We have built our LogSentinel SIEM around some core principles and we’d like to share and explain them.
Every organization can get value from SIEM
SIEM is considered expensive and complicated and generally not fit for smaller organizations (and “smaller” can mean anything from a hundred up to two-three thousand employees). But these organizations have a lot of IT systems in place and SIEM, as a type of product, is applicable to them.
We have built LogSentinel SIEM with the clear understanding that customers won’t have a big security team. They’ll either have one or two people, or nobody dedicated to security alone – in many organizations general IT and sysadmin staff are tasked with security on the side – and in order to obtain value from a SIEM, the product must not rely on security jargon or prescribe complex processes.
Every organization can benefit from having visibility over their IT infrastructure, every organization can benefit from being alerted on malicious IPs poking around or on insiders doing suspicious things. The complex part is for the SIEM to be powerful yet simple. To give many things out of the box and not require full-time employees to manage and use it.
Alternatives, like managed SIEM or SOC-as-a-service, may seem nice, but they only shift the problem of cost and simplicity to the managed service provider. That’s why we offer, together with partners, managed SIEM and SOC-as-a-service that still allow the customer to invest in internal people who learn and grow together with us.
Every organization can get value from a SIEM, regardless of whether it is deployed on-premises, in the cloud, or as a managed service. And that value sometimes translates to millions of dollars saved thanks to the prevented security incidents.
Every security log is important
Time and time again we see SIEM and other security software only partially configured, with many log sources simply ignored. Either the product didn’t support them, or the integrator didn’t think they were important, or nobody knew how to get them working. And that’s a problem: if you only aggregate your ActiveDirectory and firewall logs but miss your Microsoft365, SAP and accounting software, you are not giving the SIEM the opportunity to provide real security monitoring.
We believe that every security log is important, so we strive to collect everything. Database audit logs, firewall syslogs, ActiveDirectory logs, Microsoft365/Google Workspace logs, AWS/GCP/Azure logs, application-specific audit logs in wildly varying formats, videoconferencing (Zoom/Teams/Webex) logs. These logs exist for a reason, but you can’t manually go and inspect them. And they matter in the bigger picture that a SIEM aggregates. And we make it simple for you to connect them, by guiding the setup process.
We also consider every security log to be an audit log, which is why we present it that way. The semantic “who did what on what, when” is applicable in 90+% of the cases. Access logs? IP x did a POST to /y at 10am. Firewall logs? IP x opened a connection to IP y. ActiveDirectory? User x authenticated at 11am. And so on. Security logs don’t exist in a vacuum – they are always triggered by someone or something – an actor. And they represent an event. This treatment of security logs allows us to provide fine-tuned behaviour analytics – because every event has an actor, whether a user or an entity.
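To make the “who did what on what, when” mapping concrete, here is a small normalizer that takes three constructed log lines (a web access log, a firewall syslog line and a flattened key=value rendering of a Windows logon event) and maps each onto one actor/action/target/time record. This is an added example, not LogSentinel’s code or parsers: the line formats, the field names, the `syslog_year` parameter and the `events_per_actor` helper are assumptions chosen for the illustration. Classic syslog timestamps carry no year, so the year is supplied by the caller.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (not real customer data). The last AD line is a
# simplified key=value rendering of a logon event; real events are EVTX/XML.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Oct/2023:10:00:00 +0000] "POST /login HTTP/1.1" 401 512',
    'Oct 10 10:05:12 fw01 kernel: DENY TCP 203.0.113.7:51234 -> 10.0.0.5:22',
    '2023-10-10T11:00:00Z EventID=4624 TargetUserName=alice IpAddress=10.0.0.42',
    'this line is not a recognised log format',
]


@dataclass(frozen=True)
class AuditEvent:
    actor: str    # who: user, IP address, service account
    action: str   # did what
    target: str   # on what
    when: str     # when: ISO 8601, normalised to UTC
    source: str   # which log family the event came from


ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
FIREWALL_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: '
    r'(?P<verdict>ALLOW|DENY) (?P<proto>TCP|UDP) '
    r'(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)'
)
AD_RE = re.compile(
    r'^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)'
)
# Windows logon event IDs; any other ID is reported by number.
AD_ACTIONS = {"4624": "logon_success", "4625": "logon_failure"}


def _utc(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).isoformat()


def normalize(line: str, syslog_year: int = 2023) -> Optional[AuditEvent]:
    """Map one raw line onto 'who did what on what, when'.

    Returns None for lines no parser recognises, so the caller can count
    them instead of silently dropping a log source. syslog_year is an
    assumption: BSD syslog timestamps have no year field."""
    m = ACCESS_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        actor = m["user"] if m["user"] != "-" else m["ip"]   # unauthenticated: fall back to IP
        return AuditEvent(actor, m["method"], m["path"], _utc(ts), "access")
    m = FIREWALL_RE.match(line)
    if m:
        raw = re.sub(r" +", " ", m["ts"])                   # "Oct  3" -> "Oct 3"
        ts = datetime.strptime(f"{syslog_year} {raw}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)                 # assume the firewall logs in UTC
        return AuditEvent(m["src"], f'{m["verdict"]} {m["proto"]}',
                          f'{m["dst"]}:{m["dport"]}', _utc(ts), "firewall")
    m = AD_RE.match(line)
    if m:
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        action = AD_ACTIONS.get(m["eid"], f'event_{m["eid"]}')
        return AuditEvent(m["user"], action, m["ip"], _utc(ts), "active_directory")
    return None


def normalize_all(lines: List[str]) -> Tuple[List[AuditEvent], List[str]]:
    """Split input into normalised events and lines that no parser handled."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def events_per_actor(events: List[AuditEvent]) -> Dict[str, int]:
    """The kind of per-actor aggregate behaviour analytics starts from."""
    counts: Dict[str, int] = {}
    for ev in events:
        counts[ev.actor] = counts.get(ev.actor, 0) + 1
    return counts


if __name__ == "__main__":
    evs, bad = normalize_all(SAMPLE_LINES)
    for ev in evs:
        print(ev)
    print("unparsed:", bad)
    print("per actor:", events_per_actor(evs))
```

Note that the same IP shows up as the actor of both a failed web login and a blocked SSH attempt; once every source is reduced to the same actor field, that correlation is a dictionary lookup rather than a bespoke rule per log format.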
And finally, logs need to be protected. This is why we provide configurable cryptographic integrity protections for ingested logs, so that you can be sure nobody has tampered with them and can prove that to third parties (auditors, regulators).
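One common way to get that property is a hash chain over the ingested entries plus a seal on the chain head that is kept out of the log administrator’s reach (or handed to the auditor). The following is an added example of that mechanism and is not LogSentinel’s implementation; the page does not describe the exact scheme the product uses, only that it is cryptographic and configurable. The events, the `DEMO_KEY` and the `demo()` scenarios are constructed for the illustration. The example runs three tamper cases: editing an entry in place, dropping the newest entry, and rewriting the entry and recomputing every hash after it.

```python
import copy
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64   # "previous hash" of the first entry

# Constructed demo key. In practice the sealing key (or the published head
# hash) must be held by a party who cannot also rewrite the log store.
DEMO_KEY = b"demo-seal-key-not-for-production"

# Constructed events in the "who did what on what, when" shape.
DEMO_EVENTS = [
    {"actor": "alice", "action": "logon_success", "target": "10.0.0.42",
     "when": "2023-10-10T11:00:00+00:00"},
    {"actor": "alice", "action": "DELETE", "target": "/api/invoices/1337",
     "when": "2023-10-10T11:20:00+00:00"},
    {"actor": "203.0.113.7", "action": "DENY TCP", "target": "10.0.0.5:22",
     "when": "2023-10-10T11:25:12+00:00"},
]

Entry = Dict[str, Any]


def canonical(event: Dict[str, Any]) -> bytes:
    # Deterministic encoding: key order or whitespace must not change the hash.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash: str, event: Dict[str, Any]) -> str:
    # Each entry commits to its predecessor, so changing entry i breaks
    # every hash from i onward unless the attacker recomputes them all.
    return hashlib.sha256(prev_hash.encode() + b"\n" + canonical(event)).hexdigest()


def append_entry(chain: List[Entry], event: Dict[str, Any]) -> Entry:
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev": prev, "event": event, "hash": link_hash(prev, event)}
    chain.append(entry)
    return entry


def seal(chain: List[Entry], key: bytes) -> str:
    """HMAC over the chain head: what you hand to the auditor or anchor externally."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def verify_chain(chain: List[Entry], key: bytes, expected_seal: str) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of first bad entry).

    An index equal to len(chain) means every link is self-consistent but the
    head does not match the seal: entries were truncated from the end, or the
    chain was rewritten and re-hashed wholesale."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or link_hash(prev, entry["event"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if not hmac.compare_digest(seal(chain, key), expected_seal):
        return False, len(chain)
    return True, None


def build_demo_chain() -> Tuple[List[Entry], str]:
    chain: List[Entry] = []
    for ev in DEMO_EVENTS:
        append_entry(chain, ev)
    return chain, seal(chain, DEMO_KEY)


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    chain, s = build_demo_chain()

    # 1. Insider edits the record of their own destructive action in place.
    edited = copy.deepcopy(chain)
    edited[1]["event"]["action"] = "READ"

    # 2. The newest entry is simply deleted.
    truncated = chain[:-1]

    # 3. Same edit, but the attacker also recomputes every hash after it.
    rehashed: List[Entry] = []
    for entry in edited:
        append_entry(rehashed, entry["event"])

    return {
        "intact": verify_chain(chain, DEMO_KEY, s),
        "edited": verify_chain(edited, DEMO_KEY, s),
        "truncated": verify_chain(truncated, DEMO_KEY, s),
        "rehashed": verify_chain(rehashed, DEMO_KEY, s),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

The third case is the one that matters for design: a hash chain by itself only proves internal consistency, and an attacker with write access to the store can rebuild it. Detection there comes entirely from the seal, which is why the key or the published head has to live somewhere the log administrator cannot reach (an auditor, a separate trust domain, or an external anchor).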
Every security incident is preventable
This may sound contrary to the common security knowledge that “nothing is 100% secure”, but it isn’t. First, we need to clarify that while a SIEM is at the centre of your cybersecurity toolkit, it’s not a Swiss army knife. It doesn’t replace firewalls, antivirus, DLPs or vulnerability management systems, and more importantly, it does not replace good security practices.
That said, a SIEM is an enabler for better security. With the right threat intelligence, rules and machine-learning based anomaly detection, integrations with other security software and a well-defined response strategy, the likelihood of a substantial security incident is reduced significantly.
Security is often a balancing act – there’s no point in investing a million dollars to cover the last 1% of the risk. But the mindset, and the tools at hand, can make every security incident preventable – there is always something that could have been done to prevent the incident. You are never 100% secure, but you can go for years without any major security incident. And that’s the whole point of cybersecurity tools.
That’s how we see the role of our product in the broader security ecosystem. And that’s why we’ve made it simple to use, affordable and predictable. Security is not just for the multinationals and SIEM is a key component in any fight against cyber threats.
By leveraging the latest innovations in technology including blockchain and machine learning, LogSentinel helps organizations of all sizes to eliminate their blind spots and reduce the time and cost of incident detection and investigation.
If you wish to learn more about LogSentinel SIEM, use the button below to book a demo with us!
Bozhidar Bozhanov is co-founder and the CEO at LogSentinel. He is a senior software engineer and solution architect with 15 years of experience in the software industry. Bozhidar has been a speaker at numerous conferences and is among the popular bloggers and influencers in the technical field. He’s also a former government advisor on e-government, transparency and information security.