This column is available in a weekly newsletter called IT Best Practices.
As security events and breaches become ever more common, interest in Security Information and Event Management (SIEM) solutions is growing. Ideally a SIEM will help collect and correlate an array of log and event data to identify and address threats that really matter. That's a pretty tall order, and many companies that implement a SIEM are disappointed they don't achieve the results they hoped for.
Brad Taylor, president and CEO of the managed security service provider Proficio, says his company is often called in to rescue SIEM implementations that haven't achieved success. Having done this for a number of years, Taylor knows just where the projects are most likely to derail.
"A lot of companies that buy a SIEM as an appliance think it will be like a firewall or IDS, where you can just set it and forget it," Taylor says. In reality it's a framework that requires special consideration for managing the software in the framework as well as maintaining the relevance of the content inside it, so the information it provides is actionable. "That's the real challenge, and there are a whole bunch of things that go into that to make it effective."
The top issues that he sees time and again include:
- Lack of actionable alerts
- Lack of relevant content and use cases
- Lack of executive visibility
- Failure to fully operationalize the processes
- Having access to the right people
- Being able to turn detection into prevention
I talked with Taylor about some of those challenges and his recommendations for getting past them in order to get the most value from a SIEM.
"Many companies tend to install the appliance, point their logs and other data sources to it and set up the base content, and go from millions of events per day to one or two thousand events a day," says Taylor. "That's still not a manageable number to investigate. They need to get down to two or three meaningful events they can investigate, and getting from one thousand to two or three is the challenge."
Companies don't get the actionable alerts they need because there is still too much noise from chatty devices like firewalls and IDSs, and there's not enough context around alerts to really trust them. This can lead to security analysts wasting time on less significant events. Taylor stresses the importance of going beyond the base level of content that comes with the SIEM appliance and providing custom use cases that are specific to your business and computing environment.
"We see a lack of relevant content in the SIEMs and use cases," according to Taylor. "A SIEM can look for many things, but you have to tell it what to look for, or you have to give it some conditions so it can start to analyze behaviors. You also have to understand that threats are continuously evolving so you need to continuously adapt your content and your use cases."
A simple use case, he says, might be wanting to know "when I have a person that logs on to his desktop PC in the office and at the same time is logging on to the VPN from a remote location. Because a person can't be two places at one time, I know this is a situation worth digging into. I need to look at two sources of logons, do geolocation analysis of where they are coming from, and send that type of an alert. That's a very simple use case that you might want to set up based on users that travel and use VPNs. There are much more sophisticated use cases that also get built around applications and web portals and basic content for looking for malicious software and malicious activity."
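The concurrent-logon use case Taylor describes, written out as correlation logic over a handful of constructed logon events (an added example, not code from the article or from Proficio; the geolocation table is a stub standing in for a real GeoIP lookup, and the 30-minute window is an assumed tuning value):

```python
"""Detect a user logged on at an office desktop and on the VPN from a remote
location within a short window. Sample events and GEO_TABLE are constructed."""
from datetime import datetime, timedelta
from itertools import product

# Constructed logon feed: (timestamp, user, source, source IP)
SAMPLE_LOGONS = [
    ("2024-03-04 09:02:10", "jsmith",  "desktop", "10.20.5.17"),
    ("2024-03-04 09:11:45", "jsmith",  "vpn",     "203.0.113.44"),
    ("2024-03-04 09:15:00", "agarcia", "desktop", "10.20.5.23"),
    ("2024-03-04 13:40:12", "agarcia", "vpn",     "198.51.100.9"),
    ("2024-03-04 09:30:00", "lchen",   "vpn",     "10.20.7.5"),
    ("2024-03-04 09:31:00", "lchen",   "desktop", "10.20.5.40"),
]

# Stub geolocation: IP prefix -> (location, is_office). A real rule would
# query a GeoIP database and the organisation's office address ranges.
GEO_TABLE = {"10.20.": ("HQ office", True),
             "203.0.113.": ("Lagos", False),
             "198.51.100.": ("Frankfurt", False)}

def geolocate(ip):
    for prefix, info in GEO_TABLE.items():
        if ip.startswith(prefix):
            return info
    return ("unknown", False)

def concurrent_logons(events, window_minutes=30):
    """Return one alert per (office desktop logon, remote VPN logon) pair for
    the same user that fall within window_minutes of each other."""
    by_user = {}
    for ts, user, source, ip in events:
        stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_user.setdefault(user, []).append((stamp, source, ip))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for user, evs in by_user.items():
        desktops = [e for e in evs if e[1] == "desktop" and geolocate(e[2])[1]]
        vpns = [e for e in evs if e[1] == "vpn" and not geolocate(e[2])[1]]
        for d, v in product(desktops, vpns):
            gap = abs(d[0] - v[0])
            if gap <= window:
                alerts.append({"user": user, "desktop_ip": d[2], "vpn_ip": v[2],
                               "vpn_location": geolocate(v[2])[0],
                               "gap_min": gap.seconds // 60})
    return alerts

if __name__ == "__main__":
    for alert in concurrent_logons(SAMPLE_LOGONS):
        print("ALERT concurrent office/VPN logon:", alert)
```

Only jsmith trips the rule: agarcia's two logons are hours apart, and lchen's VPN session originates from an office address, so it is not a remote logon.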
He gives an example of how to put context around an incident. Say you have an IDS detecting activity that is attempting to use a dangerous exploit such as Shellshock. But the traffic is targeting a system that doesn't have that vulnerability, based on vulnerability scan data that you have. It's important to correlate those data points so you don't end up chasing something that just doesn't matter.
Many companies don't take the time to model their internal resources and policies in the SIEM, which would make it more effective at identifying suspicious insider activity as well as threats at the perimeter. "Companies need to model their assets," says Taylor. "They need to say, this is everything in my environment, and here are my zones for Finance and Development, here are my policies of who should be communicating from where to where. That's the business context of the environment. It tells me a lot about what should be normal and then I can create use cases and behaviors so that I can look for those things that are abnormal."
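The two kinds of context described above, vulnerability-scan data for the Shellshock example and a zone model with communication policies for the asset-modeling example, applied to constructed events (an added example, not code from the article or from Proficio; the asset table, zone policy and IDS signature name are all assumed):

```python
"""Enrich SIEM events with an asset model: scan findings decide whether an IDS
exploit alert matters, and zone policy flags traffic that should not exist.
All hosts, findings and events here are constructed."""

# Constructed asset model: host -> zone and open findings from the scanner
ASSETS = {
    "10.1.1.10": {"zone": "DMZ",         "vulns": {"Shellshock"}},
    "10.1.1.11": {"zone": "DMZ",         "vulns": set()},
    "10.2.0.5":  {"zone": "Finance",     "vulns": set()},
    "10.3.0.8":  {"zone": "Development", "vulns": set()},
}

# Constructed business policy: (source zone, destination zone) pairs expected
ALLOWED_FLOWS = {("DMZ", "DMZ"), ("Finance", "Finance"),
                 ("Development", "Development"), ("Development", "DMZ")}

def asset(ip):
    """Look up a host; unknown hosts get an explicit 'unknown' zone."""
    return ASSETS.get(ip, {"zone": "unknown", "vulns": set()})

def triage_ids_alert(signature, dst_ip):
    """Cross an IDS exploit signature with scan data for the targeted host."""
    target = asset(dst_ip)
    if signature in target["vulns"]:
        return "critical"        # exploit attempt against a host known vulnerable
    if target["zone"] == "unknown":
        return "medium"          # unmodeled host: context cannot rule it out
    return "informational"       # scan data says the target is not vulnerable

def flow_violates_policy(src_ip, dst_ip):
    """True when traffic crosses zones the business model says should not talk."""
    pair = (asset(src_ip)["zone"], asset(dst_ip)["zone"])
    return pair not in ALLOWED_FLOWS

# Constructed events: IDS alerts as (signature, target) and flows as (src, dst)
IDS_ALERTS = [("Shellshock", "10.1.1.10"), ("Shellshock", "10.1.1.11")]
FLOWS = [("10.3.0.8", "10.1.1.11"), ("10.3.0.8", "10.2.0.5")]

def run():
    severities = [triage_ids_alert(sig, dst) for sig, dst in IDS_ALERTS]
    violations = [flow_violates_policy(src, dst) for src, dst in FLOWS]
    return severities, violations

if __name__ == "__main__":
    print(run())
```

The same Shellshock signature comes out "critical" against the patched-behind host and "informational" against the clean one, and the Development-to-Finance flow is the only one the zone policy flags.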
He adds, "You can't rely on the base content of the SIEM to answer these questions about context and priorities. All SIEMs have base content that is pretty good but you have to adapt it and model it to your own environment and to today's threats. And you must continuously add to and tune the content."
Taylor says another area where companies fail with their SIEM projects is operationalization, or defining the processes of how things are done. For example, what's the process to send a request from the security operations center to the network operations team to issue a block on a firewall? And how will that request be prioritized? If there's a critical threat in the environment that could lead to a breach, the network team needs to address the block change now and not wait until the regular change management window four days from now. Taylor recommends defining such processes in a shared runbook to avoid ad hoc responses or activities.
One more area where SIEM implementations sometimes struggle is having the right people in place. Taylor says SIEM experts are hard to find and in high demand. Nevertheless, there are some critical roles a company must fill, like having a content author, a SIEM architect for use case modeling, and a SIEM administrator to ensure that data feeds and databases are working properly. If a company can't find enough people to staff a qualified team, some tasks can be outsourced, such as 24x7 coverage for monitoring and responding to alerts.
Taylor says that organizations can attain a lot of value from a SIEM solution, but only if it is continuously customized with the content and policies of the organization it is intended to serve.