Maybe you’re among the 22% of SMBs (Small and Medium Business) that plunged right into remote work without a cybersecurity plan. You do have a few safeguards in place, but you are realizing that it might not be enough. Whatever the reason, it is time to consider adding SIEM and SOC to your business’ cybersecurity plan.
What is SIEM and why do I need it?
Security Information Management:
Think of a log file as a digital journal of sorts. If you need to recall what you were working on last Friday afternoon, you might do a quick search in Outlook to see what emails you received or sent. Or you could check your browser history in Chrome or Edge. These are both examples of personal digital logs. Now, think about your corporate network. If you’re a small business, you might just have a few computers, a modem, and a firewall. But each of those devices keeps several distinct kinds of logs of their daily activities and network traffic. If you expand that small business network to include a server or two, Active Directory and Office 365, we have just tripled the amount of data being generated. But those log files are not helpful to your business unless you have someone, or something, reading them. That’s where SIM, or Security Information Management, comes in. Imagine we could collect all these log files and data generated by your business network into a single repository, and then analyze that data intelligently. That is the power of SIM.
Security Event Management:
While Security Information Management focuses on analyzing the aggregate of network data, Security Event Management identifies red flags and other specific indicators among the many events logged on your network, as close to real time as possible. A trained security analyst can quickly skim pages of logged data and pinpoint the few entries worth investigating more thoroughly.
So now you are thinking, “Well, aren’t you going to get a lot more helpful information if the general trends and the specific events are analyzed together?” That combination is SIEM: the SIM and SEM functions working on the same collected data.
What is a SOC and why do I need it?
SOC stands for Security Operations Center. While your SIEM system alerts you about trends and events that need attention, your SOC is the team of analysts that gives each incident the appropriate response. In extreme cases, a SOC can immediately isolate an infected workstation from the network to protect your data and systems from further harm. In most cases, the SOC identifies false positives or recommends remediation where needed.
SIEM and SOC, better together:
Here’s a concrete example of SIEM and SOC in practice. If your computer starts responding slowly in the middle of the day, you may think nothing of it. You do not know if it’s just your PC or your whole network, and frankly, you have other important business matters to attend to. But if that slowness is being caused by a spike in network traffic well above your normal baseline, the SIEM flags it immediately and the SOC investigates. If a security incident is truly taking place, your SOC takes remediating action right away and gives you the information you need to make further decisions.
Does my business really need SIEM and SOC?
Many SMB decision-makers are reluctant to add additional items to their corporate IT budget. We get that. You want to keep operations lean; you need your IT to “just work” without constantly being nickeled and dimed on extra features.
On the other hand, a recent Verizon report on data breaches found that more than a quarter (28%) of data breaches in 2020 involved small businesses. Maybe you are among the 67% of SMBs that experienced more than 4 hours of downtime last year because of a security incident, as reported in the Cisco 2020 CISO Benchmark Report. You may need to deploy SIEM and SOC on your network to keep your commitments to your customers, clients, or a government regulating agency.
The good news is that SIEM and SOC are probably much more attainable than you think. If you quickly Google for a SIEM solution, most of what you find is designed for large corporate enterprises and requires hiring a full-time on-site security engineer. But if you’re already using Office 365, Active Directory, or both, deploying a SIEM and SOC solution can be both simple and painless.
Introducing SIEM and SOC for Small Business
AIE utilizes a cloud-based SIEM solution with a managed SOC. We provide 24/7 monitoring of endpoint, network and Microsoft 365 environments as the primary sources of threat detection. This data can be integrated with Active Directory and antivirus activity and logging for additional detection and threat intelligence. Also worth noting: this SOC can proactively quarantine machines suspected of infection or compromise to contain the spread of malicious activity within the network.
AIE’s managed SOC opens tickets and takes appropriate actions when potential threats are detected. Some examples of this are:
- Network: Communication passing through firewalls to/from IP addresses known to be malicious
- Endpoint: Suspicious files and tools, new account creation or elevation of privilege, logins from IP addresses known to be malicious, brute-force login attempts
- Office 365: Sign-ins from locations the user account does not normally sign in from, new account creation or elevation of privilege
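As an added example (not AIE’s code or any product’s rule set), here is a small Python correlation script that implements the four kinds of detection listed above over a handful of constructed log records, the sort of logic a SIEM runs before a SOC analyst ever sees a ticket. The normalised event shape, the threat-intelligence list, the per-user sign-in baseline and the thresholds are all assumptions chosen for illustration; the Windows Security event IDs (4624, 4625, 4720, 4728) are the real ones. It also shows the edge case a SOC cares about most: a burst of failed logons followed by a success from the same address, which is escalated rather than merely counted.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). A SIEM collects records from the
# firewall, the Windows Security log (Active Directory) and the Office 365
# audit log, then normalises them into one shape; these dicts stand in for
# that normalised form. Event IDs are the real Windows ones: 4625 failed
# logon, 4624 successful logon, 4720 user account created, 4728 member added
# to a security-enabled global group.
EVENTS = [
    {"ts": "2021-03-01T09:00:05", "source": "firewall", "src_ip": "10.0.0.12", "dst_ip": "198.51.100.77"},
    {"ts": "2021-03-01T09:01:00", "source": "windows", "event_id": 4625, "user": "jsmith", "src_ip": "203.0.113.9"},
    {"ts": "2021-03-01T09:01:20", "source": "windows", "event_id": 4625, "user": "jsmith", "src_ip": "203.0.113.9"},
    {"ts": "2021-03-01T09:01:45", "source": "windows", "event_id": 4625, "user": "jsmith", "src_ip": "203.0.113.9"},
    {"ts": "2021-03-01T09:02:10", "source": "windows", "event_id": 4625, "user": "jsmith", "src_ip": "203.0.113.9"},
    {"ts": "2021-03-01T09:02:30", "source": "windows", "event_id": 4625, "user": "jsmith", "src_ip": "203.0.113.9"},
    {"ts": "2021-03-01T09:03:00", "source": "windows", "event_id": 4624, "user": "jsmith", "src_ip": "203.0.113.9"},
    {"ts": "2021-03-01T09:10:00", "source": "windows", "event_id": 4720, "user": "backupsvc2", "actor": "jsmith"},
    {"ts": "2021-03-01T09:11:00", "source": "windows", "event_id": 4728, "user": "backupsvc2", "group": "Domain Admins", "actor": "jsmith"},
    {"ts": "2021-03-01T09:15:00", "source": "windows", "event_id": 4625, "user": "admin", "src_ip": "10.0.0.20"},  # one typo, not brute force
    {"ts": "2021-03-01T09:20:00", "source": "o365", "user": "mjones@example.com", "country": "US", "src_ip": "192.0.2.4"},
    {"ts": "2021-03-01T09:25:00", "source": "o365", "user": "mjones@example.com", "country": "NG", "src_ip": "203.0.113.50"},
]

# Hypothetical threat-intelligence feed and per-user sign-in baseline. A real
# SIEM pulls these from a subscribed feed and from historical sign-in data.
MALICIOUS_IPS = {"198.51.100.77", "203.0.113.50"}
USUAL_COUNTRIES = {"mjones@example.com": {"US"}}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

BRUTE_FORCE_THRESHOLD = 5                  # failed logons per source IP ...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)  # ... inside this sliding window
NEW_ACCOUNT_WINDOW = timedelta(hours=1)     # creation -> privileged group


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events):
    """Run the correlation rules over a batch of events and return alerts
    as (rule_name, key) tuples, one per distinct finding."""
    events = sorted(events, key=_ts)
    alerts = []

    # Rule 1: any traffic or logon involving a known-malicious address.
    for e in events:
        for ip in (e.get("src_ip"), e.get("dst_ip")):
            if ip in MALICIOUS_IPS:
                alerts.append(("malicious_ip", ip))
                break

    # Rule 2: brute force. Count 4625 failures per source IP inside a sliding
    # window; a 4624 success from that IP while the window is "hot" means the
    # guessing worked, so it is escalated instead of just counted.
    failures = defaultdict(list)
    hot = set()
    for e in events:
        if e["source"] != "windows" or e["event_id"] not in (4624, 4625):
            continue
        ip, t = e["src_ip"], _ts(e)
        window = [f for f in failures[ip] if t - f <= BRUTE_FORCE_WINDOW]
        if e["event_id"] == 4625:
            window.append(t)
            failures[ip] = window
            if len(window) >= BRUTE_FORCE_THRESHOLD and ip not in hot:
                hot.add(ip)
                alerts.append(("brute_force", ip))
        elif ip in hot and window:
            alerts.append(("brute_force_success", f"{ip}->{e['user']}"))
            hot.discard(ip)

    # Rule 3: account created and then placed in a privileged group soon after.
    created = {}
    for e in events:
        if e["source"] != "windows":
            continue
        if e["event_id"] == 4720:
            created[e["user"]] = _ts(e)
        elif e["event_id"] == 4728 and e.get("group") in PRIVILEGED_GROUPS:
            when = created.get(e["user"])
            if when is not None and _ts(e) - when <= NEW_ACCOUNT_WINDOW:
                alerts.append(("new_admin_account", e["user"]))

    # Rule 4: Office 365 sign-in from a country the user never signs in from.
    for e in events:
        if e["source"] == "o365" and e["country"] not in USUAL_COUNTRIES.get(e["user"], set()):
            alerts.append(("unusual_location", f"{e['user']} from {e['country']}"))

    return alerts


if __name__ == "__main__":
    for rule, key in detect(EVENTS):
        print(f"{rule:22} {key}")
```

Run it directly to print the six alerts. The single failed logon from 10.0.0.20 produces nothing, which is the point of the threshold and window: in practice they are tuned against the baseline of your own network, and that tuning to keep false positives down is a large part of what a managed SOC does.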
Of course, SIEM and SOC are just two critical ingredients of your SMB’s cybersecurity protection plan. AIE offers full security services for both cloud and on-premises networks, at a fraction of the cost of large-scale corporate enterprise cybersecurity solutions.
Want to talk to a real person about your business cybersecurity needs? Give us a call for a free consultation!