How to get the most out of your SIEM system
When it comes to threat protection, antivirus software is no longer enough. Data center admins need cloud-based SIEM to ensure their environments are fully protected.
To ensure data security and data center health, it is vital for admins to consistently evaluate and audit security information and event management systems.
There are more components to data management than there were in the early days of antivirus software, and hackers have become increasingly malicious. The days of being able to run basic antivirus software and assume security is taken care of are gone.
New zero-day threats emerge on a daily basis. To combat them, organizations must move on from the occasional signature file update to operational procedures that keep the software constantly updated from cloud-based services.
What makes a good security information and event management (SIEM) system? According to BMC Software, the four main parts of a standard SIEM system are log management, security event management, security information management and security event correlation.
Pattern recognition and holistic monitoring functions are essential to make these four modules work. Known patterns give the SIEM system a baseline against which to check new events, alongside the organization's own whitelists and blacklists and its own -- preferably cloud-based -- database of events.
An up-to-date SIEM system should also use heuristics to identify zero-day problems. Depending on what events the software finds, it can isolate the data streams causing the pattern, such as a distributed denial-of-service attack; offload the traffic; quarantine the activity; and lock out a potentially malicious data stream.
SIEM should also aggregate data to bring enough information together for pattern recognition to take place. Without a full knowledge of what events are happening across a platform, SIEM won't work properly, as admins have an incomplete view of data center activity.
Using SIEM as a window into the data center
A typical data center network has thousands of nodes that create their own data on a constant basis, such as servers, storage systems, routers and access devices. As IoT and edge computing systems see increased adoption, they only add to the number of connected systems and network nodes.
On top of this is the implementation of hybrid cloud-based systems. Admins might not have direct access to the hardware, but licensing agreements can provide access to the data. A good SIEM system provides all the necessary insight into data center activities and can help troubleshoot issues no matter the hardware's location.
At a basic level, a SIEM system must aggregate event data into a single database and provide an overall view of all current events across the data center. Vendors use either database aggregation or advanced log management systems to achieve this.
Admins should look for systems that can pre-filter data to minimize the size of any resulting master database for optimal storage and application performance.
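The aggregate, pre-filter and correlate pipeline described above, as an added Python example that is not part of the original article: it normalises constructed log lines from several hosts, discards allowlisted and heartbeat noise before storage, then matches the remaining events against a blocklist and a known pattern (several failed logins from one source within five minutes) that only becomes visible once events from different hosts are brought together. Host names, addresses and the list contents are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events from several sources (web, VPN, DB hosts); not real data.
RAW_EVENTS = [
    "2024-05-01T10:00:01 host=web01 src=203.0.113.7 action=login result=fail",
    "2024-05-01T10:00:30 host=vpn01 src=203.0.113.7 action=login result=fail",
    "2024-05-01T10:01:05 host=web02 src=203.0.113.7 action=login result=fail",
    "2024-05-01T10:01:10 host=web01 src=198.51.100.5 action=login result=fail",
    "2024-05-01T10:01:20 host=web01 src=198.51.100.5 action=login result=fail",
    "2024-05-01T10:01:30 host=web01 src=198.51.100.5 action=login result=fail",
    "2024-05-01T10:02:00 host=db01 src=10.0.0.12 action=heartbeat result=ok",
    "2024-05-01T10:02:15 host=web01 src=192.0.2.99 action=login result=ok",
    "2024-05-01T10:30:00 host=web01 src=203.0.113.9 action=login result=fail",
    "2024-05-01T10:40:00 host=web01 src=203.0.113.9 action=login result=fail",
    "2024-05-01T10:50:00 host=web01 src=203.0.113.9 action=login result=fail",
]
ALLOWLIST = {"198.51.100.5"}  # hypothetical: an authorised internal scanner
BLOCKLIST = {"192.0.2.99"}    # hypothetical: a source already known to be hostile

def parse(line):
    """Log management: normalise one key=value log line into an event dict."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def prefilter(events):
    """Drop noise before it reaches the master database: allowlisted sources and heartbeats."""
    return [e for e in events if e["src"] not in ALLOWLIST and e["action"] != "heartbeat"]

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Event correlation: match aggregated events against a blocklist and a known pattern."""
    alerts = [("blocklisted_source", e["src"], e["host"]) for e in events if e["src"] in BLOCKLIST]
    recent = defaultdict(list)  # src -> [(ts, host), ...] failed logins inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] != "login" or e["result"] != "fail":
            continue
        hits = recent[e["src"]]
        hits.append((e["ts"], e["host"]))
        while e["ts"] - hits[0][0] > window:  # slide the window forward
            hits.pop(0)
        if len(hits) == threshold:  # fires once, when the burst is first seen
            hosts = tuple(sorted({h for _, h in hits}))
            alerts.append(("failed_login_burst", e["src"], hosts))
    return alerts

def run_pipeline(lines=RAW_EVENTS):
    """Aggregate -> pre-filter -> correlate, the order the article describes."""
    return correlate(prefilter([parse(l) for l in lines]))
```

The scanner's three failures are removed by the pre-filter and never reach correlation, while the slow attempts from 203.0.113.9 fall outside the window and stay below the threshold.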
Admins must also regularly evaluate SIEM system capabilities. If an old suite still relies on occasional pattern recognition signature updates, does not manage hybrid environments well, does not support data aggregation well or purely focuses on one type of security, then those SIEM tools need an upgrade.
Vendors such as LogRhythm, AlienVault and Splunk are upgrading their offerings to use cloud-based frameworks and are implementing artificial intelligence capabilities as a way to lower costs, accelerate implementation time and draw on available data beyond logs.
If admins already use a fully capable system, they must make sure their SIEM software does not block updates or access to cloud services; these services and updates are essential to protecting the data center.