Many organizations understand the value of capturing and correlating log events from different security platforms and have invested heavily in Security Information and Event Management (SIEM). SIEM technologies allow organizations to combine custom use-cases tailored to their business with distributed threat intelligence and incident management. To get the most out of your SIEM, pause to consider the following:
Are you using your SIEM to identify and track high-risk users?
As the threat landscape changes, organizations are complementing their advanced technical controls, like Next Generation Firewalls, with strong user awareness programs. They are also conducting regular phishing campaigns to identify high-risk users who are more likely to introduce entry points into secured networks. Organizations should consider capturing log data from those users’ workstations and writing custom use-cases to track those users’ activity, as well as conducting threat hunting exercises based on the output of recent phishing campaigns.
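The use-case described above, as an added example that is not part of the original post: a small correlation rule that takes the output of a phishing simulation, treats users who clicked or submitted credentials as high-risk, raises the severity of events from their workstations, and emits the hosts worth a hunting exercise. The event categories, severities and the phishing results are all constructed for illustration.

```python
"""Added example: SIEM-style correlation of phishing-simulation results
with workstation events. All data below is constructed for illustration."""

# Constructed output of a phishing campaign: what each user did.
PHISHING_RESULTS = [
    {"user": "alice", "action": "clicked"},
    {"user": "bob", "action": "submitted_credentials"},
    {"user": "carol", "action": "reported"},
]

# Constructed workstation/proxy events, already normalised by the SIEM.
EVENTS = [
    {"user": "alice", "host": "WS-101", "category": "newly_registered_domain"},
    {"user": "bob", "host": "WS-102", "category": "office_spawned_powershell"},
    {"user": "carol", "host": "WS-103", "category": "newly_registered_domain"},
    {"user": "dave", "host": "WS-104", "category": "office_spawned_powershell"},
]

# Assumed base severities per event category (1 = informational).
BASE_SEVERITY = {"newly_registered_domain": 2, "office_spawned_powershell": 3}


def high_risk_users(results, actions=("clicked", "submitted_credentials")):
    """Users whose simulation outcome marks them as high-risk."""
    return {r["user"] for r in results if r["action"] in actions}


def score_events(events, risky):
    """Attach a severity to each event; double it for high-risk users."""
    scored = []
    for e in events:
        sev = BASE_SEVERITY.get(e["category"], 1)
        flagged = e["user"] in risky
        if flagged:
            sev *= 2
        scored.append({**e, "severity": sev, "high_risk_user": flagged})
    return scored


def hunt_candidates(scored, threshold=4):
    """Hosts whose scored events reach the hunting threshold."""
    return [e["host"] for e in scored if e["severity"] >= threshold]


if __name__ == "__main__":
    risky = high_risk_users(PHISHING_RESULTS)
    for e in score_events(EVENTS, risky):
        print(e)
    print("hunt:", hunt_candidates(score_events(EVENTS, risky)))
```

The same event on a high-risk user's workstation lands above the hunting threshold while the identical event elsewhere does not, which is the prioritisation the post describes.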
Are you writing rules to track and alert on policy violations?
A well-managed SIEM can be a great tool for reporting on adherence to your organization’s internal written policies. Most organizations have documented security policies but rarely conduct a gap analysis to truly gauge if users understand and are following those policies. Use-cases that identify policy violations can help organizations understand when targeted training is needed or if a fundamental change to the policies is required.
Is your SIEM identifying systems with configuration issues or systems that are configured outside of your approved baseline?
A key component of any mature security program is creating a configuration baseline for systems. These baselines typically include things like disabling unnecessary ports, installing endpoint security solutions, and ensuring systems have up-to-date security patches. Once you have an approved baseline, it is important to be able to report on systems that fall outside of it and to apply compensating controls to reduce the risk those systems pose. A great example of this would be understanding which controls biomedical (BioMed) or other non-managed systems are missing and segmenting those systems from your private network.
Fortified Health Security develops comprehensive SIEM solutions to increase cybersecurity for healthcare organizations of every size and scope. Want to hear more? Contact our team today.
Fortified Health Security is committed to strengthening the security posture of healthcare organizations. In the spirit of Cybersecurity Awareness month, we will be posting daily information for you to consider when maintaining your organization’s cybersecurity program.