SIEM Essentials QuizRead More
The Payment Card Industry Data Security Standard (PCI DSS) was created to secure credit cardholder data from theft and misuse. It defines 12 security areas in which companies should enhance protection for this type of data. The requirements apply to anyone involved in credit card processing, including merchants, processors, and 3rd party service providers.
The General Data Protection Regulation (GDPR) is Europe’s new framework for protecting security and privacy for Personally Identifiable Information (PII), which came into force in May 2018. GDPR applies to any legal entity which stores, controls or processes personal data for EU citizens, and focuses on two categories: personal data, such as an IP address or username, and sensitive personal data, such as biometric or genetic data
The SIEM itself can represent a risk under GDPR, because log data might contain PII. GDPR permits retaining data for “legitimate interest” (Article 6), which may allow the retention of log files for security purposes. Consult with your legal council to understand what data you can or cannot retain in the SIEM under GDPR provisions.
HIPAA is a United States standard pertaining to organizations that transmit health information in electronic form. It applies to organizations of all sizes, from a single physician to national healthcare bodies. HIPAA’s Security Management Process standard requires organizations to perform risk analysis, risk management, have a sanction policy for data breaches, and conducts Information System Activity Reviews—a key element of the standard which ensures all the other parts are in order.
The Sarbanes-Oxley Act of 2002 (SOX) is a regulation that sets requirements for US public company boards, management and accounting firms. It was enacted as a reaction to several corporate accounting scandals, including Enron and WorldCom. Two frameworks commonly used by IT organizations to comply with SOX are COSO and COBIT.
The SOX regulation focuses on making sure that an organization informs management, and is able to demonstrate, via SOX reporting procedures:
A SIEM can be helpful in gathering this data and recording it for SOX audits.
According to insider threat statistics provided in the Verizon Data Breach Investigation Report, three of the top five causes of security breaches were related to an insider threat, and insider threats go undetected for months (in 42% of cases) or even years (38% of cases).
Insider threat detection is challenging—behavior doesn’t set off alerts in most security tools, because the threat actor appears to be a legitimate user. However, a SIEM can help discover insider threat indicators via behavioral analysis, helping security teams identify and mitigate attacks.
There is growing awareness of internal security threats, first and foremost insider threats:
Most of the capabilities in this and the following sections are made possible by next-generation SIEMs that combine User Entity Behavioral Analytics (UEBA). UEBA technology uses machine learning and behavioral profiling to establish baselines of IT users and systems, and intelligently identify anomalies, beyond the rules and statistical correlations used by traditional SIEMs.
Privileged access abuse is a complex problem stemming from gaps in access control at organizations. Users with access to IT systems are able to perform undesirable actions, because they have more access rights than they need to do their jobs. According to the Verizon 2017 Data Breach Investigation Report, privileged access abuse was the third largest cause of data breaches and the second largest cause of security incidents.
It is very common for attackers to take control of user credentials or hosts within an organizational network, and carry out attacks stealthily for months or years. According to the Ponemon 2017 Cost of Data Breaches report, the average time US companies took to detect a data breach was 206 days. So a major goal for security teams is to detect and subvert attacks quickly.
Threat hunting is the practice of actively seeking out cyber threats in an organization or network. A threat hunt can be conducted on the heels of a security incident, but also proactively, to discover new and unknown attacks or breaches. According to a 2017 study by the SANS Institute, 45% of organizations do threat hunting on an ad hoc or regular basis. Threat hunting requires broad access to security data from across the organization, which can be provided by a SIEM.
Data exfiltration happens when sensitive data is illicitly transferred outside an organization. It can happen manually, when a user transfers data over the Internet or copies it to a physical device and moves it outside the premises, or automatically, as the result of malware infecting local systems.
Many organizations are using connected devices to manage critical operations. Examples include network-connected medical equipment, industrial machinery and sensors, and power grid infrastructure. Internet of Things (IoT) devices were not designed with security in mind, and many suffer from vulnerabilities. These vulnerabilities are difficult to remediate once the devices are already deployed in the field.
Next-generation Security Information and Event Management (SIEM) solutions, built in line with Gartner’s vision of a SIEM platform integrated with advanced analytics and automation tools, can make many of these advanced use cases possible. Specifically, User Entity Behavioral Analytics (UEBA) technology makes it possible to detect insider threats, perform more sophisticated threat hunting, prevent data exfiltration and mitigate IoT threats, even when traditional security tools don’t raise a single alert.
Exabeam’s Security Intelligence Platform is an example of a next-generation SIEM that comes integrated with Advanced Analytics based on UEBA technology—enabling automated detection of insider threats and mitigation of anomalous behavior that cannot be captured by traditional correlation rules.
If you'd like to see more content like this, visit the Exabeam Information Security Blog
SIEM Essentials QuizRead More
Evaluation criteria, build vs. buy, cost considerations and complianceRead More
SIEM under the hood - the anatomy of security events and system logsRead More
User and Entity Behavioral Analytics detects threats other tools can’t seeRead More
A comprehensive guide to the modern SOC - SecOps and next-gen techRead More
From correlation rules and attack signatures to automated detection via machine learningRead More
Beyond alerting and compliance - SIEMs for insider threats, threat hunting and IoTRead More
Security Automation and Orchestration (SOAR) - the future of incident responseRead More
How SIEMs are built, how they generate insights, and how they are changingRead More
Components, best practices, and next-gen capabilitiesRead More