SIEM solutions occupy a contradictory place in the modern cybersecurity discussion. On the one hand, the cybersecurity paradigm is shifting from a preventative model—one which favored endpoint security—to a detection model which should favor SIEM’s threat investigation capabilities.
On the other hand, SIEM is one of the least understood subfields in cybersecurity overall. It has a reputation of being complicated, time and labor intensive, and expensive; many of those responsible for their enterprise’s purchasing decisions don’t understand what they need from SIEM. In fact, some research indicates that 1 in 5 American adults lack basic cybersecurity knowledge.
Yet the need for SIEM solutions and subsequent SIEM success has never been higher. Advanced threats are exploiting the increasingly porous IT perimeters from cloud adoption—penetrating preventative solutions. 60% of cyber attacks involve lateral movements. According to Carbon Black, half of all cyber attacks have built-in contingency components to thwart incident response attempts. Somewhere around 90% of digital retail login attempts are credential stuffing attacks.
SIEM success can provide the threat detection, data analytics, data forensics, and incident response capabilities necessary to survival in this new digital world. But how can your enterprise achieve SIEM success?
We took a look at the “Six Steps to SIEM Success” whitepaper from solution provider AlienVault. Here are just a few of the expert ideas they found:
Know Your Enterprise’s SIEM Use Case(s)
The first step to finding SIEM success involves understanding your enterprise’s particular use-case or use-cases. No two products or solutions are identical, even though they may appear similar on the surface. Each might be better suited to different industries or different use-cases.
SIEM uses-cases can include but are not limited to:
- Authentication Tracking
- Malware Detection
- Suspicious Outbound Traffic Monitoring
- Facilitating EDR
- Log and Threat Intelligence Correlation
- Cloud Activity Monitoring
Know Where You Want to Deploy SIEM
Depending on your enterprise’s network size and the location of your most valuable digital assets and databases, you may want to consider deploying your SIEM solution in a few choice locations rather than across your network as a whole.
The fact of the matter is that SIEM solutions require time to deploy properly and for your IT security team to learn and incorporate into their processes. Trying to deploy your solution across your whole network simultaneously can only cause more confusion and eat up more time—a valuable and limited resource in cybersecurity—than is optimal.
Instead of inviting that stress onto your probably overtaxed IT security team, pick the databases that you know need the most monitoring and begin deploying your SIEM solution there. Even as you expand your deployment, consider prioritizing security event correlations and alerts from these key areas to reduce the time eaten by false positives.
One of the keys to SIEM success might be to start small.
Know Where You Collect Your Data (and How You Correlate It)
When your SIEM solution is working optimally—when you have SIEM success—it’s collecting, standardizing, and analyzing security event information from across your enterprise to find potential threats dwelling in your network.
But where is it drawing this information from? And how is it correlating this information to discover potential threats?
The answer to both of these will lie in your IT security team and the correlation rules they write. These rules must correspond with the latest threat intelligence and with the most essential databases and digital assets as discussed above. Furthermore, your IT security team should be continually updating and evaluating these correlation processes to make sure they are optimal.
SIEM success isn’t just dependent on the technology—it’s how you and your IT team uses and maintains it!
Latest posts by Ben Canner (see all)
- 3 Ways to Reduce the Need For Human Intelligence in SIEM - November 14, 2019
- The Cybersecurity Skills Gap Exceeds 4 Million Jobs. What Can You Do? - November 7, 2019
- Sumo Logic Acquires JASK for its SOC Capabilities - November 4, 2019