Why Your SIEM Isn't Adding Value, And Why It May Not Be The Tool's Fault
Co-management applied across the entire security environment


Best Practices Whitepaper. Make Security Possible

Table of Contents
Living Up to the Sales Pitch
The Initial Purchase and Selection Process
Best Practice Recommendation
Use Cases, Content and Correlation
Best Practice Recommendation
Management, Care and Feeding of the SIEM
Best Practice Recommendation
Next Steps or More Information
Make Security Possible Page 2 of 6

Living Up to the Sales Pitch
Security Information and Event Management (SIEM) solutions have been used for more than 15 years in an effort, as the sales pitch goes, to give organizations situational awareness through real-time monitoring of logs from across the organization. Businesses spend millions every year buying, maintaining, operating, and optimizing these solutions, but regardless of the size of the organization they aren't delivering on the sales pitch. Like a lot of technology solutions, most organizations use a very small percentage of their potential capability, resulting in missed expectations at one end of the spectrum and an irrecoverable security event at the other. Let's look at why this happens and then discuss the three things that any organization, regardless of size and scale, can do to ensure they are getting more value out of their SIEM investment.

The Initial Purchase and Selection Process
When looking at why companies don't get all the value they should out of their SIEM purchase, we have to start from the beginning, or at least remind ourselves of the initial reason it was purchased. Most organizations that we come across, both private and public sector, purchase a SIEM for compliance reasons or as a reaction to security news out in the market. Others have a highly skilled senior security team that can spend months, if not years, convincing senior-level executives of the importance of having a well-thought-out and executed security plan balancing people, process, and technology. In both cases, if the plan isn't laid out properly with realistic expectations, from the evaluation and purchase phase through implementation and finally the ongoing operations and maintenance of the technology, it will not be successful. It may sound trite, but "plan your work and work your plan" is all too often ignored when it comes to IT security.
Oftentimes, to meet compliance requirements or in response to a senior executive who wants to know "where we are with security", organizations pay outside/third-party security assessment companies to come in and do a full security review and assessment of their environment. If a reputable company is hired, the end result is a multi-page document showing any and all security concerns and compliance issues. The problem with these assessments is that they highlight all of the "what" and don't assist the client with the "how" of going forward to remediate and fix the issues. It is like telling a child over and over that they are pronouncing a word incorrectly but never telling them the right way to pronounce it. These assessments will usually state that the organization should be monitoring all the logs from all applications, firewalls, etc. From there a reseller is called in and shows the organization as many SIEM technologies as it can until the client buys something, with the sales pitch of "Situational Awareness" and a "Single Pane of Glass" implying that out of the box the SIEM technology will be fully operational and solve all of your compliance woes or security issues. Unfortunately, most resellers aren't service providers and don't have the engineering expertise themselves to install and maintain the solutions they are selling. The client is usually left with one person to inherit the SIEM tool on top of all the other technologies in the building, with limited training, limited time, and no security partner to guide them through the SIEM implementation in their environment. A lot of the time, that person will be unsuccessful in getting any meaningful return on the SIEM tool for the organization, leaving the entire senior management team to doubt the purchase altogether or to blame the manufacturer of the SIEM technology.
The other case is an organization that has an experienced security team that knows what it needs but has to ensure it has the budget and buy-in necessary for a successful SIEM deployment. Such a team relies on its own proof of concept of the tool to make a selection. The selection is made, and the often already overburdened security team is sometimes left with no additional funds to add headcount to effectively run the technology, no time to train, and no budget to bring in expert third-party consulting companies to fit the SIEM technology to the specific use cases, etc. that their organization needs.

Organizations in both cases need a service partner focused on making sure a proper map of process and expectations is laid out for three important phases in the deployment of a SIEM:
1. The initial install,
2. The first 3-6 months of optimization and customization, and
3. The ongoing management and enhancement.
Imagine purchasing Microsoft PowerPoint, installing it, and being angry that it doesn't come preloaded with all of the slide decks that you need across Sales, IT, Human Resources, etc., complete with text and data specific to your organization. It is just a tool; the organization has to take the time to format the slides, etc. in order to achieve what it needs. Does PowerPoint have templates and stock images? Sure, but that is just a baseline. SIEM technology is the same way: regardless of the technology that you purchase, you are going to have to customize it for your organization using internal processes and industry best practices. Without the proper planning and expectations around people and processes up front, the odds of achieving even the minimal capabilities of a SIEM solution are slim to none.

Best Practice Recommendation
If you are buying a SIEM, make sure you get it from a service provider that has extensive experience architecting that specific SIEM technology. If you have an existing SIEM technology that isn't providing the value you want, then it might be a good time to bring in someone to look at re-architecting the solution or to clean things up. First, when selecting a service provider I would recommend that you don't choose one that only knows one type of SIEM technology or only one industry. There are huge advantages in working with all of the major and some less-known SIEM technologies, as it increases the likelihood that the organization is going to benefit from the service provider's experience architecting SIEM solutions across many different industries, both public and private.
Second, make sure all stakeholders are present during the demo, proof of concept, and selection phases to ensure user adoption across all functional areas. The nature of the SIEM means it must work with many things across the network, and if the organization's network team is separate from its security team, then it is important that the network team is a part of the selection process and understands the goals and objectives around purchasing a SIEM. At the end of the day you'll need buy-in from all system owners to ensure a successful deployment that meets everyone's expectations and criteria. Finally, before the purchase an organization should make sure it has a clear understanding of its current environment. What is on your network currently? Who has admin rights on your network? What applications are running on your network? What are the compliance drivers for the organization? This information should be compiled prior to the purchase of a SIEM and is the foundation of what will become the SIEM roll-out plan. Most of the time these road maps are built during a third-party assessment or security posture analysis, and they are a key part of ensuring a successful deployment of a SIEM technology. Project-manage the road map and highlight specific success milestones that can be measured to ensure the deployment is on schedule. Typically this road map covers no less than 6 months and often extends out to a year.

Use Cases, Content and Correlation
Not all use cases are created equal. Again, out of the box almost all of the SIEM technologies on the market today come with the basic connectors that help the user bring in basic use cases pulled from the most common security and other technologies on the market. Organizations use SIEM technologies for many different reasons, so some of what I am saying here won't apply to all, but in general a SIEM can be used not only for security monitoring but also for operational monitoring and executive/compliance monitoring, if quality use cases and content are generated and added into the solution. If the user has the time and knowledge to use the built-in APIs/connectors/etc. to get most of their firewalls, servers, and other point products flowing into the SIEM tool, they are ahead of the game, but they are still a long way from the "situational awareness" and "single pane of glass" promised on the outside of the box or in the subject line from the reseller. Use cases are the area where an organization can see the most return on its investment after the proper installation and roll-out of the SIEM technology. There are many types of use cases. Across over 70% of all the SIEM engagements we perform on an annual basis, we find the majority of use cases address bringing only one technology into the SIEM and maybe setting an alert based on the built-in content included. That may be a valid use case, but is it getting the organization what it needs? Is it helping get them to a place of situational awareness and compliance automation? Often it isn't; use cases should have more than one function. Most use cases we see are created from one technology, or only take into account one or two items without any context from the rest of the environment. Properly correlating events from multiple systems with vulnerability scan results will give you visibility into the entire attack chain and provide true situational awareness.
Best Practice Recommendation
Regardless of whether an organization is going to deploy the SIEM technology itself or a third party is going to do it, well-thought-out use cases can make or break the success of a SIEM. Situational awareness is very possible if strong use cases and content are built into the system. In every SIEM technology there are plenty of out-of-the-box connectors and APIs that will make bringing in most critical infrastructure fairly easy, but where there are proprietary or other technologies that aren't supported by the SIEM tool's API, it might be necessary to do some custom parsing or scripting to match the output of the log source to the input of the SIEM. Once an organization gets all of that data feeding into the SIEM, it is important to create meaningful and tuned use cases to limit the number of alerts firing. Alerts should be actionable and important not just to the security team but also to the operational health of the organization, as well as to the executive view of compliance and the top-of-mind threat intelligence that today's boards and executive teams are keying on. The SIEM can be a window into all of these things through the creation of the proper use cases. As we discussed earlier, most use cases are created to look at only a single feed when they really need to weigh multiple feeds against each other to measure what may or may not be happening. The single feed works in some cases but often stops short of what the system is capable of doing, costing many engineering and analysis hours to do manually what should be automated. Imagine if a defense's strategy was to only watch what one single player did on offense and ignore all other receivers, running backs, etc.
That may work for certain plays that the offense runs, but for the remaining plays the defense will never be able to stop the offense. It is better to create plays and formations that allow the defense to cover the entire field. That is what good use cases should do, not only for the security team but for the entire IT, Finance, and Compliance organizations. Prior to hiring a third party to develop content and use cases, ask them to show you examples of what they would do to make your SIEM more efficient.

[Figure: SIEM management responsibilities. SIEM System Monitoring: Source Device Feeds, SIEM Components, SIEM Component Performance, SIEM Database Storage, Import of Customer Intel Feeds. SIEM System Maintenance: Use Case Library/RQ Best Practices, Troubleshoot SIEM Components, Interfacing with Support, Update Config Settings, Content Tuning, Change Mgmt Support.]
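The multi-feed correlation this section argues for, together with the custom parsing step mentioned in the Best Practice Recommendation above, as an added Python illustration. This is not ReliaQuest's code nor any SIEM product's built-in content. It assumes two constructed log formats (a key=value firewall feed and a key=value IDS feed), a constructed vulnerability scan result, and a 60-second correlation window; the rule names and the hosts are this example's own inventions. It puts the single-feed use case the paper criticizes beside a rule that weighs firewall, IDS and scan data against each other.

```python
import re
from datetime import datetime, timedelta

# Constructed sample feeds (invented formats and RFC 5737 documentation addresses,
# not real logs). Per the constructed scan below, host 10.0.0.12 exposes an
# unpatched SMB service on port 445; host 10.0.0.30 has no findings.
FIREWALL_LOGS = [
    "2015-03-01T10:00:05Z fw01 action=allow src=203.0.113.7 dst=10.0.0.12 dport=445",
    "2015-03-01T10:00:09Z fw01 action=allow src=203.0.113.7 dst=10.0.0.12 dport=3389",
    "2015-03-01T10:00:11Z fw01 action=deny src=203.0.113.7 dst=10.0.0.12 dport=22",
    "2015-03-01T10:01:00Z fw01 action=allow src=198.51.100.4 dst=10.0.0.30 dport=443",
]
IDS_LOGS = [
    '2015-03-01T10:00:07Z ids01 sig="SMB exploit attempt" src=203.0.113.7 dst=10.0.0.12 severity=high',
    '2015-03-01T10:01:02Z ids01 sig="TLS handshake anomaly" src=198.51.100.4 dst=10.0.0.30 severity=low',
]
# Constructed vulnerability scan result: host -> {port: finding}
VULN_SCAN = {
    "10.0.0.12": {445: "SMB service missing vendor patches"},
    "10.0.0.30": {},
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv_line(line, source):
    """Custom parsing step: normalize one '<timestamp> <host> key=value ...' line
    (a hypothetical format) into the common event schema the rules expect."""
    ts_str, host, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "source": source,
        "host": host,
        "src": fields.get("src"),
        "dst": fields.get("dst"),
        "dport": int(fields["dport"]) if "dport" in fields else None,
        "action": fields.get("action"),
        "sig": fields.get("sig"),
        "severity": fields.get("severity"),
    }


def single_feed_alerts(ids_events):
    """The common 'one technology plus built-in content' use case:
    every IDS signature becomes an alert, with no context from anything else."""
    return [{"rule": "ids_any_signature", "src": e["src"], "dst": e["dst"],
             "sig": e["sig"]} for e in ids_events]


def correlated_alerts(fw_events, ids_events, vuln_scan, window=timedelta(seconds=60)):
    """Multi-feed use case: an IDS alert fires only when the firewall allowed the
    same src->dst to a port the vulnerability scan flagged on that host, within
    `window`. The alert carries the evidence chain an analyst needs to act."""
    alerts = []
    for ids in ids_events:
        flagged_ports = vuln_scan.get(ids["dst"], {})
        corroborating = [
            fw for fw in fw_events
            if fw["action"] == "allow"
            and fw["src"] == ids["src"] and fw["dst"] == ids["dst"]
            and fw["dport"] in flagged_ports
            and abs(fw["ts"] - ids["ts"]) <= window
        ]
        if not corroborating:
            continue  # suppressed: no allowed traffic to a vulnerable service
        ports = sorted({fw["dport"] for fw in corroborating})
        alerts.append({
            "rule": "ids_alert_on_exposed_vulnerable_service",
            "src": ids["src"], "dst": ids["dst"], "sig": ids["sig"],
            "severity": ids["severity"],
            "ports": ports,
            "evidence": [f"ids: {ids['sig']} at {ids['ts'].isoformat()}"]
                        + [f"firewall: allowed {fw['src']}->{fw['dst']}:{fw['dport']} "
                           f"at {fw['ts'].isoformat()}" for fw in corroborating]
                        + [f"scan: {ids['dst']}:{p} {flagged_ports[p]}" for p in ports],
        })
    return alerts


def run_example():
    """Parse both constructed feeds and run the single-feed and correlated rules."""
    fw_events = [parse_kv_line(line, "firewall") for line in FIREWALL_LOGS]
    ids_events = [parse_kv_line(line, "ids") for line in IDS_LOGS]
    return {
        "single_feed": single_feed_alerts(ids_events),
        "correlated": correlated_alerts(fw_events, ids_events, VULN_SCAN),
    }


if __name__ == "__main__":
    result = run_example()
    print(f"single-feed rule: {len(result['single_feed'])} alerts")
    print(f"correlated rule:  {len(result['correlated'])} alerts")
    for alert in result["correlated"]:
        for line in alert["evidence"]:
            print("  ", line)
```

On the constructed input the single-feed rule raises two alerts, one per IDS signature, including the low-severity anomaly against a host with no findings. The correlated rule raises one: the IDS event on 10.0.0.12 is backed by a firewall "allow" to port 445 two seconds earlier and by the scan finding on that port, and the alert lists all three pieces of evidence. The 3389 "allow" and the denied port 22 attempt add nothing because the scan flagged neither, which is the kind of tuning the recommendation above describes.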

Management, Care and Feeding of the SIEM
SIEM technologies definitely do not fall into the "set it and forget it" category of technology. These technologies are often sold incorrectly: they are sold as the solution, the all-knowing, when instead we need to sell them as the meeting point or canvas for all security information. Just because you have paints, brushes, and a canvas doesn't ensure great art. Organizations must plan for an internal resource or outsourced service to monitor and maintain the SIEM solution on a regular basis. Some of the many things to manage on the SIEM include the internal health of the individual components, ongoing content development, and analysis of the actual security events. We recommend at least two formal health checks on the SIEM from an experienced SIEM-focused service provider per year, and sometimes more for larger organizations. Like cars, computers, firewalls, etc., SIEM technologies break and require an experienced professional to fix the issues while continuing to advance the sophistication and visibility of the system.

Best Practice Recommendation
The ongoing development and management of the SIEM tool is key to ensuring that an organization gets the most out of its SIEM technology. In order to manage the technology properly on an ongoing basis, the organization has to decide if it is going to allocate enough time for an internal resource to do all of the tuning, testing, and repair of the SIEM day to day. Too many organizations put a well-qualified professional in a position to fail by making them a jack-of-all-trades in security. One person often has responsibility for the SIEM, IDS, IPS, firewalls, etc. Depending on how many devices are reporting in to the SIEM, it is often too much to put both the management of the SIEM and the development of use cases and content on one person in the organization.
There are several trends that have emerged in the security space around outsourcing that make sense for both large and medium-sized organizations that feel it is important to control where their logs are being stored and who has access to them. The traditional model of the MSSP has always required the customer to send its logs to the MSSP for analysis and import into the MSSP's white-labeled SIEM tool. This often creates issues around making sure that the third party is set up to securely receive and store that often sensitive information. Another challenge sometimes present is getting data exported from the MSSP into your own data analysis systems. That trend is changing with the emergence of service providers that now enable their clients to own their own SIEM tool and other technologies and control their log information more closely: rather than requiring clients to send logs off-site, the service provider connects in and manages the SIEM and writes content for the organization remotely from its own security operations center. This is a highly efficient and cost-effective method that allows customers to focus less on the day-to-day care, feeding, and expansion of the SIEM technology and more on interpreting the intelligence generated by all of the tools in the environment. Organizations can find success managing and advancing the SIEM technology using internal staff or by outsourcing to this new breed of service providers, but the key is setting expectations and not putting too much on one person's plate, allowing them time to constantly improve the technology. Ongoing management is key to the success of a SIEM in an organization; given how fast the security world changes and evolves, someone has to be driving the SIEM to make sure the organization is keeping up.
Next Steps or More Information
ReliaQuest, a pioneer in IT security solutions, ensures organizations remain secure and compliant as the IT world changes, empowering IT professionals with the latest relevant security technology innovations and services that simplify the often complex interactions between security, risk and compliance in order to minimize loss of data, business disruptions and reputation. The ReliaQuest team has a unique ability to deliver optimal solutions, combining our talented staff and documented best practices that unify people, process and technology for both on-premise and managed service requirements. Check out our website (below) or contact us today to schedule your security assessment and find out what can be done to improve your SIEM today.

2015 ReliaQuest, Inc. All Rights Reserved. ReliaQuest, the ReliaQuest logo, RQ Labs, and RQ University are trademarks or registered trademarks of ReliaQuest, Inc. in the US and/or other countries. All other product names and/or slogans mentioned herein may be trademarks or registered trademarks of their respective companies. All other information presented here is subject to change and intended for general information. Printed in the USA.