Leveraging the data at hand to better secure and control your information
Nobody likes being left in the dark about what’s going on.
Conversely, too much information in any context soon drowns out what is pertinent and relevant.
The same holds true for information security.
So are you in the dark about the events and activities on your infrastructure, or swamped by information from logs, management systems and security devices? Or somewhere in between?
In an IT environment there is no end of sources providing low-level information, in the form of raw log data, on what is occurring in their corner of the infrastructure. If managed correctly, organised, processed, and presented in the right format to the right people, this information provides an insight into the security posture of your environment.
Luckily, solutions for log management and correlation exist; they are commonly termed Security Information and Event Management (SIEM) platforms.
SIEM technologies are generally divided into two primary functions:
- Security Information Management – centres on log collection and compliance reporting. This is the key function where compliance is the primary driver for the SIEM solution.
- Security Event Management – the monitoring and correlation of security-related events from multiple sources to flag a security event, its priority level, and its source information. The sources used are typically network and security devices, server platforms, and OS and application logs.
So if you have a PC infected with malware attempting to send spam out of your organisation, a modern SIEM will see this event in the firewall logs blocking the traffic and in the flow statistics on the routers. By the time it is flagged as a security event, the SIEM will already have correlated the AD, DHCP, and network syslog data, and can present the username, IP address, and network port of the offending machine in the alert, allowing quick remediation without a major manual investigation.
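To make that correlation step concrete, here is an added example in Python (not eircom’s code and not part of the original post): four constructed log extracts, a firewall deny log, DHCP leases, AD logon events and a switch MAC-learning syslog, plus a small routine that turns repeated blocked outbound SMTP from one host into a single alert enriched with username, hostname, MAC and switch port. All addresses, hostnames, account names and the exact log line formats are made up for the illustration; the switch "%MAC-LEARN" message in particular is a hypothetical format, not a real vendor syslog.

```python
"""Correlating firewall, DHCP, AD and switch logs into one enriched alert.

Added example, not eircom's code. All log lines below are constructed for
illustration; addresses, hostnames, accounts and formats are invented.
"""
import re
from collections import Counter

# Constructed firewall log: 10.20.5.17 has five blocked outbound SMTP (tcp/25)
# attempts, 10.20.5.31 has one. The ALLOW line must be ignored by the parser.
FIREWALL_LOG = """\
Mar 12 09:14:01 fw01 kernel: DENY OUT src=10.20.5.17 dst=203.0.113.9 proto=TCP dport=25
Mar 12 09:14:02 fw01 kernel: DENY OUT src=10.20.5.17 dst=198.51.100.22 proto=TCP dport=25
Mar 12 09:14:02 fw01 kernel: DENY OUT src=10.20.5.17 dst=203.0.113.45 proto=TCP dport=25
Mar 12 09:14:03 fw01 kernel: ALLOW OUT src=10.20.5.31 dst=203.0.113.80 proto=TCP dport=443
Mar 12 09:14:03 fw01 kernel: DENY OUT src=10.20.5.17 dst=198.51.100.7 proto=TCP dport=25
Mar 12 09:14:04 fw01 kernel: DENY OUT src=10.20.5.31 dst=203.0.113.9 proto=TCP dport=25
Mar 12 09:14:05 fw01 kernel: DENY OUT src=10.20.5.17 dst=203.0.113.12 proto=TCP dport=25
"""

# Constructed DHCP server log: IP -> MAC and hostname.
DHCP_LOG = """\
Mar 12 08:02:11 dhcp01 dhcpd: DHCPACK on 10.20.5.17 to 00:1B:63:84:45:E6 (LAPTOP-0423) via eth0
Mar 12 08:05:40 dhcp01 dhcpd: DHCPACK on 10.20.5.31 to 00:1B:63:12:9A:0C (LAPTOP-0517) via eth0
"""

# Constructed, simplified AD logon events (4624). 10.20.5.31 only has a
# machine-account logon, so no user can be attributed to it.
AD_LOG = """\
Mar 12 08:03:02 dc01 Microsoft-Windows-Security-Auditing: 4624 Account Name: jsmith Source Network Address: 10.20.5.17
Mar 12 08:06:15 dc01 Microsoft-Windows-Security-Auditing: 4624 Account Name: LAPTOP-0517$ Source Network Address: 10.20.5.31
"""

# Constructed switch syslog (hypothetical message format): MAC -> physical port.
SWITCH_LOG = """\
Mar 12 08:02:12 sw02 %MAC-LEARN: 00:1b:63:84:45:e6 learned on GigabitEthernet1/0/14 vlan 20
Mar 12 08:05:41 sw02 %MAC-LEARN: 00:1b:63:12:9a:0c learned on GigabitEthernet1/0/22 vlan 20
"""

FW_RE = re.compile(r"DENY OUT src=(\S+) dst=(\S+) proto=TCP dport=(\d+)")
DHCP_RE = re.compile(r"DHCPACK on (\S+) to (\S+) \((\S+)\)")
AD_RE = re.compile(r"4624 Account Name: (\S+) Source Network Address: (\S+)")
SW_RE = re.compile(r"%MAC-LEARN: (\S+) learned on (\S+)")


def parse_firewall_denies(text, dport=25):
    """Count blocked outbound TCP connections to dport, keyed by source IP."""
    hits = Counter()
    for m in FW_RE.finditer(text):
        src, _dst, port = m.groups()
        if int(port) == dport:
            hits[src] += 1
    return hits


def parse_dhcp(text):
    """Map IP -> (MAC, hostname) from the most recent DHCPACK seen per IP."""
    leases = {}
    for m in DHCP_RE.finditer(text):
        ip, mac, host = m.groups()
        leases[ip] = (mac.lower(), host)  # normalise MAC case across sources
    return leases


def parse_ad_logons(text):
    """Map IP -> last user logon (4624); machine accounts ending in $ are skipped."""
    users = {}
    for m in AD_RE.finditer(text):
        account, ip = m.groups()
        if not account.endswith("$"):
            users[ip] = account
    return users


def parse_switch(text):
    """Map MAC -> switch port from MAC-learning messages."""
    return {mac.lower(): port for mac, port in SW_RE.findall(text)}


def correlate(fw_log, dhcp_log, ad_log, sw_log, threshold=5):
    """Raise one alert per host with >= threshold blocked SMTP attempts,
    enriched with DHCP, AD and switch context. Missing context is reported
    as 'unknown' rather than dropping the alert."""
    leases, users, ports = parse_dhcp(dhcp_log), parse_ad_logons(ad_log), parse_switch(sw_log)
    alerts = []
    for ip, count in parse_firewall_denies(fw_log).most_common():
        if count < threshold:
            continue
        mac, host = leases.get(ip, (None, None))
        alerts.append({
            "rule": "outbound-smtp-blocked",
            "src_ip": ip,
            "blocked_smtp_attempts": count,
            "hostname": host or "unknown",
            "mac": mac or "unknown",
            "username": users.get(ip, "unknown"),
            "switch_port": ports.get(mac, "unknown") if mac else "unknown",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(FIREWALL_LOG, DHCP_LOG, AD_LOG, SWITCH_LOG):
        print(alert)
```

With the default threshold only LAPTOP-0423 is raised, attributed to jsmith on GigabitEthernet1/0/14; lowering the threshold to 1 also raises 10.20.5.31, whose username stays "unknown" because the only AD logon from that address was a machine account. That "unknown" is the caveat a real deployment has to plan for: the enrichment is only as good as the time alignment between the DHCP lease, the logon event and the firewall deny, so a production rule should also bound the lookup to the lease window rather than taking the last record seen.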
SIEM platforms have been around for many years and are traditionally deployed on public-facing infrastructure, particularly where the system processes financial transactions and is subject to PCI DSS compliance.
But there is merit in extending this principle and solution to the rest of the enterprise network. We are seeing more and more interest in this approach in our customer base, mainly due to the dissolution of the network perimeter through mobility solutions and the growth of shared services serving staff, customers, contractors, and partners on the enterprise network. SIEM provides a method to police, report on, investigate, and audit activity on your infrastructure.
To date, implementing a SIEM solution hasn’t been particularly cheap or easy: the architecture and price point of many SIEM solutions are targeted at large global companies and are unsuitable for the typical scale and budgets of the Irish market. A SIEM solution also requires a complementary operational model to action, and potentially triage, the events raised by the system, which has again presented a challenge to many organisations.
This is why eircom have developed a Managed SIEM service that lives in the cloud and provides a consumption-based pricing model for delivering and operating a SIEM solution. The operations piece is delivered by eircom’s highly accredited security professionals.
The customer will have access to a dashboard that displays the current security posture of their infrastructure and can easily generate reports to answer any audit requirements. The solution is an enhanced SIEM which blends traditional information feeds with proactive assessments of the infrastructure’s operational state to better judge the presence and impact of malicious events.
With this product eircom are making the benefits of Security Information and Event Management available and affordable to our customer base, enabling them to better secure their critical information.
You will see more information on this product in the press over the coming months; if you would like more information in the interim, please contact me at email@example.com.
Martin Carry is eircom’s Security Solutions Principal. Connect with Martin on LinkedIn.