Anyone who has ever had to implement a Security Information and Event Management (SIEM) solution can attest that it takes concerted effort to get the best value from the solution. SIEMs are pretty complex products, as they are designed to take log and event data from various devices, apply rules to correlate the information in real-time, and then alert security professionals when significant events are discovered.
As both a managed security service provider and a consulting firm, Vigilant Inc. has experience in translating business goals and objectives into customized SIEM solutions for customers. The company has worked with hundreds of customers and numerous SIEM products over the years. Vigilant's Chief Technology Officer Joe Magee shares four tips for getting the most out of your SIEM:
* Focus on output, not input. One of the most common mistakes organizations make when implementing SIEM is making a list of all of the possible data sources in their environment and then creating a plan to integrate those sources into a SIEM. They assume that once the data is there, they will be able to create rich content (rules, reports, etc.) and "discover" things happening in their environment. In actuality, this creates a system that is processing a significant number of logs whose data may have little to no value to the organization from an analytics and/or alerting perspective.
What works better is taking an output-driven approach that defines the information you want to receive from the SIEM before integrating log data into the SIEM environment -- the theory being that if you know in advance what reports or alerts you want from you can integrate (and filter) only the data you need going into it. This approach allows for a much more manageable set of data for an analyst to review and also promotes a higher performing SIEM infrastructure, since the SIEM correlation engine isn't burning through CPU cycles inspecting data that is not relevant to its processing objectives.
* Don't underestimate referential data. Organizations often overlook the importance of referential data -- the data that is periodically updated, as opposed to flowing real-time event data -- which can be used to provide business context around your real-time data (e.g., is this system listed in my asset list as development or production system?), or help to make logic decisions within the SIEM (e.g., is this traffic listed in my threat intelligence feed as malicious?). Referential data such as asset lists, black lists, vulnerability scan results and threat intelligence data can be extremely helpful in prioritizing events and can save hours of investigatory time by adding a layer of business or environmental context to the event data.
* Conduct a value assessment. After a SIEM has been implemented for a period of time, organizations should periodically assess the value of the data they are collecting. Organizations often integrate firewall accept and deny logs into their SIEM, assuming they will use those logs for correlation rules or reporting. Instead, they usually wind up just sitting in the SIEM, taking up disk space and burning up CPU cycles from the event processing engine.
In this scenario the firewall log data has low value to the SIEM. Instead, we should ask ourselves, "Is the data required for real-time correlation or advanced analytics?" and "Would the data be better off in a lower cost alternative such as a log management repository?" Log management products are typically a fraction of the cost of a full-blown SIEM solution and offer basic reporting and ad hoc analysis of event data. This is an ideal solution to house data that you may be required to review for regulatory purposes or you may want to examine for forensic purposes and, by reducing the amount of "low value" data flowing into your SIEM, you'll be able to increase efficiencies and capture more value from the existing SIEM investment.
* Integrate with business applications. In many organizations, security is seen at as an insurance policy versus a proactive risk management process. As a result, CIOs are often tasked with making security spend decisions based on the recommendations of the CISO/CSOs within the organization -- recommendations that are typically focused on infrastructure improvements and additional security controls instead of securing and monitoring the critical business applications that drive revenue.
To improve both value and security, organizations should apply SIEM technology to these business applications, enabling them to build application-specific dashboards that focus on identifying policy violations, potential misuse of applications and other types of suspicious behavior that could result in a dangerous and expensive breach. In addition to securing data against potential losses, applying SIEM to business applications empowers CISOs to delegate some of the responsibility of the security monitoring to the individuals business unit heads that know their business best, creating a more efficient risk management system.
Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.
About Essential Solutions Corp:
Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.