It has long been recognized that log files contain the breadcrumbs of what has occurred on your network and provide the trail of events that occurred in the event of a breach. This technology has grown substantially over the last 15 years, from a simple log collector to the Security Information and Event Management Systems (SIEM) that are currently available. Today’s SIEMs are more powerful, with built in queries, real time alerting and threat intelligence to provide IT staff with actionable items. The growth of the SIEM market was driven by compliance requirements such as SOX, PCI DSS, HIPAA, etc, however the ability is for more than checking a list for compliance, and is also used for assisting with detection, analysis and mitigation of security incidents.
An SIEM will ingest the log files from every device and applications, depositing this information in a datastore of some form, and then allowing an organization to create reports/queries based on their requirements, as well as configuring real time alerting for activity that has been identified as “malicious” or suspicious. Most SIEM’s will also include a large library or pre-configured reports specific to regulatory/compliance requirements.
With the growth of big data, a number of the SIEM vendors include security analytics and behavioural analysis of your network, baselining normal activity, so that triggers can be initiated when abnormal activity occurs. These triggers can be as innocuous as sending an email to the security staff with an actionable item to removing a device from the network to stop the movement of malicious activity or malware.
Network and endpoint monitoring are additional features recording activities such as USB or other removable media (providing DLP), monitoring changes to registry, file integrity monitoring as well as looking for activity when a user may be attempting to escalate their privileges on the network.
While traditionally this technology was used only by large enterprise organizations, it has become an essential security product for any company.
Symtrex’s product portfolio includes SIEM products designed for the SMB’s through to global organizations. For information feel free to contact us, or review LogRhythm, Fortinet’s Accelops, Balabit, and Alertlogic.