Question mark in crystal ball

5 Questions to Ask to Determine SIEM Readiness

This post was originally published on the Recorded Future blog. It was co-authored by Bill Oullette, Professional Services Consultant, and Jon Papp, Professional Services Manager at SP6. 

A SIEM (Security Incident and Event Management) solution significantly increases visibility into vulnerabilities, deviant behavior, and critical security threats.  SIEM tools can do this because they correlate logs that were previously in siloed data stores (the various security point solutions throughout the enterprise). More data sources plus the correlation of that data leads to the application of security analytics that eliminates security blind spots to perform that detection much more quickly.

This improved availability of data and data correlation ensures more rapid triage of security incidents. This enables:

  • Faster mean time to resolution for security incidents
  • An increased volume of incidents a security team can investigate
  • More time for proactive threat hunting activities

Despite the clear benefits that a SIEM delivers to significantly enhance an organization’s security posture, not every organization is ready to deploy a SIEM.

Let’s examine 5 questions to determine your organization’s SIEM readiness:

Question 1: What problem(s) are you trying to solve?
You must understand the security use cases that you want to address prior to deploying a SIEM. As important, how many security use cases are you trying to address?  If you are only trying to solve one problem – for instance, gaining visibility into Windows security event logs –  a SIEM would be overkill. If you have many security use cases to address and bring in a larger set of source data, a SIEM starts to make much more sense.

Question 2: How large is your security team?
An organization with a smaller security team, or no security team in place, would be crushed by a SIEM. Managing the generation and investigation of alerts could overwhelm a smaller team. This will increase the risk that these alerts – many of which will be critical – will become “white noise” and may eventually be ignored.

On the other hand, if you have a team of security analysts (or SOC) in place to handle events and tune the system, it makes much more sense to have a SIEM in place.

Question 3: What security tools are currently in place?
A SIEM primarily aggregates and correlates data from other sources. The more security tools that an organization is using, the greater the benefit of the SIEM to provide end-to-end monitoring via the correlation of data from these various point solutions. Organizations with limited or incomplete security data sets – for instance, just firewalls, anti-virus, and Active Directory (account activity) data — will not realize as much benefit from a SIEM as organizations with additional security tools (and data sources) in places such as vulnerability scanners, network intrusion detection, packet sniffers, threat intelligence feeds, or password crackers. Organizations with all of these tools in place would gain tremendous value from the correlation a SIEM can provide.

Question 4: How security-focused is your company?
Risk reduction, compliance, and the creation of a more secure organization comes down to culture. This is driven at the executive level and cascades down through leadership to the staff level. When your security team needs to install monitoring software on someone else’s equipment (developers’ application servers, network infrastructure, user desktops, etc.) do they get pushback? Is the request met with a lack of urgency? An uncooperative culture makes a SIEM deployment, while certainly not impossible, much more difficult.  Conversely, a security-focused culture where everyone works together to meet overall organizational security goals can drive the success and value of a SIEM deployment.

Question 5: Are your security policies well-defined and documented?
The foundation of IT security is the existence of proper security policies; rules that are built into a SIEM tool and the subsequent actions taken by security professionals are driven by an underlying security policy. In other words, these policies feed into security tools, including your SIEM. What are the most sensitive targets in your environment? What are the most accessible or likely targets? Your security policies should be designed to defend your business priorities. A successful SIEM takes these priorities and makes them actionable. If it is a priority to prevent unauthorized access to information, your SIEM should monitor for brute force attempts, impossible travel logins, or terminated user login. Without a security policy in place, actionable rules can’t be built into a SIEM tool, including downstream responses.

Security Best Practices at Your Fingertips

SP6 is a Splunk consulting firm focused on Splunk professional services including Splunk deployment, ongoing Splunk administration, and Splunk development. SP6 has a separate division that also offers Splunk recruitment and the placement of Splunk professionals into direct-hire (FTE) roles for those companies that may require assistance with acquiring their own full-time staff, given the challenge that currently exists in the market today.