Drive Better Security and Ops Effectiveness with Intelligent SIEM

20.06.23 05:50 AM - By admin

Introduction and Context:

Human nature tends to be reactive, and the traditional IT operations response mode has been to wait for something to break and then act. The adage "if it isn't broken, why fix it?", under which incidents are addressed only after they occur, has become unconventional and unwise. In today's hyper-connected services and data-sharing environments, a wait-and-see approach puts companies' proprietary data, trade secrets, personally identifiable information (PII) and intellectual property (IP) at particular risk. Traditional reactive modes are no longer sufficient, as they often lead to financial loss, investigation, reputational damage and regulatory non-compliance. The security threat landscape is evolving to include malware-free attacks (up 71% in 2022), vishing involving human actors, and other more sophisticated techniques (learn more: The State of Security 2023 (splunk.com), CrowdStrike 2023 Global Threat Report).

A boutique financial technology services (fintech) company successfully implemented a Security Information and Event Management (SIEM) solution to mitigate threats, raise customer confidence in data security and ultimately safeguard their business while enhancing operational efficiency.

Problem: 

The fintech provides a suite of white-glove, end-to-end IT infrastructure services to SMB investment management and hedge fund firms, including cloud services, investor reporting, data hosting and management, and portfolio reconciliation. The fintech sought to achieve SOC2 Type II compliance to provide assurance to customers and, at the same time, improve operational efficiency and reduce mean time to resolution (MTTR) for incidents. SOC2 Type II is a Service Organization Control (SOC) audit of how a cloud-based service provider handles sensitive information. It covers both the suitability of a company's controls and their operating effectiveness. Learn more about SOC2 Type II, including how it differs from ISO 27001, here.

To achieve an improved, proactive posture, the fintech needed a solution in which logs could be captured and correlated, and threat and operational analysis performed. This means centralized logging, including syslog and Windows event logging, for all IT infrastructure devices.

Ingenium Grex Solution:

Ingenium Grex deployed the Elastic Stack SIEM solution, chosen for its strength in log interrogation, anomaly detection, ability to ingest data streams from various on-premises and cloud infrastructure devices, reporting, and AI integration. Elastic Stack provides a comprehensive platform with an open-source foundation and an active developer community that continuously expands its capabilities. An on-premises solution was built because of the sensitivity of the financial data and the terabytes of logs produced. The on-premises build was also set up to ingest log streams from multi-cloud hosted applications, covering essentially all IT infrastructure related services. Logs are ingested from the VMware ESX private cloud infrastructure, VPN hosts, firewalls, network routers, switches and Wi-Fi controllers, and Active Directory domain controllers. Similarly, logs are also ingested from Azure and AWS cloud hosted services.

The aim is to detect threats and operational errors and proactively address potential issues that could impact the security of customer data and the end-user experience. A great deal of time was spent tuning the system to zero in on high-severity security events and on operational events that impact the end-user community. This is a time-consuming part of the implementation: with billions of events, it is important to tune so that only the log events that matter surface.

The SIEM identifies and helps resolve access management issues promptly, helps prevent brute-force attacks, and addresses password-related security threats. The goal is to reduce incidents, minimize Mean Time to Resolution (MTTR) and improve client satisfaction.

Capabilities enabled: 

  1. Threat Detection and Prevention: Real-time monitoring and analysis of security events, facilitating the detection and prevention of cyber threats. It helps identify unauthorized access attempts, malware infections, data breaches, insider threats, and more.
  2. Centralized Log Management: Consolidates logs and security event data from all infrastructure devices, providing efficient analysis, correlation, and reporting capabilities; together these enable pattern matching and the identification of weaknesses and anomalies.
  3. Compliance and Regulatory Requirements: Helps meet stringent regulatory frameworks – SOC2 Type II, PCI DSS and GDPR.
  4. Incident Response and Forensics: Quick investigation, root cause analysis, tracking of attack vectors, and gathering of evidence for remediation and potential legal proceedings.
  5. Insider Threat Detection: Detects suspicious activities by employees or privileged users, providing early warnings about potential insider threats.
  6. Operational Efficiency: With automation and advanced analytics capabilities, end-user struggles, such as repeated failed password attempts, are identified in the log data, surfaced, and the user is proactively contacted.
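As an added worked example (not the fintech's or Ingenium Grex's code, and not the Elastic detection rules they deployed), the following Python script illustrates the two logon-failure patterns discussed above: the brute-force attempts the SIEM is meant to surface and block, and the end-user password struggles of capability 6 that lead to a proactive call rather than an alert. It normalizes constructed syslog sshd lines and Windows 4625/4624 events into one schema and then applies tuned thresholds, which is the kind of tuning the article describes as the time-consuming part. The log line shapes, host names, addresses, threshold values and the 2023 year assumed for year-less syslog timestamps are all constructed assumptions; in the deployment described above the equivalent logic would live in Elastic detection rules over the ingested events.

```python
"""Triage failed logons from constructed syslog and Windows event lines.

Two outcomes are distinguished on purpose: a brute-force burst (many failures
across many accounts from one source) is a security finding, while one account
failing repeatedly and then succeeding is an operational finding that the
service desk can act on before the user opens a ticket.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning knobs (not values from the article); raising or lowering
# these is exactly the "invest time in tuning" work.
WINDOW = timedelta(minutes=5)
BRUTE_FORCE_FAILS = 5      # failures from one source inside WINDOW ...
BRUTE_FORCE_USERS = 3      # ... spread over at least this many accounts
STRUGGLING_FAILS = 3       # one account, one source, failures then a success
ASSUMED_YEAR = 2023        # classic syslog timestamps carry no year

# Constructed sample lines (hosts, addresses and users are invented).
SAMPLE_LOGS = [
    "Jun 20 05:50:01 vpn01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Jun 20 05:50:03 vpn01 sshd[2312]: Failed password for root from 203.0.113.7 port 51123 ssh2",
    "Jun 20 05:50:06 vpn01 sshd[2313]: Failed password for invalid user oracle from 203.0.113.7 port 51124 ssh2",
    "Jun 20 05:50:08 vpn01 sshd[2314]: Failed password for invalid user test from 203.0.113.7 port 51125 ssh2",
    "Jun 20 05:50:11 vpn01 sshd[2315]: Failed password for invalid user guest from 203.0.113.7 port 51126 ssh2",
    "Jun 20 05:50:40 vpn01 sshd[2316]: Failed password for root from 198.51.100.9 port 40001 ssh2",
    "Jun 20 05:51:02 vpn01 sshd[2317]: Failed password for invalid user admin from 198.51.100.9 port 40002 ssh2",
    "Jun 20 05:51:10 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=3389",
    "2023-06-20T05:52:10Z dc01 EventID=4625 TargetUserName=jdoe IpAddress=10.0.0.25 Status=0xC000006D",
    "2023-06-20T05:52:18Z dc01 EventID=4625 TargetUserName=jdoe IpAddress=10.0.0.25 Status=0xC000006D",
    "2023-06-20T05:52:27Z dc01 EventID=4625 TargetUserName=jdoe IpAddress=10.0.0.25 Status=0xC000006D",
    "2023-06-20T05:52:40Z dc01 EventID=4624 TargetUserName=jdoe IpAddress=10.0.0.25 LogonType=10",
    "2023-06-20T05:53:05Z dc01 EventID=4625 TargetUserName=asmith IpAddress=10.0.0.40 Status=0xC000006D",
    "2023-06-20T05:53:12Z dc01 EventID=4624 TargetUserName=asmith IpAddress=10.0.0.40 LogonType=10",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+)")
# Assumed flattened key=value export of Windows Security events 4625/4624.
WINEVT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ EventID=(?P<eid>4624|4625) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<src>\S+)")


def parse_line(line):
    """Normalize one line into {ts, user, src, ok}; None if it is not a logon event."""
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "user": m["user"], "src": m["src"], "ok": m["outcome"] == "Accepted"}
    m = WINEVT_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts, "user": m["user"], "src": m["src"], "ok": m["eid"] == "4624"}
    return None  # firewall drops, kernel messages, etc. are not logon events


def is_burst(fails):
    """True if the failures starting at fails[0] meet both brute-force thresholds inside WINDOW."""
    start = fails[0]["ts"]
    window = [f for f in fails if f["ts"] - start <= WINDOW]
    return len(window) >= BRUTE_FORCE_FAILS and len({f["user"] for f in window}) >= BRUTE_FORCE_USERS


def triage(lines):
    """Parse every line and return sorted (verdict, src, user) findings."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        # Security case: slide a WINDOW over the failures from this source.
        if any(is_burst(fails[i:]) for i in range(len(fails))):
            findings.append(("brute_force", src, None))
            continue
        # Operational case: one account keeps failing, then logs in successfully.
        per_user = defaultdict(list)
        for e in evs:
            per_user[e["user"]].append(e)
        for user, uevs in per_user.items():
            if sum(not e["ok"] for e in uevs) >= STRUGGLING_FAILS and uevs[-1]["ok"]:
                findings.append(("user_struggling", src, user))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))


if __name__ == "__main__":
    for verdict, src, user in triage(SAMPLE_LOGS):
        print(f"{verdict:16} src={src} user={user or '-'}")
```

Run as-is, the script reports one brute-force source (203.0.113.7) and one struggling user (jdoe from 10.0.0.25); the two failures from 198.51.100.9 and the single asmith typo fall below the thresholds and stay out of the queue, which is the noise reduction the tuning lesson is about. The two-threshold brute-force test (count and distinct accounts) is what keeps a locked-out user from being mislabelled as an attacker.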
Importantly, the solution also allows the fintech to secure and optimize the performance of future, purpose-built SaaS applications for clients. Additional human capital benefits are realized in the operations center, where junior staff can be trained to interpret events, reports and dashboards, freeing the infrastructure experts to focus on strategic priorities.

This solution empowers the fintech to manage the security and health of their environment proactively, delivering peace of mind to clients and minimizing the number of incidents.

Lessons:

1. Prioritize Compliance: Compliance requirements are a significant driver in executive decision-making about improving the company's security posture, ensuring adherence to regulatory frameworks and industry standards. This will increasingly be a baseline requirement for all companies.
2. Invest Time in Tuning: Tuning the SIEM to focus on impactful and critical log events is crucial. With a vast number of events, fine-tuning surfaces actionable data and reduces noise.
3. Align with Business Goals: Collaborate with business leaders to identify baseline requirements, what is important and what can be deprioritized, so that the available resources (including human capital) are used efficiently and aligned with the availability and performance objectives of the IT infrastructure.

Jai Ragoo is a Senior Security Architect with deep experience in proactive posture management, threat analysis, operations incident response and efficiency, and their supporting infrastructure services. He is a Senior Advisory Consultant to Ingenium Grex. He can be reached at progress@ingrex.net.