Eric E.S. Brown | March 12, 2019
Security information and event management (SIEM) is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system. The acronym SIEM is pronounced “sim” with a silent e.
Devices that are connected to a network generate event logs as a part of their normal operation. This gives enterprise security professionals both insight into, as well as a track record of the activities within their IT environment. SIEM software collects and aggregates log data generated throughout the organization’s technology infrastructure, from host systems and applications, to network and security devices such as firewalls and antivirus filters.
Reasons for a Business to Deploy SIEM Technologies
- Compliance obligations (HIPAA, SOX, PII, NERC,COBIT 5, FISMA, PCI, etc.)
- Gaining and maintaining certifications (such as ISO 27000, ISO 27001, ISO 27002 and ISO 27003)
- Log management and retention
- Continuous monitoring and incident response
- Case management or ticketing systems
- Policy enforcement validation and policy violations
BlumShapiro uses a SIEM tool called AlienVault. AlienVault has its own network that monitors the threat landscape around the globe. This platform is called the AlienVault Open Threat Exchange (OTX) and is the world’s most authoritative open threat information sharing and analysis network. OTX provides access to a global community of threat researchers and security professionals, with more than 50,000 participants in 140 countries, contributing over four million threat indicators daily. OTX allows anyone in the security community to actively discuss, research, validate, and share the latest threat data, trends, and techniques.
The AlienVault software then identifies and categorizes incidents and events, then analyzes them. The software delivers on two main objectives:
- Provides reports on security-related incidents and events, such as successful and failed logins, malware activity and other possible malicious activities
- Sends alerts if analysis shows that an activity runs against predetermined rulesets, thus indicating a potential security issue
How Does blum Help Our Clients With This Type of Information?
Many of our clients have internal IT departments that provide day-to-day help desk services and run and maintain their corporate infrastructures. The value that blum provides is in the realm of security and compliance obligations. For example, if client A processes credit cards, what obligations would they have to maintain compliance?
One potential obligation would be to monitor and store the firewall logs for the device that protects the credit card environment for a period up to one year; however, three months of logs would have to be readily available for analysis. The AlienVault tool helps our clients satisfy that requirement by logging all network activity pertaining to this environment. Another benefit is AlienVault’s ability to assist our clients if they were to encounter a breach.
Target Had a Catastrophic Network Breach; How Could This Have Been Prevented?
Target’s security breach, though complicated, wasn’t exactly the most genius hacking event of all time and could have been prevented. Multiple levels of negligence occurred, exposing one in three Americans to identity theft. Investigation into this security breach revealed that Target’s security system, FireEye (SIEM Tool), showed that warnings had been there all along and the security team in Bangalore either missed them, or chose to ignore them. When they finally informed the Target security team in Minneapolis about the breach, the warnings went unheeded. At BlumShapiro we proactively view and work with our client’s internal IT staff to ensure that they are always aware of any suspicious activity.
The Target case illustrates a complete failure in the security incident notification process. An intelligence system can only be of value if the data produced is used to make better decisions.
Listed below are examples of the types of information we regularly review with our CISO as a service clients:
- Network activity report, what countries is data being sent to?
- Wireless report, guest and corporate access report
- Windows active directory issues
- Remote access report, success and failures
- Anti-Virus report and Anti-Malware activity report
Additionally, BlumShapiro would provide guidance on ways to improve the company’s security posture on a monthly or quarterly basis, and assure that it’s aligned with the company’s overall IT strategy.
Should you have any questions related to blum’s SIEM as a Service Products and how it may positively affect you or your business, please contact Eric Brown at 617.221.1917 or ebrown@blumshapiro.com.
