Outsourcing SIEM

Implementing a SIEM solution is an excellent decision for any business, no matter how small or large.  While larger enterprises have the funds and staff to implement an in-house solution, such options are out of reach for many small businesses.

SIEM stands for Security Incident Event Management and is technology which can correlate logs from many disparate sources on a network.  The SIEM can correlate logs from firewalls, IDS, web servers, authentication systems, MS Windows event logs, etc.  Rather than monitoring logs from many different places, the SIEM serves as a centralized repository where rules and logic can be applied to monitor and alert on potential security breaches and incidents.

Many commercial SIEM solutions as well as solutions offered as a cloud based service will provide some excellent functionality right out of the box.  However, the out of the box functionality is is only a part of the picture and failure to invest the time and attention to the solution in the beginning during implementation, and during the lifespan is a big mistake and negates the value of the investment.

Relevancy is crucial when implementing a SIEM.  Out of the box functionality only provides knowledge of globally accepted and known exploits which usually lack specific contextual relevance to the specific business.  This is very analogous signature based IDS(Intrusion Detection System)  implementations which can trigger alerts for threats which the specific organization may not be vulnerable.  There is a required investment in up front tuning and configuration during the implementation.

Tuning the SIEM configuration to align with the organization’s environment takes time and should not be underestimated.  The investment is well worth it because once in steady state production, the SIEM will monitor and alert on relevant threats which allows the service provider, be they internal or external, as well as the business leaders, to focus attention on incidents which are more likely to be relevant rather than wasting valuable time and resources chasing many false positives which in many cases, can reach 70% in a poorly tuned system.

Configuration, while critical to the implementation phase of the SIEM project, is not just a one time effort.  Environments are dynamic and are subject to constant change as technology evolves, and business needs and requirements change over time.  It is important to periodically review the configuration to ensure that the configuration accurately reflects the current computing environment.  Even better, consider including the SIEM configuration as part of any change management process when changes are made to the environment or new applications are added.

Beyond organization specific configuration, context relevant tuning should also take place.  This step requires a deep understanding of the business process and context within which those processes operate.

For example, I frequently travel internationally on business, and like many, find cloud based storage to convenient in order to access files I may need, and to keep those files in sync across many devices.  However, I often find that my cloud provider has blocked my login because they have recognized that I am trying to login from an unusual place; in this case, a different country.

Context awareness would permit recognition based upon the countries in which I usually conduct business.  For instance, login attempts from the USA, Western Europe, and Thailand may be considered normal logins if I frequented those countries on business.  However, if a location in South America was detected, the system would recognize that I do not customarily conduct business there and raise an alert.  Or, if this is a new location that is acceptable, the system could be tuned to view the South American login attempt as normal and de-alert the event.

The point of this article is not to teach how to configure a SIEM; that is a complex endeavor which requires skill and experience.  Instead, consider some of the issues raised here as a baseline for asking questions of the provider when outsourcing a SIEM solution.  A SIEM solution is a significant investment and well worth the effort to leverage the best value from that investment.


Comments are closed.