Today, many enterprises use security information and event management (SIEM) software to help detect suspicious activity on their networks. However, to be effective, organizations need to surround a SIEM with security experts, advanced use cases, threat intelligence, and proven processes to investigate and respond to threats.
Misperceptions: Why not set and forget?
Since a SIEM collects millions of security events per day, the most common misperception is that it’s going to immediately identify indicators of attack and compromise and provide meaningful insights out of the box. Many think, “Hey, that’s why I bought it!” However, a SIEM is only a tool kit. Unfortunately, a SIEM comes with only baseline content built into it; it’s not a fully operational cybersecurity solution, even if a vendor installed it for you.
IT security teams need to continually build processes, correlation rules and use cases to truly benefit from its capabilities. In short, a SIEM is not static – it’s a living, breathing environment that needs constant maintenance and operationalization.
Help, we are drowning in false positives!
Are you experiencing an unmanageable number of high-priority alerts (also called notables)? That can be an indication that your IT security team doesn’t have effective use cases in place for suppressing false alerts or finding more advanced attack scenarios. The result is a SIEM that delivers low-value information, which is difficult to sift through and obscures visibility into the high-priority, relevant events.
If an enterprise doesn’t have an operational workflow or a documented escalation runbook, security analysts won’t have a playbook to validate alerts, integrate with other threat sources to confirm whether the event needs to be addressed, and then determine what to do about it. If companies don’t have a clear remediation process, they are not ready to respond effectively, and in the worst case they are just stumbling around inside the tool as if they were trying to find the light switch in a dark room. Everything from escalation to containment to incident response should be documented and tested. Otherwise, analysts are missing the operations side of the SIEM environment.
Find your road map: Making sense of the data
While a SIEM can collect and aggregate a wide range of information, it needs to know what to look for in order to be successful. Like any computer-based problem-solving, you must tell the computer what logic to follow in order to get the desired data. Ask yourself: What data do I need to analyze to identify potential threats? Then program the logic into the tool so that the data filters will identify those key outliers; this is what is known as a use case. In the SIEM world, creating use cases is critical to the success of any SIEM implementation. Enterprises must know what they’re looking for, and what data is being entered into the system, to gauge the validity of what’s going to come out of it.
A SIEM will traditionally look for known indicators of suspicious behavior. Depending on the use case and its correlations with other variables, an alert may still require human oversight and validation to confirm it is legitimate. For example, an employee who normally works in the US may access a database from China. While this may look suspicious, it may be legitimate. In a security operations center (SOC), analysts also look for indicators of bad activity that are not based on a structured use case. Hunting for unknown bad indicators is an important activity for detecting advanced persistent threats (APTs). Advanced analytics help a SIEM look for unknown indicators based on previous suspicious activity, outliers, and risk.
To build effective use cases, IT security teams need to prioritize different security events, define critical assets, and consider their business context. From there, they’ll need to continuously evolve those use cases as hackers use new forms of attacks. This is a constant process. Use cases that are in place now probably won’t work in six months to a year because of how fast the threat landscape changes. Typically, a security team will need to maintain a minimum of 50 use cases to model a SIEM to the business environment.
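To make the “US employee accessing a database from China” use case concrete, and to show the false-positive suppression the earlier section asks for, here is a small worked example. It is added here and is not code from the article or from any SIEM vendor: the key=value log format, the user names, IP addresses, countries and the approved-travel list are all constructed for illustration, and a real SIEM would express the same logic in its own rule language.

```python
"""Added example, not code from the article: a minimal SIEM-style use case
that flags activity from a country other than a user's usual one and
suppresses documented exceptions so analysts see fewer false positives.
Every log line, user name, IP address and country below is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed authentication/access events in an assumed key=value format
# (not any particular vendor's). A country field is already attached, as a
# SIEM's geo-IP enrichment step would do before the rule runs.
SAMPLE_LOGS = """\
ts=2024-05-01T08:02:11Z user=alice action=login result=success src_ip=203.0.113.10 country=US
ts=2024-05-01T09:15:40Z user=alice action=login result=success src_ip=203.0.113.10 country=US
ts=2024-05-02T02:47:03Z user=alice action=db_query result=success src_ip=198.51.100.7 country=CN
ts=2024-05-01T10:00:00Z user=bob action=login result=success src_ip=203.0.113.22 country=US
ts=2024-05-02T10:05:00Z user=bob action=login result=success src_ip=203.0.113.22 country=US
ts=2024-05-03T11:30:00Z user=bob action=login result=success src_ip=192.0.2.33 country=DE
ts=2024-05-03T11:31:00Z user=carol action=login result=failure src_ip=192.0.2.45 country=BR
"""

# Constructed suppression list (hypothetical helpdesk-approved travel). This is
# the tuning that keeps a known-legitimate exception out of the notable queue.
APPROVED_TRAVEL = {("bob", "DE")}


@dataclass(frozen=True)
class Notable:
    user: str
    country: str
    home_country: str
    action: str
    src_ip: str
    ts: str
    severity: str


def parse_line(line):
    """Turn one key=value log line into a dict of fields."""
    return dict(field.split("=", 1) for field in line.split())


def build_baseline(events):
    """Per-user home country: the most frequent country across successful logins."""
    seen = defaultdict(Counter)
    for e in events:
        if e["action"] == "login" and e["result"] == "success":
            seen[e["user"]][e["country"]] += 1
    return {user: c.most_common(1)[0][0] for user, c in seen.items()}


def run_use_case(log_text, approved=APPROVED_TRAVEL):
    """Correlate each event against the user's baseline and return notables.

    An out-of-baseline event is rated 'high' when it touches data (db_query)
    and 'medium' when it is only a login; approved exceptions are dropped."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    baseline = build_baseline(events)
    notables = []
    for e in events:
        home = baseline.get(e["user"])
        if home is None or e["country"] == home:
            continue  # no baseline yet, or consistent with the baseline
        if (e["user"], e["country"]) in approved:
            continue  # suppressed: documented, legitimate exception
        severity = "high" if e["action"] == "db_query" else "medium"
        notables.append(Notable(e["user"], e["country"], home, e["action"],
                                e["src_ip"], e["ts"], severity))
    return notables


if __name__ == "__main__":
    for n in run_use_case(SAMPLE_LOGS):
        print(f"[{n.severity}] {n.ts} {n.user} {n.action} from {n.country} "
              f"(home {n.home_country}, src {n.src_ip})")
```

Run as-is, the rule produces a single high-severity notable for alice’s database query from CN; bob’s login from DE is out of baseline too, but the approved-travel entry suppresses it. Removing that entry (`run_use_case(SAMPLE_LOGS, approved=set())`) shows the untuned behaviour: two notables, one of which is the kind of false positive that floods a queue. Carol never appears because she has no successful-login baseline, which is itself a reminder that the rule is only as good as the data fed into it.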
Using data to maintain compliance and pass audits
Beyond identifying potential threats or vulnerabilities, a SIEM can be used to manage future audits and meet compliance more easily. If companies fail an audit, they need to figure out where there are gaps in their security policies and processes, and what is specifically required to meet the audit. Companies need to also understand how to be efficient while maintaining compliance.
All compliance regulations and frameworks require enterprises to centrally collect logs, actively monitor those logs, and actively respond to indicators of attack, compromise, and policy violations. This is where a SIEM comes in. Often, companies fail to model their assets, which means they lose the context of whether there is critical data on a server or what behavior is appropriate for a device. For example, a hospital should closely monitor assets that store patient data and would not expect medical devices to communicate with random IP addresses outside their network.
Enterprises should instead evaluate which regulations they must adhere to, and identify the assets, devices, applications, and users that require a compliance review. To identify vulnerabilities and policy violations, enterprises need to identify the assets they’re monitoring. Without doing so, it’s extremely difficult to create controls around them to identify whether there’s been an attack targeted at a specific asset.
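The hospital example above turns on asset context: the same outbound connection is routine from a reception workstation and a serious notable from an infusion pump or a patient-data server. The following worked example, added here and not taken from the article or any product, shows how an asset model supplies that context to a flow-monitoring rule. The inventory, network ranges, host names and flow records are constructed; the role names and the severity scoring are assumptions for illustration.

```python
"""Added example, not code from the article: an asset model that gives a
SIEM rule the context to decide whether observed network behaviour is
appropriate for the device involved. Inventory, address ranges, host names
and flow records are all constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed internal address space; anything outside it is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Asset:
    hostname: str
    role: str                      # assumed labels: medical_device, ehr_server, workstation
    criticality: int               # 1 (low) .. 5 (critical)
    data_classes: frozenset = frozenset()   # e.g. {"patient_data"}
    external_egress_allowed: bool = True


# Constructed asset inventory; in practice this comes from a CMDB or discovery.
ASSETS = {a.hostname: a for a in [
    Asset("infusion-pump-07", "medical_device", 4, frozenset(), False),
    Asset("ehr-db-01", "ehr_server", 5, frozenset({"patient_data"}), False),
    Asset("ws-reception-3", "workstation", 2),
]}

# Constructed flow records: (src_host, dst_ip, dst_port, bytes_out).
SAMPLE_FLOWS = [
    ("infusion-pump-07", "10.20.30.5", 443, 1200),     # to an internal monitoring server
    ("infusion-pump-07", "203.0.113.77", 443, 9800),   # unexpected external egress
    ("ehr-db-01", "198.51.100.9", 22, 5_000_000),      # external SSH from a patient-data server
    ("ws-reception-3", "203.0.113.80", 443, 3000),     # workstation browsing: permitted
    ("printer-lobby", "203.0.113.81", 9100, 400),      # host absent from the asset model
]


def is_internal(ip):
    """True when the address falls inside the constructed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate_flows(flows, assets=ASSETS):
    """Return (notables, unmodelled_hosts).

    A notable is raised only when an asset that should not reach the internet
    does so. Severity is derived from the asset's criticality, bumped when
    regulated data lives on it. Hosts missing from the model are reported
    separately: without context the rule cannot judge them at all."""
    notables, unmodelled = [], set()
    for src, dst, port, bytes_out in flows:
        asset = assets.get(src)
        if asset is None:
            unmodelled.add(src)  # coverage gap in the asset model
            continue
        if is_internal(dst) or asset.external_egress_allowed:
            continue             # behaviour consistent with the asset's profile
        score = asset.criticality + (2 if "patient_data" in asset.data_classes else 0)
        severity = "critical" if score >= 6 else "high" if score >= 4 else "medium"
        notables.append({"host": src, "dst": dst, "port": port,
                         "bytes_out": bytes_out, "severity": severity,
                         "reason": f"{asset.role} with external egress disallowed"})
    return notables, sorted(unmodelled)


if __name__ == "__main__":
    found, gaps = evaluate_flows(SAMPLE_FLOWS)
    for n in found:
        print(f"[{n['severity']}] {n['host']} -> {n['dst']}:{n['port']} ({n['reason']})")
    print("hosts missing from the asset model:", gaps)
```

With the constructed input, the pump’s connection to the internal monitoring server is ignored, its connection to an external address becomes a high notable, and the patient-data server’s outbound SSH session is rated critical because the asset model says both that egress is disallowed and that regulated data is stored there. The reception workstation triggers nothing, and the lobby printer is listed as unmodelled rather than silently ignored, which is the gap the section warns about: an unmodelled asset can neither be monitored appropriately nor defended during an audit.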
It’s not just the SIEM, it’s the process
It’s not just about managing the SIEM; it’s about managing processes and use cases, threat discovery, and response. IT security teams that continually build and maintain use cases and apply correlation rules appropriate to their business environment will start to receive more valuable insights from their SIEM and maximize their investment in the tool. Similarly, those organizations that nail down the operational workflow are much better prepared to manage the lifecycle of an event from discovery to response, no matter what SIEM software the enterprise has purchased.