Nov 20, 2017 - Special topic

Security Information and Event Management: cost and benefit aspects

Is IT security without a SIEM still a valid option?

IT security is a must. Every company understands this much. But that leaves the question of how to reach a suitable level of security. What's too much? What's not enough?

Kiel – Security information and event management (SIEM) systems are often cited in the context of a security strategy. At the SIEM workshop by Consist Software Solutions GmbH at this year's Rethink! Security in Hamburg, questions arose about how much sense SIEM makes and at what point its use actually pays off for a company.

Does every company need a SIEM?

IT security tends to be defined at the level of technical components: firewalls, intrusion detection, vulnerability scanners, virus scanners, anti-virus software, web filters. But for security concepts to work, they always have to involve processes and people as well. Without a doubt, a SIEM system can provide a high level of transparency about activities on the systems in use. You can see at a glance where security-critical activities are taking place, trace them, document how they were handled, and get reports on the current situation. In today's complex system environments, that's a real help. In this context, the question that confronts companies is "Do I need a SIEM, and if so, what type?"


That depends on the threat situation and the evidentiary requirements imposed by legal regulations. Nearly 100% of all attacks are carried out with valid access data. On average, 40 IT systems are affected. Even more astoundingly, attacks are only discovered after an average of over 200 days, and the first notice of compromise comes from third parties in 67% of cases. Continuous monitoring of system accesses and data flows in your own IT is a key factor in quickly detecting and handling attacks or bad behavior by users (insider threats).


To a certain degree, this kind of monitoring can be implemented using central log and permission management. For larger system landscapes, however, you should ask yourself whether automated processes wouldn't be more cost-effective, since they allow a reduction in manual checks. If a SIEM is used, IT security only needs to worry about suspicious cases (incidents) and can even investigate them directly in the SIEM.

Legal compliance

It may not be possible to meet legal requirements without a SIEM. The IT security laws still don't mandate one, but once the EU General Data Protection Regulation is implemented in May of 2018 at the latest, and especially for KRITIS companies, it will be difficult to comply with the increased requirements without automating the detection and notification processes. A SIEM makes it possible to monitor activities in compliance with both labor and data protection law, since alarms for security incidents are only triggered when normal IT system usage is violated.

With a SIEM, it is significantly easier to maintain transparency. The options for investigating security incidents are more versatile and easier to manage. Modern methods provided by a SIEM, like machine learning, user behavior analysis or threat lists, make it possible to generate incidents (alarms) specifically for deviations and outliers. Less rule maintenance and fewer false alarms are the pleasant consequences.

Prevent data leakage, © fotolia_ Maksim Kabakou


Petra Sauer-Wolfgramm

Corporate Communications

phone: +49 431 3993-525