Security information and event management (SIEM) is a crucial part of threat management. Here’s why more organizations are turning to SIEM as a Service.
We see headlines about data breaches every week. But just how many sensitive data records are actually being exposed? Try 160 million in 2015 alone — a big jump over 2014 (68 million) and 2013 (61 million).¹ And that’s just reported events.
Then there’s the cost: an average of $158 per stolen or lost record³ — meaning that 2015’s price tag topped $25 billion.
Meanwhile, enterprises have little time to respond. More than two-thirds of cyberattacks require just days to progress from network compromise to data exfiltration.² (See Figure 1.)
Now, a growing number of enterprises are turning to SIEM as a Service. The objective is to offload event monitoring and response to managed services providers with the expertise to optimize the effectiveness of SIEM.
“SIEM is an essential security measure for any organization, but it requires certain skillsets to manage and provide effective threat monitoring and alerting,” says Chad Atchley, CompuCom® vice president of Cloud Technology Services. “For many companies, finding people with the right expertise can be challenging and expensive, resulting in tool deployments that don’t adequately identify threats to their environments. SIEM as a Service is a solution to this challenge and makes sure that SIEM operations aren’t a weak link in your security defenses.”
Wanted: SIEM Expertise
SIEM involves software that monitors your IT infrastructure for unusual activities, such as anomalous network traffic, that could indicate a cyberattack. It then either alerts security staff or takes automated action with the goal of preventing system interruption or data leakage.
Security experts consider SIEM as essential to threat protection as firewalls, antivirus (AV) and other security measures. In fact, Gartner expects SIEM tools “to remain a central point for enterprise security monitoring.”⁴
Organizations are now offloading SIEM for two key reasons. The first driver is a significant and growing security-skills gap. (See Figure 2.)
Leveraging a managed security provider is a good way to solve this problem, as providers of security services can attract the most committed security professionals and keep them trained on the latest attacks and defenses.
The second driver is limited resources, in terms of both budget and focus. “Purchasing, implementing and managing a SIEM solution in-house can be expensive and challenging,” Atchley notes.
That’s true for large organizations that need to protect vast IT infrastructures. But it’s also true, in a different way, for smaller organizations that see only a small number of security events. SIEM tools get better at predicting events as they observe more anomalous behavior: the more events they’ve seen, the more quickly and effectively they help prevent data breaches.
With SIEM as a Service, organizations of all sizes can benefit from data on a wide range of network behavior. “An effective managed SIEM service can deliver a Fortune 50-class security solution to organizations of any size,” Atchley says.
What should you look for in a managed SIEM service? Atchley offers guidelines:
- Security expertise — Make sure your SIEM managed service provider has many years of experience delivering security solutions and services. It should leverage best-in-class tools and partner with other best-in-class providers to offer the most complete solution.
- Around-the-clock service — Your provider should have a global presence, with the ability to monitor and respond to security events around the clock. “Your data assets don’t shut off at 5 p.m., and neither do cyberattackers,” Atchley says.
- Data, data, data — An effective SIEM service will leverage vast incident data — not just the data within your own organization, but also aggregated data from large numbers of previous security incidents. That allows for effective analytics and rapid recognition of network events consistent with a cyberattack.
For example, CompuCom’s SIEM services integrate Intel® Security’s McAfee® Enterprise Security Manager (ESM) as a cloud-hosted and cloud-delivered solution. “CompuCom is the only service provider to deliver Intel’s SIEM solution as a cloud-hosted, managed service,” Atchley points out. “That brings the same capabilities and analytics of the largest organizations to companies of any size.”
- Reports and analysis — A good SIEM provider will deliver dashboards and regular reports on issues such as the top threats observed in your environment, systems that may be vulnerable, as well as potential security events detected, how they were addressed and what the outcome was. At the same time, not all unusual data traffic is a security event. A good SIEM provider will have tools and experience that let it differentiate between a false alert and an actual cyberattack.
- Response and supporting services — An effective SIEM provider won’t just identify and stop an attack. It will also determine where there are vulnerabilities and help prevent events from occurring in the future. Likewise, look for a provider that offers broader IT services that can help improve your security posture. For example, “effective configuration of hardware from the data center to mobile endpoints can go a long way toward preventing data breaches,” Atchley advises.
Finally, your SIEM service should integrate with your existing security policies and processes. “You shouldn’t have to make major changes to incorporate SIEM,” Atchley notes. “But as your service provider analyzes network-activity logs, it will uncover configuration and behavior issues that could point to changes in rules or process flow.”
SIEM as a Service won’t be the only defensive weapon in your data security arsenal. You’ll still need basics like AV, encryption and configuration management. “SIEM is the equivalent of putting a motion sensor on every window and door of your IT landscape,” Atchley says. “No security portfolio should be considered complete without it.”
¹ Privacy Rights Clearinghouse data
² “2016 Data Breach Investigations Report,” Verizon, 2016
³ “2016 Cost of Data Breach Study,” Ponemon Institute, June 2016
⁴ “Security Information and Event Management Architecture and Operational Processes,” Gartner, February 2016
CompuCom® is a registered trademark of CompuCom Systems, Inc.
Intel® and McAfee® are registered trademarks of Intel Corporation.
Verizon® is a registered trademark of Verizon Communications, Inc.
All data cited in this article is used by permission.