The modern enterprise is at war, a continuous battle taking place at the edge of the network, with security appliances attempting to keep intruders at bay. Some attacks are able to penetrate the defenses and infiltrate the network. Considering the technology involved, the layering of threat prevention systems and the sophistication of defenses, one would think an intrusion would be impossible.
However, the nature of network security is reactive -- threats are detected and then, hopefully, blocked. Obviously, reactive technologies are not completely effective, especially if one fails to rely on gathered intelligence, trends, and the potential of the enemy. Many security administrators, along with security product vendors, make the same mistake: They base their defenses on what an attacker may do, not what the attacker can do.
Simply put, modern security systems rely on signature-based and heuristic engines to combat threats, yet only have milliseconds to make a decision and can only detect problems with static code.
What is SIEM?
Strengthening security takes a proactive approach, one that can only be fueled with proper intelligence gathering techniques. Enterprise security vendors are seeking to provide that intelligence with Security Incident and Event Management (SIEM), which gives administrators an upper hand in the intelligence-gathering and forensics process. After all, the best defense is often a good offense, where trends and attack profiles can be identified and then stopped before a full-blown incursion occurs.
So, what exactly is SIEM and how does it help the harried administrator shore their defenses against intrusion? In all actuality, SIEM is nothing more than a way to centralize what is happening with security on the network and offers a converged view of all security products participating in the defense of the network.
That unified view of network security gives administrators an edge. From one console, they are able to ascertain the security status of the network, observe attempted breaches in progress, and identify anomalies that may precede an attack. In essence, SIEM becomes the intelligence tool needed for effective combat.
While that may be a somewhat simplified description of SIEM, one cannot dismiss the power that proactive management brings to the table for security.
Getting the most benefit from SIEM
Nevertheless, SIEM has to be used correctly to provide any true benefits. Many adopters make the mistake of implementing SIEM and then just defining triggers for alerts. The truth here is that triggers (and their alerts) are still a reactive ideology. To fully leverage SIEM, one has to live in the technology, and actively monitor what is happening, while regularly running analytical reports to identify trends or attack profiles.
The simple fact of the matter is that most orchestrated attacks begin with probes or other queries against the defenses. Identifying those traffic anomalies can lead to building a defense before an attack commences, and that my friends is where the real power of security technology lies.
