May 1, 2018
You’ve set up your SIEM, you have logs flowing and a report or three. You are done, right? You don’t need to look at it every day, right? You can just check it on Friday on the way home, right?
It emails you an alarm, so you are done, right?
SIEM effectiveness, usefulness and maturation come with a measurable price. Professionals must, of course, possess system administration skills to perform tasks like health checks on software, hardware and storage, or handling upgrades. Nuanced and mature skills are also required, including the ability to examine and consider data, experience with highly varied security solutions, and the ability to define and analyze threat correlations.
SIEM is not merely a rules engine; it is an ever-evolving, ever-improving tool in your detection arsenal. Accurate data acquisition and normalization are certainly key, but they go hand in hand with correlation concepts. Many companies lack the human talent, and as a result a large number of SIEM deployments fail to meet goals and expectations. I remember my favorite fail story: I discovered the installation disk duct-taped to a 4U unracked server that had never been powered on. The CIO was adamant they had a SIEM, but that it provided no value.
Once deployed, SIEM platforms need to be constantly monitored. Triggered events or alarms should regularly be investigated for validity. As it turns out, organizations rely on staff to occasionally review the SIEM, but those staff are often stretched thin with workload and only do so on a best-effort basis. Castra Managed Services can help bridge the gap by providing a co-managed solution, where trained eyes monitor alerts and perform initial investigation and triage. Even if you don’t choose Castra, choose a trusted Managed Services partner so you can continue to see a return on your investment. Never get caught blindsided by your own tool.
The evolution of the ‘set it and forget it’ mistake culminates in failing to tune the SIEM frequently; the established Directives, Policies, data sources, and reports must be continually evaluated for efficacy. Organizations change over time. Networks are dynamic (note that SDN is no longer the future, it is now). Threat has multiple sides: your detection capabilities and intel on one side, contrasted with which attack vectors are currently active and whether you are a target on the other. All of this changes rapidly, sometimes daily or weekly. What about new compliance requirements this year? Arguably, people and process become the focal point for success, which is why we ask “Who is monitoring yours?”
If the SIEM is doing its job perfectly well and triggering the appropriate alerts on potential breaches, yet the alarm or report is ignored, delayed or missed due to a breakdown in processes, your investment is nullified. We have all read about notable security breaches in the news where the SIEM actually performed its job and the alerts were triggered, yet no one reviewed the notifications, or a broken process impeded investigation. Will this be you? Who is monitoring yours?