SIEMs, the Diamond in the Rough



We all have Security Information and Event Management (SIEM) systems tucked away in Security Operations Centers (SOCs), used by cyber security analysts to keep your network safe. SIEMs, pronounced the same as the word "seams" as in the seam of your shirt, are chock full of all kinds of data. Some SIEMs are so full that they are practically useless! Is yours one of these SIEMs? Do your security analysts spend minutes, hours, and sometimes even days to pull a simple number from your SIEM? Let me share some ideas on how to make your SIEM more useful.

SIEMs can be broken down into two classes: tactical and strategic, the latter also known as compliance. Each one has its purpose.

The purpose of a tactical SIEM is to provide quick answers to the burning questions that any Chief Information Officer (CIO) may have:

  • How many attempted break-ins have we had in the last year?
  • How many of those attempts were successful?
  • What was the most common method of breaking in?
  • How mature is our SOC?
  • Have we lost any data due to a network compromise?
  • What data has been lost?
  • What is the financial impact of losing that data?

The questions can go on and on ad infinitum, but the point is that the information is available in a single system that can be quickly searched for the answers.

A strategic or compliance SIEM serves a different purpose than a tactical SIEM. A strategic SIEM may be required if you are processing credit card information under the Payment Card Industry Data Security Standard (PCI DSS) and hence are required to log certain things and store those logs for a given amount of time.

Due to a misunderstanding of the PCI DSS, a compliance SIEM is often packed full of EVERYTHING that can be logged, in the hope that all of the information required to meet compliance is in there somewhere. This SIEM is a nightmare for any security analyst trying to search through it for an answer to a question. But there is a better solution that will allow you to keep all of your compliance data and still make your cyber security analysts happy: create a tactical AND a compliance SIEM!

The tactical SIEM should be a lean, mean, security analyzing and alerting machine! It should be under the control of the SOC manager, who can decide what information they need to capture and keep to do their jobs correctly. The tactical SIEM will be constantly tuned to eliminate false positives and home in on the bad guys.

For more information on this topic, reach out to me at www.baileyitconsulting.com or consider attending the new SANS course SEC555: SIEM with Tactical Analytics.