Security Information and Event Management (SIEM): Splunk

The Challenge

Cybercriminals continue to make headline news as they exploit vulnerabilities in organizations’ defenses and gain unauthorized access to sensitive/confidential data, which leads to security/data breaches.

The Consequences

In the past, organizations would have to manually log into many endpoints such as servers, network devices, applications, databases, and security tools one by one, ‘stitch’ the results together, and interpret them manually to make sense of the data.  They needed to understand the path attackers took through their systems to know how they were breached and use that information to prevent further attacks.  As one can imagine, this took a lot of time and resources.  By the time the organization had identified, followed up on, and confirmed the attack, the cybercriminals had already done damage by extracting sensitive/confidential data.  They could then expose or sell the extracted information on the Dark Web, causing reputational damage.  Privacy concerns could also be raised if the extracted data related to personal information.  Worse still, a ransomware attack could encrypt the organization’s data, rendering it unreadable and useless without a decryption key.  Sadly, most organizations that suffer a ransomware attack end up paying thousands or millions to regain access to their data.

The Solution

Organizations need to gain more insight into the vast amounts of data they generate daily from various endpoints and leverage these insights to protect themselves better.  They need a way to sift through large amounts of data as quickly as possible and detect potential cyber-attacks.

This is where a Security Information and Event Management (SIEM) system plays a considerable role – it provides a single-pane-of-glass view for unified log management across the organization.  Since all endpoints generate logs, a SIEM can be used in the following way:

  • Ingest logs from various endpoints
  • Normalize them so that each log can be interpreted in a standard way
  • Enrich the log data with other sources of information, such as HR and asset management systems, so that each event carries context about the user and asset involved
  • Correlate the data to be able to understand ‘the story’ or the attack path the cybercriminals have used to gain unauthorized access to your systems
  • Respond in an automated way to cyber-attacks

This allows users such as Security Operations Center (SOC) analysts to consume the resulting information in a meaningful way and take the necessary actions.  What would take hours or days to perform manually can be done with a SIEM in a matter of minutes.

A SIEM coupled with the proper cybersecurity controls can prevent and detect future cyber-attacks and respond to threats in a timely manner.

What is Security Information and Event Management (SIEM) and how does it work?

Security Information and Event Management (SIEM) is a software solution that aggregates and analyzes activity from many different resources across your entire IT infrastructure.

SIEM collects security data from network devices, servers, domain controllers, and more.  SIEM stores, normalizes, aggregates, and applies analytics to that data to discover trends, detect threats, and enable organizations to investigate alerts.

Main capabilities:

  • Threat detection
  • Investigation
  • Time to respond

Key features:

  • Basic security monitoring
  • Advanced threat detection
  • Forensics and incident response
  • Log collection
  • Normalization
  • Notifications and alerts
  • Security incident detection

How can a SIEM help?

The SIEM software generates security alerts when it identifies potential security issues.  Organizations can use predefined rules to set these alerts as a low or high priority.

For instance, a user account that generates 25 failed login attempts in 25 minutes could be flagged as suspicious but still be set at a lower priority because the login attempts were probably made by a user who had forgotten their login information.

However, a user account that generates 130 failed login attempts in five minutes would be flagged as a high-priority event because it’s most likely a brute-force attack in progress.
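The ingest, normalize, enrich and correlate steps listed earlier, together with the two failed-login thresholds just described, are combined below in an added Python example. It is not code from the page, nor Splunk's own, and a real SIEM would express the rule in its own search language; the two log formats (an sshd-style line and a key=value rendering of a Windows 4625 logon-failure event), the asset table, the hosts, user names and IP addresses are all constructed for the example, and the rule names are assumptions. Each rule is a sliding window over one user's failures, so the same account can escalate from low to high priority as attempts accumulate.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Two raw formats the SIEM ingests (constructed for this example).
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
WIN_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=4625 "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)"
)

# Constructed asset-management lookup used for enrichment (hypothetical values).
ASSETS = {
    "10.0.0.5": {"owner": "alice", "dept": "finance"},
    "10.0.0.9": {"owner": "unassigned", "dept": "guest-vlan"},
}

# Thresholds from the page: 25 failures in 25 minutes is low priority,
# 130 failures in five minutes is high priority. Rule names are assumed.
RULES = [
    ("brute_force_likely", "high", 130, timedelta(minutes=5)),
    ("repeated_failures", "low", 25, timedelta(minutes=25)),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize(line):
    """Map either raw format onto one common event schema; None if not a failure."""
    for source, rx in (("sshd", SSHD_RE), ("windows", WIN_RE)):
        m = rx.match(line)
        if m:
            return {"ts": parse_ts(m["ts"]), "host": m["host"], "user": m["user"],
                    "src_ip": m["ip"], "outcome": "failure", "source": source}
    return None


def enrich(event):
    """Attach owner/department context from the asset table to the event."""
    out = dict(event)
    out.update(ASSETS.get(event["src_ip"], {"owner": "unknown", "dept": "unknown"}))
    return out


def correlate(events):
    """Sliding-window failure count per user; fires each rule once per user."""
    windows = {name: defaultdict(deque) for name, *_ in RULES}
    fired, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "failure":
            continue
        for name, severity, threshold, window in RULES:
            dq = windows[name][ev["user"]]
            dq.append(ev["ts"])
            while dq and ev["ts"] - dq[0] > window:  # drop timestamps outside the window
                dq.popleft()
            if len(dq) >= threshold and (name, ev["user"]) not in fired:
                fired.add((name, ev["user"]))
                alerts.append({"rule": name, "severity": severity, "user": ev["user"],
                               "src_ip": ev["src_ip"], "dept": ev["dept"],
                               "count": len(dq), "at": ev["ts"]})
    return alerts


def summarize(alerts):
    """Highest severity raised per user, the view an analyst triages from."""
    rank = {"low": 1, "high": 2}
    best = {}
    for a in alerts:
        if rank[a["severity"]] > rank.get(best.get(a["user"]), 0):
            best[a["user"]] = a["severity"]
    return best


def run_pipeline(lines):
    events = [enrich(ev) for ev in map(normalize, lines) if ev]
    return correlate(events)


def make_sample_logs():
    """Constructed log lines reproducing the page's two scenarios."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(25):  # alice: one failure per minute for 25 minutes
        ts = (base + timedelta(minutes=i)).strftime(fmt)
        lines.append(f"{ts} bastion01 sshd[4120]: Failed password for alice from 10.0.0.5 port 5022 ssh2")
    for i in range(130):  # bob: 130 failures in well under five minutes
        ts = (base + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(f"{ts} host=WS01 EventID=4625 TargetUserName=bob IpAddress=10.0.0.9")
    lines.append(f"{base.strftime(fmt)} bastion01 sshd[4121]: Accepted password for carol from 10.0.0.7 port 5023 ssh2")
    return lines


if __name__ == "__main__":
    for alert in run_pipeline(make_sample_logs()):
        print(alert)
    print(summarize(run_pipeline(make_sample_logs())))
```

The successful login for carol is dropped at the normalize step, so only failures reach the correlation stage; bob trips the low-priority rule first and the high-priority rule once the 130th failure lands inside the five-minute window, which is why the summary reports only the highest severity per account.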

SIEM makes it easier for enterprises to manage security by filtering massive amounts of security data and prioritizing the security alerts the software generates.

SIEM software enables organizations to detect incidents that may otherwise go undetected.  The software analyzes the log entries to identify signs of malicious activity.

A SIEM system can also help an organization meet compliance requirements by automatically generating reports that include all the logged security events among these sources.  Without SIEM software, the company would have to gather log data and compile the information manually.

A SIEM system also enhances incident management by helping the company’s security team uncover the route an attack takes across the network, identify the compromised sources, and provide automated tools to prevent the attacks in progress.

Benefits of SIEM:

Benefits of SIEM include the following:

  • It significantly shortens the time it takes to identify threats, minimizing the damage from those threats.
  • SIEM offers a holistic view of an organization’s information security environment, making it easier to gather and analyze security information to keep systems safe.  All of an organization’s data goes into a centralized repository where it’s stored and easily accessible.
  • Companies can use SIEM for various use cases around data or logs, including security programs, audit and compliance reporting, help desk, and network troubleshooting.
  • SIEM supports large amounts of data so organizations can continue to scale out and add more data.
  • SIEM provides threat detection and security alerts.
  • It can perform detailed forensic analysis in the event of significant security breaches.