I recently spoke at an Information Security “Meet Up”, and at a local SBA-type gathering for small businesses here in Kansas. I truly believe that “Awareness is the first line of defense” when it comes to protecting one’s identity, data and business. With that in mind, I’m willing to tell, teach, guide or draw out with a crayon what I know about Information Security, what options are available, what it should cost, and even how to monitor your kids’ computer, tablet and smart phone use.
During these two talks, I realized something VERY sobering. Though everyone at both was comfortable with technology, and many were actively working in I.T., many had no clue what they could do to help protect themselves or their business. They weren’t aware!!! So, I think we in the InfoSec world have a responsibility to share what we know with the business community at large, and more importantly with the average end-user or home user. Remember, these are the people who will eventually be an end-point on your network as the newest employee, or whose home computer may become a node in the botnet that’s scheduled to attack your network.
THERE’S A WAR GOING ON, PEOPLE!!!! VIVA INFOSEC!!!!
OK, OK, OK, I will try to leave the comedy out of it……I did say “Try”.
During these presentations, one question stood out: “What exactly is a SIEM, and to be honest, why do I need one?”
In today’s dynamic and highly competitive world, business depends on information and technology. This creates a set of challenges and opportunities, but it also adds a new set of requirements for security, information management and compliance. The scope of these varies with the business and with the compliance criteria that each business or set of data must meet. For many businesses this sounds too complicated, expensive or unrealistic. In fact it is a very reachable, viable goal, and a SIEM is one way to achieve it.
So what is a SIEM, that is, Security Information and Event Management?
A modern SIEM implementation ranges from simple and virtually free to complex and quite expensive. Also keep in mind that no two implementations are alike; each can be as unique as a fingerprint. In its simplest form, a SIEM is a set of technologies that provide:
- Data collection / event collection
- Normalization
- Indexing
- Asset Discovery
- Threat detection
- Vulnerability Assessment and Management
- Log Storage
- Correlation
- Unified view into your infrastructure
You may be saying, “Ok, Joe. That sounds great!!!! Uhhhh, but what does all that mean”?!
Well, it means that a SIEM can:
Step 1: Collect all necessary information from your environment, in whatever form it may be in (syslog, Windows event logs, firewall logs, application logs).
Step 2: Normalize that machine data into one common, human-readable format, so an event from a firewall and an event from a server can be compared side by side.
Step 3: Index that information the way you tell it to, and store it in a database.
Step 4: Discover all the assets you have in your environment, and store that too.
Step 5: Tell you if there are any threats to those assets.
Step 6: Tell you if any of those assets are vulnerable to any known threats.
Step 7: Via correlation rules, BI (Business Intelligence) reporting, or anomaly detection, alert you when something just seems fishy.
Step 8: Display Steps 1 – 7 in 1, yes in 1 display, dashboard, screen… use any term that fits, and give you the ability to SEE the results of Steps 1 – 7 in one place.
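To make Steps 1 through 8 concrete, here is a small Python script, added for this post and not from the original, that runs the whole pipeline over a handful of constructed log lines. It reads two formats (Linux sshd syslog lines and a made-up firewall key=value format; every host name and address is fictitious), normalizes both into one schema, indexes by source IP, builds an asset list from the hosts that report in, runs one correlation rule (three failed logins followed by a success from the same IP, a threshold I picked for the example) and one exposure check (root logging in with a password), and hands everything to a single summary that a dashboard would render.

```python
"""Toy SIEM pipeline: collect -> normalize -> index -> discover -> correlate -> summarize."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Step 1 (collection): raw lines as they would arrive from two products. Constructed sample data.
RAW_LOGS = [
    "Mar 10 08:01:02 web01 sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2",
    "Mar 10 08:01:05 web01 sshd[2310]: Failed password for root from 203.0.113.7 port 50123 ssh2",
    "Mar 10 08:01:09 web01 sshd[2310]: Failed password for root from 203.0.113.7 port 50124 ssh2",
    "Mar 10 08:01:15 web01 sshd[2312]: Accepted password for root from 203.0.113.7 port 50125 ssh2",
    "Mar 10 08:02:00 db01 sshd[991]: Accepted publickey for deploy from 10.0.0.5 port 41002 ssh2",
    "2024-03-10T08:03:30Z fw01 action=deny src=198.51.100.9 dst=10.0.0.20 dport=3389 proto=tcp",
    "2024-03-10T08:03:31Z fw01 action=allow src=10.0.0.5 dst=10.0.0.20 dport=443 proto=tcp",
]

@dataclass
class Event:
    """Common schema every source is mapped into (Step 2, normalization)."""
    ts: datetime
    host: str
    source: str                   # product that emitted the line
    action: str                   # auth_failure | auth_success | net_deny | net_allow
    src_ip: str
    user: Optional[str] = None
    method: Optional[str] = None  # sshd auth method: password, publickey, ...

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>allow|deny) src=(?P<src>\S+) dst=(?P<dst>\S+)"
)

def normalize(lines, year=2024):
    """Step 2: parse each raw line into an Event. Lines no parser claims are silently dropped here."""
    events = []
    for line in lines:
        if m := SSHD_RE.match(line):
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
            action = "auth_success" if m["result"] == "Accepted" else "auth_failure"
            events.append(Event(ts, m["host"], "sshd", action, m["ip"], m["user"], m["method"]))
        elif m := FW_RE.match(line):
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(Event(ts, m["host"], "firewall", "net_" + m["action"], m["src"]))
    return sorted(events, key=lambda e: e.ts)

def index(events):
    """Step 3: secondary indexes so rules do not rescan the whole store."""
    by_ip, by_action = defaultdict(list), defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
        by_action[e.action].append(e)
    return by_ip, by_action

def discover_assets(events):
    """Step 4: inventory of hosts that are actually reporting in."""
    return sorted({e.host for e in events})

def detect_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Steps 5 and 7: correlation rule. Alert when one source IP racks up `threshold`
    auth failures within `window` and then logs in successfully to the same host."""
    by_ip, _ = index(events)
    alerts = []
    for ip, evs in by_ip.items():
        failures = []
        for e in evs:
            if e.action == "auth_failure":
                failures = [f for f in failures if e.ts - f.ts <= window] + [e]  # sliding window
            elif e.action == "auth_success":
                recent = [f for f in failures if f.host == e.host and e.ts - f.ts <= window]
                if len(recent) >= threshold:
                    alerts.append({"rule": "bruteforce_then_success", "src_ip": ip, "host": e.host,
                                   "user": e.user, "failures": len(recent), "ts": e.ts.isoformat()})
                failures = []
    return alerts

def detect_root_password_login(events):
    """Step 6 (exposure check): an accepted password login for root shows the host still allows it."""
    return [{"rule": "root_password_login", "host": e.host, "src_ip": e.src_ip, "ts": e.ts.isoformat()}
            for e in events if e.action == "auth_success" and e.user == "root" and e.method == "password"]

def summarize(events, alerts):
    """Step 8: the single-pane view, here as the dict a dashboard would render."""
    return {"events": len(events), "sources": sorted({e.source for e in events}),
            "assets": discover_assets(events), "alerts": alerts,
            "by_action": {k: len(v) for k, v in index(events)[1].items()}}

if __name__ == "__main__":
    evs = normalize(RAW_LOGS)
    report = summarize(evs, detect_bruteforce(evs) + detect_root_password_login(evs))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it prints one brute-force alert for 203.0.113.7 against web01 and one root-password-login finding, plus the per-action counts and the three discovered hosts. Note what `normalize` does with a line neither regex recognizes: it drops it without a word. That is the quiet way a SIEM ends up blind, so a real deployment counts and alerts on unparsed lines rather than discarding them.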
The caveat here is that the SIEM is only as good as what you put in it. As the old saying states: “Crap in, crap out”. The SIEM can potentially reflect not only your security readiness posture, but also the state and/or effectiveness of your processes, procedures and the integration of teams and workflows. The SIEM can become invaluable depending on how it’s implemented, maintained and managed. The scope of that, as a SIEM evangelist, I’d say is “infinite”. I know that’s saying a lot, but as your security model matures the possibilities are whatever the requirements state, and a SIEM may even CREATE or add a service to your business model that you can offer to your clients or customers.
I will explore that more in the next post.
By Joe Piggeé Sr.