As connectivity grows, so do threats to the IT infrastructures under your care—and, by extension, your organization’s ability to profit and serve its customers. Security strategies that worked fine in the not-so-distant past have grown woefully inadequate as the technology terrain shifts.
You’ve probably heard the acronym SIEM being thrown around a lot these days and for good reasons. As security experts, we know that perimeter defenses simply aren’t enough anymore, and we need a holistic view of our IT infrastructures.
+ Also on Network World: SIEM market dynamics in play +
SIEM (Security Information and Event Management) provides that insight, arming us with a holistic view of our IT infrastructure and greater visibility into its patterns and inner workings.
Gartner, the global research firm, explains SIEM as technology that does the following:
- Supports threat detection and security incident response through the real-time collection and historical analysis of a wide variety of data sources
- Supports compliance reporting and incident investigation through historical data analysis
- Is capable of broad-scope event collection and correlating and analyzing events across disparate sources
The major benefit of SIEM, as described by TechTarget, is that “SIEM combines SIM (security information management) and SEM (security event management) functions into one security management system."
In a piece for Tripwire, tech security expert Joe Piggée Sr. simplifies it further, summing up key SIEM capabilities:
- A bird’s-eye view into the IT infrastructure
- Centralized security event management
- Reporting on all ingested data
- Ability to take in data from virtually any vendor or in-house applications
Uses of SIEM can span various categories, but we’ll focus on two mission-critical functions: Security and Compliance.
“Malware has become an unavoidable evil that every environment will interact with at some point,” notes Mason Vensland, a security ops and digital forensics expert, writing for Tripwire.
The old time-tested model of using a Syslog collection point with a few alerts configured is no longer sufficient. By comparison, a well-implemented SIEM system makes it fairly easy to detect, respond and prioritize malicious attacks or requests because of the holistic view.
Intrusion activity, on the other hand, has always been one of the more difficult risks to handle because it’s hard to tell what’s legitimate or not. With SIEM, you can identify what’s noise and what needs your attention.
SIEM can be a lifesaver for IT admins. By collecting logs into a common repository, SIEM allows for automated reporting for compliance, making it easier come audit time. Plus, by having implemented SIEM, you can identify potential issues before they become a problem, enabling you to be proactive instead of reactive.
Evaluating SIEM solutions
SIEM systems come in a variety of forms: cloud-based, hardware appliances, virtual appliances and traditional server software. Each has similar capabilities and differ primarily in cost and performance, says Karen Scarfone, principal consultant at Scarfone Cybersecurity in a TechTarget article.
When evaluating SIEM solutions, Scarfone advises considering the following criteria as a starting point:
- How much native support does the SIEM provide for the possible log sources?
- Can the SIEM supplement existing logging capabilities?
- How effectively can the SIEM make use of threat intelligence?
- What forensic capabilities can the SIEM provide?
- What features does the SIEM provide that assist in data examination and analysis?
- How timely, secure and effective are its automated response capabilities?
- For which security compliance initiatives does the SIEM provide built-in reporting support?
Granted, SIEM is expensive to implement. For that reason, it’s been mostly adopted in the enterprise market, now trickling down to small and mid-sized businesses. Because every cloud offering has to have it, and no business is exempt from hosting some of their data on the cloud anymore, internal IT departments are realizing they, too, must have SIEM in place. Any PCI-compliant or FedRAMP-authorized cloud offered HAS to have a SIEM implemented as well.
Implementing SIEM in every organization is on the horizon and will eventually become mainstream. For small and mid-sized businesses that can’t afford a large-scale SIEM implementation, they would do well to consider finding ways to outsource that cost.
This article is published as part of the IDG Contributor Network. Want to Join?