SIEM stands for Security Information and Event Management, an approach to security in which log and event data is collected from critical points across the environment. Typical sources are endpoints and servers, firewalls, and intrusion detection systems. The SIEM forwards the collected data to a central console, where security analysts, helped by automated filtering and correlation rules, review event logs, warnings, and alarms to detect and respond to attacks. More sophisticated SIEM products apply machine learning or other advanced analytics to the activity and rank anomalies by how likely they are to be real threats.

While SIEM systems have been around for some time, they were previously used mostly by large organizations, installed on on-site hardware with a dedicated monitoring console. The main barrier has been the cost of the human component: 24/7 monitoring requires three shifts of security staff at a console to review the warnings and alarms that reach the control center. With the rise of cloud computing and software-as-a-service (SaaS), managed security service providers now monitor SIEM systems for multiple clients from a remote location and charge per seat. This consolidation removes the on-site hardware and most of the staffing cost for an individual organization, and puts the benefits of this powerful security tool within reach of many small and medium-sized organizations.
The largest drawback of a SIEM is that a poor deployment turns it into a wasted investment. Here are some best practices for a good SIEM deployment and operation:
Have a good baseline:
Before implementing a SIEM, an organization should have a thorough understanding of its IT environment: hardware, software, network devices such as routers and switches, firewalls and other dedicated security hardware, and every potential network entry point. This inventory, in effect a security audit, identifies the best places to collect logs from and report back to the central collection point, and records what normal activity looks like so that deviations from it can be recognized later.
Identify tracking points in the network:
Ensure the logs collected by the SIEM give a good overall picture of your network. Tracking only firewall logs defeats the purpose of a SIEM, which is to correlate events across sources. Good organizations use the security audit to identify a wider set of activity logs and so build a fuller picture of the system. Adding data from network entry points such as VPN gateways, from authentication servers, from intrusion detection systems, and from endpoint anti-virus software increases the value of your SIEM considerably.
Staff the command center with trained professionals:
As mentioned in the introduction, getting the most out of a SIEM requires 24/7 monitoring by trained security professionals who can make sense of the data as it arrives. This job cannot be done part-time by a junior system administrator. If your organization uses a service provider, verify the credentials of the staff who will monitor the SIEM, confirm that monitoring is performed 24/7, and agree on how, and how quickly, confirmed alerts are escalated to you.
Fine-tune the SIEM:
The most difficult yet crucial element of a SIEM implementation is tuning. A poorly tuned system can inundate the command center with false-positive alerts, so that real ones are lost in the noise; worse still, it can fail to raise an alert while an attack is actually taking place. For SIEM systems with advanced filtering capabilities, be sure the installer understands how each filter setting affects what is reported. The installer should also know how to correlate minor, individually harmless-looking events from different log sources, for example a burst of failed logins followed by a successful one from the same address, to identify an attack in progress.
Don’t set and forget:
For best-practice purposes, think of a SIEM like an old engine that needs constant adjustment of its components to keep running at peak performance. Be sure your SIEM keeps raising the important alerts while filtering out the “noise” logs, and revisit the rules whenever the environment changes, such as when systems or log sources are added. Consider running a simulated attack, such as a penetration test, to see how the SIEM responds, and adjust its settings accordingly. If you are using a responsible service provider, the provider can perform these tests for you.
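The three practices above (collect from several sources, correlate minor events across them, then tune and re-test against a simulated attack) are easier to see in a concrete rule than in prose. The following Python is an added illustration written for this article; it is not code from the original page or from any SIEM product. The log lines, addresses (RFC 5737 test ranges), user names and IDS signature text are constructed for the example, and the parsing, thresholds and severity logic are assumptions, not any vendor's defaults.

```python
"""Added example: a small multi-source correlation rule with tunable thresholds.

The log lines are constructed for the example; the parsing, rule logic and
thresholds are assumptions, not any SIEM's defaults.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sources: sshd auth log, firewall, IDS.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 fw DENY TCP 198.51.100.9:51000 -> 10.0.0.7:22
2024-05-01T10:00:02 auth sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:04 auth sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:05 auth sshd: Failed password for root from 203.0.113.5
2024-05-01T10:00:06 ids ET SCAN SSH brute force attempt src=203.0.113.5
2024-05-01T10:00:09 auth sshd: Accepted password for admin from 203.0.113.5
2024-05-01T10:01:00 auth sshd: Failed password for svc-scan from 10.0.0.50
2024-05-01T10:01:01 auth sshd: Failed password for svc-scan from 10.0.0.50
2024-05-01T10:01:02 auth sshd: Failed password for svc-scan from 10.0.0.50
2024-05-01T10:30:00 auth sshd: Failed password for alice from 192.0.2.10
2024-05-01T12:30:00 auth sshd: Failed password for alice from 192.0.2.10
2024-05-01T12:30:05 auth sshd: Accepted password for alice from 192.0.2.10
"""

AUTH_RE = re.compile(r"^(\S+) auth sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) fw (DENY|ALLOW) \S+ (\S+):\d+ -> \S+$")
IDS_RE = re.compile(r"^(\S+) ids (.+) src=(\S+)$")


def parse(line):
    """Normalize one raw line from any of the three sources into a common schema."""
    if m := AUTH_RE.match(line):
        ts, outcome, user, ip = m.groups()
        kind = "auth_fail" if outcome == "Failed" else "auth_ok"
        return {"ts": datetime.fromisoformat(ts), "src": "auth", "kind": kind, "ip": ip, "user": user}
    if m := FW_RE.match(line):
        ts, action, ip = m.groups()
        return {"ts": datetime.fromisoformat(ts), "src": "fw", "kind": "fw_" + action.lower(), "ip": ip, "user": None}
    if m := IDS_RE.match(line):
        ts, sig, ip = m.groups()
        return {"ts": datetime.fromisoformat(ts), "src": "ids", "kind": "ids_alert", "ip": ip, "user": None, "sig": sig}
    return None  # unrecognized source: a real deployment would count these as a coverage gap


def correlate(lines, threshold=3, window_seconds=300, allowlist=frozenset()):
    """Brute-force rule: at least `threshold` failed logins from one IP inside a sliding window.

    Severity is raised to 'high' only when a second source corroborates the burst:
    a successful login shortly after it, or an IDS alert naming the same IP.
    Returns one alert dict per offending IP.
    """
    window = timedelta(seconds=window_seconds)
    events = [e for e in map(parse, lines.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        if ip in allowlist:      # tuned-out noise source, e.g. an authorized scanner
            continue
        fails = [e["ts"] for e in evs if e["kind"] == "auth_fail"]
        for i, start in enumerate(fails):
            end = start + window
            burst = sum(1 for t in fails[i:] if t <= end)
            if burst < threshold:
                continue
            severity, reasons = "medium", [f"{burst} failed logins within {window_seconds}s"]
            if any(e["kind"] == "auth_ok" and start <= e["ts"] <= end + window for e in evs):
                severity, reasons = "high", reasons + ["followed by successful login"]
            if any(e["kind"] == "ids_alert" and start <= e["ts"] <= end for e in evs):
                severity, reasons = "high", reasons + ["IDS signature from same source"]
            alerts.append({"ip": ip, "severity": severity, "reasons": reasons})
            break                # one alert per source IP per run
    return alerts


if __name__ == "__main__":
    # Replay the same constructed "simulated attack" under three tunings.
    for label, kwargs in [
        ("untuned (2 failures in 3 hours)", dict(threshold=2, window_seconds=3 * 3600)),
        ("default (3 failures in 5 minutes)", {}),
        ("default + scanner allowlisted", dict(allowlist={"10.0.0.50"})),
    ]:
        print(label)
        for a in correlate(SAMPLE_LOGS, **kwargs):
            print(f"  {a['ip']:<12} {a['severity']:<6} {'; '.join(a['reasons'])}")
```

Run stand-alone, the untuned setting flags three addresses, including alice, who mistyped her password twice two hours apart and then logged in: a false positive that would cost an analyst a ticket. The default window drops her but still pages on the internal scanner at 10.0.0.50; allowlisting that one known source leaves a single high-severity alert, and it is high only because the auth log, the IDS and the later successful login all point at 203.0.113.5. That is the whole argument for multiple sources and ongoing tuning in a dozen log lines.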