Security Information and Event Management systems are considered a “must-have” in many industries. They are effectively a horizontal security tool that improves security posture and improves visibility regardless of the domain specifics. Or at least it seems so at first.
The reality is somewhere in between – yes, the majority of SIEM features are transferable across industries (and that’s great because you can hire people from any industry to set up or monitor a SIEM). But there are inevitable industry specifics. We classify them into three different categories – industry-specific data sources, compliance, and threats.
Industry-specific data sources (integrations)
Every organization may have an Active Directory, firewalls, web servers, and antivirus software, but not every organization has a core banking system, SCADA, or medical equipment. A good SIEM must support these verticals through flexible agents or collectors that can fetch and normalize these industry-specific data sources. A core banking system may be tough to integrate if it is a legacy system from the 80s. Medical equipment and software may communicate in specific formats like DICOM/IHE/FHIR. SCADA systems may be quirky in producing externally consumable logs. A SIEM must be built with an understanding of these industry-specific integrations.
Compliance
While there are horizontal standards and regulations like ISO 27001 or GDPR, there are industry-specific regulations as well: HIPAA (and a set of local healthcare laws in EU member states) covers the security and privacy of handling medical data; PCI DSS, PSD2, GLBA and others are specific to the financial sector. The EU NIS Directive sets out specific requirements for critical infrastructure. An industry-tailored SIEM has to support compliance reporting as well as additional requirements such as strong log integrity or data masking.
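The two requirements described above, a collector that normalizes an industry-specific medical format and the compliance needs for data masking and log integrity, shown together in one added illustration that is not LogSentinel's code: it maps a constructed, simplified FHIR R4 AuditEvent onto a flat SIEM event, pseudonymises the patient reference with a keyed hash, and appends events to a hash chain that reveals any later edit, deletion or reordering. The masking key, the flat field names and the sample event are assumptions.

```python
import hashlib
import hmac
import json
MASKING_KEY = b"replace-with-secret-from-kms"  # placeholder; a real deployment loads it from a secret store

SAMPLE_AUDIT_EVENT = {  # constructed sample shaped like a simplified FHIR R4 AuditEvent, not real data
    "resourceType": "AuditEvent", "action": "R", "recorded": "2024-03-01T10:15:30Z", "outcome": "0",
    "agent": [{"who": {"reference": "Practitioner/dr-smith"}, "requestor": True,
               "network": {"address": "10.0.5.21", "type": "2"}}],
    "entity": [{"what": {"reference": "Patient/123456"}, "type": {"code": "1"}}],
}

def mask_reference(ref: str) -> str:
    """Keyed-hash pseudonym for 'Patient/<id>': still correlatable, but the raw ID never reaches the SIEM."""
    kind, _, ident = ref.partition("/")
    tag = hmac.new(MASKING_KEY, ident.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{kind}/masked-{tag}"

def normalize_fhir_audit_event(ev: dict) -> dict:
    """Flatten the FHIR-specific structure into a vendor-neutral SIEM event."""
    requestor = next((a for a in ev.get("agent", []) if a.get("requestor")), {})
    targets = [e.get("what", {}).get("reference", "") for e in ev.get("entity", [])]
    return {
        "timestamp": ev.get("recorded"),
        "action": ev.get("action"),
        "actor": requestor.get("who", {}).get("reference"),
        "source_ip": requestor.get("network", {}).get("address"),
        "outcome": "success" if ev.get("outcome") == "0" else "failure",
        # Only Patient references carry PHI here; device/practitioner refs stay as-is.
        "targets": [mask_reference(r) if r.startswith("Patient/") else r for r in targets],
    }

def _link_hash(prev: str, record: dict) -> str:
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))  # canonical form
    return hashlib.sha256((prev + body).encode()).hexdigest()

def chain_append(chain: list, record: dict) -> None:
    """Append a record hashed together with its predecessor (tamper-evident log)."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    entry = {"prev_hash": prev, "record": record, "hash": _link_hash(prev, record)}
    chain.append(entry)

def verify_chain(chain: list) -> bool:
    """Recompute every link; an edited, dropped or reordered entry breaks the chain."""
    prev = "0" * 64
    for entry in chain:
        if entry["prev_hash"] != prev or entry["hash"] != _link_hash(prev, entry["record"]):
            return False
        prev = entry["hash"]
    return True
```

A production chain would also anchor its latest hash somewhere the SIEM operator cannot silently rewrite (a WORM store, a timestamping service, or an external ledger); the in-memory list here only shows the mechanism.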
Industry-specific threats
The threats facing the financial industry are related to financial fraud (e.g. credit card abuse, which it shares with the e-commerce sector); the threats to the healthcare sector concern the privacy and availability of patient data; and critical infrastructure is often targeted by nation-state advanced persistent threats for geopolitical reasons. A SIEM must cover these diverse threats in order to be applicable across industries.
A knowledgeable enough consultant or integrator can get any tool to do any job, but the problem is that these people are rare and expensive – it’s best if the tool (in this case – SIEM) can handle the industry specifics without too much supervision. The ability to handle those specifics may be the difference between a successful and a failed SIEM project and that’s why we at LogSentinel have a deep understanding of our customers’ industry problems and have solutions prepared to address them.
Bozhidar Bozhanov is co-founder and the CEO at LogSentinel. He is a senior software engineer and solution architect with 15 years of experience in the software industry. Bozhidar has been a speaker at numerous conferences and is among the popular bloggers and influencers in the technical field. He’s also a former government advisor on e-government, transparency and information security.