An SIEM is critical to your Cybersecurity planning. Why? There are many ways to secure an organization’s network, but can you depend on any one of them to be 100% reliable? The answer is no. Zero-day exploits, fileless malware, phishing, social engineering, brute-force attacks, lost or stolen mobile devices...any of these can be the one opportunity an attacker needs to gain access to your network, exfiltrate your most sensitive data, and hold your business to ransom for hundreds of thousands, if not millions, of dollars.
But how can you know where the attack will come from, which resources are being attacked, and how to defend against it? It turns out that Cybersecurity, just like ogres and onions, has layers. More precisely, Cybersecurity has a framework which, used properly, helps defend organizations against attack. The point of the framework is that if one element fails, the organization has additional systems ready to defend it.
Physical Security As A Model For Cybersecurity
If you were looking to secure your physical office space, you would most certainly first focus on putting keyed locks on the doors. You might also add deadbolts that use a different key, or keycard security, or maybe even a digital keypad with an access code. But doors are not the only way into your building, so you’d probably want bars on the windows and reinforced glass. And just in case anyone were to get through that security, you would of course want an alarm system so that you’re notified of the intrusion. Is that enough? Probably not, and so you’d want to install video surveillance both inside and outside your building so you can see who is trying to get in...or who might have already gained access.
You protect the doors and windows because those are ways people might get in. You add an alarm system to notify you if there’s a breach, and you have video surveillance so you can see what actually happened. Each of these layers of security plays its own role in protecting your physical business. And layers of Cybersecurity help to protect your network, your data, and your entire business.
NIST Cybersecurity Framework
The most common Cybersecurity framework was developed by NIST (the National Institute of Standards and Technology), an agency of the U.S. federal government, and is organized into five functions, or layers, that help organizations protect themselves from cyber attacks. Those layers are:
- Identify -- Know what you are protecting, the assets you have available, and the risks you face.
- Protect -- Safeguards such as access control, data protection and security awareness training to keep your business safe.
- Detect -- Monitor everything, and know what is normal and what is not.
- Respond -- Work out what happened and limit the damage.
- Recover -- Restore operations after the breach, improve your systems for next time, and communicate with interested parties.
Of course, this is a greatly simplified view. The NIST cybersecurity framework actually has 108 subcategories of recommended activities. The problem is that many businesses focus on the Protect activities to the exclusion of most of the others. So they install strong password policies, strong antivirus, endpoint protection, sandboxing of all web links, firewalls to block entry to the network, and VPNs to secure communication with the outside world.
Those are all good and necessary parts of a Cybersecurity strategy, but they aren’t enough on their own. Just as a building needs alarms and video surveillance in addition to locks, an SIEM is critical to an organization’s Cybersecurity plan.
Why an SIEM is Critical To Your Cybersecurity Framework
Detection is a critical activity of any Cybersecurity strategy, which is why every quality Protect control also produces strong, secure and detailed logs of its activity.
- Workstations keep logs of every time a user logs in or runs an application.
- Network devices monitor and log the traffic that crosses them, including files accessed and messages exchanged.
- Firewalls keep logs of the traffic passing through them and the attacks they have blocked.
- Virtual Private Networks (VPNs), which are designed to secure traffic from one endpoint to another, similarly keep track of logins and traffic.
...and so on for all of your quality IT infrastructure systems.
Logging is critical for detection, but the problem with all of these logs is that they are separate and independent...and they are HUGE if they are doing their job. They are individual silos of data that on their own cannot tell you everything you need to know. But if they are monitored and mined properly, they can reveal critical insights about the health of a network, the attacks attempting to breach it, whether those attacks succeeded, and the damage they might have done.
An SIEM is critical because it correlates the data from all of your logging activities in order to provide real information about the health and activities of your network and its security.
The vast majority of the data in your logs will be legitimate traffic and activity. The most dangerous and threatening activities will be few and far between. But they leave a trail...think of them as dots along a path...that the SIEM links together to paint a picture of what’s going on in your network.
An Illustrated SIEM Example
So how can an SIEM be critical to your organization’s Cybersecurity in real terms? Imagine for a moment that Bob is on a business trip to New York. He logs into the network via his VPN access minutes before his big presentation. Moments before, he logged in from someone else’s workstation within the facility. Worse yet, he is at the same time downloading intellectual property data from the branch office in Houston.
None of those activities on its own might be flagged as malicious, but an SIEM would correlate and contextualize all of this logged data from the VPN, the internal network, the HR system and other systems, and conclude that Bob’s credentials are being misused and that an attack is underway.
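To make that correlation concrete, here is a small added example (not code from the article or from Digital Uppercut) of the kind of rule a SIEM runs over Bob's trail. The three log formats, the host names and IP addresses, the 10-minute correlation window, the 100 MiB "bulk read" threshold and the year assumed for the workstation's syslog lines are all assumptions, and every log line is constructed. Three separately formatted sources are normalized into one event stream keyed by user, and a rule links the VPN login, the local console logon and the bulk file read, each harmless by itself. Alice's entries are a control: her workstation logon falls outside the window, so nothing is linked.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines, one format per source, as a SIEM would receive
# them.  Bob (the article's scenario) and Alice (a benign control) are fictional.
VPN_LOG = """\
2024-03-04T13:57:02Z vpn01 session-start user=bob src=203.0.113.45 geo="New York, US"
2024-03-04T13:58:10Z vpn01 session-start user=alice src=198.51.100.7 geo="Denver, US"
"""
WORKSTATION_LOG = """\
Mar 04 13:55:40 WS-HOU-117 login: user=bob type=interactive console=local
Mar 04 08:02:11 WS-HOU-042 login: user=alice type=interactive console=local
"""
FILESERVER_LOG = """\
2024-03-04 13:56:15,FS-HOU-01,bob,READ,/projects/ip/design-specs.zip,524288000
2024-03-04 13:59:01,FS-HOU-01,alice,READ,/shared/lunch-menu.pdf,20480
"""

WINDOW = timedelta(minutes=10)     # assumed correlation window
BULK_BYTES = 100 * 1024 * 1024     # assumed "large download" threshold (100 MiB)
SYSLOG_YEAR = 2024                 # assumption: BSD-syslog lines carry no year

VPN_RE = re.compile(r'^(\S+) (\S+) session-start user=(\S+) src=(\S+) geo="([^"]+)"')
WS_RE = re.compile(r'^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) login: user=(\S+) type=interactive')
FS_RE = re.compile(r'^([^,]+),([^,]+),([^,]+),READ,([^,]+),(\d+)$')


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # which log produced it
    user: str
    kind: str     # normalized event type the rule reasons about
    detail: str   # context an analyst sees in the alert


def parse_vpn(text: str) -> list[Event]:
    out = []
    for m in filter(None, map(VPN_RE.match, text.splitlines())):
        ts, host, user, src, geo = m.groups()
        out.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "vpn", user,
                         "vpn_login", f"VPN session on {host} from {src} ({geo})"))
    return out


def parse_workstation(text: str) -> list[Event]:
    out = []
    for m in filter(None, map(WS_RE.match, text.splitlines())):
        ts, host, user = m.groups()
        when = datetime.strptime(f"{SYSLOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")
        out.append(Event(when, "workstation", user, "local_login",
                         f"interactive console logon on {host}"))
    return out


def parse_fileserver(text: str) -> list[Event]:
    out = []
    for m in filter(None, map(FS_RE.match, text.splitlines())):
        ts, host, user, path, nbytes = m.groups()
        if int(nbytes) < BULK_BYTES:
            continue  # ordinary reads stay in the raw log; only bulk reads become events
        out.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "fileserver", user,
                         "bulk_read", f"{int(nbytes) >> 20} MiB read of {path} on {host}"))
    return out


def correlate(events: list[Event]) -> list[dict]:
    """For each VPN login, gather the same user's events inside WINDOW.  A local
    console logon in that window means the user appears to be in two places at
    once (medium); a bulk read on top of that raises the alert to high."""
    by_user: dict[str, list[Event]] = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for anchor in (e for e in evs if e.kind == "vpn_login"):
            linked = [e for e in evs if abs(e.ts - anchor.ts) <= WINDOW]
            kinds = sorted({e.kind for e in linked})
            if "local_login" not in kinds:
                continue
            alerts.append({
                "user": user,
                "severity": "high" if "bulk_read" in kinds else "medium",
                "kinds": kinds,
                "evidence": [f"{e.ts:%H:%M:%S} [{e.source}] {e.detail}" for e in linked],
            })
    return alerts


def run() -> list[dict]:
    events = parse_vpn(VPN_LOG) + parse_workstation(WORKSTATION_LOG) + parse_fileserver(FILESERVER_LOG)
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert["severity"].upper(), alert["user"], *alert["evidence"], sep="\n  ")
```

Running the script prints one high-severity alert for Bob listing the three linked events in time order; Alice produces nothing because her only in-window event is the VPN login itself. The point of the design is that none of the three parsers knows about the others: the VPN concentrator, the workstation and the file server each write their own silo, and only after normalization to a shared `Event` shape can one rule reason across them.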
If You Don’t Have An SIEM Yet, You Need To
At Digital Uppercut, no Cybersecurity plan is complete without a properly configured SIEM standing guard over your business and sending up alarms when there are issues. We let our clients know that an SIEM is critical to the success of any Cybersecurity plan, and we regularly install SIEMs in companies as small as just a few employees and as large as thousands of employees. In every environment, they have successfully identified incidents and helped us to block activities that could have otherwise crippled the organization. If you don’t have an SIEM yet, it’s time for us to talk. Contact us online today, or call us at 818-913-1335.