SIEM is not an IDS/IPS and does not protect you against cyber attacks
There is a lot of confusion in the cybersecurity field regarding the use of SIEM (Security Information and Event Management) to secure networks. Wrongly, they are assimilated to those tools allowing to detect cyber attacks that target organizations. Obviously this is not the case and it is only after a security incident (ransomware, etc.) that many organizations discover it.
What is a SIEM?
SIEM is basically a tool for aggregating security data and information. SIEMs collect and store logs from various network sources, such as servers, databases, telecommunications equipment, firewalls and other security systems. Each action that an organization wants to track must be identified and then configured and activated in the IT environment by a technician. From the SIEM, it will then be possible to view the aggregated data or correlate it to detect instances of cyber attacks for example.
Most SIEMs offer a dashboard in which the collected data is organized and presented to the user for analysis, correlation and decision making. SIEMs also store data for a period of time defined by the organization (e.g., 1 year), which allows security teams to dive into the collected data for investigation purposes, if necessary.
SIEM detects only basic intrusions
SIEMs are provided with rules that detect some basic malicious scenarios, for example: failed login attempts, suspicious logins from an administrator account, creation of a user account, etc.
Then it's up to you! You must create your own detection rules (commonly called use cases) to improve your SIEM and make it more efficient. You can also create new rules from existing rules, which is called correlation.
With the explosion in the number of cyber threats since COVID-19, it is unrealistic today to define all the attack scenarios an organization may face. Furthermore, SIEM is a passive tool that does not have the functionality to block cyber threats.
Effectiveness linked to the expertise of the person configuring the SIEM
It is important to remember that the efficiency of a SIEM is closely linked to the level of expertise in operational security of the person who configures it. If you have it configured by someone who has no expertise in operational cybersecurity, consider that the detection capacity of your SIEM will be low.
If you deploy a SIEM with its default configurations and don't evolve its rules, you won't be very protected.
Lack of 360 degree network visibility and blind spots
Deploying a SIEM in a network is a difficult and painstaking task.
- You must first identify what types of relevant events should be logged and sent to your SIEM. It's not a good idea to send all events to your SIEM as this may saturate your network and your SIEM database.
- You must then configure each machine in your IT estate to log these types of events and send them to your SIEM.
The way SIEMs are deployed increases the risk of blind spots in your network.
- If you forget to log events on a machine of your IT park (server, database, computer, etc.), the SIEM will have no visibility on its security. Therefore, you will not know if the machine is under attack or not.
- If an attack exploits an event that you have not logged, your SIEM will remain silent and you will not know that you are under attack. For example, if you do not log antivirus shutdowns, your SIEM will not know if an antivirus was maliciously shut down. This is widely used in ransomware attacks.
- A SIEM will not provide visibility into attacks that target industrial operations technologies and control systems (OT, PLC, etc.) because it was not designed for that.
SIEMs are very often deployed for compliance and not for security
Very often the implementation of a SIEM is linked to a compliance obligation. For example, you must have a SIEM in your network to comply with the PCI DSS payment card industry standard. Using the SIEM may also be a requirement of your cyber insurer. It is also possible that some of your partners may require you to have a SIEM in place to do business with you.
If you have the SIEM in place, you check a box and you are compliant. But you are still not protected against cyber attacks because the SIEM is not an intrusion detection system.
Why some cybersecurity monitoring service providers (SOC, MSSP, MDR) use SIEMs
Some security monitoring service providers actually build their offerings on SIEMs. They will handle the deployment of the SIEM and its configuration. Very often the SIEM will be activated with the default configuration, which is minimalist in terms of protection. This level of service will correspond to organizations that want to have basic security. Indeed, it is always better than having nothing in place.
Also note that a SIEM deployed internally or by your external monitoring service provider must be maintained. If you install a new server and don't inform your external provider to include it in their monitoring, you have just created a blind spot in your security management. And that blind spot can be fatal to you.
SIEMs for compliance, IDS/IPS/NDR for security
If your goal is compliance, deploy a SIEM and check the box. You can manage it in-house or have it managed by an external outsourced vendor.
If your goal is to protect against cyber-attacks, you absolutely must deploy an Intrusion Detection System (IDS/IPS/NDR) such as Streamscan's CDS which has been selected as an innovation by the Federal. CDS is a patented technology (U.S. patent) that captures all traffic entering and exiting a computer network and analyzes it for suspicious behavior, anomalies, and signs of attacks via AI and signatures. It provides 360-degree visibility into network security and automatically discovers machines communicating in your network, eliminating blind spots. Malicious attacks and traffic detected by CDS are blocked in your firewall to eliminate their impact.
Finally, if you are forced to deploy a SIEM for compliance and you want to really protect yourself against cyber attacks, you can deploy an IDS/IPS/NDR in addition to your SIEM. These 2 technologies are not incompatible.
Find out how our CDS and MDR service can keep your network safe
We're confident that after seeing the results of our MDR remote security monitoring, you won't want to leave your network unprotected. So we're offering a free 30-day evaluation that includes:
- An information session
- Configuration of the CDS in your network
- Free 30-day evaluation and proof of value
Talk to one of our experts or call us at +1 877 208-9040.