Who's Watching Your SIEM?
Congratulations! Your organization has implemented a Security Information and Event Management (SIEM) platform for network security monitoring. That's a good thing, because SIEM can be an extremely effective tool for combating today’s advanced cyber threats, giving you real-time visibility into unusual and even malicious activity across your network.
Here's the issue, however: Many IT professionals expect their SIEM to consume logs and machine data from their environment and effortlessly spit out actionable alarms. Unfortunately, it just doesn't happen that way.
When you have a SIEM, experienced human involvement is an ongoing, absolute necessity. Methodical approaches are needed to gather the right data, filter out “noise” through correlation and tuning, and respond quickly to validate security events that are generated. And, because your IT environment and external threats are both constantly changing, continuous enhancement is a necessity.
Gathering the Right Data
Many businesses underestimate the time investment required to implement and manage their network security monitoring function. SIEM technology is complex, especially if you expect to take full advantage of its capabilities; it requires extensive training just to get started with SIEM.
To get started, you must first identify your critical assets, enable the appropriate log files, and then successfully forward and "ingest" those files into the SIEM. A thorough understanding of security best practices is extremely important to the success of these up-front steps.
Correlation and Tuning
Once you have the appropriate log sources configured and information is flowing consistently into your SIEM, you’re ready to begin looking at how the data should be correlated across multiple sources as well as how to apply the rule logic that will surface suspicious conditions.
Most SIEM tools provide extensive out-of-the-box correlation rules and automation; however, these baseline rules must be tuned and augmented to address your organization’s unique security and compliance needs. Understanding data correlations and having the ability to adjust rules based on risk priority of assets and the latest threat intelligence ensures that the right alerts are surfaced.
Without experienced, security-minded personnel managing the above activities, critical events are likely to get buried in a barrage of information being generated by the SIEM platform. This significantly hampers your ability to respond to threats as they emerge.
Using the real-time log information presented by the SIEM platform, focused individuals are able to address what they find quickly—but only if they’re actually monitoring the system on a continuous basis. These individuals thoughtfully respond to system-generated alerts, pinpointing those that require action and, in many cases, initiating that action themselves. False positives can also be identified more quickly, thereby saving valuable time.
Your IT environment is constantly changing to support the growth and evolution of your business. The types and vectors of cyber threats that put your organization at risk are also growing and evolving.
Consider all the change happening within your network and the surrounding business environment:
- Network configurations are changed, system components are added, and new endpoints appear on a daily basis.
- Employees come and go, user groups reorganize, and vendor relationships are forged and dissolved.
- New virus definitions are distributed and downloaded daily, applications and firmware are regularly updated, and user permissions are adjusted.
Keeping up with all of this change and ensuring that your SIEM platform is correctly responding is a continuous job. That's a far call from the “set and forget” security technologies of earlier times!
When Do Managed Security Services Make Sense?
In 2015, less than 25% of the data breaches studied for the Verizon 2016 DBIR had been detected in "days or less," yet nearly 100% of the compromises were executed in that time period – in fact, sometimes in minutes or hours. It's clear that a majority of organizations are failing to adequately monitor, manage and make sense of the business-critical security information found in their log data.
If you don’t have in-house security experts dedicated to network security monitoring, it makes sense to explore the option that thousands of organizations like yours are leveraging today: Engaging a Managed Security Service Provider (MSSP) to advise you and help manage your security infrastructure. Engaging the right MSSP can make all the difference in the amount of return you receive for your SIEM investment.