While conducting enterprise Cyber Security Assessments for customers, consultants at Elliott Davis find that many organizations are not monitoring their networks for system and security events. Awareness of these events is crucial to an organization’s ability to monitor the health and status of its information systems and to mitigate threats in a timely manner. In fact, many organizations that seek out our services are unaware of the capabilities of a Security Information and Event Management (SIEM) solution.
What’s a security event?
A security event is something that has occurred in an organization that can have a potential impact on its security posture. Examples include a system administrator changing a privileged group, a user account being locked out, or something as mundane as a user logging into an organization’s Virtual Private Network (VPN). These are the same events system administrators and security analysts rely on when conducting forensic investigations during incident response. Organizations that do not capture these security events make it nearly impossible to determine what happened during a security incident. With these events, it’s possible to trace a security incident and build a timeline, which is crucial to understanding what happened and reaching a resolution.
Elliott Davis consultants have been involved in assisting and leading incident response and forensic exercises for organizations of all sizes. Effective incident response programs take a proactive approach to gathering and analyzing security events. Adversaries understand the value of these logs and utilize tactics to cover their tracks by deleting and clearing these logs from local systems they compromise. Capturing and forwarding security events to a centralized aggregation point prevents an attacker from easily clearing these logs.
How do SIEMs help address this?
A Security Information and Event Management system, or SIEM (pronounced “SIM”, with a silent e), allows organizations to consolidate and analyze their logs in a central location. An organization’s IT systems and applications have the capability to generate logs that document and monitor the actions taking place on those systems. Most systems can then be configured to forward these events to a centralized system for storage and analysis. Using these events, system administrators, security analysts, and application engineers can get a better understanding of the activity that has occurred on an organization’s systems.
A practical use case for a SIEM is monitoring account lockout events. Security analysts can use these events to identify and thwart adversaries who are hunting for weak passwords. Being proactive, instead of reactive, to system events allows analysts to respond more quickly instead of waiting until it’s too late.
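The lockout use case above, as an added example that is not Elliott Davis code or any SIEM product’s rule syntax: it assumes lockout events have already been forwarded to a central SIEM and normalised into records carrying a timestamp, the locked account and the source host (the fields of Windows Security Event ID 4740, “A user account was locked out”), and it flags a source that locks out several distinct accounts in a short window, which separates one user’s forgotten password from someone guessing passwords.

```python
"""Detect bursts of account lockouts from one source in normalised SIEM records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, shaped like SIEM-normalised Windows Security records.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:05", "event_id": 4740, "account": "jsmith", "source": "WS-0412"},
    {"ts": "2024-03-01T08:00:41", "event_id": 4740, "account": "mjones", "source": "WS-0412"},
    {"ts": "2024-03-01T08:01:10", "event_id": 4740, "account": "rlee",   "source": "WS-0412"},
    {"ts": "2024-03-01T08:01:55", "event_id": 4740, "account": "akhan",  "source": "WS-0412"},
    # A single lockout from another host: almost certainly a forgotten password.
    {"ts": "2024-03-01T09:30:00", "event_id": 4740, "account": "bwhite", "source": "WS-0077"},
    # A successful logon (4624) is not a lockout and must be ignored.
    {"ts": "2024-03-01T09:31:00", "event_id": 4624, "account": "bwhite", "source": "WS-0077"},
]


def lockout_alerts(events, window=timedelta(minutes=10), threshold=3):
    """Return one alert per source host that locked out `threshold` or more
    distinct accounts within any sliding window of length `window`."""
    by_source = defaultdict(list)
    for ev in events:
        if ev.get("event_id") != 4740:  # only lockout events matter here
            continue
        by_source[ev["source"]].append((datetime.fromisoformat(ev["ts"]), ev["account"]))

    alerts = []
    for source, items in by_source.items():
        items.sort()  # oldest first, so the window can slide forward
        start = 0
        for end in range(len(items)):
            # Advance the left edge until the span fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            accounts = {acct for _, acct in items[start:end + 1]}
            if len(accounts) >= threshold:
                alerts.append({"source": source, "accounts": sorted(accounts),
                               "first": items[start][0].isoformat(),
                               "last": items[end][0].isoformat()})
                break  # one alert per source is enough to page an analyst
    return alerts


if __name__ == "__main__":
    for a in lockout_alerts(SAMPLE_EVENTS):
        print(f"ALERT {a['source']}: {len(a['accounts'])} accounts locked out "
              f"between {a['first']} and {a['last']}: {', '.join(a['accounts'])}")
```

The window and threshold are tuning knobs; the same logic keyed on the source host rather than the account is what keeps the lone self-lockout from paging anyone.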
How much does a SIEM cost?
While there are many SIEM solutions for organizations to choose from, the barrier to entry has historically been the significant cost of operating one. In recent years, an open-source solution called Graylog has become a cost-effective option for organizations to adopt and implement. The Graylog SIEM is a feature-rich solution that can scale out for large organizations while still being easy for a small or medium-sized business with limited IT staff to implement. Alongside log aggregation and notifications, dashboards can be configured to monitor and analyze system events from a central “Mission Control” interface. While Graylog does offer a subscription option for its software, many organizations successfully run the open-source edition to handle all their logging needs and requirements.
There are also excellent commercial options in the SIEM industry. Leaders in this area include QRadar, Splunk, and LogRhythm, whose products offer more “out of the box” alerting and tuning options. Pricing for these solutions is usually subscription-based and determined by how many logs are processed or stored by the solution.
We can help
Our Digital Team is ready to assist organizations with their SIEM solutions in varying capacities. This can include assisting in evaluating and establishing a new SIEM platform, replacing a solution that is not meeting organizational needs, or fine-tuning the solution already in place. Our consultants have decades of experience as IT practitioners and are ready to assist. For more information on SIEM services for your business, contact a member of the Elliott Davis Digital Practice.
The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.