Managing information security risks with a SIEM solution
- Published: Tuesday, 13 September 2016 08:35
Sergei Tchesnokov explains why he believes that a security information and event management solution is the most effective way to manage information security risks and to develop a risk-based cybersecurity framework.
Intellectual property and funds stolen, personally identifiable information exposed, reputation ruined. The consequences of cybercrimes are numerous and the list of victims is constantly growing; as are the risks threatening those companies that haven’t yet rethought their approaches to preventing information security breaches. With $15 million as the average cost of a cybercrime in the US, as reported by the Ponemon Institute in 2015, it’s not surprising that cybersecurity risks are now included in the top 3 global business risks preceded only by business interruption and market developments (Allianz Risk Barometer 2016).
Relying on security best practices
Trying to adapt to the new cyber-insecure reality, companies develop corporate cybersecurity guidelines that include security best practices and recommendations stipulating the major pillars of effective information security risk management. And here, surprisingly, there is room for optimism: the Global State of Information Security Survey 2016 by PwC says that 91 percent of companies follow a risk-based cybersecurity framework.
This provokes a reasonable question: how come that, with such a percentage of risk-based cybersecurity framework adoption, companies still suffer from impressive money losses caused by cybercrimes? The answer is that such technology-neutral frameworks aren’t a one-size-fits-all approach to managing cybersecurity risk and don’t aim to determine precise measures to take or optimal tools to use to withstand a cyber siege.
That’s why, to ensure practical implementation of high-level recommendations and to achieve the needed maturity level of information security, risk managers and security officers need to make their own decisions on protective measures. But what technology is able to take up the challenge?
Putting SIEM at the core of your risk management strategy
Of all the solutions, a security information and event management (SIEM) system can serve as the core of a corporate information security strategy. Why is this the case?
First of all, only a holistic solution can help to mitigate information security risks in their entirety. A SIEM solution does this job, as it centralizes data coming from scattered security tools, normalizes them and identifies real-life offences. Furthermore, it fills the gaping security holes in IT infrastructure left by traditional tools that are just not able to ensure all-embracing protection.
A SIEM solution also gives the opportunity to reduce the risks associated with the human errors that can occur during manual monitoring and, therefore, guarantees a quicker and higher quality automated analysis of an IT environment by covering the core steps of a traditional risk management cycle and providing security administrators with the ability to:
- Monitor a corporate network 24/7 by ensuring the visibility of the entire corporate IT infrastructure;
- Identify current and potential vulnerabilities and incidents, as well as detect internal and external security threats;
- Prioritize the most critical vulnerabilities that need to be patched immediately to prevent serious security breaches and group separate offences to understand their nature;
- Analyze comprehensive data on internal and external security events to determine real action vectors and keep the security strategy up-to-date;
- Respond promptly to detected offences to safeguard corporate assets and prevent major leaks of sensitive data.
Going beyond log management
Though companies usually utilize SIEM systems to actively monitor network, IDS/IPS and system logs, a SIEM’s functionality doesn’t stop at plain log collection: that is just the first stage of information security risk management. Fortunately, advanced SIEM solutions, such as IBM QRadar or ArcSight, are able to deal with a whole range of high risk vulnerabilities and threats. A fine-tuned SIEM solution helps to:
Mitigate advanced persistent threats
APTs can be categorized as low probability and high severity risks. The biggest danger of an APT is that intruders can actually stay anchored in a corporate network for many months and even years. Their resulting activities may be extremely damaging, as APTs cause not only huge data leaks and financial losses but also ruin organizational reputations and lead to the dissipation of customer loyalty.
Armed with a SIEM system, companies can reduce the risk of an APT by detecting attack symptoms at the initial stages and can apply instant measures to mitigate them. This way, a SIEM solution allows organizations to thwart an attack and stop hackers before they launch sensitive data exfiltration or steal money.
Reinforce vigilance against existing vulnerabilities
It’s hard to find an organization with no IT vulnerabilities! Since corporate networks transform constantly and security employees change, it is possible to overlook necessary upgrades and patches, so organizations have to live with a number of explicit vulnerabilities. If a company doesn’t know about them, the risk of potential exploits becomes serious.
A SIEM solution allows the identification of all the vulnerabilities that exist and prioritizes the most critical ones. A SIEM solution expanded with vulnerability and risk management tools minimizes the risk of unknown vulnerabilities by discovering security holes both in the software and hardware.
Reducing risks of insider threats
Employees’ vulnerable behavior / behaviour often causes serious information security risks. Though corporate security policies aim to reduce the risk of insider threats, it’s difficult to make all the employees respect documents at every moment of their working activities. A SIEM system can be adopted to enforce corporate security policies and reduce the risks of insider threats. By implementing a SIEM solution, security administrators can persistently register users’ actions and detect security policy violations by gathering real-time data throughout the entire network. This way security administrators can identify users’ negligent behavior and sort out critical offenses that can lead to dramatic breaches.
Managing SIEM-related risks
By acquiring a SIEM solution, companies might think that all their security issues get solved. Unfortunately, that’s not true, since a SIEM solution itself cannot protect a network from attacks but rather provides a centralized information repository on security events that can be used to stop an intrusion. However, to get this information, a SIEM system should be configured in line with a corporate IT infrastructure. A non-configured or misconfigured SIEM solution may overlook important security events, thus making information risk management less effective.
Organizations should pay particular attention to:
- Log source misconfiguration. Most of out-of-the-box SIEM solutions can process data coming from a number of default log sources. Usually, it takes the additional efforts of a SIEM specialist to configure custom log sources and ensure proper data normalization. When log sources are misconfigured, a SIEM just cannot get any data from them, and thus cannot reflect the network’s real condition.
- Performance issues. A SIEM solution should be periodically monitored by a SIEM administrator to prevent its deactivation, storage bottlenecks and other issues that affect a system’s performance. A disabled SIEM system just won’t fulfill its functions and may overlook a multitude of log events that can be potentially real threats.
- Correlation rules misconfiguration. Usually SIEM solutions provide quite a number of out-of-the-box correlation rules. However, with no fine-tuning they produce endless flows of false-positives or just aren’t fired if a critical sequence of events isn’t supported by standard rules.
Managing information security risks has become a vital task for companies of all sizes and industries. To be successful in their risk reduction mission, organizations have to translate their formal strategies into real actions with the help of a holistic security solution, such as a SIEM system. Providing a constant monitoring of an IT environment, SIEM software is able to centralize efforts of managing information security risks, thus ensuring the accomplishment of the information security risk cycle.
Sergei Tchesnokov is a Senior SIEM Consultant at ScienceSoft. Serguei is an IBM certified Security Professional with a 9-year background in security information and event management and a 16-year work experience in information technology. Sergei’s portfolio includes projects on architecture design, integration, and deployment of security solutions based on IBM Security QRadar SIEM, IBM TSIEM/TCIM and IBM Security Identity Manager (SIM) for healthcare, banking, financial and governmental organizations.