To SIEM or not to SIEM? Whether or not to implement a SIEM solution generally comes down to if you have a dedicated team to care and feed it. To continuously integrate new sources of data, improve threat-intelligence, correlation rules, eliminate false-positives, perform triage on issues identified, on an ongoing basis.
The amount of manpower is often misunderstood..
Apart from the SIEM administrators and/or knowledge-managers, there are usually also Tier-1 (analysts), Tier-2 (specialists) and Tier-3 (forensics, reverse-engineers, incident-responders, etc..) to handle the events output from the SIEM, and those identified from manual analysis.
Know your assets!
Most organizations fail to maintain a current asset-list, which is ideal, to help the SIEM understand the assets it’s protecting. Also to detect when new assets have come online, existing assets have left, or have gone silent (logging processes have stopped), or are missing time-synchronization, antivirus agents, etc..
Choose your signals carefully..
It’s usually best to carefully consider which systems, devices or appliances you integrate with your SIEM solution for maximum coverage across the network.
Usually Authentication-solutions, Firewalls/IPS, Servers & Endpoints, Antivirus, Malware sandboxes, Vulnerability-Management-Systems, Threat-intelligence sources, usually provide a healthy signal-to-noise ratio.
Don’t forget to consider signals from your cloud environment as well. From AWS Cloudtrail as one example. These can also be incorporated into the SIEM to provide coverage both on-premise and into the Cloud.
These may not all exist initially, but can be added systematically, to provide deep security insight.
The most important point to ask yourself when deciding which signal to on-board, is what security-value will this add to my monitoring?
SIEM is not a replacement for manual analysis.
Although a SIEM has been implemented, it’s not a replacement for manual analysis. Incentivize manual-analysis, not only does it keep skills sharp, human reckoning/intuition can find issues the SIEM can't grok.
Respect the Tier-1’s.
Tier-1 usually performs the initial triage. Ensure there is a continuous improvement feedback loop to tune down the noise to allow Tier-1 to focus on actual threats, and operate effectively. Don’t tune too far though, being too quiet is also not healthy.
Rise of the machines!
The most recent advancement in SIEM style technology is machine-learning security analytics.
These hold great promise in empowering security professionals to piece together unusual activity that may not trigger red-flags as individual occurrences, but pieced together, could indicate signs of data-exfiltration, or other blended attacks.
Sometimes, multiple threat-actors could be conducting attacks. Having this “learning” process running via machine-learning analytics, is an additional tool in the analyst's arsenal, to identify deviations from the norm, amongst security use-cases.
In other words, the human analyst will have greater quality of information up-front, to gauge the response with.
Depending on requirements, deploying a SIEM from the outset might not be the best fit for your organisation. Whilst Splunk offers a fully-featured SIEM in its Enterprise-Security product, rich security-analytics can also be obtained from the core Splunk platform, Splunk Enterprise.
Katana1’s Splunk ninjas can help in selecting and tailoring an approach to meet your needs.