It is 3:00 am and you get a call from your service provider that monitors your network for cybersecurity attacks. These are the calls you dread. The analyst tells you they are seeing a real-time MS-SQL injection attack. The attack is coming from a source in China to one of your servers. Your pulse quickens as you think through the scenario. “Which server?” you ask the analyst and they answer, “The name of the server is ‘Linux-Atlanta-Main.’” You then tell the analyst that the server doesn’t even have Microsoft, let alone MS SQL and you hang up. Unfortunately, this scenario happens all too often. An advanced calibrated SIEM is the solution to this issue.
In reality, most service providers are blind to the context of an attack, whether it can be successful, even what your systems are or what it may be vulnerable to. This lack of information leads to many sleepless nights for IT managers and staff at financial institutions.
SIEM with Advanced Configuration: The Solution
However, service providers can solve this problem by understanding the context of your systems and network. Rather than just ingesting the Syslog stream from your critical network devices and servers, an advanced SIEM solution can import the configuration of the device. Knowing the operating system, firmware, applications, services, etc., the SIEM can now take a more intelligent approach to the incident and alerting. Through this advanced configuration and context analysis, the SIEM can notify you when you need to take action and let you sleep when no action is required.
Just because the alert doesn’t require action now, you still need to know about it. That is why the SIEM will send you reports at whatever frequency you want with the non-critical information to manage the risk when appropriate. This fundamentally superior philosophy to SIEM is what can drive your current noise level to a near-zero false positive rate. To take advantage of this, you need the right SIEM and the right managed service partner. Few technologies offer the ability to ingest and index the configuration of monitored systems, and even fewer service providers have the expertise to tune and configure these systems to have the level of accuracy needed.
Because false positives are the enemy to all cybersecurity programs, beware of the following:
- SIEM providers that do not offer custom rule tuning.
- Providers that don’t continually tune the system to keep the noise level down.
- Solution providers that monitor very few devices or for very few incident types.
- Providers that can’t support the devices you use today.
- SIEM solutions that require you to deploy agents or replace your existing hardware stack.
- Salespeople that attempt to convince you SIEMs are easy to deploy or maintain with your existing staff.
A SIEM is an absolutely critical part of any financial institution’s cybersecurity program. Having it perform accurately is the key that only comes through expertise and context. Make sure you find the right partner.
Kevin Prince, Founder and CEO, StratoZen
Security 2020 author Kevin Prince is the founder and CEO of StratoZen, providing managed threat detection, response, and compliance solutions to organizations around the globe. With years of cybersecurity experience under his belt, Kevin is also the former CTO of Compushare (now Finastra) and Perimeter eSecurity (now BAE Systems). Before founding StratoZen, Kevin also founded Red Cliff Solutions, a financial services MSSP and served as a former trainer to FDIC, NCUA and FFIEC auditors.