OBELUS-SIEM

Why You Need SIEM?

Security information and event management (SIEM) Tool gives security professionals both insight into and record of various activities within their IT environment. It’s a technology that together, provides a centralized view into a network’s infrastructure. SIEM provides data analysis, event correlation, aggregation and reporting, as well as log management. SIEM technology has become a critical component of a comprehensive security strategy in today’s threat environment.

So why do you need SIEM? The short answer: If you suffer a breach and you are asked What happened? you don’t want your answer to be I don’t know. But let’s take a look at the more reasons for having SIEM.

Why you need siem
regulatorycompliance

Regulatory Compliance

Some of the major drivers behind why companies deploy SIEM technologies, and why you need a SIEM are:

  • Compliance obligations (HIPAA, SOX, PII, NERC,COBIT 5 ,FISMA, PCI, etc.)
  • Gaining and maintaining certifications (such as ISO 27000, ISO 27001, ISO27002 and ISO 27003)
  • Log management and retention
  • Continuous monitoring and incident response
  • Case management or ticketing systems
  • Policy enforcement validation and policy violations

Incident Detection

SIEM enables the detection of incidents that otherwise would go unnoticed. Not only can this technology notify/log on security events, they have the ability to analyse the log entries to identify signs of malicious activity by gathering and correlating events from all of the sources across the network, a SIEM can help to reconstruct the sequence of events to determine what the nature of the attack was and whether or not it succeeded.

While a SIEM cannot directly stop an attack, it can communicate with other network security controls and towers, such as firewalls, proxy, Endpoint, and direct them to alter their configurations so as to block the malicious activity. An organization can also choose to have its SIEM consume threat intelligence feeds from trusted external sources. If the SIEM detects any activity involving a known threat, it can then alert and help to take actions to terminate those connections or interactions to proactively prevent an attack from occurring proactively.

incident Detection
incident Management

Incident Management

An SIEM solution can significantly increase the efficiency of incident handling, saving your security teams time and resources. More efficient incident handling finally helps to speed up incident containment, therefore reducing the amount of damage that many threat cause to an IT environment. A SIEM improves efficiency by:

  • Allowing a security professional to quickly identify an attack’s.
  • Enabling rapid identification of all sources that were affected by a particular attack.
  • Speed us the process of incident detection & mitigation to stop attacks that are still in progress.

What you need to know about implementing a SIEM?

Service Stragey

Define your vision, or what services will the SIEM provide as a whole. This could be simple or complex. It’s best to start simple by defining a common sense set of objectives. The 10 common use cases could be a good starter.

Service Design

After analysing all of the business requirements, now you begin to align your SIEM\SOC expectations and deployment initiatives with the business. Define your metrics to be used as your KPIs. These will be the core functions of the SIEM, or the “SIEM service catalogue.”

Service Transition

This is pretty self-explanatory but I will touch on it anyway because many implementations fail in this stage. Basically, SOC or SIEM operators should be made aware of changes in the environment.

Service Operations

The core functions described in ‘Service Design,’ are now shown as how they will be provided – define responsibility, communication and SLAs and OLAs if possible.

Continual Service Improvement

A review of all data gathered and based on KPI and other related metrics redefine or refine services. Processes and procedures. This is the best opportunity for verification and validation of data gathered using manual or GRC methods and mechanisms.