In terms of information security, the SIEM system is the brain of the organization. It lets you gather events from all information systems and information security tools in one place and tells you what is actually happening in the company. It is a mistake to think that a SIEM system is intended only for mature, large companies. If you have a firewall, antivirus and e-mail, you are already a SIEM user. Maxim Stepchenko, CEO of the company, talks about what it is and how, in five years, RuSIEM became one of the market leaders.
In a nutshell, what is a SIEM system anyway? And which companies would you recommend it to?
SIEM is a system that collects events from different sources and makes it possible to detect incidents in them. It can be recommended to everyone, starting with small and medium businesses. The need arises in large enterprises, financial and industrial companies, small universities and organizations with 50 employees. Above all, SIEM is needed when devices generate hundreds or thousands of events per second, among which it is impossible to pick out manually what matters to the organization. That requires tooling, and such tasks are exactly what SIEM solves. It can select from thousands of events the few you want to respond to, send notifications about them and display the necessary information. For example, a person did not enter the building, yet logged in to a corporate computer. That is an incident. Accordingly, we capture and correlate access control events with events from the computer or information system.
We are now seeing an active rise of the Internet of Things, including industrial IoT. Sensor information is transmitted to different systems. How can SIEM help here?
SIEM is already used in various information systems, including IoT and telemetry. SIEM can act as a collection point for all devices: it can analyze the appearance of a new sensor, identify event types and locations, identify new event types and detect anomalies based on statistics. In short, SIEM is the brain. We bring events there from everywhere, and it indicates what to look at.
How can SIEM systems track complex cyberthreats and prevent targeted attacks?
It is now mandatory to use SIEM systems to combat targeted attacks. They do not protect, but they let you detect the moment of any suspicious change, which is equally important in such cases. SIEM enriches the functionality of information security, and anti-fraud systems are also built on it. For example, on average a user uploads or sends ten files a day, but suddenly the number jumps to a hundred. Or, on average, a person opens ten files an hour, and today it is a thousand. Such changes indicate a possible information leak. This is an anomaly to which SIEM responds. The same goes for a banking system: the appearance of a new counterparty or an unusual payment will be a signal.
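The two kinds of rule described in this interview, cross-source correlation (a login with no matching building entry) and a statistical threshold over a per-user baseline (a sudden jump in daily uploads), as a small added example that is not RuSIEM's code; the event records and the upload history are constructed for illustration.

```python
from statistics import mean

# Constructed sample events, not taken from the interview: (source, user, day, detail).
EVENTS = [
    ("badge", "alice", "2019-12-02", "entered"),
    ("login", "alice", "2019-12-02", "ws-alice"),
    ("login", "bob", "2019-12-02", "ws-bob"),  # bob never badged in that day
    ("upload", "alice", "2019-12-02", 9),
    ("upload", "bob", "2019-12-02", 120),
]
# Constructed per-user history of uploads per day (the "ten files a day" baseline).
UPLOAD_BASELINE = {"alice": [10, 12, 8, 11], "bob": [9, 10, 11, 10]}


def logins_without_badge(events):
    """Rule 1: a corporate login on a day the user never entered the building."""
    badged = {(u, d) for s, u, d, _ in events if s == "badge"}
    return [(u, d, host) for s, u, d, host in events
            if s == "login" and (u, d) not in badged]


def upload_spikes(events, baseline, factor=5):
    """Rule 2: daily upload count exceeding `factor` times the user's average."""
    alerts = []
    for s, u, d, count in events:
        if s != "upload" or u not in baseline:
            continue  # unknown users have no baseline yet, so no verdict
        avg = mean(baseline[u])
        if count > factor * avg:
            alerts.append((u, d, count, avg))
    return alerts


def correlate(events, baseline=UPLOAD_BASELINE):
    """Run both rules and return human-readable incident lines."""
    incidents = []
    for u, d, host in logins_without_badge(events):
        incidents.append(f"{d} {u}: login to {host} without building entry")
    for u, d, count, avg in upload_spikes(events, baseline):
        incidents.append(f"{d} {u}: {count} uploads vs baseline {avg:.0f}/day")
    return incidents


if __name__ == "__main__":
    for line in correlate(EVENTS):
        print(line)
```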
Since the quality of event analysis depends directly on the quality of the raw data, how do you select it? How much is needed for relevant analysis?
The more the better. You need the middle ground between “collect everything you need” and “collect extra”. We need to be able to collect data from all available sources, and which of them the company needs depends on the rules that will be used. Today such data streams are not needed, and tomorrow they are critical, and that is the advantage of a SIEM system: it lets you analyze everything. What we do not pay attention to today may prove to be very important tomorrow. Therefore we must collect and store everything, and be able to go back and analyze what happened yesterday or a month ago, especially when it comes to prolonged attacks.
Recently many all-in-one systems have appeared for small companies, where correlation is implemented inside the box. Do you have this solved?
Yes, our RuSIEM is a “boxed” solution with a huge number of rules, which many customers set up themselves. It is easy to implement, and staff and partners are trained for free using recorded webinars. Although we do not work directly, we are ready to train our clients.
How difficult is it for an untrained specialist with basic computer skills to learn to use RuSIEM? Who can work with it at all?
Generally, it is easy. Information security and IT staff will be able to work with RuSIEM. If something goes wrong for a client, we try to refine the system so that next time it does not
What is the development principle?
We have long and short development plans: two years ahead, six months and a quarter. There is a community that anyone can join by contacting me. People in this community influence the product refinement plan; without even being a customer, you can influence development by sharing a reasonable idea for what needs to be modified or refined. Then we, the developers, existing customers and users of the free and pilot versions, discuss each item together.
Is your solution scalable? What are its technical requirements and is it “friendly” with other systems?
The solution scales in any direction, both vertically and horizontally. We can both receive data from and hand data to any system. For example, we have a customer who has three SIEM systems, and they coexist with each other perfectly well as “friends”. Technical requirements, of course, depend on the network you want to protect, but compared to competitors RuSIEM needs two to three times fewer resources. Most of the time we run on the customer's existing capacity; we support virtualization and are not very demanding on hardware.
Who is involved in implementation and technical support?
We provide technical support either directly or through partners, but we implement only through partners, including virtually all the major IT and security integrators in the Russian market.
How is machine learning used in your solution?
Machine learning is actively used in a separate module, “Analytics”, which collects data and analyzes it using various mathematical models. We are now developing neural networks, and we plan that in the future the system will work and detect anomalies simply by collecting data, without preset correlation rules.
At many events people talk about IT as a service. Is information security as a service possible? And how does it fit into your system?
On the one hand, this is already a reality; on the other, the future. Many companies go this way, and many SOCs are being opened. However, an in-house service is still not available out of the box: unfortunately, setting up security against targeted attacks and tuning it to the business cannot be done that way. I believe in information security as a “boxed” solution delivered by experienced people, but not in the “box” alone. Buying the solution, installing it and forgetting about it: that will not happen.
On what principles do you select promising areas for new functionality?
Based on customer needs. We collect their wishes, find a common denominator and implement it.
It is very difficult to calculate how much information security costs. How do you explain the need to purchase RuSIEM?
You have to explain it to the business itself, and it is important to bring real cases. You need to know the business and understand what is critical for the company, what it represents and what it earns, what the risks are and what information specifically really needs to be protected.
There is a lot of talk now that security needs to be built in. Can RuSIEM be incorporated at the project stage?
RuSIEM can be laid down at the project stage, and that is right and good. But my fundamental position is that information security should not stop the business and act as a brake. And the business, unambiguously, should listen to information security and not run ahead of the locomotive. Where is the middle ground? That is an eternal question.
RuSIEM has become a major player in this market five years after its launch and has already won the Security Management nomination at the CNews AWARDS. How did you become a leader in 2019, and how is the company growing now?
Since the beginning of the summer we have grown almost four times and continue to recruit intensively. We have a catastrophic shortage of quality professionals because of our “better to take one good one than three weak ones” approach. We have been looking for developers, for example. Despite significant growth, we were able to retain the entire team and multiply it. The staff and the number of projects increased, the number of partners with active projects grew from 10 to about 80, and new distributors appeared. I think we are one of the major players in the market primarily because we are focused not only on the Russian market, although it is certainly very important, but on the world. We now have a free version that is installed worldwide, and there are several overseas customers, not only from CIS countries but also from Europe, the Middle East and Southeast Asia. We focus on high product speed and an adequate price. In special cases we also issue annual licenses for free use, because we know that some companies have a budgeting cycle substantially longer than three or six months, while the need for the product is already there.
What caused the fourfold increase?
First, the investment came. The market is ready and, despite the high competition, we offer an adequate price. Our product does not consume a lot of resources, has a high speed of operation and is inexpensive. Also, in the last six months the number of clients has increased three times.
Well, traditionally for the twelfth issue: what are the prospects for next year?
In the future: new functionality, extending existing features, increasing the number of projects, a big leap towards automation in RuSIEM and simplifying product use. But we will talk about that in the first quarter of next year.
IT-Manager Magazine [№ 12/2019]