Conventional security strategies are constantly being challenged by newer and smarter threats, advanced persistent threats (APTs) and advanced evasion techniques (AETs) among them. CISOs and CIOs are treading carefully, because defence strategies built on perimeter controls and known signatures are being bypassed with little effort.
Most high-end strategies lack one thing: a single dashboard view. Only an analytics- and intelligence-driven security strategy can produce the right security solution. A robust Security Information and Event Management (SIEM) process is the basic step required to achieve a single dashboard view across all the security technologies deployed. SIEM was once mainly a tool for demonstrating compliance with standards, but it can equally be used to generate that centralised view. The data it gathers can be used to correlate a threat with its prevention and mitigation, by analysing structured and unstructured data: logs, network traffic, and some of the billions of events that occur in an enterprise every day.
However, matching logs against static rules and signatures does not let a SIEM see new threats like APTs, whose individual steps often look legitimate. So a new wave of SIEM products has been developed that monitors all traffic and logs to detect specialised, business-specific threats using current intelligence. They can zero in on attacks that are happening or about to happen from data flowing through email, documents, social media, audio, network traffic, click streams, accessed files, registry changes, anywhere. The SIEM makes security sense of all this data, in terms of a possible event or offence, using 'adaptive intelligence': it learns what normal network and user behaviour looks like over a period of time and can flag a deviation from that baseline almost immediately. This new generation of SIEM substantially improves the ability to pre-empt threats, with one caveat a practitioner should keep in mind: a baseline only detects what differs from the past, so the learning period itself must be reviewed to make sure an attacker who is already present is not learned as normal.
Even this state-of-the-art SIEM has to be kept up to date alongside the related technologies it depends on, because tuning it is an iterative process. For example, self-learning algorithms are increasingly available to automate rule writing, but human intervention is still required to decide which offences are business-critical and to tune out false positives. A good managed security services (MSS) partner could be the answer here.
In addition, global threat-intelligence feeds complement a SIEM's own baseline information, keeping it current to some degree. These feeds could carry warnings about malicious IP addresses or the latest information on threats detected globally; the SIEM matches these indicators against the addresses and other fields in its own events to enrich and prioritise them.
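The three mechanisms described above (correlating raw log lines into an offence, baselining behaviour to catch deviations, and enriching events with a threat-intelligence feed) shown in a small Python script. This is an added example written for this page, not code from any SIEM product or from the article's author; the log lines, hosts, user names, login-count history, feed entries and thresholds are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample logs (hypothetical hosts, users and addresses). The kernel
# line has no matching parser and shows that unknown lines are skipped, not fatal.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z web01 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:03Z web01 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:04Z web01 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:06Z web01 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:09Z web01 sshd: Accepted password for alice from 10.0.0.5
2024-03-01T09:05:00Z web01 sshd: Accepted password for bob from 10.0.0.7
2024-03-01T09:06:00Z db01 sshd: Accepted password for carol from 203.0.113.9
2024-03-01T09:07:00Z web01 kernel: eth0 link up
2024-03-01T09:09:00Z db01 sshd: Accepted password for carol from 203.0.113.9
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Constructed baseline: successful logins per user on each of the past 7 days.
# carol is a service account that normally never logs in interactively.
BASELINE = {
    "alice": [3, 4, 3, 5, 4, 3, 4],
    "bob":   [2, 2, 3, 2, 2, 3, 2],
    "carol": [0, 0, 0, 0, 0, 0, 0],
}

# Constructed threat-intelligence feed: source IPs reported as malicious.
IOC_FEED = {
    "203.0.113.9":   "reported SSH scanner (constructed entry)",
    "198.51.100.20": "reported C2 node (constructed entry)",
}


def parse_logs(text):
    """Turn raw lines into structured events; lines the parser does not know are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def brute_force_offences(events, threshold=3, window=timedelta(minutes=1)):
    """Correlation rule: a success preceded by >= threshold failures from the
    same (ip, user) pair within the window is raised as one offence."""
    offences = []
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["ip"], ev["user"])].append(ev)
    for (ip, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["result"] != "Accepted":
                continue
            recent_fail = [e for e in evs[:i]
                           if e["result"] == "Failed" and ev["ts"] - e["ts"] <= window]
            if len(recent_fail) >= threshold:
                offences.append({"rule": "brute_force_then_success", "ip": ip,
                                 "user": user, "failures": len(recent_fail),
                                 "ts": ev["ts"]})
    return offences


def anomalous_users(events, baseline, z=3.0, min_sigma=0.5):
    """Behavioural check: flag users whose successful-login count today exceeds
    their own history by more than z standard deviations. Sigma is floored so a
    perfectly flat history (all zeros) still yields a usable threshold."""
    today = Counter(ev["user"] for ev in events if ev["result"] == "Accepted")
    flagged = {}
    for user, history in baseline.items():
        mu, sigma = mean(history), max(pstdev(history), min_sigma)
        observed = today.get(user, 0)
        if observed > mu + z * sigma:
            flagged[user] = observed
    return flagged


def enrich_with_intel(events, feed):
    """Tag every event whose source IP appears in the feed."""
    return [dict(ev, intel=feed[ev["ip"]]) for ev in events if ev["ip"] in feed]


def run_detections(text=SAMPLE_LOGS):
    """Run all three detections and return what a dashboard would show."""
    events = parse_logs(text)
    return {
        "offences": brute_force_offences(events),
        "anomalies": anomalous_users(events, BASELINE),
        "intel_hits": enrich_with_intel(events, IOC_FEED),
    }
```

On the constructed input, `run_detections()` raises one brute-force offence for alice from 10.0.0.5, flags carol as anomalous (two interactive logins against a history of none), and tags both carol events with the feed entry for 203.0.113.9. The three signals point at the same host and account, which is exactly the correlation a single dashboard is meant to surface; each one alone would be easy to dismiss.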
A robust security operations centre (SOC) is the best investment to make all of this manageable for any enterprise, instead of piecemeal solutions that may or may not talk to each other.
The function of the SIEM becomes even more crucial once the enterprise migrates to the cloud, because it can then give a holistic view of the security posture and exposure across the company. Logs and events generated in the cloud environment have to be collected there, by a collector or forwarder that runs in the provider's environment, and forwarded to the SIEM at the company's premises. Getting this in place requires negotiation with the provider: the contract should state which logs are delivered and how quickly, since any delay in this intelligence could be fatal to a timely response.
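A check for the delay the paragraph warns about, added here as an example (not from the article or any vendor): it measures how far behind the cloud collector's events arrive at the on-premises SIEM and reports the sources that breach an agreed limit. The source names, timestamps and the limit used in the usage note are all constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed records: (source, time the cloud system stamped the event,
# time the on-premises SIEM received it). Source names are hypothetical.
FORWARDED = [
    ("cloud-vpc-flow",    "2024-03-01T10:00:00Z", "2024-03-01T10:00:45Z"),
    ("cloud-vpc-flow",    "2024-03-01T10:01:00Z", "2024-03-01T10:01:50Z"),
    ("cloud-iam-audit",   "2024-03-01T10:00:00Z", "2024-03-01T10:20:00Z"),
    ("cloud-iam-audit",   "2024-03-01T10:05:00Z", "2024-03-01T10:31:00Z"),
    ("cloud-iam-audit",   "2024-03-01T09:55:00Z", "2024-03-01T10:22:00Z"),
    ("cloud-obj-storage", "2024-03-01T10:00:00Z", "2024-03-01T09:59:30Z"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def ingest_lag(records):
    """Per-source max and mean delay (seconds) between event time and receipt.
    A negative delay means the receiving clock is behind the sender; those
    sources are reported separately because their lag figures cannot be trusted."""
    lags = defaultdict(list)
    skewed = set()
    for source, event_ts, received_ts in records:
        delta = (parse_ts(received_ts) - parse_ts(event_ts)).total_seconds()
        if delta < 0:
            skewed.add(source)
            continue
        lags[source].append(delta)
    stats = {s: {"max": max(v), "mean": sum(v) / len(v)} for s, v in lags.items()}
    return stats, sorted(skewed)


def sla_breaches(records, max_lag_seconds):
    """Sources whose worst-case forwarding delay exceeds the agreed limit."""
    stats, _ = ingest_lag(records)
    return sorted(s for s, st in stats.items() if st["max"] > max_lag_seconds)
```

With a five-minute limit, `sla_breaches(FORWARDED, 300)` names only the IAM audit source, whose events arrive twenty to twenty-seven minutes late, and `ingest_lag` separately reports the object-storage source for clock skew. The practical consequence for detection is that a correlation rule with a one-minute window will never fire on a sequence whose later events arrive twenty minutes after the earlier ones, so ingestion lag should be alerted on in its own right, factored into rule windows, and only believed once the two environments agree on time (NTP on both sides).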
The caveat with SIEM is that it must turn data analysis into actionable intelligence to detect threats across the organisation; a stream of raw alerts is not that. If it is tuned to the company's needs and security status, and focused on business risk, the insights a SIEM provides can be the value everybody needs from their security strategy. Once turned into quick decisions by the teams working to SLAs, they can be priceless support.