Security Incident and Event Management (or SIEM) refers to the cyber security products and services that can be used by organisations to monitor and alert staff as well as provide real time analysis on cyber security status.

How does SIEM work?

SIEM encompasses a suite of cyber security products and services tailored to empower organisations with proactive threat detection and rapid incident response capabilities. A SIEM solution works by collecting security logs, normalising data and then using this data to tease out any interesting patterns. These logs can come from multiple sources within an enterprise network infrastructure, including servers, systems, devices and applications from the perimeter of the network to end users. After this data has found any interesting patters, it can be researched by to determine whether or not a security threat has been detected. A SIEM solution will be able to provide a centralised view with context, additional insights and information on users, assets and more. Once this data has been researched, a confirmation or deletion can be made.

Data sources include:

• Network devices such as routers, switches, bridges, wireless access points, modems, line drivers, hubs.
• Servers including web, proxy, mail and FTP
• Security devices including IDP/IPS, firewalls, antivirus software, content filter devices and intrusion detection appliances.

Attributes that may be analysed include:

• Users
• Event types
• IP addresses
• Memory
• Processes

Deviations in any regular activity can be found through actions like:

• Failed login attempts
• Account changes
• Potential malware

These deviations will be able to trip up the SIEM tools so that the system will alert cyber security analysts. The system can also be set up to suspend the unusual activity to give time to cyber security staff to investigate this activity. You can set the guidelines for what triggers an alert and establish which procedures are required for dealing with any suspicious activity and potential malicious activity based on your organisational security needs.

SIEM Tools

SEIM tools and technologies can vary from basic log management tools and alerts to robust dashboards, machine learning and the ability to conduct deep dives and analysis into historical data from data sources. Some leading tools for SIEM solutions can include:

• A dashboard overview of any notable events in your environment that could represent potential security incidents.
• A workbook tool of all open investigations allowing the cyber security team to track progress and activity while investigating multiple incidents at once.
• Risk analysis tool that identifies risk of systems and users across the enterprise network.
• Threat and protocol intelligence tools that allow for context and captured data in security investigations.
• User intelligence tools that allow the team to investigate and monitor activity of users and assets in the network.
• Web intelligence tools to analyse web traffic within your network environment.

Changes to Traditional SIEM

Non-traditional tools are beginning to make their appearance in the modern SIEM space, in particular, behaviour analytics. User Behaviour Analytics (or UBA) can be used to discover internal and external security threats and is becoming increasingly commonly used in SIEM.

This type of analysis would be nearly impossible to perform manually but a SIEM tool can make it happen with just a few clicks. Modern SIEM solutions can be deployed on premises, in the cloud or in a hybrid environment and is designed to easily scale as an organisation changes and grows.

SIEM in the Security Operations Centre (SOC)

SIEM provides analytics to the SOC with consolidated insights from analysis of event data that can often be too varied and voluminous for manual review. SIEM analysis of machine data and log files can surface malicious activity and trigger automated responses, significantly improving response time against any potential attacks against an organisation. SIEM is now a vital component for a modern SOC’s task of responding to any potential attacks. Whether threats are internal or external, SIEM provides simplified threat management and provides clear, organisation wide visibility and security intelligence.

Getting Started with SIEM In Your Organisation

Before making any moves towards SIEM solutions, the best thing to do is understand the existing needs of your organisation, the risks inherent to your industry and spend time finding the right solution that will scale with your business as it grows. It is important to remember that while most SIEM tools can typically apply to all organisations, some tools and rules might not be necessarily the priorities of your business. The needs and objectives of different organisations can vary widely, so it’s important to personalise to what your network requires.

Factors that can help you guide decision making and implementation of SIEM can include:

• Your budget
• Your network size
• Your compliance obligations
• What type of data is available within your network
• The level of internal and external expertise that have the ability to manage and maintain the SIEM
• Where the organisation is growing and at what rate

Once ready to make a decision, some tools and features to look for in an SIEM can include:

• Real time monitoring of attacks
• Automated incident response
• User monitoring tools to determine and deter internal threats
• Threat intelligence tools to identify key threats and weaknesses in security posture
• Advanced analytics and machine learning to provide sophisticated quantitative methods including statistics, descriptive and predictive data, simulation and optimisation to provide deeper insight.
• Advanced threat detection to adapt to advanced threats that may bypass firewalls and intrusion protection systems.

Maintaining Your SIEM Tools

1. Do not fix and forget! Once an SIEM solution is deployed, the tool will only work with proper maintenance. Even the most intuitive tools require you to continually review the system and make any adjustments required as your business adapts to change.
2. Establish procedures and monitor them closely. These procedures should include criteria for generating alerts and determining the actions that the tool will make in response to any suspicious activity. Make any changes required as time passes to reduce the amount of false alarms.
3. Employ the required team to keep your SIEM solution well oiled. Your team should be trained to implement, maintain and continually finetune solution to keep with the changing IT and security landscape.

BluBiz’ Value Proposition For SIEM

At BluBiz Solutions, we specialise in delivering tailored SIEM solutions designed to address the evolving cyber security challenges faced by organisations. We work with some of the leading SIEM solution providers, such as Splunk, Rapid7, LogRythm, Elastic Security FortiSIEM to name a few. With decades of collective experience and a customer-centric approach, we are committed to providing end-to-end support, from initial consultation to ongoing management and support.

From initial consultation to planning, design, implementation and management, BluBiz offers end to end management and support in delivering services for our clients. Our 24/7 Network Operations Centre and Security Operations Centre provides proactive and real-time management of enterprise networks, increasing the uptime for our clients.

For more information on how a SIEM solution can help your organisation, contact our Sales Team today.