Security Information and Event Management (SIEM) technology has firmly established itself as a critical component of any robust cyber-security operation. SIEM tools aggregate data from multiple log sources and analyze it against rules written by the organization's security professionals. Properly tuned, these tools let teams make important decisions quickly. Poorly tuned, they can do more harm than good, burying real incidents in noise and leaving your organization exposed.
Here are a few key factors to keep in mind when reviewing your company’s SIEM capabilities:
Ensure Complete Coverage and Visibility
A SIEM only does what it is configured to do. Before connecting the various technologies to it, the person who owns the deployment needs a clear understanding of the organization's security needs, grounded in the current network architecture and topology, so that the system is configured to match those needs. Connecting sources without a coherent monitoring strategy leaves critical blind spots that put the whole environment at risk. Because many SIEM platforms charge by ingested data volume, enterprises weigh the cost of adding a data source against the value of having it monitored, and sometimes leave important data sets out of the SIEM altogether, monitoring them through a patchwork of other systems instead. That is not quality cybersecurity: a source that is not in the SIEM cannot be correlated with the sources that are.
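To make the coverage point concrete, here is an added example (written for this page, not part of the original article or any vendor's product) of a check a team can run against its own monitoring strategy: compare the inventory of sources that are supposed to be in the SIEM with what the SIEM has actually received recently. A source that has gone quiet longer than its expected heartbeat is a blind spot, a source that was never seen is an onboarding gap, and a source sending logs that the inventory never mentioned is something the strategy has not accounted for. The hostnames, silence thresholds and last-seen timestamps are constructed for the illustration.

```python
"""Log-source coverage check for a SIEM deployment.

Added illustration: compares the asset inventory the monitoring strategy
says must be in the SIEM against the "last event received" table the SIEM
reports. All hosts, thresholds and timestamps below are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed inventory: source -> maximum tolerable silence. A domain
# controller or firewall logs constantly; a database that only ships
# audit logs in a nightly batch may legitimately be quiet for a day.
EXPECTED_SOURCES = {
    "dc01.corp.example": timedelta(minutes=15),
    "fw-edge-01": timedelta(minutes=5),
    "vpn-gw-01": timedelta(minutes=15),
    "hr-db-01": timedelta(hours=24),
    "web-prod-01": timedelta(minutes=30),
}

# Constructed "last event received" table, as a SIEM would report it.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
LAST_SEEN = {
    "dc01.corp.example": NOW - timedelta(minutes=2),
    "fw-edge-01": NOW - timedelta(hours=3),       # silent 3 h: forwarder down?
    "hr-db-01": NOW - timedelta(hours=20),        # quiet, but within tolerance
    "web-prod-01": NOW - timedelta(minutes=10),
    "lab-jumpbox-07": NOW - timedelta(minutes=1), # logging, but not in the inventory
}


def coverage_report(expected, last_seen, now):
    """Return three sorted lists:
    - silent:     (source, gap) for inventory sources past their silence threshold
    - never_seen: inventory sources the SIEM has no events from at all
    - unexpected: sources the SIEM sees that the inventory never mentioned
    """
    silent, never_seen, unexpected = [], [], []
    for source, max_gap in expected.items():
        if source not in last_seen:
            never_seen.append(source)
        elif now - last_seen[source] > max_gap:
            silent.append((source, now - last_seen[source]))
    for source in last_seen:
        if source not in expected:
            unexpected.append(source)
    return sorted(silent), sorted(never_seen), sorted(unexpected)


if __name__ == "__main__":
    silent, never_seen, unexpected = coverage_report(EXPECTED_SOURCES, LAST_SEEN, NOW)
    for source, gap in silent:
        print(f"BLIND SPOT     {source}: no events for {gap}")
    for source in never_seen:
        print(f"NEVER SEEN     {source}: onboarding incomplete")
    for source in unexpected:
        print(f"UNINVENTORIED  {source}: reconcile inventory and monitoring strategy")
```

Run on a schedule, this is the cheapest detection a team can own: it does not find attackers, it finds the places where the SIEM has stopped being able to find them.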
Collect the Right Data
As part of defining your monitoring strategy, you will identify certain types of data that you and your analysts consider important. Define your SIEM rules and data collection around those outputs, so that input data is prioritized by relevance. Not all data is relevant! SIEMs are often stuffed with enormous volumes of data that is collected for no real reason. Other times they are stuffed with rules that do not apply to the organization, such as rules for products it does not run or for threats to assets it does not have. Pairing the right data with the right rules is the key to an optimized SIEM.
Leverage External Data Sources
Subscribe to threat intelligence feeds that provide indicators of compromise (IoCs) and other data about current threats, and use the experience of others to keep your SIEM rules a step ahead. The feeds are also a useful check on your own tuning: an indicator a feed reports that your SIEM could not have matched points to a missing data source or missing detection logic.
Organize Your Data by Levels of Importance
“What type of data loss would kill our business if we were to suffer a breach?”
Have this conversation with company leadership. Determine which types of data are the most sensitive or vital, then create a hierarchy that assigns a level of importance to each system, workstation, endpoint and technology based on the data it holds. This lets the SIEM rank the corresponding alerts appropriately, and it lets your incident response team know instantly how critical a potential breach is from which systems are affected, which helps contain and remediate it quickly. A 2017 Cisco study found that of every 5,000 alerts, 2,200 were never investigated, and that more than 600 of those were legitimate. Organizing data by level of importance helps ensure that the critical alerts get the attention they deserve.
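An added example that ties the two points above together, external IoC feeds and asset criticality: illustration code written for this page, not the original article's or any vendor's. Normalized events are matched against a feed, and each hit is scored so that the same indicator on a tier-1 asset ranks above the same indicator on a lab machine. The feed uses reserved documentation addresses and the SHA-256 of an empty file rather than real indicators, the asset tiers and log lines are constructed, and the scoring weights are assumptions a team would tune to its own environment.

```python
"""Added example: match normalized SIEM events against an external IoC feed
and rank the resulting alerts by the criticality tier of the asset involved.
Feed, tiers, events and weights are all constructed for this illustration."""

# Constructed IoC feed in the shape a threat-intel subscription delivers.
# The IPs are from reserved TEST-NET ranges, the domain is a reserved example
# name, and the hash is SHA-256 of an empty file: none are real indicators.
IOC_FEED = {
    "ip": {"198.51.100.23", "203.0.113.77"},
    "domain": {"update-check.example.net"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed asset hierarchy from the leadership conversation:
# tier 1 holds the data whose loss would kill the business, tier 3 is expendable.
ASSET_TIER = {"hr-db-01": 1, "dc01": 1, "web-prod-01": 2, "lab-jumpbox-07": 3}
DEFAULT_TIER = 3  # unknown asset: treat as least critical, but still alert

# Assumed weights (tune per organization): a known-bad file executing outranks
# a network contact, and the asset's tier raises the score further.
IOC_WEIGHT = {"sha256": 3, "ip": 2, "domain": 2}
TIER_BONUS = {1: 3, 2: 1, 3: 0}

# Constructed key=value events, as a SIEM would normalize them. Note the
# mixed-case domain with a trailing dot and the upper-case hash: real feeds
# silently fail to match when these are not normalized.
EVENTS = [
    "ts=2024-05-01T12:00:01Z src=hr-db-01 type=netflow dst_ip=198.51.100.23 dport=443",
    "ts=2024-05-01T12:00:04Z src=lab-jumpbox-07 type=dns query=Update-Check.example.net.",
    "ts=2024-05-01T12:00:09Z src=web-prod-01 type=netflow dst_ip=192.0.2.10 dport=53",
    "ts=2024-05-01T12:00:12Z src=dc01 type=process "
    "sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
]


def parse_event(line):
    """Split 'k=v k=v ...' into a dict; values contain no spaces here."""
    return dict(field.split("=", 1) for field in line.split())


def match_iocs(event):
    """Return (ioc_type, value) pairs from the feed that this event hits,
    normalizing domains and hashes (case, trailing dot) before lookup."""
    hits = []
    if event.get("dst_ip") in IOC_FEED["ip"]:
        hits.append(("ip", event["dst_ip"]))
    domain = event.get("query", "").lower().rstrip(".")
    if domain in IOC_FEED["domain"]:
        hits.append(("domain", domain))
    digest = event.get("sha256", "").lower()
    if digest in IOC_FEED["sha256"]:
        hits.append(("sha256", digest))
    return hits


def score(tier, ioc_type):
    """Combine indicator weight and asset tier into a score and a label."""
    total = IOC_WEIGHT[ioc_type] + TIER_BONUS[tier]
    label = "critical" if total >= 5 else "high" if total >= 3 else "medium"
    return total, label


def triage(lines):
    """Run every event through IoC matching and return alerts with the most
    critical first, so tier-1 hits land at the top of the analyst queue."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        tier = ASSET_TIER.get(event.get("src"), DEFAULT_TIER)
        for ioc_type, value in match_iocs(event):
            total, label = score(tier, ioc_type)
            alerts.append({"src": event["src"], "tier": tier, "ioc": ioc_type,
                           "value": value, "score": total, "severity": label})
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for a in triage(EVENTS):
        print(f"{a['severity']:8} score={a['score']} tier={a['tier']} "
              f"{a['src']} matched {a['ioc']} {a['value']}")
```

The ordering is the point: the DNS lookup from the lab jump box and the outbound connection from the HR database match indicators of the same weight, but the tier bonus pushes the database to the top of the queue, which is exactly the outcome the leadership conversation is meant to produce.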
Go Beyond Detection
SIEM is an effective tool for detecting and analyzing attacks, but it can do much more. Used for threat hunting, the right security team can identify potential attack paths before they are exploited, or catch a subtle attack in its early stages, improving both the speed and the accuracy of response.
Despite the benefits, a 2019 survey of cybersecurity professionals found that 70% of respondents felt not enough time was devoted to threat hunting. Regular threat hunting exercises keep teams sharp and surface weaknesses before they become real incidents.
SIEM is a powerful tool when it is well managed. Properly configured, it gives organizations dashboards with actionable insight and the data they need in critical moments. Technology has never been more agile, and those who depend on it for their business must be equally nimble.