SIEM

What is a SIEM?

There are several ways to keep the processing of IT data secure and simple.

One possible measure is security information and event management. The term combines SIM (security information management), which collects IT-related information, with SEM (security event management), which collects IT-related events.

This central collection point is intended to provide a holistic overview of the IT security infrastructure and to simplify vulnerability analysis.

Sources of information (SIM):

Sources of information include firewalls, servers, routers, IDS/IPS and applications. Log files and records are collected from these sources so that they can then be correlated, broken down in fine detail and evaluated. Added to these are reports from external sources, status reports from devices and notifications of physical anomalies, such as a fan failure in the server room. This logging runs 24/7 in the background.

Events in SEM:

Related events should be visualised in order to improve risk reporting. This is intended to ensure that the collected log files are traceable and can be examined retrospectively should an unusual incident occur.

To this end, the system records from which IP addresses data was accessed at which times, and which protocols or web services are running. SIM and SEM together, as a SIEM, offer a management solution tailored to the requirements and needs of the company.

Application of the SIEM:

Unusual patterns and dangerous trends become visible in the SIEM and can be actively eliminated. Failed login attempts are one example. Because the log files are collected and then correlated and evaluated, the SIEM can be used to determine whether an employee has merely entered their password incorrectly five times, or whether there are actually hundreds of requests per second and a brute-force attack may be under way. Breaking these log files down in finer detail also makes it possible to exclude false positives. Potentially affected devices can be isolated and quarantined from the network directly, so that in the event of a malware infection it cannot spread further.
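The correlation described above, as an added example written for this page (not code from ProSec or from any SIEM product): the script groups login results per source IP and separates a single employee mistyping a password from a source hitting many accounts at machine speed. The log format, the sample lines and the thresholds are all constructed assumptions; a real deployment would tune the thresholds to its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical thresholds: "hundreds of requests per second" versus a handful of typos.
BRUTE_FORCE_PER_SECOND = 100
TYPO_WINDOW = timedelta(minutes=10)

def parse(line):
    """Constructed log format: '<ISO timestamp> <source IP> <user> <FAIL|OK>'."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def classify(lines):
    """Correlate login results per source IP and return a verdict for each IP."""
    events = defaultdict(list)  # ip -> [(timestamp, user, result), ...]
    for line in lines:
        if line.strip():
            ts, ip, user, result = parse(line)
            events[ip].append((ts, user, result))
    verdicts = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [ts for ts, _, r in evs if r == "FAIL"]
        users = {u for _, u, r in evs if r == "FAIL"}
        # Peak number of failures inside any sliding one-second window.
        peak, start = 0, 0
        for end in range(len(fails)):
            while fails[end] - fails[start] >= timedelta(seconds=1):
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= BRUTE_FORCE_PER_SECOND:
            verdicts[ip] = "brute_force"  # many accounts hit at machine speed
        elif (fails and len(users) == 1 and evs[-1][2] == "OK"
              and fails[-1] - fails[0] <= TYPO_WINDOW):
            verdicts[ip] = "user_typo"  # one person, a few failures, then success
        elif fails:
            verdicts[ip] = "review"  # neither pattern: leave for an analyst
        else:
            verdicts[ip] = "clean"
    return verdicts

def sample_log():
    """Constructed sample: one employee mistyping five times, one address hammering 40 accounts."""
    base = datetime(2024, 3, 1, 8, 0, 0)
    lines = [f"{(base + timedelta(seconds=10 * i)).isoformat()} 10.0.0.5 alice FAIL" for i in range(5)]
    lines.append(f"{(base + timedelta(seconds=60)).isoformat()} 10.0.0.5 alice OK")
    for i in range(300):  # 300 failures spread over about two seconds
        ts = base + timedelta(hours=1, milliseconds=7 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 user{i % 40} FAIL")
    return lines
```

Running `classify(sample_log())` yields `user_typo` for 10.0.0.5 and `brute_force` for 203.0.113.7; the `review` bucket is where an analyst would look at cases that match neither pattern.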

Structure of the SIEM:

In order to set up a SIEM, you need information and key figures collected in advance. The MITRE database, for example, can be used for this purpose to record a collection of vulnerabilities as rules and procedures and to identify potential attacks at an early stage. Based on this, improvements are made continually.

To get the most out of a SIEM, it is recommended to set up a Security Operations Center (SOC). ProSec GmbH can help you set up a SOC and advise and support you from day one. A structural analysis is carried out in advance to determine your needs and give you the best possible support. The SIEM simplifies the operation of the SOC. This combination offers a powerful and goal-oriented IT security solution.

Goals and tasks of the SIEM:

The aim of the SIEM is to reduce data overhead, save costs and allocate existing IT resources more effectively. The SIEM is also intended to ensure that reports and reviews are accessible. If necessary, these can be forwarded to management or the executive board. If the company is subject to reporting obligations (e.g. as a KRITIS operator), these reports and reviews can also be forwarded to the BSI after careful internal review.
