SIEM (Security Information and Event Management) and Vulnerability Assessment (VA) sit at different ends of the IT security spectrum. SIEM highlights where things went wrong, whereas VA aims to proactively identify weaknesses, through a daily audit, and so prevent intrusions in the first place.
But can SIEM and VA work together? And does one make the other redundant … or are they a synergistic partnership?
SIEM. Realtime security monitoring of IT assets, with retrospective reporting.
SIEM takes a holistic view of the entire IT infrastructure. Once configured, a SIEM system can detect the difference between ‘how the network should be running’ and ‘how the network is running’. The difference between those two states can be configured to trigger an alarm.
Of course, the ability to make that comparison means that the SIEM solution has to be accurately configured in the first place, or it will either a) produce false alarms or b) fail to alarm on genuine events.
And as corporate networks evolve, the SIEM solution must always be considered a ‘work in progress’. As the normal behaviour of the network changes, the SIEM has to be constantly re-tuned to the new baseline.
SIEM is a major investment in both time and money (more about costs below). But a major appeal for corporates – especially those taking online payments and highly regulated industries where a SIEM is mandatory for compliance – is that SIEM provides visible due diligence processes. In the event of a breach, security managers can usually go back through the SIEM records and work out exactly how the breach happened.
In that respect SIEM reporting, which is largely retrospective in nature, often has more value as an investigative tool than as a realtime alarm system.
“SIEM systems are typically expensive to deploy and complex to operate and manage. While Payment Card Industry Data Security Standard (PCI DSS) compliance has traditionally driven SIEM adoption in large enterprises, concerns over advanced persistent threats (APTs) have led smaller organizations to look at the benefits a SIEM managed security service provider (MSSP) can offer.”
TechTarget. See reference link below.
Vulnerability Assessment. Daily proactive checks to identify IT security weaknesses.
If SIEM is the National Security Agency equivalent of IT security – with a vast infrastructure of listening posts all over the world monitoring events – then Vulnerability Assessments are more like the smart special agent who can prevent problems from happening in the first place.
Based on a list of security threats which is updated daily, the vulnerability audit scans the network servers for software and configuration flaws (encompassing aspects like missing patches, misconfigurations, access and password policies, malware, etc.) that could give hackers access to the network.
For many network security managers with SIEM installations, a vulnerability audit is the smart way to stop intrusions before they ever have to trigger the might of their SIEM investment.
With SIEM, once alarm bells start ringing it is a very loud and disruptive event. But a daily vulnerability audit can shut the door to unauthorized intrusions before they even happen.
For example, some online hacking courses have tens of thousands of ‘students’ who might decide to test their skills on your network. You don’t want a major SIEM alert to be triggered by a kid in downtown Moscow who happened to discover that one of your software configurations was out of date.
SIEM and Vulnerability Audits. The difference in cost.
Not only are SIEM and vulnerability assessments at opposite ends of the time spectrum (the former being retrospective, the latter being preventative), they also have very different costs.
The typical SIEM installation will cost in excess of $100,000. Plus there is a significant manpower cost in configuring SIEM so it is tuned into the normal functioning of your IT infrastructure.
In the case of the Elastic Detector daily vulnerability audit from SecludIT, the cost is a flat $10 to $15 per server, per month. Configuration is largely automated and typically takes one person less than an hour from start to finish. Thereafter the software is hands free.
Using Vulnerability Audits to complement SIEM installations.
So, should companies who have invested in SIEM also consider having a daily vulnerability audit?
We believe the answer is yes. The two approaches are in fact complementary.
One of the benefits of a daily vulnerability assessment is that, for a modest cost, it can prevent the resource-heavy SIEM system from raising frequent false alarms, or raising true alarms only when it is already too late. Moreover, the vulnerability assessment results can feed the SIEM with valuable context about which hosts and services are actually exposed.
And for companies who are about to install SIEM, a vulnerability assessment is doubly important. This is because you have to configure SIEM to recognize the network in its ‘normal state’ … and that state should not be one which is full of security holes.
So a daily vulnerability audit can help to keep the ‘big beast’ of SIEM in harmony with the network.
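The correlation described above, as an added example that is not part of this article and not SecludIT's or any SIEM vendor's code: the latest audit findings are used as context for incoming SIEM alerts, so an alert that matches an open finding is escalated and an alert on a host the audit marked clean is de-prioritised. All host names, rule names and finding ids are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:          # one line of a daily vulnerability-audit report
    host: str
    service: str        # service the flaw lives in, e.g. "ssh", "http"
    finding_id: str     # audit's own identifier (constructed placeholder)
    severity: int       # 1 (low) .. 5 (critical)


@dataclass(frozen=True)
class Alert:            # one SIEM alert as it leaves the correlation engine
    host: str
    service: str
    rule: str


# Constructed sample data: yesterday's audit found three open issues.
AUDIT = [
    Finding("web-01", "http", "VA-0001", 5),   # unpatched web server
    Finding("web-01", "ssh", "VA-0002", 2),    # weak cipher configuration
    Finding("db-01", "ssh", "VA-0003", 3),
]


def open_findings(audit):
    """Index audit results by (host, service) for constant-time lookups."""
    index = {}
    for f in audit:
        index.setdefault((f.host, f.service), []).append(f)
    return index


def triage(alert, audit):
    """Return (priority, reason) for one SIEM alert given the audit context."""
    index = open_findings(audit)
    matches = index.get((alert.host, alert.service), [])
    if matches:
        worst = max(matches, key=lambda f: f.severity)
        return ("P1" if worst.severity >= 4 else "P2",
                f"open finding {worst.finding_id} in {alert.service}")
    if any(host == alert.host for host, _ in index):
        return ("P3", "host has open findings in other services")
    return ("P4", "host audited clean; likely noise or baseline drift")


def triage_all(alerts, audit):
    """Triage a batch of alerts; returns a list of (rule, priority) pairs."""
    return [(a.rule, triage(a, audit)[0]) for a in alerts]
```

The same index can be exported the other way round, as asset-context records the SIEM loads before tuning its baseline.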
If you’ll allow us to briefly promote our own vulnerability assessment software, the highlights of Elastic Detector are:
– It examines clones of servers, so network performance is not degraded.
– The checklist of security threats is updated on a daily basis, with prioritized reporting (typically more than 100 new threats added per week).
– SecludIT provides remediation sheets and fix tips, so even non-security specialists can implement fixes.
Reference used in this article on SIEM and vulnerability assessments.
TechTarget, SIEM definition.