Security information and event management (SIEM) technology has been around for well over a decade, and to many businesses it remains crucial to minimising cyber security risks. However, there are still many organisations that have never even heard of it, let alone understand what it is or how it could benefit them.
SIEM is an extremely important tool that can help organisations to detect and respond to cyber threats that originate both inside and outside the network perimeter. According to Gartner, the SIEM market grew from $1.99 billion in 2016 to $2.18 billion in 2017, and these figures look set to rise even further.
Here we will take a look at SIEM in more detail, and explain how it could benefit your organisation.
What is SIEM?
Security information and event management is a type of technology that makes it easier for companies to detect and respond to cyber threats. The technology is able to achieve this by collecting, correlating, and analysing log data from sources such as firewalls, intrusion detection systems, and network infrastructure.
SIEM uses behavioural analytics to identify sequences of events that could indicate something anomalous – when it identifies activity that appears suspicious (compared to normal, expected behaviour) it will generate an alert for a security or IT team to investigate. Suspicious activity could include network policy violations, data exfiltration and privilege escalation.
“Security information and event management is a set of threat detection technologies that combine to provide a holistic view of an organisation’s cyber security posture.” (SIEM experts, Redscan)
There are a variety of different SIEM tools available, so it is worthwhile carrying out research to help identify the right solution for your business needs.
Moreover, recent years have seen the development of so-called ‘next-gen’ SIEM systems, which are able to support a greater number of log sources. This includes logs generated by cloud environments, such as AWS, and SaaS applications including Office 365 and G Suite. The latest SIEM systems also include automated threat containment and response capabilities, often referred to as SOAR, and User and Entity Behaviour Analytics (UEBA).
The benefits of SIEM
In order to protect your organisation against cybercrime it is important to have visibility of what is happening inside your network. There is still a place for traditional perimeter security measures such as firewalls and antivirus software, but on their own they are no longer sufficient to fully protect your business. Without network visibility, organisations can really struggle to establish whether they are being targeted, or even whether a breach has already occurred.
Identifying breaches early, before an attacker is able to access sensitive data or critical systems, can help to avoid operational disruption as well as severe financial and reputational damage.
Additionally, SIEM supports compliance requirements such as those mandated by the GDPR and the PCI DSS, which require that organisations have appropriate controls and procedures in place in order to detect, respond to, and report breaches.
Is SIEM a good fit for your business?
There is no doubt that SIEM tools can be extremely effective for enhancing threat visibility, but many organisations lack the resources to implement them properly and get the best out of them. A key problem is that, if incorrectly configured, SIEM systems can generate a huge volume of alerts, many of which will be false positives.
This might not sound like a problem, but it can actually be a very dangerous scenario: important alerts are missed because in-house teams lack the time to properly evaluate them. This is known as alert fatigue. A recent study found that 25 per cent of a security analyst’s time is spent chasing false positives.
To get the most out of a SIEM system, organisations need to have a good understanding of the best ways to deploy it, as well as the people to manage, monitor, and investigate alerts. This includes out-of-hours coverage, when organisations are most likely to be targeted.
What about a managed SIEM service?
If you believe that your business would benefit from a SIEM system but are concerned that you do not have the technical expertise in-house to manage it properly, you could look into outsourcing. A managed SIEM service, delivered by a specialist provider of security services, can supply not only the latest SIEM technology but also the security professionals to help maintain and monitor it.
It’s a good idea to speak with a security services or managed detection and response provider to help identify the solution that’s best aligned to the security challenges your business faces. SIEM experts will help to augment security capabilities and free up time for your in-house team to focus on other important IT and security activities.