So You Need a SIEM…

How to maximize the long-term value of your SIEM technology investment.

April 12, 2016 • Published by

Even with SIEM, Log Monitoring is Critical.

Security Information and Event Management (SIEM) solutions are a technology of choice for today’s IT organizations. SIEM’s claim to fame is its ability to collect, store and even analyze activity within the organization's IT systems, so that cyber threats can be detected in as close to real-time as possible.

But before you make your SIEM investment, consider this: Many IT professionals I speak with are disillusioned by the SIEM technology they implemented, because they expected it to spit out actionable data and it just didn’t happen that way.

SIEM solutions collect the data that catches cyber criminals in the act, but human involvement is necessary to turn that data into informed decisions. So, although you may have functioning SIEM technology in place, effective security log monitoring and management is still a critical component of your business's security threat detection efforts.

Not "Run and Done."

In its data breach investigations, Verizon has found that 84% of breach events showed evidence of breach in the IT log data, yet only about 1% of breach events were actually discovered via an internal log audit. What this tells me is that even organizations with dedicated IT teams have difficulty keeping up with the amount of time and expertise required to adequately monitor and manage their volumes of log data.

SIEM is best approached from what I like to call a “review and do” standpoint. But how do you make sure that you and your team aren’t losing critical time responding to false positives and other data anomalies?

If you don’t have a dedicated internal resource with the expertise to properly analyze the data your SIEM is supplying, I highly recommend you consider forging an MSSP (managed security service provider) relationship.
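To make the “review and do” point concrete, here is an added example (not code from the original post or from any SIEM vendor) of the difference between forwarding every event and correlating events before a human looks at them. It runs over a constructed set of sshd log lines for a hypothetical host “web01”; the failure threshold, the five-minute window and the log year are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd/syslog lines (hypothetical host "web01" and
# documentation-range IP addresses); not taken from any real system.
SAMPLE_LOG = """\
Apr 12 09:00:01 web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 50211 ssh2
Apr 12 09:00:03 web01 sshd[2203]: Failed password for root from 198.51.100.7 port 50212 ssh2
Apr 12 09:00:05 web01 sshd[2205]: Failed password for root from 198.51.100.7 port 50213 ssh2
Apr 12 09:00:06 web01 sshd[2207]: Failed password for root from 198.51.100.7 port 50214 ssh2
Apr 12 09:00:08 web01 sshd[2209]: Failed password for root from 198.51.100.7 port 50215 ssh2
Apr 12 09:00:20 web01 sshd[2211]: Accepted password for root from 198.51.100.7 port 50216 ssh2
Apr 12 09:01:00 web01 sshd[2213]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Apr 12 09:01:30 web01 sshd[2215]: Accepted password for alice from 192.0.2.10 port 40002 ssh2
Apr 12 09:15:00 web01 sshd[2217]: Failed password for bob from 192.0.2.11 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

LOG_YEAR = 2016  # syslog timestamps carry no year; assumed for this sample


def parse_events(text):
    """Turn raw lines into structured events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def raw_alert_count(events):
    """What an 'alert pusher' forwards: one alert per failed login, with no context."""
    return sum(1 for e in events if e["result"] == "Failed")


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source only when at least `threshold` failed logins precede a successful
    login from the same IP within `window`: the pattern that deserves analyst time."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        for success in (e for e in evs if e["result"] == "Accepted"):
            recent = [f for f in failures
                      if success["ts"] - window <= f["ts"] <= success["ts"]]
            if len(recent) >= threshold:
                alerts.append({
                    "ip": ip,
                    "host": success["host"],
                    "user": success["user"],
                    "failures": len(recent),
                    "first_failure": recent[0]["ts"],
                    "success": success["ts"],
                    "severity": "high",
                })
    return alerts


def triage_summary(text, **kwargs):
    """Compare the raw alert volume with what survives correlation."""
    events = parse_events(text)
    return {
        "events": len(events),
        "raw_alerts": raw_alert_count(events),
        "correlated_alerts": correlate(events, **kwargs),
    }


if __name__ == "__main__":
    summary = triage_summary(SAMPLE_LOG)
    print(f"{summary['events']} events, {summary['raw_alerts']} raw failure alerts, "
          f"{len(summary['correlated_alerts'])} alert(s) after correlation")
    for a in summary["correlated_alerts"]:
        print(f"  [{a['severity']}] {a['ip']} -> {a['host']}: {a['failures']} failures "
              f"from {a['first_failure']:%H:%M:%S}, then login as {a['user']} "
              f"at {a['success']:%H:%M:%S}")
```

On the sample, seven raw failure alerts collapse to a single correlated alert: the one source that failed repeatedly and then got in. The two single failures (a mistyped password from alice, one stray attempt for bob) are exactly the noise that costs a team its time when every event is pushed through unreviewed; the correlated alert is the one an analyst should actually act on.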

Maximize the Value of Your SIEM Technology Investment.

SIEM technology is an investment for an organization of any size and type, so the last thing you want to do is implement it and then ignore its value. By coupling your SIEM search with MSSP discussions, you could save your organization significant time and money over the long term.

Here are my top 3 recommendations when researching potential MSSPs for SIEM:

1. Ensure that the MSSP will not act as an “alert pusher” from the SIEM device. 

A good Managed Security Service Provider will have analysts with the capability to perform root cause analysis of events, weed out false positives from true positives and alert you only for those events that are relevant.

2. Review the MSSP’s processes. 

Thoroughly review the MSSP’s processes for onboarding customers as well as alerting and managing security incidents. Each of these processes should be well laid out and the MSSP should be able to clearly articulate them.

3. Be sure to partner with an MSSP that uses enterprise-class SIEM technology.

The SIEM technology behind an MSSP’s log monitoring and management service plays a big role in assuring that all services the MSSP delivers are top notch. Oftentimes you will be hit with scalability and reliability issues if the underlying SIEM technology is not enterprise grade.

Review and Do.

Security technology is only as useful as your ability to make use of it. Support from an MSSP can be your ideal solution when it comes to “review and do.”

Be sure to subscribe to this blog for additional tips and webinar announcements.