It’s not wise to go SIEMless

1 August 2019 Information Security, Security Services & Risk Management

SIEM is an acronym for Security Information and Event Management. These applications, bought as software, appliances or even managed services, are often the central point of an organisation’s security defence, spanning networks, branch offices and even continents if necessary.

Wikipedia defines SIEM as follows: “In the field of computer security, security information and event management (SIEM), software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware” (https://en.wikipedia.org/wiki/Security_information_and_event_management).

However, as with every other aspect of security today, information security, while the popular child in a dysfunctional family, is no longer enough. In an IoT (internet of things) world, including the physical security world, everything is connected, and if it is connected, it is a risk. Hi-Tech Security Solutions asked Alexei Parfentiev, lead analyst at SearchInform, to discuss what today’s SIEM applications look like and whether they incorporate monitoring of the IoT and physical security risks we all face.

Hi-Tech Security Solutions: How important is being cybersecurity aware when installing, using or maintaining physical security or other IoT equipment? Are end users aware of the cybersecurity dangers of connecting all these products?

Parfentiev: Awareness and understanding are important, since the integration of physical and information security into a single analytical process can provide new information security tools and better threat detection. Moreover, IoT devices should be regarded as fully valid members of the corporate IT infrastructure, so the requirements should be the same. The end user is rarely aware of all the cybersecurity dangers linked to IoT, because convenience is more important for them, which is why the security service has to gain control of the situation.

HSS: Are there SIEM systems out there that can assist in managing the cybersecurity posture of integrated security systems (meaning integrated physical, digital and IoT security)?

Parfentiev: SIEM is the software that helps in managing cybersecurity. The connection of physical security automation tools (smart cameras, access control systems, security alarms, etc.) to a SIEM system is directly related to security. Such a combination makes it possible to detect a number of risks that are simply impossible to identify at the logging level while using classical systems. It is clear that, if a person carries out activities on the server while out of the building, and remote access to the server is prohibited, this is a problem. To detect such violations, there is no need to check tons of logs manually; it is enough to connect a SIEM system with the ACS.

When a client decides to make IoT a part of its own IT infrastructure, each IoT device has to be treated as a full-fledged host with its own operating system, vulnerabilities and functionalities. I do not see a fundamental difference between the control of a user node, network device or IoT equipment. The main thing is to assess all the possible risks and be prepared for mitigation or prevention.
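The ACS-to-SIEM correlation Parfentiev describes (a console login on a server by someone the door readers say is not in the building, or a remote login where remote access is prohibited) can be expressed as a small stateful rule. The following is an added example written for this article, not SearchInform code; the badge and login event formats, user names, host name and timestamps are all constructed for the illustration, and both sources are assumed to share a synchronised clock.

```python
"""Correlate door-access (ACS) badge events with server login audit events.

Added example, not SearchInform's product code. The two event formats below
are constructed for this illustration; a real SIEM would normalise its own
connector output into the same shape.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events from the badge readers (ACS) ...
ACS_EVENTS = """\
2019-08-01T08:02:11 BADGE user=alice door=main-entrance direction=in
2019-08-01T08:10:40 BADGE user=bob door=main-entrance direction=in
2019-08-01T12:30:05 BADGE user=bob door=main-entrance direction=out
2019-08-01T17:45:00 BADGE user=alice door=main-entrance direction=out
"""

# ... and from the server's own login audit (console = physically at the host).
SERVER_EVENTS = """\
2019-08-01T09:15:22 LOGIN host=db01 user=alice method=console result=success
2019-08-01T13:05:10 LOGIN host=db01 user=bob method=console result=success
2019-08-01T14:20:00 LOGIN host=db01 user=carol method=console result=success
2019-08-01T16:00:00 LOGIN host=db01 user=alice method=ssh result=success
"""


@dataclass
class Event:
    ts: datetime
    kind: str          # "BADGE" or "LOGIN"
    fields: dict       # key=value pairs from the log line


def parse_events(text: str) -> list:
    """Parse 'timestamp KIND key=value ...' lines into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append(Event(datetime.fromisoformat(ts), kind, fields))
    return events


def correlate(acs_text: str, server_text: str, remote_allowed: bool = False) -> list:
    """Walk both streams in time order, tracking who is inside the building.

    Returns (timestamp, user, reason) tuples for:
      * a successful console login by a user not currently badged in;
      * a successful non-console (remote) login when remote access is prohibited.
    """
    events = sorted(parse_events(acs_text) + parse_events(server_text), key=lambda e: e.ts)
    present = set()      # users whose last badge event was direction=in
    alerts = []
    for ev in events:
        if ev.kind == "BADGE":
            user = ev.fields["user"]
            if ev.fields["direction"] == "in":
                present.add(user)
            else:
                present.discard(user)
        elif ev.kind == "LOGIN" and ev.fields.get("result") == "success":
            user = ev.fields["user"]
            if ev.fields["method"] != "console":
                if not remote_allowed:
                    alerts.append((ev.ts.isoformat(), user, "remote access prohibited"))
            elif user not in present:
                alerts.append((ev.ts.isoformat(), user, "console login without badge-in"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in correlate(ACS_EVENTS, SERVER_EVENTS):
        print(f"{ts} {user}: {reason}")
```

Neither log on its own flags anything: every login succeeded and every badge swipe was valid. Only the joined view shows bob logging in at the console after badging out, carol logging in without ever badging in, and alice's SSH session against a server where remote access is prohibited.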

HSS: How do SIEM systems balance the traditional role of protecting information assets and the newer tasks of managing data to and from other devices that are not part of traditional security operations? What do these systems do to protect against malware, hacks and other attempts at intrusion or sabotage?

Parfentiev: It is important to understand that a SIEM system itself does not protect against anything: its capabilities directly depend on the capabilities of the software, devices, and equipment to which it is connected. If there is an intelligent IDS / IPS (intrusion detection system / intrusion prevention system) inside the network, SIEM will enhance its capabilities, but if there is no IDS / IPS, then SIEM will not perform its tasks. The same applies to antivirus software: once installed, it works on users’ devices and on all operating systems and detects viruses at the network traffic level, while the SIEM system optimises the work of the antivirus program.

This is a key point for understanding the operation of the SIEM system. Its task is not to provide fundamentally new opportunities in terms of security, but to reduce the response time to an incident and to provide a deeper understanding of it. The integration of SIEM with products such as antivirus, IDS, IPS or DLP (data leak prevention), used by the company to protect against insider attacks or internal actions, advances the functionality of these products, allowing you to maximise the effect of each element.

Information security is a continuous process that requires an integrated approach and comprehensive analysis. Moreover, the tendency to integrate security solutions into one system is supported by both regulators and information security experts.

We implement this in our product line, which includes SearchInform SIEM and SearchInform DLP. SearchInform SIEM recognises abnormal behaviour and determines how data access was granted, and SearchInform DLP analyses the contents of communication. The system integration makes it possible to fully investigate a crime and gather evidence. This greatly increases the level of information security.

HSS: For companies looking for a SIEM solution, what are the features and functionality they should expect from their SIEM?

Parfentiev: Companies need to focus on only two key points. The first point is that an out-of-the-box SIEM system should be maximally adapted to the infrastructure and tasks of the customer, and it should start solving the customer’s problems immediately after installation. If the system has potentially huge opportunities for setup, customisation, etc., the process will take several months, and all this time the infrastructure will not be protected.

There are out-of-the-box systems on the market that solve 70% to 80% of typical tasks, and those are exactly the systems that should be chosen. We develop our SIEM solution along these lines.

The second point is that SIEM systems require extremely strong and user-friendly customisation. It is not necessary to invent a new logical programming language to create rules and generally complicate the process to make a fully customisable system. The greatest efficiency is shown by the SIEM systems that allow you to create complex rules through a graphical interface, because in this case a customer understands and adjusts the rules.

HSS: Given the vast amount of data being generated today, is it possible to monitor this data in real time to prevent breaches or malware infection? What capabilities can be used to provide real-time warnings of potential problems?

Parfentiev: In real time, you can detect threats based on content. Many context-based threats require time for analysis, since it is necessary to monitor not a single event, but a whole cycle or chain.

I want to draw your attention to the fact that there are two fundamentally different approaches: some systems analyse the content and others the context. A SIEM system allows you to analyse any context very well, and it can be a powerful complement to the systems that analyse the content itself. It is necessary to analyse the content of the transmitted data to prevent data leakages, and this is what a DLP system does.
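The content-versus-context distinction in the last two answers comes down to state: a content rule can decide on a single event the moment it arrives, while a context rule has to hold earlier events and can only fire once the chain completes. The following added example (written for this article; not SearchInform code, and the messages, account names and timestamps are constructed) puts one of each side by side: a DLP-style check for Luhn-valid card-like numbers in outbound text, and a SIEM-style chain rule for repeated failed logins followed by a success within a time window.

```python
"""Content-based (stateless) vs context-based (stateful) detection.

Added example, not SearchInform code. Sample messages and login events are
constructed for this illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# 16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def content_rule(message: str) -> list:
    """Stateless: decided on one message alone, so it can run in real time.

    Returns the Luhn-valid card-like numbers found in the message text.
    """
    hits = []
    for m in CARD_RE.finditer(message):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def context_rule(events: list, threshold: int = 3,
                 window: timedelta = timedelta(minutes=5)) -> list:
    """Stateful: needs the whole chain, so the alert is necessarily delayed.

    `events` are (timestamp, user, "fail"|"success") tuples in time order.
    Fires when a user has >= `threshold` failures inside `window` and then
    a success. Returns (timestamp, user, reason) tuples.
    """
    failures = defaultdict(deque)   # per-user timestamps of recent failures
    alerts = []
    for ts, user, result in events:
        q = failures[user]
        while q and ts - q[0] > window:     # forget failures outside the window
            q.popleft()
        if result == "fail":
            q.append(ts)
        elif result == "success":
            if len(q) >= threshold:
                alerts.append((ts.isoformat(), user, f"{len(q)} failures then success"))
            q.clear()
    return alerts


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed login audit: bob's chain completes; alice's lone failure is stale.
LOGIN_EVENTS = [
    (_t("2019-08-01T10:00:00"), "bob", "fail"),
    (_t("2019-08-01T10:00:20"), "bob", "fail"),
    (_t("2019-08-01T10:00:45"), "bob", "fail"),
    (_t("2019-08-01T10:01:10"), "bob", "success"),
    (_t("2019-08-01T11:00:00"), "alice", "fail"),
    (_t("2019-08-01T11:30:00"), "alice", "success"),
]

# Constructed outbound message: one real-looking PAN and one that fails Luhn.
OUTBOUND_MESSAGE = "please bill 4111 1111 1111 1111, ref 1234 5678 9012 3456"


if __name__ == "__main__":
    print("content hits:", content_rule(OUTBOUND_MESSAGE))
    print("context alerts:", context_rule(LOGIN_EVENTS))
```

The content rule has no memory, which is what lets it block a message inline; the context rule cannot say anything about bob's first two failures until the fourth event arrives, which is the delay Parfentiev refers to when he says context-based threats "require time for analysis".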

For more information contact Condyn, +27 12 683 8816, [email protected], www.condyn.net

© Technews Publishing (Pty) Ltd. | All Rights Reserved.