by Jasmine Chennikara-Varghese, Greenlight Technologies

Security breaches are costly. Just ask Target, Equifax and dozens of other large organizations who have experienced data breaches in the past few years. To improve the ability to detect and respond to security incidents, companies are implementing more mature cyber security processes to defend their cyber landscape and to satisfy compliance requirements. As a result, SIEM (Security Information and Event Management) solutions have become the go-to approach for many cyber security teams.

SIEMs have been successful in knitting siloed network and device data together to give a cohesive picture of what is happening in the cyber landscape. SIEMs can collect a variety of device and network data such as system logs, firewall logs, IDS alerts, packet data, and flow data. Designed to enable the non-expert to analyze the cyber landscape, many SIEMs offer a number of correlations to provide intelligence on malware propagation, vulnerability scan results and other indicators of compromised systems.

As SIEMs are maturing they need to also have visibility into the applications operating within the cyber landscape. However, using the SIEM to delve into the user activities and transactions of critical business systems is challenging due to the lack of common data formats and the diversity of the transactions and events in these complex applications. Without application level information, the SIEM has limited insight into which users are accessing sensitive data, making system configuration changes and modifying master data. Thus a typical SIEM probably cannot alert you when an admin user created a new privileged user account which just accessed 10,000 credit card records in your ERP system.

Oftentimes the business applications you need to monitor already have some internal logging and auditing capabilities that can be leveraged to understand the application activities. But even with that data available, when a breach does happen, it can take hours, days or even weeks of arduous sifting through logs and audit data to understand the extent of the breach. Extracting and normalizing the application activity data is no easy task especially for custom applications or specially configured applications. To ingest the application data into the SIEM can require application experts to work alongside security teams to build extractors, log learning rules and correlation rules in the SIEM to find events of interest. This can become a time-consuming, resource-intensive undertaking and requires continuous maintenance as applications are updated and new applications deployed.

Greenlight Application Security Monitoring is built with an expert understanding of business applications to extract, normalize, analyze and alert on the user activity and transaction data. The enriched data from Greenlight empowers the SIEM to provide seamless visibility into network, device and application layer activities. And when a breach does happen, the right data to help understand the impact of the breach is at your fingertips.

Your SIEM is only as good as the data you feed into it. Contact us to find out how Greenlight can make your SIEM better.