The 5 Key Lessons for Enterprise SIEM in 2019

Weak cybersecurity costs your enterprise in the long term. Customers and clients choose not to associate with enterprises that put their data or businesses at risk, and attackers can use your business as a stepping stone to your partners and customers, just as they can use a compromised partner to reach you.

Further, the dangers of a breach extend beyond the initial attack. It is often claimed that a data breach can put a small-to-medium-sized business (SMB) out of business within six months. Even for large enterprises, a breach can cost millions in fines and lost customer trust. The current model of cybersecurity assumes that some attacks will get past prevention, so you need to emphasize threat detection and response, not prevention alone.

Therefore, your enterprise needs a SIEM solution in 2019. However, enterprises often feel intimidated by SIEM. It carries a reputation for being overly complicated and expensive.

The good news is SIEM doesn’t have to cause you more stress. In fact, armed with some lessons for enterprise SIEM in 2019, you can benefit from an even stronger cybersecurity platform.

Therefore, we present our five key lessons for enterprise SIEM in 2019. 

Five Key Lessons for Enterprise SIEM in 2019

1. Make Your Threat Intelligence Satisfactory

Intelligence is only useful if it applies to your enterprise. For example, knowing which ransomware families currently target manufacturers may not help your retail business.

Therefore your SIEM solution in 2019 must provide your enterprise with multiple relevant threat intelligence feeds. These feeds should match your particular use case: industry, size, employee practices, and IT environment.

Moreover, these feeds must scale and adapt with both your enterprise and the evolving threat landscape; indicators age out, and a feed that never expires its entries only generates stale matches. The intelligence should also arrive in a form your IT security team can act on: machine-readable indicators for automated matching, plus enough context (source feed, confidence, when it was first seen) for an analyst to judge a hit.
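The following is an added example, not code from the original article or any vendor's product. It shows the relevance filtering and matching described above: indicators from several feeds are kept only if they fit the organisation's sector, are fresh, and are confident enough, and the survivors are matched against events the SIEM has already normalized into a common field schema. The feed names, sector tags, indicator values, addresses (RFC 5737 ranges), hash and events are all constructed for illustration.

```python
"""Filter threat-intelligence indicators for relevance and match them against
normalized SIEM events.  Added example; feed names, sector tags, indicator
values and events are constructed, not taken from any real feed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Indicator:
    value: str              # IP address, domain name or SHA-256 file hash
    kind: str               # "ip", "domain" or "sha256"
    feed: str               # the feed that supplied the indicator
    sectors: frozenset      # industries the feed tags the campaign with (empty = all)
    first_seen: datetime    # when the feed first reported it
    confidence: int         # feed-reported confidence, 0-100


# Assumed organisation profile: a retail business that wants fresh, high-confidence intel.
ORG_PROFILE = {"sector": "retail", "min_confidence": 60, "max_age": timedelta(days=30)}

NOW = datetime(2019, 3, 1, tzinfo=timezone.utc)

# Constructed feed contents; each line after the first is designed to be dropped for one reason.
FEED = [
    Indicator("203.0.113.10", "ip", "vendor-a", frozenset({"retail", "hospitality"}), NOW - timedelta(days=5), 85),
    Indicator("198.51.100.7", "ip", "vendor-b", frozenset({"manufacturing"}), NOW - timedelta(days=2), 90),  # wrong sector
    Indicator("update-cdn.example", "domain", "vendor-a", frozenset(), NOW - timedelta(days=90), 70),         # stale
    Indicator("bad-login.example", "domain", "isac", frozenset({"retail"}), NOW - timedelta(days=1), 40),     # low confidence
    Indicator("0123abcd" * 8, "sha256", "isac", frozenset({"retail"}), NOW - timedelta(days=10), 95),
]

# Constructed events, already normalized by the SIEM into a common field schema.
EVENTS = [
    {"host": "pos-01", "dst_ip": "203.0.113.10"},
    {"host": "pos-02", "dst_ip": "198.51.100.7"},
    {"host": "ws-11", "dns_query": "update-cdn.example"},
    {"host": "ws-12", "dns_query": "bad-login.example"},
    {"host": "srv-03", "file_hash": "0123abcd" * 8},
]

# Which normalized event field carries each indicator kind.
FIELD_FOR_KIND = {"ip": "dst_ip", "domain": "dns_query", "sha256": "file_hash"}


def relevant(ind, profile, now):
    """True if the indicator fits the organisation's sector and is fresh and confident enough."""
    if ind.sectors and profile["sector"] not in ind.sectors:
        return False
    if now - ind.first_seen > profile["max_age"]:
        return False
    return ind.confidence >= profile["min_confidence"]


def build_index(indicators, profile, now):
    """Index only the relevant indicators by (kind, value) for constant-time lookup per event."""
    index = {}
    for ind in indicators:
        if relevant(ind, profile, now):
            index.setdefault((ind.kind, ind.value), []).append(ind)
    return index


def match_events(events, indicators, profile, now):
    """Return one hit per (event, indicator) pair, carrying the feed context an analyst needs."""
    index = build_index(indicators, profile, now)
    hits = []
    for ev in events:
        for kind, field in FIELD_FOR_KIND.items():
            value = ev.get(field)
            if value is None:
                continue
            for ind in index.get((kind, value), []):
                hits.append({
                    "host": ev["host"],
                    "indicator": ind.value,
                    "kind": kind,
                    "feed": ind.feed,
                    "confidence": ind.confidence,
                    "age_days": (now - ind.first_seen).days,
                })
    return hits


if __name__ == "__main__":
    for hit in match_events(EVENTS, FEED, ORG_PROFILE, NOW):
        print(hit)
```

Only two of the five indicators survive the profile, so only two events produce hits; the other three events touch indicators that are either aimed at another sector, too old, or too low in confidence. Each hit carries the feed, confidence and age so the analyst can weigh it without going back to the feed.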

2. Focus on SIEM Deployment in 2019

SIEM deployment tends to confuse IT security teams. Often, they try to deploy a SIEM across the entire IT environment at once. This floods the team with alerts and log data, and finding a legitimate threat in that noise is nearly impossible.

To deploy SIEM effectively in 2019, start small. Take decisive steps in your cybersecurity, but never reckless ones.

Instead, begin by onboarding your most sensitive databases and network segments. Your IT security team can then see how the solution operates: how it collects, normalizes, and stores information, and how it alerts.

Your team can then adjust its correlation rules to suit the environment and reduce false alerts before rolling the solution out to more network areas.

Speaking of alerts…      

3. Refine Your Alerts 

Ideally, next-generation SIEM solutions reduce rather than increase the number of alerts. Too many false positives drain your IT team's time, resources, and willingness to investigate; each false positive treats a normal event as a security event. They also crowd out the alerts for real security events, letting threats dwell longer.

Instead, SIEM should give your IT security team targeted alerts with context (the asset involved, the account, what else happened around the event), so the team can quickly assess whether an alert merits closer investigation. This reduces investigation time and frees the team for other work.

You can also improve alert accuracy through your correlation rules. Nothing in cybersecurity should be set and forgotten; you need to stay actively involved in your SIEM's effectiveness. Therefore, reassess the correlation rules regularly: tune thresholds, add allowlists for known-benign sources such as authorized vulnerability scanners, and retire rules that only ever produce false positives.
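As an added example (not code from the article or from any SIEM product), here is a password-guessing correlation rule in two versions run over a constructed sshd log sample. The naive rule alerts on any burst of failed logins and fires on an authorized vulnerability scanner as readily as on an attacker. The refined rule requires a successful login after the burst, excludes an assumed scanner allowlist, and attaches the context an analyst needs (which accounts were tried, which one finally worked). Hostnames, usernames and addresses are made up; the year is assumed because syslog lines carry none.

```python
"""Brute-force-then-success correlation rule, naive and refined, over constructed
sshd log lines.  Added example; hosts, users and addresses are made up."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: an attacker guessing passwords, an authorized scanner, and a user typo.
LOG_LINES = """\
Mar  1 09:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50211 ssh2
Mar  1 09:00:03 web01 sshd[1203]: Failed password for root from 203.0.113.5 port 50212 ssh2
Mar  1 09:00:05 web01 sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 50213 ssh2
Mar  1 09:00:07 web01 sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 50214 ssh2
Mar  1 09:00:09 web01 sshd[1209]: Failed password for deploy from 203.0.113.5 port 50215 ssh2
Mar  1 09:00:15 web01 sshd[1211]: Accepted password for deploy from 203.0.113.5 port 50216 ssh2
Mar  1 09:10:00 web01 sshd[1301]: Failed password for invalid user admin from 10.0.0.9 port 40001 ssh2
Mar  1 09:10:01 web01 sshd[1302]: Failed password for root from 10.0.0.9 port 40002 ssh2
Mar  1 09:10:02 web01 sshd[1303]: Failed password for invalid user guest from 10.0.0.9 port 40003 ssh2
Mar  1 09:10:03 web01 sshd[1304]: Failed password for invalid user oracle from 10.0.0.9 port 40004 ssh2
Mar  1 09:10:04 web01 sshd[1305]: Failed password for invalid user test from 10.0.0.9 port 40005 ssh2
Mar  1 09:10:06 web01 sshd[1306]: Accepted password for svc-scan from 10.0.0.9 port 40006 ssh2
Mar  1 09:20:00 web01 sshd[1401]: Failed password for alice from 10.0.0.42 port 51000 ssh2
Mar  1 09:20:10 web01 sshd[1402]: Accepted password for alice from 10.0.0.42 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)
LOG_YEAR = 2019  # assumed: syslog timestamps carry no year


@dataclass
class AuthEvent:
    ts: datetime
    host: str
    outcome: str   # "Failed" or "Accepted"
    user: str
    src: str


def parse(text):
    """Normalize raw sshd lines into AuthEvent records, sorted by time; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append(AuthEvent(ts, m["host"], m["outcome"], m["user"], m["src"]))
    return sorted(events, key=lambda e: e.ts)


def naive_rule(events, threshold=5, window=timedelta(minutes=2)):
    """'Before' rule: alert once per source on N failures inside the window.  Fires on scanners too."""
    failures = defaultdict(deque)
    alerted, alerts = set(), []
    for ev in events:
        if ev.outcome != "Failed":
            continue
        q = failures[ev.src]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev.src not in alerted:
            alerted.add(ev.src)
            alerts.append({"src": ev.src, "failures": len(q)})
    return alerts


def refined_rule(events, allowlist=frozenset(), threshold=5, window=timedelta(minutes=2)):
    """Tuned rule: N failures followed by a success from the same source, excluding allowlisted
    sources, with the context an analyst needs to triage the alert."""
    failures = defaultdict(deque)   # src -> deque of (timestamp, username tried)
    alerts = []
    for ev in events:
        if ev.src in allowlist:
            continue
        q = failures[ev.src]
        while q and ev.ts - q[0][0] > window:
            q.popleft()
        if ev.outcome == "Failed":
            q.append((ev.ts, ev.user))
        elif len(q) >= threshold:
            alerts.append({
                "src": ev.src, "host": ev.host,
                "failed_users": sorted({u for _, u in q}),
                "success_user": ev.user,
                "first_failure": q[0][0], "success_at": ev.ts,
            })
            q.clear()
    return alerts


# Assumed: the authorized scanner's address, kept as a SIEM lookup list rather than hard-coded in the rule.
SCANNER_ALLOWLIST = frozenset({"10.0.0.9"})
EVENTS = parse(LOG_LINES)

if __name__ == "__main__":
    print("naive:", naive_rule(EVENTS))
    print("refined:", refined_rule(EVENTS, allowlist=SCANNER_ALLOWLIST))
```

On this sample the naive rule produces two alerts, one of them for the scanner; the refined rule without the allowlist still produces two, because the scanner's authenticated scan also ends in a successful login, and only the allowlist brings it down to the one alert that matters. Keeping the allowlist in a lookup list rather than in the rule body is what lets you revisit it without rewriting the rule.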

4. Involve SIEM in your 2019 Incident Response Plans

Even with the most sophisticated cybersecurity solutions, you need an incident response plan in case of a cyber attack. No preventative solution deflects one hundred percent of attacks, so you must prepare for the worst. With an incident response plan in place, you can limit the damage of an attack.

An incident response plan facilitates communication during a breach or security event. It helps employees recognize threats and know whom to contact when one occurs. Once the security team is alerted, it can contain the threat and notify relevant departments such as legal. In an incident response plan, everyone knows their role.

However, an incident response plan doesn't just pop into existence. You need to define it rigorously and practice it with your employees; if they don't know the plan, it is functionally useless. SIEM can also help with incident response. Next-generation SIEM platforms can trigger automated responses to suspicious activity (for example, isolating a host or disabling an account) and can support threat hunting, helping you find threats before the incident response plan is triggered.

5. Utilize Artificial Intelligence  

In SIEM products, artificial intelligence (AI) generally means machine learning: the ability of the solution to learn what is normal in your environment from past data and to improve its detections from analyst feedback. This brings real benefits. Machine learning can lower the cost of detecting and responding to cyber attacks, increase the speed of threat detection and remediation, and help eliminate false positives as they are discovered. It does not replace your correlation rules or your analysts, though; models need good baseline data and ongoing feedback to stay accurate.
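The following is an added example, not the article's or any vendor's algorithm, of the simplest form of "learning from experience" a SIEM can offer: a per-host statistical baseline that flags outbound traffic far above the host's own history, plus an analyst feedback loop in which values marked as false positives are remembered (a nearest-neighbour check) and folded into the baseline so the same benign spike is not raised again. The 14-day history and the "today" values are constructed; the threshold and tolerance are assumed.

```python
"""Per-entity baseline anomaly detection with analyst feedback.  Added example;
the host names and daily outbound-megabyte counts are constructed."""
import statistics

# Constructed 14-day history of outbound megabytes per host.
HISTORY = {
    "pos-01": [80, 83, 78, 81, 79, 82, 80, 77, 84, 80, 81, 79, 82, 80],
    "pos-02": [50, 52, 48, 51, 49, 50, 53, 47, 50, 51, 49, 52, 48, 50],
    "srv-03": [100, 102, 98, 101, 99, 100, 103, 97, 100, 101, 99, 102, 98, 100],
}

# Constructed 'today': srv-03 ran its monthly backup (benign), pos-02 is exfiltrating.
TODAY = {"pos-01": 82, "pos-02": 500, "srv-03": 400}


def zscore(value, history):
    """How many standard deviations 'value' sits from the entity's own baseline."""
    mean = statistics.mean(history)
    sd = statistics.stdev(history) if len(history) > 1 else 0.0
    sd = max(sd, 1e-9)  # perfectly flat history would otherwise divide by zero
    return (value - mean) / sd


class BaselineDetector:
    def __init__(self, history, threshold=3.0, tolerance=0.25, min_history=7):
        self.history = {k: list(v) for k, v in history.items()}
        self.threshold = threshold      # assumed: alert above 3 standard deviations
        self.tolerance = tolerance      # assumed: +/-25% of a labelled-benign value is 'the same'
        self.min_history = min_history  # too little history means no baseline to judge against
        self.benign = {}                # entity -> values an analyst labelled as false positives

    def suppressed(self, entity, value):
        """Nearest-neighbour check against values the analyst already called benign."""
        return any(abs(value - b) <= self.tolerance * b for b in self.benign.get(entity, []))

    def detect(self, observations):
        """Return alerts for entities whose value deviates from their baseline and is not known-benign."""
        alerts = []
        for entity, value in observations.items():
            hist = self.history.get(entity, [])
            if len(hist) < self.min_history:
                continue  # new entity: a static rule must cover it until a baseline exists
            z = zscore(value, hist)
            if z > self.threshold and not self.suppressed(entity, value):
                alerts.append({"entity": entity, "value": value, "z": round(z, 1)})
        return alerts

    def feedback(self, entity, value, false_positive):
        """Analyst verdict.  Benign values are remembered and fold into the baseline;
        confirmed malicious values are kept out of it so they do not become 'normal'."""
        if false_positive:
            self.benign.setdefault(entity, []).append(value)
            self.history.setdefault(entity, []).append(value)


if __name__ == "__main__":
    detector = BaselineDetector(HISTORY)
    print("first pass:", detector.detect(TODAY))
    detector.feedback("srv-03", 400, false_positive=True)
    detector.feedback("pos-02", 500, false_positive=False)
    print("after feedback:", detector.detect(TODAY))
```

On the first pass both spikes are flagged, because a model has no way to know a backup from an exfiltration. After the analyst marks the backup as benign, the same observation is suppressed on the next pass while the exfiltration still alerts. Note that one labelled sample barely moves the z-score of a 14-day baseline; it is the remembered verdict, not the shifted average, that suppresses the repeat, which is why feedback handling matters as much as the model itself.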

The lessons of enterprise SIEM in 2019 focus on what you can do for SIEM. But SIEM offers your enterprise a great deal in return: log management, log normalization, threat detection, compliance reporting, threat intelligence, and more. As cybersecurity continues to emphasize detection and response, SIEM is more than an extra feature. It's a need.

You can learn more about all this in our 2019 SIEM Buyer's Guide. We cover the top solution providers in the market and their key capabilities, and we provide a Bottom Line for each. We also provide more information in our SIEM Vendor Map, which covers how the top vendors emphasize their key capabilities.


Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghostwriter. You can reach him via Twitter and LinkedIn.