Using Intelligence Capabilities of SIEM Platforms to Secure Networks
A well-configured SIEM platform can help organisations achieve cyber resilience by dispensing actionable intelligence based on correlated event data from audit logs.
The world is vastly interconnected and most of the population depends on technology for daily activities, whether personal or otherwise. While this interconnection has its benefits, it also has its fair share of drawbacks as far as information security is concerned.
Organisations are particularly attractive targets for attackers in an era where the proliferation of IoT (Internet of Things) and IIoT (Industrial Internet of Things) devices is relentless.
It may prove difficult for organisations with a large attack surface to maintain a clear view of their security posture and monitor potential attack vectors that may be used by unauthorised users. This is where Security Information and Event Management (SIEM) platforms such as IBM QRadar, LogRhythm, and Splunk come in. In this post, I’ll be evaluating three features that I believe are essential to the security intelligence capabilities of SIEM platforms.
Log Management
Networks today are made up of more devices than ever, and it is common to find devices such as security cameras, biometric access systems, and wireless sensors connected to the network. Because it is critical to maintain an adequate audit trail, most devices generate logs, and the volume of those logs varies with many factors. In addition, network devices log events in different formats, and it would be tedious to analyse the raw data from each source one by one. SIEM platforms address this challenge by aggregating the logs and interpreting raw event data from the different sources, making it easier to visualise network activity in a centralised dashboard.
Real-Time Event Monitoring and Correlation
Organisations should, at the bare minimum, have clear oversight of the events occurring on their network. SIEM platforms are designed to give a homogeneous view of network activity by monitoring real-time event data from logs, which can then be used to highlight anomalies with the aid of correlation rules. In the case of unauthorised access, for example, a SIEM platform can be configured to alert administrators or analysts when employees who have left the organisation attempt to access network resources. A Security Operations Center (SOC) provides exactly this kind of setup, with security analysts monitoring SIEM activity around the clock. Any breaches and anomalies detected as a result of event correlation can then be escalated and responded to as appropriate.
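The two preceding sections describe what a SIEM does at its core: normalise log lines from sources that each write events differently, then run correlation rules over the normalised stream. The following is an added example, not code from the original post or from any SIEM vendor. It parses three constructed log formats (an sshd syslog line, a simplified Windows logon event, and a JSON record from an IP camera) into one event schema, then applies two rules: any activity by an account on a constructed list of terminated employees, and repeated login failures from one source within a short window. The log lines, the account list, the thresholds and the source names are all assumptions made for the example.

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample lines from three sources with different formats.
# None of these come from a real device or from the original post.
RAW_LOGS = [
    "<86>Mar 10 09:15:02 fw01 sshd[2213]: Accepted password for jdoe from 10.0.5.22 port 51234 ssh2",
    "<86>Mar 10 09:15:40 fw01 sshd[2214]: Failed password for asmith from 10.0.5.90 port 51240 ssh2",
    "2024-03-10 09:16:01 EventID=4624 Account=asmith Workstation=10.0.5.90 LogonType=10 Status=0x0",
    '{"ts":"2024-03-10T09:16:30Z","device":"cam-lobby","user":"asmith","src":"10.0.5.90","action":"login","result":"ok"}',
    "<86>Mar 10 09:17:05 fw01 sshd[2215]: Failed password for bjones from 10.0.9.4 port 40022 ssh2",
    "<86>Mar 10 09:17:06 fw01 sshd[2216]: Failed password for bjones from 10.0.9.4 port 40023 ssh2",
    "<86>Mar 10 09:17:07 fw01 sshd[2217]: Failed password for bjones from 10.0.9.4 port 40024 ssh2",
]

# Constructed list of accounts belonging to employees who have left.
# A real SIEM would pull this from HR or the directory service.
TERMINATED_ACCOUNTS = {"asmith"}


@dataclass
class Event:
    """Common schema every source is mapped onto before correlation."""
    ts: datetime
    source: str
    user: str
    src_ip: str
    action: str
    success: bool


SYSLOG_RE = re.compile(
    r"^<\d+>(?P<mon>\w{3}) (?P<day>\s?\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)"
)
WINEVT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) EventID=(?P<eid>\d+) Account=(?P<user>\S+) "
    r"Workstation=(?P<ip>\S+) LogonType=\d+ Status=(?P<status>\S+)"
)


def normalise(line: str, year: int = 2024) -> Optional[Event]:
    """Map one raw line from any of the three sources onto the Event schema."""
    m = SYSLOG_RE.match(line)
    if m:
        # BSD syslog timestamps carry no year, so the collector supplies one.
        ts = datetime.strptime(f"{year} {m['mon']} {m['day'].strip()} {m['time']}", "%Y %b %d %H:%M:%S")
        return Event(ts.replace(tzinfo=timezone.utc), m["host"], m["user"], m["ip"], "login", m["result"] == "Accepted")
    m = WINEVT_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        # Event ID 4624 with status 0x0 is a successful logon.
        return Event(ts, "winevt", m["user"], m["ip"], "login", m["eid"] == "4624" and m["status"] == "0x0")
    if line.startswith("{"):
        d = json.loads(line)
        ts = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
        return Event(ts, d["device"], d["user"], d["src"], d["action"], d["result"] == "ok")
    return None  # unknown format; a real SIEM would count this as an unparsed event


def correlate(events: list, window: timedelta = timedelta(minutes=1), threshold: int = 3) -> list:
    """Apply two correlation rules to time-ordered events and return alert strings."""
    alerts = []
    failures = defaultdict(list)  # (user, src_ip) -> timestamps of recent failed logins
    for e in sorted(events, key=lambda x: x.ts):
        # Rule 1: any activity by a terminated account, successful or not, on any source.
        if e.user in TERMINATED_ACCOUNTS:
            alerts.append(f"{e.ts.isoformat()} TERMINATED_ACCOUNT_ACCESS user={e.user} "
                          f"src={e.src_ip} source={e.source} success={e.success}")
        # Rule 2: `threshold` failed logins for the same user and source inside `window`.
        if e.action == "login" and not e.success:
            key = (e.user, e.src_ip)
            failures[key] = [t for t in failures[key] + [e.ts] if e.ts - t <= window]
            if len(failures[key]) == threshold:  # fire once when the threshold is reached
                alerts.append(f"{e.ts.isoformat()} REPEATED_LOGIN_FAILURE user={e.user} "
                              f"src={e.src_ip} count={threshold} window={window}")
    return alerts


def run() -> list:
    """Normalise the constructed log lines and return the alerts the rules produce."""
    events = [ev for ev in (normalise(line) for line in RAW_LOGS) if ev is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed input the first rule fires three times for the terminated account, once per source, which is the point of correlating across sources: the camera login alone would look routine. The second rule fires once for the three failures from 10.0.9.4. Note that the window check only ever discards failures older than the window, so a slow trickle of failures spread over hours would not trigger it; tuning the window and threshold per source is part of rule maintenance.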
Vulnerability Management
Patch management is a big buzzword in the industry, but not all patch management policies and strategies are created equal. Things tend to fall through the cracks, whether due to ignorance or human error. Many SIEM platforms are now capable of presenting organisations with an overview of the risk they carry as a result of unpatched vulnerabilities in devices on their network. Most SIEM platforms can be configured to ingest vulnerability reports from scans by platforms such as Nessus and Qualys to give a global view of the exposure of IT assets to potential compromise. In addition, the vulnerability management capabilities of SIEM platforms can enhance information security compliance in organisations.
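To make the "global view of exposure" concrete, here is an added example (not code from the original post, and not a real Nessus or Qualys export format) that ingests a constructed, simplified CSV of scan findings, joins each finding with a constructed asset inventory, and produces the kind of per-asset risk overview a SIEM dashboard would show: a weighted risk score that accounts for internet exposure and business criticality, plus the findings that have exceeded a constructed patch SLA. The plugin identifiers, hosts, SLA values and scoring weights are all placeholders chosen for the example.

```python
import csv
import io
from datetime import date

# Constructed scan export in a simplified CSV layout (not a real scanner's format).
# Plugin IDs are placeholders, not real scanner check identifiers.
SCAN_CSV = """host,plugin_id,severity,cvss,first_seen,patch_available
10.0.5.10,PLACEHOLDER-001,Critical,9.8,2024-02-01,yes
10.0.5.10,PLACEHOLDER-002,Medium,5.3,2024-03-01,yes
10.0.5.22,PLACEHOLDER-003,High,7.5,2024-02-20,no
10.0.9.4,PLACEHOLDER-001,Critical,9.8,2024-03-08,yes
"""

# Constructed asset inventory: exposure and business criticality (1 = low, 3 = high).
ASSETS = {
    "10.0.5.10": {"name": "web01", "internet_facing": True, "criticality": 3},
    "10.0.5.22": {"name": "hr-db", "internet_facing": False, "criticality": 3},
    "10.0.9.4": {"name": "cam-lobby", "internet_facing": False, "criticality": 1},
}

# Constructed patch SLA policy: days allowed to remediate, by severity.
SLA_DAYS = {"Critical": 14, "High": 30, "Medium": 90, "Low": 180}

# Date on which the constructed report is evaluated.
REPORT_DATE = date(2024, 3, 15)


def parse_scan(text: str) -> list:
    """Parse the CSV export into finding dicts with typed fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["cvss"] = float(r["cvss"])
        r["first_seen"] = date.fromisoformat(r["first_seen"])
        r["patch_available"] = r["patch_available"] == "yes"
    return rows


def risk_overview(findings: list, today: date) -> dict:
    """Join findings with the asset inventory and compute a per-asset summary."""
    overview = {}
    for host, asset in ASSETS.items():
        host_findings = [f for f in findings if f["host"] == host]
        # Internet-facing hosts get double weight; criticality scales the total.
        exposure = 2.0 if asset["internet_facing"] else 1.0
        score = sum(f["cvss"] for f in host_findings) * exposure * asset["criticality"]
        # A finding is overdue when a patch exists and the SLA for its severity has passed.
        overdue = [f["plugin_id"] for f in host_findings
                   if f["patch_available"] and (today - f["first_seen"]).days > SLA_DAYS[f["severity"]]]
        # Findings with no patch need compensating controls rather than an SLA clock.
        unpatchable = [f["plugin_id"] for f in host_findings if not f["patch_available"]]
        overview[asset["name"]] = {
            "findings": len(host_findings),
            "risk_score": round(score, 1),
            "overdue": overdue,
            "unpatchable": unpatchable,
        }
    return overview


def prioritised(overview: dict) -> list:
    """Asset names ordered by descending risk score, for the analyst's work queue."""
    return sorted(overview, key=lambda name: overview[name]["risk_score"], reverse=True)


def run() -> dict:
    """Evaluate the constructed report as of REPORT_DATE."""
    return risk_overview(parse_scan(SCAN_CSV), REPORT_DATE)


if __name__ == "__main__":
    overview = run()
    for name in prioritised(overview):
        print(name, overview[name])
```

The same critical finding appears on web01 and on the lobby camera, yet only web01 is both internet-facing and past its SLA, which is why the join with the asset inventory matters: a scanner's raw severity alone would rank the two identically. The `unpatchable` list is what an auditor usually asks about next, since those findings need documented compensating controls rather than a patch date.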
More can be said about SIEM platforms without a doubt, but it's indisputable that log management, real-time event monitoring and correlation, and vulnerability management are some critical features that can promote network security.
What are your thoughts? Let's have a discussion below.