Blog: SIEM

We've all done it before — searched for instructions on something we feel like we should be able to do ourselves. Whether it's how to tie a bow tie, how to change your oil, or how to repair a smartphone, people are constantly looking to do things for themselves. Naturally there are tasks beyond our actual ability, but can you blame any of us for trying? We have the information, resources, and always the desire to save money. That being said, one of the things that is likely beyond DIY abilities is combating cyberattacks for your business.

There are a seemingly unlimited number of cybersecurity solutions created to help businesses protect the personal and financial information of their customers. These tools deliver the most value when they are operated by a cybersecurity company, but far too often business owners and IT managers buy the tools and attempt to run them themselves. Can you really learn everything you need to know about technologies like SIEM and then defend against cyberattacks on your own?

This blog will explain why you not only need cybersecurity tools, but also cybersecurity vendors to provide you with effective solutions.

SIEM Systems Need Constant Management

Depending on the SIEM system, there are different approaches to cybersecurity monitoring and protection. No matter whether the SIEM tool is made by Intel, IBM, or Fortinet, the overall goal of being notified of attackers is the same. However, one may support a wider range of device and log types, while another may ship a log manager with parsers for events the first cannot read. Whatever the product, the solution will collect, normalize, and correlate log data and present alerts, but to get real security value from it there must be someone tuning the rules and working the alerts full-time.

Let's say you want to build a shed in your backyard to protect some equipment and toys from the rain, and you have a hammer, plenty of nails, wood, and a few other tools. Unfortunately, nothing will get done if you don't pick up the hammer. It is great that you have the necessary tools and supplies, but you will never build a shed to protect your equipment and toys if no one is using the tools. It is the same with these SIEM services, or tools: without full-time personnel, ideally from a professional cybersecurity company, you are at risk of missing critical notifications and real threats.

Why Cybersecurity is not a DIY Product

If you don't necessarily think this is the case and you feel confident that you'll be able to check up on the program every now and again, you might want to reconsider. There were 668 million records exposed in breaches in the U.S. just last year alone (the year before, there were over 1.5 billion); that means confidential information was exposed without permission over 668 million times. Also, 38% of the world's cyberattacks are targeted at the United States. While we are legally required to secure our customers' information, these numbers alone highlight the magnitude of the problem and the necessity of investing in a solid cybersecurity company's services. With constant attacks from unseen sources, are you really all that confident that you'll be able to manage it all yourself?

Let's again assume you are determined to do this all yourself. Are you proficient in programming Java or C/C++? Do you understand web application technologies? Linux operating systems? Telephony technologies (analog and Voice over IP)? Okay, well…maybe you don't, but you can learn, right? If that is the case, are you planning on learning on the fly from a couple of online videos? We don't want to discourage you from learning, but we need to be realistic. Installing a SIEM program and then following a manual to figure out how to make everything work is about as easy as putting a 4th grader who is just able to read decently well into a college-level biology course and expecting them to succeed. The information is right in front of them, but can you really expect that?

Maybe we aren't giving you enough credit and you actually do understand all of these things. If that is the case, good for you for sticking with this blog and reading all the way to here. But can you handle reading all the analyzed data for every device across your entire company every day? That's where the benefit of hiring a cybersecurity company to manage the entire SIEM system for you comes into play. Not only will you have a service that is customized to your business, but you will also have a team of experts constantly reviewing your system for dangerous activity. With just the SIEM tool at your disposal, you may be alerted when a breach is detected, but what will you do from there? A Managed Security Service Provider (MSSP) will not only notify you but also assist with a solution.

The wisest approach when you are looking to improve your company's cybersecurity is to not only purchase one of the many tools that are on the market, but make sure you also have a cybersecurity company on your side providing you with all the support you need.



The world of cybersecurity has had some fundamental shifts in the past several years that have left the vast majority of companies unprepared for today's threats. The extensive use of malware that slips past signature-based detection, for example, has dramatically reduced the value of traditional security solutions such as firewalls, IDS/IPS, and anti-virus software. Solutions that used to adequately prevent attacks are now very limited in their risk mitigation value. Many organizations have not updated their cybersecurity technology and solutions to stop today's threats. It's like monitoring your front door for a break-in while someone comes in through the back window.

Even companies that have taken cybersecurity seriously have not always been led the right way by cybersecurity vendors. In the past, an organization that was serious about cybersecurity was told that it needed 24x7x365 monitoring: paying for really smart cybersecurity professionals to watch the alerts and events as they happen in real time so they could respond at a moment's notice to malicious events.

But legacy technologies have relied mostly on human review, not machine intelligence. A common staffing metric for a traditional Managed Security Service Provider (MSSP) is one security engineer for every 30 devices under management. In the U.S., the average cybersecurity professional makes $116,000/year. Spread over 30 devices and 12 months, that is a labor cost of about $322/device/month before any overhead, forcing traditional MSSPs to charge between $500 and $1500/device/month to be profitable. Does this sound like your MSSP?

At those rates most customers can only afford to have a few devices monitored; usually the firewall, IDS/IPS, and possibly a Windows domain controller. When asked why a customer doesn't need to monitor more devices, these MSSPs would state "As long as you are monitoring the choke points, you are safe."

Using the home security system analogy, imagine being told that monitoring the front and back doors is enough and then having your child kidnapped through a bedroom window. No choke-point-only security system would detect that, allowing the worst-case scenario to happen without your system even tripping. Home security systems relied upon a few choke points because it was very expensive to run wires through the whole home (especially after it was already built). Today, however, many home security systems use wireless technology, which makes it possible to place multiple sensors throughout the house without running wires. This makes securing the entire home against multiple threats much less expensive.

Thankfully, IT cybersecurity has evolved as well. Automated correlation and analytics from a properly deployed, configured, and tuned Security Information and Event Management (SIEM) solution can increase the ratio of devices per cybersecurity professional many times over. Today, SIEM technology can quickly and efficiently find the "needle in a haystack" with far less human interaction. This dramatically reduces the number of cybersecurity professionals needed for a traditional Security Operations Center (SOC), which means a lower cost per device for customers. With a lower cost to monitor each device, we can now monitor more devices. Rather than just monitoring choke points, we can monitor all of the windows, doors, and rooms, which is really what was needed from the beginning.

When all of the critical devices are being monitored and correlated, you can stitch together pieces of information across different systems and areas of the network to get a much more accurate picture of what is happening. A failed-logon burst on a domain controller, a suspicious process on the workstation that generated it, and a new outbound connection from that workstation through the firewall are each easy to dismiss on their own; seen together, within minutes of each other, they are an incident. In other words, the more devices you monitor, the more context each alert has, so the monitoring becomes both more accurate and cheaper per device as the same analysts cover far more ground.
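As an added illustration of the cross-device correlation described above (example code written for this page, not code from the original post or from any SIEM product), the script below normalizes three differently formatted log feeds into one event schema and applies a single rule that no one feed can satisfy by itself. All hostnames, usernames, IP addresses, timestamps and log lines are constructed; the three formats are simplified stand-ins for a domain-controller security-log export, a perimeter firewall syslog and an endpoint agent's JSON feed, and the thresholds and window sizes are illustrative, not recommended values.

```python
"""Correlate constructed DC, firewall and endpoint logs into one alert."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed sample logs (not real data) --------------------------------
# Domain controller export: timestamp,host,event_id,user,source_ip
DC_LOG = """\
2024-03-04T09:00:01,DC01,4625,jsmith,10.0.5.23
2024-03-04T09:00:03,DC01,4625,jsmith,10.0.5.23
2024-03-04T09:00:05,DC01,4625,jsmith,10.0.5.23
2024-03-04T09:00:07,DC01,4625,jsmith,10.0.5.23
2024-03-04T09:00:09,DC01,4625,jsmith,10.0.5.23
2024-03-04T09:00:12,DC01,4624,jsmith,10.0.5.23
2024-03-04T09:15:00,DC01,4624,bjones,10.0.5.40
"""
# Perimeter firewall syslog (syslog carries no year; we assume 2024 below).
FW_LOG = """\
Mar  4 09:00:40 fw01 kernel: ALLOW OUT src=10.0.5.23 dst=203.0.113.77 dport=443
Mar  4 09:01:10 fw01 kernel: ALLOW OUT src=10.0.5.40 dst=198.51.100.9 dport=443
Mar  4 09:02:00 fw01 kernel: DENY IN src=192.0.2.15 dst=10.0.0.4 dport=22
"""
# Endpoint agent feed, one JSON object per line (raw string keeps the backslashes).
EDR_LOG = r"""
{"ts": "2024-03-04T09:00:30Z", "host": "WS-0523", "ip": "10.0.5.23", "event": "process_start", "image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\update.exe"}
{"ts": "2024-03-04T09:16:00Z", "host": "WS-0540", "ip": "10.0.5.40", "event": "process_start", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
"""

FW_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
                   r"(?P<action>ALLOW|DENY) (?P<dir>IN|OUT) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

# Every parser emits the same schema: ts, source, kind, src_ip (+ optional fields).
def parse_dc(text):
    out = []
    for line in text.splitlines():
        ts, host, eid, user, src = line.split(",")
        kind = "logon_success" if eid == "4624" else "logon_failure"
        out.append({"ts": datetime.fromisoformat(ts), "source": "dc", "kind": kind,
                    "user": user, "src_ip": src, "host": host})
    return out

def parse_fw(text, year=2024):   # year is an assumption; syslog omits it
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        kind = "outbound_connection" if m["dir"] == "OUT" and m["action"] == "ALLOW" else "other"
        out.append({"ts": ts, "source": "firewall", "kind": kind,
                    "src_ip": m["src"], "dst_ip": m["dst"], "dport": int(m["dport"])})
    return out

def parse_edr(text):
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        out.append({"ts": datetime.fromisoformat(obj["ts"].rstrip("Z")), "source": "edr",
                    "kind": obj["event"], "src_ip": obj["ip"], "host": obj["host"],
                    "image": obj["image"]})
    return out

SEVERITY = {1: "medium", 2: "high", 3: "critical"}   # by number of corroborating sources

def correlate(events, fail_threshold=4, fail_window=timedelta(seconds=60),
              follow_window=timedelta(minutes=5)):
    """Rule: >= fail_threshold failed logons for (user, src_ip) inside fail_window,
    then a success for the same pair, raises an alert; a process start on that host
    and/or an outbound connection from it within follow_window each raise severity."""
    events = sorted(events, key=lambda e: e["ts"])
    failures = defaultdict(list)          # (user, src_ip) -> recent failure timestamps
    alerts = []
    for e in events:
        if e["kind"] == "logon_failure":
            key = (e["user"], e["src_ip"])
            failures[key] = [t for t in failures[key] if e["ts"] - t <= fail_window] + [e["ts"]]
        elif e["kind"] == "logon_success":
            key = (e["user"], e["src_ip"])
            recent = [t for t in failures.get(key, []) if e["ts"] - t <= fail_window]
            if len(recent) < fail_threshold:
                continue
            evidence = {"dc"}
            for f in events:                      # look ahead for corroboration from the same host
                if f["src_ip"] != e["src_ip"] or not (e["ts"] <= f["ts"] <= e["ts"] + follow_window):
                    continue
                if f["kind"] == "outbound_connection":
                    evidence.add("firewall")
                elif f["kind"] == "process_start":
                    evidence.add("edr")
            alerts.append({"ts": e["ts"], "user": e["user"], "src_ip": e["src_ip"],
                           "evidence": evidence, "severity": SEVERITY[len(evidence)]})
            failures[key] = []
    return alerts

if __name__ == "__main__":
    print("firewall only:", correlate(parse_fw(FW_LOG)))
    print("DC only:      ", correlate(parse_dc(DC_LOG)))
    print("all sources:  ", correlate(parse_dc(DC_LOG) + parse_fw(FW_LOG) + parse_edr(EDR_LOG)))
```

Run with the firewall feed alone, the rule has nothing to work with and raises no alert: the outbound HTTPS connection from 10.0.5.23 looks like any other. With the domain controller alone it raises a medium alert that an analyst could easily write off as a user mistyping a password. Only with all three feeds does the same success become a critical alert backed by a password-guessing burst, a process launched from a temp directory on that workstation, and a new outbound connection from it, which is the "stitching together" the paragraph above describes.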

So, what should a customer monitor? It's still a good idea to monitor the firewall and IDS, but we need to go beyond that and focus on today's threats. Routers, servers (especially Active Directory domain controllers), wireless access points, and endpoint security solutions should all be monitored. With current SIEM technology, you can monitor all of these systems for about the same price you used to pay to monitor just the firewall and IDS/IPS.

Monitoring only choke points and smaller areas of a network will not protect your organization from today's threats. Cybersecurity monitoring is more important than ever, but real risk mitigation comes with a holistic approach to monitoring all of the possible security events from every possible device. Stop only monitoring your front door for a break-in and assuming that your business is safe... because your back window is open.

Contact Technology Sales at 806-698-9600 or email techsales@conetrix.com if you want to improve your Cybersecurity Monitoring and Response solution AND lower the annual cost.