Major security breaches seem to be in the news every week, and hundreds more unreported data thefts happen every hour. The repercussions of these crimes can be huge, not just financially but in terms of reputation too.
Cybercrime is also rapidly evolving. Threats are now multi-layered and increasingly sophisticated. To detect them, organisations need visibility into everything happening across all their systems, and the ability to identify and monitor unusual behaviour on their networks. This is driving a growing demand for instant, up-to-date threat information.
One technology that is vital to this process is security information and event management (SIEM), which collates relevant information to provide the necessary context for threat detection. One challenge is that IT environments and the security controls for data protection and infrastructure are more complex and widespread than ever, and therefore difficult to integrate and manage. Another challenge is the 'operationalisation' of emerging threat intelligence, so that organisations know precisely what to do when a threat is detected, based on the actor, their intention, and the best remedy to apply.
The first generation of SIEM vendors focused mainly on the analysis layer, the event correlation engine, assuming that most organisations already had the correct security monitoring capabilities in place through other products. With so many different tools to integrate, SIEM solutions were (and mostly still are) cumbersome to deploy in most environments: alerts and reports take a long time to produce, and administration over time is complicated. As a result, traditional SIEM products are very expensive. Besides the product itself, users have had to spend heavily on professional services and integration expertise just to get the basics out of their SIEM investment.
Most notably, these tools often lack real-time threat intelligence to identify known malicious actors and their exploits, as well as appropriate guidance when these threats are discovered.
There are six key steps to follow to ensure successful SIEM deployment:
Avoid single-purpose SIEM tools
Reduce integration complications by looking for built-in security monitoring capabilities, such as asset discovery, vulnerability assessment, threat detection and behavioural monitoring, to fuel the event correlation engine.
One of the main reasons that traditional SIEM takes as long as it does to produce value lies in its reliance on third-party external security tools for basic information about your environment. Without data from tools such as IDS, HIDS, vulnerability scans, asset inventories and netflow analysis, traditional SIEM is just a fancy reporting tool with nothing interesting to report.
Know which use cases you'll need
Understanding which use cases, or which questions you want to ask your event data, is absolutely essential. You need to know why you are evaluating the tool in the first place. Which functions do you want it to fulfil? What information do you need to gather from it? What are you prepared to act on should 'it' happen? What information is your auditor going to want to see?
Define the information you want to receive from the SIEM before integrating log data into your SIEM environment. For example, if you need to validate the security controls in your PCI environment, focus on the event data that resides within the environment, as well as the access control devices that protect and surround it. This will allow for a streamlined process, as you won't be wasting time and computing power analysing data you don't need.
Picture your worst-case scenario
All security professionals spend time thinking about worst-case scenarios. Thinking about what terrible things are possible, and what their potential impacts and consequences could be, is essential for building an incident response programme. Having a solid action plan in place will prevent your organisation from being woefully unprepared should a worst-case scenario come to pass.
Include built-in threat intelligence as a requirement
Threat intelligence is key to feeding your SIEM solution. You need to know about emerging threats and how to respond to them when they appear in your network. Threat intelligence should also include detailed instructions on what to do in the case of each alert. Without solid threat intelligence, your business will not be in a good position to recognise the most dangerous threats, and won't be able to build strategic defences to protect against them.
Unify security monitoring across your environments
A truly unified security posture is vital. You may have assets in both the cloud and the datacentre, but if you don't have a way of viewing and uniting all this data, you run the danger of creating a blind spot, or you end up with two different infrastructures to monitor. Irrespective of where your data is stored, you must be able to monitor it effectively.
Automate the deployment process
This is perhaps the most controversial step. SIEM deployment has a bad reputation for many of the reasons already raised here. The good news, however, is that automation of the process, at least of its most critical elements, is possible. Unified security management provides a way to automate the SIEM deployment process. Built-in security monitoring capabilities provide the necessary context to identify eligible data sources to integrate, and guide the security analyst in expanding monitoring throughout the environment.
Demand more from your SIEM. It should go where you go: cloud, hybrid cloud, datacentre and beyond. It should offer more than just arbitrary alerts; it should tell you what to do and offer incident response guidance.
Having the right materials when you need them is crucial. Most time spent on incident investigation will deal with events that have already happened. Having meaningful information on hand is ultimately what will make or break a business' incident response programme.
Sandy Hawke is vice president of product marketing at California-based security solutions firm AlienVault.