Getting More Value out of your SIEM
Security information and event management, or SIEM, is designed to provide the complete security visibility organizations need to detect threats, respond to incidents, and accelerate their compliance programs. SIEM software works by aggregating security-relevant data from your environment, and applying event correlation rules to identify relationships among those data. These event correlation rules (also known as policies or filters) help you identify patterns that signal threats, policy violations, and other exposures.
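To make the idea of an event correlation rule concrete, here is a small added example (not code from the original article, Cybriant, or any SIEM product): a rule that flags a burst of failed SSH logins from one source followed by a successful login from the same source. The log lines are constructed for illustration, the field layout and the threshold and window values are assumptions, and a production SIEM would express the same logic in its own rule language rather than in Python.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): SSH auth messages in a syslog-like layout.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 host1 sshd[1201]: Failed password for admin from 203.0.113.5 port 51000 ssh2
2024-03-01T10:00:04 host1 sshd[1202]: Failed password for admin from 203.0.113.5 port 51001 ssh2
2024-03-01T10:00:07 host1 sshd[1203]: Failed password for root from 203.0.113.5 port 51002 ssh2
2024-03-01T10:00:09 host1 sshd[1204]: Failed password for admin from 203.0.113.5 port 51003 ssh2
2024-03-01T10:00:12 host1 sshd[1205]: Failed password for admin from 203.0.113.5 port 51004 ssh2
2024-03-01T10:00:15 host1 sshd[1206]: Accepted password for admin from 203.0.113.5 port 51005 ssh2
2024-03-01T10:05:00 host1 sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2024-03-01T10:09:30 host1 sshd[1301]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
"""

# Assumed line format: "<iso timestamp> <host> sshd[pid]: <Failed|Accepted> password for <user> from <src> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Normalize raw lines into event dicts; lines that do not match the schema are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "outcome": m["outcome"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def correlate_bruteforce_success(events, threshold=5, window=timedelta(minutes=2)):
    """Correlation rule: at least `threshold` failures from one source inside `window`,
    followed by a successful login from that same source while those failures are still
    inside the window. Returns one alert per burst."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures (sliding window)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = failures[ev["src"]]
        # Drop failures that have aged out of the window before evaluating this event.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "rule": "ssh_bruteforce_then_success",
                "host": ev["host"],
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(recent),
                "first_failure": recent[0].isoformat(),
                "success_at": ev["ts"].isoformat(),
            })
            recent.clear()  # a success consumes the burst so it is not alerted twice
    return alerts


if __name__ == "__main__":
    for alert in correlate_bruteforce_success(parse_events(SAMPLE_LOGS)):
        print(alert)
```

The rule is deliberately stateful: it keeps a per-source sliding window rather than matching single lines, which is what lets it distinguish the burst from 203.0.113.5 (five failures, then a success) from the single mistyped password from 198.51.100.7. The threshold and window are the tuning knobs an analyst would adjust against the environment's baseline to keep the alert volume manageable.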

Although the primary budget driver for SIEM software is compliance, the primary way that SIEM software is used is to identify and investigate security incidents. Spotting attacks in real-time, or soon after, requires a combination of data sources, as well as the latest threat intelligence from experienced security researchers, such as Cybriant.

SIEM Requires Expertise

Once you have made the decision regarding your SIEM purchase, a key challenge is the skilled use of your SIEM tool. If you do not have the knowledge or expertise to utilize a SIEM correctly, your SIEM may not work optimally. We’ve heard complaints about an organization’s SIEM when the real problem was the way it was implemented or managed on a daily basis.

To work at peak performance, your SIEM needs continuous visibility, which could be more of an investment in time than your organization may be ready for. Our Managed Security service offers:

  • Real-time monitoring
  • Active event and incident correlation
  • Strategic Incident Response
  • Remediation Services

By moving the monitoring of your SIEM to an outside vendor like Cybriant, you will be able to expand your IT staff with security experts whose entire focus is security and compliance. This team will allocate time on a daily basis to effectively manage and monitor security infrastructure. We’ve already mastered all the capabilities needed to take full advantage of your SIEM implementation, so let us take it over for you. We’ll continuously monitor, tune, and enhance your SIEM.

Most People Struggle with SIEM

We recently discussed that the average organization logs about 1,200 IT incidents per month, of which 5 will be critical. It is a challenge to wade through all the data generated by the events that lead to these incidents and to prioritize dealing with them. In this survey, 70% say a past critical incident has caused reputational damage to their organization, underlining the importance of timely detection to minimize impact.

Dealing with the volume of events generated by IT monitoring tools is a challenge.

52% say they just about manage, 13% struggle, and 1% are overwhelmed. Those with event management processes which enable them to easily manage the volume of events have a faster mean time to detect incidents and fewer duplicate and repeat incidents.

Two-thirds of those surveyed admit that dealing with the volume of events generated is a problem. Dealing with incidents distracts IT staff from other activities; beyond the IT department, incidents impact business productivity and the customer experience.

Ready to Get More Value out of your SIEM?

Feds kick out Kaspersky – here’s why you should too.
As you may have heard, the Federal Government is requiring the removal of all Kaspersky software. Federal departments and agencies are required to identify any use or presence of Kaspersky products on their information systems and discontinue present and future use of the products by November 13 and remove the products by December 13. https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-directive-17-01

The reason? 

This action is based on the information security risks presented by the use of Kaspersky products on federal information systems. Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems. The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.

Any organization (including contractors, universities, etc.) that receives federal funding should consider removing Kaspersky, since your funding could be at risk. Consider our alternative approach, because there is a better way.

Alternative Approach

Traditional antivirus software only detects around 40% of all malware, which means 60% of malware goes undetected. With CylancePROTECT, it’s possible to prevent over 99% of malware before it can execute. Cylance isn’t a “detect and respond” antivirus solution that will leave your systems open to continual attacks.

Cybriant offers Cylance as an endpoint security solution or as a managed service. Cybriant can assist you in the migration from your old anti-virus product and in the implementation, tuning, and management of your Cylance deployment.

Why Cylance?

Cybersecurity firm Cylance uses lightweight artificial intelligence (instead of heavy signatures) to provide customers with security that “predicts, prevents, and protects.” They have recently caught Gartner’s attention by being considered a Visionary in the Endpoint Security realm.

According to Gartner’s 2017 report, Cylance is “by far the fastest-growing EPP vendor” in the market. This is due in great part to its 2016 implementation of CylanceProtect with OPTICS, an endpoint detection and response solution that enables users to “see” the root cause of attacks. With the new OPTICS system, Cylance also released a powerful cocktail of updated support for scripted control, memory protection, and application and device control features.

Gartner also praises OPTICS as a highly versatile system that can seamlessly operate on-premise or can be cloud-enabled. As reported by Gartner, Cylance customers related that OPTICS had “easy deployment and management, low-performance impact, and high-execution detection rates against new threat variants.”

Learn more about artificial intelligence for threat detection. 