Researchers such as Gartner labels SIEM Technology as a booming business. The average network administrator is afraid they don’t have visibility to network threats, which is probably true. SIEM solutions are a step in the right direction but by no means a silver bullet for identifying all attacks. SIEM vendors are also NOT equal in capabilities . If a vendor claims their solution can do it all including being you’re all in one continuous monitoring solution, thank them for the free lunch and walk away. This piece contains an overview of SIEM technology and what to consider while evaluating SIEM solutions.
All Security Information and Event Management SIEM solutions should capitalize the “I” or “E” depending on their focus since none can do both well. INFORMATION based SIEM technology focus on presenting data and typically easier to deploy since they are like a data repository. They perform event log management on millions of logs indexing and compressing files for archiving and future access. Think of these as information management focused or a “google” for organizing and managing logs events.
SIEM technology highlighting EVENT MANAGEMENT typically require more work to be impactful. They leverage near real-time data such as NetFlow and security device logs to correlate events so IT staff can prioritize focus. One main importance of correlation is identifying attacks that can’t be recognized without viewing all associated events from different devices. An example is capturing events from a desktop firewall, NetFlow reading and web content filter which all point to the behavior of a bot “phoning home” to a malicious website. Seeing one log may not be enough information to recognize the attack vector while consolidating everything to a single event simplifies understanding what is going on. Event focused SIEM solutions are typically near real-time analysis tools used to alert staff to high-level threats so action can be performed.
SIEM technology is only valuable if tuned to meet your business needs. You cannot plug in a SIEM and expect it to understand your network. SIEM solutions typically require multiple tuning sessions pre and post deployment to weed out false positive or meaningless data. Poorly tuned SIEM solutions are known for generating white noise and unreadable diagrams known as “the bug splat” diagram.
Here are some tips for identifying the best SIEM solution for your business needs.
1) SIEM solutions can capture a world of information. Regardless which form of SIEM you desire, make sure to only utilize necessary data. Focus on categorizing high, medium and low priority data properly and remove devices that are out of scope.
2) Tune the SIEM evaluation to match your business goals. If you don’t care about archiving security events, remove that from your scope during testing. You need to have your objectives list ready prior to evaluation or you will get lost in the SIEM feature forest.
3) Know your storage and data retention requirements. Many SIEM solutions can archive data but have difficulty utilizing off box data when forensic requirements are desired. Test off box use of the data.
4) Identify what is a high priory alert or key data and work from there to the lowest general data. Less is more! Weed out the unnecessary notification alerts/logging.
5) It’s best practice to deploy a SIEM solution and have your services group spaced out tuning rather than complete all work during the initial install. Post deployment services can kill your budget if you don’t tune a SIEM right the first time. Understand what support is needed to maintain value from the solution.
6) Learn how the SIEM solution captures the network. Automation is key. Test the features as all SIEMS are not equal and accomplish similar things in very different ways.
7) Understand the architecture. Is it simply software nodes or a bunch of appliances? How do you handle HA? How does the workflow alert staff to key events? How easy is it to find data from multiple locations or devices.
8) What are the reporting options? If your goal is compliancy, how does the SIEM solution provide you data to meet that objective? If it’s near-real time alerting, how quickly does the solution help you identify threats? Does the diagram showcase complicated data in a method leadership can understand?
9) What devices are supported? How does the SIEM solution support custom devices? Can customers build custom parsers to report on device the SIEM doesn’t have drivers for?
10) Who can you call when the solution is no longer providing value? Not when it breaks … when its no longer valuable?