The IT infrastructure of a contemporary company is a complex mechanism that includes a multitude of corporate systems: network monitors, antiviruses, applications, databases, operating systems of servers and PCs, Active Directory, Exchange. Technically, any event in the system gets logged. But it is impossible to track, analyze, and respond in time to all events without an automated system.
SIEM can gather information from almost every source:
Collection and processing of events from different sources
The sheer number of event sources nowadays is so high that it’s impossible to manually control all events in the infrastructure. And this might lead to the following risks:
And SearchInform SIEM, as an aggregator of information from different devices, solves this problem. The system unifies the data and provides a secure storage for the data.
Event analysis and incident processing in real-time
SearchInform SIEM does not just correlate events, but also evaluates their significance: the system visualizes the information focusing on important and critical events.
Correlation and processing based on rules
A single event is not always indicative of an incident. For example, a single failed logon might be just accidental; however, three or more attempts probably indicate a password-guessing attack. To identify truly critical events, SearchInform SIEM uses rules that contain a whole range of conditions and take into account the most diverse scenarios.
Automated notification and incident management
Automated notifications and incident management enable SearchInform SIEM to fulfill its main purpose: creating the conditions for information security officers to respond rapidly to incidents. The solution detects incidents automatically.
An administrator of a mail server can reconfigure the system to gain access to the email of a top manager or any other employee. SIEM will promptly react to the incident and notify the information security department.
Employees who do not change their passwords for a long time or share them with someone else are also at risk. Besides, an administrator can temporarily rename someone's account and give network access to intruders. SIEM will inform you if it detects such incidents.
There are situations when events, seemingly harmless, together can pose great threat. For example, when someone sends a password to a top manager’s account. This event will not attract attention but, if later this account accesses critical resources, the system will alert to the incident.
One savvy employee was trying to copy the client base in an unusual manner. The employee's account did not have rights to obtain data from the CRM. The employee created a new DBMS account and tried to get the information directly from the database. One of the SIEM policies monitored access by new accounts to the database, and the system immediately notified specialists about the violation.
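The two kinds of rule described above, a threshold rule (three or more failed logons for one account within a short window) and a sequence rule (a harmless first event followed by a sensitive second event for the same account, such as a new DBMS account that then queries the database directly, or a password sent to a manager's account that later accesses a critical resource), can be illustrated with a small correlation engine. The code below is an added example written for this page; it is not SearchInform's rule format or engine. Event kinds, account names, time windows and the log events themselves are constructed for the demonstration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One normalized log event (constructed schema, not a vendor format)."""
    ts: datetime
    kind: str          # e.g. "logon_failed", "db_account_created"
    subject: str       # account the event concerns
    detail: str = ""


@dataclass(frozen=True)
class ThresholdRule:
    """Fire when `count` events of `kind` for one subject fall inside `window`."""
    kind: str
    count: int
    window: timedelta
    name: str


@dataclass(frozen=True)
class SequenceRule:
    """Fire when `second` follows `first` for the same subject within `window`."""
    first: str
    second: str
    window: timedelta
    name: str


class Correlator:
    def __init__(self, threshold_rules, sequence_rules):
        self.threshold_rules = threshold_rules
        self.sequence_rules = sequence_rules
        self._counts = defaultdict(deque)   # (rule, subject) -> recent timestamps
        self._pending = {}                  # (rule, subject) -> ts of the first event
        self.alerts = []                    # (rule name, subject, ts)

    def feed(self, event):
        for rule in self.threshold_rules:
            if event.kind != rule.kind:
                continue
            key = (rule.name, event.subject)
            recent = self._counts[key]
            recent.append(event.ts)
            # drop timestamps that fell out of the sliding window
            while recent and event.ts - recent[0] > rule.window:
                recent.popleft()
            if len(recent) >= rule.count:
                self.alerts.append((rule.name, event.subject, event.ts))
                recent.clear()              # one alert per burst, not per extra attempt
        for rule in self.sequence_rules:
            key = (rule.name, event.subject)
            if event.kind == rule.first:
                self._pending[key] = event.ts
            elif event.kind == rule.second and key in self._pending:
                if event.ts - self._pending[key] <= rule.window:
                    self.alerts.append((rule.name, event.subject, event.ts))
                del self._pending[key]      # consumed or expired either way
        return self.alerts


RULES_THRESHOLD = [
    ThresholdRule("logon_failed", 3, timedelta(minutes=5), "password_guessing"),
]
RULES_SEQUENCE = [
    SequenceRule("db_account_created", "db_direct_query",
                 timedelta(hours=1), "new_db_account_direct_query"),
    SequenceRule("password_sent_to", "critical_resource_access",
                 timedelta(hours=24), "shared_password_then_critical_access"),
]

# Constructed sample events mirroring the three scenarios in the text.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "logon_failed", "jdoe"),
    Event(T0 + timedelta(minutes=1), "logon_failed", "jdoe"),
    Event(T0 + timedelta(minutes=2), "logon_failed", "jdoe"),       # third in 5 min
    Event(T0 + timedelta(minutes=3), "logon_failed", "asmith"),     # single miss, benign
    Event(T0 + timedelta(minutes=10), "db_account_created", "rwhite"),
    Event(T0 + timedelta(minutes=12), "db_direct_query", "rwhite", "SELECT * FROM clients"),
    Event(T0 + timedelta(minutes=20), "password_sent_to", "ceo"),
    Event(T0 + timedelta(hours=5), "critical_resource_access", "ceo"),
]


def run_sample():
    """Replay the constructed events and return the alerts raised."""
    engine = Correlator(RULES_THRESHOLD, RULES_SEQUENCE)
    for ev in SAMPLE_EVENTS:
        engine.feed(ev)
    return engine.alerts


if __name__ == "__main__":
    for name, subject, ts in run_sample():
        print(f"{ts:%H:%M}  {name:40s} account={subject}")
```

Replaying the sample produces exactly three alerts: one for the password-guessing burst on `jdoe`, one for the new DBMS account that immediately queried the database, and one for the manager's account that accessed a critical resource after its password had been sent out. The single failed logon for `asmith` stays below the threshold and raises nothing, which is the point of correlating rather than alerting on every event.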
Upon installation of the system, the information security staff gain access to 300+ ready-made rules (security policies). Users can edit and customize existing rules and create their own policies. Out-of-the-box security policies scan the following data sources:
The sophisticated mechanism of SIEM operation boils down to the following algorithm:
SearchInform SIEM* collects information from various sources, analyses it, discovers threats, and alerts the designated info-security staff.
*For informational purposes only. Part of the described functionality of SearchInform SIEM is under revision. The project for the system capabilities expansion is being implemented in the format of co-financing based on the vendor's own funds and the Russian fund of information technology development grant.
The IT infrastructure of today's company is a complex mechanism that includes many corporate systems:
Every system is a source of personal, financial and corporate data that violators aim to obtain.
The company can be endangered both by the actions of system administrators (unauthorized granting of access rights, creation or deletion of accounts, disabling of the firewall) and by vulnerabilities in the products through which violators can gain access to a company's data.
Collecting events from different sources: network hardware, PCs, security systems, OSs
Analyzing data and making correlations, detecting incidents
Recording incidents and notifying in real time