When it comes to SIEM, the first thing that comes to mind is raw data by the tonne, all of which needs to be correlated for analysis. Implementing it requires a strategy and some forethought. Let's go through it briefly in this write-up.
Security Information and Event Management (SIEM) systems combine two critical infosec abilities – information management and event management – to identify outliers and respond with appropriate measures. While information management deals with the collection of security data from across silos in the enterprise (firewalls, antivirus tools, intrusion detection, etc.), event management focuses on incidents that can pose a threat to the system – from benign human errors to malicious code trying to break in.
But given the magnitude and complexity of the tasks performed by an SIEM solution, integrating it into the existing information security architecture of an enterprise can be daunting, especially when it comes to a large enterprise with multiple, disparate centers spread across the globe.
Common SIEM integration mistakes
Cybersecurity is a highly dynamic space and a solution that is effective today may no longer be viable tomorrow. This is exactly where SIEM integration pitfalls stem from. Deployments failing and solutions not meeting goals, in the long run, is a commonly observed problem. And when it comes to a large enterprise with a global presence, the complexity only compounds further! Here’s a look at some common mistakes that organizations commit while implementing a SIEM solution, which can later snowball into major threats.
1. Under-planned implementation
Despite a widespread awareness that SIEM solutions can be complex in nature, many organizations go about integrating one without initially defining their goals and requirements. Chances of successfully implementing a SIEM solution without proper planning are slim. Evaluating the solution at a later stage or on an ad-hoc basis only piles up the expenses that could easily have been avoided.
Moreover, out-of-the-box SIEM solutions are more generic in nature and cannot cater to the specific cybersecurity challenges of any organization. This is another reason why prior planning comes in handy so that there is enough scope for customizations and third-party integrations before implementation.
2. Implementing without a predefined scope
Implementing an SIEM solution without defining the scope is akin to building a house without a foundation. And in the case of a large multinational enterprise, implementing SIEM solutions without proper scoping is no less than causing mass destruction. The scope provides the basis for everything that follows – planning, deployment, implementation, and maturing the SIEM solution with related capabilities. It will determine the choice of solution, the architectural requirements, the necessary staffing, and the processes and procedures.
3. Rooting for the one-solution-fits-all approach
Given the large, almost comprehensive nature of a SIEM tool, it may seem tempting to try and do everything with it at once. While SIEM solutions are capable of collecting, processing and managing large amounts of data, that doesn’t mean it’s a good practice to over-stuff the solution with too many capabilities at once.
Organizations with a global presence are bound to deal with myriad and diverse use cases, each use case being distinct and requiring a different approach. Hence, SIEM use cases should be approached in staged cycles that make way for continual improvement, rather than with a one-solution-fits-all approach.
4. Monitoring noise
Another common mistake is approaching the SIEM solution as a log management tool, setting it to capture and store all logs from all devices and applications without discrimination, under the impression that this will give a more comprehensive and clearer view. However, instead of reducing the noise, such an exercise actually amplifies it.
What’s more, one can only imagine the chaos it will cause in the case of a large enterprise with a global presence. Pouring in more hay is pointless when your purpose is to find a needle in the haystack.
SIEM implementation best practices
The mistakes can be easily avoided by following a set of best practices for implementation. Every organization’s implementation will be different, but here are some steps that a CISO can consider and are crucial to the effective performance of an SIEM solution post-deployment.
1. Define the project and scope
The first step to SIEM implementation is planning the scope of the project and its timeline. This entails outlining the scope of the project, including the necessary informational, budgetary, and physical resources. Plus, companies must define their goals and identify all necessary resources in this stage. As a starting point, the CISO must consider setting up basic rules, identifying necessary compliance and policy requirements, and structuring the post-implementation SIEM management.
It is to be noted that SIEM solutions need to be connected to almost everything across the network infrastructure to achieve optimal performance. Therefore, defining log sources is recommended. Here are some basic components that can be included while scoping:
Security control logs:
- Intrusion detection and prevention systems (IDPS)
- Endpoint protection software
- Data loss prevention (DLP) software
- Threat intelligence software
- Web filters
Network infrastructure logs:
- Internal applications
Other data points:
- Network architecture
- Network policy configurations
- IT assets
2. Research products
Product research is something that will be unique to each business. However, on a broad level, there are three main informational resources that the CISO can consider before zeroing in on an SIEM.
3. Use case assessment
3. Implementation planning
The next step is to outline a number of implementation procedures to ensure a smooth and effective transition. Here are a few components that CISOs should include in their plan:
In addition to the aforementioned steps, it is a good idea to outline any other long-term management processes specific to the organization, such as training the staff to manage and monitor an SIEM system.
4. Deployment and review
As soon as the solution is deployed, it is necessary to take a few immediate actions to ensure smooth functioning going forward:
- Ensure data is being collected and encrypted properly
- Ensure all activities, logs and events are stored correctly
- Test the system to visualize connected devices and confirm that they correspond to those planned
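One way to run these post-deployment checks against the log sources defined during scoping, as an added example that is not part of the original article. The source names, the transport field and the 24-hour silence threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed scope: planned log source -> category from the scoping step.
PLANNED_SOURCES = {
    "idps-01": "security control",
    "edr-fleet": "security control",
    "dlp-gw": "security control",
    "web-filter": "security control",
    "hr-app": "internal application",
}

# Constructed sample of what the SIEM received: (timestamp, source, transport).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
RECEIVED = [
    (NOW - timedelta(minutes=5), "idps-01", "tls"),
    (NOW - timedelta(minutes=2), "edr-fleet", "tls"),
    (NOW - timedelta(hours=30), "dlp-gw", "tls"),       # last event is stale
    (NOW - timedelta(minutes=1), "web-filter", "udp"),  # plaintext transport
    (NOW - timedelta(minutes=1), "printer-7", "udp"),   # never scoped
]


def review_deployment(planned, received, now, max_silence=timedelta(hours=24)):
    """Compare what the SIEM actually receives with the planned scope."""
    last_seen, transports = {}, {}
    for ts, source, transport in received:
        last_seen[source] = max(ts, last_seen.get(source, ts))
        transports.setdefault(source, set()).add(transport)
    return {
        # Planned sources that never reported: collection is not working.
        "missing": sorted(s for s in planned if s not in last_seen),
        # Planned sources that reported once but have since gone quiet.
        "silent": sorted(s for s in planned
                         if s in last_seen and now - last_seen[s] > max_silence),
        # Planned sources sending over anything other than TLS.
        "unencrypted": sorted(s for s in planned
                              if transports.get(s, set()) - {"tls"}),
        # Sources outside the scope: candidates for noise, or a scoping gap.
        "unplanned": sorted(s for s in last_seen if s not in planned),
    }


if __name__ == "__main__":
    for finding, sources in review_deployment(PLANNED_SOURCES, RECEIVED, NOW).items():
        print(f"{finding}: {sources}")
```

Each unplanned source should end in a decision: add it to the scope, or stop ingesting it so that it does not add noise.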
Ensuring seamless functioning of the SIEM solution
Successfully implementing an SIEM solution is just the beginning. Teams should continue testing and updating the solution against the latest attacks. Timely upgrades and customizations are inevitable as the threat landscape and policies keep evolving – it is the only way to keep the number of false positives in check, while also ensuring end-to-end information security to the maximum extent possible.