Australian cyber security specialist Loop Secure shares essential tips for avoiding common SIEM project failures.
As technology rapidly changes and integrates into organisations, networks grow in complexity. This ever-changing and complex landscape makes it increasingly difficult to detect cybercriminals targeting your organisation. Security Information and Event Management (SIEM) platforms have become the central hub for security events collected from across internal networks and devices. Armed with these logs, your security analysts and IT teams can act appropriately to protect your critical data.
According to the 2021 Mandiant M-Trends Report, there were significant findings in the APAC region, including a major increase in the median time cybercriminals were able to spend on a target network undetected: this rose to 76 days in 2020, compared with 54 days in 2019. The longer a cybercriminal spends on a network, the more damage can be done. Detection and response capabilities are where today's organisations are suffering, and to address this gap many organisations turn to SIEM as the solution.
Although SIEM is one of the detection solutions for security information and events, many organisations fall for the illusion that a SIEM implementation is a magic security pill: that simply deploying a security tool in their ICT environment solves all their problems and protects their data until the end of time. Such assumptions can further risk the security of your data and create more problems than they solve. A SIEM should be treated as a tool to be actively used.
Loop Secure's SIEM and cyber security specialists share essential tips to avoid common SIEM project failures:
1. SIEM is not the Magic Pill
Having a dedicated and well-resourced security team is an essential step for maximising the value of a SIEM. Without a team, a SIEM makes noise. With a team, a SIEM generates valuable visibility that your experienced cyber security analysts and incident responders can use to stop breaches in real time. That visibility provides insight into both internal and external threats targeting your organisation. When configured correctly, tuned on an ongoing basis, and staffed by the right team, a SIEM may not be the magic pill, but it will provide the visibility needed when time is of the essence.
2. Create a SIEM Deployment Strategy Before Implementing
As mentioned above, don’t fall into a trap where your mindset is that SIEM will stop a breach, and have every answer you need when there is an incident. Establish a plan for your SIEM deployment, write down objectives and limitations of what SIEM will do for your organisation. Remember, SIEM is just a cog in the wheel of a more extensive security program. Other security controls, security specialists and processes must exist for a SIEM strategy to be successful.
3. Don’t overload your SIEM with Data
Data gives value to a SIEM, but only the right data. It is crucial to lead with the detection use cases and understand what needs to be protected before collecting anything further. Many Security Operations Centre (SOC) teams start by scrambling to collect as many data sources as possible: logs from network devices and services, vulnerability scans, system configurations and so on. This is a misguided approach, and it results in an extremely expensive exercise, both in licensing and storage costs for logging and in wasted time for your analysts. Less is more: data must be filtered for quality and validity so that you have the information you need to act when a cybercriminal is attempting to breach your organisation.
4. Establish a Security Incident Response Plan
We've said this before in our Top 7 Essential Tips to Detect Attacks Using AlienVault SIEM, but having a Security Incident Response Plan (SIRP) is paramount to the strategic implementation of all security tooling - SIEM, EDR, Deception, SOAR, Data lakes... and the next tool. This plan outlines the effective and appropriate responses needed when an incident occurs. Acting on that plan is the responsibility of the organisation that implements the SIEM, not of the SIEM tool itself. Here's a quick suggestion of areas to cover in your response plan:
- Roles of each person in your team during a breach, compromise or security event
- Appropriate Security Event Documentation
- Incident Response Team Communication Protocol
- External Communication Procedures
- Backup and Disaster Recovery Plan
An extensive Security Incident Response Plan (SIRP) will provide specific guidelines for IT Security teams and the wider business to eliminate a threat effectively, prevent lengthy delays and reduce the impact caused by security breaches and incidents. SIEM can identify hidden threats you may not see, and a SIRP can assist your organisation in understanding how to proceed to eliminate that threat.
5. Tune Your SIEM Constantly
Tuning your SIEM reduces the sheer volume of log and event data presented to you and your IT team. SIEM tuning ensures that what is presented is driven by the value of each log type and by the detection use cases you have implemented: thresholds, suppression of known-benign sources and deduplication of repeat alerts. An untuned SIEM is like being lost in the woods with no idea where the entry or exit points are, while false alarms generate more confusion than clarity. You might know this as alert (or log) fatigue.
A well-known example occurred when cybercriminals breached Target (US) and stole customer data for 70 million people. CSOOnline reported that although Target's security monitoring software identified the initial intrusion and reported it to the business, the alert was neglected because of the volume of data and the false positives from previous events. Constant tuning is a crucial method of minimising unnecessary alerts and false positives.
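The two points above (tip 3, retain only the data a use case needs, and tip 5, tune rules so a real burst stands out) can be made concrete in a few lines. The following is an added example written for this article, not code from Loop Secure or from any SIEM product: a tiny SIEM-style pipeline over a constructed log feed. The log lines, host names, IP addresses, the allowlisted scanner address and the threshold of five failures in five minutes are all assumptions chosen for illustration; a real deployment would take these from its own use-case definitions.

```python
"""Added example (not from the article): ingestion filtering (tip 3) plus
detection-rule tuning (tip 5) over a constructed log feed. Every host, IP,
event type and threshold below is invented for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: syslog-style auth events plus chatty firewall ACCEPTs.
# Format: "<ISO timestamp> <host> <event_type> <key=value ...>"
SAMPLE_LOGS = """\
2024-03-01T09:00:00 fw01 FW_ACCEPT src=10.0.0.5 dst=10.0.1.20 dport=443
2024-03-01T09:00:01 fw01 FW_ACCEPT src=10.0.0.6 dst=10.0.1.20 dport=443
2024-03-01T09:00:02 vpn01 AUTH_FAIL user=alice src=203.0.113.10
2024-03-01T09:00:03 fw01 FW_ACCEPT src=10.0.0.7 dst=10.0.1.20 dport=443
2024-03-01T09:00:05 vpn01 AUTH_FAIL user=bob src=198.51.100.44
2024-03-01T09:00:06 vpn01 AUTH_FAIL user=carol src=198.51.100.44
2024-03-01T09:00:07 vpn01 AUTH_FAIL user=dave src=198.51.100.44
2024-03-01T09:00:08 vpn01 AUTH_FAIL user=erin src=198.51.100.44
2024-03-01T09:00:09 vpn01 AUTH_FAIL user=frank src=198.51.100.44
2024-03-01T09:00:10 vpn01 AUTH_FAIL user=svc_scan src=10.0.9.9
2024-03-01T09:00:11 vpn01 AUTH_FAIL user=svc_scan src=10.0.9.9
2024-03-01T09:00:12 vpn01 AUTH_FAIL user=svc_scan src=10.0.9.9
2024-03-01T09:00:13 vpn01 AUTH_FAIL user=svc_scan src=10.0.9.9
2024-03-01T09:00:14 vpn01 AUTH_FAIL user=svc_scan src=10.0.9.9
2024-03-01T09:00:15 vpn01 AUTH_OK user=bob src=198.51.100.44
2024-03-01T09:30:00 vpn01 AUTH_FAIL user=alice src=203.0.113.10
"""

# Tip 3: keep only event types that a defined use case consumes. Firewall
# ACCEPT lines are cost without detection value for a credential-attack use case.
USE_CASE_EVENTS = {"AUTH_FAIL", "AUTH_OK"}

# Tip 5: tuning knobs. The allowlist holds a constructed internal vulnerability
# scanner whose credential checks are expected to fail every run.
ALLOWLISTED_SOURCES = {"10.0.9.9"}
THRESHOLD = 5             # failures from one source before an alert fires
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one log line into a dict; return None for malformed input."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    event = {"ts": ts, "host": parts[1], "type": parts[2]}
    for kv in parts[3:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            event[key] = value
    return event


def ingest(raw):
    """Parse a raw feed and retain only use-case events (tip 3)."""
    events = [e for e in map(parse_line, raw.splitlines()) if e]
    return [e for e in events if e["type"] in USE_CASE_EVENTS]


def naive_rule(events):
    """Untuned rule: one alert per failed login. This is the noise tip 5 warns about."""
    return [e["src"] for e in events if e["type"] == "AUTH_FAIL"]


def tuned_rule(events):
    """Tuned rule: alert once per source when it reaches THRESHOLD failures
    inside a sliding WINDOW, ignoring allowlisted sources and suppressing
    repeat alerts until a fresh burst begins."""
    recent = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] != "AUTH_FAIL" or e["src"] in ALLOWLISTED_SOURCES:
            continue
        src = e["src"]
        # Discard timestamps that have fallen out of the window, then add this one.
        recent[src] = [t for t in recent[src] if e["ts"] - t <= WINDOW] + [e["ts"]]
        if len(recent[src]) >= THRESHOLD:
            alerts.append((src, e["ts"].isoformat()))
            recent[src].clear()
    return alerts


def summarise(raw=SAMPLE_LOGS):
    """Volume retained versus received, and alert counts for both rules."""
    received = [e for e in map(parse_line, raw.splitlines()) if e]
    kept = ingest(raw)
    return {
        "received": len(received),
        "retained": len(kept),
        "naive_alerts": len(naive_rule(kept)),
        "tuned_alerts": tuned_rule(kept),
    }


if __name__ == "__main__":
    print(summarise())
```

On the constructed feed the ingestion filter drops the three firewall lines, the naive rule raises twelve alerts (one per failure, including ten that are either the scanner or an isolated typo), and the tuned rule raises exactly one, for the source that burned through five accounts in five seconds. The same shape applies to whatever use case you actually deploy: decide which events the rule needs, then set the threshold, window and allowlist from observed baselines rather than from defaults.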
The purpose of your SIEM project is to manage security logs in one place and appropriately detect and monitor security threats in real-time. Avoid these common problems when deploying SIEM (and any other security tool) so that you can maximise the return on investment and gain the best outcome for your organisation.