Are You Letting SIEM do its Job?

Information is power, and Security Information Event Management (SIEM) promises you a lot of information. That’s incredibly tempting.

Most of us already think SIEM seems like a good investment. Collecting and analysing logs from every device on the network should result in better awareness and, most importantly, a more secure infrastructure.

But information alone isn’t power. Awareness isn’t insight. And with thousands, hundreds of thousands, and even millions of alerts every single day, few people are taking full advantage of SIEM. They make a sound investment – but fail to draw out its real value.

In my experience, getting value from SIEM is easier than it sounds. There’s no need to slowly plod through millions of alerts. Instead, ask yourself just three simple questions;

What, Why, and Who

What information has value?

Don’t just collect a mass of data and analyse it randomly. Instead, begin with a clear idea of what it would be useful to know.

Let’s take a common example – a firewall. All too often, there’s a tendency to treat deny logs (the things the firewall blocked) as highly important. But why? These are the times when the firewall did its job.

Instead, when looking at firewall data, we need to know what has entered or exited the network. So, before we start looking at data, we know the most valuable information is what was allowed in and out.

Why does this information matter?

When you’ve decided what information you’re interested in, take a step back and ask yourself why. What is it about these events that are useful? What do they imply, and what insight can they provide into your infrastructure?

Because if you don’t know why you need the data, chances are you don’t need it at all.

Let’s go back to our firewall example. Information about what was allowed in and out provides insight because it shows potential weaknesses. If traffic we’d rather block is coming in or heading out, we can respond accordingly.

Equally, there may be traffic that fits a normal profile, like web packets. But this permitted traffic could be connecting to a server known to carry malware, or using your resources as part of a distributed denial of service (DDoS) botnet. So, as well as identifying weaknesses in our firewall configuration, we also want to collect allowed connections because they may correlate with known threats.

Often, the why is naturally linked to the what. But take time to articulate it anyway. When you know what the point of looking at the SIEM data is, you’ll be ready to spot patterns and potential concerns.

Who is involved in this event?

We already know what subset of data we’re going to look at, and why it makes sense to do so. But here’s the hard part – we need to consider who is involved in the transfer of data.

This is where traditional SIEM tends to fall down, and more recent solutions can take advantage of their integrated nature.

Consider my fictional firewall for one last time. We’ve pulled masses of information on what traffic is being permitted into and out of the network – so we’ve taken a targeted approach that’ll save us time and effort.

But we still need to identify which traffic is legitimate, and which poses a threat.

BlackStratus solutions that include SIEM have access to wider threat intelligence that correlates your data against known malware, exploits, and compromised external hosts. They provide a single tool that can give you the who you need to know, so you don’t just obtain information – you get useful, practical, and actionable insight into it.

Written by