Every Solution You Can Imagine – and More
What cybersecurity solution do you need? From Zero Trust to ADR, IAM, risk/privacy, data protection, AppSec and threat, securing digital transformation, to resiliency and remediation, we can build the right program to help solve your challenges.
A Single Partner for Everything You Need
Optiv works with more than 450 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv
Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner.
However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
November 13, 2023
Security information and event management (SIEM) programs are incredibly valuable. But in order to be effective, they require significant care and attention. For many organizations, the excitement associated with SIEM’s value wanes as the reality of the commitment sets in. In this way, a SIEM is like a new puppy that is initially an exciting addition to a new environment, but it requires commitment to become fully integrated and accustomed to the space. This blog post will further explore this comparison. I will also argue that organizations lacking the people and resources to maximize their effort should consider retaining a managed security service provider (MSSP).
When you first get a puppy, you spend lots of time playing with it. You probably buy it some toys and train it not to bark at everything and eat your shoes. You house train it and walk it, so that it gets plenty of exercise.
After you’ve had the puppy for several months, the newness wears off and you may not keep up with training. Do the dog doesn’t learn any new tricks (when it’s easiest to train). You don’t go for as many walks, and the dog may start to chew on shoes or have “accidents.” You’re still spending time with the pup, but maybe not as much. As the dog ages, you notice its annoying habits and you may start to think about how to do things differently next time.
The life cycle of a SIEM program is similar for many of our clients. The initial excitement for the new tool fades quickly as the reality of taking care of it sets in. The initial professional services (PS) engagement sets clients on a path for success, but that’s only the start of a long journey, requiring continual tweaks and system tuning to assure the best results. The process and people take time to develop. Ensuring that new log sources are onboarded and tuned, and that use cases created for them…well, you see how enthusiasm can wane.
SIEMs require continual monitoring and updating.
The commitment needed for effective SIEM management can be overwhelming.
Organizations lacking the people and resources to maximize SIEM effectiveness should consider retaining an MSSP.
SIEMs and user and entity behavior analytic (UEBA) tools require people to run them. Unlike other security systems, if someone isn’t looking at the logs periodically, then things will be missed, and the tool will become less effective over time. This is much like a puppy that you don’t continually monitor, observe, train or teach new tricks. In the case of many recent breaches, it wasn’t a tool that detected the anomalies on its own. It was an observant security operations center (SOC) analyst who saw something strange in the logs. This is only possible if time is spent knowing what “normal” looks like so that the strangeness stands out. Our SIEMs are wonderful tools for detecting abnormalities based on the use cases built into them, but threat actors move fast and keeping up can be difficult.
Grooming the SIEM is also something that seems to fade over time. We can observe several telltale signs of a lack of grooming. Less time is spent validating the logs to verify that they’re still needed (and filtered out if not). Old dashboards or reports consume resources but provide no value. Use cases built for an old vendor are still active. And many other areas of the system need love and attention.
Our most mature clients hold frequent sessions with the SMEs whose systems are generating the logs to validate use cases by taking specific actions, ensure that parsing is correct and nothing has changed, learn of any new security threats and evaluate any other upcoming system changes. Examples might include meeting with the Active Directory team to validate that all authentication and group change use cases are still working or adding and removing a user from the domain admins or other privileged group. These activities validate that rules are firing and that everyone understands and practices responding to the events. Inviting legal and communication teams to the meetings a few times a year also helps to fully test your response procedures and plans (as well as build cross-team relationships). This way, when something bad does happen, people already know each other and understand their roles in the response.
An area many clients are focusing on now is training the puppy to be a guard dog. Integrating or configuring the SIEM platform with an automation tool greatly enhances its effectiveness and lessens the load on the first tier of analysts. The tool will need to be well tuned, and enrichment sources should also be identified to gain the maximum value out of automation.
To ensure your SIEM doesn’t become a neglected puppy, it is important to build out the process required to keep it functioning well over time, not just during the initial PS deployment. If the people and processes needed to keep the system running are more than your organization is able to invest in, consider a managed security service provider (MSSP) who can help out. Think of this like hiring a dog walker or taking the pup to a training class.
Make sure your MSSP provides you with the information you need to ensure the “walks” are happening as scheduled and that they’re not just sending you alerts from the tool. You’ll still need some people on your team to work with the MSSP and investigate alerts, and your relationship will only be as good as the commitment and time that you put into it.
And just like with a feisty new puppy, frequent wellness visits / health checks are essential. Ensure that your system hums along at peak performance and that your use cases are still functioning as designed. Keep training current for all your people—and not just in the use of the tool. Fluency with other incident response and industry-specific classes help assure the security of your operation. Watch your favorite news sources for information on what threat actors are up to and build new content or onboard new log sources to detect the emerging threats.
By building out your processes and people, your SIEM technology will stay as cute and cuddly as your puppy for a long time.
May 11, 2021
Maximize your technology investments with Optiv's optimization services.
January 22, 2020
Our Security Program Foundation Assessment (SPFA) helps you holistically evaluate and focus your program.
Let us know what you need, and we will have an Optiv professional contact you shortly.