Getting the most out of your SIEM technology


Co-management helps to maximize existing investments and rapidly advance security
Whitepaper
Make Security Possible

Table of Contents
Maximizing the SIEM's potential ... 3
Purchase and Selection ... 3
Use-cases, content and correlation ... 4
Best Practices ... 4
Management, care and feeding of the SIEM ... 5
Best Practices ... 5
Next Steps ... 5

Make Security Possible Page 2 of 6

Maximizing the SIEM's potential

Security Information and Event Management (SIEM) solutions have been used for more than 15 years to give organizations broad security visibility through real-time monitoring of log data. Businesses spend millions of dollars buying, maintaining, operating, and optimizing these tools, but they may still leave potential benefits on the table. As is often the case with technology, typical use may only tap into a small percentage of a SIEM's total capability. Maximizing this capability is critical not only to demonstrate adequate return on investment to the larger organization, but also to ensure continuous advancement of security as threats evolve. There are a number of reasons for SIEM underuse, but regardless of the reason, there are several strategies that any organization can use to take full advantage of the SIEM's capabilities.

Purchase and selection

Maximizing a SIEM investment starts at the initial purchase stage. Whether the tool is needed to remain in compliance with an organization's industry regulations or because the security team simply wants to enhance visibility into its environment, having a methodical plan in place for implementation, operation and maintenance is critical to the tool's success. The plan should clearly identify all necessary ongoing support resources, such as continuous training for security staff. This blueprint should be a living document that is adaptable as new threats or capabilities emerge.

Oftentimes, the decision to purchase a SIEM comes in the form of a directive from senior executives. This directive may come as a result of a highly publicized breach or in order to check a box for compliance. In these cases in particular, organizations often turn to third-party security assessment companies to run a full scan of the company's security capabilities and make suggestions on which tools are needed. The problem with these assessments is that they are based on one snapshot in time and do not take into consideration the organization's holistic security goals. Additionally, while outside firms may recommend suitable tools, they seldom provide tailored guidance to overburdened security teams on how best to implement, operate or maintain the tools.

Organizations should plan around three critical phases of SIEM deployment:
1. Initial install
2. First 3-6 months of optimization and customization
3. Ongoing management and enhancement

In some cases, it is left up to one person on a security team to oversee the new SIEM, on top of any other technologies they may be managing. This person undoubtedly has limited time for training or back-up support to help make best use of this tool, leaving senior management questioning the purchase altogether. Imagine purchasing a model home and then being frustrated that it isn't furnished to your specific taste or needs. Is it the fault of the architect? SIEM technology is not so different. In order for the tool to work most effectively, it must be customized for an organization's specific needs, threat landscape and security goals.

Set the SIEM in motion with an expert partner

Many organizations find that it is not feasible to expect a current security team member to fully manage and maximize the new SIEM technology on top of all other responsibilities. In these cases, organizations often turn to security service providers to help them get the new technology off the ground and ensure its sustained success.

First, when selecting a service provider, find out how many SIEM technologies the provider has managed. Implementing a SIEM tool correctly requires extensive security engineering experience, ideally in that specific SIEM technology. Ideally, a provider has experience in multiple SIEM technologies and can explain the benefits and challenges of each tool as it relates to a number of different industries or organizations.

Secondly, include all stakeholders in the product demo, proof of concept, and selection phases to ensure buy-in across all functional areas. The nature of the SIEM is such that it must integrate with multiple areas across an organization's network, so the network team must be aligned with the security team's expectations for the new SIEM.

Finally, before the tool is purchased, the organization should take some time to fully understand its current environment. What is on the network? Who has administrative rights? What applications are in use? What are the relevant compliance drivers? Answering these questions will help a security team build a road map with measurable milestones to guide the SIEM's deployment and long-term effectiveness.

Use-cases, content and correlation

Not all use-cases are created equal. Almost all SIEM technologies come with only the basic connectors that integrate basic use-cases pulled from the most common security needs. Organizations use SIEM technologies for many different reasons, and thus need the SIEM to be flexible and adaptable. Most SIEM tools have this capability.

SIEMs are typically used for security monitoring, but they can also enable operational monitoring, and even executive/compliance monitoring. It all depends on the use-cases and custom rules that are built into the SIEM. Enabling APIs, connectors and similar integrations so that firewalls, servers, and other point products flow into the SIEM tool is the first step, but it still takes a significant amount of custom effort to create true situational awareness on a single pane of glass, as most SIEM tools promise to provide.

Custom use-cases help an organization fully utilize the capabilities of the SIEM. There are many types of such use-cases. In more than 70% of the SIEM engagements performed by ReliaQuest, the majority of use-cases only address one technology being fed into the SIEM. Some may also include a specific alert based on built-in content included with the SIEM. This is a positive first step, but it is just the tip of the iceberg. So much more is possible when additional context is added from multiple areas of the environment. Properly correlating events from multiple systems, as well as data from ongoing vulnerability scans, can provide visibility into an entire attack chain and a complete picture of the security environment.

Best practices

Whether an organization decides to deploy the SIEM technology on its own or through a third party, systematic use-cases can make or break a SIEM's success. Every SIEM technology includes a number of out-of-the-box connectors and APIs that help integrate pieces of critical infrastructure, but it may be necessary to perform custom parsing or scripting to fully support additional technologies or proprietary tools. Use-cases should also automatically correlate multiple feeds of data to provide a comprehensive picture of an organization's security.
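To make the single-technology versus correlated use-case contrast concrete, here is an added example (not from the whitepaper or ReliaQuest) written as a small Python correlation rule. It compares an out-of-the-box "one alert per IDS hit" rule with a rule that joins the IDS feed, a vulnerability scan and host authentication logs into one attack-chain alert. All hosts, timestamps, finding IDs and events are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feeds (not real data). Finding IDs are placeholders.
# Vulnerability scan: which hosts expose which vulnerable service.
VULN_SCAN = [
    {"host": "10.0.1.5", "service": "smb", "finding": "VULN-PLACEHOLDER-1", "severity": "high"},
    {"host": "10.0.1.9", "service": "http", "finding": "VULN-PLACEHOLDER-2", "severity": "medium"},
]
# Network IDS feed: exploit-signature hits (source, destination, targeted service).
IDS_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "src": "203.0.113.7", "dst": "10.0.1.5", "service": "smb"},
    {"ts": "2024-01-10T09:01:00", "src": "203.0.113.7", "dst": "10.0.1.8", "service": "smb"},
    {"ts": "2024-01-10T09:02:00", "src": "198.51.100.3", "dst": "10.0.1.9", "service": "ssh"},
]
# Host authentication feed: logons on the targeted hosts.
AUTH_EVENTS = [
    {"ts": "2024-01-10T09:04:30", "host": "10.0.1.5", "user": "svc_backup", "privileged": True},
    {"ts": "2024-01-10T13:00:00", "host": "10.0.1.8", "user": "jdoe", "privileged": False},
]

def single_source_rule(ids_events):
    """Typical built-in content: one low-priority alert per IDS hit, no context."""
    return [f"low: IDS hit {e['src']} -> {e['dst']} ({e['service']})" for e in ids_events]

def correlated_rule(ids_events, vuln_scan, auth_events, window_min=10):
    """Attack-chain rule: an IDS hit against a service the scanner reports as
    vulnerable on that host, followed within window_min minutes by a privileged
    logon on the same host. Hits on non-vulnerable hosts are dropped as noise."""
    vulnerable = {(v["host"], v["service"]): v for v in vuln_scan}
    auth_by_host = defaultdict(list)
    for a in auth_events:
        auth_by_host[a["host"]].append(a)
    alerts = []
    for e in ids_events:
        v = vulnerable.get((e["dst"], e["service"]))
        if v is None:
            continue  # scanner says this host is not exposed to that service
        t0 = datetime.fromisoformat(e["ts"])
        for a in auth_by_host[e["dst"]]:
            ta = datetime.fromisoformat(a["ts"])
            if a["privileged"] and t0 <= ta <= t0 + timedelta(minutes=window_min):
                alerts.append(
                    f"high: {e['src']} hit {v['finding']} ({e['service']}) on {e['dst']}, "
                    f"then privileged logon as {a['user']} at {a['ts']}"
                )
    return alerts

if __name__ == "__main__":
    print("\n".join(single_source_rule(IDS_EVENTS)))   # three low-value alerts
    print("\n".join(correlated_rule(IDS_EVENTS, VULN_SCAN, AUTH_EVENTS)))  # one chain
```

The constructed data yields three context-free alerts from the single-source rule but exactly one high-priority alert from the correlated rule, which is the kind of reduction the tuned use-cases described here aim for.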

Once an organization funnels all its data into the SIEM, meaningful and tuned use-cases can limit the volume of alerts to only those that are most relevant. Ultimately, alerts should be actionable, not just for the benefit of the security team but also for the operational health of the organization. High-quality alerts provide an organization's executive level with a clearer view of security as a whole, in addition to compliance assurances. If used properly, the SIEM can be a window into a new world of security.

Management, care and feeding of the SIEM

SIEM technologies are not meant for teams to "set it and forget it." Though these technologies may be sold as the all-encompassing solution, at their core they are still simply aggregating data. They may be able to bring information together, but they still need expertise to make sense of it all. Organizations need a dedicated resource to monitor and maintain the SIEM solution on a continual basis. This includes maintaining the internal health of the SIEM's individual components, ongoing content development, and ongoing analysis of security events. At least two formal health checks should be performed on the SIEM per year. Larger organizations often require more frequent checkups. Like any other piece of technology, SIEMs require continual care from a proven expert.

Best Practices

The ongoing development and management of the SIEM is key to ensuring that an organization maximizes its capabilities. It is not often feasible in the long term for one internal team member to perform all of the ongoing tuning, testing, and repair of the SIEM. Most successful security teams benefit from a partnership with a proven expert in SIEM optimization. But not all outsourcing is created equal. The traditional Managed Security Service Provider (MSSP) model requires the customer to send all its logs to the MSSP for analysis in the MSSP's own SIEM tools. But it's not always easy to ensure this third party is set up to securely receive and store that sensitive information. Another common challenge is exporting data from the MSSP into an organization's own data analysis systems.

By contrast, co-management providers enable customers to retain full control of their log information and utilize the SIEM or other technologies they already own. These kinds of service providers connect into customers' environments remotely to manage, maintain and advance the organization's security from the provider's own Security Operations Center(s). This highly efficient, cost-effective method frees customers from day-to-day SIEM management, allowing them to spend more time interpreting the intelligence the tools are generating as the security landscape rapidly changes.

Next steps

[Figure: co-managed SIEM service areas. Labels: SIEM System Monitoring; Source Device Feeds; SIEM Components; SIEM Component Performance; SIEM System Maintenance; Use Case Library/RQ Best Practices; Troubleshoot SIEM Components; Interfacing with Support; Update Config Settings; SIEM Database Storage; Import of Customers' Intel Feeds; Content Tuning; Change Mgmt Support]

ReliaQuest advances the delivery, reliability and outcomes of IT Security. Founded in 2007 and serving Fortune 2000 enterprises across diverse industries, ReliaQuest is a leading provider of co-managed IT security solutions. Through co-management, ReliaQuest helps its customers better understand the security threats facing their organizations, enabling them to continuously evolve their security platforms to stay ahead of the curve. The company takes a collaborative approach to develop customized solutions based on each organization's risk profile and business goals, while leveraging their existing investments in security hardware and software. Headquartered in Tampa, FL, ReliaQuest provides Incident Response, Security Engineering, Security Analytics and Threat Management solutions 24 hours a day, 365 days a year from Security Operations Centers in both Tampa and Las Vegas, NV. Contact ReliaQuest today to schedule a security assessment and learn how to maximize your SIEM's total capability.
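As an added example of the source-feed health check that the "Management, care and feeding of the SIEM" section calls for (not code from the whitepaper or ReliaQuest), the Python below compares each expected log source against what the SIEM saw in the last hour and flags sources that went silent or whose volume collapsed. Source names, intervals, baselines and the observed summary are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed inventory of expected log sources (hypothetical names).
# interval_min: how often the source normally ships at least one event;
# baseline_per_hour: its usual hourly event count.
EXPECTED_SOURCES = {
    "fw-edge-01":  {"interval_min": 5,  "baseline_per_hour": 12000},
    "dc-auth-01":  {"interval_min": 15, "baseline_per_hour": 800},
    "vpn-gw-01":   {"interval_min": 30, "baseline_per_hour": 150},
    "ids-core-01": {"interval_min": 60, "baseline_per_hour": 40},
}

# Constructed per-source summary for the last hour, as a SIEM would report it.
# ids-core-01 is deliberately absent: it sent nothing in the window.
OBSERVED = {
    "fw-edge-01": {"last_seen": "2024-01-10T10:59:40", "count_last_hour": 11800},
    "dc-auth-01": {"last_seen": "2024-01-10T10:58:00", "count_last_hour": 120},
    "vpn-gw-01":  {"last_seen": "2024-01-10T08:10:00", "count_last_hour": 0},
}
REPORT_TIME = "2024-01-10T11:00:00"  # constructed "now" for the check

def check_feeds(expected, observed, now_iso, silent_multiplier=3, drop_ratio=0.5):
    """Return (source, condition, detail) findings.
    'silent': last event older than silent_multiplier * expected interval, or no
    events at all. 'volume_drop': hourly count below drop_ratio of baseline.
    Either usually means a broken connector, a changed log format or a
    collector outage, which leaves the correlation rules blind to that source."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for name, spec in expected.items():
        obs = observed.get(name)
        if obs is None:
            findings.append((name, "silent", "no events in window"))
            continue
        age = now - datetime.fromisoformat(obs["last_seen"])
        limit = timedelta(minutes=spec["interval_min"] * silent_multiplier)
        if age > limit:
            minutes = int(age.total_seconds() // 60)
            findings.append((name, "silent", f"last event {minutes} min ago"))
            continue
        ratio = obs["count_last_hour"] / spec["baseline_per_hour"]
        if ratio < drop_ratio:
            findings.append((name, "volume_drop", f"{ratio:.0%} of baseline"))
    return findings

if __name__ == "__main__":
    for source, condition, detail in check_feeds(EXPECTED_SOURCES, OBSERVED, REPORT_TIME):
        print(f"{source}: {condition} ({detail})")
```

Tune silent_multiplier and drop_ratio per source class; a quiet VPN gateway overnight is normal, a quiet domain controller is not.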