Basics and concepts of information security monitoring

Alerts in information security monitoring

Easy
20 min

What do alerts mean in cybersecurity monitoring?

We have now covered several key areas of cybersecurity monitoring, such as what log sources are, what types of log sources exist, how networks can be monitored with IDS/IPS software, and how log sources can be stored and analyzed in SIEM software.

However, this is not enough. In the real world, there is often not enough time to search for threats manually by digging through logs, so organizations typically create rules that can be used to generate alerts. For example, a rule could be "Alert if a user tries to log in with an unusual IP address" or "Alert if the firewall detects a suspiciously high amount of network traffic from one IP address".

It is often also very important to enrich existing logs with other available information, so that meaningful findings can be extracted from these vast jungles of log data.

Protection: protecting information systems and networks from malicious software and disruption

Data enrichment

Data enrichment means collecting and integrating additional information into the log, so that the SIEM system can better understand and assess the significance of events. This may include, for example, converting IP addresses into geographical locations, associating user accounts with organization users, or adding identification information to events. Enriched data enables more precise analysis and more effective prioritization of alerts.

For example, if a SIEM system detects an unusual login attempt, it can enrich the event with additional details such as the user's location, login attempt date and timestamp, and user type. With this information, the system can generate a precise alert and automatically assess its severity, helping the security team to react quickly and appropriately.
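The two example rules above ("unusual IP address" and "suspiciously high traffic from one IP") together with the enrichment and severity step, as an added Python example that is not part of the course material; the log lines, lookup tables, threshold and severity logic are all constructed assumptions:

```python
# Added example (not from the course): two simple SIEM-style alert rules run over
# constructed login and firewall log records, then enriched from constructed lookup
# tables so that a severity can be derived. All data and thresholds are assumptions.
from collections import Counter, defaultdict

# Constructed sample logs: login events and firewall connection records.
LOGIN_LOGS = [
    {"user": "alice", "ip": "10.0.0.5", "ts": "2024-01-10T08:01:00"},
    {"user": "alice", "ip": "10.0.0.5", "ts": "2024-01-11T08:03:00"},
    {"user": "alice", "ip": "203.0.113.77", "ts": "2024-01-12T03:15:00"},
    {"user": "bob", "ip": "10.0.0.9", "ts": "2024-01-12T09:00:00"},
]
FIREWALL_LOGS = [{"src": "198.51.100.4", "dst": "10.0.0.20"}] * 120 + [
    {"src": "10.0.0.9", "dst": "10.0.0.20"}] * 3

# Constructed enrichment sources: IP -> location, username -> user type.
GEO = {"10.0.0.5": "Helsinki (office)", "203.0.113.77": "Unknown (external)",
       "198.51.100.4": "Unknown (external)", "10.0.0.9": "Helsinki (office)"}
USERS = {"alice": "admin", "bob": "employee"}

def rule_unusual_login_ip(logs):
    """Alert when a user logs in from an IP not seen in that user's earlier events."""
    seen = defaultdict(set)
    alerts = []
    for e in logs:
        if seen[e["user"]] and e["ip"] not in seen[e["user"]]:
            alerts.append({"rule": "unusual_login_ip", **e})
        seen[e["user"]].add(e["ip"])
    return alerts

def rule_high_traffic(logs, threshold=100):
    """Alert when one source IP appears in more than `threshold` firewall events."""
    counts = Counter(e["src"] for e in logs)
    return [{"rule": "high_traffic", "ip": ip, "count": n}
            for ip, n in counts.items() if n > threshold]

def enrich(alert):
    """Attach location and user type, then derive a severity from the enriched fields."""
    alert = dict(alert)
    alert["location"] = GEO.get(alert["ip"], "Unknown")
    alert["user_type"] = USERS.get(alert.get("user"), "n/a")
    external = alert["location"].startswith("Unknown")
    admin = alert["user_type"] == "admin"
    alert["severity"] = "high" if external and admin else "medium" if external else "low"
    return alert

def run_rules():
    """Evaluate both rules and return the enriched alerts in detection order."""
    alerts = rule_unusual_login_ip(LOGIN_LOGS) + rule_high_traffic(FIREWALL_LOGS)
    return [enrich(a) for a in alerts]
```

The admin login from an unknown external address is rated high, while the traffic spike with no associated user is rated medium.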


What remains?

Once all of these steps are in place, what remains is to monitor the alerts. When an alert fires, we can begin examining the related logs more closely and react as the situation requires.
