Rinse, Wash, Repeat: Defining, Planning and Continuously Improving Your SIEM Strategy

Designing your security information and event management (SIEM) strategy can be very challenging, particularly in complex environments that depend on many systems and stakeholders. For security leaders, it may seem as though this work is never complete. Indeed, maintaining an effective SIEM program requires a cyclical approach of reviewing business objectives, planning detection and response processes, and constantly tweaking the system to account for gaps and future growth.

As shown in the illustration below, a successful SIEM strategy must include well-defined goals, thorough planning, requisite resources and capabilities, and mechanisms to measure effectiveness and promote continuous improvement.

Components of SIEM Strategy

Designing Your SIEM Strategy

To get a better idea of how this cycle impacts the organization’s threat detection and incident response capabilities, let’s take a closer look at the components listed above and outline the steps security professionals must take to build an effective SIEM strategy from the ground up.

Download the 2017 Gartner Critical Capabilities for Security Information and Event Management

Defining Goals

The first step toward designing your SIEM strategy is to establish your cybersecurity goals, which are usually defined in the corporate security policies, procedures and technical standards. Mature organizations may have security operations charters that specify objectives, guiding principles, strategies, and roles and responsibilities for IT professionals.

Your SIEM goals should also align with the corporate vision and mission for cybersecurity. Often this is a balancing act between the organizational mandate and practical outcomes. It is important to continuously identify and communicate risks to senior management through a formal security operations center (SOC) governance program.

Planning Around the Cyberattack Life Cycle

Once the goals are defined, it’s time start planning. An effective SIEM plan includes defense tactics, data sources and collection, reliable threat intelligence and monitoring, and incident response. It must also include a list of resources and capabilities, and a process to monitor and improve upon gaps and inefficiencies.

When planning your SIEM strategy, your top priority should be to identify a reference framework for cyberdefense. This means understanding the stages of the cyberattack life cycle. The table below outlines five models security professionals commonly reference to understand cybercriminal techniques and tactics during a breach.

Step 1

Reconnaissance

Initial Reconnaissance

External Reconnaissance

Reconnaissance

Internal and External Threats

Step 2

Weaponization

Initial Compromise

Penetration

Weaponization and Delivery

Existing Access and Perimeter Compromise

Step 3

Delivery

Establish Foothold

Foothold

Exploitation

Escalate Privileges

Step 4

Exploitation

Escalate Privileges

Internal Reconnaissance

Installation

Perform Reconnaissance

Step 5

Installation

Internal reconnaissance

Lateral Movement

Command and Control

Move Laterally

Step 6

Command and Control

Move Laterally

Data Collection

Actions on the Objective

Exfiltrate Data

Step 7

Actions on Objectives

Maintain Presence

Data Exfiltration

Disrupt Business

Step 8

Complete Mission

Damage

Step 9

Self-Destruct

Source

Lockheed Martin

Mandiant Consulting

Cybereason

Cyberpedia

Cyberark

Cyberthreats can lurk on networks for days, months or even years. That’s why it’s important to monitor threats not just during an attack, but throughout all stages of the attack life cycle. Ideally, cyberattacks are detected and thwarted during the initial stages, but an effective SIEM can respond to malicious activity at any point during the life cycle. However, response efforts are much more resource- and skill-intensive during the later stages.

It’s also important to plan time for monitoring and responding to threats. The coverage decision is based on the size of the organization and the criticality of business transactions. The monitoring and response plan should consider the organization’s goals and the resources available. The time window should be based on the threat rate, handling time, target response time, target service level, rate of organizational growth, technological maturity and other factors.

Download the 2017 Gartner Critical Capabilities for Security Information and Event Management

Threat Intelligence Resources and Analysis Capabilities

The next activity is to rigorously plan for and prioritize data sources and data collection. The prioritization of the log source onboarding depends on the criticality of the asset and the organization’s event collection capabilities. The three key considerations for log source onboarding are:

  1. Event collection capabilities and the strategy for hosting event collectors according to the network and the organization’s security architecture;
  2. Asset criticality and prioritization; and
  3. Regulations that require certain logs to be maintained and reviewed.

Knowledge about threats, their evolution and their relevance to the organization’s environment is crucial. Structured threat data enables security analysts to spend less time searching and analyzing threats. The key to advanced threat detection, however, is buried beneath layers of unstructured data. Cogitive security solutions can help analysts reduce the time it takes to research unstructured information and minimize false positives. These tools search the web for threat intelligence and correlate it with structured information for effective insights into threats.

