Why You Must Have a SIEM

Watch Your Back: Why You Must Have a SIEM

Recently, Wired published an article about Rob Joyce, Chief of the NSA’s Tailored Access Operations, and his talk on Disrupting Nation State Hackers.

Joyce discusses quite a few things that make life miserable for the NSA. The ones that make them most miserable are the following: Security Incident and Event Management (SIEM) tools analyzing logs, Indicators of Compromise (IOCs), out-of-band (OOB) devices analyzing traffic, and, worst of all, competent System Administrators who use these technologies. Today we are going to dive into logging, OOB devices, SIEM, IOCs, and monitoring your network with a SIEM.

Technology creates a lot of information, and it typically leaves a record of what it has done in log files. Whether it’s your router, switch, server, virtualization platform, cloud provider, smartphone, or printer, a trail of events and information is created, like the receipt you get from grocery shopping. Unfortunately, the logs are often forgotten, or never analyzed unless there is a major problem. Even then, System Administrators perform log analysis grudgingly, simply because of the sheer volume of data created. It’s like a scene out of The Matrix where the rebel crew members watch green characters scroll down the monitor, but slightly less exciting. However, there is a wealth of information contained in these logs, and, as in The Matrix, System Administrators can use it to observe what is happening in their infrastructure.

Now, there are specialized OOB devices that can analyze your network traffic. These are typically your Intrusion Detection Systems (IDS), which passively monitor your network from a tap or mirror port. They are out-of-band because they are not directly in the path of the data; instead, the data is mirrored to them. This gives them a couple of advantages: if they fail, they don’t take your network down with them, and, more importantly for security, hackers cannot see the OOB device. You can think of it as having a concealed bodyguard in the dark with night vision while a mugger is trying to sneak up on you. Naturally, these OOB monitoring devices create a lot of logs, which are then sent to your SIEM.

SIEM stands for Security Incident and Event Management. A SIEM is a highly intelligent technology that views all of the logs coming from every device and correlates each piece of information. It sniffs out irregularities in data patterns and makes sense of the mountains of information. To the bad guys, a SIEM watching your logs and OOB systems is the scariest piece of technology in your arsenal, because it can actually find the needle in the haystack. Fifty million events just happened on your network, and it can find the handful of malicious actions stealing your data (or credit card numbers, if you’re Target or Home Depot).

SIEMs need to be updated constantly in order to remain effective. The information that updates the SIEM is called an Indicator of Compromise (IOC). An IOC might be a system sending spam to the internet, a malicious website infecting anyone who lands on its homepage, malware traversing your network, the intern down the hall accessing HR data he shouldn’t have access to, or data going to an inappropriate or unauthorized destination, such as a country like Russia or China. IOCs enable System Administrators and Engineers to remain vigilant and stay abreast of new threats on the horizon. As Joyce says, “If you’re looking at the Nation State hackers, we’re going to be persistent. We’re going to keep coming and coming and coming, so you’ve gotta be defending and improving and defending and improving and evaluating and improving. The static person is going to float to the back of the pack.” And when a bear is chasing you, you don’t have to be the fastest in the pack; just don’t be the slowest.
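As an added illustration of the two paragraphs above (this is example code, not code from the original article, from Cybriant, or from any SIEM product), here is a toy correlation pass in Python over a constructed batch of firewall, file-server and IDS log lines. The log format, the IOC destination list, the mail-relay and HR-access allowlists, the addresses and the IDS signature name are all invented for the example; the three findings it returns are the handful of malicious actions hidden among otherwise benign events.

```python
import re
from collections import defaultdict
# Constructed indicator lists for this example; none of these are real IOCs.
IOC_DEST_IPS = {"203.0.113.7"}   # bad destination taken from an IOC feed
MAIL_RELAYS = {"10.0.0.25"}      # the only host allowed to send SMTP outbound
HR_ALLOWED = {"alice", "bob"}    # users permitted to read the HR share

# Constructed sample log batch: "source timestamp key=value ...".
LOGS = """\
fw 2024-05-01T09:00:01 src=10.0.0.42 dst=93.184.216.34 dport=443 action=allow
fw 2024-05-01T09:00:02 src=10.0.0.42 dst=203.0.113.7 dport=443 action=allow
fw 2024-05-01T09:00:03 src=10.0.0.77 dst=198.51.100.9 dport=25 action=allow
fw 2024-05-01T09:00:04 src=10.0.0.25 dst=198.51.100.9 dport=25 action=allow
fs 2024-05-01T09:00:05 user=carol share=hr action=read
fs 2024-05-01T09:00:06 user=alice share=hr action=read
ids 2024-05-01T09:00:07 src=10.0.0.42 sig=ET_TROJAN_BEACON
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split 'source timestamp k=v k=v ...' into a flat dict."""
    source, ts, rest = line.split(" ", 2)
    rec = {"source": source, "ts": ts}
    rec.update(KV.findall(rest))
    return rec

def match_iocs(rec):
    """Return the IOC rules one record trips; an empty list means benign."""
    hits = []
    if rec["source"] == "fw":
        if rec["dst"] in IOC_DEST_IPS:            # data going to a known-bad destination
            hits.append("ioc_destination")
        if rec["dport"] == "25" and rec["src"] not in MAIL_RELAYS:
            hits.append("unexpected_smtp_sender")  # a non-relay host sending mail (spam)
    elif rec["source"] == "fs":
        if rec["share"] == "hr" and rec["user"] not in HR_ALLOWED:
            hits.append("unauthorized_hr_access")  # the intern reading HR data
    elif rec["source"] == "ids":
        hits.append("ids_" + rec["sig"].lower())   # OOB sensor alert, passed through
    return hits

def correlate(text):
    """Run every line through the rules and group the hits by host or user."""
    findings = defaultdict(list)
    for line in text.splitlines():
        rec = parse(line)
        for rule in match_iocs(rec):
            key = rec.get("src") or rec.get("user")
            findings[key].append(rule)
    return dict(findings)
```

Grouping by host is what turns two separate hits on 10.0.0.42 (a connection to an IOC address and an IDS beacon alert) into one correlated finding worth an analyst's time.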

Finally, we get to the most important part of defending your company’s or organization’s crown jewels: the System Administrator. You can have the best network security, the best SIEM, the best IDS, and the best security gadget in the world, but all of it is worthless if your System Administrator isn’t qualified and isn’t constantly monitoring, analyzing, and improving. The responsibility doesn’t stop at watching the bad guys do bad things. As Joyce says, System Administrators must have clear policies and procedures on how to act once a threat has been detected. If at any point the Detect → Analyze → Remediate → Repeat loop fails, your data will be compromised and the hacker wins.

Don’t let the hackers win. Contact Cybriant for a world-class SIEM solution.