Why the SIEM system is no longer a luxury and how to implement it quickly

Source: https://cobaltstrike.net/2022/03/31/why-the-siem-system-is-no-longer-a-luxury-and-how-to-implement-it-quickly/

Why SIEM systems are needed and why their importance is increasing now

Key foreign vendors (IBM, HP, Microsoft, Oracle, Fortinet) have left the market, and this is not the end of the process. This creates a lot of risks for Russian companies: that foreign suppliers will start disabling functionality remotely; that they will stop providing services without waiting for licenses to expire; that the hardware will fail. Insider risks are growing, for example, due to the use of VPN services, downloads of which have increased by 1268% since the end of February! Controlling software updates has become a real problem, combined with the opposite risk: that the very same update will turn the equipment into a useless piece of hardware.

What should an IT or information security specialist grab onto first? How much time should they spend switching from the console of one security solution to another?

In this situation SIEM systems acquire a completely new relevance, because they let you work with all logs from a single window, see the relationships between those logs, recognize an incident in a chain of them, and notify an information security specialist about it.

That is, the SIEM system will collect and show in one window:

  • what equipment and software is installed;
  • which ports are open;
  • which software is missing updates;
  • the security status of the equipment.

What to pay attention to when choosing

A modern SIEM should be able to collect logs from all critical information sources, normalize the data, build correlations, identify incidents and notify specialists about them. At the same time, the system should ship with a significant number of built-in incident detection rules; this can be checked during testing. The IT infrastructure inventory function is critical, because you can’t protect what you don’t know about.

Ask the vendor how long it will take before the system actually starts working: implementation times vary, and perhaps you don’t have a month, let alone six months, to wait. It is also useful to ask what qualifications the specialist who will work with the system needs (whether they need to know programming languages and to what extent, whether they need to obtain a certificate and undergo training).

What to do if you need to replace a foreign SIEM with a Russian one

Import substitution in the information technology sector is not as acute a problem as in related sectors. But in the case of a SIEM system the situation is more burdensome: implementation here can take months, and in a situation where the company’s IT and information security specialists are already busy, even longer.

“Serchinform SIEM” can be a solution in this situation, because we developed it as a “boxed” product that can be deployed quickly, in one day.

  1. It’s easy to get started. The interface of “Serchinform SIEM” is understandable to anyone who has ever opened Word or Excel. Rules are created in the graphical interface, which is simple and understandable for the user. There is no need to dedicate a separate person to work with the system.
  2. Universal preset rules. They provide a fulcrum at the first stage so that work can be organized from the first day of implementation. The SIEM administrator can immediately show results to management and then continue adjusting the rules to the needs of their company. More than 300 rules are available “out of the box”.
  3. The system has all the most necessary connectors, as well as a custom connector that lets you connect any source using simple scripts. You will also find templates of these scripts, written in PowerShell, in the “box”.
  4. No need to buy additional individual modules: the entire declared set of functions is available in one solution. Customers often face the opposite situation and miscalculate at the start, so that the final purchase amount turns out to be much larger than planned.
  5. Free setup help. Long-time clients of Serchinform know our implementation department: these are highly qualified specialists with experience working with hundreds of clients. Therefore they, like our technical support engineers, take on a significant part of the worries. This allows you to implement the solution successfully even if your company has a shortage of specialists in the IT or information security department.

The system can always be obtained for a month of free testing.

What “Serchinform SIEM” can do

The system now works with 30+ types of information sources, including products from our own line: the DLP system “Serchinform CIB” and the DCAP system FileAuditor. We are constantly increasing the number of connectors, and for sources that have no connector yet we have created a simple and convenient Custom Connector. It solves the problem of connecting the SIEM to software that does not send logs via Syslog, for example any in-house program. The connector can be written independently in Windows PowerShell.

Serchinform SIEM supports the SNMP protocol, which significantly expands the ability to monitor different types of equipment. This will be useful not so much for information security as for IT.

The SIEM has a network scanner that visualizes the entire infrastructure: configurations of computers, routers, switches, printers and other equipment. You can detect open ports and track unauthorized attempts to connect new devices. Incidents can be displayed on customizable dashboards: panels where you can arrange any number of personal widgets built from 13 ready-made templates.

It is commonly believed that writing your own rules in a SIEM is difficult. We have implemented this through a simple editor that makes life easier for specialists. This year we added several logical operators that allow complex correlations to be identified. For example, if a person has not passed through the access control system (ACS) but is working at a computer, that is a reason to find out whether it is sanctioned remote access or an intrusion.
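As an added example (not Serchinform’s code, and not its connector or rule syntax), here is the pipeline the article describes, end to end: two log sources normalized into one event schema, then the “logged on but never badged in through the ACS” correlation from the paragraph above. The log formats, hostnames and user names are constructed for this illustration, and the rule is written in Python rather than as a Serchinform SIEM rule; the 12-hour window is an assumed tuning value.

```python
"""Minimal SIEM-style pipeline: normalize two log sources, then correlate.

All sample data and formats below are constructed for this example; they are
not Serchinform SIEM's connector output or rule language.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed badge/turnstile (ACS) export: time, badge event, user, door.
ACS_LOG = """\
2022-03-30 08:02:11 ENTRY ivanov MainEntrance
2022-03-30 08:15:40 ENTRY petrova MainEntrance
2022-03-30 17:31:05 EXIT ivanov MainEntrance
"""

# Constructed syslog-style lines from a hypothetical workstation agent.
LOGON_LOG = """\
<86>Mar 30 08:10:02 ws-017 agent: LOGON user=ivanov type=interactive src=console
<86>Mar 30 09:02:47 ws-023 agent: LOGON user=sidorov type=interactive src=console
<86>Mar 30 18:20:13 ws-017 agent: LOGON user=ivanov type=interactive src=console
<86>Mar 30 09:10:30 ws-031 agent: LOGON user=petrova type=interactive src=console
"""


@dataclass(frozen=True)
class Event:
    """Common schema every connector normalizes into."""
    ts: datetime
    source: str   # which connector produced the event
    kind: str     # "badge_entry", "badge_exit" or "logon"
    user: str
    host: str     # door name or workstation


ACS_RE = re.compile(r"^(\S+ \S+) (ENTRY|EXIT) (\S+) (\S+)$")
SYSLOG_RE = re.compile(
    r"^<\d+>(\w{3} +\d+ [\d:]+) (\S+) agent: LOGON user=(\S+) type=(\S+)")


def parse_acs(text):
    """Connector for the badge export: one Event per well-formed line."""
    events = []
    for line in text.splitlines():
        m = ACS_RE.match(line)
        if not m:
            continue  # a real connector would count/alert on unparsable lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        kind = "badge_entry" if m.group(2) == "ENTRY" else "badge_exit"
        events.append(Event(ts, "acs", kind, m.group(3), m.group(4)))
    return events


def parse_logons(text, year=2022):
    """Connector for the workstation agent's syslog-style lines."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        # BSD syslog timestamps carry no year; the connector has to supply it.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, "workstation", "logon", m.group(3), m.group(2)))
    return events


def logon_without_badge(events, window=timedelta(hours=12)):
    """Correlation rule: an interactive logon is suspicious when the user's
    most recent ACS event is missing, is an exit, or is an entry older than
    `window`.  Returns (logon_event, reason) pairs for an analyst to triage;
    deciding whether it is sanctioned remote access is a human step."""
    badges = sorted((e for e in events if e.source == "acs"), key=lambda e: e.ts)
    logons = sorted((e for e in events if e.kind == "logon"), key=lambda e: e.ts)
    incidents = []
    for logon in logons:
        last = None  # most recent badge event for this user before the logon
        for b in badges:
            if b.user == logon.user and b.ts <= logon.ts:
                last = b
        if last is None:
            incidents.append((logon, "no badge entry on record"))
        elif last.kind == "badge_exit":
            incidents.append((logon, "last badge event was an exit"))
        elif logon.ts - last.ts > window:
            incidents.append((logon, "badge entry older than window"))
    return incidents


if __name__ == "__main__":
    all_events = parse_acs(ACS_LOG) + parse_logons(LOGON_LOG)
    for logon, reason in logon_without_badge(all_events):
        print(f"{logon.ts} {logon.user}@{logon.host}: {reason}")
```

Run as-is, the rule flags two of the four logons: sidorov on ws-023 (no badge event at all) and ivanov’s evening logon on ws-017 (his last ACS event is an exit). The two parsers are where the real work of a connector lies: everything after them operates only on the common `Event` schema, which is what lets one rule span sources as different as a turnstile and a workstation agent.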

On April 7 we will hold a stream in which our own and independent experts will take part: listen and find out whether you need a SIEM.
