
Compliant SIEM for DoD & Federal Contractors

How is Sonic helping with SIEM and why is having a compliant SIEM critical to DoD and Federal contractors?

Security Information and Event Management (SIEM) solutions are designed to provide automation and visibility for security-related data across your organization. SIEM is generally pronounced “seem” or less commonly “sim.”

SIEM is key to your cybersecurity compliance and does not have to be difficult if you leverage a trusted vendor. This article will provide clarity on SIEM and answer many common questions.

If you are a DoD contractor in the Defense Industrial Base (DIB) needing to report your SPRS Score, six of the security controls worth 24 SPRS points can be satisfied by the capabilities provided by a proper SIEM solution.

When it comes to SIEM solutions, there are many options. Vendors will often market their SIEM or security monitoring product to help you get compliant with Department of Defense (DoD) and Federal requirements like DFARS 7012, NIST 800-171, and CMMC… but fail to mention that the SIEM they are trying to sell you is itself not compliant. Other vendors will offer you an unaffordable Government solution designed for large corporations and Government agencies. Peerless heard these frustrations from our customers, so we developed a highly compliant SIEM solution that solves the affordability problem for small and medium-sized DoD and Federal contractors.

What a SIEM does:

  • Aggregation.  Combines security and activity logs from data sources across your organization. This includes logs from cloud services, servers, network devices (firewalls, VPNs, intrusion detection), and endpoint devices (laptops, desktops, mobile phones).
  • Normalization.  Processes and stores data from numerous data sources in a standardized format that enables analysis and investigation.
  • Correlation.  Connects the dots on activity across your organization, so it can be analyzed for suspicious behavior. This is often enough to trace the entire path of an attack.
  • Analysis.  Automatically identifies suspicious activity based on a pre-defined ruleset, statistical analysis, historical behavior analysis, and/or artificial intelligence / machine learning (AI/ML) models.
  • Alerting.  Notifies personnel based on the severity of suspicious activity or confidence threshold.
  • Reporting, Log Retention, and Investigation.  Provides dashboards, reports, and tools to provide a human analyst with enough information to determine the source of activity, the extent of activity, and whether it is a real incident or benign. Some SIEMs provide automation “playbooks” that can provide analysts with processes to follow and even automatically block suspected attacks.
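To make the capabilities above concrete, here is a small Python pipeline added as an illustration (it is not part of Peerless's product or of this article). It aggregates three constructed log feeds (sshd syslog lines, Windows logon events as JSON, a firewall deny line), normalizes them into one event schema, correlates events by source address across all three feeds, applies one analysis rule, and emits severity-ranked alerts. All hosts, users, addresses, event IDs mapped to actions, the assumed syslog year, and the rule thresholds are sample values chosen for the example.

```python
"""Minimal SIEM-style pipeline: aggregate, normalize, correlate, analyze, alert."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample logs (hypothetical hosts, users and RFC 5737 test addresses),
# one list per source to stand in for the separate feeds a SIEM aggregates.
SSH_LOG = [
    "Mar 10 08:01:02 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Mar 10 08:01:05 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 51235 ssh2",
    "Mar 10 08:03:40 web01 sshd[1300]: Accepted password for alice from 198.51.100.7 port 40100 ssh2",
]
WINDOWS_LOG = [
    '{"TimeCreated":"2024-03-10T08:02:10Z","Computer":"dc01","EventID":4625,"TargetUserName":"alice","IpAddress":"203.0.113.5"}',
    '{"TimeCreated":"2024-03-10T08:02:30Z","Computer":"dc01","EventID":4624,"TargetUserName":"alice","IpAddress":"203.0.113.5"}',
]
FIREWALL_LOG = [
    "2024-03-10T08:00:30Z fw01 DENY src=203.0.113.5 dst=10.0.0.12 dport=3389",
]
SYSLOG_YEAR = 2024  # classic syslog timestamps carry no year; assumed for the sample


@dataclass(frozen=True)
class Event:
    """Normalized schema shared by every source."""
    ts: datetime
    source: str
    host: str
    action: str            # login_failed | login_success | fw_deny
    user: Optional[str]
    src_ip: Optional[str]


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    src_ip: str
    hosts: tuple
    evidence: int          # number of correlated events behind the alert


SSH_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")
FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=\S+ dport=\d+")
WIN_ACTIONS = {4625: "login_failed", 4624: "login_success"}  # assumed mapping for the sample


def parse_ssh(line: str) -> Optional[Event]:
    m = SSH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    action = "login_failed" if m.group(3) == "Failed" else "login_success"
    return Event(ts, "sshd", m.group(2), action, m.group(4), m.group(5))


def parse_windows(line: str) -> Optional[Event]:
    rec = json.loads(line)
    action = WIN_ACTIONS.get(rec.get("EventID"))
    if action is None:
        return None
    ts = datetime.strptime(rec["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, "windows", rec["Computer"], action, rec.get("TargetUserName"), rec.get("IpAddress"))


def parse_firewall(line: str) -> Optional[Event]:
    m = FW_RE.match(line)
    if not m or m.group(3) != "DENY":
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, "firewall", m.group(2), "fw_deny", None, m.group(4))


def normalize(ssh_lines, windows_lines, firewall_lines):
    """Aggregation + normalization: every feed becomes a single time-ordered event list."""
    parsers = ((parse_ssh, ssh_lines), (parse_windows, windows_lines), (parse_firewall, firewall_lines))
    events = [e for parser, lines in parsers for e in map(parser, lines) if e is not None]
    return sorted(events, key=lambda e: e.ts)


def analyze(events, window=timedelta(minutes=10), threshold=3):
    """Correlation + analysis + alerting.

    Rule: at least `threshold` failed logins from one source IP inside `window`, on any
    host from any feed, is a brute-force attempt (medium). A successful login from the
    same IP after the last failure and inside the window raises it to high. Firewall
    denies from that IP are kept as supporting evidence."""
    by_ip = defaultdict(list)
    for e in events:
        if e.src_ip:
            by_ip[e.src_ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e.action == "login_failed"]
        if len(failures) < threshold:
            continue
        first, last_fail = failures[0].ts, failures[-1].ts
        if last_fail - first > window:
            continue
        success_after = any(e.action == "login_success" and last_fail <= e.ts <= first + window for e in evs)
        severity, rule = ("high", "credential_attack_success") if success_after else ("medium", "brute_force_attempt")
        alerts.append(Alert(severity, rule, ip, tuple(sorted({e.host for e in evs})), len(evs)))
    return alerts


def run():
    events = normalize(SSH_LOG, WINDOWS_LOG, FIREWALL_LOG)
    return events, analyze(events)


if __name__ == "__main__":
    for alert in run()[1]:
        print(alert)
```

The point of the correlation step is visible in the sample: neither the two sshd failures nor the one Windows failure would cross the threshold on its own, but grouped by source address they do, and the later Windows logon success from that same address is what lifts the alert to high. A real deployment would replace the regexes with the SIEM's own parsers and add many more rules, but the stages are the same.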

Common SIEM and Security Monitoring Terms

The industry landscape for security monitoring can be confusing due to the different types of marketing buzzwords and branding that can mean completely different things depending on the vendor.

  • MDR.  Managed Detection and Response. All capabilities can be managed, so the meaning of MDR can vary wildly from managed antivirus to managed monitoring of everything. However, it typically has very limited capabilities that do not reach the aggregation, correlation, analysis, and reporting levels of SIEM.
  • EDR.  Endpoint Detection and Response. Typically limited to monitoring only endpoints and sometimes only antivirus logs.
  • XDR.  Extended Detection and Response. Typically includes behavioral analytics and threat intelligence. The meaning of XDR can vary wildly from a solution that monitors more than EDR (not just endpoints), to one that provides fancy analytics, to one that provides actual SIEM capabilities.
  • SOAR.  Security Orchestration & Automated Response. Playbooks for automation of investigation and response activities. This is typically an add-on feature that is not required for compliance and integrates with SIEM. It can help analysts follow process and improve efficiency when responding to potential incidents.
  • UEBA.  User and Entity Behavior Analytics. Uses algorithms and/or artificial intelligence / machine learning (AI/ML) to analyze events for abnormal activity. This is typically an add-on feature that is not required for compliance and integrates with SIEM. It provides another angle that can help with detecting intrusions or violations of policy.

What SIEM Can and Cannot Do

Contrary to what many vendors market, SIEM is very limited in its ability to measure your compliance against NIST, CMMC, ISO, or any other cybersecurity frameworks. It can only see activity on your cloud, network, servers, and devices. SIEM by itself does not document your environment, conduct vulnerability scans, or confirm technical configurations. It cannot satisfy the many administrative measures (such as policy, process, and training) that are required by security controls. However, SIEM can support “continuous monitoring” of security controls, providing evidence that certain controls are implemented and violations of certain controls are detected.

Why SIEM is Important for Cybersecurity

The compliance requirements exist because DoD and Federal contractors are increasingly being targeted with cyber attacks. Some of these attacks come from nation-state sponsored groups and can be very sophisticated, difficult to defend against, and hard to detect. It is critically important to detect if an attacker has gained access to your organization and data.

Recognizing the market has not been offering SIEM solutions that are compliant and affordable, Peerless leveraged our cybersecurity and engineering expertise to design and offer our own DoD compliant solution. We developed our SIEM solution to provide world-class cybersecurity capabilities of a next generation platform while being as efficient as possible, minimizing the increased cost of compliant operations.
