SIEM (Security Information & Event Management) software is designed to assist organisations in detecting and reporting suspicious activity within their environment. SIEM solutions aggregate data in real-time from multiple sources within an IT environment and present the information via a single dashboard. SIEM solutions are useful; however, they also have many drawbacks.
SIEM solutions can be complex
Collecting the data and organising it into anything that you can derive real meaning from is no small task. In your organisation, you will either need to have an IT department that is an expert in SIEM solutions, provide training that gets them to that level or outsource help – all of which adds cost to deployment and operations.
SIEM solutions can take a long time to deploy
When most organisations are on the lookout for a SIEM solution, it is because they have an urgent requirement to take care of – whether that be related to a compliance regulation or data security requirements. In either case, they need real answers to questions about changes taking place in their critical systems as quickly as possible. SIEM solutions, due to their complexity, may take months to integrate into the IT environment fully.
SIEM solutions are a hefty investment
In a world where all departments of an organisation, in particular, IT teams, are under pressure to cut costs, SIEM solutions can be difficult to justify. There isn’t just a hefty licensing cost of a SIEM solution, but, because nothing is functional out-of-the-box, organisations will likely have to invest a significant chunk of their budget in implementing, maintaining and using them. In many cases, organisations have found that consulting fees have even exceeded the original licensing cost of the software
SIEM solutions generate much noise
SIEM solutions collect many logs that, in the grand scheme of security and compliance requirements, are generally meaningless. In fact, because SIEM solutions produce so many raw logs in their reports, it can take hours upon hours to gain a simple understanding of who made what change, when and where. In addition to this, SIEM reports are not capable of providing simple, yet valuable information; such as before and after values.
What are the alternatives?
Thankfully, real-time event detection and reporting solutions, such as LepideAuditor, provide a sophisticated and affordable alternative to SIEM solutions. Below is a summary of how LepideAuditor can help provide you with a similar level of detail that a SIEM solution will, but in a more actionable and meaningful way:
- It can detect and respond to interactions with critical data and provide an intuitive, real-time presentation of what data is being accessed, by whom, where and when.
- It can assist you in maintaining “least privilege” access, by displaying current permissions, how those permissions are granted, and report changes in those permissions.
- The threshold alerting feature can help prevent the spread of ransomware by detecting, alerting and responding to suspicious changes. For example, if X number of the same events (like a file being deleted) occurs over a defined period of time, you can execute a custom script to shut down the system, change the firewall settings, etc.
- It can provide real-time alerts to show when user accounts are created, deleted and modified. This can help prevent privilege escalation, keep track of permission history, and ensure that user accounts are not being created without a legitimate reason.
- It can monitor and alert on changes to privileged security groups.
- It can identify inactive user accounts and automate a response, such as moving or removing the account, as well as providing notifications and reports.
- It can alert and report on privileged mailbox access, to ensure that only the authorised user is accessing the privileged mailbox account.
- It can automatically remind users to reset their password and provide notifications when they are due to expire.
- It can take regular backup snapshots to save the state of Active Directory Objects and Group Policy Objects. These snapshots can be used to restore the modified and deleted Active Directory objects (even if they are not in “tombstone”, “logically deleted” state or AD Recycle Bin.
- It regularly checks the health of Active Directory, Exchange Server and SQL Server. It can send real-time alerts on resource consumption, starting or stopping of critical services and performance counters.
How can real-time event detection and reporting solutions help small business?
Historically it was mostly larger companies that used SIEM solutions. Large companies are typically required to maintain a more complex IT environment. Naturally, they will have more staff members, which means they might be logging thousands, if not millions of events every day. As you can imagine, having to track and respond to important events on this scale manually would be a monumental task. However, these days, with the introduction of low-cost, easy to use event detection and reporting solutions such as LepideAuditor, many of the features that SIEM solutions provide, are available to small businesses. For example, it is often the case in smaller organisations where full privileges are granted to only one user. However, when using a real-time detection and reporting solution, everything is recorded, and it’s not possible for any single person to manipulate the logs for whatever reason. Additionally, it is often the case where smaller organisations don’t have enough resources to hire a security specialist. LepideAuditor can, to some extent, mitigate the need for employing such specialists, as it can respond to suspicious events automatically.
How can real-time event detection and reporting help with regulatory compliance?
Event detection and reporting solutions are particularly useful when it comes to complying with regulations such as HIPAA, PCI, FISMA, SOX and other compliances.
Take an example of GDPR. While the EU GDPR is not yet enforceable, it is still well worth a mention as it is arguably the most important regulation that has been introduced in the last 20 years. The purpose of the GDPR is to replace the out-dated Data Protection Directive and will introduce a number of significant changes, such as increased territorial scope, tougher penalties, stricter consent laws, and extended data subject rights. Organisations will be required to adopt the “Privacy by Design” methodology when developing projects, and many organisations will be required to appoint a Data Protection Officer (DPO), who will assist with all areas of data protection and privacy. Finally, in the event of a serious data breach, organisations will be legally required notify the authorities within 72 hours of the breach occurring. If an organisation is not capable of providing sufficient documentation, detailing how and why the breach occurred, what measures were taken to prevent the breach from occurring, and what measures were taken to prevent the breach from spreading, they may be subject to a fine of up to 4% of annual global turnover or €20 Million (whichever is greater). Without a sophisticated event detection and reporting solution in place, providing such documentation within the specified time-frame will be much harder.
The choice of whether to deploy a SIEM solution or a comprehensive auditing solution will really come down to your IT environment, budget and manpower. If, after reading this article, you think that SIEM solutions are too complex and costly, I urge you to check out LepideAuditor – a powerful way of auditing, monitoring and alerting on critical changes to data and systems.