Security Information and Event Management (SIEM) systems are vital to any organisation. They turn the raw event logs of many different applications and devices into detailed behaviour analysis by means of visualisations, analytics and, increasingly, machine learning. A SIEM brings together the data needed to address the most important information security questions: who did what, when, from where, and whether that activity is normal. The end goal is a defensible security posture and regulatory compliance, protection of company information and brand reputation, and continuous improvement of the organisation and its assets.
A SIEM makes it possible to detect anomalies, respond to them and in some cases prevent their consequences. The problem is that many products are a SIEM in only a few respects, which makes it hard to tell what your business actually needs. Implementing a SIEM costs many hours of configuration, integration and testing; if you later need a wider range of capabilities than the vendor provides, you have to spend those hours again on a second system.
This is why it is so important for a SIEM to cover as many aspects as possible: monitoring, detection, analysis of the collected data, and collaboration on the response to anomalous events. Modern SIEM systems pay particular attention to the data protection aspects of these features.
Using SIEM Software for Achieving Compliance
The technical requirements of regulations (e.g. GDPR, SOX, FISMA, HIPAA) oblige companies to pay closer attention to how they store and process the personal data they hold. A SIEM eases the collection and retention of evidence of compliance and provides detection of malicious activity. The processes become manageable, and the data protection officers of medium-sized and large companies gain better visibility of what happens inside the organisation, as well as the means to take measures that prevent security incidents.
Furthermore, security analysis runs continuously: on the one hand, machine learning improves fraud and anomaly detection over time; on the other hand, the system monitors for security incidents 24/7 and sends notification alerts whenever one is detected.
How Blockchain will Transform SIEM Into a Next Generation Security Solution
Blockchain has established itself as a technology for keeping records that cannot be altered after the fact without detection. It is this resistance to tampering with past records that drove the investment hype around cryptocurrencies.
The most valuable application of blockchain, however, may lie elsewhere. Proof of origin and proof of evidence have always been a struggle. For security information and event management (SIEM), the top problems to solve are:
- Ensuring that no event can be deleted or modified without detection, even by system administrators
- Preventing breaches of confidential information
- Using technology advanced enough to detect potential problems in time
Blockchain, combined with established cryptographic primitives (hashing, digital signatures and trusted timestamping), lays the foundation of cost-effective, sustainable solutions that protect company assets.
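The tamper evidence described above rests on chaining: each stored event commits to the hash of the event before it, and the latest hash is periodically anchored somewhere outside the log administrator's control (a public ledger or a qualified timestamp, which is the role this page assigns to the blockchain). The following Python is an added illustration of that mechanism, not LogSentinel's or SentinelTrails' code; the event fields, the SHA-256 chaining, the genesis value and the sample events are assumptions made for the example.

```python
import hashlib
import json
from typing import List, Optional

# Constructed sample audit events (illustrative, not real LogSentinel data).
SAMPLE_EVENTS = [
    {"actor": "alice", "action": "LOGIN", "entity": "crm"},
    {"actor": "alice", "action": "EXPORT", "entity": "customers.csv"},
    {"actor": "bob", "action": "DELETE", "entity": "invoice/1042"},
]

# Hash "before" the first entry; an assumed convention for this example.
GENESIS = "0" * 64


def canonical(event: dict) -> bytes:
    """Deterministic encoding so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, event: dict) -> str:
    """Each entry commits to its predecessor's hash, forming a hash chain."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(event))
    return h.hexdigest()


def build_chain(events: List[dict]) -> List[dict]:
    """Append events one by one, linking each to the previous hash."""
    chain = []
    prev = GENESIS
    for ev in events:
        h = entry_hash(prev, ev)
        chain.append({"event": ev, "prev_hash": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain: List[dict], anchored_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry.

    anchored_head is the last hash published where the log admin cannot rewrite it.
    Without it, an admin who edits an entry and re-hashes everything after it
    produces a chain that is internally consistent and passes unnoticed.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or entry_hash(prev, entry["event"]) != entry["hash"]:
            return i  # modified, inserted or deleted entry breaks the link here
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(chain)  # self-consistent, but not the chain that was anchored
    return None


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]  # this is what gets anchored externally
    print("intact:", verify_chain(chain, anchored_head=head))
    # An admin rewrites entry 1 and re-hashes the rest of the chain.
    rewritten = build_chain([SAMPLE_EVENTS[0],
                             {"actor": "alice", "action": "VIEW", "entity": "customers.csv"},
                             SAMPLE_EVENTS[2]])
    print("rewritten, no anchor:", verify_chain(rewritten))
    print("rewritten, with anchor:", verify_chain(rewritten, anchored_head=head))
```

The last two calls show the caveat a practitioner should keep in mind: a hash chain on its own only detects edits by someone who cannot rewrite the whole file. Protection against the administrator of the log itself comes entirely from the external anchor, so how often the head is anchored bounds how much history an insider could still rewrite undetected.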
Top SIEM Software Features covered by LogSentinel
LogSentinel's main focus is on protecting data integrity. This in turn helps to protect personal data and company information, to achieve regulatory compliance, and to ensure that no evidence can be deleted or modified without detection.
To deliver this, LogSentinel combines blockchain-based storage with fraud detection. LogSentinel can be considered a SIEM tool because it covers the characteristics of one. The table below maps typical SIEM characteristics to the corresponding LogSentinel features:
| SIEM software characteristic | Covered | LogSentinel feature |
|---|---|---|
| Log collection | ✓ | SentinelTrails collects logs via a RESTful API and stores them in blockchain-backed, tamper-evident storage. |
| Log analysis | ✓ | SentinelTrails supports AI-driven log analysis focused on fraud and anomaly detection. |
| Event correlation | ✓ | Using a correlation key, every log event can be tied to the business process it belongs to, as presented on the SentinelTrails dashboard. This gives easy tracking and visibility, and a DPO-friendly way of illustrating data-related processes. |
| Log forensics | ✓ | Because of the blockchain-anchored storage, logs held in SentinelTrails cannot be modified without detection. SentinelTrails meets the audit trail requirements of multiple standards and regulations: GDPR, PSD2, PCI-DSS, ISO 27001, HIPAA, etc. Blockchain-backed secure timestamping and logging keeps the data tamper-evident, timestamped with Qualified Time Stamps and/or Qualified Electronic Signatures, and logged in two blockchains. It can be used for forensics, security audits and proof of GDPR compliance. |
| Application log monitoring | ✓ | Every application can be logged and monitored separately as well as in a combined view. |
| Real-time alerting | ✓ | SentinelTrails supports real-time alerting for detected anomalies and suspicious activity. |
| User activity monitoring | ✓ | LogSentinel captures user actions, including use of applications, system commands executed, check boxes clicked, text entered or edited, and any other action you want to keep track of. |
| Dashboards | ✓ | The SentinelTrails dashboard gives full visibility of all processes and applications, and shows activity per actor and per action type. |
| File integrity monitoring | ✓ | All action types concerning files (deletion, modification, etc.) can be tracked. |
| System and device log monitoring | ✓ | SentinelTrails monitors log files and searches them for known text patterns and rules that indicate important events. |
| Log retention | ✓ | Log retention periods can be configured according to specific business needs. |
Examples of SIEM rules protecting personal data
As stated above, a SIEM helps detect many kinds of information security issues. Some of these are vital to the organisation because they affect confidential data or can lead to a personal data leak. Below are some common security alerts that help organisations keep control over the assets that hold their data:
| Rule | Purpose | Trigger | Event sources |
|---|---|---|---|
| Repeat Attack-Login Source | Early warning of brute-force attacks, password guessing and misconfigured applications | Alert on 3 or more failed logins within 1 minute from a single source host | Active Directory, syslog (Unix hosts, switches, routers, VPN), RADIUS, TACACS, monitored applications |
| Unauthorized Data Transfers | Warning of unauthorized data transfer | Alert if more than 10 files or 10 MB of specific file types are copied to USB drives or sent as email attachments to non-company domains | Active Directory, monitored applications |
| Unauthorized Data Transfers by Privileged Users | Warning of unauthorized data transfer by a privileged account | Alert if a user switches from their normal account to a privileged one and then performs an abnormal data transfer to or from an external service | Active Directory, monitored applications |
| Unauthorized Changes in Production Database | Warning of unauthorized login to a production database | Alert if a user logs in remotely outside normal business hours and then makes repeated attempts to connect to a production database as an administrator | Production database, monitored applications |
| Virus Detection/Removal | Alert when a virus, spyware or other malware is detected on a host | Alert when a single host reports an identifiable piece of malware | Anti-virus, HIPS, network/system behavioural anomaly detectors |
| Virus or Spyware Detected but Failed to Clean | Alert when more than 1 hour has passed since malware was detected on a host with no corresponding successful removal | Alert when a single host fails to auto-clean malware within 1 hour of detection | Firewall, NIPS, anti-virus, HIPS, failed-login events |
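Two of the rules in the table, the threshold rule (3 or more failed logins from one host within 1 minute) and the timeout rule (malware detected with no clean-up within 1 hour), are the two shapes most SIEM correlation rules take, so they are worth seeing as code. The Python below is an added example of that logic, not LogSentinel's or SentinelTrails' rule engine; the syslog line format, the regular expression, the anti-virus event tuples and all the sample data are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample sshd lines in a syslog-like layout (not from a real host).
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd[1201]: Failed password for root from 10.0.0.7 port 51000
2024-03-01T08:00:12 sshd[1202]: Failed password for admin from 10.0.0.7 port 51001
2024-03-01T08:00:20 sshd[1203]: Failed password for alice from 10.0.0.9 port 42010
2024-03-01T08:00:45 sshd[1204]: Failed password for root from 10.0.0.7 port 51002
2024-03-01T08:02:30 sshd[1205]: Failed password for alice from 10.0.0.9 port 42011
2024-03-01T08:03:10 sshd[1206]: Failed password for alice from 10.0.0.9 port 42012
2024-03-01T08:03:40 sshd[1207]: Accepted password for alice from 10.0.0.9 port 42013
"""

# Constructed anti-virus events: (timestamp, host, kind, malware name).
AV_EVENTS: List[Tuple[str, str, str, str]] = [
    ("2024-03-01T09:00:00", "host-a", "detected", "Trojan.Generic"),
    ("2024-03-01T09:05:00", "host-a", "cleaned", "Trojan.Generic"),
    ("2024-03-01T09:10:00", "host-b", "detected", "Worm.Test"),
    ("2024-03-01T10:30:00", "host-c", "detected", "Adware.Sample"),
]

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+: Failed password for (?P<user>\S+) from (?P<src>\S+)"
)


def repeat_attack_login_source(log_text: str, threshold: int = 3,
                               window: timedelta = timedelta(minutes=1)) -> List[dict]:
    """Threshold rule: N failed logins from one source within a sliding window.

    Keeps a per-source deque of failure timestamps, drops those that fell out of
    the window, and raises one alert per burst (the deque is cleared on alert so
    a long brute-force run does not produce an alert on every further failure).
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"rule": "Repeat Attack-Login Source",
                           "source": m["src"], "count": len(q), "window_end": ts})
            q.clear()
    return alerts


def malware_not_cleaned(events: List[Tuple[str, str, str, str]], now_iso: str,
                        grace: timedelta = timedelta(hours=1)) -> List[dict]:
    """Timeout rule: a detection with no matching clean-up inside the grace period.

    The rule pairs events by (host, malware name); a 'cleaned' event closes the
    detection, and anything still open for longer than the grace period alerts.
    """
    now = datetime.fromisoformat(now_iso)
    pending: Dict[Tuple[str, str], datetime] = {}
    for ts, host, kind, name in events:
        t = datetime.fromisoformat(ts)
        if kind == "detected":
            pending.setdefault((host, name), t)  # keep the earliest detection
        elif kind == "cleaned":
            pending.pop((host, name), None)
    return [{"rule": "Virus Detected but Failed to Clean", "host": h,
             "malware": n, "detected_at": t}
            for (h, n), t in pending.items() if now - t > grace]


if __name__ == "__main__":
    for a in repeat_attack_login_source(SAMPLE_LOG):
        print(a)  # one alert: 10.0.0.7, 3 failures within 44 seconds
    for a in malware_not_cleaned(AV_EVENTS, "2024-03-01T11:00:00"):
        print(a)  # host-b only: host-a was cleaned, host-c is inside the grace period
```

Note what the sample data exercises: 10.0.0.9 also fails three times, but spread over more than a minute, so the sliding window correctly stays quiet, and host-c has an open detection that is not yet overdue. When porting rules like these into a real SIEM, the window, threshold and grace values in the table are the starting point; the keys you correlate on (source host, or host plus malware name) matter just as much, because a rule keyed only on host would wrongly close host-b's detection if a different piece of malware were cleaned there.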