Corporate security strategies have evolved to take into account growing needs for the automation of compliance reporting, incident detection and, above all, incident response. They increasingly rely on teams of experts, SOCs (Security Operations Centers) and dedicated tools to support their processes.
In SOCs, the day-to-day analysis tools are continually upgraded to keep pace with the changing nature of cyber threats, particularly as attack methods grow more sophisticated, as is the case with phishing. Among these tools, one stands out as central: the SIEM, or Security Information and Event Management system.
Let’s first take the time to understand how a SIEM works before focusing on how it can be used to optimally block these new phishing attacks.
The value of a SIEM
A SIEM is a system for managing security information and events. At its core, it is a tool that collects all the traces (logs) of activity from the different components of the infrastructure, then sorts and stores them. This centralization of data, and in particular of data relating to security events, gives the SIEM the potential to detect attacks that would otherwise go unnoticed despite the presence of high-performance equipment such as EDR (Endpoint Detection and Response) software. An EDR can identify known security vulnerabilities (especially those published as CVEs) but unfortunately has no global view of an attack.
Some SIEMs can even claim to block new attacks while they are still in progress, since correlating information from every application, every user behaviour and every access to internal or even external data brings anomalies to light.
Although SIEMs have existed for many years, the first ones only targeted large enterprises with substantial resources and large teams of analysts (SOC). However, the recent strengthening of SIEMs with supplementary tools such as SOAR (Security Orchestration, Automation and Response) has enabled the emergence of SIEMs adapted to smaller businesses.
Today SIEMs come in different forms: software to be deployed locally, physical or virtual dedicated appliances, or cloud-based services. The SOC is therefore no longer necessarily located within the company, but can be rented as an external service, for better cost control. In addition, many SIEMs can be enriched in a modular way through dedicated marketplaces, which aim to strengthen the analysis and processing of data with expert tools adapted to the specific needs of an organization. It should be remembered that a SIEM only makes sense if its design is entirely driven by the specificities of the organization. In other words, the effectiveness of a SIEM is intimately linked to the specific hierarchy of collection agents, the choice of priorities for the inspection of events and the weighting of anomalies. The work of administrators is essential to build a profile of the system and to identify abnormal operating conditions. Indeed, even the most powerful statistical correlation engine will not yield any usable results if the tool is not correctly calibrated.
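To make the two ideas above concrete, the cross-source correlation that lets a SIEM see what a single sensor cannot, and the calibration (weights, thresholds, per-user baselines) without which the correlation engine produces nothing usable, here is a deliberately small correlation engine. It is an added illustration written for this article, not code from any SIEM product: the log format, the field names, the weights and the "known source IP" baseline are all constructed assumptions, and the five sample log lines are invented (reserved `.test` domains and TEST-NET addresses). It links a suspicious delivered e-mail, a click on the embedded link and a login from an unknown address for the same user inside a short time window, then scores the combination.

```python
"""Toy SIEM correlation over constructed log lines (illustration only)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample logs from three hypothetical sources (mail gateway,
# web proxy, authentication service). The common key is the user name.
SAMPLE_LOGS = """\
2024-03-01T08:00:12Z mailgw user=alice action=delivered sender=it-support@exmple-corp.test subject="Password expiry" score=7
2024-03-01T08:03:40Z proxy user=alice action=click url=http://exmple-corp.test/login
2024-03-01T08:05:02Z auth user=alice action=login result=success src=203.0.113.45
2024-03-01T08:10:00Z auth user=bob action=login result=success src=10.0.0.7
2024-03-01T09:30:00Z mailgw user=carol action=delivered sender=newsletter@vendor.test subject="March offers" score=1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


@dataclass
class Event:
    ts: datetime
    source: str
    fields: dict = field(default_factory=dict)


def parse_line(line):
    """Normalise one raw log line into an Event; return None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, m.group("source"), fields)


# Calibration: anomaly weights chosen by the administrators (assumed values).
WEIGHTS = {
    "mailgw:suspicious_mail": 3,
    "proxy:click_link": 2,
    "auth:login_unknown_src": 4,
}

# Baseline built during system profiling: source addresses normally used by
# each user (constructed). Anything outside it is treated as an anomaly.
DEFAULT_KNOWN_SRC = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.7"}}


def classify(ev, known_src):
    """Map a normalised event to a weighted anomaly tag, or None if benign."""
    if ev.source == "mailgw" and int(ev.fields.get("score", 0)) >= 5:
        return "mailgw:suspicious_mail"
    if ev.source == "proxy" and ev.fields.get("action") == "click":
        return "proxy:click_link"
    if ev.source == "auth" and ev.fields.get("result") == "success":
        user = ev.fields.get("user")
        if ev.fields.get("src") not in known_src.get(user, set()):
            return "auth:login_unknown_src"
    return None


def correlate(raw_logs, window=timedelta(minutes=15), threshold=6, known_src=None):
    """Return {user: score} for users whose anomalies from at least two
    different sources fall inside `window` and sum to at least `threshold`."""
    known_src = DEFAULT_KNOWN_SRC if known_src is None else known_src
    events = [e for e in map(parse_line, raw_logs.splitlines()) if e]
    by_user = defaultdict(list)
    for ev in events:
        tag = classify(ev, known_src)
        if tag:
            by_user[ev.fields["user"]].append((ev.ts, tag))

    alerts = {}
    for user, tagged in by_user.items():
        tagged.sort()
        # Slide a window anchored on each anomaly and score what it contains.
        for i, (t0, _) in enumerate(tagged):
            in_window = {tag for ts, tag in tagged[i:] if ts - t0 <= window}
            sources = {tag.split(":")[0] for tag in in_window}
            score = sum(WEIGHTS[t] for t in in_window)
            if len(sources) >= 2 and score >= threshold:
                alerts[user] = max(alerts.get(user, 0), score)
    return alerts


if __name__ == "__main__":
    print(correlate(SAMPLE_LOGS))  # alice's mail + click + login line up
    print(correlate(SAMPLE_LOGS, threshold=10))  # threshold set too high: silence
```

Run on the sample, only `alice` is reported (score 9): her three events come from three different sensors, each of which would look unremarkable on its own. The two follow-up calls show the calibration point from the text: raise the threshold too far, or add the attacker's address to alice's "known" baseline, and the same data produces no alert at all.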