How to Set Up Your Security Information and Event Management (SIEM) For Success?

 

Deploying a Security Information and Event Management (SIEM) platform can be complicated, but it doesn't need to be. It is not just a project but an ongoing process, and it needs a careful evaluation of the information that will flow into the platform, the so-called "data sources". Equally, the evolution of your IT infrastructure over time and your risk scenario play an important role in the success of any SIEM implementation.

The case for a SIEM

A modern SIEM solution correlates heterogeneous data sources by centralizing log collection. IT security teams can promptly identify suspicious behavior, but also asset malfunctions that are hard to spot by querying each device individually (for example, a sudden increase in resource usage). In Europe, centralized logging also supports compliance with Article 32 of the General Data Protection Regulation (GDPR), "Security of processing", and in particular Article 32(1)(d), which requires a process for regularly testing, assessing and evaluating the effectiveness of the security measures in place. For companies in the payments industry, PCI DSS requirements (above all Requirement 10, on logging and monitoring access to system components and cardholder data) may be a major factor in the decision to introduce a SIEM.

 

Considerations for Implementation

When considering introducing a SIEM, companies must factor in economic aspects such as the cost of vendor software licenses, which are typically priced on ingested volume (events per second or GB per day), and the hardware resources needed if they do not choose a cloud-native SIEM solution. Adequate planning and scoping of these elements is critical to deploying your SIEM correctly.

Additionally, there are some key questions to answer before implementing a SIEM within your organization, including:

  • Which sources should be included in the event collection?
  • Which network perimeter should be considered in scope?
  • What information should be retained, and for how long?
  • Are staff aware of the use cases that must be defined according to the company's risk scenarios?

 

Successful Implementation in 5 stages

In our experience, organizations should have a plan in place before undertaking a SIEM implementation. Our recommended action plan details five stages for a successful implementation:

  1. Map your company data flows.
  2. Align to the company's regulatory compliance needs.
  3. Identify your assets to select the necessary log data sources.
  4. Select the right SIEM technology for your IT environment.
  5. Configure your SIEM effectively.

  • Map your company's data flows:

Consider your business information and the information related to your IT (authentication, security, infrastructure), and map how it moves through the company in order to locate your assets. You need to identify where the information flows, where it is stored, and how it can be accessed, both from inside and outside the company network, in order to protect it.

Your last risk assessment, if available, will provide you with specific indications relating to your critical systems, and your security priorities and, indirectly, support the configuration of the SIEM use cases.

 

  • Align with your company's regulatory compliance needs (GDPR, PCI DSS, ISO 27001, etc.) and your most recent risk evaluation:

We live in Europe, and the GDPR contains several requirements that must be taken into account in the design of a SIEM platform: the need for a log data retention policy, the need to differentiate access to log information according to the least privilege and need-to-know principles, and the protection of logs at rest and in transit, among others.

It is also important to consider any other security frameworks and guidelines your business must comply with, e.g., ISO 27001, PCI DSS, or COBIT for SOX compliance.

Some frameworks, such as PCI DSS (Requirement 10.x), contain detailed indications of how to configure audit settings and retain system logs for compliance. The SIEM project team must take these needs into account during implementation, correctly identifying the certification scope.

 

  • Identify your assets to select the log data sources:

Once you have considered your data flows and compliance needs, you will have a clear picture of the assets involved and can select the data sources for your log collection. Data sources matter, and not all logs are equal: some are written in a documented, structured format (such as the Common Event Format, CEF), while others are free-form text that the platform must interpret and parse before it can correlate them.

Dr. Anton Chuvakin, a leader of the security solution strategy at Google Cloud, wrote that "logs can tell you a lot of things about what is happening on your network, from performance information to fault detection to intrusion detection" including forensics. But there's an old saying: "a SIEM is only as good as the data you feed it". Even if you don't have an internal security team managing your SIEM continuously, it's crucial that the platform is configured properly, so that third-party experts can understand what happened after an incident. That doesn't mean you have to collect everything. Unless required by the local authorities or by your compliance needs, collecting too much data is costly to store, process and maintain, and it leads to an overload of information that is useless in terms of security.

So, how do you decide what to feed your SIEM? The SANS Institute published a short guide, "Top 6 SANS Essential Categories of Log Reports", to help organizations identify the most common security controls to consider when customizing SIEM reports. Although the guide is several years old, it still offers useful guidance on where to start. It suggests reports that have the highest likelihood of identifying suspicious activity while keeping the number of false positives low. The top report categories are:

  1. Authentication and Authorization Reports
  2. Systems and Data Change Reports
  3. Network Activity Reports
  4. Resource Access Reports
  5. Malware Activity Reports
  6. Failure and Critical Error Reports
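To make two of the points above concrete, here is an added example (not code from the original article, and not Advantio's tooling) covering both "not all logs are equal" and the first SANS category. It parses Common Event Format records, which carry their own field structure, sets aside a raw syslog line that would need a separate parser, and then runs a simple authentication correlation over the parsed events: a source address that fails to log in five times and then succeeds within five minutes. The device name "Acme SSHGate", the log lines, the threshold and the window are constructed for the example, and the `rt` field is assumed to be epoch milliseconds.

```python
import re
from collections import defaultdict, deque

# Constructed sample: CEF records from a fictional "Acme SSHGate" device plus one
# raw syslog line that is not CEF and would need its own parser in the SIEM.
SAMPLE_LOG = r"""
CEF:0|Acme|SSHGate|2.1|100|Login failed|5|rt=1700000000000 cat=authentication src=203.0.113.7 suser=alice outcome=Failure
CEF:0|Acme|SSHGate|2.1|100|Login failed|5|rt=1700000010000 cat=authentication src=203.0.113.7 suser=root outcome=Failure
CEF:0|Acme|SSHGate|2.1|100|Login failed \| retry allowed|5|rt=1700000020000 cat=authentication src=203.0.113.7 suser=admin outcome=Failure
CEF:0|Acme|SSHGate|2.1|100|Login failed|5|rt=1700000030000 cat=authentication src=203.0.113.7 suser=alice outcome=Failure msg=reason\=bad password
CEF:0|Acme|SSHGate|2.1|100|Login failed|5|rt=1700000040000 cat=authentication src=203.0.113.7 suser=alice outcome=Failure
CEF:0|Acme|SSHGate|2.1|101|Login succeeded|3|rt=1700000070000 cat=authentication src=203.0.113.7 suser=alice outcome=Success
CEF:0|Acme|SSHGate|2.1|100|Login failed|5|rt=1700000050000 cat=authentication src=198.51.100.9 suser=bob outcome=Failure
CEF:0|Acme|SSHGate|2.1|101|Login succeeded|3|rt=1700000060000 cat=authentication src=198.51.100.9 suser=bob outcome=Success
<34>Nov 14 22:13:20 gw sshd[1234]: Failed password for carol from 192.0.2.5 port 4022 ssh2
"""

HEADER_SPLIT = re.compile(r'(?<!\\)\|')            # split on pipes that are not escaped
EXT_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_]+)=')  # "key=" at start or after whitespace
ESCAPES = {'\\': '\\', '|': '|', '=': '=', 'n': '\n', 'r': '\r'}


def unescape(text):
    # CEF escapes a backslash, pipe, equals sign, newline and carriage return with a backslash.
    return re.sub(r'\\([\\|=nr])', lambda m: ESCAPES[m.group(1)], text)


def parse_cef(line):
    """Parse one CEF record into a dict of header fields plus extension keys."""
    if not line.startswith('CEF:'):
        raise ValueError('not a CEF record')
    parts = HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) < 7:
        raise ValueError('truncated CEF header')
    hdr = [unescape(p) for p in parts[:7]]
    event = {'cef_version': hdr[0][4:], 'vendor': hdr[1], 'product': hdr[2],
             'device_version': hdr[3], 'signature_id': hdr[4], 'name': hdr[5],
             'severity': hdr[6]}
    ext = parts[7] if len(parts) == 8 else ''
    keys = list(EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        # a value runs up to the next "key=" token; escaped "\=" inside it is not a key
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        event[m.group(1)] = unescape(ext[m.end():end].strip())
    return event


def load_events(text):
    """Parse every CEF line; return (events, lines that need another parser)."""
    events, unparsed = [], []
    for line in text.strip().splitlines():
        try:
            events.append(parse_cef(line))
        except ValueError:
            unparsed.append(line)
    return events, unparsed


def detect_bruteforce_then_success(events, threshold=5, window_seconds=300):
    """Alert when one source IP logs >= threshold failed logins and then a success
    within window_seconds: a password-guessing attempt that apparently worked."""
    recent_failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: int(e.get('rt', 0))):
        if ev.get('cat') != 'authentication' or 'src' not in ev or 'rt' not in ev:
            continue
        ts = int(ev['rt']) / 1000          # rt is epoch milliseconds in this feed (assumption)
        window = recent_failures[ev['src']]
        while window and ts - window[0] > window_seconds:
            window.popleft()               # drop failures older than the window
        if ev.get('outcome') == 'Failure':
            window.append(ts)
        elif ev.get('outcome') == 'Success' and len(window) >= threshold:
            alerts.append({'src': ev['src'], 'suser': ev.get('suser'),
                           'failures': len(window), 'success_at': ts})
            window.clear()                 # one alert per burst
    return alerts


if __name__ == '__main__':
    evs, skipped = load_events(SAMPLE_LOG)
    print(f'{len(evs)} CEF events parsed, {len(skipped)} line(s) need another parser')
    for a in detect_bruteforce_then_success(evs):
        print('ALERT possible credential brute force:', a)
```

Rules of this kind are what a vendor's generic use cases encode; the threshold and the window are precisely the parameters that need tuning per environment, and the unparsed syslog line shows why a source that is collected but not parsed contributes nothing to correlation.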

 

Your organization can use these as a starting point. Additionally, consider other sources you may have that improve threat detection, for example:

  1. Cloud platforms
  2. Endpoint detection and response (EDR)
  3. Network detection and response (NDR)
  4. Mobile device management (MDM)
  5. File integrity monitoring (FIM)
  6. DHCP logs and databases
  7. DNS logs

 

Each organization is unique and prioritizes its data differently, so while setting up your own SIEM instance you need to use your own judgment on what matters most to your organization. You may choose to prioritize adherence to compliance frameworks, risk assessment results, the detection guidance attached to MITRE ATT&CK techniques, the MITRE Cyber Analytics Repository (CAR), Sigma rules, incident report outcomes, etc.

Remember that individual security log records are raw facts of limited value on their own, and they arrive in large volumes. You must process them into actionable intelligence and develop a defense strategy suitable for your unique environment.

 

  • Select the right SIEM technology for your IT environment:

Once you've identified your assets, you should be able to determine the most appropriate deployment model and SIEM solution for your needs: on-premises, cloud-native or SIEM-as-a-service (using a third-party supplier), and self-managed or hybrid-managed.

A SIEM-as-a-service (managed SIEM) option can offer several benefits to your organization, including lower deployment cost (you simply pay a subscription fee), faster deployment by leveraging the provider's existing infrastructure, service scalability, access to the provider's skilled staff for tuning, and reduced internal staffing requirements.

To support your technology decision-making, you can use resources such as Gartner's "RFP for Security Information and Event Management" toolkit, the Gartner Magic Quadrant/Market Guide for SIEM, or other free online user reviews and comparisons of the industry-leading marketplace vendors.

 

  • Configure your SIEM (log collection, parsing, correlation rules, behavior analysis, use cases, alarms, etc.) and establish a regular review of security events, i.e., a security monitoring process built on your SIEM platform:

Configuration of the data sources (e.g., the servers that generate the logs) is as important as configuring the SIEM platform itself.

SIEM solutions are first and foremost containers of information from selected sources. The more complete this information is, the more efficient the monitoring process becomes. To that end, correct audit and hardening baselines are paramount: systems and applications must produce accurate and meaningful audit records while minimizing the impact on performance. For example, on Windows use the Advanced Audit Policy Configuration subcategories rather than the legacy category-level audit policy, enable the security option that forces subcategory settings to override category settings so the two cannot conflict, and explicitly configure the desired value for every subcategory instead of relying on the defaults.
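As an added example of the "configure every setting explicitly" advice (not code from the original article or from Advantio), the following Python compares a Windows audit policy export with a required baseline and produces the auditpol commands that close each gap. It assumes the CSV column layout written by `auditpol /backup /file:<path>` (Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting, Setting Value); the export, the host name and the GUIDs are constructed placeholders, and the baseline itself is illustrative rather than a recommendation.

```python
import csv
import io

# Audit subcategories a SIEM-fed host must expose for authentication and change
# reporting. Illustrative baseline: take yours from the Microsoft Security
# Baseline or CIS benchmark that applies to your estate.
REQUIRED = {
    'Credential Validation': {'Success', 'Failure'},
    'Logon': {'Success', 'Failure'},
    'Logoff': {'Success'},
    'Account Lockout': {'Failure'},
    'Special Logon': {'Success'},
    'Process Creation': {'Success'},
    'Security Group Management': {'Success'},
    'User Account Management': {'Success', 'Failure'},
    'Audit Policy Change': {'Success'},
}

# Constructed export in the column layout assumed for "auditpol /backup".
# Host name and GUIDs are placeholders, not real subcategory identifiers.
SAMPLE_EXPORT = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
SRV01,System,Credential Validation,{00000000-0000-0000-0000-000000000001},Success and Failure,,3
SRV01,System,Logon,{00000000-0000-0000-0000-000000000002},Success,,1
SRV01,System,Logoff,{00000000-0000-0000-0000-000000000003},Success,,1
SRV01,System,Special Logon,{00000000-0000-0000-0000-000000000004},Success,,1
SRV01,System,Process Creation,{00000000-0000-0000-0000-000000000005},No Auditing,,0
SRV01,System,Security Group Management,{00000000-0000-0000-0000-000000000006},Success,,1
SRV01,System,User Account Management,{00000000-0000-0000-0000-000000000007},Success and Failure,,3
SRV01,System,Audit Policy Change,{00000000-0000-0000-0000-000000000008},Success,,1
SRV01,System,Other Logon/Logoff Events,{00000000-0000-0000-0000-000000000009},Success and Failure,,3
"""

# Text in the "Inclusion Setting" column -> set of audited outcomes
SETTING_WORDS = {'No Auditing': set(), 'Success': {'Success'}, 'Failure': {'Failure'},
                 'Success and Failure': {'Success', 'Failure'}}


def parse_auditpol_export(text):
    """Map subcategory name -> set of audited outcomes ('Success' / 'Failure')."""
    configured = {}
    for row in csv.DictReader(io.StringIO(text)):
        setting = row['Inclusion Setting'].strip()
        configured[row['Subcategory'].strip()] = SETTING_WORDS.get(setting, set())
    return configured


def audit_gaps(configured, required=REQUIRED):
    """Return {subcategory: reason} for every required setting that is not met.
    A subcategory missing from the export counts as a gap: it was never set
    explicitly, so the host is running on whatever the default happens to be."""
    gaps = {}
    for sub, wanted in required.items():
        if sub not in configured:
            gaps[sub] = 'absent from export, so not explicitly configured'
            continue
        missing = wanted - configured[sub]
        if missing:
            gaps[sub] = 'missing ' + ' and '.join(sorted(missing)) + ' auditing'
    return gaps


def auditpol_fix_commands(gaps, required=REQUIRED):
    """Build the auditpol.exe commands that set each gap to the required value."""
    cmds = []
    for sub in sorted(gaps):
        want = required[sub]
        cmds.append(f'auditpol /set /subcategory:"{sub}" '
                    f'/success:{"enable" if "Success" in want else "disable"} '
                    f'/failure:{"enable" if "Failure" in want else "disable"}')
    return cmds


if __name__ == '__main__':
    found = audit_gaps(parse_auditpol_export(SAMPLE_EXPORT))
    for sub, reason in sorted(found.items()):
        print(f'{sub}: {reason}')
    print('\n'.join(auditpol_fix_commands(found)))
```

Run this against the export from each server class before the host is connected to the SIEM, and again on a schedule: a subcategory left at "No Auditing" means the authentication and change reports for that host will simply be empty, and nothing in the SIEM itself will tell you so.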

Do not forget to involve your internal teams (DBAs, systems engineers, application owners, etc.) to choose audit parameters that do not compromise the operation of the production systems and, consequently, your business. Make daily security log reviews a routine for your staff and improve them with automation. Use threat intelligence feeds and user and entity behavior analytics (UEBA) features, if available.

The importance of customizing the correlation rules and default reporting cannot be overstated. SIEM vendors ship generic use cases that customers must adapt to the specific reality in which they operate. Failure to customize use cases generates a large number of false positives and generic alarms that are difficult for security staff to manage and, as a result, end up ignored or disregarded. It is recommended to assign a priority to each use case before deploying it, organize use cases into hierarchical families, establish a lifecycle for them (create, tune, retire), and pay attention to their quality.

Once configured, carry out a daily review of security events, so that a security monitoring process is established around your own SIEM platform.

 

The future of SIEM:

Modern SIEM platforms are alive and kicking. A recent Market Guide for Managed SIEM by Gartner notes the increasing uptake in Managed SIEM which “has a compelling adoption rate and increasing customer demand”. It states that “SIEM technologies are becoming more accessible and more mid-security-maturity buyers are entering the market having accelerated their security needs and maturity by adopting cloud-based IT. Gartner expects the market to grow over the next 24 months as an increase in custom application development and SaaS adoption demands the flexibility of a SIEM tool for monitoring purposes.”

Depending on the maturity of your organization, a SIEM solution can deliver the benefits needed to increase visibility into your network, filter massive amounts of data, and detect incidents faster, among others.

If your internal security team is not yet mature, adding more complexity with tools such as a SOAR (Security Orchestration, Automation and Response) platform will not add value to the effectiveness of your protection.

Depending on your organization, a more suitable investment can be the adequate planning of the SIEM implementation and an ongoing process for updating the data sources, so that your log collection does not quickly become incomplete as the environment changes.

I've encountered too many SIEM platforms in my career which were set up and forgotten about. In order to safeguard company information assets a SIEM must be continuously tuned to offer valuable and actionable information over time.

 

Managed Security Information and Event Management (SIEM) by Advantio:

Our Managed SIEM offering can help your organization to speed up incident investigation by automatically triaging alerts and correlating threats to maximize security analyst efficiency and focus.

Our industry-leading SIEM technology for your organization covers on-premises, cloud, and hybrid environments with over 700 use cases. Custom use cases can also cover a wide range of unique data sources to ensure that threats are discovered and resolved more efficiently. All alerts are tagged with the related MITRE ATT&CK framework tactics and techniques.

Please fill in our contact form if you would like to speak to our team about configuring your SIEM for success.


Written by Giorgio di Grazia

I have more than 25 years of information technology experience, with a focus on information security since 2004 (penetration testing, compliance, pre-sales activities, and product management). My technical background includes IT security assessment, IT audit, IT service management, vulnerability management, and the Payment Card Industry Data Security Standard (PCI DSS). I am an enterprising professional, business and commercially aware, who loves to develop knowledge and skills every day to improve the quality of my work.