
Shining a light on IT security threats: Why SIEM is one solution you should know about

An invisible hazard is often more dangerous than one you can see, which is precisely why many firms are working to increase visibility of their IT infrastructure and use this intelligence to ramp up protection.

Last year, 88 per cent of UK businesses polled by Ernst and Young reported an increase in cyber-attacks, with nearly nine out of ten CIOs and IT leaders saying they believe external security attacks are growing.

At the top of the IT security agenda for many companies is the question of how to gain complete visibility of the security infrastructure and protect key business systems. Malware and advanced persistent threats need to be continually managed, beginning with their identification and execution of blocking strategies.

Other risk areas include identities and passwords, which need to be effectively managed and logged. Add to this the demand for BYOD, cloud and network file shares, and the security minefield becomes even harder to navigate.

Need for rapid response

In dealing with security risk, one of the most pressing concerns IT teams face is their inability to monitor the inbound and outbound threats to their infrastructure in real time.

In many cases, IT still has to perform this task manually, which is both labour intensive and time consuming. Additionally, there is a high potential for human error, with the added risk that threats may not be dealt with fast enough and could escalate out of control.

Conversely, by working to increase visibility and track activity across the network, the IT department will greatly increase its chances of identifying emerging threats, as well as become more able to act decisively to prevent known problems from reoccurring.

SIEM: Real-time, estate-wide coverage

Over the last few years, increased IT automation coupled with changes in the way many vendors operate has helped in the battle to increase IT visibility.

Whereas previously, software solutions would consist of separate server and firewall management platforms, these functions are now frequently combined on a single management platform, highlighting threats in real time rather than forcing users to uncover them retrospectively.

In particular, advanced Security Information and Event Management (SIEM) platforms are increasingly deployed on top of existing security technologies to log activity across the network, enabling IT to monitor 'events' as they happen, act more proactively and react where necessary.

Alongside network security, these threat-monitoring platforms can also be used to track and record physical security threats over the network, through the use of CCTV in public areas, for instance. Equally, data leak protection software can help guard against some insider threats by highlighting, for example, instances where users are removing data or attempting to load a virus from a USB device.

Operational advantage

A further advantage which SIEM offers is the opportunity to increase operational visibility through availability reporting. In essence, this works by continually measuring the capabilities of the various IT platforms to ensure that they are running within capacity.

If a business has distributed denial of service (DDoS) mitigation platforms, for example, SIEM can highlight malicious attempts to compromise the availability of a system or website.

Often, perpetrators of DDoS attacks will saturate the target machine or system with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable.

To defend against such threats, the SIEM platform is configured with the exact number of connections per second that the web server can handle, and it keeps the connection rate below that maximum by limiting the number of connections admitted.

While the site or system under attack may not be able to satisfy all users at any one time, this safeguard will enable a continuous trickle to get through, maintaining continuity for the business.
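The connection-rate safeguard just described, as an added illustration in Python (not code from the article or from Accumuli): a rolling one-second limiter pinned to an assumed capacity, beside the per-second attempt count a SIEM rule would alert on. The capacity figure, timestamps and addresses are all constructed for the example.

```python
from collections import defaultdict, deque

# Assumed capacity for this example: the web server is known to cope with
# 5 new connections per second (a constructed figure, not from the article).
CAPACITY_PER_SECOND = 5

class ConnectionLimiter:
    """Admits at most `max_per_second` connections in any rolling 1000 ms window."""

    def __init__(self, max_per_second):
        self.max_per_second = max_per_second
        self._window = deque()  # timestamps (ms) of connections admitted recently

    def admit(self, ts_ms):
        # Evict admitted connections that have aged out of the rolling window.
        while self._window and ts_ms - self._window[0] >= 1000:
            self._window.popleft()
        if len(self._window) >= self.max_per_second:
            return False  # over the configured rate: refuse this connection
        self._window.append(ts_ms)
        return True

def rate_per_second(events):
    """Connection attempts per whole second: the availability-reporting metric."""
    counts = defaultdict(int)
    for ts_ms, _src in events:
        counts[ts_ms // 1000] += 1
    return dict(counts)

def detect_saturation(events, capacity):
    """Seconds in which attempts exceeded capacity: the condition a SIEM rule alerts on."""
    return sorted(sec for sec, n in rate_per_second(events).items() if n > capacity)

def apply_limit(events, capacity):
    """Replay events through the limiter; returns the (ts_ms, src) pairs admitted."""
    limiter = ConnectionLimiter(capacity)
    return [(ts, src) for ts, src in events if limiter.admit(ts)]

# Constructed sample: second 0 carries normal traffic; in second 1 a single
# source opens 40 connections while two legitimate clients also arrive.
SAMPLE_EVENTS = sorted(
    [(100, "10.0.0.2"), (400, "10.0.0.3"), (700, "10.0.0.4")]
    + [(1000 + 10 * i, "203.0.113.9") for i in range(40)]
    + [(1255, "10.0.0.5"), (1555, "10.0.0.6")]
)

if __name__ == "__main__":
    print(detect_saturation(SAMPLE_EVENTS, CAPACITY_PER_SECOND), len(apply_limit(SAMPLE_EVENTS, CAPACITY_PER_SECOND)))
```

With a single global cap, a legitimate client arriving mid-flood is refused just like the attacker's excess connections, which is the trade-off the article acknowledges; a trickle still gets through.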

Threat visibility and protection – an enterprise-wide requirement

While the latest technology can go a long way towards mitigating the growing range of threats faced by enterprises, it will only be truly effective if IT knows what to look for. As such, it is important to define use cases that make the most of the increased visibility into systems and the broader IT infrastructure that platforms such as SIEM enable.

By capturing policy violations, vulnerability exploits and anomalous behaviour across the infrastructure, businesses can more rapidly identify and combat both the emerging and well-defined threats which could otherwise potentially result in costly or damaging consequences.

Andy Aplin is CTO of Accumuli