What is SIEM?
SIEM stands for Security Information and Event Management, an approach to security where network activity data is collected from critical points in the network. Typical critical points are network endpoints, firewalls, and intrusion detection systems. The SIEM application forwards the collected data to a central event tracking console. There, IT professionals, with the help of automated filtering systems, review event logs, warnings, and alarms to defend against cyberattacks. More sophisticated SIEM products use artificial intelligence (AI) or advanced algorithms to make sense of the network activity and properly rank potential system deviations as threats.
While SIEM systems have been around for some time, they have previously been used mostly by large organizations, installed on on-site hardware with a dedicated monitoring console. The main barrier has been that the human intervention component of SIEM can be prohibitive in cost. 24/7 monitoring requires three shifts of IT professionals, usually at a dedicated console, to monitor and review the warnings and alarms that come into the control center.
With the rise of cloud-based computing and software-as-a-service (SaaS), IT service providers monitor SIEM systems for multiple clients on a per-seat basis from a remote location. This consolidation eliminates the physical hardware and large IT staff costs for a given organization. This new consolidation model permits a number of small and medium-sized organizations to afford the benefits of this powerful IT security tool.
Are there drawbacks to implementing SIEM?
The largest drawback to a SIEM program is a wasted investment due to a poor deployment. Here are some of the best practices for a good SIEM deployment and operation:
Have a good baseline: Before implementing SIEM, an organization should have a thorough understanding of its IT environment. IT staff should consider hardware, software, network devices such as routers and switches, firewalls and other dedicated security hardware, and all potential network entry points. Organizations often perform this security audit to help identify the best places to track and report back to the central data collection point.
Identify tracking points in the network: Ensure the logs collected by the SIEM provide a good overall picture of your network. Merely tracking firewall logs defeats the entire purpose of a SIEM. Good organizations use the security audit to identify more extensive activity logs that provide a better picture of the system. Adding information from network points of entry, intrusion detection systems and anti-virus software can enhance the value of your SIEM considerably.
Staff the command center with trained professionals: As mentioned in the introduction, getting the most out of SIEM requires 24/7 monitoring by trained IT security professionals, who can make sense of the data as it comes in. This job cannot be done part-time by a junior system administrator. If your organization is using a service provider, verify the credentials of the staff that will monitor the SIEM and confirm the monitoring will be performed 24/7.
Fine tune the SIEM: The most difficult, yet crucial, element in a SIEM implementation is fine-tuning. If it is not set up to properly organize and report alerts, a poorly tuned system can inundate the command center with false positive alerts. Worse still, the system could fail to issue an alert when an attack is actually taking place. For SIEM systems with advanced filtering capabilities, be sure the installer understands how each filter setting will affect the reporting. The installer should also know how to combine minor variances from disparate report logs to better identify an impending attack.
Don’t set and forget: For the purposes of best practices, it is best to think of a SIEM system like an old engine, where constant adjustment of components is required to keep the engine operating at peak performance. Be sure your SIEM provides the important alerts while filtering the “noise” logs. Consider performing a simulated attack on the system to see how the SIEM performs, and adjust the SIEM settings accordingly. If you are using a responsible service provider, the provider can perform these tests for you.
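The following added example (written for this article, not code from ETTE, EventTracker or any SIEM product) shows in miniature what the best practices above ask a SIEM to do: normalize events from disparate sources, check that every expected tracking point is actually reporting, combine minor signals (a few firewall denies, one IDS alert, a handful of failed logins) into a single scored alert rather than many isolated ones, and suppress known noise. The log format, the scoring weights, the 10-minute window and the suppressed scanner address are all assumptions chosen for illustration, and the sample log lines are constructed. Running it doubles as the kind of simulated-attack test the last point recommends: the "attack" lines should produce exactly one actionable alert, and the noise lines none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning knobs (assumed values, chosen for illustration; a real deployment tunes these per environment).
WINDOW = timedelta(minutes=10)                                   # correlation window per source IP
EXPECTED_SOURCES = {"firewall", "ids", "endpoint", "antivirus"}  # tracking points we expect to hear from
SUPPRESSED_SOURCES = {"10.0.0.99"}                               # hypothetical authorized internal scanner
EPOCH = datetime(1970, 1, 1)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                       # key=value or key="quoted value"

# Constructed sample events from three disparate log sources (not real data).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 firewall DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:02 firewall DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2024-05-01T10:00:03 firewall DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
    '2024-05-01T10:00:10 ids ALERT sig="SSH brute force" src=203.0.113.7 dst=10.0.0.5',
    "2024-05-01T10:00:15 endpoint AUTH_FAIL user=admin src=203.0.113.7 host=10.0.0.5",
    "2024-05-01T10:00:16 endpoint AUTH_FAIL user=admin src=203.0.113.7 host=10.0.0.5",
    "2024-05-01T10:00:17 endpoint AUTH_FAIL user=admin src=203.0.113.7 host=10.0.0.5",
    "2024-05-01T10:00:18 endpoint AUTH_OK user=admin src=203.0.113.7 host=10.0.0.5",
    # Noise: the authorized scanner also trips the firewall and the IDS.
    "2024-05-01T10:05:00 firewall DENY src=10.0.0.99 dst=10.0.0.5 dport=445",
    '2024-05-01T10:05:01 ids ALERT sig="Port scan" src=10.0.0.99 dst=10.0.0.5',
    # Noise: one mistyped password from an internal workstation.
    "2024-05-01T10:07:00 endpoint AUTH_FAIL user=bob src=10.0.0.42 host=10.0.0.5",
]


def parse_line(line):
    """Normalize one raw line into a dict with ts, source, event and its key=value fields."""
    ts, source, event, rest = line.split(" ", 3)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"ts": datetime.fromisoformat(ts), "source": source, "event": event, **fields}


def check_coverage(events, expected=EXPECTED_SOURCES):
    """Return the expected tracking points that sent nothing at all (a blind spot in the picture)."""
    return sorted(expected - {e["source"] for e in events})


def correlate(events):
    """Group events by source IP and time window, then combine small signals from
    different logs into one scored alert instead of reporting each line separately."""
    buckets = defaultdict(list)
    for e in events:
        if "src" in e:
            buckets[(e["src"], (e["ts"] - EPOCH) // WINDOW)].append(e)

    alerts = []
    for (src, _), evs in buckets.items():
        evs.sort(key=lambda e: e["ts"])
        denies = sum(e["source"] == "firewall" and e["event"] == "DENY" for e in evs)
        ids_hits = sum(e["source"] == "ids" and e["event"] == "ALERT" for e in evs)
        fails = sum(e["source"] == "endpoint" and e["event"] == "AUTH_FAIL" for e in evs)
        # A successful login that follows failures from the same source is the strongest signal.
        seen_fail = success_after_fail = False
        for e in evs:
            if e["source"] == "endpoint" and e["event"] == "AUTH_FAIL":
                seen_fail = True
            elif e["source"] == "endpoint" and e["event"] == "AUTH_OK" and seen_fail:
                success_after_fail = True

        score, reasons = 0, []
        if denies >= 3:
            score, reasons = score + 1, reasons + [f"{denies} firewall denies"]
        if ids_hits:
            score, reasons = score + 2, reasons + [f"{ids_hits} IDS alert(s)"]
        if fails >= 3:
            score, reasons = score + 2, reasons + [f"{fails} failed logins"]
        if success_after_fail:
            score, reasons = score + 3, reasons + ["login succeeded after failures"]
        if score == 0:
            continue  # a lone firewall deny or a single failed login is not worth an alert
        severity = "high" if score >= 5 else "medium" if score >= 3 else "low"
        alerts.append({"src": src, "score": score, "severity": severity,
                       "reasons": reasons, "suppressed": src in SUPPRESSED_SOURCES})
    return sorted(alerts, key=lambda a: -a["score"])


def triage(lines):
    """Run the whole pipeline on raw lines and return only alerts worth an analyst's time."""
    alerts = correlate([parse_line(line) for line in lines])
    return [a for a in alerts if not a["suppressed"] and a["severity"] != "low"]


if __name__ == "__main__":
    events = [parse_line(line) for line in SAMPLE_LOGS]
    print("tracking points that sent nothing:", check_coverage(events))
    for alert in correlate(events):
        print(alert)
    print("actionable:", triage(SAMPLE_LOGS))
```

With the constructed input, check_coverage reports that the anti-virus source never reported, correlate produces a high-severity alert for 203.0.113.7 (three denies, an IDS hit, three failed logins and then a success, scored 8) and a low-severity, suppressed alert for the scanner, and triage hands the analyst exactly one alert. Changing the weights or the window and rerunning the same sample is the "adjust the settings and test again" loop the article describes; in a real deployment the sample would be replaced by the output of a controlled test rather than a hand-written list.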
ETTE and SIEMphonic Can Help
ETTE has partnered with EventTracker to provide SIEMphonic, a managed security service designed for small to medium organizations. SIEMphonic is installed and managed by ETTE, with the alerts and warnings forwarded to EventTracker’s intelligent Security Operations Center (iSOC) to provide enterprise-level security protection. ETTE chose to team with EventTracker because of these key features:
24×7 managed security services: EventTracker’s iSOC is staffed exclusively by security professionals. The veteran staff is deeply familiar with EventTracker’s suite of security applications. They also have the overall security training to make sense of system logs and respond to threats in real time. The technology collects data from a variety of sources, such as platform, application and network logs, alerts from intrusion detection systems (IDS) and vulnerability scans, as well as databases of attack profiles and telltales, to rapidly identify threats and enable investigation and response.
EventTracker 8 SIEM platform: This award-winning and industry-leading platform is the core of SIEMphonic. EventTracker 8 provides network and system administrators with early threat detection, operational awareness and the ability to demonstrate compliance with internal security policies and industry and government regulations, such as NIST 800.
Threat intelligence: threat actor, attack and breach information feeds into the EventTracker platform to adapt the scope and focus of security. The integration of global, local and community-based threat intelligence sources transforms the SOC into an intelligent SOC or iSOC. EventTracker’s expert analysts identify the most important and actionable alerts and help ETTE, as a service provider, immediately stomp out potential cyber risks.
HoneyNet deception technology: Comprised of multiple virtualized “vulnerable” decoys strategically scattered throughout the network, HoneyNet provides the highest value intelligence, identifying suspicious activity specific to the customer’s own environment to proactively hunt down and stop threats.
Behavior analysis: Monitoring traffic and calling out suspicious actions or departures from normal operation help identify new malware and zero-day exploits attempting to wreak havoc on the network.
Contact ETTE today to find out more about SIEMphonic and other security technologies we can deploy to help ensure your network security.