What data should your SIEM solution ingest for optimal performance?
In traditional SIEM strategy and execution, SIEM collects and ingests data from throughout the enterprise network. Then, the solution normalizes the data for easy analysis and uses the information to uncover security events. Therefore, IT security teams can discover and investigate potentially connected security events and uncover breaches early.
As it can uncover security issues and attacks from anywhere, SIEM and similar cybersecurity technologies like SOAR take on special importance during the coronavirus pandemic. SIEM can help with investigations even on remote devices. Additionally, its data ingestion capabilities can uncover malicious user behaviors.
However, this traditional understanding of SIEM doesn’t address a significant problem in legacy SIEM and in SIEM misconfiguration: improper data. Not all data generated by enterprises—which could total in the terabytes every week—is relevant. How do you know what your SIEM should ingest?
What Data Should Your SIEM NOT Ingest?
Let’s begin to answer this question by examining the opposite. What should you avoid plugging into your cybersecurity for optimal performance?
First, your security team should not try to feed your SIEM every log generated by your business’ infrastructure. After all, this creates a serious challenge to your IT security team. The more logs you feed into your SIEM, the more alerts you create…and thus the more potential false positives. The chances that the system mistakes normal behavior as suspicious rise exponentially. This could cause serious burnout, not to mention the burying of legitimate alerts beneath the deluge.
Additionally, this puts the success or failure of your SIEM policy on your IT security team, who must maintain your solution and moderate its effectiveness.
What Data Should You Seek Out?
Instead of trying to ingest all log data, select only the log data based on the most critical databases and digital locations. That way, you can ensure that the information and alerts generated by the SIEM solution is worth your team’s time and energy to investigate. Additionally, you should make sure your solution ingests the activities and behaviors of your users via UEBA.
This could help prevent account compromise and insider threats over the long term.
Learn more in our SIEM Buyer’s Guide.
Latest posts by Ben Canner (see all)
- Top Five SIEM Books for Cybersecurity Professionals - September 17, 2020
- The Staples Data Breach: Why “Low Impact” Breaches Still Cause Serious Damage - September 15, 2020
- Recent SIEM Statisitics for Cybersecurity Professionals: Q3 2020 - September 11, 2020