The Golden Rules of Successful SIEM Deployments

Security Information and Event Management (SIEM) solutions are widely deployed to protect networks from internal and external threats. They correlate and analyse event data from across the estate, above all log data, to surface security issues, but those analyses can only be as good as the data fed into them. The underlying principle of a SIEM is a single pane of glass for all the relevant data about an enterprise's security, which makes it easier to spot trends and patterns that are out of the ordinary and saves time for the security analysts. However, whilst SIEMs play a critical role in detecting and investigating breaches, the reality is that deployments rarely meet expectations. Here we examine how to optimise SIEM investments and the role of log management in improving incident response capabilities.

Current issues

Many organisations face fragmented or incomplete log collection. What happens if you are losing logs? What happens if your SIEM is overloaded by the volume of log data? Can your SIEM still detect security threats when the data is incomplete? A detection rule can only fire on events that actually arrive, so a gap in collection is a gap in coverage. Organisations need to address these issues in order to avoid unplanned costs or over-utilisation of the SIEM system.


Nowadays, IT departments are under enormous pressure to do 'more with less', but even the best prepared IT teams are overwhelmed with SIEM alerts and events. Organisations frequently make the mistake of feeding the SIEM every log and security event, only to find it inundated with data and alerts. In that case the SIEM simply adds to the noise rather than increasing the efficiency of the security team.

How to solve these issues? Achieving SIEM optimisation

By following best practices, organisations can significantly improve the performance of their SIEM for faster detection, response and investigation of potential threats and security risks.

One key aspect of improving a SIEM is to optimise log management. Filtering out irrelevant logs before they reach the SIEM improves its performance and reduces the volume it has to ingest, and lower volume usually means cheaper licensing as well, since most SIEMs are licensed by events per second or gigabytes per day. The filter must be explicit, though: drop only event types you have positively classified as noise, and never authentication, privilege-use or audit events, because an event filtered at the source cannot be searched for later during an investigation.

Using granular policies based on log source type and compliance requirements, retention and detection can be achieved reliably. Such a solution also produces higher quality, tamper-evident data, for example hash-chained or signed as it is stored, leading to increased confidence in analytics. Nothing is truly tamper-proof, but being able to prove that logs haven't been lost or altered is what gives SIEM data its integrity.
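The following is an added example, not code from the original article or from any particular log management product. It shows the simplest form of tamper-evident storage described above: a SHA-256 hash chain in which every stored record's hash covers the previous record's hash, so editing or deleting a record breaks every link after it. The sample events are constructed for the illustration, and the "anchor" (the head hash forwarded out of band, for instance to the SIEM itself) is an assumed design choice; without such an anchor an attacker who can rewrite the whole file can simply rebuild the chain.

```python
"""Tamper-evident log storage with a SHA-256 hash chain (added example)."""
import hashlib
import json

GENESIS = "0" * 64  # hash value "before" the first record

# Constructed sample events; not taken from any real system.
SAMPLE_EVENTS = [
    {"ts": "2017-09-01T10:00:01Z", "host": "web01", "src": "sshd",
     "msg": "Accepted publickey for alice from 10.0.0.5"},
    {"ts": "2017-09-01T10:00:07Z", "host": "web01", "src": "sudo",
     "msg": "alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx"},
    {"ts": "2017-09-01T10:01:12Z", "host": "db01", "src": "sshd",
     "msg": "Failed password for root from 203.0.113.9"},
    {"ts": "2017-09-01T10:01:13Z", "host": "db01", "src": "sshd",
     "msg": "Failed password for root from 203.0.113.9"},
]


def _link_hash(prev_hash, event):
    """Hash of (previous link hash || canonical JSON of the event)."""
    # Canonical serialisation so the same event always hashes the same way.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def build_chain(events, prev_hash=GENESIS):
    """Append events to a chain; each link stores the event and its chained hash."""
    chain = []
    for ev in events:
        prev_hash = _link_hash(prev_hash, ev)
        chain.append({"event": ev, "hash": prev_hash})
    return chain


def head_hash(chain):
    """The last link's hash: record this out of band (e.g. forward it to the SIEM)."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain, expected_head=None, prev_hash=GENESIS):
    """Recompute every link. Returns (ok, index_of_first_bad_link).

    Without expected_head this only detects edits to stored links. With it, a chain
    that was rewritten from scratch or truncated is rejected too, because its head
    no longer matches the value anchored elsewhere.
    """
    for i, link in enumerate(chain):
        if _link_hash(prev_hash, link["event"]) != link["hash"]:
            return False, i
        prev_hash = link["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(chain)
    return True, None


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    anchor = head_hash(chain)
    print("intact:", verify_chain(chain, anchor))
    # Edit one stored record in place: the link at that index no longer verifies.
    edited = [dict(link) for link in chain]
    edited[2] = {"event": dict(chain[2]["event"], msg="Accepted password for root"),
                 "hash": chain[2]["hash"]}
    print("edited record:", verify_chain(edited, anchor))
    # Rebuild the chain after editing: passes a bare check, fails against the anchor.
    rebuilt = build_chain([link["event"] for link in edited])
    print("rebuilt, no anchor:", verify_chain(rebuilt))
    print("rebuilt, anchored:", verify_chain(rebuilt, anchor))
    print("last record dropped:", verify_chain(chain[:-1], anchor))
```

In practice the anchor would be the head hash shipped to the SIEM (or signed by a key the log host does not hold) at each rotation, so that a host compromise after the fact cannot rewrite history undetected.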

By optimising their SIEMs, organisations could save up to 40% on their SIEM licensing costs per year. 

Key practices

By employing the following key practices, organisations can greatly improve SIEM performance:

  • Choose your log management carefully: pick a log management tool with wide platform and log-source support, including both the legacy BSD syslog format (RFC 3164) and structured syslog (RFC 5424), so that nothing has to be shipped through ad-hoc scripts.
  • Put a 'SIEM-feeding' tool in front of the SIEM: it should handle structured and unstructured data and offer transformation features such as filtering, parsing, rewriting, classifying and enriching, so that only the most valuable information is forwarded. Classify before you filter, and drop only what you have positively identified as noise.
  • Compress your log messages: compression reduces bandwidth consumption, resulting in more stable operation and less storage, and ultimately lower cost. Compression is not confidentiality, though; the transport still needs TLS.
  • Do not lose log messages: look for buffering (memory and disk), a failover destination, message rate control and application-level acknowledgement. Plain UDP syslog has none of these, so a burst or an outage silently loses events, and TCP alone is not enough either, because a sender cannot tell whether data still in its socket buffer reached the destination when the connection drops.
  • Pinpoint potential attacks: on average, a security professional has just 7 minutes per SIEM alert to determine its wider context. User Behaviour Analytics pinpoints the riskiest security issues by comparing suspicious activity with the baseline activity of the user in question.
  • Integrate with Privileged Activity Monitoring: feeding privileged session data into the SIEM allows organisations to analyse the riskiest user activities in real time to help prevent cyber-attacks and privileged account misuse.
  • Accompany functionality with scalable, reliable performance: the feeding layer must keep up with peak event rates rather than the daily average, and must not become a single point of failure in front of the SIEM.
  • Guarantee regulatory compliance: with the GDPR coming into force in May 2018, alongside standards such as PCI DSS and HIPAA already in place, any anonymisation or pseudonym generation applied to logs must satisfy those regulations. Pseudonymisation should be keyed and deterministic, so that an analyst can still correlate one user's events while the mapping is reversible only by the key holder.
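The following is an added example, not code from the original article or from any particular product. It is a minimal 'SIEM-feeding' stage of the kind described in the list above: it parses BSD-style syslog lines, classifies them, drops only one positively identified noise class, collapses repeated events into a single record with a count (rate control that keeps the count of a brute-force attempt rather than losing it), pseudonymises user names with a keyed HMAC, and accounts for every input line so that nothing disappears silently. The sample log lines, the classification rules and the HMAC key are all constructed or assumed for the illustration.

```python
"""Pre-processing in front of a SIEM: parse, classify, filter, collapse repeats,
pseudonymise, and account for every line (added example)."""
import hashlib
import hmac
import json
import re

# Constructed sample BSD-syslog (RFC 3164 style) lines; not from any real system.
SAMPLE_LINES = """\
Sep  1 10:00:01 web01 sshd[4122]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Sep  1 10:00:02 web01 nginx[2201]: 10.0.0.7 - - "GET /healthz HTTP/1.1" 200 2
Sep  1 10:00:03 web01 nginx[2201]: 10.0.0.7 - - "GET /healthz HTTP/1.1" 200 2
Sep  1 10:00:04 web01 nginx[2201]: 10.0.0.7 - - "GET /healthz HTTP/1.1" 200 2
Sep  1 10:00:07 web01 sudo[4130]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Sep  1 10:01:12 db01 sshd[911]: Failed password for root from 203.0.113.9 port 40112 ssh2
Sep  1 10:01:13 db01 sshd[911]: Failed password for root from 203.0.113.9 port 40113 ssh2
Sep  1 10:01:14 db01 sshd[911]: Failed password for root from 203.0.113.9 port 40114 ssh2
Sep  1 10:01:15 db01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
this line is not syslog at all
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Classification rules: (class, program, message pattern). First match wins; anything
# unmatched becomes "other". This rule set is an assumed site policy, not a standard.
RULES = [
    ("auth_success", "sshd", re.compile(r"^Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("auth_failure", "sshd", re.compile(r"^Failed \w+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("priv_escalation", "sudo", re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")),
    ("health_check", "nginx", re.compile(r'"GET /healthz HTTP/1\.[01]" 200 ')),  # only successful probes
    ("cron_run", "cron", re.compile(r"^\(\S+\) CMD ")),
]
# Only positively identified noise is dropped; "other" and unparsable lines are kept.
DROP = {"health_check"}
PROTECTED = {"auth_success", "auth_failure", "priv_escalation"}
assert not (DROP & PROTECTED), "security-relevant classes must never be dropped"


def parse(line):
    """Split a BSD-syslog line into fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["prog"] = rec["prog"].strip()
    return rec


def classify(rec):
    """Attach a class plus any fields (user, src, cmd) the matching rule extracts."""
    for name, prog, rx in RULES:
        if rec["prog"] == prog:
            m = rx.search(rec["msg"])
            if m:
                rec["class"] = name
                rec.update(m.groupdict())
                return rec
    rec["class"] = "other"
    return rec


def pseudonymise(value, key):
    """Keyed, deterministic pseudonym (HMAC-SHA256): the same user always maps to the
    same token, so events still correlate, but only the key holder can link it back."""
    return "u_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def preprocess(lines, key):
    """Return (records_to_forward, stats). Repeats of the same event on the same host
    collapse into one record carrying a count and the last timestamp seen."""
    stats = {"input": 0, "dropped": 0, "unparsed": 0, "collapsed": 0}
    out, order = {}, []
    for line in lines.splitlines():
        if not line.strip():
            continue
        stats["input"] += 1
        rec = parse(line)
        if rec is None:
            stats["unparsed"] += 1  # forwarded raw rather than silently lost
            rec, akey = {"class": "unparsed", "raw": line}, ("unparsed", line)
        else:
            classify(rec)
            if rec["class"] in DROP:
                stats["dropped"] += 1
                continue
            if "user" in rec:  # replace the name in the message too, not just the field
                token = pseudonymise(rec["user"], key)
                rec["msg"] = re.sub(r"\b%s\b" % re.escape(rec["user"]), token, rec["msg"])
                rec["user"] = token
            fields = [rec.get(k) for k in ("user", "src", "cmd")]
            fingerprint = tuple(fields) if any(fields) else (rec["msg"],)
            akey = (rec["host"], rec["class"]) + fingerprint
        if akey in out:
            out[akey]["count"] += 1
            out[akey]["last_ts"] = rec.get("ts")
            stats["collapsed"] += 1
        else:
            rec["count"], rec["last_ts"] = 1, rec.get("ts")
            out[akey] = rec
            order.append(akey)
    records = [out[k] for k in order]
    stats["forwarded"] = len(records)
    stats["reduction"] = round(1 - stats["forwarded"] / stats["input"], 3) if stats["input"] else 0.0
    return records, stats


def to_ndjson(records):
    """Newline-delimited JSON, the form most SIEM HTTP/TCP collectors accept."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    KEY = b"replace-with-a-key-from-your-secret-store"  # placeholder, assumed
    recs, st = preprocess(SAMPLE_LINES, KEY)
    print(to_ndjson(recs))
    print(st)
```

On the constructed input this forwards five records out of ten lines: the three health-check hits are dropped, the three failed root logins from 203.0.113.9 become one record with count 3, and the line that did not parse is forwarded raw and counted under "unparsed". The stats dictionary is what you would ship to a dashboard, because a sudden rise in "unparsed" or "dropped" after a software upgrade is exactly the silent collection gap the article warns about.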

Continual reassessment

Optimising a SIEM through a log management layer ensures that data is moved and stored safely and securely, without lost messages and without overwhelming the security team, which reduces the organisation's exposure to threats and security risks. SIEMs are not "fire and forget": new systems appear, log formats change with every upgrade, and a filter written last year may now be discarding the events a new detection depends on. It is essential that organisations continually re-assess their environment and adapt as the business changes over time.
