What size of business needs a SIEM service?
9 January 2020
What size of business needs a SIEM service? I’d like to reframe the question by paraphrasing Mark Twain: it’s not the size of the business that determines the need for a SIEM, it’s the size of the risk. Ultimately, any organisation, no matter how big or small, is vulnerable to attacks and breaches from outside, whether that’s intentional targeting by criminals who have identified something of value worth taking, or script kiddies trying their luck and scanning for open ports on the Internet.
In an ideal world, all companies would be able to analyse the logs generated by their firewalls, switches and routers, and sift through the information for signs of unusual or suspicious activity on their networks. In reality, few organisations have the resources to do this, in terms of manpower or hardware.
Security information and event management, or SIEM for short, is an early warning system for possible incidents. Think of SIEM like panning for gold: this is about throwing out the rocks and picking the nuggets of information that could indicate a breach.
Any suspicious activity in the logs then gets escalated to a SOC (security operations centre), where a trained analyst spots the tell-tale signs of compromise. Their experience and training enable them to distinguish between a false positive alert, such as an employee who genuinely forgot their password and takes three goes to log in to their application, and a security incident such as a brute force attack that tries many combinations of usernames and passwords to infiltrate a system.
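As an added illustration (not code from the original post), the distinction just described expressed as detection logic over constructed sshd-style log lines: a few failures from one source followed by a successful login for the same user is treated as a forgotten password, while many failures or many different usernames from one source is escalated. The thresholds and the log format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in sshd style (not taken from the original post).
SAMPLE_LOG = """\
2020-01-09T08:01:10 sshd[1]: Failed password for alice from 10.0.0.5 port 50001
2020-01-09T08:01:25 sshd[1]: Failed password for alice from 10.0.0.5 port 50002
2020-01-09T08:01:40 sshd[1]: Failed password for alice from 10.0.0.5 port 50003
2020-01-09T08:01:55 sshd[1]: Accepted password for alice from 10.0.0.5 port 50004
2020-01-09T09:10:00 sshd[1]: Failed password for admin from 203.0.113.7 port 40001
2020-01-09T09:10:01 sshd[1]: Failed password for root from 203.0.113.7 port 40002
2020-01-09T09:10:01 sshd[1]: Failed password for test from 203.0.113.7 port 40003
2020-01-09T09:10:02 sshd[1]: Failed password for admin from 203.0.113.7 port 40004
2020-01-09T09:10:02 sshd[1]: Failed password for guest from 203.0.113.7 port 40005
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+$"
)

def classify_sources(log_text, fail_threshold=5, user_threshold=3):
    """Group login events by source IP and decide whether the activity looks
    like a benign forgotten password or a brute-force attempt (assumed thresholds)."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped rather than guessed at
        entry = stats[m["ip"]]
        if m["result"] == "Failed":
            entry["failures"] += 1
            entry["users"].add(m["user"])
        else:
            entry["success"] = True
    verdicts = {}
    for ip, entry in stats.items():
        many_failures = entry["failures"] >= fail_threshold
        many_users = len(entry["users"]) >= user_threshold
        if many_failures or many_users:
            verdict = "brute-force: escalate to SOC"
        elif entry["failures"] > 0 and entry["success"]:
            verdict = "likely forgotten password: false positive"
        else:
            verdict = "no action"
        verdicts[ip] = {"failures": entry["failures"],
                        "distinct_users": len(entry["users"]), "verdict": verdict}
    return verdicts
```

Running `classify_sources(SAMPLE_LOG)` flags 203.0.113.7 for escalation and writes off the three failures from 10.0.0.5 as a false positive.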
By having a SIEM managed by a third party provider, businesses can be secure in the knowledge that they will see attacks happening in real time, which means they can take appropriate action to stop those specific threats – whether that’s a malware infection or a financial scam.
Leaving aside the question of size, a business is better off asking how its finances, operations, or reputation would suffer as a result of a security incident. A financial organisation might only have a handful of employees, but the nature of its business gives it a higher risk profile than, for example, a small paper manufacturer.
One of the biggest costs of a security incident is the business disruption and the damage to a brand as a result of any outage or loss of service. When you’re establishing yourself as a business, you want to build up a level of trust with customers; if that gets eroded because of a security incident that could have been prevented, it’s hard to recover from that.
Security spending should always be appropriate to the risk. A company may be small, and its security investment doesn’t need to involve large sums to do the right things. Many SIEM and SOC services offer a menu or suite of services that let organisations start with some basic monitoring and then as the business risk changes and the budget allows, they can add layers on top such as vulnerability scanning, intrusion detection, or firewall management.
Good security can be a managed investment over time, but it’s essential to start with a plan based on protecting what’s most important. Otherwise, as Lewis Carroll once said: “If you don’t know where you’re going, any road will get you there.”
David McNamara, managing director, CommSec