IT IS COMMON KNOWLEDGE among security professionals that security information and event management (SIEM) technologies can be complex. No matter the vendor or the solution, SIEM systems require hard work and dedication to ensure they are running at their maximum capabilities and providing the most benefit to an organization.
A properly deployed SIEM solution can be a significant asset to numerous teams within a business. While your information security team will reap the greatest benefit, other internal departments such as networking, support, and HR can use the information provided as well.
Even the most seasoned security professionals, however, can commit oversights when deploying SIEM technology. The primary reason for this is that deploying and managing a SIEM solution is time consuming. Most security groups are stretched thin already, so they may not be able to devote the necessary resources to tune and configure a SIEM system correctly, in which case it will fail to produce much value.
For a successful and beneficial implementation, organizations must dedicate staff and time to the technology. Without these dedicated resources, the security team is going to be frustrated with the SIEM system and might not utilize it in an optimal way.
Plan carefully before buying SIEM technology. Organizations often purchase a SIEM system for one specific purpose and then, once it is installed, start feeding it everything else as well. As with any other technology, the more data you send a SIEM solution, the more storage, processing, and licensing capacity it consumes.
An overloaded SIEM system also fails in ways that matter: it drops or delays events, falls behind on correlation, and misses the alerts it was bought to produce. That is a big deal when so many groups depend on it for critical information. Just as other IT systems are monitored for resource utilization, monitor the SIEM's own health, queue depth, and resource utilization.
Before you purchase a SIEM system, discuss internally how and why you will use it. Don’t send the SIEM every security event—from end-user devices, servers, network equipment, firewalls, anti-virus, or intrusion prevention systems—just because you think it needs to be logged. Instead, figure out why it needs to be logged and what you are going to do with the information coming out of it.
Also, decide which systems and applications will send logs to it and estimate the events per second (EPS) each source will generate, at peak as well as on average. This information will tell you how many servers, how much database storage, and what additional resources are needed to collect and retain those events. Each vendor has its own sizing calculations and will help determine what is necessary for your company's needs.
Unlike some technologies, SIEM systems require constant care and feeding to operate at full potential. One area that is easy to overlook, for example, is making sure source logs are still parsing correctly. If data arrives in a format the parser does not expect, the fields the analyst depends on come through empty or wrong. SIEM systems rely on information from other devices to correlate and alert correctly, and a correlation rule cannot fire on a field that was never extracted. We often see organizations with a false sense of security because they assume that if data is flowing into the SIEM, it will alert them when something triggers a rule. Test parsers, rules, and alarms regularly, and especially after an upstream system is patched or reconfigured, because a log source whose format changed during an update will keep sending data while the alerts it used to produce quietly stop.
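The failure mode described above, as an added example that is not part of the original article: a small Python parser for OpenSSH failed-login lines, a correlation rule that counts failures per source address, and a parser health check that runs the rule's prerequisites over a batch of sample lines. The log lines are constructed for this example, and the "upstream update" is a hypothetical rsyslog reconfiguration that switches the timestamp from the classic BSD form to RFC 3339. With the legacy parser the new lines are silently dropped and the brute-force rule stops firing; the health check is what surfaces the problem.

```python
import re
from collections import Counter

# Constructed sample: the same six failed SSH logins, before and after a
# hypothetical upstream change from BSD syslog timestamps to RFC 3339 ones.
BEFORE_UPDATE = [
    "Mar  1 10:15:01 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2",
    "Mar  1 10:15:03 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51524 ssh2",
    "Mar  1 10:15:05 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51526 ssh2",
    "Mar  1 10:15:07 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51528 ssh2",
    "Mar  1 10:15:09 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51530 ssh2",
    "Mar  1 10:16:40 bastion sshd[2240]: Failed password for alice from 198.51.100.20 port 40012 ssh2",
]
AFTER_UPDATE = [
    "2024-03-01T10:15:01.512345+00:00 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2",
    "2024-03-01T10:15:03.118201+00:00 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51524 ssh2",
    "2024-03-01T10:15:05.774902+00:00 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51526 ssh2",
    "2024-03-01T10:15:07.003377+00:00 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51528 ssh2",
    "2024-03-01T10:15:09.650018+00:00 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51530 ssh2",
    "2024-03-01T10:16:40.209944+00:00 bastion sshd[2240]: Failed password for alice from 198.51.100.20 port 40012 ssh2",
]

# Timestamp shapes, and the message body that is common to both formats.
BSD_TS = r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}"
ISO_TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})"
BODY = (r" (?P<host>\S+) sshd\[(?P<pid>\d+)\]: Failed password for "
        r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)")

# The parser as it was written against the old source (BSD timestamps only)
# and the corrected parser that accepts both shapes, newest first.
LEGACY_PATTERNS = [re.compile(r"^(?P<ts>" + BSD_TS + r")" + BODY)]
CURRENT_PATTERNS = [re.compile(r"^(?P<ts>" + ISO_TS + r")" + BODY)] + LEGACY_PATTERNS


def parse_batch(lines, patterns):
    """Return (events, unparsed). Each event is a dict of the named fields."""
    events, unparsed = [], []
    for line in lines:
        for pat in patterns:
            m = pat.match(line)
            if m:
                events.append(m.groupdict())
                break
        else:
            unparsed.append(line)
    return events, unparsed


def failed_login_burst(events, threshold=5):
    """Correlation rule: source addresses with >= threshold failed logins in the batch."""
    counts = Counter(e["src"] for e in events)
    return sorted(src for src, n in counts.items() if n >= threshold)


def parser_health(lines, patterns, max_unparsed=0.05, required=("ts", "host", "user", "src")):
    """Return a list of problems; an empty list means the parser still fits the source."""
    if not lines:
        return ["no events received from source"]
    events, unparsed = parse_batch(lines, patterns)
    problems = []
    ratio = len(unparsed) / len(lines)
    if ratio > max_unparsed:
        problems.append(f"{ratio:.0%} of lines unparsed (limit {max_unparsed:.0%}); "
                        f"first: {unparsed[0]!r}")
    for field in required:
        missing = sum(1 for e in events if not e.get(field))
        if missing:
            problems.append(f"{missing} parsed events lack required field {field!r}")
    return problems


if __name__ == "__main__":
    for label, lines, patterns in [
        ("before update, legacy parser", BEFORE_UPDATE, LEGACY_PATTERNS),
        ("after update, legacy parser", AFTER_UPDATE, LEGACY_PATTERNS),
        ("after update, current parser", AFTER_UPDATE, CURRENT_PATTERNS),
    ]:
        events, _ = parse_batch(lines, patterns)
        print(f"{label}: rule hits={failed_login_burst(events)} "
              f"health={parser_health(lines, patterns) or 'ok'}")
```

Run on its own, the script shows the rule firing on 203.0.113.7 before the update, returning nothing after the update with the legacy parser while the health check reports 100% unparsed lines, and firing again once the current parser is in place. In a real deployment the health check would run on a schedule against each source and page the SIEM team, because a source that is still sending data but no longer parsing looks, from the dashboard, exactly like a quiet network.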
Without proper knowledge and management, SIEM systems can end up frustrating everyone in your security department and going underutilized—or not used at all. Deployed and overseen diligently, however, a SIEM system can offer meaningful benefits.
DAVE DESIMONE is the chief security officer of security solution provider Binary Defense and has 15 years of experience in various roles within information security. In addition to being an organizer of DerbyCon, a 3,000 person information security conference, he sits on technology boards of local colleges and universities and has spoken at DefCon and other security conferences.