Advancing an Organization’s SIEM: From Acquisition to Deployment
One of the most valuable tools security professionals use is Security Information and Event Management (SIEM), which combines security event management with security information management to provide real-time monitoring, analysis, tracking, and logging of security data. SIEM systems help guard against modern-day cybersecurity threats by collecting and analyzing logs and incident data, and they support overall security compliance. Many organizations, however, lack an effective SIEM deployment strategy that allows them to maximize the benefits of SIEM. Given the number of available use cases as well as the volume and complexity of SIEM operating variables, organizations without such a strategy are likely to remain vulnerable and generally unsatisfied with their SIEM deployments. While it’s tempting to compensate for this by building out a SIEM strategy that attempts to accomplish multiple security use cases at once, the unfortunate reality is that IT teams simply cannot accomplish every organizational goal—even when their SIEM is being maximized. Typically, it is more effective to take a targeted approach, selecting the use cases that provide the best tactical advantages over one’s adversaries, and thereby a more strategic approach to achieving the overall security mission of an organization.
According to Gartner, SIEM is “a technology that supports threat detection and security incident response through the real-time collection and historical analysis of security events from a wide variety of event and contextual data sources.” SIEM products are sold, marketed, and advertised as tools that can do anything and everything to enhance security. The truth is that SIEM is not simply a repository into which data can be sent without a specific purpose in mind. Therein lies the true challenge many face with SIEM—most industry professionals don’t know what to do with their collected data, or how to consume it for security purposes, once it’s in the SIEM. While it’s true that SIEM can ingest large amounts of data, its value depends on a deployment strategy, as with any security platform. Much of the complexity of an appropriate rollout can be reduced by building a list of the use cases that need to be solved. Based on the use cases selected, the deployment approach can be determined and a roadmap for adoption and data ingestion can be built. For example, if a use case is “alerting on multiple failed login attempts,” data would need to be ingested from Windows Event Logs.
Identifying SIEM strategies
Frequently, defining use cases is an area of confusion for those who have acquired a SIEM tool and are seeking the most appropriate way to initiate deployment. Specificity is an important component in establishing SIEM use cases that will address an organization’s most pressing security needs. Does the organization want to monitor user behaviors? Does it want to conduct surveillance for insider threats? Is the organization planning to conduct threat hunting by studying external attacks and then using that data to determine whether indicators of those threats are present within its own environment? Once use cases are defined, the data sources whose logs must be ingested to support them can be identified. For example, if the use case is employee online behavior monitoring, a plan will need to be devised for how to ingest login and logout activity. That user-activity data must be captured and logged centrally into the SIEM monitoring tool. If the use case is based on threat intelligence, it will be necessary to ingest data from firewalls, network devices, and other threat-intelligence feeds.
Often, today’s organizations are in a position of trying to recover from failed deployment attempts. To do so, it’s important to define what is important to the business so that use cases can be prioritized and implemented. Consider the following potential areas of need:
Real-time security monitoring and analysis. To detect and respond to threats in real time, gather data from all user devices, applications, and identities across platforms. Monitor a diverse set of data sources and then build detection rules on that dataset to enable real-time visualization of ongoing threat activity.
Cloud security. Digital initiatives and most modern applications in this “post-pandemic world” are cloud-native. Securing data in the cloud has become an organizational responsibility that is essential to detecting and responding to threats across in-house, hybrid, remote, and multi-cloud environments.
Enhanced incident response capabilities. Incident response workflows can be built and customized around a SIEM tool as the center of security operations. It makes sense to leverage these SIEM capabilities, such as event aggregation, context-based alerting, threat fidelity for triaging, and integration with third-party systems including ticketing, automation systems, and collaboration tools to the fullest extent. These capabilities within any modern SIEM will enhance the security team’s capability to respond to incidents.
Leveraging threat intelligence. When considering indicators of compromise (IOC) data, industry frameworks such as MITRE ATT&CK® can serve as critical support for simplifying the process of detecting abnormal behaviors. With threat intelligence being consumed, the security team will have access to the information necessary to scope the attack by assessing risks and weighing the impact of those risks.
Leveraging forensics and threat hunting. This is a must-have strategy. According to a 2021 report by the International Data Corporation, the growing number of alerts generated by potential or actual cyber threats and breaches has caused a cycle of “alert fatigue” that increases costs for many organizations as staff members become numb to the stream of cybersecurity alerts. This can also lead to longer response times to critical alerts, or to alerts being missed altogether, as well as unnecessary stress and burnout in IT departments. Low-value alerts can be eliminated by correlating events against a kill chain or adversary tactics rather than alerting on each event in isolation. Applying context awareness or risk attribution helps hunt threats, reduces alert volumes, increases the fidelity of alerts, and frees up analyst time while uncovering more sophisticated threats.
Insider threat detection and other advanced threats. While most SIEMs include content for detecting well-known threats, continuous adaptation is needed to manage unknown or advanced threats, such as insider threats, zero-day attacks, laterally moving malware, compromised accounts, and unusually high volumes of application programming interface (API) calls. It is important that SIEM deployments mature over time, evolving and adapting while utilizing machine learning, artificial intelligence, endpoint detection, and behavioral analytics to detect modern threats.
Compliance measures. SIEM tools are designed with the intent of consuming data across the entire security and technology stack. This can serve other teams, including privacy, fraud, and risk management that require different views and processes around the same data to guarantee compliance. An important SIEM strategy should help unify the three pillars of compliance—processes, technology, and people—and provide better visibility across the board.
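The “alerting on multiple failed login attempts” use case named at the start of the article, combined with the one-alert-per-burst correlation and risk attribution described under forensics and threat hunting, as an added example that is not part of the original article. The sample events are constructed to resemble Windows Security log fields (4625 = failed logon, 4624 = successful logon); the threshold, window, and severity labels are assumptions a real deployment would tune.

```python
"""Prototype of a 'multiple failed logons' detection rule with burst correlation."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from a real host), shaped like Windows Security
# log fields: 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T09:00:05", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.7"},
    {"time": "2024-01-15T09:00:09", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.7"},
    {"time": "2024-01-15T09:00:14", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.7"},
    {"time": "2024-01-15T09:00:20", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.7"},
    {"time": "2024-01-15T09:00:27", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.7"},
    {"time": "2024-01-15T09:00:31", "event_id": 4624, "user": "alice", "src_ip": "10.0.0.7"},
    {"time": "2024-01-15T09:05:00", "event_id": 4625, "user": "bob", "src_ip": "10.0.0.9"},
    {"time": "2024-01-15T10:30:00", "event_id": 4625, "user": "bob", "src_ip": "10.0.0.9"},
]

def detect_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (user, src_ip) whose failed logons reach `threshold`
    inside a sliding `window`. Isolated failures (bob) never alert, and a success
    following a burst raises severity, which is the risk-attribution step."""
    recent = defaultdict(deque)   # key -> timestamps of 4625 events still in the window
    alerts = {}                   # key -> alert dict; one alert per burst, not per event
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["user"], ev["src_ip"])
        if ev["event_id"] == 4625:
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:          # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(key, {"user": ev["user"], "src_ip": ev["src_ip"],
                                            "first": q[0].isoformat(), "severity": "medium"})
                a["failures"] = len(q)                 # keep counting inside the same alert
                a["last"] = ts.isoformat()
        elif ev["event_id"] == 4624 and key in alerts:
            alerts[key]["severity"] = "high"           # burst of failures, then a success
            alerts[key]["succeeded_at"] = ts.isoformat()
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_failed_logon_bursts(SAMPLE_EVENTS):
        print(alert)
```

Eight raw events collapse into a single alert here, which is the alert-volume reduction the article describes; the same rule with `threshold=1` would illustrate the alert-fatigue failure mode.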
SIEM challenges and misconceptions
Some SIEM challenges are real and some are perceived. Real challenges include a lack of budget to acquire SIEM, a lack of staff to manage SIEM, and a lack of processes and/or an established framework to address deployment and network complexity. Perceived challenges include two polar-opposite fallacies: that SIEM is “just another way of conducting log management,” and that SIEM “can solve every security challenge.” It’s true that log management is a central function of SIEM, but it is just one feature. If the organization’s only requirement is to store, aggregate, and manage log data, then the cost to acquire a SIEM is difficult to justify. That said, the notion that SIEM is “too expensive” or “too complex” is also unfounded. Much of the complexity that challenges organizations can be reduced by refining use cases as a means of developing a roadmap for adoption and data ingestion.
The growing importance of SIEM
At its core, SIEM represents a cycle of continuous improvement for an organization. Security operations centers should invest in SIEM software to streamline visibility across their organization’s environments, investigate log data when responding to cyberattacks and data breaches, and adhere to local and federal compliance mandates. Examples of effective frameworks that can be adopted to assist in the deployment and maintenance of SIEM include those devised by the National Institute of Standards and Technology, the Center for Internet Security, MITRE ATT&CK®, and Lockheed Martin. Data sources to consider when building a security monitoring program include endpoint security, application security, and cloud security. Whether investing in SIEM for the first time or attempting to recover from a failed SIEM deployment, organizations can begin the SIEM process by building use cases in the business context and developing a data onboarding system. From there, they can generate effective security strategies.
About the Writer
Jayant Kripalani is a cybersecurity professional with 20 years’ experience working for global security companies such as Splunk, Cisco, Rapid7, and Wipro. He holds a bachelor’s degree in Computer Engineering in addition to multiple industry certifications. He has worked extensively with SOC teams and currently specializes in cybersecurity strategy and consulting. For further information, contact: firstname.lastname@example.org.
Disclaimer: The author is completely responsible for the content of this article. The opinions expressed are their own and do not represent IEEE’s position nor that of the Computer Society nor its Leadership.