
SIEM Use Cases: Implementation and Best Practices

A security information and event management (SIEM) tool can be a valuable component of a mature security strategy. Indeed, effective SIEM solutions have been available for well over a decade.

Organizations typically purchase SIEM tools expecting fast implementation and reliable security threat alerts that provide the intelligence required to respond promptly and prevent breaches.

The reality is quite different.

According to a study from McAfee and UC Berkeley:

  • 45% of respondents stated that lack of interoperability hampered their SIEM efforts.
  • 43% had difficulty mapping SIEM event data to known techniques and tactics.
  • 36% reported too many false positives from their SIEM system.

Information security expert Kim Jones from Arizona State University explains a key underlying issue:

The most challenging problem for an organization is its desire to use any toolset, application, system, or framework as an instant panacea that’s going to solve all its problems. Taking an existing detection posture and attempting to drop a framework on top without doing your own analysis and prioritization or evaluating your tool appropriateness is shortcutting the effort.

This article will help you ensure your organization is ready for a SIEM solution. It explains how to develop strong SIEM use cases, how SIEM rules and alerts work, and the best practices for SIEM implementation and use.

Benefits and Limitations of SIEMs

SIEM systems can help organizations improve security and compliance by offering:

  • Detection of internal and external threats with near real-time monitoring across multiple applications and systems
  • User activity monitoring that facilitates proper access control, with alerts and reports on policy infringements and suspicious behavior that provide details to establish context
  • Libraries of proven rules and scenarios, and prebuilt dashboards and reports
  • Incident investigation that provides correlation and analytics of events such as anomalous behavior
  • Stronger network security with monitoring of alerts from firewalls and other edge security devices to identify attack patterns in network traffic
  • Better incident response, with the ability to orchestrate and automate related workflows
  • Easier compliance with data privacy and security mandates

Before leaping into a SIEM purchase, however, consider this: SIEM solutions are expensive and can be difficult to deploy and configure. They need to be fine-tuned to your IT environment and maintained as your systems and the threat landscape change.

Moreover, SIEMs often generate numerous alerts without providing meaningful data for analysis and response. As a result, your IT team could spend inordinate amounts of time chasing false positives while allowing true security threats to fall through the cracks.

Therefore, before you begin your SIEM journey, you need to do some prep work. For example, you should assess what types of data you have, the threats you face and your weak points, and determine which data is at the greatest risk. You also need to plan how you can integrate your SIEM software with other solutions to maximize its value.

Defining and Implementing SIEM Use Cases

The key to using a SIEM effectively is to build a set of use cases that detail the security threats you want to overcome and the outcomes you want to achieve.

Common examples include ensuring HIPAA compliance, identifying privileged access abuse, detecting insider attacks, and general threat hunting that looks for any anomalous activity. Avoid attempting to capture every threat. Instead, define the most important use cases for your organization based on the impact of potential incidents, including the cost of data loss, recovery time, damage to your reputation and so on.

Implementing Your Use Cases

Based on this prioritization, you can build a ranked set of SIEM use cases. Starting with the highest-priority one, take the following steps to implement them.

Step 1. Define requirements and scope.

While defining your requirements and scoping the SIEM work, start by answering the following questions:

  • What are the most important IT assets to protect?
  • What threats is the organization facing? Which are the most likely to occur and which would cause the most damage?
  • What are the business, compliance and security priorities?

Step 2. Choose your data sources and add them to your SIEM.

Determine which logs and other data sources would be valuable in identifying the threat for the use case. As part of your analysis, be sure to consider the characteristics of the data source, such as:

  • Location
  • Verbosity level
  • Average size
  • Data type
  • Data points
  • Rotation frequency (how quickly the data is overwritten)

Also be sure to capture details about the application generating the data, including its name, version and operating system. Use vendor documentation to determine how the application records events and writes its log files.

Integrate all the data sources you choose with your SIEM and confirm that the data source communicates correctly.

Step 3. Build the rules for your use case.

SIEM correlation rules govern how the solution aggregates and analyzes the different types of data for your use case. Your devices and applications constantly generate log events that feed into the SIEM, and the correlation rules define the specific events the SIEM should flag as a cyberattack attempt, compliance violation, privilege escalation and so on. For example, you can create a correlation rule to send an alert if a user generates a certain number of failed logon attempts within a certain period of time, so the appropriate person can investigate and address the issue. More advanced analytics can include pattern matching and machine learning.

