Over the past few blogs we have studied some of the benefits of implementing monitoring solutions. While compliance drives this need for many industries, businesses will also find cost savings by uncovering breaches faster and decreasing overall investigation times. We have gone over the pros and cons of outsourcing the work. In the final part of this series we will summarize this information and discuss how Tandem Cyber Solutions approaches the topic.
Compliance has become one of the driving forces behind centralized logging, emerging from the burden of reviewing each system’s logs. HIPAA, IDSA, and PCI all have sections requiring periodic review of audit logs for each device on a network. For some organizations with limited complexity, meeting this need is tedious; for companies with 20 to 1,000s of devices, the task is impossible. Centralized log auditing has changed the way businesses approach cyber security, impacting not just compliance but the investigation process as well.
Once a breach occurs, the follow-on investigation is time consuming and, in some cases, can prevent the use of computer systems until the investigation is completed. Without centralized logging, the forensic discovery process takes significantly more time: we are talking hours to days with a SIEM versus days to months without centralization capabilities. This effort pales in comparison to the time required to detect a breach in the first place; without a SIEM, detection could take years or never happen at all. Compliance and visibility are argument enough for investing in a SIEM, but the technology alone will not solve a business’s cyber security woes.
Expert eyes are the reason centralized auditing can be a foundation piece of an effective cyber security program. Without the ability to distinguish good from bad, logs look like a foreign language, much like a person who took Spanish in high school but ten years later must read a Spanish menu to order food. To the English speaker, most of the Spanish doesn’t make sense, so they rely on the waiter to interpret the menu and find the best dish. Internal IT staff have the same issue: they need help interpreting logs and finding the bad guys. These experts should be able to readily identify fundamental attacks; however, there is a limit to the knowledge a person can consume. Thus, a practitioner will have an area of focus such as forensics, web, network, or client-side. The best information security team will consist of experts with various specialties, collaborating during incidents to provide the best insight possible.
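To make the "expert eyes" and centralization points concrete, here is an added example (not code from the original post or from Tandem Cyber Solutions) that encodes one simple analyst rule over sshd authentication lines forwarded to a central collector. The sample log lines, hostnames and addresses are constructed for the example; the rule flags a source address whose failed logins touch several distinct hosts, a pattern that looks harmless on any single host (one failure each) and only becomes visible once the logs are in one place. The threshold `min_hosts` and the syslog-style line layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth lines as they would arrive at a central collector
# (syslog-style: timestamp, hostname, program[pid]: message). Hostnames are invented
# and addresses are taken from documentation ranges.
SAMPLE_LOGS = """\
2024-03-01T08:00:01Z web01 sshd[1201]: Failed password for root from 203.0.113.45 port 51022 ssh2
2024-03-01T08:00:03Z web02 sshd[988]: Failed password for root from 203.0.113.45 port 51030 ssh2
2024-03-01T08:00:05Z db01 sshd[2231]: Failed password for admin from 203.0.113.45 port 51041 ssh2
2024-03-01T08:00:09Z app03 sshd[774]: Failed password for root from 203.0.113.45 port 51055 ssh2
2024-03-01T08:01:10Z web01 sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2
2024-03-01T08:02:15Z db01 sshd[2240]: Failed password for alice from 198.51.100.7 port 40122 ssh2
2024-03-01T08:02:20Z db01 sshd[2241]: Accepted password for alice from 198.51.100.7 port 40122 ssh2
"""

# Matches the common "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Return the fields of one sshd auth line, or None for lines this example does not model."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def per_host_failure_counts(lines):
    """The view a single host has: failed logins counted per (host, source) pair."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "Failed":
            counts[(ev["host"], ev["src"])] += 1
    return dict(counts)


def correlate_failed_logins(lines, min_hosts=3):
    """The central view: sources whose failed logins span at least min_hosts distinct hosts.

    Returns a dict of source address -> sorted list of affected hosts.
    """
    hosts_by_src = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "Failed":
            hosts_by_src[ev["src"]].add(ev["host"])
    return {src: sorted(hosts) for src, hosts in hosts_by_src.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    # Each host saw only one failure from 203.0.113.45, nothing a local threshold would catch.
    print("per-host view:", per_host_failure_counts(lines))
    # The central view ties the same source to four hosts and surfaces it for an analyst.
    print("central view:", correlate_failed_logins(lines))
```

The per-host counts are all 1, so no single device would raise an alert; the correlated view reports 203.0.113.45 against four hosts while the legitimate user's single typo from 198.51.100.7 stays below the threshold. Real SIEM rules add time windows and allow-lists, but the structure (parse, normalize, correlate across sources) is the same.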
This post wraps up our series on Information Security Monitoring, and we hope you enjoyed the journey. Please post any experiences with SIEM solutions below and what you have found most effective (or not). As always, reach out to Tandem Cyber Solutions if you would like to discuss how we may help your business implement monitoring into an information security program.