In security, SIEM is sometimes hailed as a ‘holistic’ approach – while others look upon it as a box-ticking facet of security, there for compliance purposes rather than actually defending from and reacting to security incidents. With so much confusion over the issue, the Guru felt it was time to sit down with someone who knows the topics inside out – enter Graeme Stewart, managing director at LogPoint UK & Ireland. We were lucky enough to be able to pose some questions to him on all things SIEM to demystify the subject.
ITSG: What is SIEM?
GS: To explain simply, SIEM (Security Information and Event Management) is a technology that reconciles security information in order to provide real-time analysis and security alerts. All network information, from routers to web servers, generates logs regarding what is happening on a network.
The more complex the device, the more sophisticated the information contained within these logs. Organisations are spending billions of pounds protecting this data from external parties; a SIEM solution helps businesses make greater use of this wealth of data so IT analysts are able to detect security incidents and provide enhanced business intelligence.
ITSG: How does it work?
GS: In theory, every device connected to an IT network generates logs. The problem is that these logs are all generated in a different format. It’s similar to attending an EU Summit whereby officials are not wearing a language headset; everyone is speaking to each other in a different language. The information is available, but nobody is able to understand it.
A business’ IT structure may utilise multiple vendors and systems, all of which are generating different types of information. SIEM takes this information and ‘normalises’ it, effectively converting it into a single language. This then lets users analyse security data in context, allowing departments to make informed decisions based on the information available.
ITSG: How has this form of technology come about and where did it evolve from?
GS: This technology has evolved from older generations of Systems Management technology. Many years ago, security professionals were only interested in generating vast amounts of security logs so they could understand what was happening within their network. For as long as computers have existed, users have always wanted to monitor their systems to extract value from the information logs.
Back in the ’90s this was known as data mining, and in modern times this process has allowed websites to make intelligent decisions based on the sheer amount of data that is available. This can especially be seen in the advertising industry, for example, whereby Facebook is able to examine users’ profile details and, based on the content a person likes or shares, is able to advertise similar products that may be of interest to that specific user. In essence, this is how a SIEM functions.
ITSG: What kinds of data are most useful in apprehending cyberattacks?
GS: In general, most data could be used to help businesses make intelligent decisions, if utilised correctly. In regards to security, if a company has been collecting security logs over a number of years, it can review a previous virus or cyber-attack that has taken place. This is useful because every cyber-attack has specific characteristics attributed to it. This data therefore enables businesses to identify whether they’ve previously had the ‘symptoms’ of a virus, investigate any previous potential breaches and thus help prevent further attacks of a similar nature. Unfortunately, this is something that the majority of antivirus technology is unable to do because when deploying an anti-virus system, it will only function from the moment of installation until the licence expires, looking forward rather than backwards.
ITSG: How do SIEM systems assist with compliance?
GS: Almost all government organisations have a requirement to hold logs and events for investigatory purposes in a tamper-proof way that can be used in a forensically appropriate manner. Many CIOs within organisations see compliance as a ‘tick box exercise’, not understanding the true value a SIEM solution could provide. We want to educate the market regarding how businesses can utilise this data and do something more valuable with the information obtained.
ITSG: What kind of advancements do you foresee in this field of security in the coming years?
GS: SIEM is an extremely intelligent tool, and should be considered as much more than just a box ticking exercise. For example, a SIEM solution can identify that an employee has logged into a database in which he or she has no authority to do so, which could result in disciplinary action. If the SIEM solution is also plugged into the HR infrastructure, it may notify the user that the employee is on annual leave, and therefore the security situation must be addressed in a completely different way.
The additional context the system can provide is where SIEM will become increasingly useful to businesses going forward, helping companies to make more informed decisions. We believe the future of SIEM involves more than just compliance. This is a tool that, in a world with more data than ever before, helps sift through the noise to make the most intelligent security and business decisions.
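The two mechanisms described in the interview, normalising logs from different devices into one schema and then correlating a login against business context such as an HR leave calendar, can be shown end to end in a small script. The following is an added example written for this page; it is not LogPoint code and does not reflect any vendor's product. The three log lines, the device names, the authorisation table and the leave calendar are all constructed for the illustration, and the syslog year is assumed because BSD-style syslog lines carry none.

```python
import json
import re
from datetime import date, datetime

# Constructed sample log lines in three formats, as three hypothetical devices would emit them:
# a BSD-syslog line from a database server, a JSON line from an application gateway,
# and a key=value line from a firewall. Same kind of event, three "languages".
RAW_LOGS = [
    "Mar 14 09:12:01 dbsrv01 postgres[2231]: connection authorized: user=jdoe database=payroll client=10.0.4.17",
    '{"ts": "2024-03-14T09:13:44Z", "host": "gw01", "event": "db_login", "user": "asmith", "db": "crm", "src": "10.0.7.2"}',
    'time="2024-03-14 09:15:10" device=fw01 action=login user=bjones target=payroll src_ip=10.0.9.9',
]

# Assumed business context for the correlation step: who may use which database,
# and who HR says is on annual leave (inclusive date range). Both tables are constructed.
AUTHORISED = {"payroll": {"asmith", "hr_admin"}, "crm": {"asmith", "bjones"}}
ON_LEAVE = {"bjones": (date(2024, 3, 11), date(2024, 3, 15))}

SYSLOG_YEAR = 2024  # assumption: BSD syslog timestamps have no year field

SYSLOG_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) \S+: connection authorized: "
    r"user=(\S+) database=(\S+) client=(\S+)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def normalise(line):
    """Map one raw line, whatever its format, onto a common event schema; None if it is not a login."""
    line = line.strip()
    if line.startswith("{"):  # JSON source
        d = json.loads(line)
        if d.get("event") != "db_login":
            return None
        return {"ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"), "host": d["host"],
                "user": d["user"], "resource": d["db"], "src_ip": d["src"], "format": "json"}
    m = SYSLOG_RE.match(line)
    if m:  # BSD syslog source
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m.group(2), "user": m.group(3), "resource": m.group(4),
                "src_ip": m.group(5), "format": "syslog"}
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if kv.get("action") == "login":  # key=value source
        return {"ts": datetime.strptime(kv["time"], "%Y-%m-%d %H:%M:%S"), "host": kv["device"],
                "user": kv["user"], "resource": kv["target"], "src_ip": kv["src_ip"], "format": "kv"}
    return None


def normalise_all(lines):
    """Normalise every line and drop the ones no parser recognised."""
    return [e for e in (normalise(l) for l in lines) if e is not None]


def on_leave(user, when):
    """True if HR context says the account owner was on leave at the event time."""
    rng = ON_LEAVE.get(user)
    return bool(rng) and rng[0] <= when.date() <= rng[1]


def correlate(events):
    """One finding per login by a user not authorised for that resource.

    The same unauthorised login is classified differently depending on HR context:
    if the account owner is on leave, the account is more likely being used by
    someone else, so it is escalated rather than treated as a policy matter.
    """
    findings = []
    for e in events:
        if e["user"] in AUTHORISED.get(e["resource"], set()):
            continue
        category = "possible_credential_misuse" if on_leave(e["user"], e["ts"]) else "policy_violation"
        findings.append({**e, "category": category})
    return findings


if __name__ == "__main__":
    for f in correlate(normalise_all(RAW_LOGS)):
        print(f"{f['ts']:%Y-%m-%d %H:%M:%S} {f['category']:28} user={f['user']} "
              f"resource={f['resource']} src={f['src_ip']} via {f['format']}")
```

Run as-is, the script reports two findings from the three constructed lines: jdoe's payroll login is a policy violation, while bjones's payroll login is escalated because the leave calendar says that account's owner is away. The asmith login to crm produces nothing because it is authorised. The point of the design is that the detection rule is written once against the normalised schema and never needs to know which device produced the event.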
About Graeme Stewart, Managing Director of LogPoint UK & Ireland
Graeme leads the UK team for LogPoint, an innovative Danish SIEM vendor whose intuitive, adaptable solution is already deployed across Europe and Scandinavia.
Graeme is passionate about improving organisational information security with a practical, real-world approach, and has been involved in multiple industry and Government initiatives to highlight the importance of cyber security to Board and Public Sector executives. He has 20 years’ experience in IT and organisational data security with management roles at McAfee, Sophos, ClearSwift, PGP and Symantec. Graeme is a published thought leader, and an accomplished public speaker and media spokesperson.
About LogPoint
Founded in Denmark, LogPoint is a SIEM specialist whose technology has been used by over 300 clients across Europe since 2008. LogPoint SIEM collates millions of data logs from the disparate systems in your organisation and extracts meaningful information from them that you can act on.
Users enjoy how easily it adapts to stay in sync with client needs, from surpassing compliance demands, to seamlessly defending against cybercrime and fraud, and optimising IT operations. LogPoint’s SIEM software is NATO standard EAL3+ certified, costed on a direct affordable basis and flexible to suit your changing requirements. The scale-as-you-grow principle allows for quick and easy visualisation with only a few resources – no matter how vast the IT landscape, no matter how dense the data. With headquarters in Copenhagen, its sales and support offices are located throughout Europe and its partnerships reach across the globe.