Last Updated on July 19, 2020
This post was originally published on the Recorded Future blog. It was co-authored by Bill Oullette, Professional Services Consultant and Jon Papp, Professional Services Manager at Aditum.
A SIEM (Security Information and Event Management) solution significantly increases visibility into vulnerabilities, anomalous behavior, and critical security threats. It does this by correlating logs that previously sat in siloed data stores (the various security point solutions throughout the enterprise). More data sources, correlated in one place, let security analytics close blind spots and detect threats much more quickly.
This improved availability and correlation of data allows faster triage of security incidents, which in turn enables:
- Faster mean time to resolution for security incidents
- An increased volume of incidents a security team can investigate
- More time for proactive threat hunting activities
Despite the clear benefits a SIEM delivers to an organization’s security posture, not every organization is ready to deploy one.
Let’s examine 5 questions to determine your organization’s SIEM readiness:
Question 1: What problem(s) are you trying to solve?
You must understand the security use cases you want to address before deploying a SIEM. Just as important is how many use cases you are trying to address. If you are only trying to solve one problem – for instance, gaining visibility into Windows security event logs – a SIEM is overkill; native log forwarding and a simple collector will cover it. If you have many security use cases to address and a larger set of source data to bring in, a SIEM starts to make much more sense.
Question 2: How large is your security team?
An organization with a smaller security team, or no security team in place, would likely be overwhelmed by a SIEM. Managing the generation, tuning, and investigation of alerts can swamp a small team. This increases the risk that alerts – some of which will be critical – become “white noise” and are eventually ignored.
On the other hand, if you have a team of security analysts (or SOC) in place to handle events and tune the system, it makes much more sense to have a SIEM in place.
Question 3: What security tools are currently in place?
A SIEM primarily aggregates and correlates data from other sources. The more security tools an organization uses, the greater the benefit of a SIEM, which provides end-to-end monitoring by correlating data from these various point solutions. Organizations with limited or incomplete security data sets – for instance, just firewalls, anti-virus, and Active Directory (account activity) data – will not realize as much benefit from a SIEM as organizations with additional tools (and data sources) in place such as vulnerability scanners, network intrusion detection, packet capture or flow data, and threat intelligence feeds. Organizations with all of these in place gain tremendous value from the correlation a SIEM can provide.
Question 4: How security-focused is your company?
Risk reduction, compliance, and the creation of a more secure organization comes down to culture. This is driven at the executive level and cascades down through leadership to the staff level. When your security team needs to install monitoring software on someone else’s equipment (developers’ application servers, network infrastructure, user desktops, etc.) do they get pushback? Is the request met with a lack of urgency? An uncooperative culture makes a SIEM deployment, while certainly not impossible, much more difficult. Conversely, a security-focused culture where everyone works together to meet overall organizational security goals can drive the success and value of a SIEM deployment.
Question 5: Are your security policies well-defined and documented?
The foundation of IT security is a proper set of security policies: the rules built into a SIEM tool, and the actions security professionals take on its alerts, are driven by an underlying policy. In other words, these policies feed into your security tools, including your SIEM. What are the most sensitive targets in your environment? What are the most accessible or likely targets? Your security policies should be designed to defend your business priorities, and a successful SIEM takes those priorities and makes them actionable. If preventing unauthorized access to information is a priority, your SIEM should monitor for brute-force attempts, impossible-travel logins, and logins by terminated users. Without a security policy in place, actionable rules cannot be built into a SIEM tool, and neither can the downstream responses that depend on them.
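To make the policy-to-rule step concrete, here is an added example (not code from the original post, and not Aditum or Splunk code) that runs the three detections named above over a handful of constructed authentication events. The log format, the geolocation attached to each event, the thresholds, and the terminated-user list are all assumptions standing in for what a real policy, identity system, and log pipeline would supply.

```python
"""Toy SIEM-style correlation: brute force, impossible travel, terminated-user login.

Added example. Event format, thresholds and TERMINATED_USERS are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample log lines (not real data). Each line is one authentication
# event with the source IP's geolocation already attached by the pipeline.
SAMPLE_LINES = [
    "2020-07-19T09:00:00Z user=carol src=198.51.100.7 result=success lat=40.71 lon=-74.01",
    "2020-07-19T10:00:00Z user=alice src=203.0.113.5 result=failure lat=40.71 lon=-74.01",
    "2020-07-19T10:00:10Z user=alice src=203.0.113.5 result=failure lat=40.71 lon=-74.01",
    "2020-07-19T10:00:20Z user=alice src=203.0.113.5 result=failure lat=40.71 lon=-74.01",
    "2020-07-19T10:00:30Z user=alice src=203.0.113.5 result=failure lat=40.71 lon=-74.01",
    "2020-07-19T10:00:40Z user=alice src=203.0.113.5 result=failure lat=40.71 lon=-74.01",
    "2020-07-19T10:00:00Z user=bob src=198.51.100.9 result=success lat=40.71 lon=-74.01",
    "2020-07-19T10:05:00Z user=mallory src=192.0.2.44 result=success lat=40.71 lon=-74.01",
    "2020-07-19T10:30:00Z user=bob src=192.0.2.18 result=success lat=51.51 lon=-0.13",
    "2020-07-19T12:00:00Z user=carol src=198.51.100.7 result=success lat=42.36 lon=-71.06",
]

# Parameters a security policy would define; these values are assumptions.
BRUTE_FORCE_THRESHOLD = 5       # failed logins per user ...
BRUTE_FORCE_WINDOW_S = 60       # ... inside this sliding window
MAX_TRAVEL_KMH = 900.0          # faster than a commercial flight
MIN_TRAVEL_KM = 100.0           # ignore IP-geolocation jitter inside one metro area
TERMINATED_USERS = {"mallory"}  # would be fed from the HR / identity system


def parse_event(line):
    """Parse one 'ts key=value ...' line into a dict with typed fields."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["lat"], ev["lon"] = float(ev["lat"]), float(ev["lon"])
    return ev


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_brute_force(events):
    """Alert once per user when >= THRESHOLD failures land inside the window."""
    window, alerted, alerts = defaultdict(deque), set(), []
    for ev in events:
        if ev["result"] != "failure":
            continue
        q = window[ev["user"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > BRUTE_FORCE_WINDOW_S:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= BRUTE_FORCE_THRESHOLD and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"rule": "brute_force", "user": ev["user"],
                           "detail": f"{len(q)} failures within {BRUTE_FORCE_WINDOW_S}s"})
    return alerts


def detect_impossible_travel(events):
    """Compare each successful login with the same user's previous success."""
    last, alerts = {}, []
    for ev in events:
        if ev["result"] != "success":
            continue
        prev = last.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / max(hours, 1e-9)  # simultaneous logins far apart -> huge speed
            if km >= MIN_TRAVEL_KM and speed > MAX_TRAVEL_KMH:
                alerts.append({"rule": "impossible_travel", "user": ev["user"],
                               "speed_kmh": speed,
                               "detail": f"{km:.0f} km in {hours:.2f} h ({speed:.0f} km/h)"})
        last[ev["user"]] = ev
    return alerts


def detect_terminated_logins(events):
    """Any successful login by an account that should already be disabled."""
    return [{"rule": "terminated_user_login", "user": ev["user"],
             "detail": f"success from {ev['src']}"}
            for ev in events
            if ev["result"] == "success" and ev["user"] in TERMINATED_USERS]


def run_rules(lines):
    """Parse, sort by time (SIEMs receive events out of order), run every rule."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    return (detect_brute_force(events)
            + detect_impossible_travel(events)
            + detect_terminated_logins(events))


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LINES):
        print(f"[{alert['rule']}] {alert['user']}: {alert['detail']}")
```

Each rule maps directly to one policy statement, and each parameter (threshold, window, travel speed, the terminated-user list) is something the policy or an upstream system has to supply; without them the rule cannot be written, which is the point of Question 5. Note the `MIN_TRAVEL_KM` guard: IP geolocation is imprecise, so a raw speed calculation over two nearby points a few seconds apart produces false positives that a small team cannot afford.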
Would you like to learn more about SIEM-readiness and which tools are best for your organization’s maturity level? Download your complimentary copy of “To SIEM or Not to SIEM?” here.
Security Best Practices at Your Fingertips
Aditum’s Splunk Professional Services consultants can assist your team with best practices to optimize your Splunk deployment and get more from Splunk. Our certified Splunk Architects and Splunk Consultants manage successful Splunk deployments, environment upgrades and scaling, dashboard, search, and report creation, and Splunk Health Checks. Aditum also has a team of accomplished Splunk Developers that focus on building Splunk apps and technical add-ons.
Contact us directly to learn more.