October 2, 2018 • Published by Mark Carl
Active Monitoring • MDR • SIEM
There’s a lot of buzz in the marketplace these days around SIEM, which is Security Information and Event Management. I’ve had people tell me that their SIEM technology isn’t of much use, and others tell me that it’s critical to their business’s everyday security posture. The difference between those two experiences usually comes down to the same two things: how the related tools are deployed, and what the staff around them looks like.
In a mature security posture, SIEM is only one component of a much broader practice. While we do employ SIEM for many of our customers, it’s actually a small piece of what’s called Managed Detection and Response (MDR). Our team of security analysts provides these real-time MDR services to our customers. But, little known to most, they actually provide MDR for our own organization as well. We call it “eating our own dogfood.”
The world of MDR involves a lot of pieces. It includes developers who understand how to ingest information, and security analysts who know how to communicate to those developers the intelligence they need to derive from the information. The SIEM is a typical tool used in that process as a platform for the developers to implement the rules and turn the information into actionable intelligence.
Sorting through the mess of false positives and useless information is a science in and of itself. Behind the scenes, senior security analysts are doing “threat hunting”; they’re taking the intelligence produced by the system, correlating those events with what they already know, and using that to notify customers in real time when there are suspicious things going on that warrant more review. In many of those cases, it’s an active attack that’s knocked down immediately.
Large enterprises with massive IT budgets typically implement a SIEM and have the necessary IT staff to maintain and monitor it (i.e., MDR). By contrast, smaller and mid-sized organizations typically do not succeed in gathering intelligence from their SIEM because they don’t have the necessary internal expertise and staffing levels. In those environments, we often see the SIEM being used by a forensic investigator, trying to determine why a breach was ongoing for months. In those cases, outsourcing MDR to a managed security service provider—before you have to engage a forensic investigator—is the ideal solution.
In the end, you can implement all the right tools and still miss an intrusion. The answer lies not only within how good your tools are, but also in who’s watching your environment.