Designing your security information and event management (SIEM) strategy can be very challenging, particularly in complex environments that depend on many systems and stakeholders. For security leaders, it may seem as though this work is never complete. Indeed, maintaining an effective SIEM program requires a cyclical approach of reviewing business objectives, planning detection and response processes, and constantly tweaking the system to account for gaps and future growth.
As shown in the illustration below, a successful SIEM strategy must include well-defined goals, thorough planning, requisite resources and capabilities, and mechanisms to measure effectiveness and promote continuous improvement.
Designing Your SIEM Strategy
To get a better idea of how this cycle impacts the organization’s threat detection and incident response capabilities, let’s take a closer look at the components listed above and outline the steps security professionals must take to build an effective SIEM strategy from the ground up.
Download the 2017 Gartner Critical Capabilities for Security Information and Event Management
Defining Goals
The first step toward designing your SIEM strategy is to establish your cybersecurity goals, which are usually defined in the corporate security policies, procedures and technical standards. Mature organizations may have security operations charters that specify objectives, guiding principles, strategies, and roles and responsibilities for IT professionals.
Your SIEM goals should also align with the corporate vision and mission for cybersecurity. Often this is a balancing act between the organizational mandate and practical outcomes. It is important to continuously identify and communicate risks to senior management through a formal security operations center (SOC) governance program.
Planning Around the Cyberattack Life Cycle
Once the goals are defined, it's time to start planning. An effective SIEM plan covers defense tactics, data sources and collection, reliable threat intelligence and monitoring, and incident response. It must also list the resources and capabilities required, and define a process for finding and closing gaps and inefficiencies.
When planning your SIEM strategy, your top priority should be to identify a reference framework for cyberdefense. This means understanding the stages of the cyberattack life cycle. The table below outlines five models security professionals commonly reference to understand cybercriminal techniques and tactics during a breach.
| Step | Lockheed Martin | Mandiant Consulting | Cybereason | Cyberpedia | Cyberark |
|---|---|---|---|---|---|
| 1 | Reconnaissance | Initial Reconnaissance | External Reconnaissance | Reconnaissance | Internal and External Threats |
| 2 | Weaponization | Initial Compromise | Penetration | Weaponization and Delivery | Existing Access and Perimeter Compromise |
| 3 | Delivery | Establish Foothold | Foothold | Exploitation | Escalate Privileges |
| 4 | Exploitation | Escalate Privileges | Internal Reconnaissance | Installation | Perform Reconnaissance |
| 5 | Installation | Internal Reconnaissance | Lateral Movement | Command and Control | Move Laterally |
| 6 | Command and Control | Move Laterally | Data Collection | Actions on the Objective | Exfiltrate Data |
| 7 | Actions on Objectives | Maintain Presence | Data Exfiltration | | Disrupt Business |
| 8 | | Complete Mission | Damage | | |
| 9 | | | Self-Destruct | | |
Cyberthreats can lurk on networks for days, months or even years. That's why it's important to monitor for threats not just during the initial intrusion, but throughout every stage of the attack life cycle. Ideally, an attack is detected and thwarted in its early stages, but an effective SIEM should be able to surface malicious activity at any point in the life cycle. Bear in mind, however, that response efforts become far more resource- and skill-intensive in the later stages, once an attacker has escalated privileges and moved laterally.
It's also important to plan the coverage hours for monitoring and responding to threats. The coverage decision depends on the size of the organization and the criticality of its business transactions, and the monitoring and response plan must be realistic about the organization's goals and the resources available. The coverage window should be derived from the expected threat rate, handling time per event, target response time, target service level, rate of organizational growth, technological maturity and similar factors.
Threat Intelligence Resources and Analysis Capabilities
The next activity is to rigorously plan for and prioritize data sources and data collection. The prioritization of the log source onboarding depends on the criticality of the asset and the organization’s event collection capabilities. The three key considerations for log source onboarding are:
- Event collection capabilities and the strategy for hosting event collectors according to the network and the organization’s security architecture;
- Asset criticality and prioritization; and
- Regulations that require certain logs to be maintained and reviewed.
Knowledge about threats, their evolution and their relevance to the organization's environment is crucial. Structured threat data (indicators, feeds, enrichment) lets security analysts spend less time searching for and analyzing threats. Much of the context needed for advanced threat detection, however, is buried in unstructured sources such as reports, advisories and blogs. Cognitive security solutions can help analysts reduce the time it takes to research this unstructured information and weed out false positives. These tools search the web for threat intelligence and correlate it with the structured data already in the SIEM to produce more effective insights into threats.
While threat intelligence is certainly a key component of any good SIEM strategy, it is not sufficient by itself. Organizations looking to build robust cyberdefense capabilities need a defined process for proactive threat hunting and analysis. This enables security teams to identify threats that have circumvented the security solutions deployed in the environment and therefore never triggered an alert.
Machine learning can help analysts navigate large volumes of data and make faster, more accurate decisions during threat hunting. Efficiency is crucial, since the resources available for threat analysis are usually limited. A hunt follows a hypothesis-driven process: formulate a testable hypothesis about attacker activity, gather and investigate the relevant data, look for patterns, draw inferences and accept or reject the hypothesis accordingly. Applying machine learning algorithms directly requires strong analytical and statistical skills; organizations without those skills in-house can opt for commercially available threat hunting tools, which package the same techniques in a more user-friendly form.
Evaluating Use Cases to Measure Effectiveness
Measuring the effectiveness of an SIEM solution starts with defining metrics and key performance indicators (KPIs) that align with business goals. Organizations can define the metrics and KPIs for prioritized focus areas rather than looking at the entire SIEM environment. These focus areas should be identified based on the risks, priorities and resources available.
The compilation of use cases represents another key activity in the SIEM strategy. The use case design should be methodical and aligned with business goals and capabilities. It should also include inputs from business stakeholders. During this stage, the formal use case life cycle is established to ensure that the defined cases are relevant and support the organization’s mission.
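The following is an added example, not code from the original article or from IBM: it sketches how a SOC might track the two things these sections describe, a use case catalogue mapped to the attack life cycle phases in the table above (the Lockheed Martin column is used here), and the detection and response KPIs measured against target service levels. Every use case, log source, target time and incident record below is constructed for illustration.

```python
"""Added example (not from the original article): a minimal SIEM use case
catalogue mapped to attack life cycle phases, plus the KPI arithmetic a SOC
would run over its incident records. All names, phases, use cases, targets
and incident records below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Phases of the Lockheed Martin kill chain, as listed in the article's table.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Constructed use case catalogue: name -> (phase, log sources it needs).
USE_CASES = {
    "External port scan against DMZ": ("Reconnaissance", {"firewall"}),
    "Macro-enabled attachment delivered": ("Delivery", {"email-gateway"}),
    "Office spawning cmd/powershell": ("Exploitation", {"edr"}),
    "New service created on server": ("Installation", {"windows-security"}),
    "Beaconing to rare external domain": ("Command and Control", {"proxy", "dns"}),
}

# Constructed targets per severity: (hours to detect, hours to contain).
TARGETS = {"high": (1, 4), "medium": (8, 24), "low": (72, 168)}


def coverage_gaps(use_cases, phases=KILL_CHAIN):
    """Phases with no use case at all, so the backlog can be prioritised."""
    covered = {phase for phase, _ in use_cases.values()}
    return [p for p in phases if p not in covered]


def missing_log_sources(use_cases, onboarded):
    """Use cases that cannot fire because a required source is not onboarded."""
    return sorted(name for name, (_, sources) in use_cases.items()
                  if not sources <= onboarded)


def kpis(incidents, targets=TARGETS):
    """Mean time to detect (occurred -> detected) and mean time to respond
    (detected -> contained) per severity, plus the fraction of incidents that
    missed either target for that severity."""
    by_sev = defaultdict(list)
    for inc in incidents:
        ttd = (inc["detected"] - inc["occurred"]).total_seconds() / 3600
        ttr = (inc["contained"] - inc["detected"]).total_seconds() / 3600
        by_sev[inc["severity"]].append((ttd, ttr))
    out = {}
    for sev, pairs in by_sev.items():
        t_det, t_res = targets[sev]
        missed = sum(1 for d, r in pairs if d > t_det or r > t_res)
        out[sev] = {
            "mttd_h": round(mean([d for d, _ in pairs]), 2),
            "mttr_h": round(mean([r for _, r in pairs]), 2),
            "sla_miss_rate": round(missed / len(pairs), 2),
        }
    return out


# Constructed incident records (timestamps are illustrative, not real data).
T0 = datetime(2017, 9, 1, 8, 0)
INCIDENTS = [
    {"severity": "high", "occurred": T0, "detected": T0 + timedelta(minutes=30),
     "contained": T0 + timedelta(hours=2)},
    {"severity": "high", "occurred": T0, "detected": T0 + timedelta(hours=3),
     "contained": T0 + timedelta(hours=5)},
    {"severity": "medium", "occurred": T0, "detected": T0 + timedelta(hours=4),
     "contained": T0 + timedelta(hours=12)},
]

if __name__ == "__main__":
    print("uncovered phases:", coverage_gaps(USE_CASES))
    print("blocked use cases:",
          missing_log_sources(USE_CASES, {"firewall", "edr", "proxy"}))
    print("kpis:", kpis(INCIDENTS))
```

Running it shows the two kinds of gap the sections above ask you to manage: phases with no detection at all (Weaponization and Actions on Objectives in this catalogue) and use cases that exist on paper but cannot fire because a log source has not been onboarded. The KPI output is what the periodic governance review compares against the targets.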
Fostering a Culture of Continuous Improvement
The threat landscape is constantly evolving and growing more complex. It is insufficient to simply deploy an SIEM solution — organizations must continuously improve their capabilities to keep pace with increasingly sophisticated cybercriminal techniques.
The metrics and KPIs set the tone for this continuous improvement. SOC managers should define a periodic plan for assessing and reviewing the deployment against business goals. This can also be a part of formal governance activities that are periodically performed as part of security operations.
Choosing the Right SIEM Solution
Selecting the right SIEM product is no easy task. Gartner’s Magic Quadrant for SIEM is a good starting point to help security leaders monitor market trends while they shop for the best solution to serve their organization’s needs.
When evaluating SIEM tools, security teams should look for solutions that:
- Align with the organization’s defined goals and budget.
- Prioritize data sources and events.
- Account for organizational growth.
- Support log onboarding for most systems.
- Deliver services as hardware, software or cloud-based resources.
- Support third-party threat intelligence feeds.
- Support regulatory compliance efforts through reporting, use cases and forensics.
- Enable faster detection with data analysis and visualization capabilities.
- Deliver behavior profiling and anomaly detection capabilities.
Embracing a Platform Approach
With the right integrations, your SIEM system can dramatically reduce the effort and time required to respond to security events. Platform-based solutions integrate various products to provide better visibility and reporting. This platform approach streamlines the incident response process by delivering advanced analytical information and prioritizing relevant threats.
For example, an SIEM integrated with a vulnerability management system, network risk manager, incident response tool, log manager and configuration management database can provide security analysts with valuable structured data to help them contextualize threats accurately and efficiently. Analysts can use the extra time to research unstructured data, which is mostly a manual activity.
Behavioral Analytics and Anomaly Detection
Rule-based SIEM deployments are static: a rule only fires on the exact condition someone thought to write. Modern systems add dynamic detection that identifies suspicious activity as it happens, and detecting advanced persistent threats (APTs), whose activity is deliberately kept below fixed thresholds, is extremely difficult with static rules alone. Behavioral analytics and anomaly detection are therefore crucial to help security professionals spot unusual patterns and abnormal traffic. They are not a replacement for rules, however: a baseline must be built from enough clean history, and an anomaly is a lead for an analyst to investigate, not proof of compromise, so these detections also need tuning and context to keep false positives manageable.
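The following is an added example, not code from the original article or from IBM: it runs the same constructed data through a static threshold rule and through a per-user behavioral baseline, and so illustrates both the rule-versus-anomaly contrast in this section and the hypothesis-driven hunting described earlier (the baseline check is a test of the hypothesis "today's value comes from the same distribution as this user's history"). The users, byte counts, threshold and z-score cutoff are all constructed and illustrative.

```python
"""Added example (not from the original article): the same constructed
events checked by a static rule and by a per-user behavioural baseline,
to show what rule-based versus anomaly-based detection means in practice.
Users, daily byte totals, threshold and cutoff are all constructed."""
from statistics import mean, pstdev

# Constructed daily outbound-byte totals per user (MB): 14 days of history
# followed by the day under review. 'mallory' exfiltrates under the static
# threshold; 'alice' has one large but (we assume) legitimate day.
BASELINE = {
    "alice":   [40, 45, 42, 38, 50, 44, 41, 39, 43, 46, 40, 44, 42, 41],
    "bob":     [5, 6, 4, 5, 7, 5, 6, 5, 4, 6, 5, 5, 6, 5],
    "mallory": [5, 5, 6, 5, 4, 6, 5, 5, 6, 5, 4, 5, 6, 5],
}
TODAY = {"alice": 80, "bob": 6, "mallory": 90}

STATIC_THRESHOLD_MB = 100   # a typical "alert on more than 100 MB/day" rule


def static_rule(today, threshold=STATIC_THRESHOLD_MB):
    """Classic SIEM rule: fixed threshold, same for every user."""
    return sorted(u for u, mb in today.items() if mb > threshold)


def baseline_anomalies(baseline, today, z_threshold=3.0, min_sigma=1.0):
    """Flag users whose value today lies more than z_threshold standard
    deviations above their own history (a one-sided z-test of the
    hypothesis that today matches the baseline). min_sigma stops a
    near-constant history from turning every tiny change into an alert."""
    flagged = {}
    for user, history in baseline.items():
        mu = mean(history)
        sigma = max(pstdev(history), min_sigma)
        z = (today[user] - mu) / sigma
        if z > z_threshold:
            flagged[user] = round(z, 1)
    return flagged


def compare(baseline=BASELINE, today=TODAY):
    """Side by side: what the static rule and the baseline each produce."""
    return {"static": static_rule(today),
            "baseline": baseline_anomalies(baseline, today)}


if __name__ == "__main__":
    print(compare())
```

On this data the static rule fires on nobody (90 MB is under the threshold), while the baseline flags mallory with a very large deviation and also flags alice, whose 80 MB day is far outside her own history. The second hit is exactly the kind of anomaly that needs analyst context before it becomes an incident, which is why the section above treats behavioral detection as a complement to rules rather than a replacement.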
You Get What You Give
An SIEM strategy is only as good as the technology that surrounds it and as efficient as the analysts and processes that execute it. It’s neither a one-size-fits-all solution nor a magic bullet to solve all your security woes — it requires significant elbow grease from both security professionals and business executives to be effective. However, a strong SIEM strategy, complete with well-defined goals, careful planning, prioritized threat intelligence, regular reviews and a culture of continuous improvement, will repay your efforts tenfold and drastically reduce the time it takes to analyze and respond to threats lurking on your network.
Senior Managing Consultant, IBM