Perfect security is a geographically distributed set of follow-the-sun security operations centers, a large team of security analysts staying on top of every potential threat, and a governance and policy management program that makes compliance an afterthought because you will always pass that audit. This is the ideal situation – but apart from the top one percent of security departments this is a dream and the reality is drastically different.
In the majority of organizations, security departments consist of one administrator trying to stay on top of security updates, manage security products, and deal with basic block and tackling. There is always room to do so much more but there just isn't time.
Security information and event management (SIEM) has long promised to provide that automated, “security operations center (SOC) in a box,” virtual army of security analysts, actionable intelligence, situational awareness, continuous compliance – the buzzwords and the hope goes on and on. But over the years, failed deployments, consultation money pits and time sucking challenges have cast doubt on SIEMs ability to truly fulfill its promised value. There is hope though and there are successes. For smaller security department, careful consideration of SIEM options can bring the relief and capabilities that everyone is looking for.
Embrace the possibilities
When most organizations think about SIEM, they think expensive and time consuming. While that may be true with enterprise SIEM products placed into environments that don't have the capability to manage them, technology does exists for smaller security departments. Without a sophisticated SOC and an army of security analysts, SIEM provides artificial intelligence and automation to emulate those functions without continuous care and monitoring. So to start, know it is possible to strengthen security with intelligent monitoring, gain relief from manual compliance reporting processes and ultimately sleep more soundly at night.
Organizations that take the time to clearly define their objectives for SIEM have a much better chance of selecting the right product and getting it optimized. Key questions to answer before embarking upon budget championing and the vendor selection journey include:
- In priority order, what are the key objectives for adopting a SIEM? These can include compliance reporting, internal monitoring, stronger attack recognition capability, IPS alert validation, and incident response management. It is important to clearly identify the most important use cases for a specific environment because SIEM has infinite possibilities. Prioritizing objectives will help to save time, avoid distraction during the selection process and create a deployment and optimization plan that will succeed.
- What level of interaction is expected with the SIEM product? For overstretched security departments this question is crucial. If the desire is to establish the SIEM as a virtual SOC and allow it to churn through data and identify and prioritize security issues value should be placed on out of the box content, ease of tuning, ease of investigations and powerful visualization.
Don't get distracted by edge use cases
The configuration possibilities and use cases of SIEM are endless. There's no question that highly customized, “might” be useful someday use cases are good to consider but it's also important to be realistic about the level of customization and subsequent time commitment required. If a department is struggling just to keep the security wheels on, focus on the basics that provide great functionality and peace of mind.
Make Action a Priority
Once an issue arises, how is it going to be solved? Most SIEM technologies are passive – pointing out issues so the fully resourced SOC can follow their well laid out, multi-step incident response process, but for the tightly resourced security program there simply isn't the time for this. In addition to the intelligence, efficiency and automation that SIEM can provide, a SIEM solution with action further shrinks time to respond and reduces risk. Evaluate and place a priority on value added functions that can block, quarantine and actively protect the organization – both automatically and on-demand.