Security Information and Event Management (SIEM) systems are considered a “must-have” in many industries. They are effectively a horizontal security tool that improves security posture and visibility regardless of the domain specifics. Or at least it seems so at first.
The reality is somewhere in between – yes, the majority of SIEM features are transferable across industries (and that’s great because you can hire people from any industry to set up or monitor a SIEM). But there are inevitable industry specifics. We classify them into three different categories – industry-specific data sources, compliance, and threats.
Industry-specific data sources (integrations)
Every organization may have Active Directory, firewalls, web servers, and antivirus software, but not every organization has a core banking system, SCADA, or medical equipment. A good SIEM must support these verticals with flexible agents or collectors that can fetch and normalize these industry-specific data sources. A core banking system may be tough to integrate if it’s a legacy system from the 80s. Medical equipment and software may communicate in specific formats like DICOM/IHE/FHIR. SCADA systems may be quirky in producing externally consumable logs. A SIEM must be built with an understanding of these industry-specific integrations.
Industry-specific compliance
While there are horizontal standards and regulations like ISO 27001 or GDPR, there are industry-specific regulations as well. HIPAA (and a set of local healthcare laws in EU member states) covers the security and privacy of handling medical data; PCI-DSS, PSD2, GLBA and others are specific to the financial sector; the EU NIS Directive designates specific requirements for critical infrastructure. An industry-tailored SIEM has to support compliance reporting as well as additional requirements like strong log integrity or data masking.
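The two sections above describe what a collector has to do with vertical-specific sources (fetch, parse, normalize into one schema) and what the compliance layer then adds on top (mask sensitive fields such as card numbers and patient identifiers, and make the stored log tamper-evident). The following Python is an added illustration written for this page, not LogSentinel’s code. The three input records (a FHIR-style AuditEvent, a SCADA text line, and a pipe-delimited core-banking transaction) are constructed here and only loosely imitate real formats; the field names and the `Event` schema are assumptions.

```python
import hashlib
import json
import re
from dataclasses import dataclass, asdict
from typing import Dict, List

# --- Constructed sample inputs (not output of any real system) -------------

# Hypothetical FHIR-style AuditEvent; layout loosely follows FHIR but is made up here.
FHIR_AUDIT_EVENT = {
    "resourceType": "AuditEvent",
    "recorded": "2024-03-01T10:15:01Z",
    "action": "R",
    "agent": [{"who": {"identifier": {"value": "dr.smith"}}}],
    "entity": [{"what": {"reference": "Patient/123456"}}],
}
# Hypothetical SCADA/PLC text log line (constructed).
SCADA_LINE = "2024-03-01T10:15:02Z PLC-07 WRITE tag=Pump3.Setpoint value=42 user=op_jdoe"
# Hypothetical core-banking transaction record (constructed).
BANKING_LINE = "2024-03-01T10:15:03Z|TXN|acct=DE001234|pan=4111111111111111|amount=120.00|user=teller42"


@dataclass
class Event:
    """Common schema that every vertical-specific collector maps into (assumed)."""
    timestamp: str
    source: str
    actor: str
    action: str
    target: str


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number, PCI-DSS style."""
    return "*" * (len(pan) - 4) + pan[-4:]


def mask_patient(reference: str) -> str:
    """Replace a patient reference with a one-way pseudonym: events stay
    correlatable across the log without storing the identifier itself."""
    return "Patient/pseudo-" + hashlib.sha256(reference.encode()).hexdigest()[:12]


def from_fhir(resource: Dict) -> Event:
    actor = resource["agent"][0]["who"]["identifier"]["value"]
    target = resource["entity"][0]["what"]["reference"]
    if target.startswith("Patient/"):
        target = mask_patient(target)
    return Event(resource["recorded"], "fhir", actor, resource["action"], target)


SCADA_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<op>\S+) tag=(?P<tag>\S+) .*user=(?P<user>\S+)$"
)


def from_scada(line: str) -> Event:
    m = SCADA_RE.match(line)
    if not m:
        raise ValueError("unparseable SCADA line: " + line)
    return Event(m["ts"], "scada", m["user"], m["op"], f"{m['device']}/{m['tag']}")


def from_banking(line: str) -> Event:
    ts, kind, *fields = line.split("|")
    kv = dict(f.split("=", 1) for f in fields)
    return Event(ts, "banking", kv["user"], kind, f"{kv['acct']} pan={mask_pan(kv['pan'])}")


def chain(events: List[Event], prev_hash: str = "0" * 64) -> List[Dict]:
    """Append normalised events to a SHA-256 hash chain. Each hash covers the
    record body plus the previous hash, so editing or deleting any earlier
    record breaks verification of every later one."""
    records = []
    for ev in events:
        body = json.dumps(asdict(ev), sort_keys=True, separators=(",", ":"))
        h = hashlib.sha256((prev_hash + body).encode()).hexdigest()
        records.append({"event": asdict(ev), "prev": prev_hash, "hash": h})
        prev_hash = h
    return records


def verify_chain(records: List[Dict], genesis: str = "0" * 64) -> bool:
    """Recompute every link; False on any modified, dropped or reordered record."""
    expected_prev = genesis
    for rec in records:
        body = json.dumps(rec["event"], sort_keys=True, separators=(",", ":"))
        if rec["prev"] != expected_prev:
            return False
        if hashlib.sha256((expected_prev + body).encode()).hexdigest() != rec["hash"]:
            return False
        expected_prev = rec["hash"]
    return True


def build_sample_chain() -> List[Dict]:
    events = [from_fhir(FHIR_AUDIT_EVENT), from_scada(SCADA_LINE), from_banking(BANKING_LINE)]
    return chain(events)


if __name__ == "__main__":
    recs = build_sample_chain()
    print(json.dumps(recs, indent=2))
    print("chain valid:", verify_chain(recs))
```

Masking happens in the collector, before the record is hashed and stored, so the sensitive value never reaches the log store and the integrity chain covers the masked form. In a real deployment the previous hash would be anchored periodically (signed, or written to an external store) so that an attacker with write access to the log cannot simply recompute the whole chain.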
Industry-specific threats
The threats facing the financial industry are related to financial fraud (e.g. credit card abuse, which it shares with the e-commerce sector); the threats to the healthcare sector concern the privacy and availability of patient data; and critical infrastructure is often targeted by nation-state advanced persistent threats for geopolitical reasons. A SIEM must cover these diverse threats in order to be applicable across industries.
A knowledgeable enough consultant or integrator can get any tool to do any job, but the problem is that these people are rare and expensive – it’s best if the tool (in this case the SIEM) can handle the industry specifics without too much supervision. The ability to handle those specifics may be the difference between a successful and a failed SIEM project, and that’s why we at LogSentinel have a deep understanding of our customers’ industry problems and have solutions prepared to address them.


Bozhidar Bozhanov is a senior software engineer and solution architect with 15 years of experience in the software industry. Bozhidar has been a speaker at numerous conferences and is among the popular bloggers and influencers in the technical field. He’s also a former government advisor on e-government, transparency, and information security.