Kim Maibaum | Sr. Product Marketing Manager | Proficio
In the early 2000s, when Security Information and Event Monitoring systems (SIEMs) came onto the market, they were often expensive and complex to manage. But many organizations were required to collect, analyze and store security logs to meet compliance requirements, and a SIEM was the perfect tool for the job. Today most IT organizations expect much more from their SIEM than meeting compliance requirements. Modern SIEMs must detect advanced threats and provide automated response and containment functions.
For all but very large organizations, the most practical approach to security monitoring was to partner with a Managed Security Service Provider (MSSP). MSSPs were responsible for monitoring and investigating security events and managing SIEM systems. Some MSSPs extended this role by developing their own SIEM.
As technology has evolved and cybersecurity has become increasingly complex, many users found that older SIEMs are not only complicated to properly run and maintain, but also haven’t evolved enough to stay ahead of today’s cyberthreat landscape. Older SIEMs struggle to ingest all data types and have slow or difficult search capability, poor user interfaces and lack scalability. And as these platforms age, there is often less support available from the vendor or the MSSP, leading to frustration and lengthy problem resolutions.
If you’re leading your organization’s transition away from its legacy SIEM, where do you start? The first step in selecting a SIEM is determining your objectives and needs. Questions you should ask include:
• What’s my budget for the solution?
• What is my risk profile?
• What are my critical digital assets that must be protected?
• What is my timeline for implementation?
• Do you want to host the system on-prem or in the cloud?
• How much data will be ingested?
• Which data sources are being sent?
• Are there any critical use cases that I need to move over?
• Will I build my own security content, or do I want a pre-packaged solution?
• What response and containment functions must be automated?
• What role should AI and Machine Learning play in detecting and responding to threats?
• Can I scale my environment and team over time?
• What are my business continuity goals?
Once you gather the requirements for your new solution, you will have a better idea which solutions to focus on in your search. Today many organizations select Splunk as their SIEM. Splunk is a Leader in the Gartner SIEM Magic Quadrant and highly regarded for its search ability and powerful data analytics. Splunk’s unique approach to data ingestion and robust library of apps allows you to send a wide range of log sources directly to their system and define use cases for your data.
Splunk software can be installed in your organization’s IT infrastructure or hosted in the cloud. Splunk offers a managed cloud-based service and some MSSPs also offer to host Splunk in their own cloud infrastructure. The decision to deploy your Splunk SIEM on-premise or in the cloud rests on trade-offs between control, scalability, and access to in-house expertise. Some MSSPs have built their use cases and content as an extension to Splunk Enterprise while others fully support Splunk ES. Further, Splunk offers Phantom for Security Orchestration and Automation and User Behavioral Analytics that can also be part of your technology solution.
Once you’ve determined what Splunk deployment you need, you have to decide how you will manage the platform. While your choice of platform and deployment architecture will guide your decision, many organizations find it’s best to partner with a team of Splunk experts for the implementation, as well as the security monitoring.
There are many things to consider when selecting a service provider to partner with. MSSPs come in all shapes and sizes. Some focus on offering a fully managed solution, while others offer a co-managed or hybrid approach. Some MSSPs differentiate themselves on their ability to customize their services while others offer a pre-set package of solutions.
Do you have the in-house expertise, or will you need a partner who can help you with the process, from migration to on-going monitoring and even management?
Managed Detection and Response (MDR) providers deliver 24×7 threat monitoring, detection and response services to their clients. Partnering with the right MDR provider gives you the benefits of a 24×7 Security Operations Center (SOC), plus extends your team with access to a wide range of Splunk experts. These experts are available from start to finish, giving you a well-thought out installation design, as well as creating strong use cases with actionable alerts, specific to your log sources, and expert back-end management.
See Proficio’s MSSP Checklist for our suggestions on what to look for in an MSSP.
Now that you’ve selected your solution and a partner who can help you deploy it, it’s time to plan for the transition over into a new system. Before you remove your legacy SIEM, you’ll want to ensure you have properly phased out your current SIEM and MSSP, if you have one.
Ideally, when you entered into an agreement with your legacy MSSP, you defined a process to transition to another partner or to in-house approach. This includes how and when to give notice of termination, ownership of information pertaining to your operations and policies, and access to historical security logs. Professional MSSPs understand that business relationships may not last forever and should work with you through the transition.
The best way to migrate over is to plan ahead and leave at least 30-60 days of overlap to properly implement and setup Splunk. This also allows you time to verify that your data ingestion is aligned in both systems, ensuring you’re not missing any critical data. A well thought implementation ensures you get the most of your investment from the start.
If your organization has data retention requirements to adhere to, you should keep that in mind when you plan for the transition. Plan ahead to ensure that your archive data will not be lost when you offline your legacy SIEM and determine the process for recovery if access is needed later. For hot, searchable data, build your implementation overlap to keep this data on both SIEMs for this period so that you can easily access it.
You’ve spent a long time setting up your legacy SIEM to be exactly the system you want. This includes everything from data ingestion to creating security use cases, dashboards and reports. Use this transition as a chance to audit everything you’ve set up and created, to find what you want to move in to Splunk and what’s most important. Give yourself ample time to transition to ensure all of the high value data is coming through.
Data and Use Cases
It’s important that you not only send the appropriate data sources to Splunk, but also have strong use cases in place to ensure you’re capturing the right incidents and not missing critical alerts. When looking at your data, consider what sources are overactive, or always quiet. Are these still relevant? Do they need to be tuned better?
For use cases, look at what’s catching important incidents or hasn’t alerted in a year. If you begin by looking at the data you’ve ingested, and content you’ve built and how it’s working, you can determine where to start and what you should rebuild in your new system.
Your service provider should offer insight into what data is most essential to keep your organization safe. Look at what use cases or log sources are most critical and start with those high value assets first. They should also be able to assist you in controlling your data ingestion, so that you are only paying for the data you need.
If your legacy SIEM is still running when you deploy Splunk, you should look for consistency between the two platforms. This will help you gauge whether your use cases are properly tuned and accurately sending you alerts for security incidents.
Outline your Policies
If you’re currently using an MSSP or service provider, this is the time to review all the runbook and escalation procedures you’ve put in place. This should be the base for your new service provider, so that you can get off on the right foot and be setup for a successful relationship. Good service providers should help you define business context modeling, so they know what your critical assets are and provide you with a dedicated team for your account.
Once everything is configured, it’s time to start the testing phase. If possible, give yourself a few weeks to compare your Splunk setup to the legacy SIEM. Make sure that all the data is coming in properly and your use cases are firing as expected. Once you’ve fine-tuned your environment and are happy with your setup, you can officially retire your legacy SIEM.
Proficio’s team of Splunk experts can help you with your migration and continue with management of your environment once deployed. Contact us to learn more about how we can help you upgrade your cybersecurity with Splunk.