How to integrate SIEM system capabilities with incident response
Date: Jun 19, 2014
In this webcast Mike Rothman, president of the firm Securosis, takes on the issue of integrating today's SIEM systems with incident response methods to help you identify advanced attacks faster, understand what damage was done and remediate that damage.
On the heels of many high-profile breaches, Rothman notes, there's been an upsurge in efforts to better respond to any sort of attack, and to be sure you have the right tools and procedures in place to contain the damage.
SIEM has been evolving for over a decade, driven by the increasing need for more data in order to respond to the evolving threats to your systems. SIEM captures data so that it's available for use in incident response, and today it's more flexible and supports more use cases than ever before. The data that SIEM systems gather is crucial if your operations team is to have the information it needs for post-attack remediation.
The nature of the attacks coming at systems today requires IT pros to take a broader view of threat management than in the past, one with a heightened focus on investigating the compromises that do take place. Rothman reviews the many ways in which SIEM now works differently to gather the information required to investigate the attacks that do occur in the enterprise.
In the closing slides, Rothman remarks on some notable recent developments. In recent years, for instance, IT budgets have gone from primarily funding prevention and detection methods to focusing on funding investigation -- a budget item that was starved for too long, in Rothman's opinion.
Another development is the change in focus away from trying to stop attacks, which is simply becoming too difficult. The focus is now on more gracefully finding and containing any damage an attack causes. In other words, today detection and investigation, not prevention, are the key arbiters of security success. Of course, IT teams still aim to prevent attacks but Rothman says it's clear now that no security system will ever be 100% successful in that effort.
In response to this reality, SIEM technology is evolving rapidly in terms of both scale and capabilities for detection and investigation use cases. The SIEM tools that work best are ones that accelerate and streamline the investigation workflows; this enhances threat intelligence capabilities, allows the creation of malware profiles and helps the IT crew search for indicators of attack in their system.