For most organisations the drive to capture log data is compliance. There are a few exceptions of course, but for most of you this simply means capturing and storing log data.
But why do just that? Doesn’t that seem kind of pointless? If you’ve got to do that then shouldn’t you at least get something out of it other than ticking the compliance box? Don’t get me wrong, being compliant is a good thing and for some of you it’s key to your business. But compliance is only a minimum standard. It’s the least you have to do yet most of us stop there. Why? – That’s another subject for another time.
Most of the focus within SIEM is on the S, Security (yes, I’m including compliance in this bit as well). There is a tremendous amount of security-related value that analysis of your data can bring, all the standard stuff like failed log-ins and privileged-user monitoring, to name two. But there are a whole host of other things you can and probably should do but don’t, because they are above and beyond the whole compliance thing. I’m talking about things such as monitoring successful logins and log-offs and determining the time lapse between the two events – is it too short for a human to have done that? Are you getting a lot of logins and log-offs in a short space of time? This could be a sign that someone has got into your accounts and is trying them to see if they are valid. Or maybe you want to find that signal in the noise – comparing user behaviour over time and finding out who is doing something very different to their colleagues. Even simple things like monitoring business-critical files and their movement within your organisation will add value to your organisation’s security.
However I want you to think about the rest of the letters in that acronym SIEM – Information & Event Management…
This is where you can really get some value from your data in areas of your business you might not have thought of. Wouldn’t it be good for your business to monitor your VOIP traffic, logging and analysing who you are calling, call times, and whether they are premium-rate or international calls? Maybe you’d just like an alert if someone’s calling the talking clock, or perhaps simply having that information to hand for your finance team to cross-reference with your phone bill. Maybe you’d like to monitor the usage of resources in your business, so that when renewal time comes around you will have the information you need to know whether it’s worth renewing or whether your budget could be better spent elsewhere. Maybe you don’t need that Super Fancy Malware Threat Defender 5000, but you do need a new core switch. Having real-life usage information to hand will be a valuable tool in assessing where to spend your budget.
The right SIEM can do all of those things for you and more. It can and should be at the heart of everything you do. Data does have value, but it’s how you use it that counts. So with all this additional value a SIEM can bring, maybe you’ll get lucky and other areas of the business will contribute their budget to purchase the right SIEM. Money follows value, as they say…
By Andy Deacon, Security Consultant, LogPoint
You can read the original article here.