{"id":51680,"date":"2024-07-12T11:44:45","date_gmt":"2024-07-12T15:44:45","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=51680"},"modified":"2024-07-12T11:44:45","modified_gmt":"2024-07-12T15:44:45","slug":"siem-for-medium-businesses","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/siem-for-medium-businesses\/51680\/","title":{"rendered":"What SIEM is and how it protects medium-sized businesses"},"content":{"rendered":"<p>A medium-sized company is an attractive target for cybercriminals. It operates on a scale that\u2019s large enough for the company to pay a substantial ransom if its data is taken hostage. Meanwhile, its approach to information security is often an inheritance from the time when it was much smaller. Hackers can come up with a tactic to bypass the company\u2019s basic protection and compromise the network with little to no resistance. The damage done by such incidents averages <a href=\"https:\/\/www.kaspersky.com\/blog\/it-security-economics-2020-part-2\/\" target=\"_blank\" rel=\"noopener nofollow\">around $100,000<\/a>. The regulatory side of things also cannot be ignored: cybersecurity rules and regulations have been proliferating around the world, and so have the fines for non-compliance.<\/p>\n<p>Businesses are often cognizant of these threats and willing to allocate more resources to their infosec teams. How do you take your corporate security to the next level without excessive outlay? Here\u2019s a little spoiler: deploying a SIEM (Security Information and Event Management) system is key.<\/p>\n<h2>Layered protection<\/h2>\n<p>A company\u2019s long-term goal should be to build layered defenses in which different tools and controls complement one another to significantly complicate attacks on the company and limit the attackers\u2019 options. 
A company with 500 to 3000 employees is almost certain to have the basic tools and the initial protective layer: access control through authentication and authorization, endpoint protection (popularly known as \u201cantivirus\u201d), server protection including email servers, and a firewall.<\/p>\n<p>The next thing to do is supplement, rather than replace, this arsenal with more advanced cybersecurity tools, such as:<\/p>\n<ul>\n<li><strong>A system for comprehensive monitoring and correlation of security events <\/strong>from a variety of data sources (computers, servers, and applications) in real time across the entire infrastructure<\/li>\n<li><strong>Tools for obtaining enhanced information <\/strong>about possible incidents or just suspicious activity and anomalies<\/li>\n<li><strong>Incident response tools<\/strong>: from investigations in accordance with regulatory requirements, to isolation of compromised hosts and accounts, vulnerability elimination, and so on<\/li>\n<li><strong>Advanced identity management tools<\/strong>: from centralized user management and role-based access control, to a single authentication portal with MFA<\/li>\n<li><strong>Tools for improving visibility and manageability <\/strong>of IT assets, attack surface management, and patch management<\/li>\n<\/ul>\n<p>Having all of these at the same time is out of the question, so implementing these measures will need to be prioritized and broken down into phases. That said, comprehensive monitoring forms the basis for many other information security tools, and therefore, SIEM implementation should be close to the top of the list.<\/p>\n<p>This equips defenders with brand new capabilities: detecting attackers\u2019 malware-free activities, spotting both suspicious objects and suspicious behavior, and visualizing and prioritizing infrastructure events. 
Proper use of SIEM can relieve the workload on the infosec team, as it spares them the need to spend time handling isolated events, logs, and other artifacts manually.<\/p>\n<h2>What a SIEM system is and why a medium-sized company needs one<\/h2>\n<p>SIEM solutions have been used for comprehensive IT monitoring in corporate infrastructures for two decades now. These solutions are composed of a number of components that collect, store, organize, and analyze telemetry, and allow responding to incoming events. Thanks to SIEM, an infosec employee can receive most alerts in a single console, easily link different aspects of an event (such as file creation, network activity, and account login) into a single entity without having to dig through five different data sources, and respond promptly to these events. The high degree of automation saves the infosec team a great deal of time. What you used to do manually just by walking over to a coworker\u2019s computer becomes too much effort as the company grows in size.<\/p>\n<h2>Key SIEM components for medium-sized businesses<\/h2>\n<p>The architecture may differ between SIEM systems, but the key elements are always the same:<\/p>\n<p><strong>Event sources<\/strong>: these aren\u2019t part of the SIEM, but they serve as providers of information. Anything that generates logs as it runs \u2013 whether it\u2019s an operating system, EDR agent, business application, or network device \u2013 can be a source.<\/p>\n<p><strong>Collector<\/strong>: this is typically a separate service that receives logs from telemetry sources for processing in the SIEM.<\/p>\n<p><strong>Log normalizer and storage<\/strong>: these are elements of the SIEM platform core. The normalizer transforms and adapts the logs it receives from a collector to make them suitable for use, search, and analysis. 
Centralized data storage significantly simplifies detection and investigation of incidents, as well as the provision of incident information to regulators.<\/p>\n<p><strong>Event correlation<\/strong> is the heart of SIEM systems. This is the key step where disjointed events contained in different logs are correlated, merged if found to be associated with the same activity or different stages of a single activity, and prioritized. Prioritization is driven by <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/threat-intelligence?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener nofollow\">threat intelligence<\/a> available to the defenders. This is what can serve as the basis for writing a rule that won\u2019t ping the infosec team every time a PowerShell script runs, but will raise an alert if a script runs with command-line options characteristic of a targeted attack.<\/p>\n<p><strong>Dashboards and alerts<\/strong> are a purely visual but important part of the system that helps make sense of heaps of data, easily find what you\u2019re looking for, quickly drill down into an incident, and learn about issues or suspicious events in time.<\/p>\n<p>A steep price used to be a real barrier to SIEM adoption by medium-sized businesses, as the products were aimed at larger companies exclusively. 
This has now changed with the advent of new solutions that no longer target just the enterprise segment of the market, such as our <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/unified-monitoring-and-analysis-platform?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Unified Monitoring and Analysis<\/a> platform.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Medium-sized businesses increasingly find themselves on the receiving end of targeted attacks. What tools does one need when basic security proves inadequate?<\/p>\n","protected":false},"author":2706,"featured_media":51681,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[2673,2464,4228,131],"class_list":{"0":"post-51680","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-edr","10":"tag-siem","11":"tag-strategy","12":"tag-tips"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/siem-for-medium-businesses\/51680\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/siem-for-medium-businesses\/27704\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/siem-for-medium-businesses\/23019\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/siem-for-medium-businesses\/27868\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/siem-for-medium-businesses\/33846\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/siem-for-medium-businesses\/33511\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/siem\/","n
ame":"SIEM"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/51680","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=51680"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/51680\/revisions"}],"predecessor-version":[{"id":51682,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/51680\/revisions\/51682"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/51681"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=51680"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=51680"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=51680"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}