Welcome to the new era of coronavirus SIEM. As this pandemic continues to wreak havoc across the world, businesses face a problem unlike any faced before; namely, how to maintain a consistent layer of security information and event management over a completely remote workforce.
The coronavirus outbreak requires both a different mindset and a new set of cybersecurity tools. As the editors of Solutions Review, we dedicate our energy and expertise to helping enterprises make sense of their cybersecurity needs.
Therefore, we present our Coronavirus SIEM Survival Guide. We don’t know how long this crisis might persist, but we can help you fortify your digital perimeter in the meantime.
The Coronavirus SIEM Survival Guide
Visibility Matters More Than Ever Before
As stated above, the coronavirus drives enterprise workforces apart. Employees have little choice but to work from home, which expands your IT environment to include home networks, personal devices, and new remote-access paths. While this proves necessary to flatten the curve of coronavirus infections, it complicates businesses’ cybersecurity. Visibility is the life-blood of modern cybersecurity; you can’t possibly protect what you can’t see.
Moreover, hackers take advantage of every unmonitored spot in your network. In the time of on-premises work, hackers would target notorious weak spots such as the Internet of Things (IoT). Now, hackers have their pick of unsecured home devices and risky online habits from which to initiate their attacks.
Next-generation SIEM solutions help alleviate this problem by increasing visibility across the entire network. While your enterprise shouldn’t try to deploy a new SIEM solution across the entire IT infrastructure at once (this leads to information overload and can lead to serious burnout), you can extend its coverage as the remote environment grows. SIEM can gather security event information from your most sensitive databases regardless of where they are hosted, which makes it far less likely that a potentially devastating cyber attack goes unnoticed and unmitigated.
Coronavirus SIEM Includes Contextualized Alerts
Legacy SIEM and next-generation SIEM alike provide security alerts when they detect a threat. These alerts direct your IT security team’s investigations, thus speeding their incident response and remediation efforts.
However, a common legacy SIEM challenge involves the number of alerts security teams receive each day; depending on the size of the IT environment, alerts could number in the hundreds or thousands. This can overwhelm even the most dedicated security team and bury legitimate incidents in false positives.
The problem often lies with the system’s inability to distinguish a benign deviation from baseline behavior (an employee logging in from a different device) from a genuine security incident (60 failed login attempts for that employee from a device in a completely different country). Sometimes this results from security teams failing to tune their alert thresholds and baselines. At other times, it comes from legacy systems not recognizing nuanced behaviors.
Thankfully, next-generation SIEM solutions can help investigators sort through the alerts and pare back their numbers. They do this through contextualization; this capability outlines the circumstances of the alert (who did what, from where, when, and why it arouses suspicion) so team members can determine whether it merits a closer investigation.
Coronavirus SIEM must focus on reducing false positives as far as possible. As a side note, your security team should re-tune its alert thresholds and baselines (expected devices, locations, and working hours) to accommodate the new reality of work-from-home, so that ordinary remote logins do not flood the queue.
Get as Much Intelligence as You Can
The new reality of work from home also means that hackers are adapting their attacks to fit the new normal. They will not pause their attacks while the virus runs its course. Instead, they will restructure their malware and identity-based attacks to take advantage of the decentralized landscape.
Thus, your enterprise needs the latest information on threats. A next-generation SIEM solution can connect your IT security team with multiple threat intelligence feeds. These can help your team recognize known attacker infrastructure and malware as soon as they appear in your logs. Responding to threats quickly and completely matters more now, with so few direct eyes on your premises.
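As an added example, not code from this page or from any SIEM product, the following Python script sketches the two capabilities discussed above: a contextualized alert rule that separates a benign baseline deviation (a known user on a new device from a usual country) from a likely incident (dozens of failed logins from a device and country never seen for that user), and enrichment of each alert with a threat-intelligence lookup on the source IP. The events, the per-user baseline, the threat feed, and the field names are all constructed for the example, and the thresholds (20 failures within five minutes) are assumptions a real deployment would tune.

```python
"""Added example: contextualized login alerts with threat-intel enrichment.
Constructed data and assumed field names; not a vendor's SIEM rule."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


def _make_events():
    """Constructed authentication events in a SIEM-style normalised form."""
    base = datetime(2020, 4, 1, 9, 0, 0)
    events = []
    # alice: one successful login from a device she has not used before, usual country
    events.append(dict(ts=base, user="alice", device="alice-phone", country="US",
                       src_ip="198.51.100.7", result="success"))
    # bob: 60 rapid failures from an unfamiliar device and country, IP on the threat feed
    for i in range(60):
        events.append(dict(ts=base + timedelta(seconds=5 + 5 * i), user="bob",
                           device="unknown-host", country="RU",
                           src_ip="203.0.113.45", result="failure"))
    # carol: three typos then a success from her usual laptop; should not alert
    for i in range(3):
        events.append(dict(ts=base + timedelta(minutes=2, seconds=10 * i), user="carol",
                           device="carol-laptop", country="US",
                           src_ip="198.51.100.9", result="failure"))
    events.append(dict(ts=base + timedelta(minutes=2, seconds=40), user="carol",
                       device="carol-laptop", country="US",
                       src_ip="198.51.100.9", result="success"))
    return events


SAMPLE_EVENTS = _make_events()

# Constructed per-user baseline: devices and countries seen before the pandemic.
BASELINE = {
    "alice": {"devices": {"alice-laptop"}, "countries": {"US"}},
    "bob": {"devices": {"bob-laptop"}, "countries": {"US"}},
    "carol": {"devices": {"carol-laptop"}, "countries": {"US"}},
}

# Constructed threat-intelligence feed: indicator -> description.
THREAT_FEED = {"203.0.113.45": "credential-stuffing infrastructure"}


@dataclass
class Alert:
    ts: datetime
    user: str
    severity: str   # "low" for a baseline deviation, "high" for a likely incident
    reason: str
    context: dict   # who / what / from where / when / why, for the analyst


def with_device(baseline, user, device):
    """Return a copy of the baseline with one more known device for a user
    (the kind of re-tuning the text recommends for work from home)."""
    updated = {u: {"devices": set(p["devices"]), "countries": set(p["countries"])}
               for u, p in baseline.items()}
    updated.setdefault(user, {"devices": set(), "countries": set()})
    updated[user]["devices"].add(device)
    return updated


def evaluate(events, baseline, feed, window=timedelta(minutes=5), fail_threshold=20):
    """Turn raw auth events into a short list of contextualised alerts."""
    alerts = []
    failures = defaultdict(deque)   # (user, device) -> timestamps of recent failures
    already_alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        profile = baseline.get(ev["user"], {"devices": set(), "countries": set()})
        new_device = ev["device"] not in profile["devices"]
        new_country = ev["country"] not in profile["countries"]
        intel = feed.get(ev["src_ip"])          # enrichment from the threat feed
        ctx = dict(device=ev["device"], country=ev["country"], src_ip=ev["src_ip"],
                   new_device=new_device, new_country=new_country, threat_intel=intel)
        key = (ev["user"], ev["device"])
        if ev["result"] == "failure":
            q = failures[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # sliding window of failures
                q.popleft()
            if len(q) >= fail_threshold and key not in already_alerted:
                already_alerted.add(key)
                reason = f"{len(q)} failed logins within {window}"
                if new_country:
                    reason += " from a country never seen for this user"
                if intel:
                    reason += f"; source IP on threat feed ({intel})"
                alerts.append(Alert(ev["ts"], ev["user"], "high", reason, ctx))
        elif ev["result"] == "success":
            if new_country or intel:
                alerts.append(Alert(ev["ts"], ev["user"], "high",
                                    "successful login from unfamiliar country or flagged IP", ctx))
            elif new_device:
                # single deviation from baseline: worth a note, not an incident
                alerts.append(Alert(ev["ts"], ev["user"], "low",
                                    "successful login from a device not in the user's baseline", ctx))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS, BASELINE, THREAT_FEED):
        print(a.ts.time(), a.user, a.severity, a.reason, a.context)
```

Run as-is, the script yields two alerts: a low-severity note for alice’s new phone and a high-severity alert for bob, whose context records both the unfamiliar country and the threat-feed hit; carol’s three typos and successful login produce nothing. Adding alice-phone to her baseline with with_device silences the first alert without touching the second, which is the effect the re-tuning advice above is after.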
How to Learn More
Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.