“My organization’s IT ecosystem is an indispensable vault! It’s a hardened ecosystem that scales effortlessly with business demand, has defined boundaries, and each operational component lives within an impenetrable data center.”
Says absolutely no one—ever!
We all know the reality is much different. We manage complex, heavily regulated, IT-dependent ecosystems with blurred boundaries, dispersed geographies, remote-user needs and increasing adoption of software as a service (SaaS), internet of things (IoT) and hosted data centers. Stakeholders are increasingly technology-reliant, with a growing expectation of stability. On top of that, there is an implicit expectation that the ecosystem is both secure and able to sense risk.
Organizations are expected to maintain cyber incident management programs that include 24/7 monitoring, log management, and event response protocols. In this regard, a security information and event management (SIEM) system has become fundamental to security operations. SIEMs reduce dependency on the manual inspection processes performed by support personnel by providing a mechanized approach to collecting and analyzing logs from disparate systems across the network, building trends and comparing events against threat intelligence databases.
Manual inspection of logs produced by network devices would require large teams and specialized training. In this regard, SIEM is an additional line of defense in the otherwise traditional security arsenal of firewalls, intrusion detection or prevention tools, antivirus and multifactor systems, all of which depend on the response and continual attention of analysts. The digital fingerprints maintained by SIEMs not only alert operational teams to unusual traffic and zero-day threats but also assist in post-event analysis and forensic examinations. The effectiveness of a layered defense strategy is considerably reduced without a continual, complementary monitoring and analysis solution.
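The collection, normalization, correlation and threat-intelligence comparison described in the two paragraphs above can be shown end to end in a small script. The following is an added illustration written for this article, not code from any SIEM product: it ingests two constructed feeds (a firewall log and an SSH authentication log), merges them into one timeline, matches source addresses against a constructed indicator list, applies a sliding-window failed-login rule, escalates when a later successful login follows that pattern, and produces the per-source event counts a trend report would start from. All hostnames, addresses, indicator values and thresholds are made up for the example.

```python
"""Minimal SIEM-style pipeline: collect heterogeneous logs, normalize them into a
common schema, correlate across sources and time, and compare against a
threat-intelligence list. Added illustration; every sample line and indicator
below is constructed for the example and is not a real indicator of compromise."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed threat-intelligence feed (hypothetical indicators, documentation ranges only).
THREAT_INTEL_IPS = {"203.0.113.77", "198.51.100.9"}

# Constructed sample feeds from two disparate systems: a firewall and an SSH server.
FIREWALL_LOG = """\
2024-03-01T10:00:01Z fw01 DENY src=203.0.113.77 dst=10.0.0.5 dport=22
2024-03-01T10:00:05Z fw01 ALLOW src=192.0.2.10 dst=10.0.0.5 dport=443
2024-03-01T10:01:30Z fw01 DENY src=203.0.113.77 dst=10.0.0.6 dport=3389
"""
AUTH_LOG = """\
2024-03-01T10:02:00Z srv01 sshd: Failed password for admin from 192.0.2.10
2024-03-01T10:02:03Z srv01 sshd: Failed password for admin from 192.0.2.10
2024-03-01T10:02:07Z srv01 sshd: Failed password for admin from 192.0.2.10
2024-03-01T10:02:09Z srv01 sshd: Failed password for admin from 192.0.2.10
2024-03-01T10:02:11Z srv01 sshd: Failed password for admin from 192.0.2.10
2024-03-01T10:09:00Z srv01 sshd: Accepted password for admin from 192.0.2.10
"""

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def _ts(s):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_firewall(text):
    """Normalize firewall lines into the common event schema; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts, host, action, src, dst, dport = m.groups()
        events.append({"ts": _ts(ts), "source": "firewall", "host": host, "src_ip": src,
                       "dst_ip": dst, "action": action, "port": int(dport)})
    return events


def parse_auth(text):
    """Normalize sshd lines into the same schema so rules can treat both feeds alike."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, host, outcome, user, src = m.groups()
        events.append({"ts": _ts(ts), "source": "auth", "host": host, "src_ip": src,
                       "action": outcome.upper(), "user": user})
    return events


def collect(*feeds):
    """Merge normalized events from every feed into one time-ordered stream (the correlation basis)."""
    return sorted((e for feed in feeds for e in feed), key=lambda e: e["ts"])


def correlate(events, threshold=5, window=timedelta(seconds=60), followup=timedelta(minutes=10)):
    """Apply three rules over the merged stream and return the alerts they raise."""
    alerts = []
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failed logins
    brute_forced = {}               # src_ip -> time the brute-force rule last fired
    for e in events:
        # Rule 1: any event whose source address is on the threat-intelligence list.
        if e["src_ip"] in THREAT_INTEL_IPS:
            alerts.append({"rule": "threat_intel_match", "severity": "medium",
                           "src_ip": e["src_ip"], "ts": e["ts"]})
        # Rule 2: `threshold` failed logins from one address inside a sliding window.
        if e["source"] == "auth" and e["action"] == "FAILED":
            q = failures[e["src_ip"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) == threshold:  # fires once as the window reaches the threshold
                brute_forced[e["src_ip"]] = e["ts"]
                alerts.append({"rule": "brute_force", "severity": "medium",
                               "src_ip": e["src_ip"], "ts": e["ts"]})
        # Rule 3: a successful login shortly after that address tripped rule 2.
        if e["source"] == "auth" and e["action"] == "ACCEPTED":
            last = brute_forced.get(e["src_ip"])
            if last is not None and e["ts"] - last <= followup:
                alerts.append({"rule": "brute_force_then_success", "severity": "high",
                               "src_ip": e["src_ip"], "ts": e["ts"]})
    return alerts


def trends(events):
    """Count events per (source, action): the raw material for a trend or audit report."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["source"], e["action"])] += 1
    return dict(counts)


def run():
    """Collect both constructed feeds, correlate, and summarize."""
    events = collect(parse_firewall(FIREWALL_LOG), parse_auth(AUTH_LOG))
    return events, correlate(events), trends(events)


if __name__ == "__main__":
    _, found, counts = run()
    for a in found:
        print(a["ts"].isoformat(), a["severity"].upper(), a["rule"], a["src_ip"])
    print(counts)
```

The point of the common schema is that the rules never look at the original log formats; adding a third feed means writing one more parser, not rewriting the rules. The sliding window and the follow-up correlation are also where the article's "continual upkeep" lands in practice: thresholds and windows are tuned per environment, and a rule set that is never revisited drifts toward either noise or silence.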
Most commercial, off-the-shelf SIEMs provide reporting capabilities that organizations can leverage for their compliance, audit, or certification needs. Organizations guided by regulatory frameworks (HIPAA, HITRUST, PCI-DSS, etc.) must demonstrate log management and event response procedures. In addition to operations support, a SIEM provides a continual audit trail and data assurance, helping maintain compliance with regulatory requirements. SIEM reporting can also be customized to assist with internal audit exercises, policy adherence reviews, and the creation of targeted security training exercises. Organizations have also been able to use data and trends from their SIEM to build roadmaps and processes that work toward industry certifications with specific requirements.
The ability to correlate, collect, and analyze logs is a fundamental necessity to a security program. So, with all these advantages, what’s stopping more organizations from adopting a SIEM?
To begin, implementation can be challenging from both training and expense perspectives. Organizations need to hire or train a specific skill set to maintain a SIEM. The effectiveness of a SIEM relies on the logs—the feeds—routed to it, as well as on the continual upkeep, management, and maintenance of its configuration and rule sets. While SIEMs reduce the dependency on operations staff for ongoing monitoring of disparate tools, many organizations struggle to source skilled staff to implement, maintain, or manage an on-premises SIEM system. Several have leveraged a managed security service (MSS) to assist with some or all of these challenges and have found this to be an effective and affordable option.
Additionally, some organizations hesitate to invest, as several SIEMs are as yet unable to provide insight into technologies outside the organization’s direct governance, such as cloud services or hosted technologies. Many would rather invest in a slightly dated system than experiment with a transitional arrangement.
The future is not sans-SIEM. Though SIEMs have come a long way from the static, rule-based intelligence they offered when first developed, the improvement has been, and will continue to be, incremental. The evolution will be gradual, because of the amount of data learning required to catch up with or follow new technology.
Future development will complement technology trends and specialized industry needs; examples include the growth in SIEM capabilities around medical device monitoring and cloud-based SIEMs as a logical evolution. Additionally, while advanced analytics will reduce the need for human intervention, it will never completely replace the need for human interpretation of security events or evaluation of false positives. With the increasing emphasis of security programs on risk management and layered defense models, the reliance on, and symbiotic relationship with, SIEMs will only continue to increase.