8 Steps to Level up Your SIEM Game
Published on : Sunday 07-02-2021
SIEM investigations play an incredibly vital role in identifying and addressing enterprise threats, says Shweta Redkar.

If the term ‘Next-Gen SIEM’ (SIEM stands for security information and event management) doesn't excite you anymore but you are still not convinced about the RoI from your existing SIEM investments, then it’s time to consider these 8 steps. Today's SIEM vendors are quickly rolling out new capabilities to their customers that most certainly decrease the management overhead of these systems. And if you are looking to replace your legacy on-premises solution, then I hope this article helps you navigate the myriad alternatives available in the current SIEM market and arrive at the right choice for your organisation.
1. Cost of deployment, storage and total cost of ownership
Purchasing and managing a SIEM is often a costly endeavour. The obvious costs that a traditional SIEM solution brings with it include hardware, software, support and training; however, the cost of intelligence feeds, the development effort for organisation-specific detection rules and specialised professional services often get overlooked at the time of the purchasing decision. In today’s competitive SIEM market, vendors are offering a variety of solutions that go above and beyond SIEM capabilities while lowering the total cost of ownership by 20X.
2. Hyperscale
Since even the smallest threat indicator can be dangerous if it goes unnoticed, it is imperative to make sure that your SIEM is flexible enough to accommodate all kinds of device logs that exist in your ecosystem. Although ingesting all logs may seem like a good idea, it can soon turn into a storage apocalypse if the compression rate is poor. Today’s promising SIEM players are now offering compression ratios of 95% and above, which makes storage costs easier on your pockets. Hyperscaling is possible thanks to state-of-the-art technologies that allow maximum flexibility to expand the coverage of your SIEM monitoring.
3. All in one SIEM, SOAR and UEBA
Smaller businesses, just like large enterprises, are grappling with similar cyber threats; however, they often need to exercise conservative expenditure policies. Legacy SIEM solutions usually involve cumbersome integration with third-party UEBA and SOAR solutions, which, if not carefully managed, will result in a security nightmare that no CISO wants to experience. In a rapidly developing SIEM marketplace, the product that offers SIEM, SOAR and UEBA coverage within a single security analytics platform is the real hero.
4. Rich, out-of-the-box content
Time and again, the use cases built to detect threats have proven to be an absolute game changer in any SIEM success story. However, constructing appropriate use cases to solve common problems can be daunting and time consuming. A Next-Gen SIEM solution that offers a rich set of out-of-the-box content will reduce the time taken to operationalise your SIEM.
5. Mitre ATT&CK framework
The MITRE ATT&CK™ framework, being a comprehensive matrix of tactics and techniques, has proven itself to be extremely useful and popular amongst threat hunters, red teamers and other structured defenders. This growing demand for MITRE ATT&CK™ has compelled almost every SIEM vendor to introduce detection strategies aligned with the framework. However, organisations are urged to be watchful, as the framework cannot simply be translated into a list of alerts. Make sure that your SIEM can comprehend all the scattered but potent threat signals and piece them together into the real threat that’s lurking in your environment. Interactive dashboards based on the MITRE ATT&CK™ framework that help your SOC analysts navigate through hundreds of signals are a helpful feature to have in your SIEM toolset.
6. Anomalous behaviour not based on static correlation
The amount of manual effort involved in detecting anomalies in your security ecosystem directly impairs the ability of your SOC team to deliver the critical investigations required of it. A SIEM that detects anomalous behaviour using machine learning and statistical analysis, instead of static correlation rules, will be a boon for your enterprise security.
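To make the difference concrete, the following added example (not DNIF code or any vendor's detection logic) puts a fixed-threshold correlation rule beside a per-user statistical baseline on constructed failed-login logs: the quiet user's spike is caught by both, but only the static rule also fires on the service account whose high volume is normal for it. The users, counts, log format and thresholds are all constructed for the illustration.

```python
"""Static correlation rule versus a per-user statistical baseline."""
import math
from collections import Counter

# Constructed history: failed logins per day over the previous week, per user.
HISTORY = {
    "alice": [2, 3, 1, 2, 4, 2, 3],                 # normally quiet
    "svc_backup": [40, 45, 38, 42, 44, 41, 39],      # noisy but normal for it
}

# Constructed log lines for today: 12 failures for alice, 47 for svc_backup.
SAMPLE_LOGS = (
    [f"2021-02-07T08:{i:02d}:00Z sshd auth_failure user=alice src=10.0.0.5" for i in range(12)]
    + [f"2021-02-07T09:{i:02d}:00Z sshd auth_failure user=svc_backup src=10.0.0.7" for i in range(47)]
)

STATIC_THRESHOLD = 10  # classic rule: alert on more than 10 failures per day


def count_failures(lines):
    """Parse the constructed lines and count auth_failure events per user."""
    counts = Counter()
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if "auth_failure" in line and "user" in fields:
            counts[fields["user"]] += 1
    return dict(counts)


def static_rule(today, threshold=STATIC_THRESHOLD):
    """Fire for every user whose daily count crosses one fixed threshold."""
    return {user for user, n in today.items() if n > threshold}


def zscore_rule(history, today, z_limit=3.0):
    """Fire only when today's count sits more than z_limit standard deviations
    above that user's own baseline, so each account is judged against itself."""
    hits = set()
    for user, n in today.items():
        past = history.get(user)
        if not past or len(past) < 2:
            continue  # no baseline yet: leave it to other rules
        mean = sum(past) / len(past)
        std = math.sqrt(sum((x - mean) ** 2 for x in past) / (len(past) - 1))
        std = std or 1.0  # flat baselines would otherwise divide by zero
        if (n - mean) / std > z_limit:
            hits.add(user)
    return hits
```

Running `zscore_rule(HISTORY, count_failures(SAMPLE_LOGS))` flags only alice, while the static rule also flags svc_backup; in a real deployment the baseline window and z-limit would be tuned per log source.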
7. Auto onboarding of devices from Native and/or Cloud
If the device onboarding process takes days and seems frustrating, then your SIEM certainly requires a facelift. The ever-improving Next-Gen SIEM vendors offer auto onboarding of all log sources without much hassle and enhance detection capabilities within minutes. Quite a few SIEM solutions are also offering quicker cloud integration through versatile connectors.
8. Easy pluggable enrichment
In the ever-evolving threat landscape, if your security team is spending resources on manual threat analysis, then it is constraining your security evolution. Security teams should instead rely on threat intelligence enrichment feeds as the primary source for known threats. A SIEM solution that offers an easily pluggable enrichment capability, enriching the data at the time of ingestion and storing it alongside the raw logs and parsed fields in its data lake, will bring radical improvement.
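The following added example (not DNIF's pipeline or any vendor's connector) shows what ingest-time enrichment looks like in practice: each raw firewall line is parsed, its source and destination addresses are matched against a threat-intelligence feed (exact indicators and CIDR ranges), and the raw line, parsed fields and enrichment are kept together in one record as it would be written to the data lake. The feed entries, log lines and field names are constructed for the illustration.

```python
"""Ingest-time enrichment of parsed events with a threat-intelligence feed."""
import ipaddress
import re

# Constructed feed: indicator -> context. A real feed is pulled from a provider
# and refreshed on a schedule; these addresses are documentation ranges.
INTEL_FEED = {
    "198.51.100.23": {"category": "c2", "confidence": 90, "source": "feed-A"},
    "203.0.113.0/24": {"category": "scanner", "confidence": 60, "source": "feed-B"},
}
_NETS = [(ipaddress.ip_network(k), v) for k, v in INTEL_FEED.items() if "/" in k]

# Constructed syslog-style lines: "<ts> <host> <app>: key=value ..."
SAMPLE_LOGS = [
    "2021-02-07T10:15:00Z fw01 firewall: action=allow src=198.51.100.23 dst=10.0.0.8 dport=443",
    "2021-02-07T10:15:03Z fw01 firewall: action=deny src=203.0.113.77 dst=10.0.0.8 dport=22",
    "2021-02-07T10:15:05Z fw01 firewall: action=allow src=10.0.0.9 dst=10.0.0.8 dport=80",
]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+): (?P<kv>.*)$")


def parse(raw):
    """Split a line into header fields plus key=value pairs; None if unparseable."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    fields = m.groupdict()
    kv = fields.pop("kv")
    fields.update(tok.split("=", 1) for tok in kv.split() if "=" in tok)
    return fields


def lookup(ip):
    """Exact indicator match first, then CIDR ranges; None when not in the feed."""
    if ip in INTEL_FEED:
        return INTEL_FEED[ip]
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # missing or malformed address: nothing to enrich
    return next((ctx for net, ctx in _NETS if addr in net), None)


def ingest(raw):
    """Build the stored record: raw line, parsed fields and enrichment together."""
    parsed = parse(raw)
    record = {"raw": raw, "parsed": parsed, "enrichment": {}}
    if parsed:
        for key in ("src", "dst"):
            ctx = lookup(parsed.get(key, ""))
            if ctx:
                record["enrichment"][key] = ctx
    return record
```

Because the enrichment travels with the event, a later search for `enrichment.src.category=c2` needs no second lookup against a feed that may have changed since ingestion.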
Conclusion
SIEM investigations play an incredibly vital role in identifying and addressing enterprise threats. An optimised SIEM can provide the threat intelligence and detection needed to stave off modern cyber-attacks, whereas attackers could easily gain the upper hand over a traditional SIEM. These steps can help you gather the information you need to make an informed decision when choosing the right solution to enhance your enterprise’s security posture.

Shweta Redkar is a cybersecurity enthusiast who brings along rich experience from working with Investment Banking, Insurance, IT Audit and Security Consulting. She is the head of professional services and Advisory, and has been instrumental in bringing about a fundamental shift in content creation for DNIF. She is a travel, fun, food, and book lover, sporadic fitness freak, and committed environmentalist. Truly believes in “Mom’s 'lone' time is for everyone’s safety!”