There are several factors without which the use of even the most advanced SIEM system will not yield the expected results. For those planning to implement a solution, it is crucial to assess how ready the company’s infrastructure and processes are for this. Experience shows that, in most cases, attention should be focused on three key components. Find out what they are in this article.
SIEM, or Security Information and Event Management, is a class of software products designed to consolidate and enrich security events from all systems and devices within a corporate network. This tool not only archives data and alerts about security incidents but also generates reports for compliance audits in accordance with regulatory requirements.
Start with Basic Security Measures
SIEM acts as a kind of overlay on top of other cybersecurity systems. Its value to a business largely depends on the existing security measures in place, such as firewalls, antivirus solutions, network traffic analysis tools, and others. It is crucial to conduct an inventory of the existing security tools before implementing the SIEM system, as this information will influence both the scope and cost of licenses and future operations.
Most SIEM solutions can integrate with any event source, which includes security tools. The difference lies in what is supported ‘out of the box’ and what requires the development of specific connectors. Therefore, when choosing a provider, it is essential to consider their expertise in creating unique integrations with custom or niche systems, both domestically and internationally.
There is a common misconception that SIEM is another security tool. In reality, the system serves as a tool for monitoring events recorded by other security solutions. Its value lies in automating and consolidating this process.
The question of whether to use security tools from the same vendor as the future SIEM remains debatable. The fact that solutions from a single manufacturer usually integrate more easily and quickly with each other is a compelling argument ‘for.’ The ‘against’ argument includes concerns about potential dependence on a single vendor, with licensing costs that may sharply increase, developers leaving the market, and other negative scenarios.
In my view, it is not advisable to choose security tools based solely on the anticipated SIEM. Whether it is the SIEM system itself or the security tools it monitors, what matters most is selecting the best solutions in their respective classes that suit your specific needs. Moreover, beginning a security programme with SIEM, before fundamental security tools are in place, can render an expensive system practically ineffective: without those tools it is impossible to predict the future volume of data and events to be processed, which in turn determines the choice of license type. It is far more effective to build the cybersecurity infrastructure incrementally, increasing the complexity of the solutions used step by step.
Develop an Effective Cybersecurity Policy
To effectively implement SIEM, a current and contextually relevant cybersecurity policy tailored to the company’s reality is essential. This policy aims to define which events and from which sources the system should collect, the set of rules for processing these events (correlation rules), and any exceptions. Such a framework provides an understanding of what SIEM should identify and categorize as prohibited.
While many SIEM solutions come with predefined rules, they might not be applicable to a specific company with its infrastructure and business processes. This can result in numerous false positives, consuming valuable time and attention from the staff.
For instance, a default SIEM rule might flag simultaneous logins to a single account from different devices, yet this may be perfectly normal in certain situations, such as self-checkout kiosks in retail or service accounts used to run a specific service on multiple servers at once.
Some companies resort to configuring event processing rules during the system’s operation by adding exceptions to built-in correlation rules as they go. However, this approach often leads to inconsistent decisions among team members and to conflicts within the team. It is therefore more effective to discuss and document these rules in advance with all relevant stakeholders.
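As an added illustration that is not part of the original article, the following Python snippet sketches the default rule described above (one account logging in from two different devices within a short window) together with a documented exception list of the kind the text recommends agreeing in advance. All account names, devices, timestamps and exception reasons are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (account, device, ISO timestamp); not real data.
SAMPLE_EVENTS = [
    ("alice", "laptop-01", "2024-03-01T09:00:00"),
    ("alice", "phone-07", "2024-03-01T09:02:00"),      # second device within 5 minutes
    ("kiosk-pos", "kiosk-a", "2024-03-01T09:00:00"),
    ("kiosk-pos", "kiosk-b", "2024-03-01T09:01:00"),   # shared self-checkout account
    ("svc-backup", "srv-01", "2024-03-01T02:00:00"),
    ("svc-backup", "srv-02", "2024-03-01T02:00:05"),   # service account on many servers
    ("bob", "laptop-02", "2024-03-01T10:00:00"),
    ("bob", "laptop-02", "2024-03-01T10:30:00"),       # same device: not concurrent
    ("carol", "laptop-03", "2024-03-01T08:00:00"),
    ("carol", "laptop-04", "2024-03-01T11:00:00"),     # outside the window
]

# Hypothetical exceptions agreed with stakeholders, each with its documented reason.
EXCEPTIONS = {
    "kiosk-pos": "shared retail self-checkout account",
    "svc-backup": "service account that runs the same job on multiple servers",
}

WINDOW = timedelta(minutes=5)


def concurrent_login_alerts(events, exceptions=None, window=WINDOW):
    """Return (alerts, suppressed): alerts for accounts seen on two different
    devices within `window`, and the same hits for excepted accounts kept
    separately so the exception stays auditable instead of silently dropped."""
    exceptions = exceptions or {}
    by_user = defaultdict(list)
    for user, device, ts in events:
        by_user[user].append((datetime.fromisoformat(ts), device))
    alerts, suppressed = [], []
    for user, logins in by_user.items():
        logins.sort()  # chronological order so the window check can stop early
        for i, (t1, d1) in enumerate(logins):
            for t2, d2 in logins[i + 1:]:
                if t2 - t1 > window:
                    break
                if d1 != d2:
                    hit = {"user": user, "devices": (d1, d2), "first": t1, "second": t2}
                    if user in exceptions:
                        hit["reason"] = exceptions[user]
                        suppressed.append(hit)
                    else:
                        alerts.append(hit)
    return alerts, suppressed
```

Running the rule without the exception list produces three alerts; with the documented exceptions only the genuinely suspicious account remains, and the two suppressed hits are still recorded with their reasons.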
In some cases, policies are written in broad terms, lacking practical applicability and grounding in the system’s real conditions and functionality. They may even contain logical contradictions, for example requiring that certain events be logged by sources that are in fact incapable of producing such logs.
Moreover, threat models in policies often appear superficial. To illustrate, consider what “data loss” means in technical terms and how it can be identified through SIEM. A well-defined policy should address these questions.
Another challenge is having a formal policy in place but not adhering to it. The good news is that SIEM, by signaling unwanted events, assists in monitoring and enforcing compliance with the regulatory requirements outlined in the policy.
Establish a Committed Workforce
Every system requires maintenance, and typically, IT personnel handle the engineering tasks and ensure the SIEM’s operational functionality. Cybersecurity specialists are responsible for monitoring prohibited events and responding to them. The required number of staff members depends on the company’s size and its infrastructure, with the minimum team consisting of two cybersecurity specialists and one IT department employee.
During the implementation of SIEM, companies face the choice between Open Source and Enterprise solutions. While the first option is more budget-friendly and formally meets regulatory requirements, the technical limitations of maintaining such a system can lead to a significant increase in personnel requirements.
An important part of this is that SIEM only functions properly if its triggers are tuned regularly and the knowledge base of exceptions to correlation rules is continuously developed. Without staff dedicated to these tasks, the company will accumulate a large but useless volume of information over time that no one can effectively manage.
Conclusion
SIEM is a crucial component of the corporate cybersecurity ecosystem, with capabilities that can significantly enhance its proactiveness and effectiveness. However, without thorough work on information sources, operational rules, and maintenance by qualified personnel, the system may become just a line item on the company’s balance sheet. To avoid this, we recommend taking a comprehensive approach to the implementation process.