What Louisville Businesses should know about SIEM Solutions

The information technology industry infamously loves acronyms. Now you can add SIEM (pronounced sim) to the ever-growing list of technologies for which there’s yet another abbreviation. But don’t discount SIEM—Security Information and Event Management—as an obscure technology. Businesses, and especially midsize and enterprise firms, implement SIEM solutions to better detect and analyze both internal and external cyberthreats throughout their organizations.

Just what does a SIEM do? 

While individual providers offer a variety of features and capabilities, SIEM offerings typically fulfill several essential functions. Businesses deploy SIEM solutions to better protect their organizations against breaches, compromises, infections and exploitation by collecting and analyzing security event information, including server, system and application log files as well as network traffic data. SIEM technologies sift through this information both in real time and over longer periods to detect unusual patterns and identify cyberattacks that might otherwise go unnoticed.

SIEM solutions’ event collection, risk detection and reporting capabilities also help organizations comply with industry and governmental regulations. In addition to generating comprehensive reports from collected systems and network data, SIEM offerings retain important event information, power customizable dashboards, support threat management workflows, surface alerts and aid investigations when threats are detected.

Because SIEM technologies analyze security information both in real time and historically, they can play an important role in detecting suspicious activity and potential threats that cybersecurity personnel might otherwise miss. By working with large amounts of data collected from servers, network devices, applications and even antimalware software, SIEM solutions not only detect and store security event information but also identify trends, discover correlations across sources and otherwise make sense of the data.

How does SIEM protect your business?

It’s for these reasons that businesses deploy SIEM platforms: to better protect their networks, systems and data by collecting security event information from across the organization, analyzing it both in real time and in a historical context, generating security event reports (including for compliance purposes), creating security event dashboards, assisting security monitoring and response workflows and integrating security event detection and reporting with other cybersecurity protection and response tools.

Which providers offer a SIEM solution? 

Numerous providers offer SIEM services. The following is but a sampling of vendors offering SIEM solutions:

What SIEM isn’t 

Without splitting hairs, the cybersecurity sector is rapidly evolving, and it’s important to also understand what SIEM solutions are not. SIEM solutions are not just SIM offerings, or Security Information Management tools, which typically assist in analyzing and reporting on historical security event information. Security event logs collect so much data from so many sources that cybersecurity professionals can be overwhelmed; SIM products were developed to help overcome that challenge.

Nor are SIEM solutions only a SEM (Security Event Management) service, which analyzes and reports solely on real-time security event information. For example, a SEM service generates real-time alerts for cybersecurity administrators, such as when a user unexpectedly obtains elevated admin privileges on the network, as the CSO site for technology security professionals notes. SIEM solutions are also not Extended Detection and Response (XDR) or Managed Detection and Response (MDR) solutions. Those technologies are commonly deployed alongside SIEM offerings to automate cyberthreat protection, detection and response. Increasingly, vendors are integrating SIEM solutions with XDR and MDR platforms, and even Security Orchestration, Automation and Response (SOAR) offerings, to provide comprehensive cyberthreat coverage, analysis, detection and automated response.
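To make the distinction concrete, the following Python sketch is an added example (not code from Louisville Geek or from any SIEM vendor named on this page). It shows what a SIEM does with the log data described in the earlier sections: it normalizes events from two different sources (Windows Security log lines and Linux auth log lines) into one schema, applies a SEM-style real-time rule that fires on a single event (the “user unexpectedly gains admin privileges” alert mentioned above), and then applies a SIM-style correlation rule that looks back over a time window to link that grant to the account’s subsequent privileged activity on other hosts. All log lines are constructed for illustration; the host names, user names and IP addresses are assumptions. Event IDs 4728 (member added to a security-enabled global group) and 4624 (account logon) are the standard Windows Security log IDs.

```python
"""Minimal SIEM-style normalization and correlation over constructed log lines.

Added example, not vendor code. Shows the two analysis modes a SIEM combines:
a real-time single-event rule (SEM) and a historical correlation rule (SIM).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Event:
    """Common schema every source is mapped onto before any rule runs."""
    ts: datetime
    host: str
    user: str
    action: str   # privilege_grant | remote_logon | sudo_root | other
    detail: str


# Constructed sample input (not captured from a real environment).
WINDOWS_LOGS = [
    "2024-05-01T09:00:05Z host=DC01 EventID=4728 Subject=alice Member=bob Group=Domain Admins",
    "2024-05-01T09:03:40Z host=DC01 EventID=4624 User=bob LogonType=10 SrcIP=203.0.113.7",
    "2024-05-01T08:55:00Z host=DC01 EventID=4624 User=alice LogonType=2 SrcIP=10.0.0.5",
    "2024-04-30T16:00:00Z host=DC01 EventID=4728 Subject=alice Member=carol Group=Domain Admins",
]
LINUX_LOGS = [
    "2024-05-01T09:10:12Z host=web01 sshd[1201]: Accepted password for bob from 203.0.113.7 port 51522 ssh2",
    "2024-05-01T09:10:30Z host=web01 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/passwd root",
    "2024-05-01T09:12:00Z host=web01 sudo: carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "2024-05-01T08:59:59Z host=web01 CRON[999]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Every line in this toy format starts with an ISO timestamp and a host field.
_TS = r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) host=(?P<host>\S+) "
WIN_4728 = re.compile(_TS + r"EventID=4728 Subject=(?P<subject>\S+) Member=(?P<user>\S+) Group=(?P<group>.+)$")
WIN_4624 = re.compile(_TS + r"EventID=4624 User=(?P<user>\S+) LogonType=(?P<ltype>\d+) SrcIP=(?P<ip>\S+)$")
SSH_OK = re.compile(_TS + r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO = re.compile(_TS + r"sudo: (?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(line: str) -> Optional[Event]:
    """Map one raw line from any supported source onto the shared schema."""
    if m := WIN_4728.match(line):
        return Event(_ts(m["ts"]), m["host"], m["user"], "privilege_grant",
                     f"added to {m['group']} by {m['subject']}")
    if m := WIN_4624.match(line):
        # LogonType 10 is RemoteInteractive (RDP); other types are not of interest here.
        action = "remote_logon" if m["ltype"] == "10" else "other"
        return Event(_ts(m["ts"]), m["host"], m["user"], action, f"from {m['ip']}")
    if m := SSH_OK.match(line):
        return Event(_ts(m["ts"]), m["host"], m["user"], "remote_logon", f"from {m['ip']}")
    if m := SUDO.match(line):
        action = "sudo_root" if m["target"] == "root" else "other"
        return Event(_ts(m["ts"]), m["host"], m["user"], action, m["cmd"])
    return None  # unparsed lines are dropped, never guessed at


def realtime_alerts(events: Iterable[Event]) -> list[str]:
    """SEM-style rule: fire the moment a single privilege-grant event arrives."""
    return [f"ALERT {e.ts.isoformat()} {e.host}: {e.user} {e.detail}"
            for e in events if e.action == "privilege_grant"]


def correlated_alerts(events: Iterable[Event], window: timedelta = timedelta(hours=1)) -> list[str]:
    """SIM-style rule: a grant followed within `window` by the same account
    exercising the privilege (remote logon or sudo to root), across hosts
    and across log sources. Grants with no follow-up use inside the window
    are left to the real-time rule alone."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts = []
    for g in (e for e in ordered if e.action == "privilege_grant"):
        uses = [e for e in ordered
                if e.user == g.user and e.action in ("remote_logon", "sudo_root")
                and g.ts < e.ts <= g.ts + window]
        if uses:
            hosts = ", ".join(sorted({e.host for e in uses}))
            alerts.append(f"CORRELATED {g.user}: {g.detail} at {g.ts.isoformat()}, "
                          f"then {len(uses)} privileged action(s) on {hosts}")
    return alerts


def run(lines: Iterable[str]) -> tuple[list[Event], list[str], list[str]]:
    """Normalize all lines, then apply both rule types; returns (events, realtime, correlated)."""
    events = [e for e in (normalize(line) for line in lines) if e is not None]
    return events, realtime_alerts(events), correlated_alerts(events)


if __name__ == "__main__":
    evts, rt, corr = run(WINDOWS_LOGS + LINUX_LOGS)
    print(f"{len(evts)} normalized events")
    print("\n".join(rt + corr))
```

Run as written, the real-time rule raises two alerts (bob and carol were both added to Domain Admins), while the correlation rule raises only one: bob’s grant is followed within the hour by an RDP logon to DC01 and an SSH session plus a root sudo on web01, whereas carol’s grant happened the previous day and falls outside the window. That difference is the point of combining the two modes in one platform: the single-event alert is fast but noisy, the correlated alert is what an analyst actually wants to investigate first.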

How are SIEM services deployed and priced? 

SIEM solutions can be purchased and deployed independently by an organization. A business that owns its SIEM is also typically responsible for the platform’s administration and management.

In other cases, SIEM services can be provided by a managed services provider (MSP) or received directly from a SIEM vendor, including as a service. Depending upon the specific deployment, a hardware appliance, software agents or both, as well as cloud services, may be integral components.

SIEM pricing, as is to be expected with any complex and wide-reaching platform, varies by provider and solution. Factors that affect pricing include the deployment type (on-premises versus cloud, for example) and the number of sites, users and security events occurring on the network. While SIEM deployments are typically significant investments, the costs of ownership are often justified by the corresponding cybersecurity management efficiencies, as occurred at the University of Nevada, Las Vegas and Arizona State University with their Splunk deployments.

Top SIEM solutions for Louisville businesses

As technology risks posed by state-sponsored hackers, ransomware attacks, data breaches and even insider threats increase in frequency and severity, businesses’ cybersecurity strategies have necessarily evolved to include sophisticated Security Information and Event Management (SIEM) platforms that help organizations better protect applications, networks and data. Often part of a broader, comprehensive IT security strategy, SIEM solutions collect and analyze security event information from servers, network devices and applications. SIEM platforms analyze network traffic information and other security event data both in real time and over extended periods to detect unusual patterns and identify suspicious activities and cyberattacks, some of which might otherwise go undetected.

Organizations also rely upon SIEM technologies to fulfill other important functions. For example, Security Information and Event Management platforms generate security event activity reports (including for compliance purposes), power security event reporting dashboards, assist monitoring and response workflows and integrate security event detection and reporting within other cybersecurity protection and response tools, including Extended Detection and Response (XDR), Managed Detection and Response (MDR) and Security Orchestration, Automation and Response (SOAR) solutions.

A number of vendors offer SIEM services, including:

Increasingly, SIEM platforms are deployed alongside an MDR solution to provide a robust cyberthreat defense. Arctic Wolf, for example, offers a cloud-based SIEM platform that captures and analyzes log and network traffic information directly from network sensors installed at customers’ premises.

Corresponding advantages resulting from pairing a SIEM platform with an MDR solution can quickly add up. For example, Arctic Wolf notes its “cloud native security operations platform centrally stores all of [a client’s] security logs and telemetry in one place to aid with compliance requirements, but also enriches it with threat intelligence and risk context so it can be used to drive better security outcomes.”

Deploying Arctic Wolf’s or a similar SIEM offering provides harried IT departments with another important advantage: such managed security solutions frequently include detection, forensic investigation, analysis and prioritization assistance from the provider’s seasoned security professionals, available around the clock.

Another approach is to integrate SIEM management within a Cybersecurity-as-a-Service solution. Sophos Central Admin, Sophos’ management portal, for example, includes SIEM integration support. Recognizing that many businesses need assistance making sense of the events and alerts SIEM platforms surface, Sophos and others have built interoperability into their threat response offerings.

Toward that end, Sophos Central includes SIEM integration and supports other vendors’ SIEM platform APIs, permitting events to be exported, retrieved, alerted on and reported within its threat management solution. Sophos states that customers using its Sophos Central platform “consistently say that time and effort spent managing IT security has been reduced by at least 50-percent since moving to Sophos next-gen cybersecurity system managed through Sophos Central.”

The benefits don’t end there. Additional advantages Sophos reports its customers receive include an 85 percent reduction in reported security incidents, a 90 percent reduction in the time required to identify an issue and a 90 percent reduction in the time needed to manage daily IT security administration tasks.

Still have SIEM questions? 

If you still have questions regarding SIEM solutions or wonder whether a SIEM platform is appropriate for your organization, contact Louisville Geek’s technical experts at 502-897-7577 or [email protected]. We’re happy to assist in reviewing your organization’s cybersecurity needs.