Talking with customers during the past few months, the key topics and questions we heard were all about targeted attacks, threat intelligence, and security information and event management (SIEM). However, there seems to be a myth that “once we have SIEM, we will have visibility into threats,” as if SIEM will give us all the answers.
To successfully deploy SIEM and benefit from its capacity and functionality, you must first lay a proper foundation. Like building a house, you don’t build it on sand, but on solid ground. The foundation is deeply anchored. Your solution needs to withstand and survive a (log and event) storm and report what you need to see.
To lay the foundation for SIEM, you must carefully review the following pillars:
- Identify what to protect: critical assets
- Log management
- Event cases
- Incident response management and capacity
Identify what to protect
In many of our engagements to build a security operations center, we’re told “everything needs to be protected.” If that’s the case, you have just decided to overflow your SIEM with tons of events. You will certainly miss the events you need to react to. We recommend first monitoring your critical assets. What are they? Those are the systems and services that are the moneymakers for your company. If they were down/lost/damaged, it would have a huge impact on you and could ruin your business, resulting in financial loss. An example of a critical asset might be your SAP or ticket-booking system.
Log management
Once you have identified the critical assets, what kind of logging is available for the systems that are involved? Is logging enabled? What is the retention policy of the log files? Are all assets in sync with regard to time, or is there an offset causing a gap during a timeline analysis of an incident?
Event cases
Once the critical assets are identified and you have insight into the logs you’re maintaining and what log artifacts are available for those systems, you can build event cases for these systems. Think like an attacker: How would you try to access or compromise your critical assets? What would be abnormal versus normal behavior with regard to these systems? Of course, event cases need fine-tuning now and then, especially after changes have been made to your critical environment.
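As an added example (not code from the original post), here is one event case for the critical-asset scope described above, run over constructed sample log lines. The hostnames, the log tuple format and the clock offsets are assumptions; the point it shows is that an offset found during the log review changes what the event case can see.

```python
from datetime import datetime, timedelta

# Critical assets from the inventory step, each with the clock offset (seconds, logged minus
# true time) found during the log review. booking-web's clock was found to run 5 minutes slow.
# Hostnames and offsets are constructed for this example.
CRITICAL_ASSETS = {"sap-prod": 0, "booking-web": -300}

# Constructed sample log lines: (host, timestamp as logged by that host, user, action).
SAMPLE_LOGS = [
    ("file-share",  "2024-03-01T02:09:00", "jdoe", "login_fail"),  # not a critical asset
    ("sap-prod",    "2024-03-01T02:10:00", "jdoe", "login_fail"),
    ("sap-prod",    "2024-03-01T02:10:30", "jdoe", "login_fail"),
    ("sap-prod",    "2024-03-01T02:11:00", "jdoe", "login_fail"),
    ("booking-web", "2024-03-01T02:08:00", "jdoe", "login_ok"),    # true time is 02:13
    ("sap-prod",    "2024-03-01T14:00:00", "svc_batch", "login_ok"),
]

def timeline(logs, correct_clocks=True):
    """Keep only critical assets and order events by true time (offset-corrected unless disabled)."""
    out = []
    for host, ts, user, action in logs:
        if host not in CRITICAL_ASSETS:
            continue
        t = datetime.fromisoformat(ts)
        if correct_clocks:
            t -= timedelta(seconds=CRITICAL_ASSETS[host])
        out.append((t, host, user, action))
    return sorted(out)

def event_case(logs, threshold=3, window=timedelta(minutes=5), correct_clocks=True):
    """Event case: >= threshold failed logins by one user on one critical asset inside `window`,
    then any successful login by that user on any critical asset within `window` of the burst."""
    fails, bursts, alerts = {}, {}, []
    for t, host, user, action in timeline(logs, correct_clocks):
        if action == "login_fail":
            recent = [x for x in fails.get((host, user), []) if t - x <= window] + [t]
            fails[(host, user)] = recent
            if len(recent) >= threshold:
                bursts[user] = t  # time at which the burst threshold was crossed
                alerts.append(("failed_login_burst", host, user, t.isoformat()))
        elif action == "login_ok" and user in bursts and t - bursts[user] <= window:
            alerts.append(("success_after_burst", host, user, t.isoformat()))
    return alerts

if __name__ == "__main__":
    print("corrected clocks:  ", event_case(SAMPLE_LOGS))
    print("uncorrected clocks:", event_case(SAMPLE_LOGS, correct_clocks=False))
```

With the offset applied, the successful login on booking-web lands after the failed-login burst on sap-prod and the second alert fires; with the raw timestamps it appears to precede the burst and is silently missed.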
Incident response management and capacity
What if the fire-alert system of your house detects a fire but there is no sprinkler system and the nearest fire brigade is miles away? This is something to think about before deploying SIEM. You need procedures that define what to do if events are triggered for a critical component and, after initial analysis, escalate as an incident. Who has the capacity to respond to incidents?
Deploying SIEM is not simply putting a box on the network. That’s only the technology part. What about people and processes? Preparing for a SIEM deployment requires having the right visibility of your company’s critical assets and responding in a timely manner to events. These pillars are a guide that we have successfully used in many deployments of SIEM and in building security operations centers.