One of the perpetual challenges of enterprise SIEM is deciding where to collect logs from. The shift to remote work forced by COVID-19 has only amplified that question.
Here are the basics of the problem: a SIEM collects logs from across the IT environment and aggregates them. This is the cornerstone of SIEM as a cybersecurity solution; the logs are normalized, correlated and analyzed to discover security events and generate alerts.
However, trying to draw logs from everywhere in the IT environment all at once can create more problems than it solves. First, ingesting everything tends to break correlation rules and piles up data faster than the solution can process it, which can overwhelm the SIEM. Second, more logs mean more false-positive alerts, which burn out analysts and bury legitimate leads.
On the surface, this might seem like an easy problem to solve. All you need to do, in theory, is be more selective about which sources you draw logs from and keep a close eye on the correlation rules. Yet the COVID-19 pandemic, and the shift to remote work en masse, has thrown that calculation out of balance.
In other words, where do you collect logs from during COVID when the entire business operates remotely?
Here are a few pointers. Use user and entity behavior analytics (UEBA), starting with the most privileged accounts; their behavior and credentials have the largest impact on your network, so they deserve the tightest baseline and the closest watch. Also, keep your sensitive data centralized so you can monitor it closely; use data loss prevention (DLP) to stop users from uploading data to unauthorized locations such as public cloud services. That way, even though users work remotely, the data stays in a small number of places whose logs you can collect and review.
Finally, make sure the rules that turn log events into alerts reflect the current circumstances. A remote login, for example, might reasonably have triggered an alert before COVID, but it is now a normal part of the business day; the rule has to key on deviations from each user's own baseline instead.
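The two pointers above, a tighter baseline for privileged accounts and a remote-login rule that no longer fires on "remote" alone, can be combined into one small scoring routine. The following is an added example written for this page, not code from the original post or from any SIEM product; the corporate network range, the list of privileged accounts, the per-user baseline networks and the log lines are all constructed for illustration.

```python
"""Prioritized login-anomaly scoring over constructed authentication events.

Shows two ideas from the text: (1) privileged accounts get a stricter
verdict when they step outside their own behavioral baseline, and
(2) logging in from outside the office is not, by itself, an alert any
more; only a deviation from the user's own baseline is.
Everything below (network ranges, users, IPs, log lines) is made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumption: the SIEM knows the corporate address space and which accounts
# are privileged (e.g. from a directory group). Both values are invented.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PRIVILEGED = {"domadmin", "svc-backup"}

# Constructed baseline: the /24 networks each user's successful logins came
# from during a learning window. In practice this is derived from history;
# note that a remote (non-corporate) network can be a perfectly normal one.
BASELINE = {
    "alice": {"10.1.2.0/24", "203.0.113.0/24"},
    "domadmin": {"10.1.9.0/24", "198.51.100.0/24"},
    "svc-backup": {"10.1.9.0/24"},
}

# Constructed log lines in a simple syslog-like key=value shape.
SAMPLE_LOG = """\
2020-11-20T08:01:11Z auth user=alice src=203.0.113.45 result=success
2020-11-20T08:02:30Z auth user=alice src=10.1.2.7 result=success
2020-11-20T08:05:02Z auth user=domadmin src=198.51.100.23 result=success
2020-11-20T08:06:40Z auth user=domadmin src=192.0.2.77 result=success
2020-11-20T08:10:01Z auth user=svc-backup src=192.0.2.77 result=failure
2020-11-20T08:10:03Z auth user=svc-backup src=192.0.2.77 result=failure
2020-11-20T08:10:05Z auth user=svc-backup src=192.0.2.77 result=success
2020-11-20T08:12:00Z auth user=bob src=192.0.2.9 result=success
"""

FAIL_WINDOW = timedelta(minutes=5)  # failures older than this are forgotten


def parse_line(line):
    """Parse one '<ts> auth k=v k=v ...' line into a dict with a datetime ts."""
    ts, _tag, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def net24(ip):
    """Collapse a source address to its /24 so a DHCP lease change is not 'new'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def score_logins(events, baseline=BASELINE, privileged=PRIVILEGED):
    """Return alerts for successful logins that deviate from each user's baseline.

    Being remote is recorded on the alert but never drives the severity.
    """
    alerts = []
    recent_failures = defaultdict(list)  # (user, src) -> failure timestamps
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] != "success":
            recent_failures[key].append(ev["ts"])
            continue
        # Count failures from the same source inside the window; a success ends the burst.
        n_fail = sum(1 for t in recent_failures[key] if ev["ts"] - t <= FAIL_WINDOW)
        recent_failures[key] = []

        user_nets = baseline.get(ev["user"])
        if user_nets is not None and net24(ev["src"]) in user_nets:
            continue  # normal for this user, remote or not: no alert

        reasons = ["no baseline for user yet" if user_nets is None
                   else "source network outside user's baseline"]
        severity = "low"
        if ev["user"] in privileged:
            severity = "high"
            reasons.append("privileged account")
        if n_fail:
            severity = "high"
            reasons.append(f"success after {n_fail} failures from same source")
        alerts.append({"ts": ev["ts"], "user": ev["user"], "src": ev["src"],
                       "remote": not is_corporate(ev["src"]),
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in score_logins(parse_log(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["user"], alert["src"],
              "remote" if alert["remote"] else "onsite", "; ".join(alert["reasons"]))
```

Run as-is, the script stays silent on alice's login from 203.0.113.45, which is remote but inside her baseline, and on domadmin's login from the known remote network. It raises high-severity alerts for domadmin and svc-backup appearing from a network neither has used before (the latter after two failures from the same address), and only a low-severity note for bob, who has no baseline yet. Swapping the /24 collapse for a geolocation or ASN lookup is the natural next step, but the shape of the rule is the point: remote is a property of the alert, not its trigger.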
You can learn more in our SIEM Buyer’s Guide.
Latest posts by Ben Canner