Let’s talk about SIEM. Are you having consistent challenges with responding to threats, breaches and related incidences? Do you find it increasingly draining to get to the root cause of breaches in light of the increasing numbers of attacks and related downtimes in your network? If yes, a SIEM solution is just what you may need.
More often than not, the above pain points are brought about by a lack of collaborative efforts between the Network Operations Center (NOC) and the Security Operations Center (SOC). The NOC is primarily interested in network performance and uptime while the SOC teams are primarily focused on network security, regulations, and compliance.
To further deepen the disconnect, they each make use of a diverse variety of tools and software that are not integrated so as to give a global view of the enterprise’s overall network. These factors introduce a complex monitoring and reporting environment which increases the likelihood that threats and breaches can go undetected for some time.
What is SIEM software?
Security information and event management (SIEM) software give enterprise security professionals a better handle on events within the enterprise. This is done through the collection of Security Information and Event Management (SIEM) network and security logs, in a central repository from multiple diverse sources e.g access points, active directory and database servers, routers, switches, firewalls, intrusion detection, and prevention systems, etc. SIEM is a fundamental element of a successful Cyber Resilience strategy.
A SIEM must be aware of what is attached to the network and be able to collect event and log data from all of those attached items. FortiSIEM is the only SIEM tool in the market that has a self-learning, real-time asset discovery and device configuration engine built into its platform. SIEM does parsing, data normalization and categorization on any type of device, as long as it’s able to send logs to it.
SIEM software should have an intelligent context, such that it is able to identify the specific kinds of running devices, applications, servers, and their corresponding configurations among other data so as to add relevant context to the events and notifications. This is a critical element of ensuring the SIEM product doesn’t raise false alarms.
SIEM software also requires that it is fed quality data for maximum yield; the bigger the data source you give it, the better it gets and the better it can see outliers.
How SIEM works:
SIEM software collects and aggregates log data generated throughout the enterprise’s endpoints, applications, firewalls, and antivirus filters.
SIEM delivers on the below objectives, which are to:
Security teams often start by chasing down a staggering amount of false alerts. False alerts are one of the most nagging challenges in implementing reliable cybersecurity initiatives. These refer to “useless” alerts that end up wasting an enterprise’s SOC teams time since they are not real threats.
According to Cisco’s 2017 Annual Cyber Report: The Hidden Danger of Uninvestigated Threats. Only 28% of security alerts that are investigated turn out to be legitimate, from these, only 46% are remediated, meaning 54% of legitimate threats are not resolved!
This is partly a result of the redirection of the SOC team’s effort to investigate false alerts. So how exactly can an enterprise deal with false alerts?
Dealing with False Alerts:
Proactive organizations will learn to tune the tooling over time so that the SIEM understands what are normal events and thereby reduce the number of false alerts. After getting a false alert, make an adjustment to your SIEM so that it doesn’t catch that again. Fine Tuning should be done often to reflect both internal changes e.g the commissioning and decommissioning of devices, changes in the global threat landscape, etc.
Managing SIEM is a resource-intensive process that requires regular evaluations and adjustments to maintain optimal performance. Despite this, going without a SIEM solution isn’t the answer, because this can leave you vulnerable to attack. With this in mind, many IT professionals don’t know how to do this efficiently, thus, expert SIEM consultancy may be required.
To develop proficiency with accurately managing SIEM products, you can sign up for an Insoft instructor-led FortiSIEM training here.
SIEM Tools and Vendor Selection
SIEM tools come in both paid-for commercial offerings and free open-source alternatives. Different SIEM tools draw their strength from a myriad of different features and capabilities, so it’s upon you to carefully choose one that addresses your enterprise needs.
There are a couple of leading vendors, including Solar Winds, HPE, IBM, Splunk, Fortinet, and Intel, we also have open-source SIEM tools which are supported by the community. They are not vendor backed, hence they may not be as reliable; especially in critical enterprise-grade environments. Some of the best free open-source SIEM tools include Elasticsearch, ELK Stack, Ossim, Splunk Free and Ossec.
FortiSIEM Case Study:
FortiSIEM is a SIEM product manufactured by Fortinet. It offers SOC and NOC data correlation capabilities. It collects and normalizes a variety of logs, for instance, transaction, SNMP, connection, application and user logs.
These logs are then used for IT network and security monitoring and troubleshooting, consequently enabling organizations to eliminate blind spots by monitoring and analyzing a diverse set of events from multiple sources. Organizations, therefore, get an upper hand when it comes to the identification of threats and their root causes for even more agile remediation.
In addition to security metrics, FortiSIEM also monitors infrastructure resource utilization, application health, performance and availability metrics. The collection of all these data is done at a set polling interval. The results are converted into logs, which follow the typical SIEM processing logic. You can also read more about What is SIEM software? How it works and how to choose the right tool here.
More Blogs for you:
Relevant Exams: Fortinet NSE 5