We’ve Got This: Security Monitoring with a SIEM

Sep 9, 2020 | Managed Services

These days, organizations are forced to navigate uncertain waters, resources are stretched as thin as ever, and workers are adapting to new workstyles. Through it all, Peters & Associates wants you to know that we have your back. As part of our 6-part webinar series, every two weeks we’ll be sharing solutions for supporting, managing, and securing your IT environment – whether workers are back in the office or working from home. Check out the schedule below to catch up on webinars that you’ve missed or register for our remaining webinars.

On September 9th, we held our sixth and final webinar in our series, Advanced Security Monitoring with a SIEM. During that presentation we discussed the importance of security monitoring, how a Security Information and Event Management (SIEM) platform detects suspicious behavior, and how Peters & Associates helps our clients respond quickly to cyber incidents and maintain compliance. Read on to get caught up or check out the full recording below.

The Importance of Security Monitoring

Throughout our “We Got This: Essential Managed Services” webinar series we’ve covered different ways that we help organizations to secure their business. As we did a couple of times during our series, let’s turn to the National Institute of Standards and Technology (NIST) Cyber Security Framework.

Solutions like Patch Management and Endpoint Protection help to Protect our IT environments to prevent a breach. Solutions like Managed Backup & Recovery help businesses to quickly Recover from a disaster or security breach. One of the most overlooked components of cyber security strategy, especially for small and mid-sized businesses, is Detect. What do we mean by “detect” and why is it so important?

When we talk about detection in cyber security, we are referring to the need to identify and alert on potential breaches. The earlier an organization can detect a breach, the earlier it can begin its incident response plan. The security industry tracks a statistic known as “dwell time.” Dwell time is the amount of time from when an attacker first breaches your network until the attacker is removed. According to the Ponemon Institute’s 2017 Cost of Data Breach Study, there is a positive correlation between the length of time that an attacker is in the network and the expense of recovery. The table below from this study compares the cost when containment takes less than 30 days with the cost when containment takes longer than 30 days.

How does a SIEM help organizations? Essentially the top 3 ways are:

  1. Time savings for log collection/review. We all know it’s important, but who has cycles to look at Active Directory and firewall logs as well as servers and devices nowadays? One of the main tenets of a SIEM is collecting and parsing log files from across the IT environment. This includes devices that are integral to security like an organization’s firewall or Active Directory. Most organizations should also include external-facing devices like web servers and critical infrastructure like core switches. The SIEM can also preserve log files for a period of time, allowing an organization to turn back the time dial to when an event occurred.
  2. Injecting anomaly-based detection into the review process. Humans are not as good as machines when it comes to noticing strange log entries. Relying on programmed rules and machine learning, the SIEM will parse logs to alert on suspicious behavior. However, these solutions go beyond simple log aggregation and parsing. The real strength of a SIEM is log correlation. That is, the ability to review activity taking place across different devices in your environment and understand how they might be related. For instance, a successful authentication to your VPN would not raise a red flag. However, a successful authentication to your VPN, followed shortly by a successful authentication against an internal domain controller with the same credentials, could indicate an attack.
  3. Behind every good SIEM implementation is a good human response team. While the SIEM is designed to surface events worthy of attention, the response team is responsible for determining how to react. Having access to a 24×7 Security Operations Center (SOC) and a response team responsible for quick reaction in the event of an incident or breach is critical. The human element is key to helping move smoothly from the Detect portion of NIST’s Cyber Security Framework into the Response area.
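To make the VPN-then-domain-controller correlation in item 2 concrete, here is an added example (not code from the webinar or from Peters & Associates’ SIEM): a minimal two-source correlation rule evaluated over constructed log lines, using an assumed 10-minute window and an assumed log format.

```python
"""Correlate VPN logins with follow-on domain-controller logons.

Added example, not from the webinar: a minimal two-source correlation rule
of the kind a SIEM evaluates. Log lines, field names and the window are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed: how soon a DC logon must follow VPN auth

# Constructed sample logs: "<timestamp> <source> <event> user=<name> src=<ip>"
SAMPLE_LOGS = """\
2020-09-09T08:01:10 vpn AUTH_OK user=alice src=203.0.113.7
2020-09-09T08:03:42 dc LOGON_OK user=alice src=10.0.0.25
2020-09-09T09:15:00 vpn AUTH_OK user=bob src=198.51.100.9
2020-09-09T11:40:00 dc LOGON_OK user=bob src=10.0.0.30
2020-09-09T12:00:00 dc LOGON_OK user=carol src=10.0.0.31
"""

def parse(line):
    """Split one constructed log line into a dict of fields."""
    ts, source, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "event": event, **fields}

def correlate(log_text, window=WINDOW):
    """Return one alert per DC logon that follows the same user's VPN auth within window."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    vpn_auths = defaultdict(list)          # user -> timestamps of successful VPN auths
    for e in events:
        if e["source"] == "vpn" and e["event"] == "AUTH_OK":
            vpn_auths[e["user"]].append(e["ts"])
    alerts = []
    for e in events:
        if e["source"] != "dc" or e["event"] != "LOGON_OK":
            continue                       # a VPN auth alone never alerts
        for vpn_ts in vpn_auths.get(e["user"], []):
            if timedelta(0) <= e["ts"] - vpn_ts <= window:
                alerts.append({"user": e["user"], "vpn_at": vpn_ts,
                               "dc_at": e["ts"], "dc_src": e["src"]})
                break
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"ALERT: {a['user']} VPN {a['vpn_at']} -> DC {a['dc_at']} from {a['dc_src']}")
```

With the sample data only alice trips the rule; bob’s DC logon is hours after his VPN auth and carol never used the VPN, so neither source alone produces an alert.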

Essential Managed Services: PULSE Alarm Managed SIEM

Implementing, maintaining, and monitoring a SIEM requires experienced staff familiar with security logs. A SIEM is not a “set-it-and-forget-it” technology platform. Regular maintenance is required to ingest and parse security logs from new devices and services. Additionally, tuning is necessary to reduce the “noise” of the system. Beyond regular system maintenance, 24×7 response helps to limit the scope of a cyber security attack.

Peters & Associates provides monitoring, alerting, and response to our clients as part of our PULSE Alarm Managed SIEM program. P&A responds to alerts 24×7, working with our customers to identify the threat and remediate the issue. In addition to continuous management, P&A provides quarterly external vulnerability scanning to identify system weaknesses before they can be exploited.

Our team can help to identify security breaches early to limit the damage. Meanwhile, you can focus your energy on supporting your employees and advancing your organization.
