Anchor Your Security With a Well-honed SIEM Strategy
Security information and event management (SIEM) systems have been on the scene for more than a decade, and in that time they’ve grown from niche technology to something that approaches a must-have for enterprises serious about their security posture. It’s an impressive evolution for a solution set that was once viewed by many as expensive and redundant, not to mention difficult and time-consuming to implement.
The criticisms of early SIEM iterations were not entirely unfair. For much of the technology’s nascent period, security managers and incident response teams wondered why they needed yet another data feed on top of the dozens they already had. After all, more data doesn’t always mean better data. Sometimes it just means more (and possibly duplicate) information.
SIEM technology improved over time, however. And while the volume and variety of attacks hitting enterprise networks increased apace, SIEMs became more flexible and useful, earning a key place in many network defense architectures.
Admittedly, implementing a SIEM system can still be a challenge, but it’s much simpler now than it was in its early days. SIEM vendors have developed methods and systems to ease deployment.
For many enterprise security leaders and teams, the point where the SIEM system is in place and the console starts filling up with dozens or hundreds of new events is when the real work begins. It takes time, patience and a solid strategy to get the most out of a new SIEM investment. Armed with such a solid SIEM game plan, savvy organizations can reap major dividends in the long run.
Like most security solutions, SIEMs have their strengths and weaknesses. Let’s look at some of the things security information and event management systems do well:
- Information aggregation. This is where SIEMs excel. The ability to pull in data from dozens of disparate sources and present it in a single, comprehensive view is the key value proposition for the technology. Rather than looking at consoles from server management software, intrusion detection systems, databases, and other systems to find event data, security teams can focus on one view in the SIEM.
- Timely alerts. Time is of the essence in security, and SIEMs can give users quick and informative alerts about new incidents and potential attacks. Again, bringing those alerts into a central view increases efficiency and can decrease response time.
- Data storage. SIEMs provide the ability to store event and alert data long term, giving organizations the chance to analyze historical data and identify key weak points in their infrastructure or commonly attacked systems.
- Event correlation. Information on individual events and alerts is nice, but it’s of limited use if it can’t be compared and correlated with data from other sources. SIEMs can correlate information from a variety of sensors and inputs and enable security teams to get an optimal picture of what’s going on around their networks.
SIEM systems can do a lot, but they don’t excel at every task. For example:
- Data overload. Because SIEMs gather information from so many sources, the volume of data can be overwhelming. Hundreds or thousands of alerts and notifications can stack up in a SIEM console, and if the security team isn’t careful with its prioritization and tuning, important information can be lost in the shuffle.
- Context. In many cases, alerts and notifications from IDS and other systems arrive without much in the way of context. SIEMs often don’t help much in this regard, as they’re not designed to provide nuance, mostly just raw data.
- Response. With traditional SIEM solutions, the events that show up in a console typically can’t be addressed with an automated response. Alerts require experienced security people to go and do something, and in most cases SIEMs won’t help much in this manual process. They can provide the details of a potential incident, but often don’t give advice on what to do about it.
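To make the aggregation and correlation strengths above, and the data-overload weakness, concrete, here is a toy SIEM pipeline in Python. It is an added example written for this article, not code from any SIEM product. All three feeds (a key=value firewall log, sshd syslog text, and a JSON IDS alert) and the IP addresses, hostnames and signature name in them are constructed. The pipeline normalizes the feeds into one schema, correlates repeated login failures followed by a success from the same source with any IDS alert about that source, and collapses repeated firewall denies into a single summarized record instead of one console entry each.

```python
"""Toy SIEM pipeline: normalize events from three constructed feeds into one
schema, correlate them across sources, and collapse repetitive firewall noise
into a single summarized record. Added example; not from any real product."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feeds (not from any real system).
FIREWALL_LINES = [
    "2024-05-01T10:00:01Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:02Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2024-05-01T10:00:03Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "2024-05-01T10:00:09Z fw01 action=allow src=203.0.113.7 dst=10.0.0.5 dport=22",
]
AUTH_LINES = [
    "2024-05-01T10:00:10Z srv05 sshd[812]: Failed password for admin from 203.0.113.7 port 51122 ssh2",
    "2024-05-01T10:00:12Z srv05 sshd[812]: Failed password for admin from 203.0.113.7 port 51123 ssh2",
    "2024-05-01T10:00:14Z srv05 sshd[812]: Failed password for admin from 203.0.113.7 port 51124 ssh2",
    "2024-05-01T10:00:20Z srv05 sshd[812]: Accepted password for admin from 203.0.113.7 port 51125 ssh2",
    "2024-05-01T10:05:00Z srv05 sshd[900]: Failed password for bob from 198.51.100.9 port 40000 ssh2",
]
IDS_LINES = [
    '{"ts": "2024-05-01T10:00:05Z", "sensor": "ids01", "src_ip": "203.0.113.7", "sig": "ET SCAN Potential SSH Scan"}',
]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m["ts"]), "source": "firewall", "host": m["host"], "src_ip": m["src"],
            "action": m["action"], "dport": int(m["dport"]), "detail": f"dport={m['dport']}"}


def normalize_auth(line):
    m = AUTH_RE.match(line)
    if not m:
        return None
    action = "login_failed" if m["result"] == "Failed" else "login_success"
    return {"ts": parse_ts(m["ts"]), "source": "auth", "host": m["host"], "src_ip": m["src"],
            "action": action, "detail": f"user={m['user']}"}


def normalize_ids(line):
    rec = json.loads(line)
    return {"ts": parse_ts(rec["ts"]), "source": "ids", "host": rec["sensor"], "src_ip": rec["src_ip"],
            "action": "ids_alert", "detail": rec["sig"]}


NORMALIZERS = {"firewall": normalize_firewall, "auth": normalize_auth, "ids": normalize_ids}


def aggregate(feeds):
    """Aggregation: one time-ordered stream of events in a common schema."""
    events = []
    for source, lines in feeds.items():
        for line in lines:
            ev = NORMALIZERS[source](line)
            if ev:
                events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def correlate_bruteforce(events, threshold=3, window=timedelta(seconds=60), ids_lookback=timedelta(minutes=15)):
    """Correlation: a successful login preceded by >= threshold failures from the same
    source IP inside `window`; an IDS alert about that IP in the lookback raises severity."""
    failures = defaultdict(list)
    alerts = []
    for ev in events:
        if ev["action"] == "login_failed":
            failures[ev["src_ip"]].append(ev["ts"])
        elif ev["action"] == "login_success":
            recent = [t for t in failures[ev["src_ip"]] if ev["ts"] - t <= window]
            if len(recent) < threshold:
                continue
            ids_context = [e["detail"] for e in events
                           if e["source"] == "ids" and e["src_ip"] == ev["src_ip"]
                           and timedelta(0) <= ev["ts"] - e["ts"] <= ids_lookback]
            alerts.append({"rule": "brute_force_then_success", "ts": ev["ts"], "host": ev["host"],
                           "src_ip": ev["src_ip"], "failures": len(recent),
                           "ids_context": ids_context, "severity": "high" if ids_context else "medium"})
            failures[ev["src_ip"]].clear()  # do not re-alert on the same burst
    return alerts


def summarize_denies(events):
    """Noise reduction: collapse repeated firewall denies per source IP into one record."""
    buckets = {}
    for ev in events:
        if ev["source"] != "firewall" or ev["action"] != "deny":
            continue
        b = buckets.setdefault(ev["src_ip"], {"src_ip": ev["src_ip"], "count": 0, "ports": set(),
                                              "first": ev["ts"], "last": ev["ts"]})
        b["count"] += 1
        b["ports"].add(ev["dport"])
        b["first"] = min(b["first"], ev["ts"])
        b["last"] = max(b["last"], ev["ts"])
    return [{**b, "ports": sorted(b["ports"])} for b in buckets.values()]


def run_pipeline():
    events = aggregate({"firewall": FIREWALL_LINES, "auth": AUTH_LINES, "ids": IDS_LINES})
    return {"event_count": len(events), "alerts": correlate_bruteforce(events),
            "deny_summaries": summarize_denies(events)}


if __name__ == "__main__":
    result = run_pipeline()
    print(f"{result['event_count']} events normalized")
    for a in result["alerts"]:
        print(f"ALERT {a['severity']}: {a['rule']} src={a['src_ip']} host={a['host']} "
              f"failures={a['failures']} ids={a['ids_context']}")
    for s in result["deny_summaries"]:
        print(f"SUMMARY: {s['count']} denies from {s['src_ip']} to ports {s['ports']} "
              f"between {s['first']} and {s['last']}")
```

Ten raw events become one high-severity alert (three failures, a success, and an IDS scan alert all tied to the same source) and one summary record for the three denies, which is the trade the article describes: the correlation is only possible because the feeds share a schema, and the summary is what keeps the raw denies from burying the alert in the console.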
Optimizing a SIEM Implementation
One of the main challenges of using a SIEM is getting it into a new environment and bringing all of the feeds and inputs online. For large enterprises, this can be a serious, time-consuming operation.
"When just getting into the process of managing a SIEM, it can be easy to underestimate the effort it takes to actually bring the data on board. This data onboarding is usually what takes the bulk of the time," Raffy Marty, IANS Faculty and co-founder of PixlCloud, said in his guide for managing SIEMs.
"You should identify where the data is generated, then go to your networking team to make sure it’s all reconfigured properly, etc. This aspect is generally underestimated — it’s a huge effort."
One of the best ways to help alleviate some of the stress and pain of this process is to identify the goal or goals of the SIEM implementation before it begins. In some scenarios, enterprises will deploy a SIEM, hook up all of the feeds, and then wonder what they should do with all of the information they’re pulling in. This can end up causing frustration and delays in gaining useful insight from the SIEM.
SIEM in Action
To illustrate the ways in which a SIEM system can be useful for an enterprise, let’s take the example of a data breach. Here’s how SIEM plays a role in the various phases of data-breach response and investigation.
- Monitoring and detection. A SIEM can provide the first indications of a compromise in a network, producing notifications of unusual or malicious activity on monitored systems.
- Investigation. SIEM implementations give security teams the ability to drill down into incidents and determine which machines are affected, what activity raised the alert, and what the next steps should be.
- Response. SIEMs have traditionally been weak in the response department, but many next-gen SIEM products are adding built-in rules that can help kick off response activities automatically in breach situations. These actions often can be customized for each organization, providing enterprises with maximum flexibility.
- Forensics. The built-in log management and retention capabilities in SIEM systems give security teams the ability to look back at historical data after a breach to look for earlier indicators of compromise or data exfiltration.
By contrast, if a specific goal is set before the SIEM is deployed, the security and other teams can decide what data they want to pull out of it. With that done, the teams can observe the way the system runs and whether it’s helping them move toward their goal. They can then whittle down or expand the amount and kinds of data they feed into and pull out of the system to ensure they’re on the path to achieving their goals.
"Depending on the type of event a SIEM identifies, most seasoned SIEM analysts can immediately tell you what systems and logs they are going to have to reach into to gather more data for analysis. Systems such as antivirus, packet capture tools and firewalls are all common areas that need to be queried to determine the severity or legitimacy of an event," Michael Pinch, IANS Faculty and CISO of Rochester Medical Center, said in his SIEM implementation report.
"With the trend of most security systems having APIs to build interactivity between systems, it is becoming possible for these tools to actually automate a portion of the forensic response, and have that data queried and archived by the time a security analyst actually lays his or her eyes on a new incident."
Just as important as figuring out the response portion of the SIEM picture is fine-tuning the performance of the system. SIEMs are capable of taking in and crunching huge amounts of data, but like any system, they need constant assessment and tuning in order to perform at their best.
SIEMs rely on rules to process the data that they bring in, but they don’t have an infinite appetite for those rules. SIEMs will tend to slow down as more rules are added, so it’s vital that security teams constantly assess the kind and number of rules they’re employing to ensure that their systems are performing as efficiently as possible.
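The rule assessment the paragraph calls for is easier when the SIEM can report, per rule, how often it fires and how much evaluation time it consumes. The following Python harness is an added example of that kind of review, written for this article rather than taken from any SIEM product; its already-normalized events, rule names and thresholds are all constructed. It flags rules that never fire (candidates to retire) and rules that fire on a large share of events (candidates to tune), and it keeps the one regex-based rule cheap by testing a field equality before the regex.

```python
"""Toy rule-review harness: run a SIEM-style rule set over normalized events
and report per-rule hit counts and evaluation cost. Added example; not from
any real product."""
import re
import time
from dataclasses import dataclass
from typing import Callable

# Constructed, already-normalized events (not from any real system).
EVENTS = [
    {"source": "auth", "action": "login_failed", "src_ip": "203.0.113.7", "user": "root", "detail": "Failed password for root"},
    {"source": "auth", "action": "login_failed", "src_ip": "203.0.113.7", "user": "admin", "detail": "Failed password for admin"},
    {"source": "auth", "action": "login_failed", "src_ip": "203.0.113.7", "user": "admin", "detail": "Failed password for admin"},
    {"source": "auth", "action": "login_success", "src_ip": "203.0.113.7", "user": "admin", "detail": "Accepted password for admin"},
    {"source": "firewall", "action": "deny", "src_ip": "203.0.113.7", "dport": 23, "detail": "deny tcp/23"},
    {"source": "firewall", "action": "deny", "src_ip": "198.51.100.9", "dport": 22, "detail": "deny tcp/22"},
    {"source": "firewall", "action": "allow", "src_ip": "198.51.100.9", "dport": 443, "detail": "allow tcp/443"},
    {"source": "ids", "action": "ids_alert", "src_ip": "203.0.113.7", "detail": "ET SCAN Potential SSH Scan"},
]

SCAN_RE = re.compile(r"\bSCAN\b")


@dataclass
class Rule:
    name: str
    predicate: Callable[[dict], bool]
    hits: int = 0
    elapsed_ns: int = 0


def build_rules():
    """Constructed rule set; names and logic are illustrative only."""
    return [
        Rule("root_login_failed", lambda e: e["action"] == "login_failed" and e.get("user") == "root"),
        Rule("any_login_failed", lambda e: e["action"] == "login_failed"),
        Rule("telnet_denied", lambda e: e["source"] == "firewall" and e.get("dport") == 23),
        Rule("legacy_ftp_denied", lambda e: e["source"] == "firewall" and e.get("dport") == 21),
        # Cheap equality check first, so the regex only runs on IDS events.
        Rule("ids_scan_signature", lambda e: e["source"] == "ids" and bool(SCAN_RE.search(e["detail"]))),
    ]


def evaluate(events, rules):
    """Run every rule over every event, accumulating hits and wall-clock cost per rule."""
    for ev in events:
        for rule in rules:
            start = time.perf_counter_ns()
            matched = rule.predicate(ev)
            rule.elapsed_ns += time.perf_counter_ns() - start
            if matched:
                rule.hits += 1
    return rules


def review(rules, n_events, noisy_ratio=0.25):
    """Per-rule report: hit count, hit rate, share of total evaluation time, and a tuning flag."""
    total_ns = sum(r.elapsed_ns for r in rules) or 1
    report = {}
    for r in rules:
        hit_rate = r.hits / n_events
        if r.hits == 0:
            flag = "never_fired"   # candidate to retire
        elif hit_rate > noisy_ratio:
            flag = "noisy"         # candidate to tighten or demote
        else:
            flag = "ok"
        report[r.name] = {"hits": r.hits, "hit_rate": round(hit_rate, 3),
                          "time_share": round(r.elapsed_ns / total_ns, 3), "flag": flag}
    return report


def run_review():
    rules = evaluate(EVENTS, build_rules())
    return review(rules, len(EVENTS))


if __name__ == "__main__":
    for name, row in run_review().items():
        print(f"{name:22} hits={row['hits']} rate={row['hit_rate']} time={row['time_share']} {row['flag']}")
```

Run periodically against a representative sample of production events, a report like this turns "constantly assess the rules" into a concrete list: retire what never fires, rework what fires on everything, and look at the time share of whatever is left.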
SIEM systems have become integral pieces of corporate defenses and have evolved into flexible platforms for detection, response, and investigation of incidents. Enterprises deploying SIEMs have a wide range of options for how to use them and what information to plug into the systems.
Making the most efficient use of SIEMs requires organizations to constantly monitor the ways in which their internal teams are using the systems and fine-tune the data flows the systems take in. Security teams should determine what they want to achieve by deploying a SIEM, then adjust the system to help meet those goals in order to have the best chance of success.