A defense-in-depth security strategy is built upon the premise that no one tool or process is enough to ensure the protection of an organization’s entire technology infrastructure.
But if there is one layer that should be considered foundational to any effective cybersecurity strategy, it is Security Incident and Event Management (SIEM).
What Is SIEM?
SIEM is cybersecurity software that acts as an aggregator and analyzer of many different sources of data across your organization’s entire network.
How Does SIEM Work?
SIEM takes the inputs from Endpoint Detection and Response (EDR) tools and collates them with network log data. It then processes that combined data, together with additional information from a variety of sources, through advanced analytics to provide next-level threat monitoring and response capabilities.
And this enhanced visibility is put to best use through a Managed Detection and Response (MDR) model to ensure SIEM’s capabilities are fully maximized.
Benefits of SIEM
The convergence of EDR, SIEM, and MDR enables companies to ingest, analyze and act on the thousands of security alerts that pour in from their environment every day.
It provides the data points to gain visibility and translate it into action, combined with the expertise to understand the nature of the attack and formulate the best strategy to contain it.
What to Consider When Comparing SIEM Solutions
But even when utilized through professional services, an organization must have a clear understanding of what it’s hoping to achieve if it plans to get the most out of the SIEM platform that it selects.
As an example, think about planning to purchase a new 4K HDTV. As you evaluate your options, consider the following mindsets:
- I want to buy a TV with the broadest feature set possible, regardless of cost.
- I want to buy a “cookie-cutter” TV with standard features and a low cost.
- I want to understand which features and capabilities are most important to me, and then find the right TV with that feature set to give me the most desirable performance for my investment.
Most would agree that option three is the smart choice. And this type of mindset, a targeted approach that matches capabilities to requirements, can be very useful in the world of information security.
When evaluating SIEM, you can use this mindset to determine what attributes have the most security relevance to your organization.
Understanding what you’re looking for can provide a roadmap to your SIEM selection and deployment before you even talk to a vendor.
Questions to Ask When Comparing SIEM Platforms
To develop the right mindset going into this process, it’s very helpful to ask yourself the following questions.
What’s my budget for this project?
Your budget will dictate the types of data you can send to the SIEM platform, how it will be analyzed and will determine the scope of ongoing monitoring.
If you have a limited budget, you can still get started with SIEM by focusing your efforts on the highest visibility per dollar spent.
What types of log retention compliance standards do I need to meet?
Specific types of regulatory compliance require you to not only store log data but ensure this data is tamper-proof.
There can also be a requirement that determines how long logs need to be kept.
What devices throughout my enterprise contain security-relevant/security actionable log data?
The philosophy on “what’s important” is continuing to change to keep pace with how end users work, and how the threat landscape continues to evolve.
User attribution through Active Directory logs (or however a company chooses to centrally enforce policy), VPN logs, SSO, and wireless authentication are all great starting points to consider.
Network threat detection, web proxies, and traditional firewall logs should be the next step.
The sky is truly the limit, as SIEM vendors support anywhere from as few as one hundred log types up to thousands.
What do I do with these logs that are coming into my SIEM platform?
Now that you have decided what you want to ingest, you must determine how to take action on the information. Not all logs are created equal.
As an example, one Active Directory log entry stating “Login Success” for user John Smith may not be an issue. But several denied logins for that same user may indicate a threat.
Also, consider that if U.S.-based user John Smith is able to successfully log in from overseas during non-business hours it may indicate that further action needs to be taken.
How many people will I dedicate or charter to handle alerts from my SIEM platform?
The number of people you need will depend upon how you answered the previous question and is based in part on the level of risk you’re willing to accept.
How long does it take to implement SIEM as part of my incident response program?
With the support of the right MDR provider, many organizations can often stand up SIEM in 6-8 weeks, while in-house implementations can take up to a year.
Generally, the more users that will be consuming the information provided by the SIEM, the longer it may take to stand up.
Benefits of MDR Services
A managed detection and response service can help you answer these questions and match SIEM capabilities to meet those needs.
Businesses need a feature set that can match their unique use cases, but that usually should not extend into an expensive, time-consuming, fully-customized deployment.
An MDR can ensure a successful implementation by analyzing your current environment, threat matrix, and industry demands and then develop a SIEM strategy that places it at the heart of your security operation.
MDR providers structure the deployment so that SIEM can evolve as your technology and the world around you change.
MDR integrated with SIEM can be attained by organizations of all sizes without breaking the bank.
An MDR service provider can design a platform that works within the demands of your budget and can be delivered in a reasonable amount of time.
Most importantly, after implementation, an MDR can process the millions of events coming out of the SIEM.
But here’s where it can get tricky: The prevailing wisdom is that with the sheer volume of events coming in, only high-priority alerts should receive attention.
This is a potentially dangerous fallacy, as many ransomware attacks may only trigger a medium or low priority alert.
Resolve Every Alert with a Trusted Behavior Registry
CRITICALSTART’s methodology is to treat every alert as equal. This can be accomplished by working with an organization to build out a trusted registry that shows what types of activities should be considered normal.
This enables the MDR to focus on all other alerts that fall outside the registry, regardless of their priority status.
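The two ideas above, correlating individually harmless log entries (several denied logins, or a successful login from overseas outside business hours) and triaging every event that falls outside a trusted behavior registry regardless of its priority label, can be shown together in a small detection routine. The following is an added example written for this article, not CRITICALSTART’s code or any SIEM product’s rule language. The event schema, the thresholds (five failures in ten minutes, business hours 08:00 to 18:00), the home country and the registry format are all assumptions chosen for the illustration, and the log events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Active Directory / VPN style logon events (not real log data).
# "priority" is the severity the source assigned to the single event.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:02:11", "user": "jsmith", "event": "logon_success", "country": "US", "priority": "low"},
    {"ts": "2024-03-04T09:40:00", "user": "jsmith", "event": "logon_failure", "country": "US", "priority": "low"},
    {"ts": "2024-03-04T09:40:20", "user": "jsmith", "event": "logon_failure", "country": "US", "priority": "low"},
    {"ts": "2024-03-04T09:40:41", "user": "jsmith", "event": "logon_failure", "country": "US", "priority": "low"},
    {"ts": "2024-03-04T09:41:05", "user": "jsmith", "event": "logon_failure", "country": "US", "priority": "low"},
    {"ts": "2024-03-04T09:41:30", "user": "jsmith", "event": "logon_failure", "country": "US", "priority": "low"},
    {"ts": "2024-03-05T02:15:00", "user": "jsmith", "event": "logon_success", "country": "RO", "priority": "medium"},
    {"ts": "2024-03-05T02:00:00", "user": "backup-svc", "event": "logon_success", "country": "US", "priority": "low"},
    {"ts": "2024-03-05T10:00:00", "user": "alee", "event": "logon_success", "country": "US", "priority": "low"},
    {"ts": "2024-03-05T03:30:00", "user": "mgarcia", "event": "logon_success", "country": "DE", "priority": "medium"},
]

# Assumed tuning values for the illustration.
HOME_COUNTRY = "US"
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time
FAILURE_THRESHOLD = 5
FAILURE_WINDOW = timedelta(minutes=10)

# Trusted behavior registry: activity an organization has documented as normal.
# "*" matches any user. Hypothetical entries: a backup service account that
# logs on at any hour, a contractor who normally works from Germany, and
# ordinary in-country logons during business hours.
TRUSTED_REGISTRY = [
    {"user": "backup-svc", "event": "logon_success", "country": "US", "hours": range(0, 24)},
    {"user": "mgarcia", "event": "logon_success", "country": "DE", "hours": range(0, 24)},
    {"user": "*", "event": "logon_success", "country": HOME_COUNTRY, "hours": BUSINESS_HOURS},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def is_trusted(ev):
    """True when the event matches a registry entry for user, event type, country and hour."""
    hour = parse_ts(ev["ts"]).hour
    for entry in TRUSTED_REGISTRY:
        if entry["user"] not in ("*", ev["user"]):
            continue
        if entry["event"] != ev["event"] or entry["country"] != ev["country"]:
            continue
        if hour in entry["hours"]:
            return True
    return False


def failed_logon_bursts(events):
    """Rule 1: FAILURE_THRESHOLD or more failures for one user inside FAILURE_WINDOW (sliding window)."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["event"] == "logon_failure":
            by_user[ev["user"]].append(parse_ts(ev["ts"]))
    findings = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAILURE_WINDOW:
                start += 1
            if end - start + 1 >= FAILURE_THRESHOLD:
                # Each failure was "low" on its own; correlation, not priority, makes this actionable.
                findings.append({"rule": "failed_logon_burst", "user": user,
                                 "count": end - start + 1, "priority": "low"})
                break
    return findings


def offhours_foreign_logons(events):
    """Rule 2: successful logon from outside HOME_COUNTRY outside BUSINESS_HOURS."""
    findings = []
    for ev in events:
        hour = parse_ts(ev["ts"]).hour
        if (ev["event"] == "logon_success" and ev["country"] != HOME_COUNTRY
                and hour not in BUSINESS_HOURS):
            findings.append({"rule": "offhours_foreign_logon", "user": ev["user"],
                             "country": ev["country"], "priority": ev["priority"]})
    return findings


def triage(events):
    """Suppress only registry-matched events; everything else is reviewed, and
    priority merely orders the queue rather than deciding what gets looked at."""
    unexplained = [ev for ev in events if not is_trusted(ev)]
    findings = failed_logon_bursts(unexplained) + offhours_foreign_logons(unexplained)
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f["priority"]])
    return {"reviewed": len(events), "suppressed": len(events) - len(unexplained),
            "unexplained": len(unexplained), "findings": findings}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

Running it against the constructed events suppresses four entries that the registry explains (the business-hours logons, the backup account, the contractor’s overnight logon from Germany) and leaves six for review. Two findings come out of those six: the burst of five denied logins for jsmith, which stays queued even though every contributing event was low priority, and jsmith’s successful overnight logon from Romania, which the registry does not explain. Note that mgarcia’s overnight foreign logon would have fired the same rule had it not been registered as normal, which is exactly the work the registry is meant to do.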
Where an MDR really performs is if they can use the data provided by a SIEM to track an attack back to its source.
MDR tools can change passwords, isolate endpoints, and effectively lock down a cyber-attack before it can spread to critical components of the network.
MDR & SIEM: Cybersecurity Evolved
That’s why an MDR team using SIEM can really outshine the legacy security methods of the past and stand firm against today’s broad-spectrum world of security threats.
Still have questions about how MDR and SIEM can work together to strengthen your organization’s security posture? CRITICALSTART’s cybersecurity experts are here to help.