Cyber security monitoring is a responsibility of all businesses. You aren't just defending against malware and hackers; you're also battling an unrelenting avalanche of data from your networks and cloud services.
One of the biggest challenges in cyber security is dealing with the staggering volume of information that comes from activity on systems and making sense of it in order to turn raw data into intelligence – to derive warning signs of attacks, understand the nature of faults or provide evidenced reports to stakeholders.
Back in 2005, Gartner coined the term 'security information and event management' (SIEM) to describe a traditional security monitoring system that meets audit and compliance needs. As information security has evolved, so too have the demands on a SIEM. In addition to streamlining your compliance reporting, you need to have:
- Security threat detection;
- Timely alerting & reporting, and;
- Incident response capabilities.
What does this mean for your Security Operations?
You must have the capacity to process volumes of data at speed, draw on threat intelligence and detect behavioural anomalies.
Huntsman Security’s Enterprise SIEM: An Overview
Reducing your time at risk – high volume, real-time cyber security monitoring
When it comes to reducing cyber risk, time is absolutely critical. The longer your business is exposed to threats, the greater the potential for damage. Consequently, the more information that can be processed quickly, the better the context for threat validation and resolution.
Huntsman Security's SIEM provides real-time collection, management, processing and analysis of log, system, transaction, network, intelligence and activity data at very high speed (100,000 events per second, or EPS). It continually monitors security controls and enterprise environments, and flags incidents immediately so analysts can investigate and respond.
Where attacks or malware detections come from dedicated security defences or detection/sandbox systems, the SIEM takes the details of the attack or malware directly from those systems and examines the target hosts for the suspicious or predicted activity, traffic and system changes they describe.
Our technology automatically gathers diagnostic data so your security team can rapidly understand the context around an alert and clear benign alerts and false positives with confidence. Combined with proxy or gateway logs and network traffic captures, this identifies the spread of an active attack or infection where a 'patient zero' or vulnerable system leads to the infection of other hosts as the attacker moves laterally.
Cyber security monitoring to detect anomalous activity
Behaviour Anomaly Detection (BAD) gives your organisation the ability to detect 'never seen before' activity and the widest range of misuse, breaches and anomalous behaviour across your network, systems, users and application environments.
This means your security team can investigate and take action on outliers, advanced persistent threats, insider attacks, and command and control activity that indicates a breach has occurred, while there is still time to make a difference.
Huntsman Security's BAD automatically builds a dynamic baseline of normal behaviour and activity, against which data sources are monitored for unusual events, trends and patterns. Enterprise SIEM monitors netflow data and traffic patterns (including DNS logs and external connections) to learn the normal flow of traffic between systems. Most commonly this is between user systems or clients and servers, so malware or an attacker moving or connecting between hosts within the workstation address ranges is a detectable anomaly, especially when combined with other indicators of compromise such as user account or privilege abuse, or external 'phone home' traffic seen at proxies.
Where malware detections come from dedicated malware detection or sandbox systems, the solution takes the details of the detonation directly from the gateway and examines the target hosts for signs of the predicted activity and traffic, as well as the registry key and file system changes the sample made. Together with proxy or gateway logs, this is used to detect the spread of the malware or an active attack: other hosts that 'patient zero' connected to or infected will exhibit the same host modifications or similar patterns of activity.
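To make the two mechanisms described above concrete (a learned baseline that flags workstation-to-workstation traffic, and sandbox indicators correlated with proxy logs to trace spread from 'patient zero'), here is an added example in Python. It is not Huntsman Security's code and does not reflect how Enterprise SIEM is implemented; the address plan, the netflow records, the proxy log lines and the sandbox IOC domain are all constructed for the illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed address plan for the illustration (not from the page): workstations
# live in 10.10.0.0/16, servers in 10.20.0.0/16, anything else is external.
ROLES = {
    "workstation": ipaddress.ip_network("10.10.0.0/16"),
    "server": ipaddress.ip_network("10.20.0.0/16"),
}

def role_of(ip):
    """Map an address to its role in the address plan."""
    addr = ipaddress.ip_address(ip)
    for role, net in ROLES.items():
        if addr in net:
            return role
    return "external"

def build_baseline(flows):
    """Learn normal traffic as the set of (src role, dst role, dst port)
    triples seen in flows collected during known-good operation."""
    return {(role_of(src), role_of(dst), port) for src, dst, port in flows}

def anomalous_flows(flows, baseline):
    """Flows whose role/port triple never appeared in the baseline, e.g.
    workstation-to-workstation SMB, or a workstation reaching the internet
    on an unusual port ("phone home")."""
    return [f for f in flows if (role_of(f[0]), role_of(f[1]), f[2]) not in baseline]

def ioc_contacts(proxy_log, iocs):
    """From proxy log lines ("<ts> <client> <host> <method> <status>"), map
    each client to the IOC domains it contacted."""
    hits = defaultdict(set)
    for line in proxy_log:
        _ts, client, host, _method, _status = line.split()
        if host in iocs:
            hits[client].add(host)
    return dict(hits)

def lateral_spread(anomalies, hits):
    """Candidate patient zero -> peers: hosts that contacted a sandbox IOC
    and then opened never-before-seen workstation-to-workstation connections."""
    spread = defaultdict(set)
    for src, dst, _port in anomalies:
        if src in hits and role_of(src) == "workstation" == role_of(dst):
            spread[src].add(dst)
    return dict(spread)

# Constructed sample data (netflow as (src, dst, dst port)).
BASELINE_FLOWS = [
    ("10.10.1.5", "10.20.0.10", 445),
    ("10.10.1.7", "10.20.0.10", 443),
    ("10.10.2.3", "10.20.0.53", 53),
    ("10.20.0.10", "10.20.0.20", 1433),
]
NEW_FLOWS = [
    ("10.10.1.5", "10.20.0.10", 445),    # normal file share access
    ("10.10.1.5", "10.10.1.7", 445),     # workstation-to-workstation SMB
    ("10.10.1.5", "10.10.1.9", 3389),    # workstation-to-workstation RDP
    ("10.10.2.3", "10.10.2.4", 445),     # peer traffic, but no IOC contact
    ("10.10.1.7", "10.20.0.10", 443),    # normal
    ("10.10.1.9", "203.0.113.7", 8443),  # external "phone home" on odd port
]
PROXY_LOG = [
    "1714557601.123 10.10.1.5 malware-stage.example GET 200",
    "1714557602.456 10.10.1.7 updates.example GET 200",
    "1714557640.009 10.10.1.7 malware-stage.example GET 200",
]
SANDBOX_IOCS = {"malware-stage.example"}  # domain reported by the sandbox (assumed)

def detect():
    """Run the pipeline over the constructed data and return its findings."""
    baseline = build_baseline(BASELINE_FLOWS)
    anomalies = anomalous_flows(NEW_FLOWS, baseline)
    hits = ioc_contacts(PROXY_LOG, SANDBOX_IOCS)
    return anomalies, hits, lateral_spread(anomalies, hits)

if __name__ == "__main__":
    anomalies, hits, spread = detect()
    for flow in anomalies:
        print("anomalous flow:", flow)
    print("IOC contacts:", hits)
    print("suspected spread from patient zero:", spread)
```

Run as a script, it reports four anomalous flows and names 10.10.1.5 as the candidate patient zero with 10.10.1.7 and 10.10.1.9 as the peers it reached. The 10.10.2.3 peer traffic is still surfaced as an anomaly for investigation, but because that host never contacted the sandbox indicator it is not tied to this infection; 10.10.1.7's later IOC contact confirms the spread. A production baseline would be keyed on individual host pairs and time of day rather than on roles alone, and would age out entries so the baseline stays dynamic.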
Threat Intelligence gives context
Enterprise SIEM ingests external threat intelligence together with internal observations to automate the analysis of the broader threat information for richer situational awareness and event contextualisation. This delivers unparalleled real-time clarity about indicators of compromise and threats, their severity and likely impact – and significantly improves the quality of incident response and security decision-making.
Simplify compliance reporting with cyber security monitoring
Huntsman Security’s SIEM has in-built support for most national and international compliance standards. Your team can save considerable time and resources in meeting its compliance reporting requirements, particularly if your business is subject to more than one regulation.
Our technology consolidates a wide range of security, activity, compliance and management information – taking collected raw data, alerts and context and translating them into enriched business information for real-time dashboards, ad hoc business intelligence and scheduled reporting.
Enterprise SIEM translates operational security metrics into meaningful intelligence to provide real-time visibility of your organisation’s risk posture to stakeholders, support decision-making, and highlight the impact of security issues on business areas.
A scalable solution to grow with your needs
Our technology's architecture is modular, which means your organisation can simply add capacity as it needs it. This flexibility extends in multiple dimensions to support increases in data flow rates and storage volumes across the processing engine, the storage repositories and the display interface.