Pratum Blog

For those not familiar with SIEM (Security Information and Event Management), it is a security strategy that seeks to efficiently consolidate and manage network data. The centralized view of all data makes it easier to identify security threats and track them throughout an environment. This is often done through a SIEM solution, an application that gathers data and organizes it into a manageable repository.

SIEM Solution

One of the major advantages of a SIEM solution is log consolidation. Modern day networks, especially on an enterprise scale, can generate more logs than a person would know what to do with. The great variation in devices, and the different ways those devices log information, make finding relevant data a daunting task. This is where a SIEM solution can make an IT professional’s life a little easier. It becomes more efficient to identify and track security incidents when all information is found in one location. Also, with the logs in one place, a SIEM application can correlate the data between events from different devices to create a clearer picture of what is actually happening.

Reacting to Malicious Traffic

A concern for all networks is malicious traffic. We can’t always prevent criminals from attempting to attack our systems, but we can add safeguards to detect malicious or unwanted traffic and prevent it from entering our network. A SIEM solution greatly increases the chances of successfully identifying this type of behavior because it correlates so many different types of logs from various devices. Without SIEM, a handful of malicious log entries are buried among the thousands of others generated every second, which drastically reduces the ability to identify anything accurately.

Handling Malicious Traffic without SIEM

Managing alerts and incidents without SIEM can be unwieldy. You may get an alert from your antivirus, or see in a report from your firewall, that traffic determined to be malicious has been detected entering your network. This information is helpful, but it doesn’t tell us how the traffic entered our systems, what else it has gained access to, or whether it is still an issue. At this point your options are either to keep an eye out for other indicators of virus or malware activity, or to manually access the logs from each infected device and sift through the data to find common issues.

Addressing malicious traffic can be done manually, but it is not very efficient and can be rather ineffective. Fortunately, there are technologies available that simplify this type of work. You may be saying to yourself “I bet the SIEM option is more costly,” but when you take a look at all of the benefits and cost savings from SIEM, you will see that the manual method can be much more expensive, not to mention the cost if a breach occurs and goes undetected.

Relying on only a handful of independent alerts from a firewall or AV server is comparable to having only one or two smoke detectors in your home or business. A fire could be burning through half the building before any warning or detection occurs.

Malicious Traffic with SIEM

Let’s look at that same malicious traffic, but this time using a SIEM client. Remember, the SIEM solution aggregates and manages all incidents, from every device, in one spot. This correlation gives us a better understanding of what is happening in the network. In a matter of seconds the SIEM solution is able to recognize patterns in malicious events and trigger alerts when incidents are recognized. Without a SIEM solution, this correlation could take hours.

SIEM streamlines the process by parsing relevant information and displaying it in an easily manageable format. The client’s front end can then be used to access relevant log events. From there you can quickly search for more events based on device criteria, such as source IP, destination IP, hostname, etc., and determine how the malicious traffic entered the network as well as the severity of the threat.

Key Takeaways

If your organization is still managing logs from a number of independent locations and struggling to correlate data between various devices, it is time to consider switching to a SIEM solution. Here are a few things to think about when planning your next move.

Weeding Out False Positives

The consolidation of log events allows SIEM to correlate data and discover false positives. Classifying false positives allows you to remove unwarranted incidents from your alerts. This ensures that you will not waste time constantly reacting to false positives or ‘noise’ within your environment.
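The correlation, search and false-positive filtering described above, as a small added example that is not part of the original post and not any vendor's SIEM code. It parses constructed firewall and antivirus log lines in two different formats into one common event store, lets you search that store by field (source IP, destination IP, hostname), and runs one constructed rule: an inbound deny from an external address followed within five minutes by an AV detection on the same internal host raises an alert, unless the detection name is on an analyst-maintained noise list (the EICAR entry is a constructed stand-in for classified noise).

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs from two device types, each in its own native format.
FIREWALL_LOGS = [
    "2024-03-01T10:00:05 fw01 action=deny src=203.0.113.7 dst=10.0.0.25 dport=445",
    "2024-03-01T10:00:40 fw01 action=allow src=10.0.0.25 dst=198.51.100.9 dport=443",
    "2024-03-01T10:04:00 fw01 action=deny src=203.0.113.7 dst=10.0.0.31 dport=445",
]
AV_LOGS = [
    "2024-03-01 10:01:10 host=ws-025 ip=10.0.0.25 event=malware_detected name=Trojan.Generic",
    "2024-03-01 10:05:00 host=ws-031 ip=10.0.0.31 event=malware_detected name=EICAR-Test-File",
]
KV = re.compile(r"(\w+)=(\S+)")
# Detection names an analyst has classified as known noise (constructed allowlist).
FALSE_POSITIVE_NAMES = {"EICAR-Test-File"}

def parse_firewall(line):
    ts, device, rest = line.split(" ", 2)
    return {"ts": datetime.fromisoformat(ts), "device": device, **dict(KV.findall(rest))}

def parse_av(line):
    date, time, rest = line.split(" ", 2)
    return {"ts": datetime.fromisoformat(f"{date}T{time}"), "device": "av-server",
            **dict(KV.findall(rest))}

def normalize():
    """Parse every source into one common, time-ordered event list (the SIEM ingest stage)."""
    events = [parse_firewall(l) for l in FIREWALL_LOGS] + [parse_av(l) for l in AV_LOGS]
    return sorted(events, key=lambda e: e["ts"])

def search(events, **criteria):
    """Filter the consolidated store by any normalized field, e.g. src=, dst=, host=."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]

def correlate(events, window=timedelta(minutes=5), noise=FALSE_POSITIVE_NAMES):
    """Rule: a firewall deny towards an internal host, followed within `window` by an
    AV detection on that same host, is worth an alert. Names in `noise` are dropped first."""
    alerts = []
    for av in search(events, event="malware_detected"):
        if av["name"] in noise:
            continue  # classified false positive: no alert, no analyst time spent
        for fw in search(events, action="deny", dst=av["ip"]):
            if timedelta(0) <= av["ts"] - fw["ts"] <= window:
                alerts.append({"host": av["host"], "attacker": fw["src"],
                               "devices": [fw["device"], av["device"]]})
    return alerts

if __name__ == "__main__":
    print(correlate(normalize()))
```

Running `correlate(normalize(), noise=set())` instead shows the second alert the noise list suppresses, which is the difference between one actionable incident and two pages to the on-call analyst.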

Addressing Real Threats

For real threats, you can utilize SIEM to identify each device involved in an incident. From there you are able to strategize your responses to the threat. Doing this quickly and efficiently can mean the difference between a major outbreak on a network and a minor isolated, remediated incident.

Cost-savings

SIEM is a cost saver. Between the time saved managing alerts and incidents and the mitigation of a critical data breach, SIEM is a viable business decision.


Source Code Escrow Process

Source code escrow is a process by which a company that wants to sell cloud applications or Software as a Service (SaaS) can provide peace of mind to their clients. It is also a way for clients to hedge their bets to ensure business protection. The SaaS provider agrees to put their source code in escrow with an independent third party. In the event of bankruptcy, insolvency, receivership or other pre-determined business situations, the client may request access to the source code so that the application can be brought in house with the client, and business can resume.

Software Licenses of the Past

In the past, clients purchased perpetual licenses for business critical applications, deeming source code escrow unnecessary. The licenses were installed on systems owned and managed by the clients. If the software vendor abruptly closed their doors, the client could still continue their day to day business. The source code was not needed by the client because the compiled application was running just fine in its current environment.

Software Control Now and in the Future

In the SaaS world, however, that same business critical application is now totally dependent on the vendor. The software is running on hardware owned by the vendor. Should that provider go belly up, clients are left with nothing. They may not even have access to their data for a migration.

There are many different source code escrow services. Some offer full review and testing of the code to make sure it works after every upload. Others are simply an independent third-party repository that will work with the courts to release code should a triggering event occur. Offering source code escrow as a SaaS provider shows your clients you are committed to their success, regardless of what happens to you. As a SaaS client, making source code escrow a contract term will provide needed assurance that your critical business can continue in the event of a catastrophic failure at your vendor.

The use of a virtual Chief Information Security Officer (vCISO) is becoming more popular. Organizations realize that information security is not only critical to protecting their company, it can also help drive profitability when applied correctly.

Virtual Executives and Their Role

The use of virtual executives is common in other fields such as finance and law. A virtual Chief Financial Officer (vCFO) or outsourced general counsel may be used on an interim basis, when a full-time position isn’t warranted, or during a search for a full-time replacement. A vCISO can provide an organization with the strategy needed to identify risks. They are also great for finding solutions that align with business objectives instead of relying on fear, uncertainty and doubt to drive information security initiatives.

The Battle Between Strategic and Hands-On

As with any other aspect of business, you typically have two camps: the “big picture” camp and the “detail oriented” camp, or “strategy” versus “hands-on”. Rarely do you find an individual who likes to, and is efficient at, working in both camps on a daily basis. Their thought process is different. The way they work is different. Their approach to security and privacy is different. That is just the way people are made.

Many organizations try to find a single body to fit the role of both the executive and the staffer. While this may work for some organizations or individuals, there is always a trade-off. One side of the equation is always unbalanced. You either don’t get enough of the “hands-on” or enough of the “strategy”. That’s the nature of a split role. However, a virtual CISO can provide the executive level strategy needed to keep business objectives in focus, while considering information security projects and tactical moves.

Getting Both Strategy and Hands-On With a vCISO

Sometimes organizations are just beginning to build out their information security program and need help in many areas. Pratum can offer a blended vCISO security program where your company has access to both the executive and staff level roles in the exact balance you need. Our vCISO programs can provide a CISO, penetration tester, security engineer, policy writer, code reviewer or any other combination of security professionals to meet your needs in a cost effective manner. Our clients get a level of flexibility and expertise that would not be possible any other way.

For help with talking to your executive team about a vCISO Security Program, download "An IT Director's Guide to Communicating Security Needs with Executives".
