IT security is an issue that no one can ignore. Threats are multiplying and attacks are evolving. Your business must be protected effectively against the risks it faces. However, it is often hard to get a clear view of your Information System's security.
There is a solution to this: SIEM, or "Security Information and Event Management". A SIEM tool collects, analyses, monitors and correlates data about your systems' security, archives it and produces reports.
Your information system is the body of your business
Your information system is like the human body. It is a set of tools (organs), networks (veins, arteries, nerves, etc.), and technologies that, when set up in a certain way, form a complete, homogeneous, functional whole that meets one or more objectives: life for the body, operating and increasing your business for your information system.
The first level of protection is building and operating your system. Just as the human body adapts to its environment, you must design your Information System so that it is both secure and functional for your business and for what is at stake. For this, analyse the risks and draft an Information System Security Policy (ISSP) as recommended in the GDPR. Then build your architecture according to it, so that you have a homogeneous whole that fits your needs.
The second level of protection consists of "innate" defence mechanisms. These are good practices for developing and configuring your system, such as data encryption. For example, just as the skin contains melanin to filter UV, follow good access filtering practices when configuring your information system.
The third level of protection is made of "specific" defence mechanisms. These are the security tools that you install on your Information System, such as firewalls, web application firewalls and anti-malware. They are like the lymphocytes in your body, spotting attacks and blocking them when they can, often before symptoms appear.
However, as you know, the defence mechanisms of the immune system are not always enough to protect us humans from illness. This is where healthcare gets involved: doctors, hospitals and pharmaceuticals bring their expertise to improve our protection. In the same way, security best practices and tools are not enough to protect your Information System effectively. This is where SIEM comes in. However, it is only effective if the three levels of protection detailed above have been put in place!
While the human body or an Information System adapts to its environment, it is the opposite for their external protection mechanisms: healthcare and SIEM are “configured” and adapted to meet your specific needs, goals, and constraints.
SIEM, your Information System’s general practitioner
Imagine that your brain gathers all attempts at contamination, all failures of your antibodies and the changes taking place in your body that could be dangerous for you. Then, imagine that all this information is sent in real time to a team of doctors working just for you.
- Your file includes the raw history of contamination attempts and your immune system’s responses.
- One of the doctors constantly monitors your data to flag any suspicious element so you can react quickly if your antibodies are not fast or effective enough.
- Another studies your long-term health, observing trends and suggesting solutions to cover any risks to which you may be exposed.
- A third doctor produces regular reports to your insurance provider to show you are in good health.
This is a broad outline of what a SIEM does for your information system!
Real-time collection and analysis of computing threats
SIEM is made up of a first building block, SEM or Security Event Management. It records all information about your Information System's security by gathering logs from your servers, network, devices and security tools; in short, from all the elements that make it up.
This raw data is stored without modification to keep a trace that can be useful legally, for example after an intrusion. This is its "evidentiary value". The data is then aggregated by filtering rules that sort it, keeping only the most relevant events. The challenge is to keep enough data so as not to miss dangerous behaviour, while setting aside the false positives and noise that would reduce the system's effectiveness. Finally, the data is standardised so that it can be sorted, compared and analysed.
The SEM then correlates all this information in real time to warn of any dangerous behaviour and notify your Security Manager, so that they can react immediately and protect your Information System. The advantage of SEM is that it allows a finer analysis of these events and can therefore spot more threats than the security tools installed on your architecture alone. Using the console, you can see what is happening on your Information System in real time.
Archiving and keeping a history of security events
In addition to SEM, which collects and analyses security events in real time, SIEM also consists of SIM (Security Information Management). This second building block gives you an overview of your information system and its security, so that you can carry out further analyses and continuously improve your protection.
All data retrieved and correlated by the SEM is sent to the SIM, which places it in a central repository and keeps a complete history of it. Unlike the evidentiary copy discussed above, this data is already standardised and ready to be used.
For example, this history lets you make more advanced correlations. So, if your system is compromised by a threat that was not blocked, you can find the source of the attack, the actions the attacker took and the order in which they took them. This can be very useful in forensic analyses, and the evidentiary copy is never far away!
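To make the SEM and SIM pipeline described above concrete, here is an added example (not from the original article, nor the code of any particular SIEM product) run over a few constructed log lines: each raw line is preserved with a digest for evidentiary value, normalised into a common schema, filtered for noise, correlated by a real-time rule that raises an alert, and finally queried as a history to reconstruct what a source did and in what order. The log format, the rule threshold and all addresses are assumptions made for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample log lines (not from the article): SSH-style authentication events.
RAW_LOGS = [
    "2024-05-01T10:00:01Z sshd[101]: Failed password for admin from 203.0.113.5",
    "2024-05-01T10:00:03Z sshd[101]: Failed password for admin from 203.0.113.5",
    "2024-05-01T10:00:05Z sshd[101]: Failed password for admin from 203.0.113.5",
    "2024-05-01T10:00:09Z sshd[101]: Accepted password for admin from 203.0.113.5",
    "2024-05-01T10:00:10Z cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "2024-05-01T10:02:00Z sshd[102]: Failed password for bob from 198.51.100.9",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")

def preserve_raw(line):
    """Evidentiary copy: the unmodified line plus a digest that later shows it was not altered."""
    return {"raw": line, "sha256": hashlib.sha256(line.encode()).hexdigest()}

def normalise(line):
    """Map a raw line onto a common schema; returns None for lines the filter rules treat as noise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    a = AUTH_RE.match(m["msg"])
    if not a:  # routine lines (e.g. cron) are set aside before correlation
        return None
    return {"ts": m["ts"], "src": a["src"], "user": a["user"],
            "outcome": "failure" if a["result"] == "Failed" else "success"}

def correlate(events, threshold=3):
    """Real-time SEM rule: a success from a source that already produced `threshold` failures."""
    failures = defaultdict(int)
    alerts = []
    for ev in events:
        if ev["outcome"] == "failure":
            failures[ev["src"]] += 1
        elif failures[ev["src"]] >= threshold:
            alerts.append({"ts": ev["ts"], "src": ev["src"], "user": ev["user"],
                           "rule": "success after %d failures" % failures[ev["src"]]})
    return alerts

def history_for(events, src):
    """SIM-style query over the standardised repository: what this source did, in order."""
    return [(ev["ts"], ev["user"], ev["outcome"]) for ev in events if ev["src"] == src]

def run_pipeline(lines):
    evidence = [preserve_raw(line) for line in lines]
    events = [ev for ev in map(normalise, lines) if ev is not None]
    return evidence, events, correlate(events)
```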
Continuously improving your computer protection
Beyond these specific cases, SIM allows you to conduct medium- to long-term studies to expose trends and give you a better view of the risks your business faces. Are you a target for opportunists, or are targeted attacks seeking out your system? Are you the subject of DDoS attacks looking to damage your image or turnover, or are you targeted by penetration attempts that look to steal your data? Are hackers targeting your website or your internal system?
All this information helps you adjust your security policy and your risk analysis (required by the GDPR) accordingly, so that you are better protected against the threats you face. The SIEM produces regular reports at your convenience, so you can easily track changes in your risks and your protection.
Certain SIEM systems even allow you to replay attack scenarios of which you were a victim while testing new protection rules so that you can find those that best fit your business before putting them into production.
Eugenics is a very sensitive and controversial practice when applied to humans — and we are not here to give an opinion on the matter — but totally advisable when it comes to your Information System! Always look for perfection in your system’s security, even if 100% security does not exist.
Compliance and reporting
At a time when security standards and certifications are booming, SIEM is becoming a key part of your Information System. It is a relatively easy way, and in any case a single one, to meet several security requirements (log history and tracking, security reports, alerts, etc.) and to prove your good faith to certification or monitoring authorities.
Additionally, a SIEM allows you to automatically generate reports specific to your standards and certifications, thanks to the dedicated data repository you will have created. This makes it much easier to keep your certifications.