SIEM, SOC and Threat Hunting

Choose the Best Preventative Security Measures

Your infrastructure creates a lot of logs. Hidden inside these logs can be evidence of wrongdoing – be it external criminals or employees planning or committing fraud.

How do you extract evidence of illegal behaviour when it’s buried and concealed within millions, if not billions of records of perfectly legitimate business activity?

How To Effectively Sift Through Buried Wrongdoing

There are a number of ways to sift through data to ascertain security exposure: Security Information and Event Management (SIEM), Security Operations Centre (SOC) and Threat Hunting are all variations of the same concept. That is, a process for collecting and storing logs and other forensic evidence, filtering out the legitimate activity and investigating only the suspicious. Knowing which one is right depends on how your evidence is generated and what your tolerance level for breaches is.

Using SIEM For Basic Security Control

A SIEM is mostly an automated log solution with out-of-the-box and customisable correlation rules. Out of the box, the rules don’t take into account your particular risks, the value of your assets or how your business processes interact with your technology. Even so, they can make some fairly good assumptions about what hacking activity looks like.

A SIEM, for example, can detect when an account has had multiple failed log-ins followed by a successful one. It can then record the user’s activity after that login, ready for a security analyst to determine whether someone simply forgot his or her password or the account was ‘brute forced’.
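The correlation rule described above, written out as an added example (this is not Content Security’s product code or any vendor’s rule syntax). The log format, the thresholds and every log line are constructed for the illustration: the rule fires when at least five failures for one account fall inside a two-minute window and are then followed by a success, and it keeps collecting that account’s activity for ten minutes afterwards so the analyst has the context the text describes.

```python
"""Added example: a minimal SIEM-style correlation rule (not vendor code).

Detects a run of failed log-ins for one account that ends in a success, then
records what that account did next so an analyst can judge "forgot password"
versus "brute forced". Log format and sample lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data).
# Format: <ISO timestamp> <user> <src_ip> <event ...>
SAMPLE_LOG = """\
2024-03-01T22:00:01 alice 10.0.0.5 LOGIN_FAIL
2024-03-01T22:00:03 alice 10.0.0.5 LOGIN_FAIL
2024-03-01T22:00:04 alice 10.0.0.5 LOGIN_FAIL
2024-03-01T22:00:05 alice 10.0.0.5 LOGIN_FAIL
2024-03-01T22:00:06 alice 10.0.0.5 LOGIN_FAIL
2024-03-01T22:00:07 alice 10.0.0.5 LOGIN_OK
2024-03-01T22:00:30 alice 10.0.0.5 EXPORT customers.csv
2024-03-01T22:01:10 alice 10.0.0.5 READ payroll.xlsx
2024-03-01T22:05:00 bob 10.0.0.9 LOGIN_FAIL
2024-03-01T22:05:40 bob 10.0.0.9 LOGIN_OK
2024-03-01T22:06:00 bob 10.0.0.9 READ timesheet.xlsx
"""

FAIL_THRESHOLD = 5                 # failures that must precede the success ...
WINDOW = timedelta(minutes=2)      # ... within this sliding window
FOLLOW_UP = timedelta(minutes=10)  # how long to record post-login activity


def parse(line):
    """Split one constructed log line into (timestamp, user, src_ip, event)."""
    ts, user, ip, event = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, ip, event


def correlate(log_text):
    """Return one alert per account whose run of failures ended in a success."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    recent_fails = defaultdict(deque)  # user -> timestamps of failures in WINDOW
    open_alerts = {}                   # user -> alert still collecting activity
    alerts = []

    for ts, user, ip, event in events:
        # Close an alert once its follow-up period has expired.
        alert = open_alerts.get(user)
        if alert is not None and ts - alert["login_at"] > FOLLOW_UP:
            del open_alerts[user]
            alert = None
        # While an alert is open, record what the account does after login.
        if alert is not None and event not in ("LOGIN_FAIL", "LOGIN_OK"):
            alert["post_login_activity"].append(event)
            continue

        if event == "LOGIN_FAIL":
            q = recent_fails[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop failures older than WINDOW
                q.popleft()
        elif event == "LOGIN_OK":
            q = recent_fails[user]
            while q and ts - q[0] > WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:      # the rule fires here
                alert = {"user": user, "src_ip": ip, "failures": len(q),
                         "login_at": ts, "post_login_activity": []}
                alerts.append(alert)
                open_alerts[user] = alert
            q.clear()                         # a success resets the counter
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"{a['user']} from {a['src_ip']}: {a['failures']} failures, then "
              f"login at {a['login_at']:%H:%M:%S}; did: {a['post_login_activity']}")
```

Run as a script, the constructed log produces a single alert for alice (five failures, then a login followed by an export and a read); bob’s single failure never reaches the threshold, which is the point of the window and count: one mistyped password is not an incident. The analyst, not the rule, still decides what the post-login export means.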

Use SOC To Maximise Security Control

A SOC goes further by providing a real-time response to events. Rather than simply logging and correlating all activity after the successful login, a SOC operator can decide on the most reasonable course of action: call the employee, lock the account, or watch the account’s activity in real time?

Use Threat Hunting to Weed Out Highly Sophisticated Attacks

Threat hunting uses the same infrastructure but takes it further again. After the SIEM has missed a relevant event, or a SOC operator has dismissed an event as benign, threat hunting looks for patterns of behaviour that may indicate a compromise. Was an admin account created from a command prompt? That’s not common. Is a computer visiting a blank website every 60 seconds? That’s more likely a remote access Trojan phoning home than a user with precise timing.
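The two hunts mentioned above, worked as an added example rather than code from the original page or from any product. Both log formats and all records are constructed: a proxy log in which one workstation contacts the same address at roughly one-minute intervals, and a handful of process-creation records, one of which adds a user and then puts it in the local Administrators group from a command prompt. The beaconing check uses the coefficient of variation of the gaps between connections, a common heuristic, with the threshold values chosen for the illustration.

```python
"""Added example: two threat-hunting checks over constructed logs.

1. Beaconing: one host contacting the same destination at near-constant
   intervals, found via the coefficient of variation of inter-request gaps.
2. Admin account created from a command prompt: a process-creation record
   whose parent is cmd.exe and whose command line adds a user or adds one to
   the local Administrators group.
Formats, thresholds and every record here are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed web-proxy log: <ISO timestamp> <host> <destination>
PROXY_LOG = """\
2024-03-01T09:00:00 ws-17 203.0.113.10
2024-03-01T09:00:03 ws-17 intranet.example
2024-03-01T09:01:00 ws-17 203.0.113.10
2024-03-01T09:01:47 ws-17 news.example
2024-03-01T09:02:00 ws-17 203.0.113.10
2024-03-01T09:03:00 ws-17 203.0.113.10
2024-03-01T09:03:59 ws-17 203.0.113.10
2024-03-01T09:05:00 ws-17 203.0.113.10
2024-03-01T09:00:10 ws-22 news.example
2024-03-01T09:04:35 ws-22 news.example
2024-03-01T09:09:02 ws-22 news.example
2024-03-01T09:40:00 ws-22 news.example
"""

MIN_CONNECTIONS = 5   # enough samples for the spacing statistic to mean anything
MAX_CV = 0.1          # stdev/mean of the gaps; human browsing is far noisier


def find_beacons(log_text):
    """Return {(host, dest): period_seconds} for streams with near-constant spacing."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, dest = line.split()
        times[(host, dest)].append(datetime.fromisoformat(ts))
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= MAX_CV:   # tight, regular spacing
            beacons[key] = round(avg)
    return beacons


# Constructed process-creation records; field names are loosely modelled on
# endpoint process-creation telemetry and are not a real product's schema.
PROCESS_EVENTS = [
    {"host": "ws-17", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1"},
    {"host": "ws-17", "parent": "cmd.exe", "image": "net.exe",
     "cmdline": "net user svc_backup P@ssw0rd! /add"},
    {"host": "ws-17", "parent": "cmd.exe", "image": "net.exe",
     "cmdline": "net localgroup administrators svc_backup /add"},
    {"host": "ws-22", "parent": "cmd.exe", "image": "net.exe",
     "cmdline": "net use Z: \\\\fileserver\\share"},
]


def find_shell_account_admin(events):
    """Return command lines that create a user or grant admin from a command prompt."""
    hits = []
    for ev in events:
        cmd = ev["cmdline"].lower().split()
        if ev["parent"].lower() != "cmd.exe" or not cmd or cmd[0] != "net":
            continue
        if "/add" in cmd and len(cmd) > 1 and (
            cmd[1] == "user"
            or (cmd[1] == "localgroup" and "administrators" in cmd)
        ):
            hits.append(ev["cmdline"])
    return hits


if __name__ == "__main__":
    for (host, dest), period in find_beacons(PROXY_LOG).items():
        print(f"{host} -> {dest} every ~{period}s: possible beacon")
    for cmdline in find_shell_account_admin(PROCESS_EVENTS):
        print(f"account change from command prompt: {cmdline}")
```

On the constructed data the beacon check flags only ws-17’s one-minute contacts with 203.0.113.10; ws-22’s four visits to a news site are too few and too irregular to count. The second check flags the two `net` commands that create and elevate the account, and ignores a `net use` drive mapping from the same shell, which is why the rule looks at the verb and the `/add` switch rather than at `net.exe` alone. In a real hunt both checks are starting points for an analyst, not verdicts.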

To book a consultation, contact us today


Choosing the right security control depends on the following:

  • A SIEM is a great way to add basic detection on top of your preventative security controls. It’s for your organisation if you are only expecting general and untargeted threats, and you’re unlikely to suffer catastrophic losses should a threat slip through. Setup costs tend to be reasonable, and ongoing operational efforts are minimal.
  • A SOC is a bigger investment if you store sensitive information. If a criminal is extracting your entire credit card database on Friday night, you will not want to wait until Monday morning to act. Running a 24 x 7 SOC can be expensive if you do it in-house. However, you can outsource these services to gain substantial economies of scale.
  • Threat hunting is for your organisation if you’re at serious risk of a targeted compromise. For example, criminals wanting to sell fake but verifiable degrees can compromise university registrars. Here the criminal is more interested in inserting falsified records than extracting information, and that type of attack requires the criminal to keep ongoing access to your systems, which is exactly the kind of persistent foothold a hunt is designed to find. Organisations that expect stealthy, persistent attacks, such as banks and governments, are also ideal users of threat hunting.

Ask an Expert For Help

The forensic review of security information, whether through a SIEM, SOC or threat hunt, provides valuable intelligence on how well your preventative security controls are coping with the contemporary threat landscape. If you feel you aren’t getting the most out of your current preventative security controls, contact Content Security to help you deliver the appropriate level of information security assurance.

Need help choosing the best preventative measures?

Contact us today

info@contentsecurity.com.au

Call us

1300 659 964

Offices

Sydney:

Level 1 Suite 1.06, 1 Epping Road, NSW 2113 

Melbourne:

Level 4 Suite 430, 838 Collins Street, VIC 3008

Brisbane:

Level 3, 231 George Street, QLD 4000
