Taylor Toce
May 9, 2019
What is SIEM?
SIEM for small businesses is becoming increasingly important. SIEM, or Security Information and Event Management, allows you to view your network as a whole rather than just a sum of all its parts. So how does it give you that bigger picture? SIEMs collect logs from all across your network, basically all assets, and correlate them to search for events that might indicate a security issue or anomaly. The more asset logs the SIEM has, the better it will be able to perform.
Now you’re probably thinking, “Great…another security measure I have to add to the list of others I’ve already implemented.” In your defense, you most likely have a number of different security measures that all do a great job, but they only monitor certain parts of your network. Endpoint Security looks at files and processes on the endpoint. Network Intrusion Detection systems (IDS) monitor packets, protocols, IP addresses, and traffic flow. Separately, each of these systems helps keep your business secure, but none can give you a full picture of your network and all business operations. They can’t talk to each other and say “Hey, this doesn’t look right, what about for you guys?” – that’s where SIEM comes in.
Implementing SIEM
SIEM, after testing out a few different names over the years, has become the catch-all term for the management system of all security controls and infrastructure. SIEMs are able to take information from different security systems, like the ones mentioned above, and unify the differing information. This unification allows you to cross-reference and analyze the information collected from within a single interface. SIEM for small businesses helps lessen the workload for your IT team or IT analyst by funneling the necessary information into one location.
Once you’ve purchased a SIEM you’re ready to go, right? Unfortunately, wrong. Unlike some other security measures, such as antivirus software, a successful SIEM cannot just be installed and left to its own devices. The effectiveness of your SIEM is based entirely on how it is set up, maintained, and continuously monitored. Tracking all of the activity on your network with no context as to what it is, where it is coming from, and what it should look like is pointless. Yes, you want as much information to be funneled into the SIEM as possible, but you need to know what that information is and how it relates to the rest of your network. This is why most small businesses bring in a Managed Security Services company to implement, monitor, and maintain these types of solutions.
Collecting Asset Logs
Your network creates an enormous amount of data every single day. The more data that is run through and understood by your SIEM, the more accurate the SIEM becomes. By comparing logs across different assets and times, SIEMs can give you context. It shows you what was happening before and after the time of a specific event, rather than just the event itself. Knowing the context allows you to distinguish between legitimate attacks and false positives. If you have a baseline of log data that you know to be normal, it’s easier to pinpoint slight changes in an otherwise consistent stream of data, alerting you to potential attacks. Knowing this, it’s easy to see why log collection is the heart and soul of a SIEM.
Alright, so you know what SIEM is and that logs are necessary for its success, but do you really need to collect every log from every asset throughout your entire network? To answer this question, you need to look inward. What are the key components of your business? Key applications and processes? Your firewall, servers, Active Directory servers, antivirus, as well as your web servers are all assets you should collect logs from. This is an area where SIEM for small businesses can be configured to make the most sense for the resources they have. If you have limited resources for security monitoring, it’s important to decide what’s important. Although getting as much information to your SIEM as possible is a good thing, you don’t want to bog yourself down with unnecessary logs to sift through.
Standardizing Asset Logs
So you have your SIEM and you’re collecting logs from your critical assets, now what? We mentioned earlier that SIEM has to understand the logs and compare them to each other to be successful, but if the logs being collected are from different assets, are they the same? Yes and no. Yes, they are the same in that a human could look at two different logs from two different applications and understand them to be the same information. Humans can use context clues and reason that “Bob has the green car” is the same as “The green car is Bob’s” – a computer cannot. All log messages have to be broken down and normalized so that each log from each separate asset is understood by the SIEM regardless of format.
Of course, your SIEM will not be collecting logs on Bob’s car or have a location in the log file that notes that the car is green. It will, however, need to know that src from one log and src_ip from another are talking about the same thing. Once the log files are all speaking the same language, the information can be put into a database table. Now that you have a bunch of data compiled in a table, what can you do with it? Search! Searching through this newly created log database allows you to track and monitor specific events across all assets. This database table also allows you to report and create automated correlation of events – matching fields from log events from different times and devices.
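As an added illustration of the normalization, table, and correlation steps described above (example code written for this article, not from any SIEM product): two constructed log formats, a firewall line using src= and a web server line using src_ip=, are mapped onto one field name, loaded into a table, and then queried for a source that appears in both assets. The log lines, field names, and asset names are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample log lines (not from any real system). The firewall calls
# the client address "src", the web server calls it "src_ip"; a human sees the
# same thing, the SIEM has to be told.
SAMPLE_LOGS = [
    "fw  2019-05-09T10:00:01 action=deny src=203.0.113.7 dst=192.0.2.10 dport=22",
    "web 2019-05-09T10:00:05 status=401 src_ip=203.0.113.7 path=/login",
    "web 2019-05-09T10:00:09 status=401 src_ip=203.0.113.7 path=/login",
    "web 2019-05-09T10:00:14 status=200 src_ip=198.51.100.4 path=/",
    "fw  2019-05-09T10:00:20 action=deny src=203.0.113.7 dst=192.0.2.10 dport=3389",
]

# Per-asset field name -> the SIEM's normalized field name (assumed schema).
FIELD_MAP = {"src": "src_ip", "src_ip": "src_ip", "action": "outcome", "status": "outcome"}

def normalize(line):
    """Break one raw line into a dict keyed by the normalized field names."""
    asset, ts, rest = line.split(None, 2)
    fields = {"asset": asset, "ts": ts}
    for key, val in re.findall(r"(\w+)=(\S+)", rest):
        fields[FIELD_MAP.get(key, key)] = val
    return fields

def load(lines):
    """Put the normalized events into one table so every asset can be searched together."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (asset TEXT, ts TEXT, src_ip TEXT, outcome TEXT)")
    rows = [(e["asset"], e["ts"], e.get("src_ip"), e.get("outcome")) for e in map(normalize, lines)]
    db.executemany("INSERT INTO events VALUES (?,?,?,?)", rows)
    return db

def correlate(db):
    """Sources the firewall denied that also failed to log in on the web server,
    with the number of distinct failed-login events. Neither asset alone shows this."""
    return db.execute("""
        SELECT f.src_ip, COUNT(DISTINCT w.ts) AS web_failures
        FROM events f JOIN events w ON f.src_ip = w.src_ip
        WHERE f.asset = 'fw' AND f.outcome = 'deny'
          AND w.asset = 'web' AND w.outcome = '401'
        GROUP BY f.src_ip
    """).fetchall()

def timeline(db, src_ip):
    """Everything every asset logged for one source, in time order: the context
    before and after an alert that the article says a SIEM provides."""
    return db.execute("SELECT ts, asset, outcome FROM events WHERE src_ip = ? ORDER BY ts",
                      (src_ip,)).fetchall()
```

Running correlate on the sample data returns 203.0.113.7 with two web failures, and timeline shows its four events across both assets in order.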
Can SIEM help with regulatory compliance?
SIEM not only protects you from potential attacks but by collecting and reporting on your entire network, SIEM helps keep you compliant. If your business has any regulatory or corporate governance requirements to follow, you’ll be especially thankful for your SIEM. Continuous, real-time logging gives you the data needed to satisfy regulators auditing your environment. Audits are inevitable but with SIEM you will always be prepared to hand over true and accurate information.
Implementing a SIEM no doubt takes time and continuous tweaking to keep up with your business needs, but the payout is well worth it – especially if you have a dedicated MSP to do all the hard work for you. An efficient, well programmed SIEM strengthens your business’s security posture, helps detect attacks before they happen, gathers and reports on all important assets in your network, and keeps you compliant and regulators happy with real-time, accurate data.