By Steve Tylock
Not Just Log Monitoring
Saying Security Information and Event Management (SIEM) is just “Log Monitoring” is like saying the Mona Lisa is just a painting of a woman…
To be sure, at the most inclusive level, SIEM does include monitoring logs, just as the subject of the painting is a woman.
But let’s not throw the word “just” in there, ok?
Consider some of the regular events that happen in your typical technology environment:
- End users login
- Files get opened
- Emails get sent, received, and read
- Individuals look at web pages
- Remote workers access the network
- Clients get invoiced
- Bills get paid
- And occasionally, someone watches a cat video…
But also think about some of the not-so-good things that could happen:
- Users open up attachments with viruses
- Bandits probe the company’s technology defenses
- John suddenly logs in from a network in North Korea
- Mary copies every company network file to a thumb drive attached to her PC
- Nobody can get any work done because the network is flooded with requests
Each time one of these things happens, it leaves a potential trace, usually a log entry or an alert, that indicates it happened.
The sum total of all of these traces is a body of information. If we wanted to investigate, we would open up the book and review what happened.
So one question might be: how far back do the records go?
Another: how complete are they?
And completing this trifecta: have they been compromised?
If one really wants to know what has been happening, one should make sure that records go back “far enough”, include all of the important and significant sorts of events, and most certainly cannot be altered or erased by the very intruder, malware, or careless administrator whose activity they were meant to record. In practice that means shipping records off the host that produced them as soon as they are written, to a collector that the host cannot write back to, and keeping evidence that lets you prove nothing was changed or removed after the fact.
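The “have they been compromised?” question can be answered mechanically if each record is chained to the one before it. The following is an added example, not code from the original article or from any particular SIEM product: each stored record carries a SHA-256 hash over the previous hash and its own text, so editing, deleting, or truncating the history breaks a link. The sample records and the GENESIS value are constructed for illustration.

```python
import hashlib

# Starting value for an empty chain (an assumption for this example; any fixed constant works).
GENESIS = "0" * 64


def link(prev_hash, record):
    """Hash of one chain entry: SHA-256(previous hash || newline || record text)."""
    return hashlib.sha256((prev_hash + "\n" + record).encode()).hexdigest()


def chain(records):
    """Store records as (record, hash) pairs, each hash depending on everything before it."""
    prev, entries = GENESIS, []
    for rec in records:
        h = link(prev, rec)
        entries.append((rec, h))
        prev = h
    return entries


def verify(entries, expected_head):
    """Return None if the chain is intact and ends at expected_head, otherwise the
    index of the first entry that does not fit (len(entries) means the tail was cut)."""
    prev = GENESIS
    for i, (rec, h) in enumerate(entries):
        if link(prev, rec) != h:
            return i
        prev = h
    return None if prev == expected_head else len(entries)


# Constructed sample records (not real log data).
SAMPLE = [
    "2024-03-04T09:00:00 tom login_ok src=10.1.5.23",
    "2024-03-04T09:03:10 mary file_read /share/finance/q1.xlsx",
    "2024-03-04T09:04:00 tom login_ok src=203.0.113.9",
    "2024-03-04T09:05:30 bob login_fail src=198.51.100.7",
]


def demo():
    """Build the chain, then show that each kind of tampering is caught."""
    entries = chain(SAMPLE)
    head = entries[-1][1]          # the head hash must live off the host (e.g. on the collector)

    edited = list(entries)
    edited[2] = ("2024-03-04T09:04:00 tom login_ok src=10.1.5.23", entries[2][1])  # rewrite a record
    deleted = entries[:1] + entries[2:]                                             # erase a record
    truncated = entries[:2]                                                         # cut off the tail

    return {
        "intact": verify(entries, head),
        "edited": verify(edited, head),
        "deleted": verify(deleted, head),
        "truncated": verify(truncated, head),
    }


if __name__ == "__main__":
    print(demo())
```

The check only proves anything if the head hash (or a periodic copy of it) is held somewhere the monitored system cannot reach; an attacker with write access to both the records and the head can simply recompute the chain. That is the reason to forward records to a separate collector rather than trust the host's own log files.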
Now we can turn our attention to what we can do with all of this event information – put the clues together.
Let’s take care of the obvious alerts first: single events that are unusual on their own.
- Virus reported on a PC
- Email phishing attempt
- Rogue WiFi Access Point detected on the network
Each of those events, on its own, should generate an alert and a response, and may call for an investigation.
But then we can also put a few different points of data together.
- Would a user really try to log in an excessive number of times? Say 10,000, 1,000, or even 100?
- Is a user really going to completely read every file on the server at one time?
- And is a user going to edit 50 files in a row?
- Or if Tom has logged into the system from the office network, why would Tom be trying to log in from another location while that session is still active?
A baseline of normal activity for each user and system can be compared with what is happening today, this week, or over the last 30 days, and the deviations gathered into a dossier for further follow-up.
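The correlation rules described above, as an added example rather than code from the original article or any vendor's product: a small set of constructed log lines (no real data) is run through a brute-force threshold, a mass-read threshold, a “50 edits in a row” run detector, a two-locations-at-once check, and a comparison of today’s activity against a 30-day baseline. The record format, the thresholds, the /24 “same network” rule, and the user names are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed records (not real logs): ISO timestamp|user|action|detail|source IP."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    lines = []
    # 30 prior days of normal activity: mary reads five files a day (her baseline).
    for d in range(30, 0, -1):
        day = base - timedelta(days=d)
        for i in range(5):
            lines.append(f"{(day + timedelta(minutes=i)).isoformat()}|mary|file_read|/share/doc{i}.docx|10.1.5.40")
    # Today: 120 failed logins against bob's account in ten minutes.
    for i in range(120):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()}|bob|login_fail|password|198.51.100.7")
    # Today: mary reads 60 files in five minutes.
    for i in range(60):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()}|mary|file_read|/share/finance/f{i}.xlsx|10.1.5.40")
    # Today: tom logs in from the office LAN, then from an outside address four minutes later.
    lines.append(f"{base.isoformat()}|tom|login_ok|office-lan|10.1.5.23")
    lines.append(f"{(base + timedelta(minutes=4)).isoformat()}|tom|login_ok|vpn|203.0.113.9")
    # Today: alice edits 50 files in a row.
    for i in range(50):
        lines.append(f"{(base + timedelta(minutes=10, seconds=i)).isoformat()}|alice|file_write|/share/hr/p{i}.pdf|10.1.5.51")
    return sorted(lines)  # ISO timestamps sort correctly as strings


def parse(lines):
    events = []
    for line in lines:
        ts, user, action, detail, src = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "action": action, "detail": detail, "src": src})
    return events


def burst(events, action, threshold, window):
    """Users with at least `threshold` events of `action` inside a sliding time `window`."""
    per_user, hits = defaultdict(list), {}
    for e in events:
        if e["action"] == action:
            per_user[e["user"]].append(e["ts"])
    for user, times in per_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[user] = max(hits.get(user, 0), end - start + 1)
    return hits


def longest_run(events, action):
    """Longest uninterrupted run of `action` per user (any other action by that user resets it)."""
    runs, current = defaultdict(int), defaultdict(int)
    for e in events:
        if e["action"] == action:
            current[e["user"]] += 1
            runs[e["user"]] = max(runs[e["user"]], current[e["user"]])
        else:
            current[e["user"]] = 0
    return dict(runs)


def concurrent_logins(events, session):
    """Successful logins by one user from two different /24 networks within one session length."""
    net = lambda ip: ipaddress.ip_network(ip + "/24", strict=False)  # crude 'same place' test, an assumption
    per_user, alerts = defaultdict(list), []
    for e in events:
        if e["action"] == "login_ok":
            per_user[e["user"]].append(e)
    for user, logins in per_user.items():
        for i, a in enumerate(logins):
            for b in logins[i + 1:]:
                if b["ts"] - a["ts"] <= session and net(a["src"]) != net(b["src"]):
                    alerts.append((user, a["src"], b["src"]))
    return alerts


def baseline_deviation(events, action, today, days=30, factor=5):
    """Users whose count of `action` today exceeds `factor` times their mean over the previous `days`."""
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == action:
            daily[e["user"]][e["ts"].date()] += 1
    out = {}
    for user, counts in daily.items():
        mean = sum(counts.get(today - timedelta(days=d), 0) for d in range(1, days + 1)) / days
        if counts.get(today, 0) > factor * max(mean, 1):  # floor of 1 avoids alerting on a first-ever read
            out[user] = (counts.get(today, 0), mean)
    return out


def run_rules(lines):
    events = parse(lines)
    today = max(e["ts"] for e in events).date()
    return {
        "brute_force": burst(events, "login_fail", 100, timedelta(minutes=10)),
        "mass_read": burst(events, "file_read", 50, timedelta(minutes=5)),
        "edit_run": {u: n for u, n in longest_run(events, "file_write").items() if n >= 50},
        "two_places": concurrent_logins(events, timedelta(hours=8)),
        "above_baseline": baseline_deviation(events, "file_read", today),
    }


if __name__ == "__main__":
    for rule, hits in run_rules(build_sample_log()).items():
        print(rule, hits)
```

Each rule is deliberately simple; a real SIEM adds enrichment (asset owner, geolocation, user role) and tunes the thresholds per environment, but the shape is the same: pull the relevant events together, compare against a threshold or a baseline, and hand the result to an analyst.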
All in the name of security.
Because wouldn’t you like to shorten this statistic: the average time to identify and contain a breach is 280 days (the figure in IBM’s 2020 Cost of a Data Breach report).
In the world of physical security we still employ cameras, motion sensors, and other interior defenses to indicate that someone is already past the perimeter and that steps need to be taken in response. That is what Security Information and Event Management (SIEM) and a Security Operations Center (SOC) provide for the network: the evidence that someone is inside, and the people and process to act on it.
All Together Now
SIEM and SOC work together with the rest of your environment to provide a safe, secure, and productive workplace. Your technology partner keeps you informed, keeps the gears turning in the background, and supplies the grease to make sure things are humming along as designed.
If this is a topic you’d like to explore more, we’d be happy to talk. The fun starts when you bring up the unique situations that face your organization.