What is your Security Plan? Part 4 of 4
Have you taken a step back to look at what you and your organization are doing to address IT security today? In the first part of this four-part series, we highlighted a few things you should be concentrating on: email security, training your end users to recognize what is and what is not a phishing attempt, and keeping your machines fully patched. In the second part, we focused on Next Generation Firewalls (NGFW), Web Application Firewalls (WAF), and Denial of Service (DoS) protection. In the third part, we focused on Advanced Endpoint Protection. In this final part, we will dig into how you can work Security Information and Event Management (SIEM) and a Security Operations Center (SOC) into your security plan.
A Security Information and Event Management (SIEM) system aggregates logs from many, or all, of the critical devices and services in your environment, including cloud and SaaS platforms. Many of the SIEM products on the market today go a step further and correlate related events, for example events from different sources that concern the same host within a short time window, into a single incident. Some of the more powerful SIEM products also fold performance and availability monitoring into the same log aggregation, so a resource spike can be viewed alongside the security events that caused it.
A Security Operations Center (SOC) is usually staffed 24x7x365 with trained security professionals who are equipped to interpret and respond to the alerts generated by a SIEM or other security-specific tools. These individuals can assist with remediation steps when a security incident is detected. While it is possible to employ individuals within a company to fulfill these roles, for many organizations it is more cost effective to outsource this function to a third party.
A simple example ties these concepts together. Picture a company with a firewall, a switch, and a few servers, one of which is a Microsoft SQL Server database server, all sending their respective logs to a SIEM that is monitored by a SOC. Now imagine an attacker operating from another country has gained access to the SQL server and has just run a query that dumped a table containing all the Social Security Numbers of your customers. In running this query, the SQL server's CPU spiked to a level that is not normal for that time of day. The SIEM could potentially raise several alerts in this case, and when the SOC personnel respond they would see all the logs related to the incident in a single place: firewall logs showing that the SQL server has an open outbound connection to a foreign address, performance data showing that the SQL Server service was the reason the CPU spiked, and the database audit log showing the query that dumped the SSNs. Having all of this information in one place allows the SOC to contact the appropriate personnel and discuss containment and mitigation with a full explanation of what happened. Two practical caveats: the query only appears in this picture if auditing of statements is actually enabled on the SQL server and forwarded to the SIEM, and the three sources can only be lined up if their clocks are synchronized, so log coverage and time synchronization should be part of any SIEM rollout.
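The correlation step that turns those three separate alerts into one incident is the part of the scenario worth seeing in code. The following is an added example and is not Thrive's code or any SIEM vendor's product; the log line format, host names, IP addresses, the "home" country, the CPU threshold and the five-minute window are all constructed for illustration. It parses a handful of made-up firewall, performance and SQL audit lines, applies one simple rule per source, joins the hits on the same asset within a time window, and escalates only the incident that all three sources corroborate.

```python
"""Toy SIEM-style correlation over constructed log lines.

Added example, not Thrive's code or any vendor's product. The log format,
hosts, addresses, thresholds and asset inventory below are all made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample events from three sources. Real SIEMs parse vendor
# formats; here every line is "<ISO time> <source> <key=value ...>".
SAMPLE_LOGS = """
2024-03-12T02:13:05 fw action=allow src=10.0.5.20 dst=203.0.113.9 dport=443 geo=XX direction=out
2024-03-12T02:13:20 perf host=sqlsrv01 cpu=97 process=sqlservr.exe
2024-03-12T02:13:22 sqlaudit host=sqlsrv01 user=svc_web stmt="SELECT ssn FROM dbo.Customers" rows=250000
2024-03-12T11:40:00 perf host=sqlsrv01 cpu=95 process=sqlservr.exe
2024-03-12T11:40:10 sqlaudit host=sqlsrv01 user=etl stmt="SELECT ssn FROM dbo.Customers" rows=250000
""".strip().splitlines()

# Assumed asset inventory: lets a firewall event keyed by IP be joined with
# host-keyed events from the other sources.
ASSETS = {"10.0.5.20": "sqlsrv01"}
HOME_GEO = "US"            # assumed: anything else counts as "foreign"
CPU_THRESHOLD = 90         # assumed: percent
SENSITIVE_COLUMNS = ("ssn",)
WINDOW = timedelta(minutes=5)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Event:
    ts: datetime
    source: str
    fields: dict
    host: str


def parse_line(line: str) -> Event:
    ts_str, source, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    # Normalise every event onto the asset it concerns.
    src = fields.get("src", "")
    host = fields.get("host") or ASSETS.get(src, src or "unknown")
    return Event(datetime.fromisoformat(ts_str), source, fields, host)


def is_suspicious(e: Event) -> str | None:
    """Per-source rule: return a short finding, or None if the event is benign."""
    if e.source == "fw" and e.fields.get("direction") == "out" and e.fields.get("geo") != HOME_GEO:
        return f"outbound connection to {e.fields['dst']}:{e.fields['dport']} (geo {e.fields['geo']})"
    if e.source == "perf" and int(e.fields.get("cpu", 0)) >= CPU_THRESHOLD:
        return f"CPU {e.fields['cpu']}% in {e.fields.get('process')}"
    if e.source == "sqlaudit":
        stmt = e.fields.get("stmt", "").lower()
        if any(col in stmt for col in SENSITIVE_COLUMNS):
            return f"{e.fields.get('user')} ran: {e.fields['stmt']} ({e.fields.get('rows')} rows)"
    return None


@dataclass
class Incident:
    host: str
    start: datetime
    findings: list[str] = field(default_factory=list)
    sources: set[str] = field(default_factory=set)


def correlate(lines) -> list[Incident]:
    """Group suspicious events on the same host within WINDOW into one incident."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e.ts)
    incidents: list[Incident] = []
    open_by_host: dict[str, Incident] = {}
    for e in events:
        finding = is_suspicious(e)
        if finding is None:
            continue
        inc = open_by_host.get(e.host)
        if inc is None or e.ts - inc.start > WINDOW:
            inc = Incident(host=e.host, start=e.ts)
            incidents.append(inc)
            open_by_host[e.host] = inc
        inc.findings.append(f"{e.ts.time()} [{e.source}] {finding}")
        inc.sources.add(e.source)
    return incidents


def high_severity(incidents: list[Incident]) -> list[Incident]:
    """Escalate only incidents corroborated by firewall, performance and audit data."""
    return [i for i in incidents if {"fw", "perf", "sqlaudit"} <= i.sources]


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        sev = "HIGH" if inc in high_severity([inc]) else "LOW"
        print(f"{sev} {inc.host} starting {inc.start}")
        for f in inc.findings:
            print("   ", f)
```

Run as written, the 02:13 events collapse into a single HIGH incident on sqlsrv01 with three findings, while the 11:40 pair (a similar query and CPU spike but no foreign connection) becomes a separate LOW incident. That second case is the point of correlation: a scheduled ETL job reading the same table looks identical to the breach in the audit log alone, and only the firewall context separates them.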
It is important to note that a SIEM is a great first step and the SOC component can be added at a later date. If you do not have anything today, a SIEM may be a cost-effective addition to your Security Plan without adding the 24x7 SOC option.
The IT security landscape is rapidly changing and Thrive can help you navigate the enormous number of options available today. Please contact us for more information on updating your Security Plan.