A SIEM Is Like a Puppy

November 13, 2023

Security information and event management (SIEM) programs are incredibly valuable. But in order to be effective, they require significant care and attention. For many organizations, the excitement associated with SIEM’s value wanes as the reality of the commitment sets in. In this way, a SIEM is like a new puppy that is initially an exciting addition to a new environment, but it requires commitment to become fully integrated and accustomed to the space. This blog post will further explore this comparison. I will also argue that organizations lacking the people and resources to maximize their effort should consider retaining a managed security service provider (MSSP).

Why a SIEM Is Like a Puppy

When you first get a puppy, you spend lots of time playing with it. You probably buy it some toys and train it not to bark at everything and eat your shoes. You house train it and walk it, so that it gets plenty of exercise.

After you’ve had the puppy for several months, the newness wears off and you may not keep up with training. So the dog doesn’t learn any new tricks (at the age when it’s easiest to train). You don’t go for as many walks, and the dog may start to chew on shoes or have “accidents.” You’re still spending time with the pup, but maybe not as much. As the dog ages, you notice its annoying habits and you may start to think about how to do things differently next time.

The life cycle of a SIEM program is similar for many of our clients. The initial excitement for the new tool fades quickly as the reality of taking care of it sets in. The initial professional services (PS) engagement sets clients on a path for success, but that’s only the start of a long journey, requiring continual tweaks and system tuning to ensure the best results. The process and people take time to develop. Ensuring that new log sources are onboarded and tuned, and that use cases are created for them…well, you see how enthusiasm can wane.

[Image: blog-SIEM-puppy-left.png] SIEMs require continual monitoring and updating.

[Image: blog-SIEM-puppy-center.png] The commitment needed for effective SIEM management can be overwhelming.

[Image: blog-SIEM-puppy-right.png] Organizations lacking the people and resources to maximize SIEM effectiveness should consider retaining an MSSP.

Properly Managing Your SIEM

SIEMs and user and entity behavior analytics (UEBA) tools require people to run them. Unlike many other security systems, if someone isn’t looking at the logs periodically, then things will be missed, and the tool will become less effective over time. This is much like a puppy that you don’t continually monitor, observe, train or teach new tricks. In the case of many recent breaches, it wasn’t a tool that detected the anomalies on its own. It was an observant security operations center (SOC) analyst who saw something strange in the logs. This is only possible if time is spent learning what “normal” looks like so that the strangeness stands out. Our SIEMs are wonderful tools for detecting abnormalities based on the use cases built into them, but threat actors move fast and keeping up can be difficult.

Grooming the SIEM is also something that tends to fade over time. We can observe several telltale signs of a lack of grooming. Less time is spent validating the logs to verify that they’re still needed (and filtering them out if not). Old dashboards or reports consume resources but provide no value. Use cases built for a vendor that has since been replaced are still active. And many other areas of the system need love and attention.
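The grooming signs above (silent log sources, use cases whose sources are gone, dashboards nobody opens) can be checked mechanically once the SIEM's content inventory is exported. The following is an added example, not Optiv's code or any SIEM vendor's API; the inventory, source names and thresholds are constructed for illustration, and a real deployment would pull the same data from the SIEM's log-source, rule and dashboard management interfaces.

```python
"""Grooming check: find silent log sources, orphaned use cases and unused
dashboards in a SIEM content inventory.

Added example, not Optiv's code or any SIEM vendor's API. The inventory
below is constructed; in practice it would be pulled from the SIEM's
log-source, rule and dashboard management interfaces.
"""
from datetime import datetime, timedelta

# Constructed: each log source with the timestamp of the last event received.
LOG_SOURCES = {
    "dc01-security": "2023-11-12T08:00:00",
    "fw-edge-01": "2023-11-12T07:30:00",
    "legacy-av-console": "2023-06-01T12:00:00",  # vendor replaced months ago
    "vpn-gw-02": "2023-10-01T00:00:00",          # forwarder quietly broke
}

# Constructed: each use case (correlation rule) and the sources it depends on.
USE_CASES = {
    "AD privileged group change": ["dc01-security"],
    "Firewall denied outbound spike": ["fw-edge-01"],
    "Legacy AV malware detection": ["legacy-av-console"],
    "VPN brute force": ["vpn-gw-02"],
}

# Constructed: each dashboard or scheduled report and when it was last viewed.
DASHBOARDS = {
    "SOC overview": "2023-11-13T06:00:00",
    "Legacy AV summary": "2023-05-20T09:00:00",
}


def stale_items(last_seen, now, max_age):
    """Names whose last-seen timestamp is older than max_age, sorted."""
    return sorted(
        name for name, stamp in last_seen.items()
        if now - datetime.fromisoformat(stamp) > max_age
    )


def groom_report(now, source_max_days=7, dashboard_max_days=90):
    """Summarise what needs grooming as of `now` (datetime or ISO string).

    A silent source is either decommissioned content to retire or a broken
    feed hiding a detection gap; a use case that depends on a silent or
    unknown source can no longer fire and needs the same decision.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    silent = set(stale_items(LOG_SOURCES, now, timedelta(days=source_max_days)))
    orphaned = sorted(
        name for name, deps in USE_CASES.items()
        if any(dep in silent or dep not in LOG_SOURCES for dep in deps)
    )
    unused = stale_items(DASHBOARDS, now, timedelta(days=dashboard_max_days))
    return {
        "silent_sources": sorted(silent),
        "orphaned_use_cases": orphaned,
        "unused_dashboards": unused,
    }


if __name__ == "__main__":
    for key, items in groom_report("2023-11-13T12:00:00").items():
        print(f"{key}: {items}")
```

Run against the constructed inventory on 13 November 2023, the report flags both the retired AV console and the VPN gateway as silent. The first is content to retire along with its rule and dashboard; the second is the more dangerous case, a source that still looks onboarded while its use case has been unable to fire for weeks.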

Our most mature clients hold frequent sessions with the SMEs whose systems generate the logs. In these sessions they validate use cases by taking specific actions, confirm that parsing is correct and nothing has changed, learn of any new security threats, and evaluate any other upcoming system changes. Examples include meeting with the Active Directory team to validate that all authentication and group-change use cases are still working, or adding a user to and then removing it from the Domain Admins or another privileged group. These activities validate that rules are firing and that everyone understands and practices responding to the events. Inviting legal and communication teams to the meetings a few times a year also helps to fully test your response procedures and plans (as well as build cross-team relationships). This way, when something bad does happen, people already know each other and understand their roles in the response.
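The Active Directory exercise described above, a test account added to and removed from Domain Admins while the SOC watches the rule, can be expressed as a rule plus a validation check that fails loudly when a parser change stops the fields arriving. This is an added example, not Optiv's or any SIEM vendor's code; the events are constructed dicts that borrow Windows Security event IDs and field names (4728/4729 are member added to/removed from a security-enabled global group) but are not real log output, and the account and group names are placeholders.

```python
"""Privileged-group-change use case plus the validation exercise from the
text: add a test account to Domain Admins, remove it, and confirm the rule
fired both times and the parser still delivers the fields the rule needs.

Added example, not Optiv's or any SIEM vendor's code. Events are constructed
dicts that borrow Windows Security event IDs and field names but are not
real log output; account and group names are placeholders.
"""
from dataclasses import dataclass

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}

# Event ID -> membership action, for the group types Windows logs separately.
GROUP_CHANGE_EVENTS = {
    4728: "added", 4729: "removed",  # security-enabled global group
    4732: "added", 4733: "removed",  # security-enabled local group
    4756: "added", 4757: "removed",  # security-enabled universal group
}


@dataclass(frozen=True)
class Alert:
    action: str
    member: str
    group: str
    actor: str


def privileged_group_change_rule(events):
    """Alert on every add/remove against a privileged group.

    Uses .get() throughout so a renamed or unparsed field does not crash the
    rule; it just stops matching. That silent failure is exactly what the
    validation exercise below exists to catch.
    """
    alerts = []
    for ev in events:
        action = GROUP_CHANGE_EVENTS.get(ev.get("EventID"))
        group = ev.get("TargetGroupName")
        if action and group in PRIVILEGED_GROUPS:
            alerts.append(Alert(action, ev.get("MemberName"), group,
                                ev.get("SubjectUserName")))
    return alerts


def validate_use_case(events, test_member):
    """Did the rule see both the add and the remove for the test account?"""
    actions = {a.action for a in privileged_group_change_rule(events)
               if a.member == test_member}
    return {"add_detected": "added" in actions,
            "remove_detected": "removed" in actions}


def rename_field(events, old, new):
    """Simulate a parser change that renames a field on every event."""
    out = []
    for ev in events:
        ev = dict(ev)
        if old in ev:
            ev[new] = ev.pop(old)
        out.append(ev)
    return out


# Constructed events from one validation session: logon noise, the test add,
# an unprivileged group change that must not alert, and the test remove.
SESSION_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "admin.jdoe", "LogonType": 10},
    {"EventID": 4728, "SubjectUserName": "admin.jdoe",
     "MemberName": "uc-test-user", "TargetGroupName": "Domain Admins"},
    {"EventID": 4728, "SubjectUserName": "helpdesk.ops",
     "MemberName": "new.hire", "TargetGroupName": "Sales"},
    {"EventID": 4729, "SubjectUserName": "admin.jdoe",
     "MemberName": "uc-test-user", "TargetGroupName": "Domain Admins"},
]

# Constructed: the same session after a parser update renamed the group
# field. Nothing errors; the rule simply goes quiet.
BROKEN_PARSE_EVENTS = rename_field(SESSION_EVENTS, "TargetGroupName", "TargetGroup")


if __name__ == "__main__":
    print("healthy parser:", validate_use_case(SESSION_EVENTS, "uc-test-user"))
    print("renamed field: ", validate_use_case(BROKEN_PARSE_EVENTS, "uc-test-user"))
```

The point of running the exercise rather than only reading the rule is the second result: a parser change leaves the rule syntactically fine and the dashboard green, and only the scheduled add/remove of a test account shows that nothing fires anymore.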

SIEMs and MSSPs

An area many clients are focusing on now is training the puppy to be a guard dog. Integrating or configuring the SIEM platform with an automation tool greatly enhances its effectiveness and lessens the load on the first tier of analysts. The tool will need to be well tuned, and enrichment sources should also be identified to gain the maximum value out of automation.

To ensure your SIEM doesn’t become a neglected puppy, it is important to build out the process required to keep it functioning well over time, not just during the initial PS deployment. If the people and processes needed to keep the system running are more than your organization is able to invest in, consider a managed security service provider (MSSP) who can help out. Think of this like hiring a dog walker or taking the pup to a training class.

Make sure your MSSP provides you with the information you need to ensure the “walks” are happening as scheduled and that they’re not just sending you alerts from the tool. You’ll still need some people on your team to work with the MSSP and investigate alerts, and your relationship will only be as good as the commitment and time that you put into it.

And just like with a feisty new puppy, frequent wellness visits / health checks are essential. Ensure that your system hums along at peak performance and that your use cases are still functioning as designed. Keep training current for all your people—and not just in the use of the tool. Keeping up with incident response and industry-specific classes also helps assure the security of your operation. Watch your favorite news sources for information on what threat actors are up to, and build new content or onboard new log sources to detect the emerging threats.

By building out your processes and people, your SIEM technology will stay as cute and cuddly as your puppy for a long time.

Marty McDonald
Sr. Demand & Delivery Manager, CDAS | Optiv
Marty is a subject matter expert in the design and implementation of security incident and event management (SIEM) systems and is well versed in creating detection mechanisms that enhance security operation centers and compliance effectiveness. He has 20 years of deep cyber security industry experience gained from a variety of value-added resellers and solutions integrators. Prior roles include Senior Consultant in Security Intelligence for Datalink and Senior Consultant in the Technology Solutions Delivery organization at Accenture.