SIEM: What is security information and event management (SIEM) as a service?
Security information and event management (SIEM) is an approach to cybersecurity management that provides an all-inclusive view of a company’s network security. The acronym SIEM is pronounced “sim” with a silent e. A SIEM system acts as a single aggregation point and log management tool for the various devices in your IT environment. The information is gathered, correlated and analyzed by an individual or team to help determine whether a security event is taking place. SIEMs are important because they can help determine whether allowed and authorized behavior is actually malicious in nature.
For example, Wally in accounting is authorized to view financial information, and he is authorized to log into the network remotely because he often works from home on Mondays and Fridays. However, if Wally is logged in remotely and at work at the same time, that is something worth investigating, because Wally obviously can’t be in two places at once.
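The Wally scenario as a correlation rule, written as an added example for this page (not Redbot’s product code): it pairs logon and logoff records per user and source, then flags any user whose remote (VPN) session overlaps an on-site workstation session. The log format, source names and the 10-hour cap for sessions without a logoff are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from any real SIEM); format: timestamp user source action
SAMPLE_LOGS = """
2024-03-04T08:30:00 alice vpn logon
2024-03-04T08:55:10 wally vpn logon
2024-03-04T09:03:01 wally workstation logon
2024-03-04T07:45:00 bob workstation logon
2024-03-04T10:00:00 carol vpn logon
2024-03-04T12:10:00 wally vpn logoff
2024-03-04T16:30:00 alice vpn logoff
2024-03-04T17:00:00 wally workstation logoff
2024-03-04T17:05:00 bob workstation logoff
""".strip().splitlines()

REMOTE_SOURCES = {"vpn"}               # assumed: VPN concentrator logon records
LOCAL_SOURCES = {"workstation"}        # assumed: console logons on office machines
DEFAULT_SESSION = timedelta(hours=10)  # assumed cap for a session with no logoff record

def parse(line):
    ts, user, source, action = line.split()
    return datetime.fromisoformat(ts), user, source, action

def build_sessions(lines):
    """Pair each logon with the next logoff for the same user+source -> {user: {source: [(start, end)]}}."""
    sessions = defaultdict(lambda: defaultdict(list))
    open_logons = {}
    for ts, user, source, action in sorted(map(parse, lines)):
        key = (user, source)
        if action == "logon":
            open_logons.setdefault(key, ts)  # a repeated logon keeps the earliest start
        elif action == "logoff" and key in open_logons:
            sessions[user][source].append((open_logons.pop(key), ts))
    for (user, source), start in open_logons.items():  # still logged on at end of data
        sessions[user][source].append((start, start + DEFAULT_SESSION))
    return sessions

def find_impossible_presence(lines):
    """Return (user, remote_window, local_window) for every overlapping pair of remote
    and on-site sessions: each logon is allowed alone, but together they are suspicious."""
    hits = []
    for user, by_source in build_sessions(lines).items():
        remote = [w for s in REMOTE_SOURCES for w in by_source.get(s, [])]
        local = [w for s in LOCAL_SOURCES for w in by_source.get(s, [])]
        for r in remote:
            for l in local:
                if max(r[0], l[0]) < min(r[1], l[1]):  # the two intervals overlap
                    hits.append((user, r, l))
    return hits
```

Running `find_impossible_presence(SAMPLE_LOGS)` returns a single hit for wally; alice (remote only) and bob (on-site only) produce nothing.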
Legacy vs Next Gen
Even though most organizations see the value of a SIEM solution, many of them don’t move forward with one because SIEMs have historically been expensive to purchase and manage and difficult to tune properly. To fully realize the benefits of a SIEM, an organization must dedicate staff to managing it; otherwise the logs and alerts will go unnoticed and a cyber attack will continue under the radar.
Modern Security Monitoring
Businesses running a Security Operations Center (SOC) or using a Managed Security Service Provider (MSSP) to monitor security events and alerts run into similar problems. The first problem is that there is no perfect security operations team or managed service that arrives out of the box as a standard, implementable solution. Everyone operates under budget constraints with a finite number of resources, and most have organizational structures or legacy infrastructure adding to the complexity. MSSPs have dedicated personnel to provide around-the-clock, best-in-class security monitoring, within limits.
Because an MSSP monitors an external organization’s security events, some businesses can only allow MSSPs to escalate alerts and make recommendations rather than remediate incidents. Internal SOCs can respond and react to incidents with deeper capabilities, processes, and tools inside their organization. Not every company will have the people and tools to triage, analyze malware, hunt, and respond to incidents.
Bringing the right tools to solve complex security use cases is key to a successful SOC, so a flexible set of tools, technologies, and mechanisms need to be employed. The ability to get data out is critical if an incident occurs which warrants a post-breach investigation.
The second problem is that technology choices need to augment personnel and processes. Organizations that buy security products without investing the time to train analysts or to configure and tune the products find security noisy and full of false positives. Some misconfigured devices might not be sending any valuable data at all. Without proper installation, configuration, and tuning, some systems generate so many alerts that it is impossible for an analyst to make sense of the data. Raw data, while useful in some situations, isn’t particularly useful for security use cases; understanding the context, situation and circumstances is critical. Enrichment is also key: filling in missing data, making sure data is correct and adding critical information. A good example is Microsoft® Windows® logs: while they tend to be verbose in detail, they can (and do) miss critical pieces of information such as an IP address or hostname on certain logs, which adds complexity and additional processing to understand their meaning. A log collection process that understands the context and enriches the log data makes large data sets easier to understand and process.
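The enrichment step described above, as an added example (not Redbot’s or Microsoft’s code): for Windows-style logon records that arrive with the IP address or workstation name missing, it fills the gap from an asset inventory, attaches owner and role, and records data-quality flags, including the case where the log contradicts the inventory. The inventory, the event records and the field names used for the lookup are constructed for the example.

```python
import ipaddress

# Constructed asset inventory (a hypothetical CMDB export), keyed by hostname.
ASSET_INVENTORY = {
    "WS-ACCT-01": {"ip": "10.1.20.15", "owner": "wally", "role": "workstation"},
    "FS-FIN-01": {"ip": "10.1.10.5", "owner": "finance-it", "role": "file-server"},
}
IP_TO_HOST = {a["ip"]: h for h, a in ASSET_INVENTORY.items()}

# Constructed events shaped like Windows logon records; "-" and "" stand for
# the missing IP address / hostname fields the text refers to.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "wally", "IpAddress": "-", "WorkstationName": "WS-ACCT-01"},
    {"EventID": 4624, "TargetUserName": "wally", "IpAddress": "10.1.10.5", "WorkstationName": ""},
    {"EventID": 4624, "TargetUserName": "svc-backup", "IpAddress": "10.1.20.15", "WorkstationName": "FS-FIN-01"},
    {"EventID": 4624, "TargetUserName": "guest", "IpAddress": "-", "WorkstationName": ""},
    {"EventID": 4624, "TargetUserName": "guest", "IpAddress": "10.1.20.999", "WorkstationName": ""},
]

def valid_ip(value):
    """True for a well-formed address; '-', '' and garbage all count as missing."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def enrich(event):
    """Fill a missing host/IP from the inventory, attach owner/role, record quality flags."""
    e = dict(event)
    flags = []
    host = e.get("WorkstationName") or None
    ip = e.get("IpAddress") if valid_ip(e.get("IpAddress", "")) else None
    if e.get("IpAddress") not in ("-", "", None) and ip is None:
        flags.append("bad_ip")                     # present but unparseable
    if host is None and ip is not None:
        host = IP_TO_HOST.get(ip)
        flags.append("host_from_inventory" if host else "unknown_ip")
    if ip is None and host is not None:
        ip = ASSET_INVENTORY.get(host, {}).get("ip")
        flags.append("ip_from_inventory" if ip else "unknown_host")
    if host is None and ip is None:
        flags.append("unattributable")             # nothing left to correlate on
    asset = ASSET_INVENTORY.get(host, {})
    if asset and ip and asset["ip"] != ip:
        flags.append("host_ip_mismatch")           # log contradicts inventory
    e.update({"WorkstationName": host or "", "IpAddress": ip or "",
              "AssetOwner": asset.get("owner", ""), "AssetRole": asset.get("role", ""),
              "flags": flags})
    return e
```

Events that come out flagged `unattributable` or `host_ip_mismatch` are the ones worth routing to an analyst rather than silently dropping.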
Technology choices must be made to make the security team’s performance easier and more effective. Before purchasing an expensive commercial solution, a proof of concept using open source solutions might be deployed to show the value of use cases under consideration.
The third problem, alert fatigue, is a source of error and talent attrition. When an analyst is dedicated to pure alert triage, the work can be mind-numbing and dull valuable skills. Many talented analysts will pursue other roles. Another consequence of alert fatigue is human error. It’s easy for someone to miss one step in a triage process that’s done tens or hundreds of times each day.
Tuning your SIEM
Redbot Technologies’ SIEM-as-a-Service offering is Next Gen and the ideal solution for small to medium-sized businesses, allowing customers to benefit from a SIEM at a fraction of the cost. Our system collects logs from end-user devices, server environments, and security devices and software, including firewalls, intrusion detection/prevention systems and endpoint anti-virus software. Events are carefully monitored and analyzed by our in-house SOC (Security Operations Center) to determine real-time threats and attacks.
Redbot Denver can offer our services to assist customers with SIEM product selection, deployment, management and tuning, or as fully hosted and managed service solutions monitored 24×7, relieving staff of SIEM management and enabling resources to focus on other areas.
Redbot is an HPE / Aruba Partner. Aruba ClearPass OnGuard software agents perform advanced endpoint posture assessments on leading computer operating systems to ensure compliance is met before devices connect. Sharing NAC/AAA data with these solutions is essential to any access-layer security strategy. ClearPass integrates with SIEM systems like QRadar, ArcSight and Splunk to share session logs, audit events, event records and other syslog data. Contextual data shared by ClearPass enables SIEM systems to rapidly pinpoint security threats and policy violations.
Running on the Aruba ClearPass Policy Manager platform, the advanced network access control (NAC) framework in ClearPass OnGuard offers exceptional safeguards against vulnerabilities. In addition to anti-virus, anti-spyware and personal firewall audits performed by traditional NAC products, OnGuard agents can perform additional posture and health checks to ensure a greater level of endpoint compliance.
Redbot Technologies is a USA based customer-centric engineering company whose focus is managed cyber security, solving core issues and helping organizations navigate the ever changing cyber threat landscape.
Redbot has two Network Operation Centers (NOCs), a Security Operation Center (SOC), multiple data centers, a robust team of senior-level engineers and the world’s top-ranked cyber security experts. We add tremendous value and cost savings to any business, large or small. Our core focus is cyber security, and our service model begins with Security Assessments and Policy and Compliance Reviews and continues with remediation, development and deployment of next generation cyber security solutions, managed.
Redbot Technologies provides a full suite of best-in-class data security services and solutions, setting a new standard in cyber security strategies. We identify and remediate threats, risks and vulnerabilities, helping our customers deploy and manage leading-edge technology that protects and defends.