What is SIEM? How to choose the right one for your business

Configuring alerts

The primary reason to have a modern SIEM is for sophisticated real-time monitoring of your systems. But that has little value unless a human is monitoring the system for alerts or notifications (in the form of emails, text messages, or push notifications to mobile devices).

The problem with alerts and notifications, as any email user knows, is keeping the volume manageable. If users receive too many notifications, they will either disable them or ignore them. If too few, then critical threats may be missed. Look for flexibility in configuring alerts, including rules, thresholds (i.e., system was down for 15 minutes, 20 errors per minute for 10 minutes, etc.) and alert methods (SMS, email, push notifications, and webhooks).
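The kind of threshold rule described above ("20 errors per minute for 10 minutes"), as an added illustration that is not code from the original article: it buckets ERROR lines per minute, fires only once the rate has been sustained for the required number of minutes, and applies a cooldown so one incident does not flood the alert channel. The log line format and the sample data are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

def parse_error_events(lines):
    """Count ERROR-level lines per minute. Line format (constructed): '<iso-timestamp> <LEVEL> <message>'."""
    buckets = Counter()
    for line in lines:
        ts, level, _ = line.split(" ", 2)
        if level == "ERROR":
            minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
            buckets[minute] += 1
    return buckets

def evaluate_rate_rule(buckets, per_minute, sustained_minutes, cooldown_minutes):
    """Fire when at least `per_minute` errors occur for `sustained_minutes` consecutive minutes.
    After firing, suppress further alerts for `cooldown_minutes` to keep the volume manageable.
    Returns the minutes at which an alert would be sent."""
    if not buckets:
        return []
    minute, end = min(buckets), max(buckets)
    streak, suppressed_until, fired = 0, None, []
    while minute <= end:
        # Minutes with no errors at all are still evaluated, so a gap resets the streak.
        streak = streak + 1 if buckets.get(minute, 0) >= per_minute else 0
        if streak >= sustained_minutes and (suppressed_until is None or minute >= suppressed_until):
            fired.append(minute)
            suppressed_until = minute + timedelta(minutes=cooldown_minutes)
        minute += timedelta(minutes=1)
    return fired

def make_sample_lines():
    """Constructed sample: 5 errors/min baseline, with a 12-minute burst of 25/min starting at 10:02."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    for m in range(20):
        errors = 25 if 2 <= m < 14 else 5
        lines.append(f"{(base + timedelta(minutes=m)).isoformat()} INFO heartbeat ok")
        for i in range(errors):
            lines.append(f"{(base + timedelta(minutes=m, seconds=i)).isoformat()} ERROR db connection refused")
    return lines

if __name__ == "__main__":
    buckets = parse_error_events(make_sample_lines())
    # 20/min for 10 min with a 30-minute cooldown: a single alert at 10:11, none for 10:12 and 10:13.
    for when in evaluate_rate_rule(buckets, per_minute=20, sustained_minutes=10, cooldown_minutes=30):
        print("ALERT", when.isoformat())
```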

Role-based access

For large enterprises with diverse business segments, multiple application teams, or dispersed geographic locations, role-based access is imperative. Giving admins, developers, and analysts access to just the log events they need is not only a matter of convenience, but also required by the principle of least privilege and, in some industries, by regulatory mandates.

The events captured by a SIEM often provide a deep level of detail on application and service functionality, or even on how devices on your network are configured. Gaining illicit access to this event data can benefit malicious actors looking to infiltrate your systems, the same way thieves benefit from casing a target before a heist. Limiting user access to SIEM event data is a best practice for one reason: it limits the impact of a compromised account and ultimately helps protect your network as a whole.

Regulatory compliance

Many industry regulations — such as HIPAA or Department of Defense STIGs (Security Technical Implementation Guides), to name just two — not only require the use of a SIEM or a similar utility, but also specify how the solution should be configured. Study the relevant requirements for your organization in detail. Things to look for include retention periods, encryption requirements (for both data in transit and data at rest), digital signatures (to ensure event data is not modified in any way) and reporting obligations. Also keep in mind that most compliance regimes include an audit or reporting element, so make sure your SIEM solution can spit out the appropriate documentation or reports to satisfy auditors.

Event correlation

Perhaps the biggest reason to implement SIEM is the ability to correlate logs from disparate (and/or integrated) systems into a single view. For example, a single application on your network could be made up of various components such as a database, an application server, and the application itself. The SIEM should be able to consume log events from each of these components, even if they are distributed across multiple hosts, and correlate those events into a single stream. This enables you to see how events within one component lead to events within another component.

The same principle applies to an enterprise network. In many cases, correlated event logs can be employed to identify suspicious privilege escalation or to track an attack as it impacts various segments of the network. This broad view has become increasingly relevant as organizations move to the cloud or implement container-based infrastructure such as Kubernetes.
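The correlation described in the two paragraphs above, as an added example that is not code from the original article: log lines from a database, a web/application server and the application itself, each in its own format, are parsed into one event shape, merged into a single time-ordered stream per request, and then a cross-component rule (a 401 from the web tier paired with a "login failed" message from the app tier) is evaluated over the merged stream. The three log formats, the request-id field and the sample lines are constructed for this example.

```python
import json
from collections import defaultdict, namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts rid component host fields")

# Constructed sample logs: request r1 (failed login), r2 (successful login),
# and a database line for r3 that has no matching events in the other components.
APP_LINES = [
    '{"ts":"2024-01-01T10:00:00.130","rid":"r1","host":"app01","msg":"login failed for alice"}',
    '{"ts":"2024-01-01T10:00:01.030","rid":"r2","host":"app01","msg":"login ok for bob"}',
]
WEB_LINES = [
    "2024-01-01 10:00:00.150 web01 rid=r1 method=POST path=/login status=401",
    "2024-01-01 10:00:01.050 web01 rid=r2 method=POST path=/login status=200",
]
DB_LINES = [
    "2024-01-01 10:00:00.110 db01 rid=r1 query=auth_lookup rows=0",
    "2024-01-01 10:00:01.010 db01 rid=r2 query=auth_lookup rows=1",
    "2024-01-01 10:00:05.000 db01 rid=r3 query=report rows=900",
]

def parse_app(line):
    """The application emits JSON lines."""
    d = json.loads(line)
    return Event(datetime.fromisoformat(d["ts"]), d["rid"], "app", d["host"], {"msg": d["msg"]})

def parse_kv(component):
    """Web server and database emit '<date> <time> <host> key=value ...' lines."""
    def parse(line):
        date, time, host, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        return Event(datetime.fromisoformat(f"{date}T{time}"), fields.pop("rid"), component, host, fields)
    return parse

def correlate(sources):
    """Merge every component's events into one stream per request id, ordered by timestamp."""
    by_rid = defaultdict(list)
    for parser, lines in sources:
        for line in lines:
            ev = parser(line)
            by_rid[ev.rid].append(ev)
    return {rid: sorted(evs, key=lambda e: e.ts) for rid, evs in by_rid.items()}

def component_chain(by_rid, rid):
    """The order in which components touched a request, e.g. ['db', 'app', 'web']."""
    return [e.component for e in by_rid.get(rid, [])]

def failed_logins(by_rid):
    """Cross-component rule: web tier returned 401 and the app tier reported a failed login."""
    hits = []
    for rid, evs in by_rid.items():
        statuses = {e.fields.get("status") for e in evs if e.component == "web"}
        msgs = [e.fields.get("msg", "") for e in evs if e.component == "app"]
        if "401" in statuses and any("login failed" in m for m in msgs):
            hits.append(rid)
    return sorted(hits)

def sample_stream():
    return correlate([(parse_app, APP_LINES), (parse_kv("web"), WEB_LINES), (parse_kv("db"), DB_LINES)])
```

Running `failed_logins(sample_stream())` yields `['r1']`, while `r3` survives as a single-event stream rather than being dropped, which is what you want when a component's events arrive before, or without, the rest of the chain.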

SIEM ecosystems

SIEM depends on connecting with other systems from a variety of vendors. Of course, there are data exchange standards, from text-based log files to protocols such as SNMP (Simple Network Management Protocol) or Syslog. If the SIEM can integrate directly (or through plugins) with other systems, that makes things much easier. A SIEM with a robust, mature ecosystem enables you to enhance such features as event collection, analysis, alerting, and automation.

In addition to the system enhancements to be had through a SIEM ecosystem, there are other business benefits to consider. For example, a mature SIEM will often create demand for training, drive community-based support, and even help streamline the hiring process.

Interaction via API

An ecosystem offering extensibility is great, but it will not meet all the diverse needs of every business. If your business involves software development, and particularly if your company has invested time and effort in DevOps, the ability to interact with your SIEM programmatically can make a huge difference. Rather than spending development time on logging capability for the sake of security or debugging, the SIEM can ingest, correlate, and analyze event data from your custom code.

Do I need AI-enhanced SIEM?

SIEM would seem like a tailor-made use case for AI-backed analysis, and vendors aren’t shy about implementing AI-based features. Generally, these features are centered around analysis and alerting, but this means much more than reports. AI-enabled SIEM systems can integrate with immense cloud data feeds from a variety of vendors and sources, knowledge that can be leveraged to build deep context into your event data without lifting a finger. This context is essential to triaging events, identifying attack chains, and putting together a plan for incident response. Do keep in mind that the AI question may be tied to the cloud-versus-on-prem question: on-prem offerings have the potential to support your needs with AI, but may require that those workloads be farmed out to cloud services.

How much to pay for SIEM

SIEM is not an area where you want to tighten your purse strings too much. Cost is a factor in your SIEM decision, of course, but calculating it involves nuance. You also don’t want to be caught in a situation where you cut corners to save money on your SIEM only to end up as the victim of an attack that could’ve been prevented. SIEM platforms offered as a cloud service are almost always sold by subscription, but your bill may also include usage charges, such as event data volume or the number of endpoints being monitored. There are well-respected SIEM platforms available for free under an open-source license, but be aware of hidden costs such as support, and make sure the solution meets all of your business needs. The bottom line: once you’ve narrowed down your SIEM candidates to those that have the features you need, compare in detail the subscription and usage charges you’re likely to incur. If you prefer a more expensive offering, consider how you might gain efficiency elsewhere or scale back a little.


