What is SIEM and why does it matter?

Our partner and Chief Information Officer, Sarah Ellis, sat down to discuss what Security Information and Event Management (SIEM) is and why it is important. The conversation has been lightly edited. You can read a summary below.

Trey Hiller: Hi everyone, I am Trey and am joined by Sarah Ellis, who is one of the partners here at Clear Guidance and our Chief Information Officer. This week, we are going to discuss SIEM. Sarah, can you share what it is, why it’s important, and all the good stuff?
Sarah Ellis:
To start off, SIEM stands for security information and event management. Quite a mouthful, but you might be hearing about this from your MSPs pushing it as something that will help keep your company safe, or at the very least, make sure that should the worst happen, you know exactly how to root out the bad guys. I'd like to describe what it does, and then I'll get to why it's really important.

First, what does SIEM do? You have an event log of every single thing that happens on your network: the servers, e-mail, everything. With Microsoft and your firewall, it comes by default. Depending on how much information is going through, you could have anywhere from a week to 30 days on there. There is generally a finite amount of room, and once it’s gone, it’s gone. Not only that, but it can be deleted. If a hacker is in your system, one of the first things the hacker might do is delete any evidence that they were there. Maybe the hacker wasn’t smart enough to delete that information, but they have been in your system for two months. Now, you as a company have no idea when they got in there because the logs don’t go far enough back. With SIEM, it takes those logs and, depending on the plan, can keep them anywhere from 90 days to a year. You also need to keep these logs off-site. Keep them in the cloud or behind a barrier that a bad actor could never access to delete any evidence of what they’ve done.

Recently, we had a client who had to file a claim, and a forensics team was brought in to determine where the breach occurred, when it occurred, and so on. This client did not have SIEM deployed. Luckily, we caught this hacker right away, and the hacker wasn’t very smart and gave himself away very quickly. That won’t always be the case. This client has a lot of activity every single day. There’s no way those logs would have been around, so luckily, the forensics team came in and was able to use what we had because we stopped it immediately. In the future, when you file a claim, and you know it’s not if but when something is going to happen, the forensics team is going to come in and ask for the logs. If you don’t have a SIEM solution, then you may not have the logs to show them, and suddenly your claim gets much higher because they’re having to do a lot of extra legwork to investigate what happened.
Where you need this in particular is around cyber insurance claims, right? We’re seeing more and more cyber insurance companies not outright requiring it yet, but we do believe that’s on the horizon. Again, the more claims there are, the more they end up having to pay out when they simply don’t have the answers right in front of them.
Trey Hiller:
So, would you recommend this to your average client?
Sarah Ellis:
Yes, I would. It’s not overly expensive; it’ll add anywhere from $5 to $7 a month per person to your bill. As a long-term investment strategy, it makes total sense. If you work with sensitive information at all, and I would say the vast majority do, then it’s especially important. We have started recommending it to all our clients and rolling it out as quickly as we can. We anticipate that within the next two years, it’s going to be pretty standard across the industry.
Trey Hiller:
So you think within the next few years, pretty much all law firms, financial firms are going to need some sort of long-term?

Sarah Ellis: If you don't want an outrageously high premium on your cyber insurance policy, yes, you will probably need this.

Trey Hiller: If your firm needs any help implementing SIEM or has any questions on how it works, we would love to be a resource for the firm!

Trey Hiller