With TWINSOFT to a profitable and operational SIEM in three steps

The desire for greater efficiency leads companies to interlink their IT systems, industrial plants and business processes. For hackers, this connected world is attractive. Through multiple entry points, they penetrate the systems, damage hardware and software, manipulate data or completely cripple services and functions. Without targeted and coordinated countermeasures, many companies are helplessly at the mercy of this threat.

A system that analyzes and processes security incidents in applications and network components in real time can change that.

Security Information and Event Management (SIEM) promises to take IT security to a new level. In many cases, however, companies in Germany lack experience with this methodology. Companies that want to build a SIEM efficiently should therefore consider the following steps:

Step 1: No security without a SIEM roadmap!

IT governance, for example by defining process and management structures, ensures that IT optimally supports a company’s strategy and minimizes potential risks. Therefore, companies should first extend the existing information security directive to the topic of "SIEM": Who is responsible for the operation and for the downstream incident processing? For which assets should the monitoring be set up? The clearer the answers, the better. Otherwise, there is a risk that misunderstandings will arise and that it will not be possible to check whether the stated objectives have been achieved. Both drive up costs and delay the SIEM becoming effective.

Governance also includes processes. In order for the SIEM to be operational as quickly as possible, a company must define processes, e.g. for incident processing. In the worst case, the SIEM generates alarms or so-called "offenses", but there is no one to handle them. It is therefore necessary to clarify which technical and human resources are available.

If the technical and personnel resources are not available internally, an MSSP (Managed Security Service Provider) approach is suitable. TWINSOFT is happy to support you here with its different MSSP models.

Step 2: Which SIEM tool is best for me?

By now, there are many providers of SIEM software on the market. Among the larger ones – based in the USA – are Splunk, QRadar, AlienVault or LogRhythm. Among other things, TWINSOFT has specialized in its partner LogRhythm, as this partner stands for state-of-the-art and next-generation SIEM and UEBA and offers optimal solutions for SMEs. As a purely European provider, we recommend, for example, Logpoint, which stands for maximum security with its EAL3+ certification and revolutionizes the market with its innovative and future-oriented technologies.

Which tool is the right one for your own IT infrastructure should be carefully considered. A professional requirements analysis helps here. Based on the assets to be monitored and the number of events they generate per hour, a meaningful pre-selection of a SIEM tool can already be made.

TWINSOFT will gladly support you in your selection.

In addition, companies should clarify two questions: First, can an already existing incident management tool be easily connected? Secondly, where is the log data better stored: in the cloud or on-premise? A thorough requirements and market analysis protects against wrong purchases, saves time and ensures that the SIEM tool fits into the system landscape.

Step 3: Dovetail SIEM and infrastructure!

Once the license has been acquired, the system must be integrated into the existing infrastructure. Most SIEM tools offer a wide range of interfaces, and most IT assets already generate a lot of log data on their own. Once the SIEM tool is finally also connected to the solution for incident processing, it is ready for use.

Until the SIEM has become an integral part of the security infrastructure, however, some hurdles must be overcome. Each company has to define for itself how it deals with the – usually quite high – number of "false positives". Also, not all required logs will be available for processing in monitoring.

Conclusion:

Practice teaches – you need a strategy, sufficient resources and knowledge of your own infrastructure for a SIEM project to be successful, profitable and operational.

Interested? For questions, the SIEM experts at TWINSOFT are at your disposal.

Julian Steinbichler

Senior Product Manager
