Is There an Optimal SIEM Approach for Your Business?

SIEM is one of the most complex branches of cybersecurity, with every vendor offering a unique variation on the theme. At its core, SIEM collects logged security event data from around the enterprise network. It then aggregates and analyzes that data, looking for commonalities and other signs of a cyber attack. If it detects an attack, the solution sends an alert to the security team for investigation.

Of course, beyond differences in capabilities, businesses face differences in deployment and maintenance. Not only do enterprises need to consider their industry, size, employee behaviors, and infrastructure sprawl, but they must also consider what cybersecurity talent they possess on hand. 

At first glance, this feels like a lot of information to weigh and consider. How can you form your optimal SIEM approach? Here are a few hints to get you started. 

How to Start Your Optimal SIEM Approach for Your Business 

1. Be Prepared to Invest

First, you should make sure you budget your cybersecurity appropriately. This may require speaking to your C-suite and presenting the benefits of adequate cybersecurity and SIEM protections; because a significant proportion of customers won’t engage with businesses after a data breach, cybersecurity becomes essential to preserving your bottom line.

However, our maxim “be prepared to invest” doesn’t end with monetary investment. Instead, for optimal SIEM, you need an investment of both time and talent. Unfortunately, SIEM is not a “set-it-and-forget-it” tool (in truth, there is rarely if ever such a thing in cybersecurity). You need ongoing monitoring via human stewardship to ensure good performance.

Additionally, your business can’t just select a solution. You need to invest time in customizing and fine-tuning to make sure the SIEM solution fits your business processes and databases. 

2. Don’t Give in to Complacency

Having a SIEM solution doesn’t mean you are fully, 100 percent secure. In fact, no solution can guarantee total protection against internal and external threat actors. The goal of cybersecurity is to reduce the risks of conducting business and storing data digitally to as close to zero as possible. It is as much about deterrence as it is about active defense.

However, this fact has yet to permeate across businesses and decision-makers. In fact, a serious problem comes from assuming your cybersecurity can ensure your business’ safety. This becomes doubly troubling when it includes SIEM; since SIEM provides an alerting capability, some IT decision-makers suffer from complacency. “The solution will let us know when there is a problem” best summarizes this line of thought. 

Yet this is a dangerous attitude. SIEM can help find problems, but optimal SIEM partners with human intelligence to uncover threats. You need to make sure you have strong detection tools like EDR to uncover threats before an alert triggers. Also, you need to engage in regular threat hunting to help uncover the threats your SIEM might miss.

3. Reduce False Positives (As Much As Possible)

One of the most persistent challenges in SIEM involves false positives. Unfortunately, SIEM can have difficulty distinguishing between normal activity and abnormal behaviors. Tools like user and entity behavior analytics (UEBA) or contextualization can help distinguish between false positives and real alerts. However, this rarely solves 100 percent of the problem.

Make no mistake, false positives are a problem. They could bury real leads in garbage and contribute to significant cybersecurity burnout—at a time when such talent is already limited. 

For optimal SIEM performance, you need to make sure that you configure your SIEM rules appropriately. This requires not only a time investment but an analysis of your business processes and data behaviors. You must understand what is baseline behavior and be able to communicate that information to your SIEM solution. 
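A small illustration of the baselining this section describes, added here as an example and not taken from the original article: a static failed-login rule beside one that compares each host's failure count against that host's own historical rate, run over constructed sample events. Host names, user names, the window sizes and the thresholds are all assumptions for the demonstration.

```python
"""Static SIEM rule vs. a baseline-aware rule over constructed login events."""
from collections import Counter


def _fails(hour, host, user, n):
    """Build n constructed failed-login events for one host/user in one hour."""
    return [(hour, host, user, "FAIL")] * n


# Constructed history: a CI server whose service account fails four logins
# every hour as part of normal operation (a classic false-positive source),
# and a workstation with no failures at all.
BASELINE_HOURS = 3
BASELINE_EVENTS = (
    _fails(1, "build-srv", "svc_ci", 4)
    + _fails(2, "build-srv", "svc_ci", 4)
    + _fails(3, "build-srv", "svc_ci", 4)
    + [(2, "workstation-7", "alice", "OK")]
)

# Constructed window under evaluation: the CI server behaves as usual, while
# the workstation suddenly shows five failures in one hour.
CURRENT_EVENTS = (
    _fails(4, "build-srv", "svc_ci", 4)
    + _fails(4, "workstation-7", "alice", 5)
    + [(4, "workstation-7", "alice", "OK")]
)


def failures_per_host(events):
    """Count FAIL outcomes per host."""
    return Counter(host for _h, host, _u, outcome in events if outcome == "FAIL")


def naive_rule(events, threshold=3):
    """Static rule: alert on every host with at least `threshold` failures."""
    return sorted(h for h, n in failures_per_host(events).items() if n >= threshold)


def baseline_rule(baseline_events, events, baseline_hours, factor=3, floor=3):
    """Alert only when a host's failures exceed `factor` times its own hourly
    baseline; hosts with no history fall back to the static `floor`."""
    base = failures_per_host(baseline_events)
    alerts = []
    for host, n in failures_per_host(events).items():
        hourly_avg = base[host] / baseline_hours  # 0.0 for unseen hosts
        if n >= max(floor, factor * hourly_avg):
            alerts.append(host)
    return sorted(alerts)
```

Run against the constructed data, the static rule alerts on both hosts (the CI server is a false positive), while the baseline rule alerts only on the workstation whose behavior actually changed.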

Of course, you can learn more about SIEM in our Buyer’s Guide.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.