This content is part of the Security School: Improving security management with SIEM

How to integrate SIEM system capabilities with incident response

In this webcast Mike Rothman, president of the firm Securosis, takes on the issue of integrating today's SIEM systems with incident response methods to help you identify advanced attacks faster, understand what damage was done and remediate that damage.

On the heels of many high-profile breaches, Rothman notes, there's been an upsurge in efforts to better respond to any sort of attack, and to be sure you have the right tools and procedures in place to contain the damage.

SIEM has been evolving for over a decade, driven by the growing need for more data in order to respond to evolving threats to your systems. SIEM captures data so that it is available for use in incident response, and today it is more flexible and supports more use cases than ever before. The data that SIEM systems gather is crucial if your operations team is to have the information it needs for post-attack remediation.

The nature of the attacks hitting systems today requires IT pros to take a broader view of threat management than in the past, one with a heightened focus on investigating the compromises that do take place. Rothman reviews the many ways in which SIEM now works differently to gather the information required to investigate the attacks that do occur in enterprise systems.

In the closing slides, Rothman remarks on some notable recent developments. In recent years, for instance, IT budgets have gone from primarily funding prevention and detection methods to focusing on funding investigation -- a budget item that was starved for too long, in Rothman's opinion.

Another development is the change in focus away from trying to stop attacks, which is simply becoming too difficult. The focus is now on more gracefully finding and containing any damage an attack causes. In other words, today detection and investigation, not prevention, are the key arbiters of security success. Of course, IT teams still aim to prevent attacks but Rothman says it's clear now that no security system will ever be 100% successful in that effort.

In response to this reality, SIEM technology is evolving rapidly in terms of both scale and capabilities for detection and investigation use cases. The SIEM tools that work best are ones that accelerate and streamline the investigation workflows; this enhances threat intelligence capabilities, allows the creation of malware profiles and helps the IT crew search for indicators of attack in their system.
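The investigation workflow Rothman describes, searching SIEM data for indicators of attack and then pivoting to see what a flagged host did before and after the match, can be illustrated in a few lines. The following is an added example, not code from the webcast or from any SIEM product; the event schema (`ts`, `host`, `src_ip`, `dst_ip`, `sha256`, `action`), the sample events and the indicator values are all constructed for illustration.

```python
"""Added example (not from the webcast): search normalized SIEM events for
indicators of attack, then build a per-host timeline for the analyst.
The event schema, sample events and indicator values are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events, roughly what a SIEM normalizes from firewall,
# proxy and endpoint logs. Addresses come from documentation ranges.
EVENTS = [
    {"ts": "2020-01-01T10:01:00", "host": "ws-17", "src_ip": "10.0.5.17",
     "dst_ip": "203.0.113.44", "sha256": None, "action": "allow"},
    {"ts": "2020-01-01T10:03:30", "host": "ws-17", "src_ip": "10.0.5.17",
     "dst_ip": "198.51.100.9", "sha256": "aa" * 32, "action": "exec"},
    # Same source IP as ws-17 reaching an internal server: a possible pivot.
    {"ts": "2020-01-01T10:05:00", "host": "srv-db1", "src_ip": "10.0.5.17",
     "dst_ip": "10.0.9.2", "sha256": None, "action": "allow"},
    {"ts": "2020-01-01T11:00:00", "host": "ws-22", "src_ip": "10.0.5.22",
     "dst_ip": "93.184.216.34", "sha256": None, "action": "allow"},
]

# Constructed indicator set (placeholder values, not real threat intel).
INDICATORS = {
    "ip": {"203.0.113.44"},
    "sha256": {"aa" * 32},
}


def match_indicators(event, indicators):
    """Return a list of (field, value) pairs in this event that hit an indicator."""
    hits = []
    for field in ("src_ip", "dst_ip"):
        if event.get(field) in indicators["ip"]:
            hits.append((field, event[field]))
    if event.get("sha256") in indicators["sha256"]:
        hits.append(("sha256", event["sha256"]))
    return hits


def find_compromised_hosts(events, indicators):
    """Hosts with at least one indicator hit; the starting point of an investigation."""
    return {e["host"] for e in events if match_indicators(e, indicators)}


def build_timeline(events, indicators):
    """Pivot from the flagged hosts: collect every event that names the host or
    comes from one of its source IPs, in time order, so the analyst sees what
    happened before and after the indicator match (including lateral movement)."""
    compromised = find_compromised_hosts(events, indicators)
    ip_to_host = {e["src_ip"]: e["host"] for e in events if e["host"] in compromised}
    timeline = defaultdict(list)
    for e in sorted(events, key=lambda ev: datetime.fromisoformat(ev["ts"])):
        owner = e["host"] if e["host"] in compromised else ip_to_host.get(e["src_ip"])
        if owner:
            timeline[owner].append(
                (e["ts"], e["host"], e["dst_ip"], e["action"], match_indicators(e, indicators))
            )
    return dict(timeline)


if __name__ == "__main__":
    for host, entries in build_timeline(EVENTS, INDICATORS).items():
        print(f"== {host} ==")
        for ts, seen_on, dst, action, hits in entries:
            flag = " <-- indicator hit" if hits else ""
            print(f"{ts}  {seen_on:8} -> {dst:15} {action}{flag}")
```

Run as a script it prints one timeline block per flagged host. The point the example makes is the pivot in `build_timeline`: the indicator search alone would only flag `ws-17`, but keying the timeline by that host's source IP also pulls in its later connection to `srv-db1`, which is exactly the "what damage was done" question the webcast says SIEM data has to answer.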


It's possible to improve Security Information and Event Management (SIEM) with IT Process Automation. I found an article that talks about it.