Hello, and welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
Today we are going to discuss SIEM solutions, what SIEM stands for, and what they are typically used for. People pronounce S.I.E.M. in various ways, but for this TomCast I will be pronouncing it “SIM”, with the E silent.
SIEM stands for Security Information and Event Management. This is rather important to understand, as these two terms encompass quite a lot of data. SIEM solutions aggregate, or collect, data from sources throughout the enterprise. Which sources depends on what the various teams (security, operations, engineering, etc.) wish to collect data on. Yes, in theory some systems might not send log data to the SIEM, but typically the ideal solution is to have all log data sent over. Why is that?
SIEM solutions enable security teams to react to incidents in real time; this allows for decreased business disruption and decreased dwell time by the threat actors. Now, I say that with the rose-colored glasses look of the SIEM solution being set up in an optimal fashion and it being utilized by experienced security personnel.
If not utilized properly, then a SIEM simply becomes a storage database for log data. That then becomes a reactionary scenario that sounds something like this – “Oh no, it appears that our systems have been compromised! Quick, query the SIEM to see if we received any alerts or any data that can show us what happened!”
Obviously, that is not an ideal scenario. SIEM solutions should help teams be more proactive, not more reactive. Getting ahead of the threat actors’ movement is key to limiting both disruption and dwell time. With newer technologies available, SIEM solutions are now leveraging artificial intelligence and machine learning to help organizations like never before.
SIEM solutions aggregate log data from all the different parts of an enterprise environment: firewalls, endpoints like desktops and laptops, servers, network devices; if it generates log data, the SIEM can collect it. Once that data is collected, the solution identifies the type of each record and sorts it accordingly. For example, if anomalous behavior occurs and the log data for each event is being collected, the SIEM can be configured to generate alerts based on that anomalous behavior, thereby pulling in the security response teams through whatever alerting mechanism the organization utilizes.
SIEM solutions provide a level of automation with regard to log data that allows professionals across the IT industry to focus valuable time and effort on other tasks and missions. Can you even imagine how long it would take one person or one team of people to filter through logs manually? Systems in this day and age generate tons of logs, which in turn produce tons of data to filter through. SIEM solutions do all of that aggregating and filtering at a rapid pace.
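To make the collect, sort and alert flow described above concrete, here is an added example (not GuardSight's code, nor any SIEM product's) that normalizes constructed firewall and sshd log lines into one common event schema and then runs a single correlation rule over them. The regular expressions, the field names in the schema, and the "three failures then a success within five minutes" threshold are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines (not real logs) from two of the sources a SIEM ingests.
RAW_LOGS = [
    "2024-05-01T10:00:01Z fw01 DENY src=203.0.113.5 dst=10.0.0.7 dport=3389",
    "2024-05-01T10:00:05Z srv07 sshd[1021]: Failed password for admin from 203.0.113.5 port 51812 ssh2",
    "2024-05-01T10:00:09Z srv07 sshd[1021]: Failed password for admin from 203.0.113.5 port 51813 ssh2",
    "2024-05-01T10:00:14Z srv07 sshd[1021]: Failed password for admin from 203.0.113.5 port 51814 ssh2",
    "2024-05-01T10:00:20Z srv07 sshd[1021]: Accepted password for admin from 203.0.113.5 port 51815 ssh2",
    "2024-05-01T10:01:00Z srv07 sshd[1030]: Failed password for bob from 198.51.100.9 port 40000 ssh2",
    "2024-05-01T10:01:30Z srv07 sshd[1030]: Accepted password for bob from 198.51.100.9 port 40001 ssh2",
    "some appliance wrote this line in a format we have no parser for",
]
# Assumed line formats for the two sources; a real deployment has one parser per source.
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=\S+ dport=\d+$")
SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+")

def _event(m, source, user, outcome):
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "source": source,
            "host": m["host"], "src_ip": m["src"], "user": user, "outcome": outcome}

def normalize(line):
    """Map one raw line onto the common event schema (the 'identify and sort' step)."""
    if m := FW_RE.match(line):
        return _event(m, "firewall", None, m["action"].lower())
    if m := SSH_RE.match(line):
        return _event(m, "sshd", m["user"], "failure" if m["result"] == "Failed" else "success")
    return None  # unparsed: a real SIEM keeps the raw line and reports the parser gap

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: at least `threshold` auth failures from one IP, then a success inside `window`."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] != "sshd":
            continue
        ip = ev["src_ip"]
        if ev["outcome"] == "failure":
            failures[ip].append(ev["ts"])
        elif ev["outcome"] == "success":
            recent = [t for t in failures[ip] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "auth_failures_then_success", "src_ip": ip,
                               "user": ev["user"], "failures": len(recent), "at": ev["ts"]})
    return alerts

def run(lines=RAW_LOGS):
    """Aggregate -> normalize -> correlate; returns (events, unparsed line count, alerts)."""
    parsed = [normalize(line) for line in lines]
    events = [e for e in parsed if e]
    return events, parsed.count(None), correlate(events)
```

Running `run()` on the constructed lines yields one alert for 203.0.113.5 (three failures then a success for admin) and none for 198.51.100.9, whose single failure stays below the threshold; the unparsed line is counted rather than silently dropped, which is the kind of parser gap an analyst tuning a SIEM needs to see.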
Now, it seems like the SIEM is just an amazing solution and everyone should hurry up and install one, right? Well, maybe, but the setup and configuration take quite a bit of time. A SIEM solution is not a plug-it-in-and-watch-it-go type of solution. All of those filters and data types need some sort of touch to ensure they are configured correctly. Similar to SOAR solutions, a SIEM does not eliminate the need for security personnel by taking over data aggregation and alerting responsibilities. Depending on the size of your organization, it may take a dedicated person to manage the SIEM, or even a dedicated team of security professionals to do it.
Like SOAR solutions, consult with your Managed Security Service Provider (MSSP) to see how they can assist your organization with setup and implementation of a SIEM solution. GuardSight, for example, has experience with several different SIEM solutions and would be happy to assist!
We here at GuardSight thank you for taking the time to listen to this TomCast. For more information on various cybersecurity tips head on over to our website and check out more TomCasts. Those are located over on www.guardsight.com/tomcast. Or, if you would like more information on what GuardSight can do for you, head on over to www.guardsight.com and contact us. There are several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!