10 things you need to run a successful SIEM
Before going through SIEM technologies, we need to know that there are a few things to follow to successfully defend a network. By the end of this article you will understand how to choose your SIEM and why your SIEM may not be providing good results.
Some people expect that the day they implement a SIEM they will detect every attack that crosses their network, which is not true.
Running a SIEM requires enough knowledge to understand exactly which assets in your network you need in order to implement it well in your SOC environment.
In this article, we will briefly define SIEM and SOC, then go through the 10 principles needed to run a successful SIEM.
A SIEM is a security event and log management system; its basic capabilities are log collection, normalization, notifications and alerts, security incident detection, and threat response workflow.
A SIEM records data from the users' internal network (network devices, servers, and firewalls) and identifies potential signs of attack.
To have more details you can check this article SIEM Technology.
A SOC (Security Operation Center) is a division within a security cell which ensures the security of the organization at both technical and organizational levels.
In a building, a SOC is the place from which employees supervise the site with specific data processing software, monitor access, control power, alarms, etc.
To have more details you can check this article SOC technology and Best Practice.
10 Things You Need To Run A Successful SIEM
- SIEM is a plan of action
SIEM deployment is a program, not a one-time project that ends the day you finish the deployment.
The quality of the information generated by the SIEM tool improves when there is a long-term process that ensures the care and feeding of the SIEM with security information.
As we know, the SIEM is the primary enabling and supporting tool for SecOps, which means that such a platform needs:
- Dedicated budget support
- Team training
- New use cases to be developed
- Well-coordinated data
- Checks on whether old feeds are still valid
- Good quality intelligence
- Integration of the latest detection methods
You need to make sure that this process doesn't fail and that you have prepared the full recovery sequence in case something happens.
- Plan, Write then implement
There is no reason to create an alarm if the SOC doesn't know how to respond to that incident.
By taking the time to document the idea and determine how a SOC analyst needs to act, you can then create an alarm or an event-specific dashboard.
Each alarm needs to be validated with the security team to ensure that the resulting actions will allow the SOC to detect that incident (the best SIEM detection is based on the correlation of events: Event A + Event B). It is also better to make sure that the attack cannot escape detection even if its behavior changes.
Developing SOC- and SIEM-focused use cases will help to better manage such situations.
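As an added illustration (not code from the original article), here is a correlation rule of the "Event A + Event B" kind described above, written in Python over a constructed sample of normalized authentication events. The threshold, the time window, and the playbook text attached to each alert are assumptions; keying the rule on the source rather than the account is the choice that keeps a change in behaviour (spreading attempts over many users) from escaping detection.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of normalized auth events (not real data):
# (timestamp, source address, account, outcome)
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", "10.0.0.5", "alice", "failure"),
    ("2024-01-10T09:00:04", "10.0.0.5", "bob", "failure"),
    ("2024-01-10T09:00:07", "10.0.0.5", "carol", "failure"),
    ("2024-01-10T09:00:20", "10.0.0.5", "dave", "success"),
    ("2024-01-10T09:05:00", "10.0.0.9", "erin", "failure"),
    ("2024-01-10T09:05:30", "10.0.0.9", "erin", "success"),
]


def correlate_failures_then_success(events, threshold=3, window=timedelta(minutes=2)):
    """Event A: at least `threshold` failures from one source inside `window`.
    Event B: a success from that same source while A still holds.
    A followed by B raises one alert; each alert carries the response the
    SOC agreed on beforehand, so no alarm exists without a documented action.
    State is keyed on the source, not the account, so an attacker rotating
    accounts does not reset the counter."""
    recent_failures = defaultdict(deque)   # source -> timestamps of failures
    alerts = []
    for ts_str, src, user, outcome in sorted(events):   # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_str)
        q = recent_failures[src]
        while q and ts - q[0] > window:       # drop failures older than the window
            q.popleft()
        if outcome == "failure":
            q.append(ts)
        elif outcome == "success" and len(q) >= threshold:
            alerts.append({
                "source": src,
                "user": user,
                "failures_in_window": len(q),
                "at": ts_str,
                # assumed playbook text; the real one comes from the SOC's documented use case
                "playbook": "verify the login with the account owner, contain the source, reset credentials",
            })
            q.clear()                          # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    for alert in correlate_failures_then_success(SAMPLE_EVENTS):
        print(alert)
```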
- SIEM may be important, but it is not enough
The SIEM is the primary network monitoring tool; however, it cannot do the job alone.
The SIEM needs to be well maintained: the SOC monitors its system health, checks which alarms and rules need to be updated after each incident, and aggressively defends the information feeds.
The software does half of the job; implementing the right incident response in a timely manner is the other half.
Calculating metrics such as whether the software produces the right alerts and how much time the SOC needs to respond to an incident will help to evaluate the status of the process.
- Technology changes
The log and data events that the SIEM receives may change after an upgrade.
The SOC team needs to be aware of all application, system, and OS upgrades that may affect the data events received by the SIEM.
The SIEM must keep pace with data changes and event format changes.
Checking all compliance requirements and comparing them to the potential SIEM solution that you will implement is very important.
- Environment awareness
In a SIEM implementation you need to determine your scope (what you will monitor and which logs are the most valuable); the bigger the scale, the bigger the complexity. These aspects are related to each other.
Every piece of information in the network is valuable and may enhance the SIEM feeds. As the network changes over time, the SIEM will not keep giving the same output. Information such as department names and user details will help the analyst to quickly find out exactly where an alert is coming from without opening other tools, which would delay the response. Reducing the need to access other resources improves usability.
- Focus on the outcome
Make sure that you use 100% of the outcomes of the SIEM by understanding what you are really monitoring, the value that the SIEM will provide, and also its limitations, to ensure that the value chain is functional and as secure as possible.
- DNS names are better than IPs
Use logical DNS names for the systems (logging infrastructure, site model, and security zone infrastructure) that report to the SIEM, to make replacing servers easier during a maintenance period or for load balancing.
- 40 days plan
Sometimes when you are investigating an incident you will need to check old reports, especially if you want to know when you were first affected by such an attack or to check how your team resolved previous incidents. In such cases, the SOC team will need fast data access.
- Implement a good data source
When adding a new data source to the SIEM, exercise its monitoring capability to make sure that you get the most out of it and remove all unnecessary data.
Bad things happen, and at some point you may lose access to long-term data.
Searching all the previous logs generated by the SIEM and importing them again into the SIEM is not a good idea. Instead, you need to develop your own report that shows the important activity that you may need in the future.
In such a case, create a cron job that reminds you to generate those reports periodically and store them on a web server that makes them easy to parse.
You may ask here: what information do I need to include in my report?
You need to include the most important data that will help you to recreate the time-based details needed to reconstruct an event timeline.
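An added example, not from the original article: a Python report generator that condenses a constructed sample of normalized events into the per-host timeline data described above (first and last seen, counts per event type, and the ordered events themselves) and writes it as JSON to a directory assumed to be the web server's document root. The field names, the period label, and the sample events are assumptions.

```python
import json
from collections import defaultdict
from pathlib import Path

# Constructed normalized events (not real data): (timestamp, host, event type, detail)
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", "web01.corp.example", "auth_failure", "user=alice src=10.0.0.5"),
    ("2024-01-10T09:00:20", "web01.corp.example", "auth_success", "user=dave src=10.0.0.5"),
    ("2024-01-10T09:02:00", "web01.corp.example", "new_service", "name=updater"),
    ("2024-01-10T09:10:00", "db01.corp.example", "auth_success", "user=svc_backup src=10.0.0.7"),
]


def build_timeline_report(events, period):
    """Keep only what a later investigation needs to rebuild a timeline:
    per host, when activity started and stopped, how many events of each
    type occurred, and the events in order. This survives the raw logs
    aging out of the SIEM without re-importing them."""
    hosts = defaultdict(lambda: {"first_seen": None, "last_seen": None,
                                 "counts": defaultdict(int), "timeline": []})
    for ts, host, etype, detail in sorted(events):   # ISO timestamps sort chronologically
        h = hosts[host]
        h["first_seen"] = h["first_seen"] or ts
        h["last_seen"] = ts
        h["counts"][etype] += 1
        h["timeline"].append({"ts": ts, "type": etype, "detail": detail})
    # plain dicts so the result serializes cleanly
    return {"period": period,
            "hosts": {name: {**h, "counts": dict(h["counts"])} for name, h in hosts.items()}}


def write_report(report, outdir):
    """Write one JSON file per period under outdir (assumed to be served by
    the web server) so the cron-driven archive stays trivial to parse.
    Returns the path written."""
    path = Path(outdir) / f"siem-report-{report['period']}.json"
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(report, indent=2, sort_keys=True))
    return path


if __name__ == "__main__":
    import tempfile
    print(write_report(build_timeline_report(SAMPLE_EVENTS, "2024-01-10"), tempfile.mkdtemp()))
```

Schedule the script from cron with the period (for example the previous day's date) passed in as the label, and keep the output directory under the web server's root.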
In this article, we discussed the different important things that we need either before or after implementing the SIEM. The value added by the SIEM to your SOC depends on how you handle it.
This article is an introduction to other articles that will follow about SIEM; please don't hesitate to ask questions and to propose other SIEM subjects that you want me to talk about.