The importance of configuring and optimising your SIEM
Security Information and Event Management (SIEM) platforms play a vital role in monitoring and responding to security incidents. SIEM tools collect, analyse, and make inferences about security data from multiple sources, enabling organisations to quickly identify and respond to potential threats.
Configuring and continually optimising your SIEM around your business and its data is the only way to derive value from the tool. In this article, we’ll discuss what can go wrong if you don’t, and what expertise is needed to do justice to these powerful tools.
For any organisation wishing to build their cyber defences, a SIEM is now a crucial tool. SIEM solutions monitor and analyse data from logs, applications, devices, firewalls, antivirus software, and other security tools to aid organisations in identifying and responding to security threats as they occur.
Why do you need a SIEM?
- To know if you’ve been compromised. In a cyber attack, speed is of the essence. SIEM tools help you detect and stop illicit activity on your network sooner, so you can minimise the damage a cyber attacker can cause.
- To understand the extent and the impact of a cyber breach. SIEM tools provide valuable information needed for digital forensics and analysis, so you’ll know what access a threat actor has obtained and what systems or data have been compromised. This is essential for reporting and managing any cyber incident.
- To spot security vulnerabilities that could result in a breach in future. SIEM tools help you spot gaps in your security controls, providing an early warning system so you can improve your overall cybersecurity posture step by step.
Why should you optimise your SIEM?
SIEM platforms are only as useful as the time and effort that has gone into configuring them to suit your business and its data. Merely deploying the SIEM out of the box, or without proper configuration, can do more harm than good.
A well-optimised SIEM provides real-time visibility into an organisation’s security posture, allowing security teams to rapidly identify and mitigate security threats. This involves defining rules and policies, setting up alerts and notifications, configuring data streams, and integrating related tools with the SIEM. To do all this effectively requires a thorough understanding of your IT estate, your data, and your organisation’s security goals.
But, attempting this in isolation has its pitfalls; to derive maximum value from your SIEM, its configuration must align with your IT security policies, and beyond that, the broader business objectives. Conducting regular evaluations to ensure its optimal performance is also necessary.
What a SIEM should do:
Aggregate data and manage logs
Your SIEM should collect and log event data from selected sources such as databases, servers, users, firewalls, and applications. The solution will then aggregate, analyse, and present the data in a single location where security teams can evaluate it. Knowing which log sources to choose is vital in ensuring you have the right detection rules, and is highly specific to your business and its data.
Generate alerts from suspicious behaviour
A SIEM’s main function is to detect anomalous behaviour that may indicate a cyber attack in progress. In this event, the SIEM immediately generates an alert, allowing the team to investigate and determine whether the alert constitutes a genuine threat.
Detect data theft
SIEM solutions should detect and flag any unauthorised attempts by users to delete, copy, or transfer sensitive data outside the system.
Monitor system changes
Attempts by users to tamper with security configurations and audit logs are suspicious. SIEM platforms can identify the deletion of logs or changes to event histories, which may indicate a cyber-attack in progress.
Create a paper trail for compliance purposes
SIEM solutions should provide a clear record of what data was accessed, read, or copied, that includes the time and the user responsible. This helps you understand the extent and impact of a breach and guide how you will remediate any security vulnerabilities. This paper trail also helps organisations comply with privacy and data protection regulations. In the event of a data breach, a detailed paper trail will help you fulfil your reporting requirements to your data protection regulator.
The consequences of a poorly-configured/optimised SIEM
For the purposes of this article, we will use two terms:
- Configuration, to describe the initial set-up of the SIEM platform: its log sources, correlation rules and detection rules.
- Optimisation, to describe fine-tuning the SIEM on a recurring basis, based on analysing how accurate and useful its alerts are.
The worst case scenario for a poorly-configured SIEM is the increased risk of a successful cyber-attack, which results in the breach of sensitive information. However, long before this worst case scenario has been reached, poorly-configured SIEM platforms can lumber IT and security teams with a range of problems – some of which are technical, while others relate to people and process.
False positives and alert fatigue
If the SIEM is deployed with a standard out-of-the-box configuration, or it is poorly configured, the first thing any team will see is an avalanche of alerts. Most of these will be false positives, and sifting through them will quickly overwhelm IT and security teams, leading to alert fatigue.
“Alert fatigue essentially means becoming desensitised to the alerts that come through… When you become desensitised, you start to miss the wood for the trees. You would rather filter it out, and make assumptions on what the alert is about, instead of actively taking a proper look into what's going on. That happens because you've got so much going on.”
Shane Aisbett, Cyber Practice Service Lead
Not only is sifting through false positives a waste of time and resources, but it can lead to missed opportunities to prevent real security incidents.
Incomplete event collection
To identify suspicious activity within a data stream or log, that stream or log must be monitored. If certain data sources are missing, or if analysis rules are not properly configured, the SIEM may fail to identify unusual behaviour or potential security incidents. Indicators of compromise are then missed, and a cyber-attack that could have been spotted earlier is allowed to progress.
Spiralling license costs
The flipside of not ingesting enough logs is ingesting too many. First, this increases storage and data processing needs, causing the SIEM to consume more system resources than it requires and degrading the overall performance of the network. Second, because many SIEMs charge users based on the volume of data they process, ingesting more logs than necessary leads to higher running costs.
Threat actors not detected
When a SIEM tool lacks proper correlation rules, detection mechanisms and integrations with other tools, the Indicators of Compromise (IOCs) signalling a cyber attack in progress may not generate alerts. If these alerts are missed at an early stage, due to poor configuration, threat actors can progress their attack, inflicting even greater damage before their actions are discovered.
Limited functionality
Most good SIEM solutions integrate with other security tools for comprehensive visibility, and they can automate various manual and time-consuming tasks. However, not utilising these integration and automation capabilities restricts the SIEM’s coverage across the network and the kinds of tasks which it can automate.
Compliance failures
Poorly configured SIEM solutions may inaccurately collect and report the data required to demonstrate regulatory compliance.
Why does this happen?
Why do SIEM platforms get deployed without the configuration and optimisation they need to run effectively? There are three common root causes:
- Lack of time
- Lack of budget and resources
- Lack of expertise
All three of these root causes are inextricably linked. Without the necessary expertise, it will take longer to configure and later optimise your SIEM. The longer it takes the more budget and resources the work of configuring and optimising it consumes. And if your team are buried under an avalanche of alerts (most of which are false positives), then they will have less time to dedicate to optimising the SIEM. It’s a vicious cycle.
It is possible to purchase, configure and manage a SIEM tool on your own. But many organisations choose this route because they are unaware of the complexity involved in correctly setting up a SIEM, of the skills needed to configure and optimise it so that it runs effectively, and of the resources needed to monitor and investigate the alerts it produces.
To avoid the pitfalls of a poorly-configured SIEM, an organisation must address all three of the root causes above. To do so requires a team of dedicated experts who first configure, then monitor the SIEM, and sift through alerts to decipher false positives from genuinely suspicious behaviour. Over time, that team will further optimise detection rules to reduce the number of false positives the SIEM generates. If the existing IT or security teams lack the time and/or expertise to configure, monitor and optimise the SIEM, something suffers: either the organisation’s detection capability is diminished, or the team has less time to perform their business-as-usual tasks.
“These tools need love, care and attention, otherwise they just become a source of noise and a source of frustration.”
Tom Kinnaird, Cyber Practice Service Lead
For this reason, many organisations are looking to managed security service providers (MSSPs) to configure and monitor their SIEM as part of a Managed Detection and Response service.
How to configure, optimise and manage your SIEM
| What to do | How this will help |
|---|---|
| Choose a SIEM platform that is well-suited to your organisation and its data. | This ensures your SIEM is well-suited to ingest logs from all necessary assets across your IT estate. For example, if your organisation is Microsoft-native, and you use Azure for your cloud platform, it may make sense to use Microsoft Sentinel as your SIEM. You should also ensure that your SIEM is scalable and can grow with your data needs. |
| Configure log collection from the correct sources. | Many organisations say they want to log everything, with the aim of gathering as much data as possible to avert the potential of a cyber-attack. However, an expert SOC engineer who understands your business and its data will help eliminate log sources that aren’t adding value (because the data they ingest is less useful as an indicator of compromise, or is a duplicate of data coming from another source). They can also advise on the log sources that will have the greatest effect for detecting suspicious behaviour. |
| Compress log sizes to save space and costs. | Syslog is a standard which normalises logs, retaining only essential information in a standardised format. Syslog lets you compress logs and retain large quantities of historical data. By tuning the inputs and the data which is stored, you can dramatically reduce log sizes to reduce licence costs. |
| Feed the latest threat intelligence into your SIEM and update its detection rules in line with new attack techniques. | Expert SOC analysts use threat intelligence to make their own determination on whether an alert constitutes suspicious behaviour. But they can also programme your SIEM with new detection rules based on such threat intelligence, so it is capable of spotting the latest tactics, techniques and procedures used by threat actors. |
| Further optimise correlation rules to reduce false positives, and fine-tune detection capabilities. | The purpose of optimising the SIEM over time is to ensure its configuration is still relevant, useful, and effectively meets your organisation’s specific security requirements. The correlation rules of your SIEM will therefore be bespoke to your business and its data. In practice this can mean reviewing why false positives have been generated, by working directly with you to understand what in your environment is triggering the alerts, then further fine-tuning detection rules to tune out those false positives. Even without a cyber-attack, this process of optimisation will help tighten up security policies and processes over time. |
| Incorporate new technologies and infrastructure into your SIEM whenever your IT estate changes. | This will ensure the SIEM is well-equipped to handle changes in your network, whether they are permanent or temporary. Equally, if you have cloud engineers, new resources can sometimes be created that last for a few minutes or hours at a time. These resources need to be monitored for security purposes. |
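To make the false-positive tuning in the table above concrete, here is an added Python example (not code from the article or from any SIEM product): a naive failed-logon threshold rule beside a tuned version that still catches a password spray and a single-account burst while suppressing a service account with a stale password that an analyst has reviewed. All hosts, accounts, timestamps and the suppression list are constructed for the illustration.

```python
"""Constructed example: tuning a failed-logon correlation rule after a false-positive review."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)

def _burst(start, src, user, n, step=30):
    """n failed logons from src against user, `step` seconds apart (constructed data)."""
    return [((datetime.fromisoformat(start) + timedelta(seconds=step * i)).isoformat(), src, user) for i in range(n)]

# 10.0.5.20: backup server with a stale service-account password (benign noise).
# 10.0.9.9: one guess against many accounts. 10.0.7.7: repeated guesses at one account.
SAMPLE_EVENTS = (
    _burst("2024-01-10T09:00:00", "10.0.5.20", "svc_backup", 6)
    + [(f"2024-01-10T09:10:{10 * i:02d}", "10.0.9.9", u)
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + _burst("2024-01-10T09:20:00", "10.0.7.7", "admin", 6)
    + [("2024-01-10T09:30:00", "10.0.8.8", "bob")]  # a single mistyped password
)
MALICIOUS_SOURCES = {"10.0.9.9", "10.0.7.7"}
# (source, account) pairs reviewed and documented as benign; narrower than suppressing a whole host.
KNOWN_NOISE = frozenset({("10.0.5.20", "svc_backup")})

def _windows(events):
    """Yield (src, events) for every sliding WINDOW of failures, per source."""
    by_src = defaultdict(list)
    for ts, src, user in sorted(events):
        by_src[src].append((datetime.fromisoformat(ts), user))
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            yield src, evs[start:end + 1]

def naive_rule(events, threshold=5):
    """Out-of-the-box style rule: N failures from one source inside WINDOW."""
    return {src for src, win in _windows(events) if len(win) >= threshold}

def tuned_rule(events, threshold=5, min_accounts=3, suppressed=KNOWN_NOISE):
    """Alert on a spray across many accounts, or a burst at one account unless every pair is documented noise."""
    hits = set()
    for src, win in _windows(events):
        users = {u for _, u in win}
        documented = all((src, u) in suppressed for u in users)
        if len(users) >= min_accounts or (len(win) >= threshold and not documented):
            hits.add(src)
    return hits

def evaluate(hits, malicious=MALICIOUS_SOURCES):
    """Return (true positives, false positives) for a set of alerted sources."""
    return len(hits & malicious), len(hits - malicious)
```

Running `evaluate(naive_rule(SAMPLE_EVENTS))` against `evaluate(tuned_rule(SAMPLE_EVENTS))` shows the false positive disappearing while both genuine sources still alert; removing the suppression list brings the backup server back as an alert, which is the review step the table describes.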
How to get the most out of working with your MSSP
If you decide to buy a Managed Detection and Response service, your MSSP will monitor alerts and advise you on the best course of action in the event of a confirmed cyber-attack. As well as configuring and optimising your SIEM, investing in a Managed Detection and Response service takes the pressure off your team to investigate all alerts, triage them and determine the best course of action.
Claranet’s Managed Detection and Response service bolsters your detection capability, so you can respond to cyber attacks in minutes, with a battleplan from an expert fighting your corner.
To get the most value out of working with an MSSP, consider these three pieces of advice:
- State your security goals clearly. What are you hoping to achieve from your Managed Detection and Response service? This will enable your provider to give you more options on how they can help.
- Allow them to work closely with your IT and security teams. The more they know about your IT estate and your users’ behaviour, the better they are able to advise you on how to detect and respond to suspicious activity.
- Work with your MSSP to define a roadmap. Do you want to set up your SIEM to cover your entire IT estate from the start, or just get coverage over a section of your network or your business, to first prove its effectiveness and value, then expand from there?
To find out more about how you can improve your security posture and your ability to respond to a cyber-attack, get in touch about our Managed Detection and Response service.