Photo Credit: everythingpossible © 123RF.com

By Joseph Alecci, CISA, CISM, CISSP, CRISC, CEH, Associate Director, IT & Cybersecurity

 

In today’s technology environment, financial institutions are consistently searching for ways to secure their network. However, many institutions do not take full advantage of monitoring tools that may enhance their security and safeguard their network. For these institutions, a Security Information and Event Management (“SIEM”) system may provide the additional protection needed.

What is a SIEM system and how does it work?

SIEM is a specific type of system that provides institutions with a real-time analysis of any suspicious activity or anomalies within a network and seeks to generate useful insights from numerous events and other types of data. In addition, a SIEM system centrally gathers, stores, and then generates and analyzes logs from the perimeter (e.g., VPN gateways, IDS devices, firewalls, etc.) to the end user. Furthermore, the system can monitor for several types of security threats in real time for early and quick attack detection, containment, and appropriate response. Logs that are generated by systems are key sources of data, which include network devices, servers, domain controllers, and other security devices. The logs and reports that are retained provide the financial institution’s IT staff with important forensic analyses. The common sources of logs that a SIEM ingests include, but are not limited to, the following:

• Web filters
• Wireless access points
• Data Loss Prevention (“DLP”) systems
• Antivirus or other endpoint security software
• VPN concentrators
• Intrusion Detection Systems (“IDS”)/Intrusion Prevention Systems (“IPS”)
• Firewalls

Once the data has been gathered, it is then reformatted so that the system can make sense of what was collected. With the use of analytics, the data is then analyzed to discover new trends and detect any threats that have been discovered. This allows institutions to pinpoint any security breaches and investigate alerts.

Why are SIEM systems important?

As the IT security field grows, becoming more complex and difficult to manage each day, financial institutions should consider utilizing SIEM systems to assist in several different areas, including the following:

• Compliance: In our current environment, almost all financial institutions are required to follow regulations such as HIPAA¹, SOX², FISMA³, PCI-DSS⁴, GLBA⁵, etc. With the assistance of SIEM systems, compliance requirements can be addressed directly and indirectly. The reporting abilities from SIEM systems provide audit support to verify whether specific requirements are being met by financial institutions.
• Forensics: If a financial institution experiences any type of security breach, the investigative process may be long and drawn out. SIEM systems store and protect previous logs and provide tools that quickly navigate and correlate the data. In addition, SIEM systems have the ability to automate the monitoring of logs, correlation, pattern recognition, alerts, and forensic investigations.
• Operations: The operations area within an institution is normally split among different groups (e.g., the Network Operations Center (“NOC”), Security Operations Center (“SOC”), server team, etc.), and each group uses its own tools to monitor and respond to events within an appropriate timeframe. This may, to some extent, make information sharing difficult as problems arise. A SIEM system has the ability to pull data from different systems into a single report, which allows for efficient collaboration in large financial institutions.

A SIEM system can help a financial institution improve its network protection as well as the monitoring process within its IT infrastructure. With dozens of vendors that provide SIEM solutions, selecting the best fit for your financial institution is of key importance and is a topic worth exploring in the future.

To learn about acxell’s Internal Audit and Risk Management Services and how we can help your institution, email WhatsYourRisk@acxellrms.com or call 877-651-1700.

 

Comments