SIEM – What is it? Do you need it and Why?

What is it?
Your insurance company may ask if you have one, your cybersecurity vendor may try to sell you one, and articles talk about them, but what really is a SIEM?

We can start with the easy part: SIEM is pronounced either "SIM" or "SEEM" (SIM is the most common pronunciation). SIEM stands for Security Information and Event Management. That is a roundabout way of saying it collects, digests, and alerts on the logs from every device in an environment. Computers, servers, switches, firewalls… you get the idea. Any time an "event" occurs it gets logged, and the SIEM's job is to take that log and send it to a repository where it is stored, discarded, or turned into an alert.

Why should I care?
What does this mean, and why should you care? Well, for a managed SOC (Security Operations Center) like the one I run at Aqueity, this provides wildly useful information. We call it the smoke before the fire. All attempted and failed logins to computers, servers, and firewalls are recorded and sent over to our portal. The processes that run within programs and software on a given device are analyzed, and depending on the actions a program or process takes, an alert can appear in the SIEM. This allows us to correlate attempted or successful breaches and attacks on a company, and we can use the same logs to find out why a piece of software is failing and what might be killing the process. It is data. How the data is used, and why the data is important, is the difficult aspect. You do not want an alert for every action that occurs on every device, because you would be inundated with thousands of alerts per second. We call this part "tuning": like a car or a piano, the SIEM needs to be tuned to run appropriately and make the right noises for the right reasons.

Without diving into what those noises and reasons are, we should talk about why more people are talking about SIEM tools and why compliance organizations and insurance companies want you to have one. When it comes to DFIR (Digital Forensics and Incident Response), a SIEM and the logs it holds are the "clues" needed to investigate a digital crime such as a data breach or ransomware. Knowing who was behind an attack, whether a malicious insider, a criminal, or a nation state, and how they carried it out is important for insurance companies and law enforcement. It also helps defenders and incident responders learn who got in, how they did it, and how to stop them. A SIEM warns of unauthorized access, and custom detection rules can be written to catch breaches early and to find vulnerable programs and processes. In short, a SIEM is the security camera system that functions as both a deterrent and a record keeper of what happens in your "home."
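The "tuning" and "custom rules" described above are easier to grasp with a small working illustration. The following Python example is added here and is not Aqueity's code or the product of any particular SIEM; the log lines, field layout, rule names, and the five-failures-in-five-minutes threshold are all constructed for the demonstration. It parses a handful of authentication events, shows what an untuned "alert on every failed login" rule produces, and then applies two tuned rules: a burst of failed logins from one source against one host, and a successful login from that source shortly after such a burst (the correlation an analyst actually wants to see).

```python
"""Toy SIEM collect/digest/alert loop showing untuned versus tuned alerting.

Added example, not production code. Log format, hosts, addresses, users and
thresholds below are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real data). One login attempt per line.
SAMPLE_LOGS = """\
2024-05-01T08:00:01 host=fs01 src=10.0.0.5 user=alice action=login result=failure
2024-05-01T08:00:05 host=fs01 src=10.0.0.5 user=alice action=login result=success
2024-05-01T08:01:00 host=fs01 src=10.0.0.99 user=admin action=login result=failure
2024-05-01T08:01:10 host=fs01 src=10.0.0.99 user=admin action=login result=failure
2024-05-01T08:01:20 host=fs01 src=10.0.0.99 user=admin action=login result=failure
2024-05-01T08:01:30 host=fs01 src=10.0.0.99 user=admin action=login result=failure
2024-05-01T08:01:40 host=fs01 src=10.0.0.99 user=admin action=login result=failure
2024-05-01T08:01:50 host=fs01 src=10.0.0.99 user=admin action=login result=failure
2024-05-01T08:02:00 host=fs01 src=10.0.0.99 user=admin action=login result=success
2024-05-01T09:00:00 host=fs01 src=10.0.0.7 user=bob action=login result=failure
2024-05-01T10:00:00 host=fs01 src=10.0.0.7 user=bob action=login result=failure
2024-05-01T11:00:00 host=fs01 src=10.0.0.7 user=bob action=login result=failure
2024-05-01T11:00:30 host=fs01 src=10.0.0.7 user=bob action=login result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) action=login result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    src: str
    user: str
    result: str  # "success" or "failure"


@dataclass(frozen=True)
class Alert:
    rule: str
    ts: datetime
    host: str
    src: str
    user: str


def parse_logs(text: str) -> list[Event]:
    """The 'collect' step: turn raw lines into structured events, skipping junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a real SIEM would count unparsed lines; we just drop them
        events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                            m["src"], m["user"], m["result"]))
    return events


def untuned_alerts(events: list[Event]) -> list[Alert]:
    """Naive rule: every failed login is an alert. This is the noise problem."""
    return [Alert("failed login", e.ts, e.host, e.src, e.user)
            for e in events if e.result == "failure"]


def tuned_alerts(events: list[Event], threshold: int = 5,
                 window: timedelta = timedelta(minutes=5)) -> list[Alert]:
    """Tuned rules: alert on a burst of failures per (source, host), and on a
    success from that source shortly after a burst. One burst yields one alert."""
    recent: dict[tuple[str, str], deque[datetime]] = defaultdict(deque)
    burst_at: dict[tuple[str, str], datetime] = {}
    alerts: list[Alert] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.src, e.host)
        if e.result == "failure":
            q = recent[key]
            q.append(e.ts)
            while q and e.ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                alerts.append(Alert("failed-login burst", e.ts, e.host, e.src, e.user))
                burst_at[key] = e.ts
                q.clear()  # reset so the same burst does not re-alert every event
        elif e.result == "success":
            if key in burst_at and e.ts - burst_at[key] <= window:
                alerts.append(Alert("success after burst", e.ts, e.host, e.src, e.user))
                del burst_at[key]
    return alerts


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print(f"{len(evs)} events, {len(untuned_alerts(evs))} untuned alerts")
    for a in tuned_alerts(evs):
        print(f"{a.ts.isoformat()} {a.rule}: src={a.src} host={a.host} user={a.user}")
```

With the constructed input, the untuned rule emits ten alerts, including alice's single typo and bob's three failures spread across the morning, while the tuned rules emit two: the burst against the admin account and the success that followed it. That is the whole point of tuning: the analyst sees the smoke, not every spark.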

Do I need one?
So, the last question is "Do I need one?" and the answer really depends on your company. First, do you have to abide by the rules of a governing body, or does a regulatory agency set standards for your industry? If you do, and a SIEM is on the list of requirements, the answer is obvious. But what if you fall outside those requirements? Do you manage substantial amounts of sensitive data, personally identifiable information, or personal health information? Do you have contractors or non-direct employees in your enterprise with access to sensitive information? Are you in a highly litigious industry? Do you have a large number of devices, employees, or data that you are trying to protect and monitor? If you can say yes to any of those questions, I would highly recommend a SIEM to monitor your environment, with a corresponding SOC to manage, digest, and dispose of alerts as they come through. To be clear, monitoring and maintaining a SIEM is not something your standard IT team has the time or the resources to add to its plate; a dedicated security operations center focused on deploying and monitoring the SIEM is the correct choice. Whether you build a SOC internally or hire a managed SOC or MSSP (Managed Security Services Provider) is an organizational choice that I will dig into in a later post, but for now, know that these critical skills and tools are becoming more necessary in the current threat landscape to protect your business environment.

For all your Cybersecurity needs, Aqueity Shield is here to help!