As IT infrastructures have become more sophisticated and complex, so have the cyberattacks that attempt to infiltrate them. Advanced persistent threats (APTs) are capable of sneaking past defenses and operating undetected for weeks or even months. There are often signs that an attack is taking place, but organizations lack effective tools for monitoring threats and correlating security event information, and in many cases just ignore the signs as false positives.
Many times these events go undetected due to the large volume of data coming from security tools, which all require a review of the individual toolset dashboards and reports. This piecemeal approach can lead to gaps in security due to the lack of correlation as well as an overabundance of log files and alerts.
In a Ponemon Institute study released in 2015, surveyed organizations said they received an average of 16,937 cyber security alerts each week. Only 19 percent of those alerts were considered reliable and only 4 percent were actually investigated. Survey respondents reported spending almost 21,000 hours a year, on average, analyzing false negatives and positives.
Security information and event management (SIEM) systems are designed to identify statistical anomalies and translate cybersecurity alerts into actionable intelligence. In essence, a SIEM tool collects security-related data from a wide range of sources across the enterprise network, and sends it to a central console for review. Data from servers, applications, network hardware, security systems and end-user devices is correlated and analyzed for trends and patterns that may signal a security issue. Many times the logs from individual security tools may appear normal. However, when reviewed in conjunction with other system logs and against historical trend data, abnormal activity can be identified, and the proverbial needle in the haystack can be found.
SIEM systems combine the functionality of security information management (SIM) and security event management (SEM) tools. A SIM system simply collects event logs from various systems and stores them in a central repository. A SEM system includes analysis tools and centralized reporting for compliance. Together they create a comprehensive system for detecting and responding to malicious behavior.
Unfortunately, commercial SIEM solutions tend to be complex and expensive. Many organizations, particularly small to midsize businesses, lack the resources to implement them. Open source tools can be used to build a SIEM, but that requires significant time and expertise.
Fortunately, Kustodian has done all of the work for you with SIEMonster. Based upon open source modules, SIEMonster includes all the dashboards, plugins and incident response tools found in an enterprise-class SIEM solution. Yet the SIEMonster Community Edition is free to download with full documentation and no data or node limitations. Kustodian also offers a Premium Edition that adds advanced correlation and scheduled reporting for $4,999 per year.
SIEMonster can monitor a wide range of data sources for virtually anything that generates a log file, including SCADA data. The solution has been proven in an enterprise environment with more than 20,000 users.
Kustodian recently selected SageNet as its preferred partner in North America. SageNet can offer both the Community and Premium Editions of SIEMonster as well as a multitenant edition for managed security service providers. In addition, SageNet is offering a turnkey managed SIEM environment including 24x7x365 security event monitoring by highly qualified cybersecurity experts.
A SIEM can minimize the “noise” created by too many security alerts, but few organizations have the budget or expertise to deploy traditional SIEM solutions. With SIEMonster, organizations of all sizes can take advantage of real-time monitoring and alerting for their security event data. Contact SageNet for more information.