Thursday, January 15, 2026

What is the State of SIEM?

Network managers can choose from an expansive array of security tools to protect their companies’ digital assets. But bundling these tools together under a single management console and linking them with existing security policies remains challenging.

Enter security information and event management (SIEM). Could this software, which collects and correlates security information from both on-premises and cloud networks in real time, be the answer?

For Chris Hippensteel, director of IT at New Resources Consulting, SIEM can provide the visibility his company needs into its environment.

“A well-implemented SIEM can indeed provide 360-degree visibility across hybrid network environments,” Hippensteel said. “In our company, we’ve integrated SIEM with both our on-prem infrastructure and cloud services like Microsoft 365 and Azure AD. This enables us to correlate logs, detect anomalies and respond to threats regardless of their origin.”

The company attained that visibility through connections and integrations that tied the company’s Active Directory (AD), endpoint protection, firewalls and cloud services to the SIEM platform. These integrations enabled centralized monitoring and response.

“We have SIEM agents deployed across Windows, Mac and Linux systems, and we maintain real-time visibility into endpoint activity across the board,” Hippensteel said.

This illumination into the network can solve a plethora of issues for companies and public entities. Consider academia, which is the third most-targeted industry for malicious attempts and compromises, according to an ESET report. It’s paramount to protect research and intellectual property. But it’s not always easy to track user activities spread across a hybrid university network spanning multiple clouds, departments and campuses.

Each of these work locations might have its own cloud and physical networks. As a result, it’s difficult to lock out intruders if security monitoring can’t go end to end through the labyrinth of networks each user is on. Would-be intruders know this, too.

Rate of SIEM Adoption

SIEM adoption rates continue to rise, with the sector expected to record a compound annual growth rate of 12% between now and 2030, according to research firm Mordor Intelligence.

Organizations are fueling the market’s growth, particularly larger enterprises that comprise more than half the SIEM market. These larger companies — primary targets of attackers — also have the budgets and personnel necessary to implement SIEM.

Other trends from the Mordor survey included the following:

  • Over 55% of SIEM deployments are for on-premises networks only.

  • SIEM cost of ownership is extremely high, with an estimate of 4-plus years for the average company to recoup a SIEM investment.

  • It takes companies two to four years to train or recruit the network personnel required to oversee a SIEM platform.

Tackling SIEM Challenges

In addition to high deployment costs, many organizations grapple with implementing SIEM.

A primary challenge is SIEM configuration — given that the average organization has more than 100 different data sources that must plug into the platform, according to an IDC report.

It can be daunting for network staff to do the following when deploying SIEM:

  • Choose which data sources to integrate.

  • Set up SIEM correlation rules that define what will be classified as a security event.

  • Determine the alert thresholds for specific data and activities.

It’s equally challenging to manage the information and alerts a SIEM platform issues. If correlation rules are tuned too tightly, the result is false positives: the system raises alarms about events that aren’t actually threats. This wastes network technicians’ time and can lead to staff fatigue and frustration. In contrast, if the calibration is too loose, organizations run the risk of overlooking something that could be vital.
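To make the trade-off concrete, here is an added example (not code from the article or from New Resources Consulting) of a toy correlation rule of the kind described above: it flags a successful login that follows a burst of failed logins from the same user and source within a short window. The log format, host names, user names and addresses are constructed for the example; the threshold parameter is what a SIEM administrator would tune. Run with two thresholds, it shows the same data producing a false positive (a user who mistyped a password three times) at the tighter setting while the genuine burst is caught at both.

```python
"""Toy SIEM correlation rule: failed-login burst followed by success.

Added illustration; the log lines below are constructed and the rule
is deliberately simple so the effect of the threshold is visible.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a syslog-like layout (not real data).
SAMPLE_LOGS = """\
2026-01-15T09:00:01 auth sshd: Failed password for alice from 10.0.0.5
2026-01-15T09:00:04 auth sshd: Failed password for alice from 10.0.0.5
2026-01-15T09:00:09 auth sshd: Failed password for alice from 10.0.0.5
2026-01-15T09:00:15 auth sshd: Accepted password for alice from 10.0.0.5
2026-01-15T09:10:00 auth sshd: Failed password for svc-backup from 203.0.113.9
2026-01-15T09:10:02 auth sshd: Failed password for svc-backup from 203.0.113.9
2026-01-15T09:10:04 auth sshd: Failed password for svc-backup from 203.0.113.9
2026-01-15T09:10:06 auth sshd: Failed password for svc-backup from 203.0.113.9
2026-01-15T09:10:08 auth sshd: Failed password for svc-backup from 203.0.113.9
2026-01-15T09:10:10 auth sshd: Failed password for svc-backup from 203.0.113.9
2026-01-15T09:10:12 auth sshd: Failed password for svc-backup from 203.0.113.9
2026-01-15T09:10:14 auth sshd: Failed password for svc-backup from 203.0.113.9
2026-01-15T09:10:20 auth sshd: Accepted password for svc-backup from 203.0.113.9
2026-01-15T10:00:00 auth sshd: Failed password for bob from 10.0.0.7
2026-01-15T11:30:00 auth sshd: Failed password for bob from 10.0.0.7
2026-01-15T11:30:20 auth sshd: Accepted password for bob from 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """Turn raw lines into normalized event dicts; unparsed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline would count these, not drop them silently
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "outcome": m["outcome"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def correlate(events, threshold, window_seconds=60):
    """Alert when a success follows >= threshold failures (same user+source) within the window."""
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(list)  # (user, src) -> timestamps of failures still in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        # Expire failures that fell out of the sliding window.
        recent_failures[key] = [t for t in recent_failures[key] if ev["ts"] - t <= window]
        if ev["outcome"] == "Failed":
            recent_failures[key].append(ev["ts"])
            continue
        n = len(recent_failures[key])
        if n >= threshold:
            alerts.append({"user": ev["user"], "src": ev["src"], "failures": n, "ts": ev["ts"]})
        recent_failures[key] = []  # a success closes the sequence either way
    return alerts


def compare_thresholds(text, thresholds=(3, 5)):
    """Show how the same events alert (or not) as the threshold changes."""
    events = parse_events(text)
    return {t: [(a["user"], a["failures"]) for a in correlate(events, t)] for t in thresholds}


if __name__ == "__main__":
    for t, hits in compare_thresholds(SAMPLE_LOGS).items():
        print(f"threshold={t}: {hits}")
```

At threshold 3 the rule fires for both alice (three typos, a false positive) and svc-backup (eight rapid failures); at threshold 5 only svc-backup remains. bob's two failures are 90 minutes apart, so the 60-second window never accumulates them. Raising the threshold or shortening the window trades noise for the risk of missing slower attempts, which is the calibration problem the paragraph describes.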

Network staff must also coordinate with other areas of IT and the company. For example, what if data safekeeping and compliance regulations change? Does this change SIEM rule sets? What if the IT applications group rolls out new systems that must be attached to SIEM? Can the legal department or auditors tell you how long to store and retain data for eDiscovery or for disaster backup and recovery? And which data noise can you discard as waste?

These are questions Hippensteel had to answer at New Resources Consulting.

“Integrating SIEM with existing infrastructure can be time-consuming,” he said. “We encountered [group policy object]-related issues during deployment that required deep troubleshooting. Also, we had to deal with data overload and alert fatigue, because without proper tuning, SIEMs can generate excessive noise. We had to refine our alert rules and correlation logic to focus on actionable intelligence.”

Best SIEM Practices

As more organizations deploy SIEM, a set of best practices is emerging to help guide enterprises considering SIEM. Here are three important factors to consider.

1. Define the specific business use cases for which SIEM will be employed

Determine the organization’s primary security issue. Is it guarding against ransomware? Improving visibility into user activities across multiple cloud and on-premises systems? Locking down intellectual property? Or is it something else? The clearer the picture you can paint to illustrate how SIEM can eliminate a key business risk factor, the more likely senior management will agree to fund and implement SIEM — and invest in the required training for network staff.

2. Understand the potential effect of integrating SIEM with legacy technology

There’s a reason so much legacy technology exists — it is still viable. These systems aren’t going away, and they continue to support many enterprises’ most critical systems. But these systems predate SIEM. They might lack the logging functions that can feed into SIEM, rendering true 360-degree visibility difficult to achieve.

3. Integrate, automate and train

According to Hippensteel, the first step is to integrate relevant data sources. The next step is to customize alerts with a focus on reducing noise and pinpointing high-fidelity signals. Automation follows after that.

“Then you use built-in automation for response actions like isolating endpoints or notifying teams,” Hippensteel said. “Above all, never forget that SIEMs are only as good as the people using them. We’ve created internal training materials and lunch-and-learn sessions to upskill our team and ensure consistent response protocols.”
