For Kaufmann, managed services offer a first line of defense. The vendor can provide around-the-clock monitoring and is empowered to address threats without waking up Amedisys security staff in the middle of the night.
Along with immediate responses to security incidents, a relationship with a managed service provider can give organizations a leg up on recruiting, Kaufmann says.
“You’re not just bringing in people to staff a security operations center,” he says. “You can invest in employees at a higher level. You can hire advanced engineers. You can hire for expertise in developing an enterprisewide security strategy.”
How Does SIEM Help Spot Cyberattacks?
Guidance from the IRS suggests organizations evaluating SIEM systems should look for automated data analysis, near real-time alerts, actionable information and quick ramp-up time that requires little training.
These capabilities matter given the increasing sophistication of cyberattacks, Gregory says. Where it once took months to gain access via brute-force attacks that were relatively easy to detect, today’s attackers can crack an identity in seconds. “They’re gathering intelligence, and they’re breaking into the right accounts to appropriate privileges,” he adds.
These attacks often span multiple resources, says Allie Mellen, principal analyst at Forrester. For example, an attacker may target a cloud-based application, get access to an employee ID, access the endpoint associated with that ID and then move laterally through the network.
“That spans a lot of controls. You need a holistic picture, not alerts about individual activities,” Mellen says. To that end, organizations also benefit from user behavior analytics, which build profiles of employees or devices interacting with the network to spot unusual behavior that might indicate an attack.
To gain such insight, SIEM systems need tight integration with security tools. After all, Abraham says, a SIEM platform can only send alerts related to data that it receives. If these connections don’t exist out of the box, a SIEM provider may add them upon request, or security teams may create them on their own.
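The multi-stage chain Mellen describes (cloud login, then an endpoint logon under the same identity, then fan-out to internal hosts) and the point that a SIEM can only alert on data it actually receives can both be shown with a small correlation routine. The following is an added example written for this article, not code from any vendor or from the people quoted; the event sources, field names, behaviour baseline and sample events are all constructed assumptions, not a real SIEM schema.

```python
"""Correlating low-signal events from several sources into one incident.

Added example (not from the article): a tiny SIEM-style correlation step
plus a user-behaviour baseline. The sources, fields, baseline and events
below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sources a SIEM might ingest:
# a cloud application, endpoint agents, and network flow logs.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:14:00", "source": "cloud_app", "user": "jdoe",
     "action": "login", "country": "RO"},
    {"ts": "2024-05-01T02:20:00", "source": "endpoint", "user": "jdoe",
     "action": "logon", "host": "WS-0417"},
    {"ts": "2024-05-01T02:31:00", "source": "netflow", "user": "jdoe",
     "action": "smb_connect", "src_host": "WS-0417", "dst_host": "FS-01"},
    {"ts": "2024-05-01T02:32:00", "source": "netflow", "user": "jdoe",
     "action": "smb_connect", "src_host": "WS-0417", "dst_host": "FS-02"},
    {"ts": "2024-05-01T02:33:00", "source": "netflow", "user": "jdoe",
     "action": "smb_connect", "src_host": "WS-0417", "dst_host": "DC-01"},
    # Ordinary daytime activity from another user, for contrast.
    {"ts": "2024-05-01T09:05:00", "source": "cloud_app", "user": "asmith",
     "action": "login", "country": "US"},
    {"ts": "2024-05-01T09:07:00", "source": "endpoint", "user": "asmith",
     "action": "logon", "host": "WS-0102"},
]

# Constructed behaviour baseline (what user behavior analytics would learn
# from weeks of history): usual countries and working hours per user.
BASELINE = {
    "jdoe": {"countries": {"US"}, "hours": range(7, 20)},
    "asmith": {"countries": {"US"}, "hours": range(7, 20)},
}


def parse_ts(s):
    return datetime.fromisoformat(s)


def anomalies_for(event):
    """Return baseline deviations for one event (the UBA part)."""
    profile = BASELINE.get(event["user"])
    if profile is None:
        return ["unknown_user"]
    found = []
    if event.get("country") and event["country"] not in profile["countries"]:
        found.append("unusual_country")
    if parse_ts(event["ts"]).hour not in profile["hours"]:
        found.append("off_hours")
    return found


def drop_source(events, source):
    """Simulate a log source the SIEM is not integrated with."""
    return [e for e in events if e["source"] != source]


def correlate(events, window=timedelta(hours=1), lateral_threshold=3):
    """Group events per user within a time window and build incidents.

    Instead of one alert per event, an incident describes which stages of
    the chain were observed: cloud login -> endpoint logon -> fan-out to
    several internal hosts. Severity follows the number of stages seen, so
    a source that is not connected to the SIEM visibly lowers it.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    incidents = []
    for user, evs in by_user.items():
        first = parse_ts(evs[0]["ts"])
        in_window = [e for e in evs if parse_ts(e["ts"]) - first <= window]
        dsts = {e["dst_host"] for e in in_window if e["source"] == "netflow"}
        stages = {
            "cloud_login": any(e["source"] == "cloud_app" and e["action"] == "login"
                               for e in in_window),
            "endpoint_logon": any(e["source"] == "endpoint" for e in in_window),
            "lateral_fanout": len(dsts) >= lateral_threshold,
        }
        anomalies = sorted({a for e in in_window for a in anomalies_for(e)})
        observed = [name for name, hit in stages.items() if hit]
        if stages["lateral_fanout"] or anomalies:
            severity = {3: "high", 2: "medium"}.get(len(observed), "low")
            incidents.append({"user": user, "stages": observed,
                              "anomalies": anomalies, "hosts": sorted(dsts),
                              "severity": severity})
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc)
    # With the endpoint source missing the same activity only reaches "medium".
    print(correlate(drop_source(SAMPLE_EVENTS, "endpoint")))
```

Run as written, the full event set yields one high-severity incident for `jdoe` and nothing for `asmith`, whose daytime login and logon match the baseline. Removing the endpoint events with `drop_source` leaves the identical attacker activity but drops the incident to medium, and removing the flow logs as well leaves only a low-severity baseline deviation, which is the practical consequence of Abraham's point: the correlation is only as complete as the integrations feeding it.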