By Amy Pace
Whenever you’re talking shop with a cybersecurity analyst or insider, security information and event management (SIEM) comes up. CISOs and security analysts say SIEM hasn’t lived up to its promises, citing alert fatigue and failure to catch critical attack indicators, among other issues. But organizations shouldn’t write off SIEM technology—not just yet.
To get the most out of your SIEM, you need to realize that it’s not a magic Band-Aid. But with the right care, a SIEM product can be a powerful weapon in your security arsenal. Think of SIEM as a Triple A ballplayer who with proactive coaching and the right system goes from riding the pine to crushing in the All-Star Game.
Do data right
SIEM products are only as good as the information they receive. You could buy the best platform, add every possible integration, and it still could fall flat if it’s not configured and integrated with your organization’s assets. The problem is, the average SIEM deployment isn’t fed enough data to identify threats in the early stages of an attack.
But recently, SIEM platforms have stepped up their game. They’ve improved integration capabilities, increased scalability, and upped performance, helping organizations get the right data. It’s up to enterprises to take advantage of these capabilities.
Three areas that companies can target to enhance their SIEM capabilities are:
Integration with advanced endpoint protection (AEP) solutions
User and entity behavior analytics (UEBA)
Threat intelligence feeds
Tuning is key
While a SIEM platform is only as good as the data it’s being fed, choosing the right sources of information is the first step. Too often, organizations won’t dedicate the time or resources needed to build the right correlation rules to utilize data sources and integration points.
Organizations often rely on out-of-the-box SIEM correlation rules, along with overly sensitive threat feeds. These surface-level solutions don’t provide enough context, which only leads to more noise.
Remember: The best-tuned platform won’t do you any good if no one is acting promptly. If a critical alert is triggered by a security system but goes ignored for days or even weeks, then the return on investment of the platform equates to nada. This is what happened with the 2013 Target breach—the staff ignored their alerts, and next thing you know, Target is sending out a few million “we need to talk” emails. So, unless the SIEM product is monitored by people ready to respond, don’t count on any drastic results.
Automate and speed up response
Building a team with a real understanding of SIEM technology is easier said than done. Assembling the right crew with experience is hard—one of the biggest challenges is finding skilled security analysts and incident responders.
To alleviate these staffing challenges, enterprises should set up their SIEM stacks and processes to be as automated as possible. SIEM is one of several tools that exists within today’s cybersecurity architecture. Organizations must do a better job of formalizing mitigation and change control plans. The goal should be to speed up the response process and close vulnerabilities.
Get out of crisis mode with relevant threat intelligence
SIEM’s greatest partner in crime is threat intelligence. If you’re looking to boost security effectiveness, threat intelligence becomes the power behind the data running through your SIEM. But not all feeds are created equal. Most commercial external threat intel feeds rely on simple indicators of attack:
Bad IP addresses
While these add context to SIEM correlation rules, they aren’t enough to detect polymorphic malware drops, zero-day attacks, or multi-stage assaults throughout the cyber kill chain. The average threat feed pushes out a “shallow” set of data in large volumes, causing noise, false positives, and alert fatigue. These feeds dole out data about generic attacks, not just those relevant to an organization.
SIEM is what you make it. Giving up hope on the platform is selling SIEM short. There’s a lot of upside to the technology; you just need to have realistic expectations. If you’re still looking for solutions regarding your SIEM platform, download our new white paper, SIEM: The New Force Multiplier. Inside, we cover the topics featured above while exploring how NSS Labs can help your security team achieve more.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.