
No Alert, No Action - The Importance of a SIEM

Cybersecurity and medicine are surprisingly similar in how they evolved and how they operate today. Both started with a single tool, or a single doctor, expected to treat every problem. It wasn’t effective, and the simplicity caused real harm, but it was the only option available.

As time passed, both fields evolved into complex models that rely on layered approaches, with functions ranging from the general to the minutely specific and an extensive network of supporting elements operating the systems. Yet while the medical world has settled on the idea that this layered approach produces the best possible outcome, the cybersecurity world seems to have become enamored with shiny new objects reminiscent of the early, now outdated tools: the do-it-all solution.

That’s what I want to talk about in this blog: why my colleagues in cybersecurity need to realign themselves with the medical model. They need to abandon the silver-bullet solution and return to best-in-class, enterprise-grade tools supported by the reporting and alerting capability of a Security Information and Event Management (SIEM) solution.

Here’s why:

Over time, we learned that the human body and a robust enterprise alike have more problems than any one generalist can solve. With so many systems and entry points to monitor and treat, we needed specialists to handle the specific problems.

Both require a layered approach with countless components we hope we never need, but that doesn’t remove their necessity.

Unfortunately, things go wrong – bones are broken, and hackers try to hack.

When things go wrong, patients want access to the best specialists, from cardiologists to orthopedic surgeons. Depending on the situation, these specialists work concurrently in their domains to solve complex problems.

Good cybersecurity requires the same layered approach, especially for federal government agencies. Deploying diverse security measures across an organization’s infrastructure, including firewalls, antivirus software, intrusion detection systems, and data loss prevention (DLP) tools, provides redundancy and resilience: when one control misses, another still has a chance to catch the problem.

However, we’ve only talked about the specialists. The body and the enterprise must be constantly monitored for signs of danger that need further investigation.

In the medical world, your general practitioner (GP) monitors your overall health, knows you and your quirks, and decides when it is time to see a specialist. The GP can manage minor things like ordering tests and treating the flu, but their real value shows when something goes seriously wrong: they send you to the right specialist(s) and oversee your entire course of care.

Yet no matter how good the GP might be, specialists are still needed for their expertise. At the same time, starting with a round of appointments with specialists, each of whom may only refer you somewhere else, is inefficient.

In cybersecurity, the SIEM plays the GP role.

SIEMs aggregate and analyze data from the many sources within an organization’s IT infrastructure and direct analysts to the specialized tools needed to address each alert. They identify known cyber threats through predefined rules and signatures: malware signatures, known attack methods, and indicators of compromise such as the addresses and file hashes published in threat feeds. Because these detections are well defined, they are where automation pays off first; the organization can simplify and optimize critical processes throughout the security lifecycle by letting the SIEM enrich and triage the alerts it has seen before while analysts handle what it has not. Machine learning (modest, practical AI rather than anything exotic) extends detection beyond fixed signatures by flagging anomalies and unusual patterns, and automated incident triage streamlines response. One caveat a practitioner will recognize: a SIEM is only as good as the sources feeding it. A log that is never collected produces no alert, and an alert no one acts on is no better.

This streamlined approach shrinks the exposure window, minimizes manual intervention, and ensures a rapid and consistent response to known threats. Instead of the security team constantly watching a multitude of consoles, the SIEM centralizes the monitoring and frees the team to focus on the unknown threats, where their time is needed most.
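As an added illustration (not code from the original post, and not any product’s implementation), here is a toy version of the loop the two paragraphs above describe: collect logs in their native formats, normalize them into one schema, apply a signature-style indicator match and a correlation rule, and route each alert to the specialist tool an analyst should pivot into. The log lines, the indicator list, the thresholds and the "route to" tool names are all constructed assumptions. A real SIEM does the same work at scale with a normalization layer and a rule language, but the shape of the logic is the same.

```python
"""Toy SIEM pipeline: normalize -> match indicators -> correlate -> route.

Added example, not code from the original post. All sample data below is
constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events from two sources, each in its native format.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51122 ssh2",
    "2024-03-01T10:00:06Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51124 ssh2",
    "2024-03-01T10:00:12Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51125 ssh2",
    "2024-03-01T10:00:19Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51127 ssh2",
    "2024-03-01T10:00:25Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51129 ssh2",
    "2024-03-01T10:00:31Z sshd[1201]: Accepted password for admin from 203.0.113.7 port 51130 ssh2",
    "2024-03-01T10:00:40Z sshd[1201]: Failed password for jdoe from 10.0.0.9 port 40001 ssh2",
    "2024-03-01T10:00:45Z sshd[1201]: Accepted password for jdoe from 10.0.0.9 port 40002 ssh2",
    "2024-03-01T10:01:00Z fw: action=ALLOW src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2024-03-01T10:01:05Z fw: action=ALLOW src=10.0.0.9 dst=192.0.2.77 dport=443",
]

# Constructed indicator-of-compromise list (a stand-in for a threat feed).
IOC_IPS = {"198.51.100.23"}

# Assumed rule parameters; real deployments tune these per environment.
FAILED_LOGIN_THRESHOLD = 5
WINDOW = timedelta(minutes=5)

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)"
)
FW_RE = re.compile(r"^(?P<ts>\S+) fw: action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)")


@dataclass
class Event:
    """Common schema every source is mapped onto before any rule runs."""
    ts: datetime
    source: str            # "auth" or "firewall"
    action: str            # "login_failed", "login_ok", "conn_allow", ...
    src_ip: str
    dst_ip: str | None = None
    user: str | None = None


@dataclass
class Alert:
    rule: str
    src_ip: str
    route_to: str          # the specialist tool an analyst should pivot into
    detail: str


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(line: str) -> Event | None:
    """Map a raw log line onto the common schema; unknown formats are dropped."""
    m = SSHD_RE.match(line)
    if m:
        action = "login_failed" if m["result"] == "Failed" else "login_ok"
        return Event(_parse_ts(m["ts"]), "auth", action, m["ip"], user=m["user"])
    m = FW_RE.match(line)
    if m:
        return Event(_parse_ts(m["ts"]), "firewall", "conn_" + m["action"].lower(),
                     m["src"], dst_ip=m["dst"])
    return None


def ioc_rule(events: list[Event]) -> list[Alert]:
    """Signature-style rule: any connection whose destination is a known indicator."""
    return [Alert("ioc_destination", e.src_ip, "firewall / EDR", f"{e.src_ip} -> {e.dst_ip}")
            for e in events if e.dst_ip in IOC_IPS]


def brute_force_rule(events: list[Event]) -> list[Alert]:
    """Correlation rule: >= threshold failed logins, then a success, same source, inside WINDOW."""
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.source == "auth":
            by_ip[e.src_ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if e.action != "login_ok":
                continue
            fails = [f for f in evs[:i] if f.action == "login_failed" and e.ts - f.ts <= WINDOW]
            if len(fails) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(Alert("brute_force_success", ip, "identity / EDR",
                                    f"{len(fails)} failures then success for user {e.user}"))
                break  # one alert per source IP is enough for triage
    return alerts


def run(lines: list[str]) -> list[Alert]:
    """Aggregate, normalize and run every rule; returns routed alerts for the analyst."""
    events = [e for e in map(normalize, lines) if e is not None]
    return ioc_rule(events) + brute_force_rule(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

Note what the single benign mistyped password from 10.0.0.9 does: it is normalized and stored like everything else but never becomes an alert, because the correlation rule needs the pattern, not the event. That is the difference between a log viewer and a SIEM, and it is also why the caveat above matters: if the sshd lines were never shipped to the collector, the brute force would be invisible no matter how good the rule is.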

Again, the medical world aligns: the GP watches for signs that might require a specialist’s attention. If specialists had to watch constantly for signs of heart or neurological trouble, they would have no time to research new treatment protocols or perform life-saving procedures. Don’t ask the brain surgeon to take out a splinter.

As I mentioned in my opening, despite the successful, well-developed model, replacing a whole portfolio of tools can be tempting as new do-it-all cybersecurity solutions hit the market.

However, while the new tools may offer one dashboard that acts like a SIEM, they cannot give a large enterprise the level of protection that best-in-class solutions designed for specific tasks can, with the SIEM as the master control center, any more than the most well-certified or experienced general practitioner can replace highly trained specialists. To put it another way, you don’t want your general practitioner performing a triple bypass, and you don’t want an all-in-one cybersecurity tool trying to detect and remediate attacks for a multi-billion-dollar enterprise. The risks are too high, especially when they jeopardize the mission of federal government agencies.