Advertisment

SIEM: A half-baked approach?

author-image
Voice&Data Bureau
New Update
mohanty

Rajat Mohanty

Advertisment

According to many organizations today, Security Information and Event Management (SIEM) is a high maintenance security solution that adds minimal value to the security bearing of the organization. A lot of organizations have not been able to reap even 50% of the true potential of the SIEM solution, which reduces it to a tool used for generating reports to satisfy auditors and to comply with regulatory requirements.

One of the major reasons for this is lack of effective usage which makes SIEM solution just a box that generates a huge number of alerts with no actionable steps to take. These non-actionable alerts impact people’s SIEM alerts and consequently these solutions become no less than a noisy Intrusion Detection System, which are ultimately not taken seriously. In fact the team monitoring the solution either takes the alerts lightly or ignores them completely.

Before reaching any conclusion, it is of prime importance to first understand the technology behind Security Information and Event Management. The technology behind SIEM helps safeguard sensitive information stored in databases of an enterprise. It uses a procedure that can present, store and gather security data. It creates an actionable security alert by processing the data and analyzing it through the implementation of a set of algorithms, discarding whatever is not needed.

Advertisment

In view of this usability, the enterprises need to understand how SIEM prioritizes events and creates actionable notifications from thousands of events in an enterprise, and how a security analyst can identify alerts that need immediate attention.

SIEM can be utilized to its fullest potential by building a security score. This can be created by detecting a few isolated incidences where abnormal activity is noticed. It seeks correlations between these which may include incidences like: originating from the same IP, originating from the same user, and threatening a specific high value asset. In such cases, these incidences are mostly not regarded as isolated instances and the analysts move on to the next step. The second step comprises including other criteria in the equation.

Thirdly, one must check for threats from outside and the target of the attackers. This is done by analyzing if these incidences are coming from blacklisted countries, if they are being repeated and are attacking two assets at the same time. When these parameters are met, the analysts know that it is time to issue a warning and that there may be a situation that needs attention.
The third set of criteria examined is the one preset by the personnel who created the algorithms. This set determines whether a simple notice is enough, or if automatic action is to be taken without further delay. For example, a user that has breached authorized access protocols and is trying to manipulate or download personnel information must immediately be cut off and banned from further access.

Advertisment

Therefore, it is of utmost importance to create the correct set of criteria. It is a frequent situation that these sets are overly aggressive and block out users who are not supposed to be blocked. Unfortunately, an even more frequent phenomenon is that it allows access to users who should have been blocked and banned.

It can be concluded that security is a matter of tools, people and policies. It revolves around equipping the security systems with the correct tools, algorithms, and criteria to identify the actual dangers in order to keep the critical and sensitive data from the hands of attackers.

Automation is a key tool here and helps resolve incidents before they snowball into a costly breach. As long as this system is kept up-to-date with the ever evolving threat landscape, an organization can keep its cyber security anxieties at bay.

Advertisment

The author is CEO & Co-Founder, Paladion Networks.

paladion-networks siem rajat-mohanty
Advertisment