Security Information and Event Management (SIEM) solutions are widely deployed to protect networks from internal and external threats. These solutions perform complex analysis on network data, including log data, to identify security issues, but these analyses can only be as good as the underlying data. The underlying principle of a SIEM is having a single pane of glass to look at all the relevant data about an enterprise’s security, making it easier to spot trends and see patterns that are out of the ordinary – as well as saving time for the security analysts. However, whilst SIEMs play a critical role in preventing or investigating breaches, the reality is that deployments rarely meet expectations. Here we examine how to optimise SIEM investments and the role of log management in improving incident response capabilities.
Many organisations are faced with the challenge of fragmented or incomplete log collection. What happens if you are losing logs? What happens if your SIEM is overloaded by the amount of log data? Will your SIEM be able to detect security threats with incomplete data? Organisations need to address these issues in order to avoid unknown costs or over utilisation of the SIEM system.
Nowadays, IT departments are under enormous pressure to do ‘more with less’ but even the most well prepared IT teams are overwhelmed with SIEM alerts and events. Organisations frequently make the mistake of feeding the SIEM every log and security event, only to find it inundated with data and alerts. In this case, SIEM simply adds to the noise rather than increasing the efficiency of the security team.
How to solve these issues?
Achieving SIEM optimisation
By following best practices, organisations can significantly improve the performance of their SIEM for faster detection, response and investigation of potential threats and security risks.
One key aspect of improving SIEMs is to optimise log management. Filtering out the irrelevant logs improves SIEM performance while also reducing the amount of log data feeding it – and less volume usually means cheaper licensing as well.
Using granular policies based on log file types and compliance requirements, retention and detection can be achieved easily and reliably. Such a solution also produces higher quality, tamper-proof data, leading to increased confidence in analytics. Being certain that logs aren’t lost or haven’t been tampered with increases the integrity of SIEM data.
By optimising their SIEMs, organisations could save up to 40% on their SIEM licensing costs per year.
By employing the following key practices, organisations can greatly improve SIEM performance:
- Choose your log management carefully: Choosing a log management tool with a wide platform and log source support – such as Syslog formats – is advisable.
- Having an ‘SIEM-feeding’ tool that processes and provides structured and unstructured data, as well as having transformation features like filtering, parsing, rewriting, classifying and enriching is recommended. This means only the most valuable information has to be forwarded.
- Compress your log messages: Compressing log messages reduces bandwidth consumption, resulting in a more stable operation and requiring less storage. Ultimately this also reduces costs.
- Do not lose log messages: To prevent lost messages look for features like buffering, failover destination support, message rate control and application-level acknowledgement.
- Pinpoint potential attacks: On average, a security professional has just 7 minutes per SIEM alert to determine its wider context. User Behaviour Analytics can pinpoint the riskiest security issues by comparing any suspicious activity to the baseline activity of the user in question.
- Integrating a SIEM with a Privileged Activity Monitoring solution will allow organisations to analyse the riskiest user activities in real-time to help prevent cyber-attacks and privileged account misuse.
- Accompany functionality with highly scalable and reliable performance
- Guarantee regulatory compliance: With the GDPR due to come into effect in 2018, together with standards such as PCI DSS and HIPAA already in place, it is important that any anonymization services and pseudonym generation are compliant with these regulations.
Optimising SIEMs through the implementation of a log management system means organisations will ensure data is being moved and stored safely and securely without the risk of lost messages or of overwhelming the security team, reducing potential threats and security risks. SIEMs are not “fire and forget”. It is essential that organisations continually re-assess their environment and adapt to the business as it changes over time.