You write the rules and define your baselines and thresholds according to your deep knowledge of your own IT environment, threat landscape and attacker behavior. Since attackers consistently change tactics, new correlation rules must always be in the pipeline.

The best practice is to start with the SIEM’s built-in rules. Take the time to fully comprehend them, and then adapt them as necessary. After you have some experience, you can then start to build your own rules. More information about creating and fine-tuning correlation rules is provided below.

Step 4. Test and tune.

Your first attempt at implementing a use case may not hit the bull’s eye. In particular, you may get false positive alerts that notify you about an event that isn’t actually a security threat. For example, the SIEM system might misidentify a legitimate vulnerability scanner as an aggressive attacker and generate a stream of alerts. You should also look for false negatives — cases in which your rules fail to spot a true security threat.

Test each use case and make changes to your rules and thresholds until it behaves as you need. The goal is to minimize false positive alerts without missing true threats.

Step 5. Monitor performance.

Don’t set and forget. Keep checking the results to ensure your SIEM is performing as expected. Given that the threat landscape changes rapidly, monitoring performance will help you maintain your use cases and develop new ones to stem the tide of bad behavior.

Tuning Your SIEM Correlation Rules

Here are some typical issues that prevent correlation rules from being set up properly:

  • Disabled rules — SIEM solutions come with numerous out-of-box rules. Often, many of them are disabled during implementation because they don’t seem to apply to the company’s environment. Unfortunately, some may be disabled in error, causing the security team to miss legitimate threats.
  • Lack of customization — Most out-of-box rules won’t fit your security needs perfectly. Invest the time to adapt these rules to ensure you get the alerts and reports you want.
  • Lack of filtering — IT environments generate so much data that the resulting volume of logs can overwhelm the SIEM, which is limited in the number of events per second (EPS) it can process. To avoid this problem, send only relevant data to the SIEM.
  • Poor rule maintenance — Rules need maintenance. For example, as you add data sources to your SIEM, applying existing rules to data that is irrelevant to them can slow SIEM processing, increasing the risk that threats will not be detected promptly.
  • New rules that damage existing processes — New rules placed in service can interfere with those that already exist. When creating new rules or changing current ones, consider the logic of the whole set.

Tuning Your SIEM Alerts

The goal is for your SIEM to issue an alert when a security event occurs, without missing any true threats or flooding you with noise. The alert provides key details like IP addresses, authentication statuses, network protocols and error codes, so you can respond in time to prevent or mitigate consequences like a data breach.

Reconsider the behavioral baseline and the unusual behavior encoded in each rule. What do you consider an anomaly? Do all of those events have SIEM alerts? Are all notifications going to the right individuals or teams? Also be sure to track new systems and applications and roll them into your SIEM to improve on-prem and cloud security.

Best Practices for SIEM Implementation and Maintenance

To get maximum value from your SIEM, follow these best practices:

  • Set clear goals based on the threat landscape and your business, compliance and security goals.
  • Assign a dedicated SIEM administrator to ensure proper maintenance.
  • Start with the out-of-box rules and carefully customize them as you gain experience with the system. Then, develop your own rules.
  • Test and tune.

How Netwrix Solutions Can Complement Your SIEM

Experts recommend using the NIST Cybersecurity Framework to assess and improve cybersecurity. It identifies five pillars of a holistic security program:

  • Identify — Understand what IT assets are at risk.
  • Protect — Proactively reduce that risk.
  • Detect — Watch for suspicious activity that might affect this data.
  • Respond — Take appropriate action to block attacks and mitigate damage.
  • Recover — Restore business-critical data damaged or deleted in an attack.

Unfortunately, most SIEM solutions cover only two of these security functions, Detect and Respond. And, as noted earlier, they can flood you with so many alerts that you cannot detect true threats in all the noise and respond effectively.

Netwrix solutions complement SIEMs by engaging across all five NIST pillars. You can:

  • Identify what data requires protection and what doesn’t.
  • Proactively spot gaps in your IT security controls and remediate them before they are exploited.
  • Avoid alert fatigue and detect true threats quicker.
  • Speed incident response with actionable context about each incident.
  • Restore operations faster by accurately prioritizing the recovery of the most critical assets.

Read this eBook to learn how the Netwrix data security platform helps you close the gaps your SIEM solution leaves, helping you avoid becoming the next data breach headline.

Former VP of Customer Success at Netwrix. He has a diverse background built over 20 years in the software industry, having held CEO, COO, and VP Product Management titles at multiple companies focused on security, compliance, and increasing the productivity of IT teams.