SageNet's Vice President and CISO talks about SIEMonster

Paul Truitt, Vice President, Cybersecurity & Chief Information Security Officer (CISO) of SageNet, discusses SIEMonster


As IT infrastructures have become more sophisticated and complex, so have the cyberattacks that attempt to infiltrate them. Advanced persistent threats (APTs) are capable of sneaking past defenses and operating undetected for weeks or even months. There are often signs that an attack is taking place, but organizations lack effective tools for monitoring threats and correlating security event information, and in many cases they dismiss those signs as false positives.

Many times these events go undetected because of the large volume of data coming from security tools, each of which requires a review of its own dashboards and reports. This piecemeal approach can leave gaps in security, both because events from different tools are never correlated and because of the sheer volume of log files and alerts.

In a Ponemon Institute study released in 2015, surveyed organizations said they received an average of 16,937 cyber security alerts each week. Only 19 percent of those alerts were considered reliable and only 4 percent were actually investigated. Survey respondents reported spending almost 21,000 hours a year, on average, analyzing false negatives and positives.

Security information and event management (SIEM) systems are designed to identify statistical anomalies and translate cybersecurity alerts into actionable intelligence. In essence, a SIEM tool collects security-related data from a wide range of sources across the enterprise network and sends it to a central console for review. Data from servers, applications, network hardware, security systems and end-user devices is correlated and analyzed for trends and patterns that may signal a security issue. Many times the logs from an individual security tool appear normal, but when they are reviewed together with other system logs and against historical trend data, the needle in the haystack can be found.

SIEM systems combine the functionality of security information management (SIM) and security event management (SEM) tools. A SIM system collects event logs from various systems and stores them in a central repository. A SEM system adds analysis tools and centralized reporting for compliance. Together they create a comprehensive system for detecting and responding to malicious behavior.
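To make the two preceding paragraphs concrete, here is a small added example (written for this page, not code from SIEMonster, Kustodian or SageNet) of what a SIEM does: normalise log lines from different tools into one schema (the SIM half), run a per-source rule over each stream, and then correlate the weak signals on user and time against a historical baseline (the SEM half). The log lines, hosts, user names, addresses, byte counts and baseline figures are all constructed for the example; a forced-looking login and a large upload each look unremarkable in their own tool's dashboard, but together they produce one alert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from two tools (a VPN concentrator and an
# identity-aware firewall). Hosts, users, addresses and byte counts are
# made up for this example; none of this is real data.
AUTH_LOGS = [
    "2016-03-01T08:55:00 vpn01 auth user=akhan src=198.51.100.20 result=OK",
    "2016-03-01T09:00:01 vpn01 auth user=jsmith src=203.0.113.7 result=FAIL",
    "2016-03-01T09:00:04 vpn01 auth user=jsmith src=203.0.113.7 result=FAIL",
    "2016-03-01T09:00:09 vpn01 auth user=jsmith src=203.0.113.7 result=FAIL",
    "2016-03-01T09:00:15 vpn01 auth user=jsmith src=203.0.113.7 result=OK",
]
FIREWALL_LOGS = [
    "2016-03-01T09:02:30 fw01 egress user=jsmith dst=192.0.2.44 bytes=734003200",
    "2016-03-01T09:05:00 fw01 egress user=akhan dst=192.0.2.10 bytes=5242880",
]
ALL_LOGS = AUTH_LOGS + FIREWALL_LOGS

# Historical trend data: each user's typical outbound volume per day (constructed).
BASELINE_EGRESS_BYTES = {"jsmith": 40 * 1024 * 1024, "akhan": 35 * 1024 * 1024}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_line(line):
    """Normalise one raw line into a common event schema (the SIM half).

    Every event carries ts, host and kind plus the tool's key=value fields,
    so rules are written once regardless of which tool produced the line.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, kind, rest = m.groups()
    event = dict(kv.split("=", 1) for kv in rest.split())
    event.update(ts=datetime.fromisoformat(ts), host=host, kind=kind)
    return event


def detect_brute_force_success(events, min_fails=3, window=timedelta(seconds=60)):
    """Single-source rule: >= min_fails failures for one user/src, then a success.

    Low confidence on its own: a user mistyping a password looks the same.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["kind"] == "auth":
            by_key[(e["user"], e["src"])].append(e)
    hits = []
    for (user, src), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "OK":
                continue
            recent_fails = [f for f in evs[:i]
                            if f["result"] == "FAIL" and e["ts"] - f["ts"] <= window]
            if len(recent_fails) >= min_fails:
                hits.append({"user": user, "src": src, "ts": e["ts"],
                             "fails": len(recent_fails)})
    return hits


def detect_egress_anomaly(events, baseline, factor=3):
    """Single-source rule: outbound volume well above the user's historical baseline.

    Also low confidence alone: a legitimate backup or upload looks the same.
    """
    hits = []
    for e in events:
        if e["kind"] != "egress":
            continue
        sent = int(e["bytes"])
        normal = baseline.get(e["user"])
        if normal and sent > factor * normal:
            hits.append({"user": e["user"], "dst": e["dst"], "ts": e["ts"],
                         "bytes": sent, "ratio": round(sent / normal, 1)})
    return hits


def correlate(events, baseline, window=timedelta(minutes=10)):
    """The SEM half: join the two weak signals on user and time into one alert."""
    alerts = []
    egress = detect_egress_anomaly(events, baseline)
    for login in detect_brute_force_success(events):
        for flow in egress:
            if flow["user"] == login["user"] and \
               timedelta(0) <= flow["ts"] - login["ts"] <= window:
                alerts.append({"user": login["user"], "src": login["src"],
                               "login_ts": login["ts"], "egress_ts": flow["ts"],
                               "dst": flow["dst"], "ratio": flow["ratio"]})
    return alerts


def run(lines=ALL_LOGS, baseline=BASELINE_EGRESS_BYTES):
    """Parse every line, drop unparseable ones, and return the correlated alerts."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return correlate(events, baseline)


if __name__ == "__main__":
    for a in run():
        print(f"ALERT {a['user']} from {a['src']}: login after repeated failures at "
              f"{a['login_ts']:%H:%M:%S}, then {a['ratio']}x baseline egress "
              f"to {a['dst']} at {a['egress_ts']:%H:%M:%S}")
```

Run as-is, the example raises exactly one alert, for jsmith: three failed VPN logins followed by a success, then an upload 17.5 times that user's baseline two minutes later. akhan's normal login and small transfer produce nothing. A production SIEM adds many more sources, persistent storage, and tuning of thresholds and windows, but the shape of the work (normalise, apply rules per stream, correlate across streams and against history) is the same.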

Unfortunately, commercial SIEM systems tend to be complex and expensive. Many organizations, particularly small to midsize businesses, lack the resources to implement them. Open source tools can be used to build a SIEM system, but that requires significant time and expertise.

Fortunately, Kustodian has done all of the work for you with SIEMonster. Built from open source modules, SIEMonster includes the dashboards, plugins and incident response tools found in an enterprise-class SIEM system. Yet the SIEMonster Community Edition is free to download, with full documentation and no data or node limitations. Kustodian also offers a Premium Edition, which adds advanced correlation and advanced scheduling, for $4,999 per year.

SIEMonster can monitor endpoint devices from a wide range of vendors including SCADA equipment and virtually anything that generates a log file. The solution has been proven in an enterprise environment with more than 20,000 users.

Kustodian recently selected SageNet as its preferred partner in North America. SageNet can offer both the Community and Premium Editions of SIEMonster as well as a multitenant edition for managed security service providers. In addition, SageNet is offering a turnkey managed SIEM environment including 24x7x365 security event monitoring by highly qualified cybersecurity experts.

SIEM can cut through the “noise” created by too many security alerts, but few organizations have the budget or expertise to deploy traditional SIEM solutions. With SIEMonster, organizations of all sizes can take advantage of real-time monitoring and alerting.