How to Manage SIEM Solutions

February 13, 2019 Eric Dosal

Security information and event management tools, or SIEM tools, are a crucial part of modern network security architectures. However, unlike many other cybersecurity tools, SIEM solutions don’t directly work to stop cyberattacks. Instead, SIEM solutions collect information about security events on the network to generate alerts or instruct other security controls to take a pre-set action. In this way, security information and event management solutions can be invaluable for automating security incident response.

The challenge is in managing SIEM tools to eliminate false positives and sort through the massive amount of data they supply quickly and efficiently. Many organizations adopt an SIEM tool without the appropriate resources on hand to manage it—which leads to suboptimal incident response as they struggle to keep up with the ocean of data an SIEM solution can generate.

So, how can organizations manage an SIEM solution to achieve better cybersecurity without drowning in an ocean of noise?

Choosing the Right SIEM Solution

Not all SIEM solutions are the same, so it’s important to do some research before choosing one. Some things to look for in an SIEM include:

  • Use of Machine Learning. Can the SIEM learn from the data it collects to eliminate false positives and reliably discover unusual traffic or activity that indicates an active security breach? SIEM tools with machine learning capabilities help to minimize the “noise” of irrelevant data by learning to differentiate normal traffic from suspicious activity.

  • Threat Intelligence Feeds. What threat intelligence tools does the SIEM solution integrate with to “learn” about new cyber threats? Can it work with the organization’s existing threat feeds, or can it only use a few proprietary ones? Being able to work with the threat intelligence tools that are most relevant to the threats faced by the organization is crucial for ensuring long-term SIEM effectiveness.

  • Post-Incident Reports/Forensics. What reports does the SIEM tool generate following suspected security events? What information does it capture about these events to empower thorough investigations and allow cybersecurity experts to prevent future incidents? A security information and event management tool should make it easy to investigate the methodology behind an attack so future attacks may be prevented.

  • Integration with Other Security Solutions. Does the SIEM solution have the capability to trigger responses from other security tools to automate cyber threat response? If an SIEM tool can send commands to other security solutions based on observed traffic, it may be able to contain an attack before the attacker has time to break out into other assets on the network.

  • Deployment Method for the SIEM Product. The deployment method for an SIEM solution can affect its management and cost. As noted by TechTarget, “Most SIEMs require the purchase of hardware or software, while usage fees determine the costs of cloud-based SIEM services.” Hardware-based SIEM solutions that are installed locally might have a higher upfront cost for installation and hardware, while cloud-based solutions will have an ongoing subscription fee.

These are just a few of the capabilities that organizations should check for when selecting an SIEM solution. Picking the right SIEM solution is just one of the challenges of managing these network security tools effectively, however.

Managing the SIEM Data Feed

Security information and event management solutions parse a lot of information each day. For example, say that a business has just 20 employees who use the company’s network and applications regularly. If each employee has 15 interactions each hour for an eight-hour shift, that’s 2,400 total interactions each day. If the company has customer-facing apps, the sheer amount of traffic quickly becomes impossible to manage manually.

Managing an SIEM tool is, in some ways, similar to managing other “Big Data” systems. Big data tools sift through amounts of data that would be impossible to manage manually—so it’s important to consider their configuration for reports to ensure that only the most relevant data is being presented for the person (or team) managing the tool. The exact process for managing an SIEM solution may vary depending on how the solution’s dashboard is set up (or if it supports custom dashboards).

For effective SIEM solution management, organizations should have at least one person dedicated to the task. This solution expert should be familiar with the tool the organization is using—or become familiar with it through training provided by the solution maker (if available) or from someone else experienced in using the SIEM solution.

Using Managed SIEM Services

Instead of dedicating a single internal employee to manage their SIEM tools, some organizations use a managed SIEM service from a managed security service provider (MSSP). With a managed SIEM service, the MSSP provides the labor for directly managing the SIEM solution—including reviewing activity logs, configuring alert settings, and checking the SIEM software’s integrations with other network security measures.

There are a couple of benefits to using a managed SIEM service where an MSSP takes over the majority of the work:

  1. Reduced Workload for the Internal Team. Managing some of the more robust SIEM solutions internally can put significant strain on a company’s internal network security team. It can take some time for the internal team to learn to sift the important information from the “noise” that big data software can generate. Using managed SIEM helps to make sure the company’s internal network security team is only presented with the most important information.

  2. Instant Access to SIEM Specialists. SIEM management can have a steep learning curve. Until the network security team has overcome this learning curve, they may not be able to get the most value out of the company’s SIEM solution. Managed SIEM services provide near-instant access to experts in managing these big data tools—experts who can train the company’s internal cybersecurity team.

Some businesses take advantage of the MSSP’s expertise to manage an SIEM solution in the short term while providing the company’s internal team of experts with training on how to manage the solution themselves.

Need help managing your company’s SIEM solution? Contact the cybersecurity experts at Compuquip for advice on how to pick the right solution and get the most value out of it today!
