How to Improve SIEM In 3 Steps

How to Make Your SIEM Better

A SIEM platform's effectiveness is a product of its environment. SIEMs do a certain amount "out of the box," but they need the right mix of fit, understanding, configuration, and augmentation to deliver actual and sustained value.

Finding this SIEM sweet spot is a three-step process.

Understand whether you actually need a SIEM

Fit your SIEM into your security program, not the other way around.

Without a dedicated SOC or staff able to act like a SOC, it will be difficult to see value from any SIEM deployment. The actual financial cost of a SIEM deployment doesn't matter because even "free" SIEMs are far from free. 

SIEM deployments tend to take months, and the operational maintenance of a SIEM can require two to five full-time staff depending on coverage. This is without the costs of data ingestion and processing.

If you're responsible for security in a smaller organisation (especially outside of regulated industries), you probably don't need a SIEM. To meet compliance and monitoring requirements, smaller companies might be better off implementing PowerShell or Python scripts that report the events they want to log.

Depending on where you are in your SIEM deployment journey, it often makes sense to reconsider your SIEM deployment and look at a managed SOC or a security automation solution instead. 

Filter logs to reduce noise

If one rule sums up how to make a SIEM better, it's this: rubbish in equals rubbish out.

After you decide to keep your SIEM, you need to ensure its data intake and use are efficient. Useful events to monitor are those that tell you something terrible is happening either because they happen once (e.g., disabling AV) or because they happen in exceptionally high volumes (e.g., thousands of files being deleted).

The key to SIEM efficiency is to avoid sending high volumes of unnecessary logs that do neither of these things. Sending useless logs into your SIEM and storing them can a) cost a lot of money in unnecessary data processing and storage fees and b) create more false positive alerts (aka "noise") than would otherwise be the case.

First, to reduce the volume of useless logs coming into your SIEM, decide which events reflect compromise or insider threat behaviour. Then create an audit policy in Windows that stops collecting the event categories that don't align with this goal. You can follow Microsoft's official audit policy recommendations to see which events are essential to monitor.

A good example is auditing object access. You might want alerts when users delete files but not when they merely read them or change other permissions. To do this, it's critical to collect only the logs relevant to that action, not every event related to object access. Cybersectalk.com has a great guide on how to do this.
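The object-access case above, as an added example that is not part of the original post: a source-side filter that forwards Windows Security events only when they evidence a file deletion and drops read-style access, reporting how much volume it removed. The sample records are constructed here to stand in for events 4663 ("An attempt was made to access an object") and 4660 ("An object was deleted"); the field names follow the Security log, and the choice to forward only the DELETE bit is this example's policy, not the article's.

```python
"""Source-side filter for Windows object-access audit events (constructed sample)."""

# File access-right bits as they appear in the 4663 AccessMask field.
ACCESS_BITS = {
    0x1: "ReadData",
    0x2: "WriteData",
    0x4: "AppendData",
    0x80: "ReadAttributes",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}

# Policy choice for this example: forward only deletions. Read-style access
# (ReadData, ReadAttributes, READ_CONTROL) is dropped before it reaches the SIEM.
FORWARD_MASK = 0x10000          # DELETE
ALWAYS_FORWARD_IDS = {4660}     # "object deleted" carries no AccessMask; always a delete


def decode_mask(mask: int) -> list:
    """Human-readable names of the set access bits, lowest bit first (for analysts)."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]


def should_forward(event: dict) -> bool:
    """Keep an event only if it evidences a deletion."""
    if event["EventID"] in ALWAYS_FORWARD_IDS:
        return True
    if event["EventID"] != 4663:
        return False
    mask = int(event["AccessMask"], 16)   # Security log renders the mask as hex text, e.g. "0x10000"
    return bool(mask & FORWARD_MASK)


def filter_events(events: list) -> tuple:
    """Return (events to forward, percentage of input dropped)."""
    kept = [e for e in events if should_forward(e)]
    dropped_pct = 100.0 * (len(events) - len(kept)) / len(events) if events else 0.0
    return kept, dropped_pct


# Constructed sample: one user opening a spreadsheet, a backup account reading
# metadata, and one user deleting a document (4663 with DELETE followed by 4660).
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "alice", "ObjectName": r"C:\Finance\q3.xlsx", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "alice", "ObjectName": r"C:\Finance\q3.xlsx", "AccessMask": "0x80"},
    {"EventID": 4663, "SubjectUserName": "svc-backup", "ObjectName": r"C:\Finance\q3.xlsx", "AccessMask": "0x20080"},
    {"EventID": 4663, "SubjectUserName": "alice", "ObjectName": r"C:\Finance\q3.xlsx", "AccessMask": "0x2"},
    {"EventID": 4663, "SubjectUserName": "bob", "ObjectName": r"C:\Finance\old.docx", "AccessMask": "0x10000"},
    {"EventID": 4660, "SubjectUserName": "bob", "ObjectName": r"C:\Finance\old.docx"},
]

if __name__ == "__main__":
    kept, pct = filter_events(SAMPLE_EVENTS)
    print(f"forwarded {len(kept)} of {len(SAMPLE_EVENTS)} events, dropped {pct:.1f}%")
```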

You can also use an AI-powered SIEM augmentation tool like SenseOn to reduce log ingestion at the source. 

Review and update rules by attacking yourself

To stop threats, SIEMs depend on correlating events through pre-instructed rule sets. This can be very effective at picking up routine indicators of compromise. However, it's important to remember that rules are static, and threats are dynamic. 

One study found that most SIEM deployments are unprepared for 84% of the attack techniques detailed in the MITRE ATT&CK framework.

To keep up, SIEM rules need constant tweaking and updating. Start with the out-of-the-box rules (your SIEM is likely to have several hundred rules built in), then figure out which rules you need by testing your security posture against the MITRE ATT&CK framework.

Testing is the key here. More rules will not necessarily create more security but will undoubtedly lead to more alerts and noise. Ultimately, you need to purple team your environment. Attacking yourself and learning where coverage gaps are is the only way to find security gaps reliably.

If your security team lacks the resources to do this, contracting a managed SIEM service might be more cost-effective. 

Improve Your SIEM with SenseOn

SenseOn's platform uses machine learning to make SIEMs less noisy, more resource efficient, and vastly more effective at detecting and reacting to threats. 

SenseOn's SIEM augmentation solution can:

  • Reduce SIEM log ingestion by 60%. 

  • Use SIEM data to detect advanced threats without manual configuration.

  • Fill in gaps left by EDRs and NDRs.

  • Automatically filter false positive alerts.

  • Present your SOC or security team with complex cases to speed up the mean time to resolution (MTTR).

Arrange a demo to learn more about how SenseOn can improve your SIEM today.
