Security professionals the world over crave compliance management and the ability to pull deep insights from their complex IT environments.
This need was the catalyst for the initial adoption of security information and event management (SIEM), which, since its inception over a decade ago, has provided this and more, including security event management (SEM) – i.e. the real-time analysis of log and event data for improved threat monitoring, event correlation and incident response – and security information management (SIM), which analyses and reports on log data collections. As demand for better, more robust security measures has risen, so too has the adoption of SIEM.
Today SIEM, in conjunction with third-party threat intelligence applications that can monitor and detect external threats, is seen as the foundation for a wider security infrastructure in most large organizations, and is vital in aggregating banks of log data drawn from host systems and applications through to network and security devices (e.g. firewalls and antivirus filters). Following analysis, together with input from a third party that can monitor and detect external malicious threats, SIEM identifies and reports on failed login attempts, malware activity and other likely criminal activity, and alerts the organization when that activity contradicts an existing ruleset, flagging the incident as a potential security hazard.
As SIEM continues to grow in prevalence and sophistication, this post will outline the key business value of the software, its role in a complete security solution, and its shortcomings – and how, by combining SIEM with threat intelligence, organizations can overcome those failings and create a single, secure environment.
The business case for SIEM
SIEM is able to provide centralized analysis and reporting of security events happening across an organization’s perimeter by pooling log data from a range of disparate sources – even sources that lack detection capabilities of their own. In turn, this analysis allows security teams not only to identify attacks that might otherwise have gone unnoticed, but also to avert attacks that are already in progress by ‘talking’ to other security controls and making them change their configurations, ultimately blocking the attack.
Beyond the active diversion of attacks, SIEM allows organizations to simply and efficiently streamline their compliance by aggregating all logged events across the system, saving security teams the valuable time and resources that would otherwise be needed to achieve this. This efficiency is further bolstered by the SIEM’s single-pane, centralized interface, which can aggregate and present event data, speed up the containment of malicious activity, and significantly reduce any potential damage.
Combining SIEM and threat intelligence
While SIEM alone may boast a host of security features, the software is only as effective as the information it receives. When it comes to identifying who is targeting your organization, and from where, or if your corporate network is compromised or your brand or VIPs are being impersonated, SIEM alone won’t cut it.
Without this, a SIEM fed unvalidated data cannot assemble the full picture on its own, leaving security teams with the unenviable task of wading through potentially thousands of false positives in search of a legitimate picture of whatever security event has taken place. It’s a laborious process that still doesn’t guarantee organizations will pinpoint what sensitive information has been leaked, whether credentials are compromised, and how they may be used to commit fraud.
This is not to say SIEM doesn’t have a place in the modern enterprise: rather, in order to maximise its capabilities, it must be supported by sophisticated threat intelligence. By integrating the two, organizations can benefit from prioritized alerts and altogether more reliable SIEM insights and alerts.
Often, SIEM solutions collate so much information that they struggle to differentiate between urgent alerts and possible false positives, leading to unwanted alert fatigue. Supported by a modern threat intelligence platform, these alerts can also be analysed with user and entity behaviour analytics, resulting in more precise alerts and eliminating false alarms. Essentially, by combining SIEM and threat intelligence, security teams can benefit from shared knowledge and more precise indicators of attacks as they happen.
Threat data, whatever its form, must be considered through a global lens. So, while SIEM may be able to identify possible threats from one perspective, organizations really need to add threat intelligence to the equation if they’re to widen their scope and better observe potential security events from all angles. After all, SIEMs are typically only able to flag pre-identified threats: if an attacker uses a new tool that the SIEM does not recognize, the organization will be unable to detect the evolved threat and will undoubtedly fall victim to it as a result. Similarly, without added threat intelligence, SIEMs fall short on establishing the intent of an attacker and cannot deduce their next move or motive from the behaviour observed so far.
In addition to all of the above, a threat intelligence system worth its salt to a modern business must deliver modular, targeted, actionable insights rather than unnecessary and costly false positives. Using Blueliv’s own Threat Compass or its MRTI feed, organizations can benefit from frictionless integration through APIs (application programming interfaces) and plugins, ensuring all stakeholders – be they CISOs or the wider SOC team – receive real-time results and relevant insights into their priority objectives. Ultimately, threat intelligence such as this allows organizations to handle millions of legitimate threat indicators from a plethora of sources, in turn enabling them to pull actionable intelligence, in real time, at the exact moment they need it. By complementing threat intelligence with mature, flexible APIs, SOC teams can further enhance their SIEM.
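As an added illustration (example code written for this post, not Blueliv's code or any product's API), the following Python script walks through the two stages the post contrasts: the correlation rules a SIEM applies over internal log data alone (failed logins, rulesets), and the enrichment step in which a machine-readable indicator set reprioritises those alerts and surfaces an outbound connection that no internal rule would have flagged. The log lines, the indicators with their confidence values and tags, the brute-force threshold and the scoring bands are all constructed for illustration and are not drawn from any real feed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in a syslog-like key=value layout; not real data.
SAMPLE_LOGS = """\
2024-01-10T09:00:01Z sshd auth_failure user=alice src=203.0.113.7
2024-01-10T09:00:04Z sshd auth_failure user=alice src=203.0.113.7
2024-01-10T09:00:09Z sshd auth_failure user=alice src=203.0.113.7
2024-01-10T09:00:12Z sshd auth_failure user=alice src=203.0.113.7
2024-01-10T09:00:15Z sshd auth_failure user=alice src=203.0.113.7
2024-01-10T09:00:20Z sshd auth_failure user=bob src=198.51.100.9
2024-01-10T09:00:23Z sshd auth_failure user=bob src=198.51.100.9
2024-01-10T09:00:27Z sshd auth_failure user=bob src=198.51.100.9
2024-01-10T09:00:31Z sshd auth_failure user=bob src=198.51.100.9
2024-01-10T09:00:35Z sshd auth_failure user=bob src=198.51.100.9
2024-01-10T09:01:00Z sshd auth_success user=alice src=203.0.113.7
2024-01-10T09:05:00Z proxy connect dst=192.0.2.44 host=files.example
2024-01-10T09:06:00Z proxy connect dst=192.0.2.45 host=updates.example
"""

# Constructed threat-intel indicators in the shape a machine-readable feed
# might deliver: indicator -> (confidence 0-100, tag). Hypothetical values.
TI_INDICATORS = {
    "203.0.113.7": (90, "credential-stuffing"),
    "192.0.2.44": (70, "malware-c2"),
}

BRUTE_FORCE_THRESHOLD = 5   # failures from one source ...
BRUTE_FORCE_WINDOW_S = 60   # ... within this many seconds

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<prog>\S+) (?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_logs(text):
    """Turn raw log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        ev = {"ts": ts.replace(tzinfo=timezone.utc),
              "prog": m.group("prog"), "event": m.group("event")}
        ev.update(KV_RE.findall(m.group("rest")))
        events.append(ev)
    return events


def correlate(events):
    """SIEM-style rules over internal data alone (no threat intel yet)."""
    alerts = []
    failures = defaultdict(list)   # src -> recent failure timestamps
    flagged = set()                # sources already reported for brute force
    for ev in events:
        if ev["prog"] != "sshd":
            continue
        src = ev.get("src")
        if ev["event"] == "auth_failure":
            recent = [t for t in failures[src]
                      if (ev["ts"] - t).total_seconds() <= BRUTE_FORCE_WINDOW_S]
            recent.append(ev["ts"])
            failures[src] = recent
            if len(recent) >= BRUTE_FORCE_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append({"rule": "ssh_brute_force", "indicator": src,
                               "user": ev.get("user"), "score": 40})
        elif ev["event"] == "auth_success" and src in flagged:
            # A success right after a burst of failures is the worrying case.
            alerts.append({"rule": "success_after_brute_force", "indicator": src,
                           "user": ev.get("user"), "score": 70})
    return alerts


def enrich(alerts, events, indicators):
    """Add threat-intel context: boost alerts whose indicator is known, and
    surface outbound connections to known-bad destinations that no internal
    rule would flag on its own."""
    enriched = []
    for a in alerts:
        a = dict(a, tag=None)
        hit = indicators.get(a["indicator"])
        if hit:
            confidence, tag = hit
            a["score"] = min(100, a["score"] + confidence // 2)
            a["tag"] = tag
        enriched.append(a)
    for ev in events:
        if ev["prog"] == "proxy" and ev["event"] == "connect":
            hit = indicators.get(ev.get("dst"))
            if hit:
                confidence, tag = hit
                enriched.append({"rule": "outbound_to_ti_indicator",
                                 "indicator": ev["dst"], "user": None,
                                 "score": confidence, "tag": tag})
    return enriched


def priority(score):
    """Constructed scoring bands; a real SOC would tune these."""
    return "high" if score >= 70 else "medium" if score >= 40 else "low"


def triage(log_text, indicators):
    """Full pipeline: parse -> correlate -> enrich -> rank for the analyst."""
    events = parse_logs(log_text)
    alerts = enrich(correlate(events), events, indicators)
    for a in alerts:
        a["priority"] = priority(a["score"])
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in triage(SAMPLE_LOGS, TI_INDICATORS):
        print(f'{a["priority"]:6} {a["score"]:3} {a["rule"]:26} '
              f'{a["indicator"]:13} {a["tag"]}')
```

Run on the constructed input, the two brute-force bursts look identical to the internal rules (both score 40); only after enrichment does the burst from the feed-listed source rise to the top with its tag attached, while the connection to 192.0.2.44, which no internal rule touched, appears as its own alert and the unlisted 192.0.2.45 stays silent.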
When used in conjunction with threat intelligence, SIEM allows organizations to better manipulate their threat data whilst improving the baseline capabilities of the SIEM software, resulting in an all-round more mature security system that can smartly identify and prioritize security threats.
SIEM and threat intelligence – the building blocks of a sturdy security strategy
For organizations looking to take their security measures to the next level, SIEM is a necessary starting point – not the end goal. The software is able to correlate internal data to create automated alerts and endpoint barriers, but its effectiveness as a whole security solution ends there. Only by complementing their SIEM solution with threat intelligence can organizations truly prepare themselves for whatever new and innovative threats may come their way.