By Samantha Agather, Information Security Analyst – Intrinium
Self Help for Security Information and Event Services
Security monitoring is only as good as the data provided to it. Traditionally, event logs that record different activities in information systems are correlated (or used individually) to identify a security event. A security event is an observable occurrence that requires review and potential action based on analysis of the logs and other data sources. Properly managing these alerts can be an overwhelming task, especially if there is no central collector such as a SIEM (Security Information and Event Management) system.
Solutions should go beyond simply acquiring some combination of these devices. Security companies such as Intrinium offer monitoring and management services that move the responsibility for event tracking to a third party, allowing your team to focus on more critical projects.
Ok, so what are the devices?
The SIEM focuses on collecting and collating data from multiple sources, correlating events and alerting according to the thresholds set by the primary user, so that actual security breaches are distinguished from false positives with higher accuracy. It also assists in meeting compliance requirements and data retention goals.
A NIDS device can also be useful when placed strategically on your network. It analyzes the traffic on your network, and some prevention (NIPS) models can even take action: quarantining files, blocking traffic, and so on. Combined with a SIEM, you have an easily searched database of traffic should it become necessary to find logs to trace an incident.
In the case of a breach, the SIEM allows forensic analysis to proceed at a quicker pace by aggregating all the logs related to an incident based on multiple criteria.
What do the solutions/external professionals do?
- The professionals monitor and develop alerting for your company based on the needs and criteria of your organization, combined with their expertise and threat feed knowledge. In the case of a security event, they analyze the severity of the alert and escalate to your company as necessary. They continually develop and maintain alerting, so your organization is given actionable items that map to real organizational risks.
- The SIEM monitors and gathers logs from devices such as your firewall, your network equipment, your servers, and your databases, and then correlates them to detect patterns and separate malicious activity from your normal network flow.
What’s in it for my company?
The SIEM will assist in maintaining compliance, retention, and detection. It reduces the number of staff needed to monitor multiple devices across multiple platforms, and the strain on them. If there is a security incident, the SIEM reduces your time to detection and lets you identify the scope of the incident more accurately. It can also support other IT operational needs.
How it helps keep my company safer:
It can help detect user lockouts and infections, and it can monitor registry entries commonly targeted by malicious code, giving the company a head start on a potential infection. One example is matching firewall logs against DLP logs during an investigation of data egress. Another correlation is a successful login to a critical server shortly after a VPN login from a foreign country.
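The VPN-then-critical-server correlation described above, written out as an added example (not code from the original post or from Intrinium). The log lines, the critical host name, the home-country list and the 15-minute correlation window are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data): VPN concentrator and critical-server auth events.
VPN_LOGS = [
    "2024-03-01T08:02:10Z vpn user=alice src=203.0.113.7 country=DE result=success",
    "2024-03-01T08:05:44Z vpn user=bob src=198.51.100.9 country=US result=success",
    "2024-03-01T09:30:00Z vpn user=carol src=192.0.2.44 country=BR result=failure",
]
SERVER_LOGS = [
    "2024-03-01T08:04:30Z auth host=db-prod-01 user=alice result=success",
    "2024-03-01T08:07:12Z auth host=db-prod-01 user=bob result=success",
    "2024-03-01T09:31:05Z auth host=db-prod-01 user=carol result=success",
]
CRITICAL_HOSTS = {"db-prod-01"}   # assumption: which servers count as critical
HOME_COUNTRIES = {"US"}           # assumption: where the organisation normally logs in from
WINDOW = timedelta(minutes=15)    # assumption: how long after the VPN login to correlate

def parse(line):
    """Turn 'timestamp source k=v k=v ...' into a dict with a parsed timestamp."""
    ts, source, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    return fields

def correlate(vpn_lines, server_lines):
    """Return (user, host, country) for every successful critical-server login that
    follows a successful VPN login by the same user from a non-home country within WINDOW."""
    foreign_vpn = defaultdict(list)
    for ev in map(parse, vpn_lines):
        if ev["result"] == "success" and ev["country"] not in HOME_COUNTRIES:
            foreign_vpn[ev["user"]].append(ev)
    alerts = []
    for ev in map(parse, server_lines):
        if ev["result"] != "success" or ev["host"] not in CRITICAL_HOSTS:
            continue
        for vpn in foreign_vpn.get(ev["user"], []):
            # Only a VPN login that precedes the server login, and not by more than WINDOW, counts.
            if timedelta(0) <= ev["ts"] - vpn["ts"] <= WINDOW:
                alerts.append((ev["user"], ev["host"], vpn["country"]))
                break
    return alerts

if __name__ == "__main__":
    for user, host, country in correlate(VPN_LOGS, SERVER_LOGS):
        print(f"ALERT: {user} logged in to {host} shortly after a VPN login from {country}")
```

Only alice's login is flagged: bob's VPN session came from a home country, and carol's foreign VPN attempt failed, so her later server login has no successful VPN event to correlate with.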
The professionals doing the monitoring are also able to analyze potential alerts and escalate only the critical ones, since they can resolve many on their own without your company's assistance.
Intrinium manages the SIEMs, and the monitoring is overseen by Certified Information Security Professionals. We monitor dozens of companies with countless different brands and types of devices. From firewalls to end-user devices like desktops, this has resulted in thousands of devices from which logs are gathered and leveraged to fine-tune alerts and identify potential risks.
Now let’s help you help your company become more secure:
Consult with a company like Intrinium to discover the best method to protect yourself and your data from those who wish to take it for themselves. Layered security is only the first step, so add monitoring and a data aggregation device to let you focus on other strategic business initiatives.