Security Information Event Management (SIEM) is a software solution that enables the detection of cyber-attack incidents that would otherwise go unnoticed and empowers your IT team to quickly take measures to protect your dealership and keep your data, systems, and finances safe.  Basically, SIEM aggregates and analyzes information from a variety of different systems across your entire IT environment.  This includes information from endpoint security systems, firewalls, intrusion detection systems, email security, and more.  SIEM is an essential cybersecurity tool that dealers should have in place.  Have you ever heard of SIEM?

According to a recent study performed by CDK, 70% of respondents said that they invest in cybersecurity protection to safeguard their dealership.  Yet, 73% of dealers surveyed say they don’t use SIEM.  Maybe dealers don’t know about SIEM or maybe they don’t have the resources to implement and manage SIEM effectively?  Perhaps, dealers think SIEM is too expensive?  But considering the fact that the average cost of a successful cybersecurity breach is $3.9 million – the expense of SIEM shouldn’t be an issue.

Maybe a better understanding of SIEM would help dealers who don’t take advantage of this valuable technology to understand its importance?  This is the intent of this blog.

With SIEM properly implemented, your IT team is provided with on-demand data analysis, event correlation, aggregation and reporting as well as log management.  It gives your IT team a birds-eye-view into, and a track record of, their IT environment.  So, why do you need this?  The short answer is that if you suffer a cybersecurity breach you want to know how the breach happened.  You want to understand step by step how the cybercriminal penetrated your dealership and how they moved through your IT environment.  If you don’t know the trail of events leading to the breach, then you won’t be able to prevent it from happening again.  In addition, with the proper implementation and management of SIEM you stand a much better chance of preventing the breach from happening in the first place.

There are 3 key benefits of SIEM:

• Incident Detection – SIEM not only logs security events but it also has the ability to analyze the log entries to identify signs of malicious activity. If SIEM detects any activity involving a known threat, then it can take actions to terminate those connections or interactions to proactively prevent an attack from occurring.
• Regulatory Compliance – Most compliance reporting requires centralized logging capability. With SIEM you can log data from multiple sources and generate one report containing this aggregate information.  Without SIEM you would have to manually collect log data from a wide variety of sources to meet your compliance obligations and this would be extremely labor intensive.
• Better Incident Management – With SIEM you can identify an attack’s route through the network, enabling rapid ID of all sources affected and providing automated mechanisms to stop the attack while it’s still in progress.

To take advantage of SIEM you must have the expertise and capacity within your dealership to do the following:

1. Determine Scope – You’ll need to establish rules that define what events your SIEM software should monitor. You should also group devices and systems and then establish criteria for how best to monitor each group.
2. Establish, Manage, and Refine Correlation Rules – SIEM empowers you to observe more than just single isolated events. Therefore, with SIEM, it’s possible to detect security threats that would go unnoticed by simply looking at a single event.  For instance, with event correlation, you could say if a number of login attempts to the same computer fail from the same IP address within ten minutes and use different usernames and a successful login occurs on any computer from that same IP address then trigger an alert.
3. Identify Compliance Requirements – What are the compliance requirements that apply to your dealership? Understanding this will be important in setting up your SIEM to assist in meeting your compliance obligations.
4. Monitor Access to Critical Resources – Every business has a set of critical resources that need strict monitoring. These systems need to be identified and monitored for administrative access, unusual user activity, remote login attempts and system failures.
5. Defend Your Network Boundaries – Vulnerable areas on the edge of your network must to be monitored by SIEM. This includes firewalls, routers, ports, and wireless access points.  Your SIEM must be configured to gather appropriate information from these network boundary points.
6. Test Your SIEM – SIEM should be tested routinely by simulating how an attacker would behave and then evaluating how the SIEM reacts. Based on testing you will then need to refine your SIEM configuration.
7. Respond Promptly – Your SIEM only does part of the job of protecting your dealership. You need to have a plan and the resources for how to respond to an alert from your SIEM.

Cybercrime isn’t going away.  In fact, it’s getting worst.  Today, a ransomware attack occurs every 11 seconds.  Cybercrime is now the fastest growing crime in the U.S.  So, it’s really not a question of if your dealership will become a victim of cybercrime but instead it’s a question of when.  You’ve worked hard to build your business.  You should protect it and SIEM is a powerful technology that can help.