Because threats have become so advanced in recent years, security technologies have continued to evolve to keep pace with the latest threat vectors. If you’ve been looking into ways to improve your organization’s information security posture, you may be faced with a dizzying array of technologies, each addressing a different aspect of that posture in a different way. You may be left wondering what the difference is between technologies such as IDS/IPS, UTM, and SIEM. Let’s look at some of the basic differences in approach between them.
Intrusion Detection Systems / Intrusion Prevention Systems (IDS/IPS)
Intrusion Detection and Prevention Systems both work by actively monitoring your network traffic for unusual patterns or suspicious behavior. For example, an unusually high volume of data being directed to an external IP—maybe one based in a country your organization does not do business in—might trigger an IDS or IPS alert. The main difference between IDS and IPS is that while IDS will alert on unusual traffic, it is a passive system and does not prevent or stop the activity. By contrast, an IPS sits inline and typically integrates firewall-like functions, so it can block the suspicious flow and deny the traffic as quickly as possible. Both technologies are largely signature-based: they work by identifying traffic patterns that match known attack methods. This means they may be ineffective against the latest threats if no signature has yet been written for the attack.
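To make the IDS-versus-IPS distinction and the signature caveat concrete, here is an added example (not from the original post) of a minimal signature-based engine run over constructed flow records. The flows, the two signatures, the country list, and the byte threshold are all invented for illustration; a real product's signatures inspect protocol fields and session state rather than simple predicates, but the matching principle is the same.

```python
"""Toy signature-based IDS/IPS (added example; all data below is constructed)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Flow:
    src: str           # internal host
    dst: str           # external IP
    dst_country: str   # assumed to come from an IP geolocation lookup
    bytes_out: int
    payload: bytes = b""


@dataclass
class Signature:
    """A named predicate over a flow; the engine can only match what a signature describes."""
    name: str
    matches: Callable[[Flow], bool]


APPROVED_COUNTRIES = {"US", "CA"}        # constructed policy: where the organization does business
EGRESS_THRESHOLD = 50 * 1024 * 1024      # constructed: 50 MiB to one external destination

SIGNATURES = [
    Signature(
        "large-egress-to-unapproved-country",
        lambda f: f.dst_country not in APPROVED_COUNTRIES and f.bytes_out > EGRESS_THRESHOLD,
    ),
    Signature(
        "known-exploit-string",
        lambda f: b"EVIL_MARKER" in f.payload,   # constructed placeholder pattern
    ),
]


def inspect(flows: List[Flow], signatures=SIGNATURES, mode: str = "ids") -> Tuple[list, list]:
    """Run every flow through the signature set.

    mode="ids": passive; every flow is forwarded and matches only produce alerts.
    mode="ips": inline; a matching flow is dropped instead of forwarded.
    Returns (alerts, forwarded), where each alert is (signature name, src, dst).
    """
    if mode not in ("ids", "ips"):
        raise ValueError(f"unknown mode: {mode}")
    alerts, forwarded = [], []
    for f in flows:
        hits = [s.name for s in signatures if s.matches(f)]
        alerts.extend((h, f.src, f.dst) for h in hits)
        if hits and mode == "ips":
            continue  # IPS denies the traffic; IDS would have let it through
        forwarded.append(f)
    return alerts, forwarded


# Constructed flow records. The last one stands in for a novel attack that no
# signature covers yet, so neither mode reacts to it.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", "US", 4096),
    Flow("10.0.0.7", "198.51.100.20", "XX", 200 * 1024 * 1024),   # bulk transfer to unapproved country
    Flow("10.0.0.9", "192.0.2.30", "US", 2048, payload=b"...EVIL_MARKER..."),
    Flow("10.0.0.9", "192.0.2.31", "US", 1024, payload=b"new technique, no signature yet"),
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, fwd = inspect(SAMPLE_FLOWS, mode=mode)
        print(f"{mode.upper()}: {len(alerts)} alert(s), {len(fwd)} of {len(SAMPLE_FLOWS)} flows forwarded")
        for a in alerts:
            print("  ", a)
```

Both modes raise the same two alerts; only the IPS run reduces the forwarded flows from four to two. The fourth flow passes untouched in both modes, which is the point the text makes about signature coverage lagging behind new attacks.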
Unified Threat Management (UTM)
UTM devices typically integrate a range of security functions, such as firewalls, gateway anti-virus, and IDS/IPS, into a single device or platform. Consolidating these functions can simplify management tasks and training requirements. On the flip side, however, as Tom’s IT Pro points out, this can create a single point of failure and may not offer best-of-breed solutions for each of its components.
Security Information and Event Management (SIEM)
SIEM works differently. Rather than replacing firewalls, antivirus, or intrusion detection/prevention systems, SIEM works alongside these devices to collect and correlate information from all of these, as well as the log and event data produced by servers and applications on your network. SIEM technologies make it easier to review log data (a component of many compliance mandates) and intelligently correlate information from disparate systems to generate a fuller picture of the organization's true security posture. While individual devices or point products may provide bits and pieces of information, SIEM helps assemble the puzzle and identify security risks that individual products may miss. SIEM is, therefore, a critical component of a ‘defense in depth’ approach to information security.
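The correlation step is where a SIEM earns its keep, so here is an added example (not from the original post or any EiQ product) of a toy SIEM-style correlation engine. It normalizes constructed log lines from three differently formatted sources (a firewall, an SSH auth log, and an antivirus agent) into one event stream, groups events per host inside a time window, and raises a finding only when more than one source contributes. The hosts, log formats, window, and the three-failures-then-success rule are all invented for illustration.

```python
"""Toy SIEM correlation (added example; all log lines and rules are constructed)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_YEAR = 2024                 # assumed: syslog-style auth lines carry no year
WINDOW = timedelta(minutes=5)   # constructed correlation window


@dataclass
class Event:
    ts: datetime
    source: str   # which product produced it
    host: str     # IP the event is keyed on for correlation
    kind: str     # normalized event type
    detail: str


@dataclass
class Finding:
    host: str
    start: datetime
    end: datetime
    sources: list
    kinds: list
    brute_force_success: bool


FW_RE = re.compile(r"^(\S+) \S+ (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                     r"(Failed|Accepted) \w+ for (\S+) from (\S+) port")


def parse_firewall(line):
    m = FW_RE.match(line)
    if not m or m.group(2) != "DENY":
        return None  # only denies feed this rule; ALLOW lines are dropped
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, "firewall", m.group(3), "fw_deny", f"to {m.group(4)}:{m.group(5)}")


def parse_auth(line):
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)} {m.group(2)} {m.group(3)}", "%Y %b %d %H:%M:%S")
    kind = "auth_fail" if m.group(5) == "Failed" else "auth_success"
    return Event(ts, "auth", m.group(7), kind, f"{m.group(6)}@{m.group(4)}")


def parse_av(line):
    ts_str, *fields = line.split(",")
    kv = dict(f.split("=", 1) for f in fields)
    if kv.get("event") != "detection":
        return None
    ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
    return Event(ts, "antivirus", kv["host"], "av_detection", f"{kv['threat']} {kv['action']}")


def normalize(firewall, auth, av):
    """Turn three log formats into one time-ordered event stream."""
    events = [parse_firewall(l) for l in firewall]
    events += [parse_auth(l) for l in auth]
    events += [parse_av(l) for l in av]
    return sorted((e for e in events if e), key=lambda e: e.ts)


def correlate(events, window=WINDOW, min_sources=2):
    """Per host, bucket events into windows; a window becomes a finding only when
    at least `min_sources` distinct products contributed to it."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    findings = []
    for host, evs in by_host.items():
        i = 0
        while i < len(evs):
            start = evs[i].ts
            cluster = [e for e in evs[i:] if e.ts - start <= window]
            sources = {e.source for e in cluster}
            if len(sources) >= min_sources:
                # Classic SIEM rule: several failed logins followed by a success from the same IP.
                first_ok = next((e.ts for e in cluster if e.kind == "auth_success"), None)
                fails_before = sum(1 for e in cluster
                                   if e.kind == "auth_fail" and first_ok is not None and e.ts < first_ok)
                findings.append(Finding(host, start, cluster[-1].ts, sorted(sources),
                                        sorted({e.kind for e in cluster}), fails_before >= 3))
            i += len(cluster)
    return findings


def per_source_counts(events):
    """What each product sees on its own: a few denies here, a few failed logins there."""
    return Counter(e.source for e in events)


# Constructed log lines, each in its own product's format.
FIREWALL_LOG = [
    "2024-03-01T10:00:05Z fw01 DENY src=10.0.0.7 dst=198.51.100.20 dport=4444",
    "2024-03-01T10:00:09Z fw01 DENY src=10.0.0.7 dst=198.51.100.20 dport=4444",
    "2024-03-01T10:00:40Z fw01 ALLOW src=10.0.0.7 dst=198.51.100.20 dport=443",
]
AUTH_LOG = [
    "Mar  1 10:00:01 srv-db sshd[2201]: Failed password for root from 10.0.0.7 port 51322 ssh2",
    "Mar  1 10:00:02 srv-db sshd[2201]: Failed password for root from 10.0.0.7 port 51323 ssh2",
    "Mar  1 10:00:03 srv-db sshd[2201]: Failed password for root from 10.0.0.7 port 51324 ssh2",
    "Mar  1 10:00:06 srv-db sshd[2201]: Accepted password for root from 10.0.0.7 port 51325 ssh2",
    "Mar  1 10:05:00 srv-web sshd[3100]: Accepted publickey for deploy from 10.0.0.50 port 40000 ssh2",
]
AV_LOG = [
    "2024-03-01 10:00:30,host=10.0.0.7,event=detection,threat=Trojan.Generic,action=quarantined",
]

if __name__ == "__main__":
    events = normalize(FIREWALL_LOG, AUTH_LOG, AV_LOG)
    print("per-source event counts:", dict(per_source_counts(events)))
    for f in correlate(events):
        print(f"{f.host}: {f.start:%H:%M:%S}-{f.end:%H:%M:%S} sources={f.sources} "
              f"kinds={f.kinds} brute_force_success={f.brute_force_success}")
```

Seen one product at a time, the sample data is two firewall denies, a handful of SSH failures, and a single quarantined file, none of which would normally page anyone. Keyed on the same host and the same five minutes, the three sources together yield one finding for 10.0.0.7 with the brute-force-then-success flag set, while the lone successful key login from 10.0.0.50 produces nothing. That assembled view is what the paragraph above means by a fuller picture.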
As a complex technology, SIEM can be difficult for smaller organizations that lack the resources, people, and time needed to deploy, tune, and get value from it. At EiQ, we help these organizations with our SOCVue Security Monitoring service, which includes our SIEM technology along with our SOC team to provide deployment, 24x7 monitoring, and ongoing tuning, as well as well-defined processes based on the highly respected CIS Top 20 Critical Security Controls to ensure our customers get the most value out of the SIEM solution. We are also able to integrate results from our SOCVue Vulnerability Management service to provide a more complete picture of your organization’s security posture. As an extension of our customers’ IT teams, SOCVue provides the people, process, and technology needed to deliver continuous security intelligence at a fraction of the cost of alternative solutions.
Interested in learning more about SOCVue?
Photo credit: onirb / 123RF Stock Photo