive future SIEM adoption across all vertical markets.
  • Cloud as integral SIEM vector: Mobile devices were managed as endpoints of the organization’s security perimeter. With cloud migration and third-party relationships, event management must be coordinated across those environments. The cloud has become an essential deployment vector for SIEM platforms.
  • Automation: The use of Artificial Intelligence (specifically machine learning and deep learning) improves the effectiveness of the SIEM solution.

Legacy security tools, including firewalls and anti-virus solutions, are not made obsolete by the deployment of a SIEM platform; however, on their own they do not protect against contemporary evolving and mutating threats that bypass signature-based detection. A SIEM platform with behavior analytics, for example, provides visibility into insider threats and suspicious user activity. As threats continue to become more sophisticated, more advanced techniques and expertise will be required to augment legacy tools.
