Security Information and Event Management (SIEM) allows you to get real time analysis on threats and security alerts that are created by network applications and hardware. It controls the storage, manipulation, analysis, and reporting of different security data and enables you to correlate different events and alerts.
SIEM plays a role in regulatory compliance and isn’t something that you should ignore. A well-implemented Security Information and Event Management solution enables you to stay one step ahead of cyber attacks by providing a centralized view of security-related events and information.
As with any business and IT process, deployment of SIEM systems start with thorough planning and review.
When starting to implement SIEM for your organization, it is important to first review where you stand, and what you want SIEM to achieve for your business – establishing the business case. Begin by coming up with a list of goals and objectives and rank them by their importance to your organization. You should also understand which tasks and processes are critical in supporting the implementation and prioritize them accordingly.
You should also review your security policies, and, as usual, you need to know which of these policies are to be prioritized:
You should also have a clear view of your current controls (used to audit these security policies) that would help you ensure compliance. SANS.org outlines 20 critical controls in this guide, which is a good starting point for exploring your needs and identifying relationships between resources, controls, and business goals. “When an organization makes a plan to implement the 20 critical controls as a whole, SIEM should be one of the first controls implemented,” SANS.org explains. “Vulnerability scanners (based on SCAP), whitelisting tools, and other specific controls are important, but no specific control is more relied upon for effective control implementation than a SIEM. That’s because SIEM can take data from all these tools and more to help organizations understand their vulnerabilities, detect and troubleshoot security incidents and help improve security posture.”
The discovery phase typically involves SIEM implementation on a small but representative subset of the organization’s existing technology and policy, enabling you to gather critical data that can inform changes and improvements prior to a complete rollout. One primary goal is to identify weaknesses and gaps in the execution of controls and implementing plans for remedying them. Ideally, you should be able to plug any gaps before these security elements and controls are incorporated into your SIEM implementation. Otherwise, they won’t add value to your monitoring and alerting processes.
Starting with the implementation phase, you need to have two goals in mind:
During the discovery stage, you should be running SIEM on a small subset of technology that’s representative of all of your organization’s devices and policies. When you get to the pilot stage, you’re then able to apply lessons learned from the data collected during discovery and implement any improvements you’ve made on a larger subset of policies and devices – but the pilot phase is not yet a complete roll-out, either.
In the pilot phase, all assumptions that you have created during the discovery phase should be thoroughly tested, while you deal with a growing number of covered devices. After achieving satisfactory testing results, you should have all the data and information you need to go onto the controlled deployment phase.
SIEM deployment does not need to be done in one swift phase. You can gradually and steadily build capacity first as you go through the controlled deployment phase.
The controlled deployment phase is when you develop a deployment workflow that would allow you to build capacity for full deployment, as well as serve as the testing stage in a real production environment. During this phase, all processes, procedures, and operations should be clearly outlined in the runbook.
Successful SIEM deployments are not a one-time thing. After all, hackers never stop developing more sophisticated methods of attack, so you must continue to evolve in order to remain one step ahead of your would-be foes.
After the controlled development phase, and as you continue to roll out and deploy your SIEM system, you will get more data on how everything works in production. You should use these data and information to fine-tune your deployment and develop your organization’s security policies and processes. This means that your SIEM deployments are under constant change – and this process should never stop.
The best way to implement SIEM? Gradually. A step-by-step approach will help you learn more about your current systems and implement your strategy piece-by-piece, allowing you to fine-tune it along the way. If there are mistakes or gaps in your implementation that leave vulnerabilities unaddressed, you can easily pinpoint where they are and how to correct them. You can also get more data for every step and use the information to improve deployment going forward.
Taking it slow is not the only best practice when it comes to SIEM deployments. Other best practices include:
For more information on implementing a security information and event management solution, visit the following resources and tutorials:
Today’s hackers are often multi-channel operators, meaning that even the best monitoring can fall short of proactively identifying threats if it’s focused only on a single channel. Centralizing alerts and other security-related information in a single, cohesive view enables you to more effectively identify potential threats from activity that, when viewed only in the context of one channel, may seem innocuous. This is what makes tools like Retrace more valuable for SIEM compared to stand-alone log management solutions. By combining logs, errors, metrics, monitoring, and even APM in a single suite of tools, Retrace centralizes essential data that can aid in SIEM.