The webinar is available on demand on our YouTube Channel.
SIEM was originally developed to give a better understanding of what was happening within an IT infrastructure, from a general, operational point of view.
The technology has changed over the years. “Next Generation SIEM” now endeavours to be relatively simple to use so you’re able to get the value out of it as quickly as possible.
SIEM itself is a very powerful big-data analytics platform, allowing you to view everything that's going on within the infrastructure. What you get out of the platform depends on where your focus is.
We're in a situation where there are lots of security threats, for which most organisations are instigating point controls, looking at various elements:
- Intrusion detection and protection
These individual products each fulfil a function, but when it comes to detecting activity within the network, or seeing whether there has been a breach, it becomes difficult if you have to go to each individual product in turn. The SIEM platform gives a central view of exactly what's going on across your security architecture.
From a compliance point of view, you're able to report on and control compliance regimes through the SIEM platform.
From an operations point of view, because the SIEM offers an overarching view of what's happening, you can see whether systems are being used effectively, eg whether they are patched to the appropriate levels. It's then potentially easier to make better decisions about further investment, as you can see what's working and what's not.
You can then start to use information to set strategy for an organisation.
Logpoint is a collection of software which can be deployed on premise, or in a virtual environment or in a cloud environment.
To maximise the platform's potential, as much of the infrastructure as possible (whether security tooling or general IT infrastructure) should send its logs to the platform. A log source is effectively any IP address that generates a log file:
- internet of things
- servers and databases
- CCTV cameras
- door access systems
- telephony systems
The power of a SIEM platform is the ability to correlate those data sources against one another. eg, if we know from the door access system when someone entered the building, we can see where they're logging on from on their endpoint, and we can also correlate against an HR database to check whether they are actually supposed to be in the office.
Being able to correlate against those data sets allows for a much better level of understanding of what’s happening.
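The door-access, endpoint-logon and HR correlation described above, written out as an added example (it is not LogPoint code). The three data sets, the office address range, the twelve-hour badge window and the HR status values are all constructed for this illustration; the point is that once the feeds share a taxonomy, the rule is a simple join.

```python
"""
Added illustration (not LogPoint code): correlating three normalised data
sets, door-access badge events, endpoint logons and an HR roster, to check
whether a user logging on from the office network actually badged in and
is recorded as present. All records below are constructed for this example.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

OFFICE_NET = ip_network('10.10.0.0/16')   # constructed office address range
BADGE_WINDOW = timedelta(hours=12)          # a badge-in counts for this long

# Constructed feeds, already mapped to a common taxonomy.
DOOR_EVENTS = [  # (user, timestamp) badge-in events from the door system
    ('alice', datetime(2023, 10, 10, 8, 2)),
]
LOGON_EVENTS = [  # (user, timestamp, source_address) from endpoint logs
    ('alice', datetime(2023, 10, 10, 8, 30), '10.10.4.21'),   # badged in: fine
    ('bob',   datetime(2023, 10, 10, 9, 15), '10.10.4.22'),   # no badge, HR says on leave
    ('carol', datetime(2023, 10, 10, 9, 40), '203.0.113.5'),  # remote, rule not applicable
    ('dave',  datetime(2023, 10, 10, 10, 5), '10.10.7.3'),    # no badge, HR says in office
]
HR_STATUS = {'alice': 'in_office', 'bob': 'on_leave',
             'carol': 'remote', 'dave': 'in_office'}


def badged_in(user, at, door_events):
    """True if the user has a badge-in within BADGE_WINDOW before the logon."""
    return any(u == user and at - BADGE_WINDOW <= t <= at
               for u, t in door_events)


def correlate(logons, door_events, hr_status):
    """Return findings as (user, severity, reason) for office-network logons
    that have no matching badge-in; HR status decides the severity."""
    findings = []
    for user, at, src in logons:
        if ip_address(src) not in OFFICE_NET:
            continue   # off-site logons are outside the scope of this rule
        if badged_in(user, at, door_events):
            continue   # physical presence corroborates the logon
        status = hr_status.get(user, 'unknown')
        if status == 'on_leave':
            findings.append((user, 'high',
                             'office-network logon with no badge-in while HR records leave'))
        else:
            findings.append((user, 'medium',
                             'office-network logon with no badge-in (HR status: %s)' % status))
    return findings


if __name__ == '__main__':
    for finding in correlate(LOGON_EVENTS, DOOR_EVENTS, HR_STATUS):
        print(finding)
```

The rule deliberately ignores logons from outside the office range: a remote worker has no badge event to match, so treating that as an anomaly would only generate noise.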
Log files are presented to the platform from numerous different sources, with different structures and languages. At this stage the log files go through a process of normalisation. Effectively what this does is translate all the log files into a common language within a common taxonomy.
This means that when searching and reporting, only one term needs to be entered in order to search across the entirety of the estate, so a common taxonomy is an absolutely key part of the platform.
At the collection stage there are other areas that give more information and an ability to understand exactly what is going on.
Log files can be enriched at this stage by subscribing to various threat feeds, to understand where the known bad sites are, where the Tor nodes are, or where potential threats from outside your organisation originate.
That information can be appended to the log files right up at the collection point, allowing for the extraction of a lot more intelligence from the log files.
It's also at this stage that routing is done, so you can decide how much or how little of the log files you want to keep, and where you want to keep them. You may decide to put all firewall logs in one area, web server logs in another, and compliance-related logs in a particular repository, giving you control over how you store and support the platform.
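The collection-stage sequence just described (normalise into a common taxonomy, enrich from a threat feed, route to a repository, then search once across everything) as an added example; this is not LogPoint's own parser or taxonomy. The two log formats, the taxonomy field names, the threat-feed entries and the routing policy are all constructed for the illustration.

```python
"""
Added illustration (not LogPoint code): a minimal collection-stage pipeline
that normalises two differently structured log formats into one common
taxonomy, enriches each event from a threat feed at collection time, and
routes it to a repository. Field names, sample log lines, the threat list
and the routing policy are all constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample logs: a firewall (key=value style) and a web server
# (Apache combined-log style). Each vendor uses its own field names.
FIREWALL_LOGS = [
    'src=10.0.0.5 dst=203.0.113.9 dport=443 action=allow user=alice',
    'src=10.0.0.7 dst=198.51.100.77 dport=22 action=deny user=bob',
    'src=10.0.0.8 dst=10.0.0.20 dport=445 action=allow user=carol',
]
WEB_LOGS = [
    '198.51.100.77 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 401 512',
    '10.0.0.5 - alice [10/Oct/2023:13:56:01 +0000] "POST /upload HTTP/1.1" 200 1024',
]

# Constructed threat feed: addresses flagged as known-bad or as Tor exit nodes.
THREAT_FEED = {
    '198.51.100.77': 'known_bad',
    '203.0.113.9': 'tor_exit',
}

FW_RE = re.compile(r'(\w+)=(\S+)')
WEB_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\w+) (\S+) [^"]+" (\d{3}) (\d+)$')


def normalise_firewall(line):
    """Map firewall key=value fields onto the common taxonomy."""
    kv = dict(FW_RE.findall(line))
    return {
        'device_type': 'firewall',
        'source_address': kv.get('src'),
        'destination_address': kv.get('dst'),
        'destination_port': int(kv['dport']) if 'dport' in kv else None,
        'user': kv.get('user'),
        'action': kv['action'],
    }


def normalise_web(line):
    """Map an Apache-style access-log line onto the same taxonomy."""
    m = WEB_RE.match(line)
    if not m:
        raise ValueError('unparsed web log line: %r' % line)
    src, user, method, path, status, _size = m.groups()
    return {
        'device_type': 'webserver',
        'source_address': src,
        'destination_address': None,
        'destination_port': None,
        'user': None if user == '-' else user,
        # One outcome vocabulary regardless of vendor: 4xx/5xx counts as deny.
        'action': 'deny' if status[0] in '45' else 'allow',
        'http_method': method, 'url_path': path, 'status_code': int(status),
    }


def enrich(event):
    """Append threat-feed context to the event at the collection point."""
    for field in ('source_address', 'destination_address'):
        tag = THREAT_FEED.get(event.get(field))
        if tag:
            event['threat_tag'] = tag
            event['threat_field'] = field
    return event


def route(event):
    """Decide which repository keeps the event (constructed routing policy)."""
    if event.get('threat_tag'):
        return 'security_alerts'      # kept separately for investigation
    return event['device_type']        # firewall / webserver repositories


def collect(firewall_lines, web_lines):
    """Run normalise -> enrich -> route; return events grouped by repository."""
    repos = defaultdict(list)
    events = ([normalise_firewall(l) for l in firewall_lines]
              + [normalise_web(l) for l in web_lines])
    for ev in events:
        repos[route(enrich(ev))].append(ev)
    return repos


def search(repos, **criteria):
    """One query across every repository using only taxonomy field names."""
    return [ev for evs in repos.values() for ev in evs
            if all(ev.get(k) == v for k, v in criteria.items())]


if __name__ == '__main__':
    repos = collect(FIREWALL_LOGS, WEB_LOGS)
    for name, evs in repos.items():
        print(name, len(evs))
    print(search(repos, action='deny'))
```

Because `search` only knows taxonomy names such as `action`, a single query for denied activity returns both the firewall deny and the web server's 401, without the analyst needing to know either vendor's native field names.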
Typically we find that organisations will store log files on fairly fast storage for a limited period - potentially up to about 30 days.
After that 30-day period, probably for compliance reasons you still need to be able to retain and maintain those log files so they can then go off into tiered storage architecture.
From a LogPoint perspective, we can mount any storage, whether that's a NAS, a SAN or even some form of cold (glacial) storage. It doesn't matter where the log files sit within that storage architecture; they're still fully indexed, and so they remain fully searchable and reportable, no matter where they are. That's a key part of managing the storage costs of retaining log files.
With clever searching and reporting, this is where you start to get the true value out of the product. As with a lot of technologies, there is a lot of development going on within SIEM technology generally.
We're seeing more and more usage of some of the advances within machine learning and AI to help provide additional value.
LOGPOINT - HOW IT WORKS
Process supporting non technical UI
As a powerful data analytics tool, it's important that you allow as many people as possible to have access to the platform for them to be able to do the sort of searching and reporting that they require.
We have a way of effectively giving a very simple front-end GUI to people to allow them to have access to the data that sits at the back.
eg an HR department will quite often put requests into IT to understand what particular individuals have been up to: what systems they have access to, what files they've accessed, and when they're logging on and off.
For the IT department to constantly respond to those kinds of requests can take up a lot of time and resource. What the SIEM platform allows you to do is effectively divest some of that power to the HR department.
Unlock business value of stored events
If we can provide teams with a really simple front end that has the complex searching and reporting already pre-programmed into it, they can just put in, say, the employee number or National Insurance number of an individual and the platform will return all the information they require in the format they require it. It allows you to divest some of that power out to individual business units.
The platform itself is fully audited. You understand exactly who has access to what. As it's permissions based, you define who has access to what, and at what level of detail.
Data privacy is key. If you are very concerned, we can set the platform up so that it obfuscates any very sensitive data within the platform. If somebody needs to see that data, they would have to put a request in to the data owner to unlock that particular record.
User and Entity Behavioral Analysis
Part of the development around machine learning is UEBA - User and Entity Behavioral Analysis. Effectively that's using machine learning and complex algorithms to understand what normal looks like within your infrastructure - effectively benchmarking normal activity.
UEBA then notices when something out of the ordinary happens, so effectively it starts to allow you to understand where the anomalies are and where potential threats are coming into your organisation.
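To make the "benchmark normal, then flag the unusual" idea concrete, here is an added toy behavioural baseline written for this page; it is not LogPoint's UEBA engine and uses plain statistics rather than machine learning. The logon history, the five-event minimum before any verdict is given, and the two-sigma hour threshold are all constructed assumptions for the illustration.

```python
"""
Added illustration (not LogPoint's UEBA engine): a toy behavioural baseline
that learns what "normal" looks like per user from past logon events and
scores new events against it. The sample history and thresholds are
constructed for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (user, logon hour 0-23, source host). In a real
# deployment this would be weeks of normalised authentication events.
HISTORY = [
    ('alice', 8, 'alice-laptop'), ('alice', 9, 'alice-laptop'),
    ('alice', 9, 'alice-laptop'), ('alice', 10, 'alice-laptop'),
    ('alice', 8, 'alice-laptop'), ('alice', 9, 'alice-laptop'),
    ('bob', 8, 'bob-desktop'), ('bob', 9, 'bob-desktop'),
    ('bob', 8, 'bob-desktop'), ('bob', 7, 'bob-desktop'),
    ('bob', 9, 'bob-desktop'), ('bob', 8, 'bob-desktop'),
    ('carol', 22, 'carol-laptop'),   # too little history to judge
]
MIN_EVENTS = 5        # below this, refuse to call anything anomalous
HOUR_SIGMAS = 2.0     # hour more than this many std devs from the mean


def build_baseline(history):
    """Per-user profile: mean/std of logon hour and the set of known hosts."""
    hours, hosts = defaultdict(list), defaultdict(set)
    for user, hour, host in history:
        hours[user].append(hour)
        hosts[user].add(host)
    return {
        user: {'n': len(hs), 'mean_hour': mean(hs),
               'std_hour': pstdev(hs), 'hosts': hosts[user]}
        for user, hs in hours.items()
    }


def score(baseline, user, hour, host):
    """Return (verdict, reasons); verdict is 'normal', 'anomalous' or 'unknown'.
    'unknown' covers users with no or too little baseline, so a thin history
    never produces a false alert."""
    prof = baseline.get(user)
    if prof is None or prof['n'] < MIN_EVENTS:
        return 'unknown', ['insufficient baseline for %s' % user]
    reasons = []
    # Floor the spread so a user who always logs on at the same hour does
    # not get a zero-width window that flags every minor variation.
    spread = max(prof['std_hour'], 0.5)
    if abs(hour - prof['mean_hour']) > HOUR_SIGMAS * spread:
        reasons.append('hour %d outside usual window (mean %.1f)'
                       % (hour, prof['mean_hour']))
    if host not in prof['hosts']:
        reasons.append('first logon from host %s' % host)
    return ('anomalous' if reasons else 'normal'), reasons


if __name__ == '__main__':
    baseline = build_baseline(HISTORY)
    for probe in [('alice', 9, 'alice-laptop'), ('alice', 3, 'alice-laptop'),
                  ('alice', 9, 'unknown-host'), ('carol', 22, 'carol-laptop')]:
        print(probe, score(baseline, *probe))
```

The 'unknown' verdict is the part worth keeping in mind for any anomaly-based approach: until a user has enough history, the platform genuinely does not know what normal looks like for them, and reporting that honestly is better than guessing.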
LogPoint is a Scandinavian organisation, founded in the mid 2000’s and focused entirely on SIEM.
UEBA is a key area of development, and support is included, not just for bug fixing but to ensure that you get exactly what you want out of the product, eg if you are trying to run a complex report or a complex search you can just raise a ticket and you will have access to world-class SIEM experts to help you develop searches and reports.
LogPoint was the only new entrant into the Gartner Magic Quadrant late last year. Having opened a number of offices in the US, LogPoint is hoping to see a move into the Leading category over the coming years.
Gartner Peer Insights is effectively TripAdvisor for SIEM: users independently rate products against various categories.
Simplify SIEM - Implementation
- Ease of Use
- Single Taxonomy
- Speed of deployment
No Data Limit - Licence
- Predictable pricing
- Fast ROI
- 24/7 support
World Class Support
- Customer first culture
- Gartner peer insights
- Only EAL3+ solution
To watch the demo and explore the LogPoint demo in more detail, please view the webinar – the demo begins after 25 minutes.