It never ceases to amaze me how many apps and services IT professionals are accountable for, so it’s hardly surprising that security teams are searching for solutions to give them greater visibility of their IT estate. SIEM tools (Security Information and Event Management) are often top of the search list when considering which options are available, and with the promise of real-time analysis of security alerts across software & hardware, why wouldn’t you choose a SIEM tool? Let me tell you why I believe you might be barking up the wrong tree and provide an alternative, more logical solution.
SIEM Tools – Visibility after the event
The first SIEM were developed around 20 years ago and gave IT professionals enhanced visibility of security events within their environment. Fast forward 15 years and the third generation SIEM tool now include analytics and machine learning with a move away from pre-defined alerts, which although important, do not offer security teams protection from zero-day threats. SIEM tools aggregate log data from multiple sources, typically security logs, providing the ability to consolidate data and translate it into meaningful bundles. Dashboards provide those responsible for security with an overview of these consolidated events and help to identify abnormal patterns of activity. Retaining a record of these patterns over time helps to correlate data trends. This is a critical component to support forensic investigations, as it is very unlikely that the discovery of the network breach will be at the time of the breach occurring.
Please go out and invest in SIEM tool, I would be the first to say that for certain requirements they are the ideal solution. They undoubtedly shorten the time to identify threats and hence minimise the damage those threats might cause. They also support large amounts of data allowing organisations to scale, whilst providing advanced protection from major security breaches. But, is SIEM the right fit for your organisation?
Understand your commitment
Here are a few important considerations to factor into your decision making:
- It typically takes several months before your SIEM is up and running. Team training requirements, integrating with existing infrastructure and establishing reporting criteria all take time.
- I planned to put together a meaningful cost comparison of the SIEM solutions on offer, but I drew a blank. Investing in SIEM can be expensive and cash strapped security teams may be put off by the complicated pricing structure, factoring in the upfront and ongoing variable costs to their budgets.
- Do you have in house capabilities to support SIEM? There is a requirement to have a skilled support function to monitor and manage the implementation of the SIEM. Internal or outsourced Security Operation Centers don’t come cheap and, if provided externally, choosing the right third party provider to delegate this responsibility to is an important consideration.
What is it that you really need?
Can I suggest that the type of visibility that you might be looking for isn’t found in a SIEM.
SIEM are highly effective at translating noisy data into meaningful alerts that expedite the time it takes to detect a potential breach, great, but what does this say about your security defences?
A recent review of fines handed out by the ICO contained the same repeat offenders rising to the top of identified deficiencies within each organisation. You might not be surprised to read that the following head the field:
- Knowing what’s on your network (asset management)
- Keeping it up to date (patching)
- Knowing what’s happening to it (monitoring)
The elephant in the room
The environment in which IT professionals operate is by no means a simple one. The average enterprise has been forced to take on an ever-increasing number of security tools to keep up with today’s turbulent threat environment and growing attack surface. It has been estimated that even smaller companies are using an average of 15-20 different security tools, with the number going up to 50-60 for medium sized enterprises and more than 130 for large organisations. The numbers do seem rather high, but even if you half them, those responsible for IT security are faced with a sizable management challenge.
Visibility in this context means having real-time assurance that security measures remain within policy and fundamental security controls are enabled. Prioritising the monitoring of data and security logs before you secure your defences, is like putting the proverbial cart before the horse. The advent of remote working has resulted in endpoint protection being the number one concern of IT security professionals 2021 State of IT Report. SIEM is not designed to report on the fundamentals of IT security and it is highly likely that most opportunist hackers in 2021 will be targeting organisations with weak security controls and poorly configured endpoints.
Doing the basics brilliantly
It would appear ill-advised for a business to invest in SIEM tools whilst leaving themselves exposed to basic vulnerabilities, however this is often the case. The Accenture Cybersecurity Report 2020 cites the fact that companies leading the way in cyber resilience are those that get the most from existing security investments. This means ensuring that applications and services are deployed, patched, configured and that company policy, around things such as Multi Factor Authentication, is being adopted effectively. Periodic interrogation of an organisation’s cyber resilience does provide value, however these controls move in and out of policy, therefore having a regular process to monitor and manage compliance is vital for those seeking to secure their attack surface around the clock.
The ability to visualise the fundamental vulnerabilities within your IT estate in real-time is a vital step towards becoming cyber resilient. It’s a major concern that most IT leaders find themselves in the dark when it comes to having 100% clarity of their cyber hygiene status. A cost-effective solution that provides this holistic visibility with the means to remediate identified security gaps would be a logical starting point for those looking to protect corporate data from the most frequently exploited vulnerabilities.
To find out more about a radically simplified, but highly effective solution that addresses this IT security challenge please get in touch.