SIEM is an acronym for Security Information and Event Management. These applications, bought as software, appliances or even managed services are often the central point of an organisation’s security defence, spanning networks, branch offices and even continents if necessary.
Wikipedia defines SIEM as follows: “In the field of computer security, security information and event management (SIEM), software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware” (https://en.wikipedia.org/wiki/Security_information_and_event_management).
However, as with every other aspect of security today, information security, while the popular child in a dysfunctional family, is no longer enough. In an IoT (internet of things) world, including the physical security world, everything is connected, and if it is connected, it is a risk. Hi-Tech Security Solutions asked Alexei Parfentiev, lead analyst at SearchInform, to discuss what today’s SIEM applications look like and whether they are incorporating monitoring the IoT and physical security risks we all face.
Hi-Tech Security Solutions: How important is being cybersecurity aware when installing, using or maintaining physical security or other IoT equipment? Are end users aware of the cybersecurity dangers of connecting all these products?
Parfentiev: Awareness and understanding are important, since the integration of physical and information security into a single analytical process can provide new information security tools and better threat detection. Moreover, IoT devices should be regarded as fully valid members of the corporate IT infrastructure, so the requirements should be the same. The end user is rarely aware of all the cybersecurity dangers linked to IoT, because convenience is more important for them, that is why the security service has to gain control of the situation.
HSS: Are there SIEM systems out there that can assist in managing the cybersecurity posture of integrated security systems (meaning integrated physical, digital and IoT security)?
Parfentiev: SIEM is the software that helps in managing cybersecurity. The connection of physical security automation tools (smart cameras, access control systems, security alarms, etc.) to a SIEM system is directly related to security. Such a combination makes it possible to detect a number of risks that are simply impossible to identify at the logging level while using classical systems. It is clear that, if a person carries out activities on the server being out of the building, and remote access to the server is prohibited, this is a problem. To detect such violations, there is no need to check tons of logs manually, it is enough to connect a SIEM system with ACS.
When a client decides to make IoT a part of own IT infrastructure, each IoT device has to be treated as a full-fledged host with its own operating system, vulnerabilities and functionalities. I do not see a fundamental difference between the control of a user node, network device or IoT equipment. The main thing is to assess all the possible risks and be prepared for mitigation or prevention.
HSS: How do SIEM systems balance the traditional role of protecting information assets and the newer tasks of managing data to and from other devices that are not part of traditional security operations? What do these systems do to protect against malware, hacks and other attempts at intrusion or sabotage?
Parfentiev: It is important to understand that a SIEM system itself does not protect against anything: its capabilities directly depend on the capabilities of the software, devices, and equipment to which it is connected. If there is an intelligent IDS / IPS (intrusion detection system / intrusion prevention system) inside the network, SIEM will enhance its capabilities, but if there is no IDS / IPS, then SIEM will not perform its tasks. The same situation with regard to the antivirus software. When installed, it works on users’ devices and on all operating systems and detects viruses at the network traffic level, the SIEM system optimises the work of the antivirus program.
This is a key point for understanding the operation of the SIEM system. Its task is not to provide fundamentally new opportunities in terms of security, but to reduce the response time to an incident and to provide a deeper understanding of it. The integration of SIEM with the products such as antivirus, IDS, IPS or DLP (data leak prevention) used by the company to protect against insider attacks or internal actions advances the functionality of these products, allowing you to maximise the effect of each element.
Information security is a continuous process that requires an integrated approach and comprehensive analysis. Moreover, the tendency to integrate security solutions into one system is supported by both regulators and information security experts.
We implement this in our product line that includes SearchInform SIEM and SearchInform DLP. SearchInform SIEM recognises abnormal behavior and determines how data access was granted, and SearchInform DLP analyses the contents of communication. The system integration makes it possible to fully investigate a crime and gather evidence. This greatly increases the level of information security.
HSS: For companies looking for a SIEM solution, what are the features and functionality they should expect from their SIEM?
Parfentiev: Companies need to focus only on two key points. The first point is that out-of-the-box SIEM system should be maximally adapted to the infrastructure and tasks of the customer, and it should start solving its problems immediately after the installation. If the system has potentially huge opportunities for setup, customisation, etc., the process will take several months and all this time the infrastructure will not be protected.
There are out-of-the-box systems on the market that solve 70% to 80% of typical tasks, and that's exactly the systems that have to be chosen. We develop our SIEM solution along these lines.
The second point is that SIEM systems require extremely strong and user-friendly customisation. It is not necessary to invent a new logical programming language to create rules and generally complicate the process to make a fully customisable system. The greatest efficiency is shown by the SIEM systems that allow you to create complex rules through a graphical interface, because in this case a customer understands and adjusts the rules.
HSS: Given the vast amount of data being generated today, is it possible to monitor this data in real time to prevent breaches or malware infection? What capabilities can be used to provide real-time warnings of potential problems?
Parfentiev: In real time, you can detect threats based on content. Many context-based threats require time for analysis, since it is necessary to monitor not a single event, but a whole cycle or chain.
I want to draw your attention to the fact that there are two fundamentally different approaches: some systems analyse the content and others the context. A SIEM system allows you to analyse any context very well and it can be a powerful complement to the systems that analyse the content itself. It is necessary to analyse the content of the transmitted data amount to prevent data leakages, and this is what a DLP system does.
© Technews Publishing (Pty) Ltd | All Rights Reserved