November 08, 2018 / by Siddhant Mishra / In log-management /

SIEM is not a buy and forget tool

The Security Information and Event Management (SIEM) space has evolved significantly over the years against the backdrop of a shifting regulatory landscape, attack surfaces moving to applications, and government-sponsored hacking. While the SIEM marketplace continues to innovate, many organisations reduce implementing the solution to a simple tick in the compliance checklist with a bare-minimum security implementation.

How effective is your SIEM solution?

The mere presence of this question is a sign of ‘ineffective and sloppy’ planning. To put it simply, if you don’t know clearly why you implemented your SIEM solution, that alone is enough to send your security objectives into a downward spiral.

SIEMs are going to be the backbone of security monitoring, yet many organizations struggle with effective deployment of the technology.

So, let’s begin and try to understand a few problems which are often overlooked when it comes to effective deployment of a SIEM solution.

Failure to perform detailed planning before buying

It’s important that the concerned stakeholders define their objectives with a clear frame of mind as to why they want to buy a security tool:

“Buy for Compliance, Use for Security” or “Buy for Security, Use for Security”.

Once this “why” is answered, defining a use case to start with is the most logical way forward. Later, simpler use cases can be picked up once the team is in the groove, and this cycle can continue like a release-based deployment.

Where does this planning for security implementation start from? Who has the final say?

It’s either the Chief Information Security Officer (CISO) or the Chief Security Officer (CSO). Many CISOs inherit a broken or yet-to-mature SIEM implementation, and by the time they build an in-depth understanding of the new network and security implementation, it becomes “too much to look into and too little time”. The most popular solution that most CISOs think of is a “rip-and-replace” kind of fix. Is it right or wrong? Well, it all depends upon the strategic objectives.

Objectives, once identified by CISOs or CSOs, need two things - strategic planning and tactical deployment.

Failure to define appropriate goals, requirements and scope before deployment leads to implementation chaos, with security teams not knowing how to evolve or mature their SIEM implementation to its full potential.

Expecting to solve all security problems from day one

Deploying SIEM is a marathon and not a sprint.

SIEM is not a product but a platform (note the word platform) which is used to assist organizations in continual security process improvement. Many security managers fail to understand this concept and end up setting inflated expectations of their SIEM platform and security staff.

SIEM implementation is just a start and NOT a destination.

Many people end up overestimating their SIEM platforms in terms of the use cases they can implement later, only to run into limitations due to technical challenges. Security folks simply assume that throwing all kinds of data at the SIEM at once is a good way to start and hope to clean up later - one of the most common causes of stalled deployments. Most deployments fall into this trap of “collect first, use later”.

Architectural and operational changes should drive use cases and not the other way round.

Insufficient Resources

A SIEM solution does not run on its own; it requires a set of skilled people to derive true value out of it 24/7. Treating a SIEM as a simple install-and-forget tool shows how seriously an organization takes its security initiatives. At a bare minimum, a SIEM requires the following set of duties:

  • Maintain: This involves managing and maintaining the underlying components of the SIEM, ensuring that sufficient computing capacity is in place and that patches and version upgrades happen. Typically, this is an engineering task, and segregation of duties as per a RACI model is optimal.

  • Monitor: This entails real-time event monitoring, with activities like investigation and validation of threats and incidents. A role title fit for this would be a security analyst.

  • Tune: This aspect focuses on the never-ending cycle of optimization and tuning of reports, correlation rules and signatures. It also builds on the two duties mentioned previously. A role title fit for this would be a senior security analyst.

Having a knowledgeable team to manage and maintain a SIEM is VERY important. It’s like -

In a fight, a sword is as good as the person who holds it

The security industry is facing the biggest talent shortage of its time, and this gap is not going to close in a few years. If possible, going for a co-managed SIEM or MSSP model makes sense for resource-crunched teams.

While many organisations are deploying SIEM platforms for the first time, numerous others are revisiting their deployments as technologies evolve and mature. The above discussion is by no means a complete list of pitfalls. In fact, each section could lead to a much broader discussion. A few points have been touched on here because many either don’t think through all the components of a SIEM program or undertake one for the wrong reasons.

There can be more to this list. Your comments are welcome in the section below.
