SIEM is Like a Puppy
April 20, 2021
- Security information and event management programs are incredibly valuable, but in order to be effective they require significant care and attention.
- For many organizations the excitement associated with SIEM’s value wanes as the reality of the commitment sets in.
- Organizations lacking the people and resources to maximize their effort should consider retaining an MSSP.
When you first get a puppy you spend lots of time playing with it. You probably buy it some toys and train it not to bark at everything and eat your shoes. You house train it and walk it so it gets plenty of exercise.
After you’ve had the puppy for several months the newness wears off and you may not keep up with training, so the dog doesn’t learn any new tricks (when it’s easiest to train). You don’t go for as many walks, and the dog may start to chew on shoes or have “accidents.” You’re still spending time with the pup, but maybe not as much.
As the dog ages you notice its annoying habits and you may start to think about how to do things differently next time.
The life cycle of a security information and event management (SIEM) program is similar for many of our clients. The initial excitement for the new tool fades quickly as the reality of taking care of it sets in. The initial professional services (PS) engagement sets clients on a path for success, but that’s only the start of a long journey requiring continual tweaks and system tuning to assure the best results. The process and people take time to develop. New log sources must be onboarded and tuned, and use cases created for them, and the enthusiasm for that ongoing work can wane.
SIEMs and user and entity behavior analytic (UEBA) tools require people to run them. Unlike other security systems, if someone isn’t looking at the logs periodically things will be missed and the tool will become less effective over time. Many recent breaches weren’t discovered by the tools themselves but by an observant security operations center (SOC) analyst who saw something strange in the logs. This is only possible if time is spent knowing what “normal” looks like so that the strangeness stands out. Our SIEMs are wonderful tools for detecting abnormalities based on the use cases built into them, but threat actors move fast and keeping up can be difficult.
Grooming the SIEM is also something that seems to fade over time. Less time is spent validating the logs to verify that they’re still needed (and filtered out if not); old dashboards or reports consume resources but provide no value; use cases built for an old vendor are still active; and many other areas of the system need love and attention.
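The grooming described above can be turned into a routine check. The following is an added example, not code from the original post: it reconciles a rule inventory against a log-source inventory to find rules that read a retired feed, rules that have gone silent, and active feeds that no rule consumes. The inventories, field names and the 90-day staleness threshold are constructed assumptions standing in for what a SIEM's API or export would return.

```python
"""Reconcile SIEM correlation rules against log sources and firing history.

Added example, not from the original post. RULES and LOG_SOURCES are
constructed inventories; the field names and thresholds are assumptions.
"""
from datetime import date

# Reference date for the staleness calculation (constructed).
TODAY = date(2021, 4, 20)

# Constructed rule inventory: which log sources each rule reads and when it
# last produced an alert (None = never fired since deployment).
RULES = [
    {"name": "AD privileged group change", "sources": ["windows-security"], "last_fired": date(2021, 4, 18)},
    {"name": "Legacy proxy beacon",        "sources": ["proxy-legacy"],     "last_fired": date(2020, 6, 1)},
    {"name": "VPN brute force",            "sources": ["vpn-firewall"],     "last_fired": None},
    {"name": "EDR high severity",          "sources": ["edr"],              "last_fired": date(2021, 4, 19)},
]

# Constructed log-source inventory: whether the feed is still active and its daily volume.
LOG_SOURCES = {
    "windows-security": {"active": True,  "events_per_day": 12_000_000},
    "proxy-legacy":     {"active": False, "events_per_day": 0},           # vendor replaced, feed retired
    "vpn-firewall":     {"active": True,  "events_per_day": 300_000},
    "edr":              {"active": True,  "events_per_day": 50_000},
    "netflow":          {"active": True,  "events_per_day": 80_000_000},  # ingested, but no rule reads it
}


def stale_rules(rules, sources, today, max_silent_days=90):
    """Return (rule name, reason) for rules that need attention.

    A rule is flagged if it reads a retired or unknown source, has never
    fired (rule or parsing is probably broken), or has been silent longer
    than max_silent_days.
    """
    findings = []
    for rule in rules:
        dead = [s for s in rule["sources"] if not sources.get(s, {}).get("active")]
        if dead:
            findings.append((rule["name"], "reads retired/unknown source(s): " + ", ".join(dead)))
            continue
        if rule["last_fired"] is None:
            findings.append((rule["name"], "never fired: rule or parsing is probably broken"))
            continue
        silent_days = (today - rule["last_fired"]).days
        if silent_days > max_silent_days:
            findings.append((rule["name"], f"silent for {silent_days} days"))
    return findings


def unconsumed_sources(rules, sources):
    """Active feeds no rule reads, with volume: candidates to filter out or to build use cases for."""
    used = {s for rule in rules for s in rule["sources"]}
    return sorted((name, meta["events_per_day"]) for name, meta in sources.items()
                  if meta["active"] and name not in used)


if __name__ == "__main__":
    for name, reason in stale_rules(RULES, LOG_SOURCES, TODAY):
        print(f"RULE   {name}: {reason}")
    for name, volume in unconsumed_sources(RULES, LOG_SOURCES):
        print(f"SOURCE {name}: {volume:,} events/day with no consuming rule")
```

Run against the constructed inventories this flags the legacy proxy rule (its feed is retired), the VPN rule (never fired) and the netflow feed (80 million events a day that no rule consumes). Whether an unconsumed feed should be filtered or given a use case is a judgement for the grooming session; the check only surfaces it.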
Our most mature clients hold frequent sessions with the SMEs whose systems are generating the logs to validate use cases by taking specific actions, ensuring the parsing is correct and nothing has changed, learning of any new security threats against the system and evaluating any other upcoming system changes. Examples include meeting with the Active Directory team to validate that all authentication and group-change use cases are still working, for instance by adding a user to and then removing them from the Domain Admins or another privileged group; these activities validate that the rules are firing and that everyone understands and practices responding to the events. Inviting legal and communication teams to the meetings a few times a year also helps to fully test your response procedures and plans (as well as building the relationship between the teams). This way, when something bad does happen, people already know each other and understand their roles in the response.
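The validation session above ("add a user to a privileged group, then remove them, and confirm the rule fires for both steps") can be scripted against the events the SIEM collected. The following is an added example, not code from the original post: a minimal privileged-group-change rule over constructed Windows Security events in JSON-per-line form, plus a check that the planned test actions each produced an alert. The event IDs (4728/4732/4756 for a member added to a security-enabled global/local/universal group, 4729/4733/4757 for a member removed) and field names follow the Windows audit schema; the sample events, the rule logic and the validation function are constructed assumptions.

```python
"""Validate a privileged-group-change use case against constructed sample events.

Added example, not from the original post. SAMPLE_LOG is a constructed export
in a simplified JSON-per-line shape; the rule and validation functions are
hypothetical and not any SIEM product's own.
"""
import json

# Windows Security event IDs for membership changes to security-enabled groups.
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
GROUP_REMOVE_EVENTS = {4729: "global", 4733: "local", 4757: "universal"}

# Groups whose membership changes should always alert (constructed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample events: the planned test (jdoe added to and removed from
# Domain Admins), an unrelated group change, a logon, and a local admin change.
SAMPLE_LOG = """\
{"TimeCreated":"2021-04-20T09:00:01Z","EventID":4728,"TargetUserName":"Domain Admins","MemberName":"CN=jdoe,CN=Users,DC=corp,DC=example","SubjectUserName":"admin.ops"}
{"TimeCreated":"2021-04-20T09:00:05Z","EventID":4728,"TargetUserName":"Marketing","MemberName":"CN=asmith,CN=Users,DC=corp,DC=example","SubjectUserName":"helpdesk1"}
{"TimeCreated":"2021-04-20T09:02:30Z","EventID":4729,"TargetUserName":"Domain Admins","MemberName":"CN=jdoe,CN=Users,DC=corp,DC=example","SubjectUserName":"admin.ops"}
{"TimeCreated":"2021-04-20T09:03:00Z","EventID":4624,"TargetUserName":"jdoe","SubjectUserName":"-"}
{"TimeCreated":"2021-04-20T09:04:00Z","EventID":4732,"TargetUserName":"Administrators","MemberName":"CN=svc_backup,CN=Users,DC=corp,DC=example","SubjectUserName":"admin.ops"}
"""


def parse_events(raw):
    """Parse JSON-per-line records. Malformed lines are skipped rather than fatal;
    a sudden rise in skipped lines is the parsing regression the session should catch."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def privileged_group_change_rule(events):
    """Emit one alert per add/remove of a member in a privileged group."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in GROUP_ADD_EVENTS:
            action = "added"
        elif eid in GROUP_REMOVE_EVENTS:
            action = "removed"
        else:
            continue
        if ev.get("TargetUserName") in PRIVILEGED_GROUPS:
            alerts.append({
                "time": ev.get("TimeCreated"),
                "action": action,
                "group": ev["TargetUserName"],
                "member": ev.get("MemberName", ""),
                "actor": ev.get("SubjectUserName"),
            })
    return alerts


def validate_use_case(events, group, member, actions=("added", "removed")):
    """Check that each planned test action produced an alert for the given group and member.
    Returns {action: bool} so a failure points at which step went missing."""
    alerts = privileged_group_change_rule(events)
    return {
        action: any(a["action"] == action and a["group"] == group and member in a["member"]
                    for a in alerts)
        for action in actions
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in privileged_group_change_rule(evs):
        print(alert)
    print("Domain Admins test:", validate_use_case(evs, "Domain Admins", "jdoe"))
```

On the constructed sample the rule raises three alerts (jdoe added to and removed from Domain Admins, and svc_backup added to the local Administrators group) and the validation for the planned jdoe test reports both steps as seen. In a real session the same check is run against the events the SIEM actually ingested, so a silent log source or a changed field name shows up as a False rather than as a missed incident months later.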
An area many clients are focusing on now is training the puppy to be a guard dog. Integrating or configuring the SIEM platform with an automation tool greatly enhances its effectiveness and lessens the load on the first tier of analysts. The tool will need to be well tuned and enrichment sources identified to gain the maximum value out of automation.
To ensure your SIEM doesn’t become a neglected puppy, build out the process required to keep it functioning well over time, not just during the initial PS deployment. If the people and process needed to keep the system running are more than your organization is able to invest in, consider a managed security service provider (MSSP) who can help out. Think of this like hiring a dog walker or taking the pup to a training class.
Make sure your MSSP provides you with the information you need to ensure the “walks” are happening as scheduled and that they’re not just sending you alerts from the tool. You’ll still need some people on your team to work with the MSSP and investigate alerts, and your relationship will only be as good as the commitment and time that you put into it.
And just like with a feisty new puppy, frequent wellness visits / health checks are essential; ensure that your system hums along at peak performance and that your use cases are still functioning as designed. Keep training current for all your people, and not just in the use of the tool; incident response and industry-specific training also helps assure the security of your operation. Watch your favorite news sources for information on what threat actors are up to and build new content or onboard new log sources to detect the emerging threats.
By building out your processes and people, your SIEM technology will stay as cute and cuddly as your puppy for a long time.