How SIEM Can Help Protect Today’s Borderless Enterprise
With more and more employees working from home, the network perimeter has virtually disappeared. Firewalls, intrusion prevention systems and web gateways can’t protect endpoint devices that are connecting via the public Internet and not using a VPN. Furthermore, remote workers may not follow security best practices when they know their behavior isn’t being scrutinized, increasing the odds that threats will enter the network.
In this “borderless” environment, organizations should expand their security monitoring activities to encompass the extended enterprise. A security information and event management (SIEM) system can aid in this effort by capturing and correlating security data and analyzing it for signs that an attack is taking place.
SIEM is a security management platform that provides administrators with a single, holistic view of all security-related data. In essence, SIEM tools collect any data that may affect security, regardless of its origin, across the enterprise network. Data generated by servers, network hardware, security systems and end-user devices is sent to a central analytics engine for inspection.
Individually, solutions such as intrusion prevention and endpoint security focus on certain types of data. SIEM unifies and correlates the data from these and other systems so it can be analyzed from a single interface. This makes it possible to detect complex attacks that exploit multiple vulnerabilities.
It also helps cybersecurity teams cope with the overwhelming number of security alerts that are generated in the typical IT environment every day. The volume of alerts is so great that security pros ignore many if not most of them, forcing organizations to react to security incidents instead of proactively dealing with threats. SIEM systems translate alerts into actionable intelligence that enables IT teams to prioritize their investigative efforts.
Here’s a simple example. Let’s say that a hacker is attempting to access the organization’s VPN using stolen credentials. The SIEM system notes that the login originates from an IP address in a foreign location and is associated with a series of failed login attempts. The SIEM issues an alert with details of the location, the credentials used and what was accessed during the session. Instead of poring over log files, the incident response team can quickly investigate, take steps to mitigate the event and strengthen the organization’s VPN policy, user accounts and/or authentication.
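To make the correlation in that example concrete, here is a small rule written for this page (it is added illustration, not code from SageSECURE or from any SIEM product). It assumes a constructed VPN log format of `timestamp host event key=value ...`, a stub GeoIP table in place of a real database, and a constructed set of log lines; the rule flags a successful login that follows several failed attempts from the same source within a time window when that source resolves to a country outside the organization's expected set, then attaches the resources accessed in the resulting session to the alert.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample VPN log lines (not from any real system).
SAMPLE_LOGS = """\
2024-05-01T02:11:05Z vpn01 auth user=jsmith src=203.0.113.45 result=FAIL
2024-05-01T02:11:19Z vpn01 auth user=jsmith src=203.0.113.45 result=FAIL
2024-05-01T02:11:33Z vpn01 auth user=jsmith src=203.0.113.45 result=FAIL
2024-05-01T02:12:02Z vpn01 auth user=jsmith src=203.0.113.45 result=OK session=ab12
2024-05-01T02:14:40Z vpn01 access session=ab12 resource=fileserver01/finance
2024-05-01T02:15:10Z vpn01 access session=ab12 resource=hr-db
2024-05-01T08:30:00Z vpn01 auth user=mlee src=198.51.100.7 result=OK session=cd34
2024-05-01T08:31:00Z vpn01 access session=cd34 resource=intranet
"""

# Stub GeoIP lookup keyed by address prefix; a real SIEM queries a GeoIP database.
# "ZZ" is a placeholder code standing in for an unexpected country.
GEOIP = {"203.0.113.": "ZZ", "198.51.100.": "US"}
HOME_COUNTRIES = {"US"}          # countries where this organization expects logins
FAIL_THRESHOLD = 3               # failed attempts before a success becomes suspicious
WINDOW = timedelta(minutes=10)   # failures older than this are not counted


def parse_line(line):
    """Turn 'TIMESTAMP HOST EVENT key=value ...' into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    rec = {"ts": ts, "host": parts[1], "event": parts[2]}
    for kv in parts[3:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def lookup_country(ip):
    """Resolve an IP to a country code using the stub table."""
    for prefix, country in GEOIP.items():
        if ip.startswith(prefix):
            return country
    return "UNKNOWN"


def correlate(log_text):
    """Apply the rule to a block of log text and return a list of alerts."""
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = []
    by_session = {}                 # session id -> alert, so access events can be attached
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["event"] == "auth":
            key = (rec.get("user"), rec.get("src"))
            if rec.get("result") == "FAIL":
                failures[key].append(rec["ts"])
                continue
            # Successful login: drop failures outside the window, then evaluate.
            recent = failures[key]
            while recent and rec["ts"] - recent[0] > WINDOW:
                recent.popleft()
            country = lookup_country(rec.get("src", ""))
            if len(recent) >= FAIL_THRESHOLD and country not in HOME_COUNTRIES:
                alert = {
                    "rule": "foreign-login-after-failures",
                    "time": rec["ts"].isoformat(),
                    "user": rec.get("user"),
                    "src": rec.get("src"),
                    "country": country,
                    "failed_attempts": len(recent),
                    "session": rec.get("session"),
                    "resources": [],   # filled in as access events arrive
                }
                alerts.append(alert)
                if alert["session"]:
                    by_session[alert["session"]] = alert
            recent.clear()
        elif rec["event"] == "access":
            alert = by_session.get(rec.get("session"))
            if alert is not None:
                alert["resources"].append(rec.get("resource"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

The two knobs `FAIL_THRESHOLD` and `WINDOW`, together with `HOME_COUNTRIES`, are the kind of settings that need tuning in a real deployment: too low a threshold or too broad a window produces the early-stage noise the article describes, while requiring both a foreign source and a burst of failures keeps the rule from firing on a traveling employee who simply mistypes a password once.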
Despite its benefits, SIEM is not without challenges. In the early stages of deployment, SIEM systems tend to create alerts for events that aren’t serious. In other words, there is a lot of noise right out of the gate, and correlation rules must be fine-tuned to make the system work more intelligently.
When many alerts turn out to be false positives, busy IT teams are going to ignore them. This can lead to a breach that could have been prevented, or a wasted investment because SIEM technology is ineffectively used. Because of that, Gartner estimates that 20 percent to 30 percent of SIEM deployments fail.
Remote work was already a growing trend prior to the COVID-19 pandemic and is undoubtedly here to stay. SIEM can help protect today’s borderless enterprise by collecting, correlating and analyzing security event data beyond the network perimeter to rapidly detect threats.
SageSECURE, Managed Security Services