How A SIEM Keeps Watch, Like Big Brother, But Over Your Network – Part I

Since 2000, our sole agenda has been to provide enterprise-class perimeter security defense to the SMB market.  For two decades, we’ve been strong proponents of proactive defense – the best way to defend a network is to block external threats, preventing them from entering that network in the first place.  Personally, I’ve never understood the use of IDS as a perimeter defense mechanism.  If you ‘think’ it’s bad, well then, it more than likely is – block it, take no prisoners, ask questions later.

The world around us has evolved in ways we couldn’t ever have predicted 20 years ago.

Virtualization.  Smartphones.  IoT.  Everything else that has exploded before our eyes over the past 20 years has veered the course of technology towards new frontiers.  The unwanted but inevitable consequence has been an opening of our environment in ways no one had foreseen.  Case in point: many have claimed the perimeter is dead.  While this is mostly marketing jargon, in the hopes of selling you the next “big” security gadget, there’s some semblance of truth in that statement, namely that the perimeter has taken on a different shape, and a different meaning.

Think of it this way.

In the medieval ages, kings built castles and moats.  Today, it’d be ridiculous to do so.  Does that mean countries don’t have borders?  No, it doesn’t.  It simply means the world is more open, people move around more freely, and that putting up defenses only at the perimeter is no longer sufficient.  You need to also patrol internally, to stop those threats that somehow manage to slip through.

The same applies to cybersecurity.  We aren’t advocating (and never will) that we should stop patrolling the edges of our company.  We know for a fact these edges are so loose nowadays that you must also increase internal patrol.  Activity within the network must be monitored, and so must user activity.  Logs checked.  Threats sniffed, and so forth.

How do you do that?

Enter the concept of SIEM.

Traditionally meaning Security Information and Event Management, the SIEM is by no means a new concept.  The unification of security information management and security event management has been attempted for a while, dating back some 10 years.  However, the initial attempts were (and often still are) nothing more than a collection of logs, with “experts” poring over them to make sense of them.  A daunting and quite useless task, honestly, given the insurmountable amount of data (and that’s not even counting the unavoidable false positives).  So, for a long time, SIEM has remained mostly wishful thinking, something only companies with too much money in their pockets would consider; and likely something that didn’t bring much in terms of security anyway.

Not surprisingly, while the global cybersecurity market today is valued at about $130B, the SIEM market is a mere $1.5B.  Really an insignificant sliver in the vast sea of cybersecurity solutions.

However, this is about to change.

And no, not because we now have a SIEM solution of our own.

Next week, find out how the landscape is shifting and steps to take in order to navigate your network around it in Part II.