SecuritySIEM

How to Optimize SIEM Security Effectiveness

Compliance concerns and the need to protect data from security breaches are helping to drive Security Information and Event Management (SIEM) adoption. A successful SIEM, however, requires work upfront to ensure you’re collecting the right logs, triggering alerts about the right events, and creating an accurate picture that keeps you secure over time. That’s where a good threat assessment comes in.

What is SIEM?

An SIEM enables organizations to collect logs and data from a variety of tools and applications, correlate them in real-time and then present them in a way that gives a clear, accurate picture of a business’ security and compliance posture. At first blush, it may seem that the more data and logs you collect, the better picture you’ll receive from the SIEM. Unfortunately, almost the opposite is true.

The old adage of GIGO (garbage in/garbage out) readily applies to SIEM, and many organizations fall into the trap of feeding the SIEM every log and security event — only to find they’re swimming in data and alerts. In these scenarios, SIEM only adds to the noise, rather than cutting through it.

How A Cyber Threat Assessment Drives SIEM Success

Instead, organizations need to first understand their environment to set business goals for their SIEM. Then, they can tune the logs and data collection to support these use cases over time. A threat assessment is useful here because it shows organizations:

  • Where they’re most vulnerable. Which endpoints, servers and applications tend to fall under attack and how? A threat assessment shows which systems are most at risk to focus SIEM resources where they can make the most difference.
  • Where users spend time. Which systems and applications are critical to your business? While ERP, CRM, inventory systems come immediately to mind for most organizations, many fail to realize that a great deal of user productivity is tied up in applications that tend to fly under the radar, such as peer-to-peer, social media, instant messaging and more. Wherever employees spend time is where attacks are most likely to hit.
  • What normal looks like. What are your typical network throughput, session and bandwidth requirements, and how do those change over time (seasonal fluctuations, peak utilization)? An assessment that monitors the network and creates a baseline will let you alert on changes, helping the SIEM uncover issues quickly without being overloaded by unnecessary noise.

Once you know your environment, you can then focus on the SIEM use cases that will make the most difference. For example, organizations concerned with insider threats may set the SIEM to set a baseline of expected user application usage and then alert when users stray beyond. Similarly, SIEMs can be set to alert when unencrypted personally identifiable information crosses the network to ensure compliance with PCI or HIPAA.

One caveat: SIEM is not a set-it-and-forget-it proposition. Organizations must continually re-assess their environment and use cases to ensure they align with the business as it changes over time. As a partner of Fortinet, Xiologix can help you assess the results of Fortinet’s complimentary, online cyber threat assessment program, and use them to optimize the security effectiveness of your SIEM.