What SIEM is and how it protects medium-sized businesses

A medium-sized company is an attractive target for cybercriminals. It operates on a scale that’s large enough for the company to pay a substantial ransom if its data is taken hostage. Meanwhile, its approach to information security is often an inheritance from the time when it was much smaller. Hackers can come up with a tactic to bypass the company’s basic protection and compromise the network with little to no resistance. The damage done by such incidents averages around $100,000. The regulatory side of things also cannot be ignored: cybersecurity rules and regulations have been proliferating around the world, and so have the fines for non-compliance.

Businesses are often cognizant of these threats and willing to allocate more resources to their infosec teams. How do you take your corporate security to the next level without excessive outlay? Here’s a little spoiler: deploying a SIEM (Security Information and Event Management) system is key.

Layered protection

A company’s long-term goal should be to build layered defenses in which different tools and controls complement one another to significantly complicate attacks on the company and limit the attackers’ options. A company with 500 to 3000 employees is almost certain to have the basic tools and the initial protective layer: access control through authentication and authorization, endpoint protection (popularly known as “antivirus”), server protection including email servers, and a firewall.

The next thing to do is supplement, rather than replace, this arsenal with more advanced cybersecurity tools, such as:

• A system for comprehensive monitoring and correlation of security events from a variety of data sources (computers, servers, and applications) in real time across the entire infrastructure
• Tools for obtaining enhanced information about possible incidents or just suspicious activity and anomalies
• Incident response tools: from investigations in accordance with regulatory requirements, to isolation of compromised hosts and accounts, vulnerability elimination, and so on
• Advanced identity management tools: from centralized user management and role-based access control, to a single authentication portal with MFA
• Tools for improving visibility and manageability of IT assets, attack surface management, and patch management

Having all of these at the same time is out of the question, so implementing these measures will need to be prioritized and broken down into phases. That said, comprehensive monitoring forms the basis for many other information security tools, and therefore, SIEM implementation should be close to the top of the list.

This equips defenders with brand new capabilities: detecting attackers’ malware-free activities, spotting both suspicious objects and suspicious behavior, and visualizing and prioritizing infrastructure events. Proper use of SIEM can relieve the workload on the infosec team, as it spares them the need to spend time handling isolated events, logs, and other artifacts manually.

What a SIEM system is and why a medium-sized company needs one

SIEM solutions have been used for comprehensive IT monitoring in corporate infrastructures for two decades now. These solutions are composed of a number of components that collect, store, organize, and analyze telemetry, and allow responding to incoming events. Thanks to SIEM, an infosec employee can receive most alerts in a single console, easily link different aspects of an event (such as file creation, network activity, and account login) into a single entity without having to dig through five different data sources, and respond promptly to these events. The high degree of automation saves the infosec team a great deal of time. What you used to do manually just by walking over to a coworker’s computer becomes too much effort as the company grows in size.

Key SIEM components for medium-sized businesses

The architecture may differ between SIEM systems, but the key elements are always the same:

Event sources: these aren’t part of the SIEM, but they serve as providers of information. Anything that generates logs as it runs – whether it’s an operating system, EDR agent, business application, or network device – can be a source.

Collector: this is typically a separate service that receives logs from telemetry sources for processing in the SIEM.

Log normalizer and storage: these are elements of the SIEM platform core. The normalizer transforms and adapts the logs it receives from a collector to make them suitable for use, search, and analysis. Centralized data storage significantly simplifies detection and investigation of incidents, as well as the provision of incident information to regulators.

Event correlation is the heart of SIEM systems. This is the key step where disjointed events contained in different logs are correlated, merged if found to be associated with the same activity or different stages of a single activity, and prioritized. Prioritization is driven by threat intelligence available to the defenders. This is what can serve as the basis for writing a rule that won’t ping the infosec team every time a PowerShell script runs, but will raise an alert if a script runs with command-line options characteristic of a targeted attack.

Dashboards and alerts are a purely visual but important part of the system that helps make sense of heaps of data, easily find what you’re looking for, quickly drill down into an incident, and learn about issues or suspicious events in time.

A steep price used to be a real barrier to SIEM adoption by medium-sized businesses, as the products were aimed at larger companies exclusively. This has now changed with the advent of new solutions that no longer target just the enterprise segment of the market, such as our platform.