While threat intelligence is a certainly key component of any good SIEM strategy, it is not sufficient by itself. Organizations looking to build robust cyberdefense capabilities need a defined process for proactive threat hunting and analysis. This enables security teams to identify threats that may circumvent security solutions deployed in the environment.

The use of machine learning can help analysts navigate through the large volumes of data and make faster, more accurate decisions during threat hunting activities. Efficiency is crucial since resources for performing threat analysis are often limited. The process involves formulating statistical hypothesis testing, investigating threats, discovering patterns, making inferences and accepting or rejecting the hypothesis accordingly. Machine learning algorithms require security professionals to have complex analytical skills. However, organizations can also opt to use threat hunting tools, which are commercially available and more user-friendly.

Evaluating Use Cases to Measure Effectiveness

Measuring the effectiveness of an SIEM solution starts with defining metrics and key performance indicators (KPIs) that align with business goals. Organizations can define the metrics and KPIs for prioritized focus areas rather than looking at the entire SIEM environment. These focus areas should be identified based on the risks, priorities and resources available.

The compilation of use cases represents another key activity in the SIEM strategy. The use case design should be methodical and aligned with business goals and capabilities. It should also include inputs from business stakeholders. During this stage, the formal use case life cycle is established to ensure that the defined cases are relevant and support the organization’s mission.

Fostering a Culture of Continuous Improvement

The threat landscape is constantly evolving and growing more complex. It is insufficient to simply deploy an SIEM solution — organizations must continuously improve their capabilities to keep pace with increasingly sophisticated cybercriminal techniques.

The metrics and KPIs set the tone for this continuous improvement. SOC managers should define a periodic plan for assessing and reviewing the deployment against business goals. This can also be a part of formal governance activities that are periodically performed as part of security operations.

Choosing the Right SIEM Solution

Selecting the right SIEM product is no easy task. Gartner’s Magic Quadrant for SIEM is a good starting point to help security leaders monitor market trends while they shop for the best solution to serve their organization’s needs.

When evaluating SIEM tools, security teams should look for solutions that:

  • Align with the organization’s defined goals and budget.
  • Prioritize data sources and events.
  • Account for organizational growth.
  • Support log onboarding for most systems.
  • Deliver services as hardware, software or cloud-based resources.
  • Support third-party threat intelligence feeds.
  • Support regulatory compliance efforts through reporting, use cases and forensics.
  • Enable faster detection with data analysis and visualization capabilities.
  • Deliver behavior profiling and anomaly detection capabilities.

Embracing a Platform Approach

With the right integrations, your SIEM system can dramatically reduce the effort and time required to respond to security events. Platform-based solutions integrate various products to provide better visibility and reporting. This platform approach streamlines the incident response process by delivering advanced analytical information and prioritizing relevant threats.

For example, an SIEM integrated with a vulnerability management system, network risk manager, incident response tool, log manager and configuration management database can provide security analysts with valuable structured data to help them contextualize threats accurately and efficiently. Analysts can use the extra time to research unstructured data, which is mostly a manual activity.

Behavioral Analytics and Anomaly Detection

While rule-based SIEM deployments are static in nature, modern systems are dynamic and able to identify suspicious activity in real time. Detecting advanced persistent threats (APTs) is next to impossible with a static SIEM configuration. Behavioral analytics and anomaly detection are crucial to help security professionals spot unusual patterns and abnormal traffic.

You Get What You Give

An SIEM strategy is only as good as the technology that surrounds it and as efficient as the analysts and processes that execute it. It’s neither a one-size-fits-all solution nor a magic bullet to solve all your security woes — it requires significant elbow grease from both security professionals and business executives to be effective. However, a strong SIEM strategy, complete with well-defined goals, careful planning, prioritized threat intelligence, regular reviews and a culture of continuous improvement, will repay your efforts tenfold and drastically reduce the time it takes to analyze and respond to threats lurking on your network.

Download the 2017 Gartner Critical Capabilities for Security Information and Event Management

Share this Article:
Tousif Syed

Senior Managing Consultant, IBM

Senior security professional with experience in information security, infrastructure security, cyber risk advisory, regional business planning and development, practice management, competency growth, service delivery, managing customer relations, leading teams, executing large and complex projects and designing new service offerings/ products