Subscribe
About

Is SIEM the answer?

Security information and event management might not be everything it's cracked up to be.

Tallen Harmsen
By Tallen Harmsen, Head of cyber security at IndigoCube.
Johannesburg, 08 Mar 2018
Tallen Harmsen.
Tallen Harmsen.

SIEM keeps companies up to date with what's happening right now on the network, if anyone's trying to hack company systems, and what they're trying to do exactly. If anyone's keeping tabs, do they know what to do about any alarms? Are they empowered to act quickly enough to actually do something positive? Have the alerts given them time to prepare properly? Because proper preparation, as the saying goes, prevents poor performance. And can they make sense of what the alerts are telling them so they know where to direct their resources?

Even if a company can answer yes to all these questions, they still pose one major problem: they're all a bit after the fact, aren't they? By the time the systems begin alerting the company, the attack is already under way and the company is having to put out fires instead of building fire breaks that will let it back burn to keep things under control.

One of the major reasons why forewarning is so important is because a company's cyber defences are typically static. This means they may stop the attackers only the first or second time they try to penetrate the environment. Even if the company has a security operations centre staffed by expert administrators, it can respond to situations that crop up, but they're still just waiting for something to come along. Anything. They don't know what. So how can they prepare?

Break it down

SIEM analytics are current, they're the here and now. But, that's not how the hackers typically approach a hack. There are indicators that attacks are imminent. And hackers usually run up against a company's defences a few times, to find out what defences are in place, so they can return with ways to defeat them, and continue to do so until they break through.

This demonstrates that hackers have always had time on their side, time that allows them to adapt to the company's defences. They also have resources and they have the financial motivation. In fact, their financial motivation is hardly any different from the company's. They invest into resources in an effort to gain a return on their investment (ROI). And that's an important consideration I'll come back to later.

The fact that a hack doesn't thrust out of nowhere, rapidly penetrate and plunder, with hackers then making off with the swag while leaving the company bereft and confused, is actually great news. It gives the company the opportunity to stop attacks before hackers can test, penetrate, test the next layer, penetrate further, and so on until they finally succeed.

SIEM doesn't necessarily allow a company to be adaptive.

SIEM doesn't necessarily allow a company to be adaptive. And adaptive security is crucial, particularly in the complex world of digitalised and smarter systems and devices spread inside and outside traditional and cloud networks, with people working wherever they find themselves on a plethora of devices and apps and systems. Then there are also the many machine Internet of things (IOT) devices to consider. And nothing is static, so it's not like the company can eventually get a handle on everything in, on, and around the network and then that's it, it's safe. Employees will do all kinds of things to sabotage the company's systems. Not because they're hackers and they're malicious people. But, one day, they'll buy an iPad, bring it to work, and find a way to connect it to the network to download a ripped movie, which may or may not contain malware. Complexity is really on the side of the hackers in all of this. That's what makes the company's ability to be flexible and adapt so important.

Adaptive security is important enough that it's made it onto Gartner's radar. Gartner is saying things like artificial intelligence and machine learning will come to the cyber security environment to aid adaptability. And it is right. These two innovations will definitely help people to automate a lot of the security elements they need in place to deal with the analytics of what's happening on and around the network at a given point in time. And they'll probably even help the company's security people to get the information they need to help prevent attacks in the first place.

Essentially, it's going to be a lot of machine automation, some of it intelligent, so it helps security people free themselves from routine, mundane maintenance tasks (which people are inherently bad at doing anyway) and lets them do the associative thinking that's the crucial X-factor in adaptability.

Forearmed

But, it's the forewarning that's much more important than all of this other stuff that's happening anyway. People, not machines, must make important decisions based on finding information about upcoming attacks. The information is actually quite accessible, as long as people know where to look for it.

First, it's essential to keep an eye on insider fraud. This means employees or others inside the network helping the hackers to get in. This is done by combining human-generated sources of information with external structured transactional data, which is chatter in the deep Web, in services like Pastebin, unstructured internal reports, and social media feeds where human chatter can be found. That's wrapped in a dashboard for easy overview, with drilldown for the precise facts.

Tier that with intelligent analyses, human-driven intelligence and the automated help I mentioned earlier to visualise associations and feed intelligent questioning by humans.

That approach goes beyond the basic SIEM services and makes it more difficult for the hackers to crack the systems, which pushes out their ROI. It's a lot easier, and cheaper, for them to go after somebody else's low-hanging fruit.

Share