Making the Most of Your SIEM Security From the Beginning
As the complexity of your company’s digital network grows, Security Information and Event Management (SIEM) technology can significantly help support your IT team with the visibility they need to ensure compliance and operational support for the successful continuation of the business. Unfortunately, with great power comes great pain points and problems. I sat down with Paul Caiazzo, Founder and Chief Security Architect of TruShield, to talk about the common blunders he sees when companies DIY their SIEM integrations, and here is what I found out.
Prevalent Problem is Coverage
When implementing a SIEM solution, the first and foremost objective is to make sure the entire environment is covered. The problem seen most often is incomplete coverage: devices or data sources in the environment that have never been integrated into the SIEM solution.
“A lot of people think, ‘Well, I’ve got my firewalls logged and that’s all I really need to worry about.’ But that’s missing the point of SIEM security. Having the ability to correlate events across different devices, segments, and trust zones allows for visibility across multiple device classes and a bigger picture of the entire environment. Monitoring all aspects within an environment needs to start from the beginning, so planning the architecture from the start will help to avoid blind spots,” Caiazzo advises.
Another gap Caiazzo’s team commonly sees is that logs are integrated into the SIEM at the host or operating system level, but not at the application or database level. Each application or database running on a server is its own data source that can provide additional security information and should be logged; typically it counts as a new data source over and above the host itself. So when an organization plans its SIEM integration, it is imperative to include multiple data sources for each individual host so that the SIEM pulls in all the available and applicable information.
Make Sure to Integrate the Right Enterprise Service
Another element that commonly contributes to a poorly implemented SIEM is integrating the wrong enterprise services. Regardless of your organization’s size, industry, or location, all businesses are evolving into technology businesses, so the right enterprise services are not only necessary for your operations, they are what the network itself depends on to function. For example, the Domain Name System (DNS) translates hostnames to Internet Protocol (IP) addresses, while the Network Time Protocol (NTP) keeps device clocks synchronized so that timestamps from one device can be compared with those of another. Consistent timestamps across all devices are a critical linchpin for your SIEM and for effective log management. Simple Mail Transfer Protocol (SMTP) logs should be included in your SIEM so that you can see phishing attacks at the SMTP level. Authentication is another important element to include in the SIEM’s depth of coverage so that you can view administrative logins as well as failed logins. Integrating all of these elements gives a bigger picture of the organization’s digital environment, which is the ultimate goal of a SIEM security solution.
Weighing Criticality for the Digital Environment
Another key element to address while planning the onboarding process for your SIEM is to make sure the criticality of the different devices in the environment is correctly weighted. For example, a workstation should have a different criticality level than a key database server, since the two should be treated and scored differently. The criticality weight needs to be built into the SIEM tool and can be changed when necessary, but it should be assigned on day one. This lets alerts that carry a higher risk be calculated at a higher point value within the tool.
Incorporate Threat Analytics
Not connecting to the current information available about the growing number of cyber threats is turning a blind eye to a spreading problem. Make sure you are incorporating data feeds from threat intelligence sources so that you can match them against information from your digital environment. There are several options available, both paid and free, that can be integrated into your SIEM solution. Make it easier on your future self by automating the ingestion of new indicators of compromise (IOCs) into the SIEM tool. This allows newly discovered threats, and the signatures or indicators associated with them, to be integrated into your SIEM platform automatically. It also lets you look back at what has already happened in your digital environment to see whether any of those new indicators are present. Having a process in place to look for indicators that weren’t previously known is called active hunting. This does require resources and bandwidth, which many organizations may not have in-house, but could have through a managed SIEM provider.
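The two ideas above, criticality weighting of assets and automated IOC ingestion with a look-back over stored events, fit together in one small scoring pipeline. The following is an added example written for this article, not code from the author or from TruShield; the feed format, the criticality weights, the severity values and the events are all constructed for illustration.

```python
"""Added example (not from the article or TruShield): parse an IOC feed, match it
against SIEM events, weight the resulting alerts by asset criticality, and
retro-hunt already-stored events when a newer feed adds indicators.
All feeds, weights and events below are constructed sample data."""
from dataclasses import dataclass

# Constructed IOC feed in a simple "type,value,description" text format.
# Real feeds (STIX/TAXII, CSV exports) differ; the parsing idea is the same.
IOC_FEED_V1 = """\
ip,203.0.113.45,scanner seen in honeypot
domain,bad.example,phishing landing page
"""
# A later pull of the same feed with one new indicator.
IOC_FEED_V2 = IOC_FEED_V1 + "domain,update-check.example,newly reported C2 domain\n"

# Hypothetical criticality weights: a workstation and a database server get
# different weights so the same finding scores differently (as the article advises).
CRITICALITY = {"workstation": 1, "app-server": 3, "db-server": 5}
ASSET_INVENTORY = {"ws-017": "workstation", "app01": "app-server", "db01": "db-server"}
DEFAULT_CRITICALITY = 2  # hosts missing from the inventory still get scored, not dropped

# Hypothetical base severity per indicator type.
BASE_SEVERITY = {"ip": 3, "domain": 4}

# Constructed events as the SIEM might store them (host, destination IP, DNS query).
EVENTS = [
    {"id": 1, "host": "ws-017", "dst_ip": "203.0.113.45", "domain": None},
    {"id": 2, "host": "db01", "dst_ip": "198.51.100.9", "domain": "bad.example"},
    {"id": 3, "host": "app01", "dst_ip": "198.51.100.10", "domain": "update-check.example"},
    {"id": 4, "host": "unknown-host", "dst_ip": "203.0.113.45", "domain": None},
]


@dataclass
class Alert:
    event_id: int
    host: str
    indicator: str
    ioc_type: str
    score: int  # base severity x asset criticality


def parse_feed(text):
    """Return {indicator_value: (type, description)}, skipping blank or malformed lines."""
    iocs = {}
    for line in text.splitlines():
        parts = line.strip().split(",", 2)
        if len(parts) != 3:
            continue
        ioc_type, value, desc = (p.strip() for p in parts)
        iocs[value.lower()] = (ioc_type, desc)
    return iocs


def new_indicators(old_feed, new_feed):
    """Indicators present in the new feed pull but not in the previous one."""
    old = parse_feed(old_feed)
    return {k: v for k, v in parse_feed(new_feed).items() if k not in old}


def criticality_of(host):
    return CRITICALITY.get(ASSET_INVENTORY.get(host), DEFAULT_CRITICALITY)


def match_events(events, iocs):
    """Match destination IPs and queried domains against the IOC set and score hits."""
    alerts = []
    for ev in events:
        for candidate in (ev.get("dst_ip"), ev.get("domain")):
            if candidate and candidate.lower() in iocs:
                ioc_type, _ = iocs[candidate.lower()]
                score = BASE_SEVERITY[ioc_type] * criticality_of(ev["host"])
                alerts.append(Alert(ev["id"], ev["host"], candidate, ioc_type, score))
    return alerts


def retro_hunt(stored_events, old_feed, new_feed):
    """Re-scan stored events against only the indicators the new feed added."""
    return match_events(stored_events, new_indicators(old_feed, new_feed))


if __name__ == "__main__":
    for a in match_events(EVENTS, parse_feed(IOC_FEED_V1)):
        print("live:", a)
    for a in retro_hunt(EVENTS, IOC_FEED_V1, IOC_FEED_V2):
        print("retro-hunt:", a)
```

The same indicator hit on the workstation scores 3 while the phishing domain queried from the database server scores 20, which is the point of assigning criticality on day one. The retro-hunt only rescans against the indicators that are new in the second feed, so the historical look-back stays cheap as feeds grow.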
Another thing that should be part of the SIEM security strategy is writing new correlations, new rules, and new directives. Correlation is what makes a SIEM more powerful: it pulls information from different data sets and pieces them together into a single picture.
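To make "piecing different data sets together" concrete, here is an added example of a single correlation rule that reads two data sources on the same host, the authentication log and the firewall log, and raises one alert only when a burst of failed logins is followed by a success from the same source and then an allowed outbound connection from that host. It is illustration code written for this article, not a rule from TruShield or any SIEM product; the event fields, thresholds and windows are hypothetical, and the events are constructed.

```python
"""Added example (not the article's or TruShield's code): a cross-source
correlation rule over constructed authentication and firewall events."""
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


# Constructed events from two data sources ("auth" and "firewall").
EVENTS = [
    {"id": 1, "src": "auth", "t": ts("2024-05-01T09:00:05"), "host": "app01",
     "user": "svc_backup", "src_ip": "198.51.100.7", "outcome": "fail"},
    {"id": 2, "src": "auth", "t": ts("2024-05-01T09:00:20"), "host": "app01",
     "user": "svc_backup", "src_ip": "198.51.100.7", "outcome": "fail"},
    {"id": 3, "src": "auth", "t": ts("2024-05-01T09:00:41"), "host": "app01",
     "user": "svc_backup", "src_ip": "198.51.100.7", "outcome": "fail"},
    {"id": 4, "src": "auth", "t": ts("2024-05-01T09:01:10"), "host": "app01",
     "user": "svc_backup", "src_ip": "198.51.100.7", "outcome": "success"},
    {"id": 5, "src": "firewall", "t": ts("2024-05-01T09:03:30"), "host": "app01",
     "dst_ip": "203.0.113.88", "dst_port": 443, "action": "allow"},
    # Noise that must not fire: one typo then success from an internal IP,
    # and an unrelated egress from a different host.
    {"id": 6, "src": "auth", "t": ts("2024-05-01T09:05:00"), "host": "app01",
     "user": "alice", "src_ip": "10.0.0.5", "outcome": "fail"},
    {"id": 7, "src": "auth", "t": ts("2024-05-01T09:05:15"), "host": "app01",
     "user": "alice", "src_ip": "10.0.0.5", "outcome": "success"},
    {"id": 8, "src": "firewall", "t": ts("2024-05-01T09:06:00"), "host": "db01",
     "dst_ip": "203.0.113.88", "dst_port": 443, "action": "allow"},
]

# Hypothetical rule parameters.
FAIL_THRESHOLD = 3                     # failures needed before the success
FAIL_WINDOW = timedelta(minutes=5)     # look-back for those failures
EGRESS_WINDOW = timedelta(minutes=10)  # look-forward for the outbound connection


def correlate(events):
    """Return one alert per (host, user, src_ip) that matches all three stages."""
    events = sorted(events, key=lambda e: e["t"])
    auth = [e for e in events if e["src"] == "auth"]
    egress = [e for e in events if e["src"] == "firewall" and e["action"] == "allow"]
    alerts = []
    for succ in (e for e in auth if e["outcome"] == "success"):
        key = (succ["host"], succ["user"], succ["src_ip"])
        # Stage 1: enough failures for the same account from the same source just before.
        fails = [e for e in auth if e["outcome"] == "fail"
                 and (e["host"], e["user"], e["src_ip"]) == key
                 and succ["t"] - FAIL_WINDOW <= e["t"] < succ["t"]]
        if len(fails) < FAIL_THRESHOLD:
            continue
        # Stage 3: the host then makes an allowed outbound connection.
        egress_hits = [e for e in egress if e["host"] == succ["host"]
                       and succ["t"] < e["t"] <= succ["t"] + EGRESS_WINDOW]
        if not egress_hits:
            continue
        alerts.append({
            "rule": "failed-logins-then-success-then-egress",
            "host": succ["host"], "user": succ["user"], "src_ip": succ["src_ip"],
            # Evidence ids from both sources, so the analyst sees the whole picture.
            "evidence": [e["id"] for e in fails] + [succ["id"]]
                        + [e["id"] for e in egress_hits],
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Note that the rule depends on comparable timestamps across the two sources, which is exactly why the article insists on NTP being integrated: if the firewall clock is minutes off from the authentication server's, the egress window silently misses.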
Care and Feeding of Your SIEM
SIEMs are complicated, and while you are integrating them with a variety of data sources, keep in mind that your environment is not going to be perfectly static. New data sources will need to be added and integrated into your SIEM at some point, and other data sources will need to be decommissioned. You will need to make sure those data sources are logging and functioning correctly so that the information going into your SIEM gives an accurate big-picture view of your digital environment. You will also want to be alerted if any of those data sources goes offline or shows a significant drop in log volume, because either can signal a problem in your environment. With all of these updates and new integrations into the SIEM tool, the care and feeding of your SIEM is of utmost importance to ensure the information you receive back is valid.
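The coverage problem from the start of the article (hosts whose application or database logs were never onboarded) and the care-and-feeding problem here (a source going offline or its volume dropping) are both answered by the same check: compare what the inventory says should be logging against what actually arrived. The following is an added example written for this article, not TruShield's tooling; the inventory, the baseline and current event counts, and the drop threshold are constructed.

```python
"""Added example (not from the article or TruShield): a data-source coverage and
health check for a SIEM. Inventory and event streams are constructed samples."""
from collections import Counter

# Hypothetical inventory of expected sources per host: OS logs plus the
# application or database running on that host, as the article recommends.
EXPECTED_SOURCES = {
    "app01": {"os", "webapp"},
    "db01": {"os", "postgres"},
    "ws-017": {"os"},
}

# Constructed (host, source) event streams for a baseline window and the current window.
BASELINE_EVENTS = ([("app01", "os")] * 100 + [("app01", "webapp")] * 80
                   + [("db01", "os")] * 120 + [("ws-017", "os")] * 40)
CURRENT_EVENTS = ([("app01", "os")] * 95 + [("app01", "webapp")] * 10
                  + [("ws-017", "os")] * 38 + [("old-host", "os")] * 5)
# Planted conditions:
#   db01/postgres never appears anywhere      -> coverage gap (never onboarded)
#   db01/os seen in baseline, absent now       -> offline
#   app01/webapp fell from 80 to 10            -> volume drop
#   old-host/os logs but is not in inventory   -> unexpected (decommissioned or uninventoried)

DROP_THRESHOLD = 0.5  # hypothetical: alert when volume is below 50% of baseline


def count_by_source(events):
    return Counter(events)


def health_report(expected, baseline_events, current_events, drop_threshold=DROP_THRESHOLD):
    """Classify every expected (host, source) pair and flag sources nobody inventoried."""
    baseline = count_by_source(baseline_events)
    current = count_by_source(current_events)
    report = {"coverage_gap": [], "offline": [], "volume_drop": [], "unexpected": []}
    for host, sources in expected.items():
        for src in sources:
            key = (host, src)
            b, c = baseline.get(key, 0), current.get(key, 0)
            if b == 0 and c == 0:
                report["coverage_gap"].append(key)          # never integrated
            elif c == 0:
                report["offline"].append(key)               # was logging, stopped
            elif c < b * drop_threshold:
                report["volume_drop"].append((host, src, b, c))
    # Sources that send logs without an inventory entry: either the inventory is
    # stale or a supposedly decommissioned host is still forwarding.
    for key in set(current) | set(baseline):
        if key[1] not in expected.get(key[0], set()):
            report["unexpected"].append(key)
    for k in report:
        report[k].sort()
    return report


if __name__ == "__main__":
    for category, items in health_report(EXPECTED_SOURCES, BASELINE_EVENTS, CURRENT_EVENTS).items():
        print(f"{category}: {items}")
```

Running this on every collection interval turns "is everything still feeding the SIEM?" from a question someone remembers to ask into an alert, and the inventory it depends on is the same list you build when planning coverage on day one.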
Notably, the most critical aspect of proper SIEM utilization is that the data is correct. If the tools feeding the SIEM, like the firewall and IDS, are not updated regularly, then the data going into the SIEM will not be as good. So it is imperative to keep the rest of the environment up to date and functional. A SIEM is an aggregation and analytics tool that makes the best use of the data available to it. Ensuring that good data goes into your SIEM will strengthen your security posture and increase the effectiveness of your security system in detecting vulnerabilities before they negatively impact your business.