What Your SOC's SIEM Needs To Do Next

Security information and event management (SIEM) tools are an essential part of a typical security operations centre (SOC). At the same time, they can cause as many cybersecurity problems as they solve. As former enterprise security operations manager Brad Freeman described in a previous blog post, you can invest multiple years and millions of pounds deploying and configuring a SIEM system only to end up with an “immense amount of noise.”

The core reason is data. SIEMs can be great systems for normalising, centralising and storing event information, yet they do this job almost too well. To make sense of everything a SIEM collects by hand, you would need a predictable IT environment, no time pressure, limitless staff, and a team on call 24/7 that triages every single alert forensically and fine-tunes detections constantly.

In the real world, even a highly customised SIEM platform can overload security professionals with alerts without surfacing the information needed to investigate suspicious activity and security incidents. All haystack, no needle.

The result is security team malfunction and missed cyber threats. The only variable is how that malfunction manifests itself: as “distracted analysts playing whack-a-mole”, as growing workloads (something that over 30% of SOCs report as an issue) or even as a total SIEM deployment failure.

Whether you have just finished a SIEM deployment, are gaming out a proof of concept (POC) for a potential SIEM install, or have been struggling with your SIEM for a while, you need to head off these challenges straight away. Here are the three things your SIEM needs to do next.

Deliver Business Value

SIEMs, like all security solutions, are an investment, and investments are made to generate returns. For a SIEM, return on investment means fulfilling its purpose as a security solution and delivering business value.

This is what you or your CISO will need to communicate to the board: how does your SIEM solution a) make money by enabling growth in some way, or b) save money by reducing risk?

The answer follows from the use cases that drove you to deploy a SIEM in the first place. You might have chosen a SIEM to do compliance monitoring or to centralise log data. In that case, your metric for success will be collecting enough log sources and retaining them for the required period. If your goal is visibility, then your SIEM will show value by generating alerts that the SOC can act on.

These goals boil down to a few core questions:

  • Are logs stored for long enough?

  • Are you getting all your logging data sources?

  • How quickly can a new system be added to your SIEM?

  • What is your security analysts’ mean time to respond (MTTR) to alerts?

  • How many alert tickets are ignored?

  • What is your SIEM able to see during red teaming or pen testing?

To tie these goals to business value, assess your security programme against the MITRE ATT&CK framework.

ATT&CK is a great tool for testing SIEMs. Research shows that SIEMs typically ingest enough data to cover around 94% of ATT&CK techniques, but only a minority have a decent rule set in place to fulfil that potential. Test your SIEM by looking for evidence of MITRE’s tactics and techniques: for example, could you detect lateral movement?

Also, look at the costs that your SIEM creates through log ingestion and storage. You could probably reduce your data processing costs by as much as £10k per month by filtering your logs.

Solve Real-World Headaches

Even after orchestration and the creation of SOPs and plans, a SIEM might still be unsuitable for a real-life IT environment. The diversity of network traffic and user and application behaviour can overwhelm your SIEM alert system with false positives without giving you the threat intelligence you need for incident response.

For example, a SIEM might alert you to security events because of thousands of login attempts. These could be either a brute force attack or an application automatically retrying an old password stored in a password manager after the employee changed that password elsewhere. Similarly, constant connection attempts involving external devices could be a malware delivery attempt or an ex-employee’s device still logged into your network.

These are some of the threat detection questions frontline SOC teams have to ask themselves daily. Often, the alerts SIEM tools send are not real threats or indicators of a data breach. The result is that security alerts get ignored, rules end up disabled, and in-house analysts burn out.
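As an added illustration of the login-attempt headache above (example code, not from the original post), the triage below separates a brute force burst from a client replaying a stale cached password. The log format, field names and IP addresses are constructed for the example; map them onto your own SIEM's schema.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real data): time, event, account, source, reason.
# alice's password was changed at 08:00; a cached client on 10.0.0.77 then
# retries the old one every 5 minutes. 203.0.113.9 hammers bob's account.
SAMPLE_LOG = """\
2024-03-01T08:00:00Z PASSWORD_CHANGED alice 10.0.0.5 -
2024-03-01T08:05:00Z LOGON_FAILED alice 10.0.0.77 bad_password
2024-03-01T08:10:00Z LOGON_FAILED alice 10.0.0.77 bad_password
2024-03-01T08:15:00Z LOGON_FAILED alice 10.0.0.77 bad_password
2024-03-01T08:20:00Z LOGON_FAILED alice 10.0.0.77 bad_password
2024-03-01T09:00:00Z LOGON_FAILED bob 203.0.113.9 bad_password
2024-03-01T09:00:01Z LOGON_FAILED bob 203.0.113.9 bad_password
2024-03-01T09:00:03Z LOGON_FAILED bob 203.0.113.9 bad_password
2024-03-01T09:00:07Z LOGON_FAILED bob 203.0.113.9 bad_password
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, event, account, source, _reason = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "event": event, "account": account, "source": source})
    return events

def triage(events, min_failures=4, tolerance=0.2):
    """Return {(source, account): verdict} for each burst of failed logons."""
    changed = {e["account"]: e["ts"] for e in events if e["event"] == "PASSWORD_CHANGED"}
    bursts = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON_FAILED":
            bursts[(e["source"], e["account"])].append(e["ts"])
    verdicts = {}
    for (src, acct), times in bursts.items():
        if len(times) < max(min_failures, 2):
            verdicts[(src, acct)] = "below_threshold"
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        regular = all(abs(g - med) <= tolerance * med for g in gaps)
        # A client replaying a stale password fails at a steady, slow cadence
        # that begins only after the account's password was changed.
        if acct in changed and changed[acct] < times[0] and regular and med >= 60:
            verdicts[(src, acct)] = "stale_credential_client"
        else:
            verdicts[(src, acct)] = "brute_force"
    return verdicts
```

The verdict decides routing: a stale-credential burst becomes a helpdesk ticket to fix the misconfigured client, while a brute force burst stays with the SOC.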

To solve these security data problems without constantly re-engineering your IT infrastructure, your SIEM needs to be augmented with artificial intelligence via user and entity behaviour analytics (UEBA) and security orchestration, automation, and response (SOAR) platforms.

Join the Dots

Real-world cyber attacks are multi-layered, complex and unpredictable. A DDoS attack might be a cover for ransomware delivery. Similarly, a missed phishing email might have left a RAT dormant in a financial terminal's memory, waiting for a quarterly connection to your critical service. Cyberattacks like the one that rocked Uber last year can even be entirely fileless, relying on compromised credentials and access.

To fight back, a SOC needs a SIEM that can pull together multiple indicators of compromise from network and endpoint activity into coherent cases for threat hunting. When an alert comes in from a device, your SOC needs to be able to see it in the context of what's happening on the network and where it falls in relation to normal user behaviour.

Your SIEM needs to be augmented with network detection and response (NDR) and endpoint detection and response (EDR) capabilities, and it must be able to show analysts that information through a single pane of glass.
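The case-building the previous paragraphs call for, as an added example that is not part of the original post: alerts from auth logs, an NDR sensor and an EDR agent are grouped per host within a time window and scored against a UEBA-style baseline of which hosts each user normally works from. Host names, users, field names and the baseline are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts (not real data) as a SIEM might receive them from three
# sources about the dormant-RAT scenario: a logon, a suspicious child process
# and a beacon on the same financial terminal, plus an unrelated beacon.
ALERTS = [
    {"ts": "2024-03-01T10:02:00", "source": "auth", "host": "fin-term-07",
     "user": "carol", "title": "Interactive logon", "tactic": "Initial Access"},
    {"ts": "2024-03-01T10:09:00", "source": "edr", "host": "fin-term-07",
     "user": "carol", "title": "Office app spawned encoded PowerShell", "tactic": "Execution"},
    {"ts": "2024-03-01T10:15:00", "source": "ndr", "host": "fin-term-07",
     "user": "carol", "title": "Periodic beacon to new domain", "tactic": "Command and Control"},
    {"ts": "2024-03-01T14:00:00", "source": "ndr", "host": "hr-lap-12",
     "user": "dave", "title": "Periodic beacon to new domain", "tactic": "Command and Control"},
]
# UEBA-style baseline (constructed): hosts each user normally works from.
USUAL_HOSTS = {"carol": {"fin-lap-03"}, "dave": {"hr-lap-12"}}

def score(host, evs):
    """Turn one group of alerts into a case with a priority."""
    sources = {e["source"] for e in evs}
    users = {e["user"] for e in evs}
    off_baseline = any(host not in USUAL_HOSTS.get(u, set()) for u in users)
    # Evidence from several sources plus an unusual user/host pairing is what
    # makes a case worth hunting, not the severity of any single alert.
    if len(sources) >= 2 and off_baseline:
        priority = "high"
    elif len(sources) >= 2 or off_baseline:
        priority = "medium"
    else:
        priority = "low"
    return {"host": host, "alerts": len(evs), "sources": sorted(sources),
            "tactics": [e["tactic"] for e in evs], "priority": priority}

def build_cases(alerts, window=timedelta(minutes=30)):
    """Group alerts per host when each follows the previous within `window`."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append({**a, "ts": datetime.fromisoformat(a["ts"])})
    cases = []
    for host, evs in by_host.items():
        current = [evs[0]]
        for e in evs[1:]:
            if e["ts"] - current[-1]["ts"] <= window:
                current.append(e)
            else:
                cases.append(score(host, current))
                current = [e]
        cases.append(score(host, current))
    return cases
```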

A mature SIEM leans on consolidation to eliminate the swivel-chair syndrome that SOC analysts develop when they have to work across disparate systems.

Evolve Your SOC’s SIEM with SenseOn

SenseOn collects unified data from endpoints, networks and servers in a single format. Bringing the capability of SOAR, UEBA, EDR and NDR into your SIEM system, SenseOn cuts the cost of log ingestion while adding context by providing analysts with easy-to-read dashboards of information about alerts.

Try a demo of SenseOn today.
