This past week has seen a series of major data breaches that remind us just how essential SIEM best practices are for enterprises in the modern digital marketplace. As just one example, Athletic apparel giant Adidas announced yesterday that an unauthorized party had gained access to millions of customers’ personal identifying information including encrypted passwords. Earlier this week, marketing data company Exactis allegedly leaked 340 million users’ personal data—a leak that may rival the Equifax breach.
SIEM best practices are essential to detecting, mitigating, and remediating these kinds of digital threats. Yet simply encouraging your IT security team or help desks to embrace SIEM best practices isn’t enough. SIEM is not just an issue of security or technology—it’s an issue of business processes and efficiency. And with 47% of data breaches being the result of employee errors, it’s clear that SIEM best practices need to be internalized through your enterprise to achieve true success.
How? Here are a few suggestions:
Make SIEM Best Practices Core Business Processes
The best way to show your employees that you intend to take SIEM best practices seriously is to, well, take them seriously in your enterprise’s day-to-day routines.
For example, you can start by training your employees on how to spot potential phishing responses through lectures, gamified experiences, or whatever method you think will best reach them. Once you have done that, your enterprise needs to take the next step that so many others don’t: hold your employees accountable for utilizing their knowledge of phishing attacks in their business activities. Give praise or offer incentives to employees who successfully spot a phishing attack email before it can infiltrate your network proper. Make this awareness a regular part of your employee evaluations at their milestone marks, and a possible factor in their promotion or raise considerations.
You don’t want to be draconian about enforcing SIEM best practices—even the most aware employees will inevitably make a mistake—but you need to change your enterprise’s culture to make SIEM best practices a core part of your business processes. Carelessness shouldn’t be tolerated outside of the digital realm, and it shouldn’t be tolerated within it either.
Make Sure Storage Locations Are Communicated
The sad truth of modern cybersecurity is that no matter what preventative perimeter safeguards are deployed, no enterprise’s network is 100% effective against digital threat actors. It may well deter less experienced hackers from targeting you, but that does not mean your enterprise will never be targeted.
Today’s SIEM best practices, therefore, prioritize detecting and removing threats promptly over preventing threats, stopping threats from accessing the most sensitive databases or digital assets in your enterprise’s network. Yet this is futile if your IT security team doesn’t know where these databases or assets are within the network.
SIEM solutions can offer better visibility into your network by compiling and aggregating security event information from throughout the IT environment. However, IT security teams still find it difficult to know how to prioritize potential security events in the resultant deluge of information. You should have your employees and department leaders assess what databases and assets are most essential to their operations and ensure that your IT security teams know where to find them.
Additionally, make it a core business process that whenever a department or employee creates a new database or digital asset, they alert the security team so they will know what it is, what it contains, and how to find it. Visibility and communication are the keys to the long-term success of any cybersecurity platform.
Have A Comprehensive Incident Response (That Everyone Knows)
Regardless of your enterprise’s particular SIEM solution or cybersecurity platform, you absolutely need an Incident Response Plan as part of your SIEM best practices. But an incident response plan by itself isn’t enough: it needs to be comprehensive enough to accommodate all aspects of a potential data breach, including:
- Preparation: Who will do what during a data breach or other digital security event? What resources or endpoints will be used during a breach? Whose credentials will be used? How will security events be prioritized and documented? Who will communicate with investors, law enforcement, and consumers?
- Reporting: Who is responsible for reporting a breach? How will the breach be reported to your incident response team? How will the potential security event be documented for easier detection and containment?
- Eradication and Recovery: Who will determine if a data breach or security event is resolved, and by what mechanisms? Who is responsible for making sure critical data is backed-up, and what solutions do you have in place to ensure disaster recovery? How will your system be evaluated in the aftermath of a breach for potential reconfiguration?
SIEM best practices dictate that you implement the capabilities to hunt down threats that have already penetrated your network perimeter. But without a layered, comprehensive incident response plan in place, your IT security team won’t know what to do to effectively remove the found threat.
On a similar note, it’s important you take the time to drill your IT security team so they know to follow your incident response plan. This will have the dual benefit of training your employees (they can’t follow what they don’t know) and seeing where the plan needs reevaluation or correction. But at the same time, your enterprise needs run these drills throughout your enterprise so all of your employees will understand what kinds of digital behaviors are suspicious and thus warrant reporting to the security team as well as who they should speak to when reporting.
Latest posts by Ben Canner (see all)
- Key Findings: 2020 Gartner Peer Insights Customers’ Choice for Security Information Event Management (SIEM) - July 10, 2020
- 2020 Vendors to Know: SOAR - July 8, 2020
- Should We Move to a New Definition of SIEM? - July 6, 2020