Your Guide to Security Information and Event Management (SIEM) Systems

As more and more organizational operations move online, monitoring all potential security activity has become one of the biggest challenges information security experts face. In fact, a recent survey by the Enterprise Strategy Group found that nearly half of all cybersecurity professionals are challenged by measuring their risk across their entire IT infrastructure.

One of the best cybersecurity solutions to help address this issue is a Security Information and Event Management (SIEM) system. In this post, we’re going to explore the definition, use cases, and pros and cons of SIEMs, as well as a few SIEM case studies that we’ve seen from our customers.

What are SIEMs?

A SIEM system provides security teams with a centralized management platform for managing and monitoring their network and device security. The solution collects and analyzes data from multiple sources in order to detect security threats and incidents across your entire infrastructure. These systems can typically detect suspicious activity, malicious behavior, and potential security breaches in real time, which helps an organization adopt a proactive security posture.

What are the Most Common SIEM Use Cases?

SIEM systems are most commonly used for the business requirements below:

  • Threat detection: SIEM systems can evaluate data from many sources in real-time to detect potential security threats and notify security personnel of possible problems.
  • Compliance: SIEM systems can assist a business in meeting regulatory compliance obligations by providing auditing data and required access reporting.
  • Incident response: SIEM systems can provide security teams with the information required to rapidly identify, investigate, and respond to security incidents.
  • Forensics: SIEM systems can provide forensic investigation data that helps an organization determine the scope and consequences of a security incident.
  • Decision prioritization: The data gathered from the SIEM can be used to help organizations better understand their security posture and make informed decisions about their security strategies.
  • Automated data aggregation: One overlooked but common use case for a SIEM system is to automate and integrate data collection and reporting from a number of disparate systems.

What Challenges Exist When Implementing a SIEM?

SIEM implementation can be complex, and the systems are not a good fit for all businesses. Common SIEM challenges that ADS has observed include:

  • Cost: SIEMs can be expensive to acquire and maintain, and the cost may not be justifiable for smaller businesses or organizations with modest security requirements.
  • Complexity: SIEMs can be difficult to install and maintain, and their configuration and use often require specific knowledge of and skill with the chosen solution.
  • False positives: Misconfigured SIEMs may produce many false positives, which can be time-consuming and challenging to sort through, possibly overwhelming security staff.
  • Limited customization: SIEMs are rarely a “plug and play” solution. Their limited customization options may not meet the specific demands of a given enterprise, and limitations to available adjustments may reduce their effectiveness and use.
  • Limited scalability: Some SIEMs may not be able to handle the volume of data produced by larger enterprises, rendering them ineffective as an enterprise security tool.
  • Limited data retention: Some SIEMs may be incapable of retaining long-term data, making it challenging to monitor and analyze long-term security trends.

What Organizations are Successfully Using SIEMs?

In the last few years, SIEM adoption has skyrocketed across most industries. Today, we’re proud to see a number of customers safer and more secure thanks to the adoption of these systems. The case studies below provide examples of successful SIEM implementations.

Retail SIEM Case Study

Background
A large retailer in the Northeastern US initially chose not to install a SIEM due to a combination of cost concerns and a belief that its network and systems were sufficiently safe. However, after experiencing a major breach and data loss, the corporation discovered that its existing security procedures had been insufficient to protect its sensitive customer data: remediation discovered that security alerts from a less-maintained network segment had been missed.

Action
The retailer chose to adopt a SIEM system to enhance its overall security posture, finding that the system provided improved real-time security threat monitoring, a better view of potential system vulnerabilities, and enhanced incident response capabilities. In addition, the SIEM system assisted the business with compliance adherence for PCI-DSS and HIPAA.

Result
After its initial budget concerns, the client found out that the cost of implementing a SIEM was significantly less than the expenses it incurred due to its security breach and the resulting loss of customer confidence.

Financial Services SIEM Case Study

Background
A community bank ADS supports initially assumed that it would not need a SIEM system because it was a smaller organization. However, the bank unfortunately suffered a cyber assault that resulted in the loss of sensitive customer information and financial data, and sought ways to prevent the issue moving forward.

Action
ADS configured the bank’s SIEM system to gather, analyze, and correlate data from multiple sources affected by the breach, including firewall logs, intrusion detection systems, and endpoint security software. In addition, we coupled the SIEM system with incident response and forensic technologies that allowed the client to analyze and contain the cyber-attack.

Result
After the attack was contained, the bank was able to move to a proactive security posture by utilizing the installed SIEM’s reporting and data visualization features to detect patterns and trends in its security data. The bank has since been able to detect and respond to security risks much more quickly and efficiently.

Financial Services SIEM Case Study

Background
This financial institution provides portfolio management and investment advice to institutional clients, managing more than US $1.4 trillion in total assets. Given its scale and the sensitive data its business handles, this institution faced the dual challenge of compliance with stringent industry and regulatory standards such as SOC 2, PCI-DSS, and FINRA as well as a constant barrage of cyberattacks that have grown unfortunately common in the industry.

Action
ADS supported this financial institution’s SIEM implementation through the following process:

  1. System scoping, to determine the core business needs the SIEM system must meet. These needs included:
    1. Real-time network monitoring
    2. Aggregation of security data from network devices, servers and endpoints
    3. Regulatory compliance in the form of alerting to any potential unlawful data access, failed login attempts, and data exfiltration efforts
    4. Threat detection and response
  2. System implementation, which included:
    1. Alert generation
    2. Building a threat intelligence feed with advanced analytic capabilities to detect and respond to the more sophisticated attacks
    3. Enhanced reporting and data visualization tools to help analyze data patterns and trends in order to proactively improve the organization’s security posture
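
The aggregation and failed-login alerting named in the scoping list above can be sketched as a small normalize-then-correlate pipeline. This is an added example, not code from ADS or from any SIEM product; the two log formats, the field names, the 5-minute window and the threshold of 5 are assumptions, and the sample records are constructed.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed correlation window
THRESHOLD = 5                  # assumed failure count that makes a later success suspicious
SSHD = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

# Constructed sample input as (source, raw line); both formats are simplified.
SAMPLE = [("server", f"2024-05-01T10:00:{s:02d} sshd: Failed password for alice from 203.0.113.7")
          for s in range(0, 50, 10)] + [
    ("endpoint", '{"ts": "2024-05-01T10:01:05", "event": "logon_failure", "user": "bob", "ip": "10.0.0.23"}'),
    ("server", "2024-05-01T10:01:30 sshd: Accepted password for alice from 203.0.113.7"),
    ("endpoint", '{"ts": "2024-05-01T10:02:00", "event": "logon_success", "user": "bob", "ip": "10.0.0.23"}'),
]

def normalize(source, raw):
    """Map one source-specific record onto a common schema; None if not understood."""
    if source == "server":
        m = SSHD.match(raw)
        if not m:
            return None
        ts, verb, user, ip = m.groups()
        ok = verb == "Accepted"
    elif source == "endpoint":
        rec = json.loads(raw)
        ts, user, ip, ok = rec["ts"], rec["user"], rec["ip"], rec["event"] == "logon_success"
    else:
        return None
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "ok": ok}

def correlate(events):
    """Alert when a success follows >= THRESHOLD failures for one (user, ip) within WINDOW."""
    recent, alerts = defaultdict(deque), []  # (user, ip) -> recent failure timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        fails = recent[(ev["user"], ev["ip"])]
        while fails and ev["ts"] - fails[0] > WINDOW:
            fails.popleft()  # expire failures that fell out of the window
        if not ev["ok"]:
            fails.append(ev["ts"])
            continue
        if len(fails) >= THRESHOLD:
            alerts.append({"user": ev["user"], "ip": ev["ip"], "failures": len(fails)})
        fails.clear()  # a success resets the counter for this (user, ip)
    return alerts

def run(sample=SAMPLE):
    events = [e for e in (normalize(s, r) for s, r in sample) if e]
    return correlate(events)
```

With the constructed sample, the five failures followed by a success for `alice` raise one alert, while the single mistyped logon for `bob` does not, which is the kind of thresholding that keeps the false-positive volume described earlier in check.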

Result
The financial institution and its customers are now more secure than ever. The firm has streamlined its compliance monitoring, reporting and auditing efforts, and is able to detect and respond to security risks much more quickly than before.

To learn more about how to scope and implement a Security Information and Event Management system, contact Atlantic Data Security today.
