Getting the most out of your SIEM technology
Co-management helps to maximize existing investments and rapidly advance security
Whitepaper
Make Security Possible
Table of Contents
Maximizing the SIEM's potential ... 3
Purchase and Selection ... 3
Use-cases, content and correlation ... 4
Best Practices ... 4
Management, care and feeding of the SIEM ... 5
Best Practices ... 5
Next Steps ... 5
Make Security Possible Page 2 of 6
Maximizing the SIEM's potential

Security Information and Event Management (SIEM) solutions have been used for more than 15 years to give organizations broad security visibility through real-time monitoring of log data. Businesses spend millions of dollars buying, maintaining, operating, and optimizing these tools, yet they may still leave potential benefits on the table. As is often the case with technology, typical use may tap into only a small percentage of a SIEM's total capability. Maximizing this capability is critical not only to demonstrate adequate return on investment to the larger organization, but also to ensure the continuous advancement of security as threats evolve.

There are a number of reasons for SIEM underuse. Regardless of the reason, there are several strategies that any organization can use to take full advantage of the SIEM's capabilities.

Purchase and selection

Maximizing a SIEM investment starts at the initial purchase stage. Whether the tool is needed to remain in compliance with an organization's industry regulations or because the security team simply wants to enhance visibility into its environment, having a methodical plan in place for implementation, operation and maintenance is critical to the tool's success. The plan should clearly identify all necessary ongoing support resources, such as continuous training for security staff. This blueprint should be a living document that is adaptable as new threats or capabilities emerge.

Oftentimes, the decision to purchase a SIEM comes in the form of a directive from senior executives. This directive may come as a result of a highly publicized breach or in order to check a box for compliance. In these cases in particular, organizations often turn to third-party security assessment companies to perform a full assessment of the company's security capabilities and make suggestions on which tools are needed.
The problem with these assessments is that they are based on a single snapshot in time and do not take into consideration the organization's holistic security goals. Additionally, while outside firms may recommend suitable tools, they seldom provide tailored guidance to overburdened security teams on how best to implement, operate or maintain those tools.

Organizations should plan around three critical phases of SIEM deployment:
1. Initial install
2. First 3-6 months of optimization and customization
3. Ongoing management and enhancement

In some cases, it is left up to one person on a security team to oversee the new SIEM, on top of any other technologies they may be managing. This person undoubtedly has limited time for training or back-up support to help make the best use of this tool, leaving senior management questioning the purchase altogether.

Imagine purchasing a model home and then being frustrated that it isn't furnished to your specific taste or needs. Is it the fault of the architect? SIEM technology is not so different. In order for the tool to work most effectively, it must be customized for an organization's specific needs, threat landscape and security goals.
Set the SIEM in motion with an expert partner

Many organizations find that it is not feasible to expect a current security team member to fully manage and maximize the new SIEM technology on top of all other responsibilities. In these cases, organizations often turn to security service providers to help them get the new technology off the ground and ensure its sustained success.

First, when selecting a service provider, find out how many SIEM technologies the provider has managed. Implementing a SIEM tool correctly requires extensive security engineering experience, ideally in that specific SIEM technology. Ideally, a provider has experience in multiple SIEM technologies and can explain the benefits and challenges of each tool as it relates to a number of different industries or organizations.

Secondly, include all stakeholders in the product demo, proof-of-concept, and selection phases to ensure buy-in across all functional areas. The nature of the SIEM is such that it must integrate with multiple areas across an organization's network, so the network team must be aligned with the security team's expectations for the new SIEM.

Finally, before the tool is purchased, the organization should take some time to fully understand its current environment. What is on the network? Who has administrative rights? What applications are in use? What are the relevant compliance drivers? Answering these questions will help a security team build a road map with measurable milestones to guide the SIEM's deployment and long-term effectiveness.

Use-cases, content and correlation

Not all use-cases are created equal. Almost all SIEM technologies come with only the basic connectors that integrate basic use-cases pulled from the most common security needs. Organizations use SIEM technologies for many different reasons, and thus need the SIEM to be flexible and adaptable. Most SIEM tools have this capability.
SIEMs are typically used for security monitoring, but they can also enable operational monitoring, and even executive/compliance monitoring. It all depends on the use-cases and custom rules that are built into the SIEM. Enabling APIs, connectors and similar integrations so that firewalls, servers, and other point products flow into the SIEM tool is the first step, but it still takes a significant amount of custom effort to create the true situational awareness on a single pane of glass that most SIEM tools promise to provide.

Custom use-cases help an organization fully utilize the capabilities of the SIEM. There are many types of such use-cases. In more than 70% of the SIEM engagements performed by ReliaQuest, the majority of use-cases address only one technology being fed into the SIEM. Some may also include a specific alert based on built-in content included with the SIEM. This is a positive first step, but it is just the tip of the iceberg. So much more is possible when additional context is added from multiple areas of the environment. Properly correlating events from multiple systems, as well as data from ongoing vulnerability scans, can provide visibility into an entire attack chain and a complete picture of the security environment.

Best practices

Whether an organization decides to deploy the SIEM technology on its own or through a third party, systematic use-cases can make or break a SIEM's success. Every SIEM technology includes a number of out-of-the-box connectors and APIs that help integrate pieces of critical infrastructure, but it may be necessary to perform custom parsing or scripting to fully support additional technologies or proprietary tools. Use-cases should also automatically correlate multiple feeds of data to provide a comprehensive picture of an organization's security.
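As an added illustration of the correlation best practice described above (this is example code written for this page, not ReliaQuest's tooling or any SIEM vendor's rule syntax), the following Python sketch runs the same constructed events through a single-source rule and a multi-feed correlation rule. It joins a network IDS feed with vulnerability-scan results and host authentication logs so that an exploit attempt is only escalated when the target is actually exposed, and is raised further when the attacking source then logs in successfully. Every host address, field name, timestamp and vulnerability identifier below is a constructed placeholder.

```python
"""Multi-feed SIEM correlation example (added illustration, not product code).
All feed data, field names and vulnerability ids are constructed placeholders."""
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s):
    """Parse the constructed ISO-8601 timestamps used in the sample feeds."""
    return datetime.fromisoformat(s)


# Constructed IDS feed: each exploit-attempt signature hit is tagged with the
# vulnerability id the signature targets (ids are placeholders, not real CVEs).
IDS_EVENTS = [
    {"ts": ts("2024-01-01T10:00:00"), "src": "203.0.113.5", "dst": "10.0.0.10", "vuln_id": "EXAMPLE-VULN-001"},
    {"ts": ts("2024-01-01T10:00:05"), "src": "203.0.113.5", "dst": "10.0.0.11", "vuln_id": "EXAMPLE-VULN-001"},
    {"ts": ts("2024-01-01T10:00:10"), "src": "203.0.113.5", "dst": "10.0.0.12", "vuln_id": "EXAMPLE-VULN-001"},
    {"ts": ts("2024-01-01T10:01:00"), "src": "198.51.100.7", "dst": "10.0.0.10", "vuln_id": "EXAMPLE-VULN-002"},
    {"ts": ts("2024-01-01T10:02:00"), "src": "203.0.113.5", "dst": "10.0.0.10", "vuln_id": "EXAMPLE-VULN-001"},
]

# Constructed vulnerability-scan results: host -> unpatched vulnerability ids.
VULN_SCAN = {
    "10.0.0.10": {"EXAMPLE-VULN-001"},
    "10.0.0.12": {"EXAMPLE-VULN-003"},
}

# Constructed authentication feed collected from the hosts themselves.
AUTH_EVENTS = [
    {"ts": ts("2024-01-01T09:00:00"), "host": "10.0.0.11", "src": "10.0.0.50", "user": "alice", "result": "success"},
    {"ts": ts("2024-01-01T10:03:00"), "host": "10.0.0.10", "src": "203.0.113.5", "user": "svc_backup", "result": "success"},
]


def single_source_alerts(ids_events):
    """Built-in style rule: one medium alert per IDS signature hit, no context."""
    return [{"dst": e["dst"], "vuln_id": e["vuln_id"], "severity": "medium"} for e in ids_events]


def correlate(ids_events, vuln_scan, auth_events, window=timedelta(minutes=10)):
    """Correlated rule: group IDS hits per (target, vulnerability), keep only
    targets the scan reports as exposed, and escalate when an attacking source
    logs in successfully on the target within `window` of a hit."""
    groups = defaultdict(list)
    for e in ids_events:
        groups[(e["dst"], e["vuln_id"])].append(e)

    alerts = []
    for (dst, vuln_id), hits in sorted(groups.items()):
        if vuln_id not in vuln_scan.get(dst, set()):
            continue  # target is not exposed: suppress, retain raw events for hunting
        sources = {h["src"] for h in hits}
        followed_by_login = any(
            a["host"] == dst and a["result"] == "success" and a["src"] in sources
            and any(h["ts"] <= a["ts"] <= h["ts"] + window for h in hits)
            for a in auth_events
        )
        alerts.append({
            "dst": dst,
            "vuln_id": vuln_id,
            "hits": len(hits),
            "sources": sorted(sources),
            "severity": "critical" if followed_by_login else "high",
        })
    return alerts


if __name__ == "__main__":
    print("single-source alerts:", len(single_source_alerts(IDS_EVENTS)))
    for alert in correlate(IDS_EVENTS, VULN_SCAN, AUTH_EVENTS):
        print("correlated alert:", alert)
```

On the constructed input the single-source rule raises five medium alerts, three of them for hosts the scan shows are not exposed, while the correlated rule raises one critical alert for the exposed host whose attacker went on to authenticate. The suppressed hits are not discarded: they stay in the SIEM as context for hunting, which is the difference between tuning a use-case and simply filtering a feed.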
Once an organization funnels all its data into the SIEM, meaningful and tuned use-cases can limit the alerts to only those that are most relevant. Ultimately, alerts should be actionable, not just for the benefit of the security team but also for the operational health of the organization. High-quality alerts provide an organization's executive level with a clearer view of security as a whole, in addition to compliance assurances. If used properly, the SIEM can be a window into a new world of security.

Management, care and feeding of the SIEM

SIEM technologies are not meant for teams to "set it and forget it." Though these technologies may be sold as the all-encompassing solution, at their core they are still simply aggregating data. They may be able to bring information together, but they still need expertise to make sense of it all. Organizations need a dedicated resource to monitor and maintain the SIEM solution on a continual basis. This includes maintaining the internal health of the SIEM's individual components, ongoing content development, and ongoing analysis of security events. At least two formal health checks should be performed on the SIEM per year. Larger organizations often require more frequent checkups. Like any other piece of technology, SIEMs require continual care from a proven expert.

Best practices

The ongoing development and management of the SIEM is key to ensuring that an organization maximizes its capabilities. It is not often feasible in the long term for one internal team member to perform all of the ongoing tuning, testing, and repair of the SIEM. Most successful security teams benefit from a partnership with a proven expert in SIEM optimization. But not all outsourcing is created equal. The traditional Managed Security Service Provider (MSSP) model requires the customer to send all its logs to the MSSP for analysis in the MSSP's own SIEM tools.
But it's not always easy to ensure this third party is set up to securely receive and store that sensitive information. Another common challenge is exporting data from the MSSP into an organization's own data analysis systems.

By contrast, co-management providers enable customers to retain full control of their log information and utilize the SIEM or other technologies they already own. These kinds of service providers connect into customers' environments remotely to manage, maintain and advance the organization's security from the provider's own Security Operations Center(s). This highly efficient, cost-effective method frees customers from day-to-day SIEM management, allowing them to spend more time interpreting the intelligence the tools are generating as the security landscape rapidly changes.

Next steps

[Diagram: co-managed SIEM service areas. Labels recovered from the figure: SIEM System Monitoring (Source Device Feeds, SIEM Components, SIEM Component Performance, SIEM Database Storage); SIEM System Maintenance (Use Case Library/RQ Best Practices, Troubleshoot SIEM Components, Interfacing with Support, Update Config Settings, Import of Customer Intel Feeds, Content Tuning, Change Mgmt Support)]

ReliaQuest advances the delivery, reliability and outcomes of IT Security. Founded in 2007 and serving Fortune 2000 enterprises across diverse industries, ReliaQuest is a leading provider of co-managed IT security solutions. Through co-management, ReliaQuest helps its customers better understand the security threats facing their organizations, enabling them to continuously evolve their security platforms to stay ahead of the curve. The company takes a collaborative approach to develop customized solutions based on each organization's risk profile and business goals, while leveraging their existing investments in security hardware and software.
Headquartered in Tampa, FL, ReliaQuest provides Incident Response, Security Engineering, Security Analytics and Threat Management solutions 24 hours a day, 365 days a year from Security Operations Centers in both Tampa and Las Vegas, NV. Contact ReliaQuest today to schedule a security assessment and learn how to maximize your SIEM's total capability.