Unfortunately success and SIEM are not common words used in the same sentence, instead its usually failure and SIEM. The bigger question is why? as Gartner puts it, failure to plan before buying, failure to define scope and lack of sufficient context. When the Israeli government built their security program by implement a SIEM in a project labeled “Tehila.” The SIEM was unable to handle large volumes. After the deployment was scrapped the Information Security Manager used these exact phrases, “We did it poorly”, “Poor planning” and “Poor management”.
There is a lot on the line for lack of success in the SIEM world, when 40 million credit card records were stolen from retail giant Target’s servers just between 27 November and 15 December. Eventually leading to a 46% drop in Target’s fourth quarter profits. It was clear even with a heavy investment in an SIEM and MSSP they were breached and severely impacted.
If these two examples tell you anything, it’s that time and again, companies fail to deploy SIEMs effectively. Even though big SIEM players have been around for over 15 years, organizations continue to make the same mistakes with choosing and deploying them.
SIEMs are not built for compliance management. Sure, they assist in achieving compliance, but that’s not what their primary aim is. Their primary aim is threat management. So the moment you start configuring your SIEM for compliance, it loses its real-time detection edge due to the amount of logs it has to store.
A lot of organizations configure their SIEMs to give them the same logs that their IDS can give them anyway. The heart of an SIEM is correlation, which must be integrated to all your security feeds, including IDS/ IPS, antivirus, vulnerability assessment and DLP.
A lot of organizations purchase an SIEM and the related hardware keeping in mind their average transaction volume. However, if you’re in the kind of business that have volume spikes during certain seasons (e.g. retail), have you ever wondered what happens when the volumes go up considerably? Obviously, the SIEM deployment is unable to cope with this and either malfunctions or stops functioning.
Even if you have the best SIEM implemented, finding the right team that can follow incident and event management procedures after a threat has been detected is crucial to mitigate a threat. Many organizations lack such resources due to a lack of budget or expertise in the local market.
This one is a mistake that SIEMs themselves make. Some SIEMs flood user dashboards with a lot of “stock events”. An example of a stock event is “five consecutive failed logon attempts”. It’s an event, but a security personnel is not going to investigate this because it happens so often without being a real threat. A security team can only hear amidst the noise when the SIEM throws out exceptions that really look like threats.
Choose an SIEM that delivers real-time threat management. I’d like to sum it up with this diagram.
Capabilities of a Real-Time Threat Management SIEM
Ultimately it’s an evolution in both the buyer and making sure planning, implementation and management of the SIEM needs the right investment both time and dollars, but it’s not just on the buyer. Technology also has a major hand to play in this equation. Traditional solutions need to evolve.
Your SIEM should be able to give you real-time threat detection. Period. Choose a SIEM that has global threat intelligence, advanced threat protection, noiseless log management and reporting with user friendly dashboards and actionable incident management steps. These are the basics of real-time threat management.
But don’t stop there. Think of the following questions too:
When the answer to all these questions is a resounding “Yes!”, you know you have found yourself the right SIEM.
Our in-house researchers have delved deep into the sea of SIEM failures to develop the right use cases for an SIEM deployment. Read our whitepaper on key SIEM use cases to get all the information you need to plan and scope your SIEM deployment correctly. The whitepaper includes a toolkit that you can use to evaluate your organization’s current SIEM deployment focus to help you plan your next steps better.
After all, looping this back to the beginning of this blog post, you don’t want to reiterate the same mistakes many organizations make – failure to plan before buying, failure to define scope and lack of sufficient context.
© 2015-2016 All Rights Reserved. NETMONASTERY™ and CNAM™ is a registered trademark of NETMONASTERY NSPL.