Principles for SIEM Operational Processes and Architecture
by Dave Westbrook
Security information and event management (SIEM) is one of the most important parts of an organisation's Security Operations Centre (SOC). A SIEM collects data from various sources, analyses it to detect incidents, generates alerts, enforces policies, and reports on the status of an organisation's cyber security posture. It does this by using a rules engine to process log files and other IT infrastructure events that are delivered in near real time from different data sources such as firewalls.
SIEM tools can be implemented at any phase of an organisation's growth cycle because they provide customisable solutions. SIEM functionality enables organisations to collect logs from multiple sources in their environment and transform them into actionable intelligence. SIEM also provides an in-depth view for a holistic cyber security strategy. It plays a vital role in detecting advanced threats and providing an effective incident response to attacks such as reconnaissance, scanning, exploitation of vulnerabilities, and lateral movement.
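As an added illustration of the rules-engine model described above (example code written for this article, not a Datamango product or any vendor's SIEM), the block below runs one correlation rule over constructed firewall deny logs in a simplified key=value layout, flagging a source that probes many distinct ports on one host within a short window; the threshold and window are the knobs an analyst tunes to balance detection of scanning against false positives.

```python
"""Minimal SIEM-style correlation rule over firewall logs (constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall lines in a simplified key=value layout (not a real vendor format).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z action=deny src=10.0.0.5 dst=10.0.1.10 dport=22
2024-05-01T10:00:02Z action=deny src=10.0.0.5 dst=10.0.1.10 dport=23
2024-05-01T10:00:03Z action=deny src=10.0.0.5 dst=10.0.1.10 dport=80
2024-05-01T10:00:04Z action=deny src=10.0.0.5 dst=10.0.1.10 dport=443
2024-05-01T10:00:05Z action=deny src=10.0.0.5 dst=10.0.1.10 dport=3389
2024-05-01T10:00:06Z action=allow src=10.0.0.7 dst=10.0.1.20 dport=443
2024-05-01T10:05:00Z action=deny src=10.0.0.9 dst=10.0.1.10 dport=22
2024-05-01T10:09:00Z action=deny src=10.0.0.9 dst=10.0.1.10 dport=23""".splitlines()

LINE_RE = re.compile(r"^(\S+) action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse(line):
    """Return (ts, action, src, dst, dport) or None for a line the parser cannot read."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, action, src, dst, dport = m.groups()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), action, src, dst, int(dport)


def detect(lines, threshold=5, window_s=60):
    """Port-scan rule: one source denied to >= threshold distinct ports on one host within window_s.
    The threshold and window are the knobs an analyst tunes to keep false positives down."""
    events = sorted((e for e in map(parse, lines) if e is not None), key=lambda e: e[0])
    window = timedelta(seconds=window_s)
    recent = defaultdict(list)  # (src, dst) -> [(ts, dport), ...] inside the sliding window
    fired, alerts = set(), []
    for ts, action, src, dst, dport in events:
        if action != "deny":
            continue  # the rule only correlates blocked connection attempts
        key = (src, dst)
        recent[key] = [(t, p) for t, p in recent[key] if ts - t <= window] + [(ts, dport)]
        ports = sorted({p for _, p in recent[key]})
        if len(ports) >= threshold and key not in fired:  # alert once per source/host pair
            fired.add(key)
            alerts.append({"rule": "port-scan", "src": src, "dst": dst,
                           "ports": ports, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Raising the threshold or shortening the window suppresses the alert for the same input, which is the trade-off the text refers to when it talks about the cost of false positives.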
It is important for organisations to have the right SIEM operational processes and architecture in place before deploying SIEM tools in their environment. Operational processes include planning the installation, configuration and operation of SIEM infrastructure. They also involve risk assessment and ongoing performance monitoring, with support from consulting partners or a SIEM vendor during critical phases such as initial rollout, implementation and operations. SIEM architecture is used to guide design decisions on infrastructure such as SIEM data sources, rules and alerts. It also protects against disruptive events by implementing high availability strategies through clustering or replication of SIEM information stores (i.e. databases).
SIEM helps enterprises detect compromises quickly, perform root cause analysis on incidents at speed, and reduce the cost of investigating false positives generated by events.
Security Information and Event Management Operational Processes
Conduct a risk assessment with your leadership team that identifies the threats faced by the organisation, the assets that are valuable to the organisation's operation, the risks associated with those assets, and the level of protection required for each asset. Perform a gap analysis between the cyber security controls in place and the risks identified during the risk assessment.
Perform cross-impact and scenario analysis for alerts and work with your SIEM vendors to initiate design, implementation, testing and validation of the SIEM infrastructure before beginning the SIEM operational process. This is also called the proof of concept (PoC) phase. Establish a team comprising system engineers, security architects, auditors, and data scientists that will perform ongoing SIEM monitoring and maintenance tasks. Develop an Incident Response Plan (IRP) at this stage, because it captures what to do in case of a security breach so that breaches can be managed effectively.
Leadership teams should form a Cyber Security Policy Council (CSPC) for creating an organisational cyber security strategy and defining how each department within the organisation works towards protecting the organisation's cyber assets. SIEM should play a key role in this council by providing visibility into cyber attacks and vulnerabilities within the organisation.
Additionally, SIEM operational processes include continuous training pertaining to low-level events, alerts and reporting formats.
Management teams should use the performance metrics generated by SIEM tools during the operation phase to identify security issues within a deployment and the need for change or additional investment to improve SIEM effectiveness. It is important to note that continuously improving the infrastructure through new software releases, hardware upgrades or other security technologies enhances the value of existing SIEM deployments.
In order to keep up with threats, SIEM solutions must be able to detect and respond to cyber attacks in real time. SIEM architecture supports operational processes by providing infrastructure, management tools and information stores (databases) for storing data, and should adhere to ISO 27001 at a minimum. The architecture should be reviewed at least annually, or whenever the SIEM solution is updated, to ensure the infrastructure is optimised.
Engaging with SIEM Consultants
Consulting firms can assist customers with cyber security strategy and with the design and implementation of SIEM tools within an organisation. It is important that consultancy services provided by vendors do not create conflicts of interest, because vendors often provide products and maintenance support for installations as well as consulting services. Best practices for SIEM consultancy include:
- Engaging third-party consultants as well as internal IT team members to avoid audit failures due to vendor lock-in.
- Consulting partners must sign NDAs to prevent confidential information from being shared with others, unless the process for doing so has been clearly described by the consulting partners in the SIEM consulting contract.
- Management teams must follow up with consultants on how well the SIEM architecture supports ongoing operational processes, because SIEM remains a critical tool for cyber security operations.
Datamango works with internationally renowned partners to deliver effective and reliable SIEM deployments. Contact us to find out more.