5 Questions to Ask to Determine SIEM Readiness
May 10, 2018 • Bill Ouellette and Jon Papp, Aditum
Are you ready for a SIEM (security information and event management) solution? It’s a question that’s top of mind for many security professionals today. A SIEM is a powerful tool that will analyze security and threat-related data from numerous sources, but your organization must have certain underlying, foundational security in place to maximize its potential.
As Splunk professional services consultants, we’ve found that security process maturity can be a significant barrier to getting the most out of a SIEM. In this post, we examine five considerations to take into account when determining your organization’s SIEM readiness.
This post is an excerpt from our new e-book, “Are You Ready for a SIEM?” You can access the full version of the e-book here.
Triage Security Alerts Rapidly
A SIEM significantly increases visibility into vulnerabilities, deviant behavior, and critical security threats. SIEM tools can do this because they correlate logs that were previously in siloed data stores (the various security point solutions throughout the enterprise). More data sources plus the correlation of that data equals the application of security analytics that eliminates security blind spots to perform that detection much more quickly.
This improved availability of data and data correlation ensures more rapid triage of security incidents. This enables:
- Faster mean time to resolution for security incidents.
- Increased volume of incidents a security team can investigate.
- More time for proactive threat hunting activities.
Despite the clear benefits that a SIEM delivers to significantly enhance an organization’s security posture, not every organization is ready to deploy a SIEM.
Let’s examine five questions to determine if you are ready for a SIEM.
1. What problem(s) are you trying to solve?
You must understand the security use cases that you want to address prior to deploying a SIEM. Just as important, how many security use cases are you trying to address? If you are only trying to solve one problem — for instance, gaining visibility into Windows security event logs — a SIEM would be overkill. If you have many security use cases to address and already bring in a larger set of source data, a SIEM starts to make much more sense.
2. How large is your security team?
An organization with a smaller security team, or no security team in place, would be crushed by a SIEM. Managing the generation and investigation of alerts could overwhelm a smaller team. This will increase the risk that these alerts — many of which will be critical — will become “white noise” and may eventually be ignored.
On the other hand, if you have a team of security analysts (or a SOC) in place to handle events and tune the system, it makes much more sense to have a SIEM.
3. What security tools are currently in place?
A SIEM primarily aggregates and correlates data from other sources. The more security tools that an organization is using, the greater the benefit of the SIEM to provide end-to-end monitoring via the correlation of data from these various point solutions. Organizations with limited or incomplete security data sets — for instance, just firewalls, antivirus, and Active Directory (account activity) data — will not realize as many benefits from a SIEM as organizations with additional security tools (and data sources) in place such as vulnerability scanners, network intrusion detection, packet sniffers, threat intelligence sources, or password crackers. Organizations with all of these tools in place would gain tremendous value from the correlation a SIEM can provide.
4. How security focused is your company?
Risk reduction, compliance, and the creation of a more secure organization comes down to culture. This is driven at the executive level and cascades down through leadership to the staff level. When your security team needs to install monitoring software on someone else’s equipment (developers’ application servers, network infrastructure, user desktops, etc.), do they get pushback? Is the request met with a lack of urgency? An uncooperative culture makes a SIEM deployment, while certainly not impossible, much more difficult. Conversely, a security-focused culture where everyone works together to meet overall organization security goals can drive the success and value of a SIEM deployment.
5. Are your security policies well defined and documented?
The foundation of IT security is the existence of proper security policies. Rules that are built into a SIEM tool and the subsequent actions taken by security professionals are driven by underlying security policy. In other words, these policies feed into security tools, including your SIEM. What are the most sensitive targets in your environment? What are the most accessible or likely targets? Your security policies should be designed to defend your business priorities. A successful SIEM takes these priorities and makes them actionable. If it is a priority to prevent unauthorized access to information, your SIEM should monitor for brute force attempts, impossible travel logins, or terminated user logins. Without a security policy in place, actionable rules can’t be built into a SIEM tool, including downstream responses.
Would you like to learn more about SIEM readiness and which tools are best for your organization’s maturity level? Download your complimentary copy of “Are You Ready for a SIEM?”