Target, Equifax, Wendy’s, what do all these companies have in common? They are different yet, they all have experienced the same thing. That is right, all these companies have experienced a breach in their security resulting in millions of credit cards, social security numbers and other personal information being exposed on the internet. I am sure that many of you have heard of these security breaches on the news, in a paper, or on other social media outlets. The breaches were the top headliner on many different news outlets for days on end and rightfully so. After each type of these incidents reported, I am always left wondering to myself, “could they have possibly done more to protect our information?” As are living in the aftermath of what is regarded as the digital explosion, more and more of our personal information is being stored in big data bases and not in locked filing cabinets. Our world has changed and so have we. We have accepted the fact that our information will be on the internet whether it being our choice to put it there or not. Because of this reality, our businesses today must continue to be progressive in cyber security. This could be installing the latest version of an OS, or making sure that they use strong encryption methods, or following good password creation. However, one of the best ways to improve this area is with Security Information and Event Management.
Security Information and Event Management (SIEM) is a set of different complex technologies that are brought together to provide an overview of a technical structure that is created by a company. In simpler terms, these technologies will provide an admin, head technical officer, or technical assistant the ability to monitor and collected data that will be used to better security for a company. SIEMs, like mentioned before, are a collection of technologies that are used to better the security of a business. A SIEMs components are; logging, parsing, storing, correlating, interpreting, alerting, reporting.
- Logging- A SIEM will log events on all devices on its network. It will then translate these events into a database. These events recorded are called log records. A SIEM records information from these devices in different ways.
- One way is that the devices would send logs to the SIEM one-by-one, in real time. The device would then send this data back to the system.
- Another way is where something called an agent would be installed on to the devices so that the devices would not have to generate logs on its own. The agent would generate logs from the device and then send it to the system.
- Finally, the SIEM would have to log onto devices to take information from the device’s security logs. The SIEM would have to store a correct ID and password that is able to read the logs.
- Parsing- Now, that a SIEM has collected this data, it needs to know how to sort it and what to really do with it. A SIEM will categorize devices on its system by its type. The SIEM will generate different types of logs dependent on the device type. As for each log type, it is then sorted even further. It is sorted by what elements are contained in the recorded, how the data is held, the element’s positions in the record or an associated key.
- Storing- The SIEM will store the data to the appropriate data base or place that is based upon the device. This is important so that data from confidential, higher level devices are not stored on a database that anyone can access.
- Correlating- Correlating is where the event management starts to come into play. Correlating is where the SIEM will combine the security logs together. This will give a person an overview of what steps a person could take to secure the network, databases and the company.
- Interpreting- As certain correlating occur, the SIEM will record the correlation events. The user can interpret if actions should be taken or to do nothing
- Alerting- A SIEM can alert people when a certain correlation event has happened. The SIEM administrator can log contact information into the system so that it can alert them if a certain situation happens.
- Reporting- Most SIEM systems provide a set of queries and reports so that people can edit them to where they will generate a customized report. The administrator could customize the report so that the information would be displayed on the dashboard for network health and how the servers are working.
Altogether, A SIEM is a powerful tool that helps business with decision making, what steps they need to take if an event occurred, or what they need to do in the future to prevent it.
Now that we know what a SIEM is, we need to understand why it is important to a business. Today, we see more people trying to find vulnerabilities in large company’s websites, databases or their servers than ever before. This has placed a huge responsibility on businesses. It is not an uncommon thing anymore that a business will go through great length to hire outside people to monitor and detect events or they will install the latest firewall to restrict packet flow. However, with a SIEM it can collectively combine many security aspects so that an administrator is able to act more quickly to prevent actions. We have already looked at what a SIEM is, so now we will look at what it can do for a company.
First, a SIEM can help a company with monitoring and securing the network. A SIEM can help network security in many ways. For instance, a SIEM can help prevent something called a zero-day attack from occurring. A zero-day attack is where an attacker finds and exploits a vulnerability that is not known until the vulnerability is discovered. A SIEM can prevent this from happing by monitoring the network devices so that the SIEM will know when something is transmitting or not or when a process is starting or stopping. With this information, it can combine it with other information gathered to prevent these attacks. Second, a SIEM can help improve something called operation support. With how much help is needed with keeping security in top shape, a company will often hire a lot of IT personnel. With a SIEM, a bigger company can cut down on the number of employees they hire. This is because of the SIEMs ability to combine many IT aspects into one like said before. A SIEM also can help with how fast a company is able to react to an event. When a company has a lot of IT workers, word might travel slow. With a SIEM, it can alert the administrator as soon as the event happens. Finally, a SIEM can help with computer forensics. As mentioned before, a SIEM collects data and stores it into a big database. If an attack occurs, a person could examine this information and find out where it came from and how to stop it.
However, one question remains, “why a business should even consider having a SIEM?” Businesses should always consider having a SIEM. The Internet age, as they call it, has presented new challenges that we have not seen before. Before the Internet, most crimes were committed in person. So, a person would only ever have to worry about someone personally stealing their information. A person or a business before the Internet age would store information on site. Now, people must worry about people stealing information online and not have to do anything in person. Businesses also must worry about this same fate. Businesses are now storing information online and they must worry about people stealing their information as well. With SIEMs businesses can prevent these things from happening. SIEMs can give businesses the tools to prevent security breaches.
All in all, SIEMs are something that I believe that all businesses should implement. This is because of their extreme value. Businesses and individuals need to protect their data. Our lives are impacted by what is put on the Internet all the time. Therefore, attackers constantly poke to find weaknesses in everything. Therefore, we are seeing more and more data breaches. However, I believe SIEMs can change this. Along with other safety measures, maybe one day we can see less and less of this thing happening.
Interested in discussing the challenges and solutions on this topic? Please contact us at bizdev@sdsolutionsllc.com or call 540-860-0920.