
Security Information and Event Management (SIEM) for SMEs
An affordable service for SMEs
- 01
SIEM is an acronym for Security Information and Event Management. It is a software solution which allows businesses to detect, analyse and respond to potential security threats across their organisation.
Security threats are detected by analysing behaviours and activities which are considered to be abnormal or suspicious, using threat rules and threat intelligence. Once a potential threat is detected, alerts are automatically created to allow security personnel to investigate and respond to the threat.
The SIEM solution allows businesses to understand the risks and threats to their environment, to manage and evaluate these, and put in place suitable responses to protect their digital assets and reduce security risks.
- 02
No. When used, SIEM should form part of an overall security strategy which may include, but not necessarily be limited to:
Configuration of routers, firewalls, user and system security
Regular patching and update of operating systems and software
Backup and recovery strategies for all mission-critical systems and data
End-point protection including anti-virus and anti-malware solutions
Multi-factor authentication for logging into systems
Cyber-security awareness
- 03
Data breaches and cybercrime can bring businesses to a standstill and damage brand, customer loyalty and the partnerships that a business has. All businesses are vulnerable to cybercrime. Gone are the days when you could just put in place a firewall and some anti-virus software; the cybersecurity threats of today are evolving and have become more sophisticated.
Reasons why an organisation may require a SIEM solution:
To meet compliance requirements, where reporting on security events or data breaches is required. Without SIEM, the organisation would need to manually retrieve logs and compile reports.
To protect sensitive data and systems which are managed by the business. Often businesses are unaware of attempted infiltrations until it is too late, and they do not have systems in place to detect and respond to malicious activities. The quicker a threat is identified, the quicker the response, and therefore the more secure IT systems will be, reducing the overall risk to the business.
- 04
SMEs (Small to Medium Enterprises) tend to be more vulnerable as they have far fewer resources to protect themselves than larger businesses. SMEs also face a number of challenges. Typically, SMEs don’t have the budget for enterprise security solutions or the in-house expertise required to implement IT solutions. Hackers target SMEs because they can be easier to infiltrate; sometimes they are the weak point in a supply chain and a way to penetrate larger enterprises that have stronger security.
Implementing SIEM can assist SMEs in spending their limited budgets on the areas which represent the highest degree of risk.
- 05
We realise that SMEs don’t have the big budgets that larger businesses have, so we have put together a cost-effective solution using Microsoft’s Azure Sentinel technology. Our solution includes pre-built threat rules from Microsoft as well as a set of customised rules and reports which we believe are essential for SMEs. We continually add to the threat rules as the threat landscape changes and new requirements are identified.
We design, configure and implement the solution within your Microsoft Azure system. You own the solution and the log data.
We work with your IT support staff and/or Managed Service Provider to escalate issues in accordance with procedures we determine with you.
- 06
Microsoft Log Analytics allows the retention of log data for up to 2 years within your own tenancy, so you are not at risk of losing data when changing IT providers.
Log data can be collected from a great many logging platforms; Azure, Microsoft 365, Windows and Linux agents, and Syslog are some of the more common ones supported.
- 07
Many MSPs and Security Consultants offer 3rd party log collection and analysis solutions. Whilst sometimes more cost-effective (and sometimes not), these solutions often mean you lose control of your log data. There are rarely options to exchange the log data between providers, and if you decide to change, you’re faced with either paying both the old and new providers to maintain log data, or losing your history and starting again.
- 08
Microsoft and others have some great tutorials on setting up Log Analytics and Sentinel. Someone familiar with the Azure platform and with good system administration skills can quite easily get some form of logging and analysis running.
However, here are a few reasons why this isn’t necessarily the best idea:
It can be difficult for a small team to be responsible for configuring and supporting an environment and then finding the time and developing the skills to also monitor system activity
Effective use of the Sentinel/Log Analytics platform requires Kusto Query Language (KQL) skills and familiarity with Azure workflows
Effective security requires “checks and balances”. If the person responsible for configuring and supporting devices is also the one responsible for looking for anomalies, then potential issues can be overlooked
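As an added illustration of the threat-rule-to-alert flow described in section 01 and of the Kusto Query Language skills mentioned above (example code written for this page, not part of the provider's rule set): a scheduled Sentinel analytics rule query over the Azure AD sign-in logs that Sentinel ingests from Microsoft 365 into the SigninLogs table. The table and column names are the standard Sentinel schema; the lookback window and thresholds are assumed values to be tuned per tenant.

```kql
// Added example analytics rule query (not the provider's own rules).
// Source: Azure AD sign-in events ingested into the SigninLogs table.
// Goal: surface accounts with a burst of failed sign-ins from several
// source IPs, a typical password-spray / brute-force pattern, so Sentinel
// can raise an alert for the analyst to investigate.
let lookback = 1h;            // assumed: matches the rule's scheduled lookback
let failureThreshold = 10;    // assumed: failed attempts per account in the window
let ipThreshold = 3;          // assumed: distinct source IPs per account in the window
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"     // "0" is a successful sign-in; anything else is a failure
| summarize
    FailedAttempts = count(),
    DistinctIPs    = dcount(IPAddress),
    SourceIPs      = make_set(IPAddress, 20),   // keep a sample of the IPs seen
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
    by UserPrincipalName
| where FailedAttempts >= failureThreshold and DistinctIPs >= ipThreshold
| project FirstSeen, LastSeen, UserPrincipalName, FailedAttempts, DistinctIPs, SourceIPs
// In the rule definition, map UserPrincipalName to the Account entity so the
// resulting incident lets the analyst pivot straight to the affected user.
```

Sentinel runs a rule like this on its schedule and creates an incident for each account returned; review the thresholds against your tenant's normal failure rate before enabling it, otherwise routine mistyped passwords will generate noise.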