Security Information and Event Management (SIEM) is the layer most organisations put on top of their basic information security controls (endpoint, firewall, web/email filtering) to gain contextual awareness of their security incidents and to help prioritise and direct future investment. Security is a small part of the overall budget, and it needs to be allocated effectively; getting visibility is therefore the priority.
Often when we ask clients the usual question “Are you using SIEM right now?” we brace ourselves for a common response. A groan, followed by a story we’ve heard many times:
- We are using X Technology
- My predecessor bought and installed it
- I’m not sure it was installed correctly
- The only people who knew how to run it have since left the organisation
- We’re paying for big annual maintenance renewals
- All we can really get out of it is log management
For someone looking to deploy a SIEM for the first time, the prospect of ending up in this scenario is quite scary. A SIEM only runs well when it is configured to collect the right data and produce the reporting the business actually needs; otherwise it is a failed project. The ideas below can help you avoid these pitfalls and increase the likelihood of a successful project.
Picking the right technology
Before you make a decision, speak to reference sites and validate that their environment and team are similar to yours. There is no point buying a big, powerful technology solution if you only have a third of an FTE to manage it. Large, complicated SIEMs require a large Professional Services budget, as well as specialised skills which are difficult to learn on the job. Older “Gen 1” SIEMs are often architected so that log data is stored in flat files or a standard relational database, which makes indexing and searching billions of events slow. At the other end, buying a lower-cost, less powerful technology can lock you into a platform you cannot build on as you progress beyond basic event management. Examine your long-term security roadmap to ensure the technology will be fit for purpose over the next five years.
Adequate planning and resourcing
Ensure business outcomes are clearly defined and that resources are budgeted both to implement and to manage the solution. One way to offset the risk is to contract with a Managed Services Provider (MSP) to deliver and manage the technology on an ongoing basis. Allocating a quarter of a staff member’s time when that person is already 100% utilised on operational work will result in a substandard outcome, particularly if the gaps are then filled by occasionally bringing in experts on project-based arrangements without a broader implementation strategy. MSPs are generally very good at calculating the effort a skilled team needs to manage a SIEM, which can strengthen your business case and confirm whether you have the resources and capabilities to deliver in-house. A live proof of concept (POC) can also help confirm how much effort is required.
What’s your use case?
The two big use cases we see in Australia are compliance (PCI DSS Requirement 10 is centred on logging and monitoring) and general security maturity. Understanding what you need visibility of now and into the future will help you clearly define the desired business outcomes and plan your deployment to hit those objectives. A woolly plan full of “nice to haves” won’t just be difficult to deliver; it will be hard to get budget for in the first place. If you can, start by designing the ideal reports you would like to generate, then work backwards to select your technology and your deployment/management plan. It is also beneficial to involve stakeholders outside IT to get buy-in across the business and demonstrate greater ROI. A long-term roadmap which begins with compliance and grows to incorporate incident response and some SOC functionality means you are more likely to get lasting value out of your SIEM.
What's the roadmap?
Nobody racks and stacks a SIEM appliance, flicks the switch, and has full incident response. A better approach is to build a roadmap that starts with log management and compliance, and over time turns on event correlation and incident response. If you are working with an MSP, this gives both parties the opportunity to get to know your security events, and to build a set of correlation rules and an incident response workflow that fit your security event profile.
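To make the distinction between the two roadmap stages concrete, here is an added example (not code from the original article, and not any SIEM vendor’s rule language). It takes a handful of constructed SSH authentication lines, normalises them into searchable events (the log management stage), and then runs a single correlation rule over them: several failed logins from one source address followed by a success from the same address within a short window. The log lines, hosts, addresses, field names and the three-failures-in-sixty-seconds threshold are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for the example; not captured from any real system.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z host1 sshd[101]: Failed password for admin from 203.0.113.5 port 50001
2024-03-01T09:00:12Z host1 sshd[102]: Failed password for admin from 203.0.113.5 port 50002
2024-03-01T09:00:25Z host1 sshd[103]: Failed password for root from 203.0.113.5 port 50003
2024-03-01T09:00:40Z host1 sshd[104]: Accepted password for admin from 203.0.113.5 port 50004
2024-03-01T09:05:00Z host2 sshd[201]: Failed password for alice from 198.51.100.7 port 40001
2024-03-01T09:30:00Z host2 sshd[202]: Accepted password for alice from 198.51.100.7 port 40002
2024-03-01T10:00:00Z host1 sshd[105]: Failed password for bob from 192.0.2.9 port 60001
2024-03-01T10:00:05Z host1 sshd[106]: Failed password for bob from 192.0.2.9 port 60002
2024-03-01T10:00:09Z host1 sshd[107]: Failed password for bob from 192.0.2.9 port 60003
"""

# Assumed line format; a real deployment would carry one parser per log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse(raw):
    """Log management stage: turn raw lines into normalised event dicts."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line; a SIEM would count these as parse failures
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["success"] = e["outcome"] == "Accepted"
        events.append(e)
    return events


def search(events, **criteria):
    """Plain log search: filter normalised events on field equality."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation stage: raise an alert when `threshold` or more failed logins
    from one source address are followed, within `window`, by a successful
    login from that same address."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        q = recent_failures[e["src"]]
        # Expire failures that fell outside the window relative to the current event.
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if not e["success"]:
            q.append(e["ts"])
        elif len(q) >= threshold:
            alerts.append({
                "ts": e["ts"],
                "src": e["src"],
                "user": e["user"],
                "host": e["host"],
                "failures": len(q),
            })
            q.clear()  # one alert per burst, not one per subsequent success
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print(f"{len(evs)} events, {len(search(evs, success=False))} failures")
    for a in correlate(evs):
        print(f"ALERT {a['ts']} {a['src']} -> {a['user']}@{a['host']} after {a['failures']} failures")
```

Running `search(evs, success=False)` is all that log management gives you: a list of failures you still have to interpret by hand. The correlation rule is what turns that list into one actionable alert for 203.0.113.5, while ignoring the lone failure from 198.51.100.7 and the failure burst from 192.0.2.9 that never succeeded (that burst would be the job of a separate brute-force rule). Tuning the threshold and window per source, and deciding what a human does with each alert, is the incident response workflow the roadmap adds later.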
Whether you’re buying your first SIEM, or replacing an ageing technology, there are a number of considerations to keep in mind. By addressing your use case, selecting an appropriate technology and properly budgeting resources for both implementation and ongoing management, you’ll have a powerful new tool to gain greater visibility into your security incidents and provide more security intelligence back to your organisation.
If you are interested in hearing more about what Loop is doing with our SIEM clients, you can contact us here