The Value of Following a Methodical Approach for SIEM Implementation

Author: Grant Hughes, CISA, CISM, CDPSE, CASP, CCSK, CCSP, CEH, CIH, CISSP, SSCP
Date Published: 24 July 2023

Whether we want to admit it or not, we are in a race with the bad guys. In July 2022, Palo Alto released a report stating that attackers begin scanning for a vulnerability within 15 minutes of its Common Vulnerabilities and Exposures (CVE) disclosure. Common challenges encountered by security operations centers (SOCs) include complexity, an overload of alerts and events, an excessive number of false positives and a duplication of security tools. Automation promises to solve some of these challenges, and security information and event management (SIEM) and security orchestration, automation and response (SOAR) solutions are viewed as the vehicles to drive it.

A SIEM solution can provide valuable insights for security teams and enable efficient and effective incident response activities. After all, it provides a consolidated view on a single pane of glass. SIEM technologies have gained popularity in recent years for several reasons, ranging from regulatory requirements to organizations simply wanting to improve their security risk posture and move to a more proactive position. However, although many organizations have invested in a SIEM solution, the frequency and impact of data breaches have not decreased as one would expect.

The primary inputs into a SIEM solution are event logs and threat intelligence. It is in providing these inputs, or rather in failing to provide the proper inputs, that the true value of a SIEM solution goes unrealized. At a high level, organizations fall into three groups when it comes to event logging:

  1. Leave it on default and hope for the best—This approach is dangerous and will result in blind spots that the SIEM solution will not address.
  2. Log it all and let the analyst sort it out—This approach is costly and will result in storage challenges, frustrated SOC analysts or excessive cost implications for cloud-based SIEM solutions.
  3. Purpose-driven logging—Although it is not the easiest, this is the ideal approach. It requires planning, with use cases and playbooks defined upfront and the supporting event logs identified, enabled on the log sources and ingested into the SIEM solution. This is the only approach that realizes the full value of a SIEM solution.

To ensure that a return on investment is realized for any log correlation solution, it is imperative to follow a structured implementation approach. This should include identifying your requirements; deciding on a deployment approach; identifying the use cases that must be covered; defining the scope of assets and logs to support the use cases; onboarding logs; configuring reports, alerts and dashboards; and testing the functionality of the SIEM solution. To avoid a high-cost and low-value situation, regular testing of the control effectiveness is vital.

In the past, security teams missed threats because the technology and the telemetry were not available to support detection efforts. Now, security teams miss threats because there are too many events and alerts being triggered by security devices. Threat intelligence helps security analysts focus on what is important. Automating the use of threat intelligence in a SIEM solution, or any other security solution used by the SOC, provides a significant benefit as it enables security solutions to automatically prioritize events that are associated with actively exploited vulnerabilities that may impact the organization. Whichever platform is ultimately used for centralizing log data should incorporate a threat intelligence feed for enrichment and context.
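To make the purpose-driven logging and threat-intelligence enrichment points concrete, here is an added Python example (not code from the article or from any SIEM product): it flags use cases whose required log sources are not yet ingested, then tags a few constructed events against a constructed intelligence feed and ranks them by priority. All CVE ids, addresses, asset names, log source names and score weights are placeholders chosen for illustration.

```python
# Constructed inventory (not from the article): use cases mapped to the log
# sources each one needs, and the sources actually ingested into the SIEM.
USE_CASES = {
    "vpn-brute-force": {"vpn-auth", "identity-provider"},
    "web-exploit-attempt": {"waf", "web-server"},
}
ONBOARDED_SOURCES = {"vpn-auth", "waf", "web-server"}

# Constructed threat-intel feed: placeholder CVE ids flagged as actively
# exploited, and a known-bad source address (RFC 5737 documentation range).
EXPLOITED_CVES = {"CVE-0000-0001", "CVE-0000-0002"}
MALICIOUS_IPS = {"203.0.113.7"}
# Constructed asset inventory: CVEs each asset is known to carry.
ASSET_CVES = {"web-01": {"CVE-0000-0001"}, "db-01": {"CVE-0000-0099"}}

# Constructed normalized events, as a SIEM parser might emit them.
SAMPLE_EVENTS = [
    {"id": 1, "src_ip": "198.51.100.5", "cve": "CVE-0000-0001", "asset": "web-01", "action": "blocked"},
    {"id": 2, "src_ip": "203.0.113.7", "cve": None, "asset": "vpn-01", "action": "allowed"},
    {"id": 3, "src_ip": "198.51.100.9", "cve": "CVE-0000-0099", "asset": "db-01", "action": "allowed"},
    {"id": 4, "src_ip": "192.0.2.10", "cve": None, "asset": "ws-17", "action": "allowed"},
]

def logging_gaps(use_cases, onboarded):
    """Blind spots: use cases whose required log sources are not all ingested."""
    return {uc: sorted(req - onboarded) for uc, req in use_cases.items() if req - onboarded}

def enrich(event):
    """Tag an event with threat-intel context and derive a priority score."""
    tags, score = [], 0
    cve = event.get("cve")
    if cve in EXPLOITED_CVES:
        tags.append("actively-exploited-cve")
        score += 50
        if cve in ASSET_CVES.get(event["asset"], set()):
            tags.append("asset-exposed")  # the targeted asset actually carries the CVE
            score += 30
    if event["src_ip"] in MALICIOUS_IPS:
        tags.append("known-bad-source")
        score += 40
    if score and event["action"] == "allowed":
        score += 10  # not blocked at the perimeter, so it needs a human look sooner
    return {**event, "ti_tags": tags, "priority": score}

def prioritize(events):
    """Enriched events, highest priority first (stable sort keeps ingest order on ties)."""
    return sorted((enrich(e) for e in events), key=lambda e: e["priority"], reverse=True)
```

Running `logging_gaps(USE_CASES, ONBOARDED_SOURCES)` reports the "vpn-brute-force" use case as a blind spot because the identity-provider logs are not onboarded, and `prioritize(SAMPLE_EVENTS)` puts the event that hit an exposed asset with an actively exploited CVE ahead of the one from a known-bad address.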

During any security investigation, the questions that will come up are:

  • How did the attacker gain access to my environment?
  • How long have I been compromised?
  • What were the attackers able to access or steal?

Applying a methodical and structured approach when implementing your SIEM solution will enable you to answer those investigative questions with ease.

Editor’s note: For further insights on this topic, read Grant Hughes’s recent Journal article, “A Framework for SIEM Implementation,” ISACA Journal, volume 3, 2023.