SIEM including User Behavior Analytics

The central element for your IT security

Security Information and Event Management / SIEM

Detect and analyze: Analytics-based SIEM solution

Today’s security information and event management correlates all security-related data in real time, enriches it (threat intelligence), outputs actionable information, and enables rapid incident response.

What is a SIEM?

Security Information and Event Management combines two fundamental concepts, Security Information Management and Security Event Management, in one central instrument in order to improve the overall IT security of a company or organization, or to establish it in the first place.

A SIEM collects information from various sources (network infrastructure, IT security components, log files, Active Directory, …), processes it and makes the results available efficiently.

Taking into account external threats, security gaps are identified in real time and possible countermeasures are initiated.

What is a SIEM (Security Information and Event Management)?

To be able to detect unusual behavior patterns, the ‘usual’ behavior of all users must be known. Stolen or weak passwords in particular often enable an attacker to gain access to an IT system in the first place. Disguised as a normal user, he can then move around almost freely. Attackers also take advantage of malware when taking over individual assets and can move laterally between assets from there, for example by listening in on network traffic, evaluating it and misusing the information from it. With the right user behavior analysis, even attackers who try to disguise themselves as employees can be exposed.

We know a great many attack scenarios, and as soon as new attack methods become known, they are analyzed in order to detect future attacks even faster and more precisely. Deception technologies (see below) are also used to lure attackers onto false tracks in order to keep them busy for as long as possible without any potential for damage, thus giving the implemented procedures the time they need to react adequately. It is always clear on the basis of which criteria an alarm was triggered.

The vast majority of intrusions into IT systems start at the end device, which is why it is particularly important to gather information about precisely these sensitive locations. The results from user and attacker behavior analysis are used together with threat intelligence to detect and indicate questionable actions at an early stage. Questionable actions on an endpoint could be, for example, deleting local log files or performing privileged actions.
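The two detection ideas described above, a per-user baseline of "usual" behaviour and explicit rules for questionable endpoint actions such as deleting local log files or performing privileged actions, can be illustrated with a small correlation routine. The following is an added example written for this page, not the vendor's code; the event format (`timestamp|user|host|action|detail`), the sample events and the rule names are constructed. Each alert records the rule that fired, so the criterion behind an alarm stays visible.

```python
"""User behaviour baseline plus endpoint rules over constructed SIEM events.
Added example, not the vendor's product code. Event format, sample data and
rule names are assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed events in the form  timestamp|user|host|action|detail
HISTORY = [  # learning window: what "usual" looks like per user
    "2024-05-06T08:02:00|alice|ws-alice|login|",
    "2024-05-06T09:15:00|alice|ws-alice|login|",
    "2024-05-07T10:40:00|alice|ws-alice|login|",
    "2024-05-07T14:05:00|alice|ws-alice|login|",
    "2024-05-06T09:00:00|bob|ws-bob|login|",
    "2024-05-07T17:30:00|bob|ws-bob|login|",
]
NEW_EVENTS = [  # events to evaluate against the baseline and the endpoint rules
    "2024-05-08T09:05:00|alice|ws-alice|login|",
    "2024-05-08T02:30:00|alice|srv-db01|login|",
    "2024-05-08T11:00:00|bob|ws-bob|delete|/var/log/auth.log",
    "2024-05-08T11:01:00|bob|ws-bob|sudo|/bin/bash",
    "2024-05-08T11:02:00|bob|ws-bob|open|/home/bob/notes.txt",
]

# Directories whose files are local logs; deleting them is questionable.
LOG_DIRS = ("/var/log/", "C:\\Windows\\System32\\winevt\\Logs\\")
# Actions treated as privileged on an endpoint (constructed list).
PRIVILEGED_ACTIONS = {"sudo", "runas", "group_add_admin"}


def parse(line):
    """Split one pipe-delimited event line into a dict with a real datetime."""
    ts, user, host, action, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "action": action, "detail": detail}


def build_baseline(lines):
    """Per user: the hosts they log in from and the hours at which they do it."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ev in map(parse, lines):
        if ev["action"] == "login":
            baseline[ev["user"]]["hosts"].add(ev["host"])
            baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return dict(baseline)


def detect(lines, baseline):
    """Evaluate events; every alert names the rule that fired and why."""
    alerts = []

    def alert(ev, rule, why):
        alerts.append({"rule": rule, "user": ev["user"], "host": ev["host"],
                       "time": ev["ts"].isoformat(), "why": why})

    for ev in map(parse, lines):
        profile = baseline.get(ev["user"])
        if ev["action"] == "login":
            if profile is None:
                alert(ev, "uba.unknown_user", "no baseline exists for this user")
                continue
            if ev["host"] not in profile["hosts"]:
                alert(ev, "uba.unusual_host", f"never logged in from {ev['host']} before")
            if ev["ts"].hour not in profile["hours"]:
                alert(ev, "uba.unusual_hour",
                      f"login at hour {ev['ts'].hour:02d} is outside usual hours")
        elif ev["action"] == "delete" and ev["detail"].startswith(LOG_DIRS):
            alert(ev, "endpoint.log_deletion", f"local log file removed: {ev['detail']}")
        elif ev["action"] in PRIVILEGED_ACTIONS:
            alert(ev, "endpoint.privileged_action", f"{ev['action']} {ev['detail']}")
    return alerts


def analyze():
    """Run the constructed scenario: learn from HISTORY, evaluate NEW_EVENTS."""
    return detect(NEW_EVENTS, build_baseline(HISTORY))


if __name__ == "__main__":
    for a in analyze():
        print(a["time"], a["rule"], a["user"], a["host"], "-", a["why"])
```

In the constructed data, alice's login from `srv-db01` at 02:30 raises both an unusual-host and an unusual-hour alert, bob's deletion of `/var/log/auth.log` and his `sudo` each raise an endpoint alert, and the ordinary login and file open raise nothing. A production baseline would be learned over a longer window and would be tolerant of occasional new hours, but the structure (learn what is usual, then explain every deviation by rule) is the same.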

Even after an averted attack, all information is available to analyze what happened before, during and even after the attack. Endpoint detection is possible in real time.

Detailed insights into the activities of the network and the devices connected to it are shown.

This enables potential attacks against your IT infrastructure to be detected at an early stage and countermeasures to be initiated. Information for subsequent analysis of an attack or attempted attack is thus also available.

Many different systems, assets and users lead to countless different log files with millions of entries every day. These are analyzed, correlating information is merged and examined for possible security or even compliance violations.

Highly relevant events (e.g., possible threat situation) are submitted accordingly for immediate review.

Analyzing, detecting and preventing attacks is not enough. If an attacker manages to compromise the IT infrastructure, it is important to encourage him to stay. Special technologies – e.g. honeypots, honey users, honey credentials and also honey files – make the attacker believe he has found a lucrative target. At the same time, the attacker is prevented from penetrating deeper into the infrastructure at an early stage. While he is busy, the attack is analyzed until the attacker can be found, removed and possibly identified.

Critical files and information must be protected against unauthorized changes, and any authorized changes must be reliably logged or audited.
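File integrity monitoring as described above comes down to recording a cryptographic baseline of critical files and then reporting every deviation, with authorized changes logged rather than alarmed. The following is an added example written for this page, not the vendor's implementation; the file names, contents and the "authorized change" list are constructed, and the whole scenario runs in a temporary directory.

```python
"""File integrity monitoring: build a SHA-256 baseline, then classify changes.
Added example, not the vendor's product code. Files, contents and the list of
authorized paths are constructed for illustration."""
import hashlib
import os
import shutil
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file below root (relative, '/'-separated path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def check_integrity(root, baseline, authorized=frozenset()):
    """Compare the current tree with the baseline.

    Returns one finding per changed path: what happened (added / removed /
    modified) and whether an authorization record covers that path. Authorized
    changes are still returned so they are logged; unauthorized ones are alerts.
    """
    current = build_baseline(root)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            status = "removed"
        elif rel not in baseline:
            status = "added"
        elif baseline[rel] != current[rel]:
            status = "modified"
        else:
            continue  # unchanged
        ok = rel in authorized
        findings.append({"path": rel, "status": status, "authorized": ok,
                         "severity": "info" if ok else "alert"})
    return findings


def demo():
    """Constructed scenario: three critical files; one authorized edit, one
    unauthorized edit, one unexpected new file and one deletion."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        os.makedirs(os.path.join(root, "etc"))
        seed = {"etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                "etc/sudoers": b"root ALL=(ALL) ALL\n",
                "etc/hosts": b"127.0.0.1 localhost\n"}
        for rel, content in seed.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        baseline = build_baseline(root)

        # Authorized change, covered by a change ticket: a new hosts entry.
        with open(os.path.join(root, "etc/hosts"), "ab") as fh:
            fh.write(b"10.0.0.5 db01\n")
        # Unauthorized changes: sudoers edited, an unexpected file appears,
        # and a critical file disappears.
        with open(os.path.join(root, "etc/sudoers"), "ab") as fh:
            fh.write(b"eve ALL=(ALL) NOPASSWD: ALL\n")
        with open(os.path.join(root, "etc/unexpected.conf"), "wb") as fh:
            fh.write(b"# not in baseline\n")
        os.remove(os.path.join(root, "etc/passwd"))

        return check_integrity(root, baseline, authorized=frozenset({"etc/hosts"}))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['severity']:5} {f['status']:8} {f['path']}"
              + ("  (authorized)" if f["authorized"] else ""))
```

The baseline itself must be stored where the monitored host cannot rewrite it (a signed store or the SIEM's own database), otherwise an attacker who can change the file can also change the recorded hash. The authorization list is what turns the audit requirement in the standards listed below into practice: a change that matches a ticket is logged at info level, anything else is an alert.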

Various standards enforce such a procedure:

  • PCI Requirement 10: Audit logging and log management
  • NIST CSF Detect: User Monitoring
  • PCI, HIPAA, GDPR: File Integrity Monitoring (FIM)

Automation

A wide range of activities can be automated:

  • Containment of threats on endpoints
  • Decommissioning/reactivation of user accounts
  • Integration with ticket systems