SIEM success patterns – How to get it right!
One of the things I love about machine data is that it can be used in so many ways. Interestingly enough, over the years I have observed a common pattern in organizations that have been successful with SIEM. The implementation of a cyber defence center should serve to increase security maturity, strengthen cyber security skills and security intelligence, and enable organisations to successfully stop complex attacks (not just malware!) and better protect customer data and the overall business. Yet in the past I have been called in to meet with prospects regarding failed SIEM deployments, and it doesn’t matter which traditional vendor it is: there are always similar patterns.
What are the patterns of a failed SIEM deployment?
The pattern generated by all failed SIEM deployments points to both an absence of purpose and a lack of human resources. This is not something fancy or new – the WHY a SIEM was bought and WHAT it aimed to do were missing from the beginning. The focus might initially have been: we think we need a SIEM, we want to send “all” our logs into it, and we hope that one of the different SIEM solutions we evaluate generates magic insights that solve all our problems. You can also translate a desire for magic insights into: which of the SIEMs evaluated creates the nicest dashboards and the most alerts for the data sources we send in. During the evaluation phase it might look nice to have all the dashboards populated and the data hashed with the latest SHA hashing algorithm with a 1:XX compression ratio. You might also see that one vendor has 100 correlation searches and 20 compliance packs available to purchase, whereas others only have 500 correlations out of the box and no compliance packs available. It all sounds good so far – however, these parameters might not directly link to a successful SIEM project.
What are the patterns of a successful SIEM deployment?
Luckily, the first step to a successful SIEM deployment is something everyone can achieve, and it’s not as difficult as you think. The best part is that it’s not something new either: Anton Chuvakin from Gartner has been talking about it from practical experience for years. “You need to know your security use case first”, which turns into: “You need low volume, high value Alerts” (1) with the right processes and people around to support it. Such low volume, high value alerts do not need to be super fancy or have the latest zero day exploit detection capability.
One key element of success is that when you set up your use case or first see your alert in action, you have a defined playbook response ready to use. If you aren’t able to define a response process or detail what to do with such an event in advance (you might hear someone saying: “it all depends”) – how is a SOC Tier 1/2 analyst going to know better on a Sunday at 5pm? If this isn’t available, you should go back to the drawing board and check whether the SIEM is being used for the right purpose.
Another thing to mention is that just because a use case is perfect for another organization, it doesn’t mean that this use case/playbook/response is the right one for you as well! You might have a different IT culture, different security strategy and policies; you are also likely to have a different level of security maturity. There is also a strong likelihood that you have different operational processes as well as different budgets and people. That’s why I think the best use case is one you develop on your own!
If you don’t know about any security challenges and you have complete security visibility over your organization – you might not need a SIEM today!
However, I wouldn’t write this if I hadn’t seen multiple SIEM use cases that are valuable and might work across a broad range of organisations:
- Privileged User Monitoring
  - Why: Attackers who have made their way into an organization and are looking to expand always look for access to more privileges. If you need to get into an organization – an admin account is your first choice. So do you monitor the activity of your database and Active Directory admin accounts in your environment? When and from which system do they initiate changes? Do you even know which users of HR/Finance/CRM applications have admin access and are able to create and authorize new users and change payroll details? This is quite a simple question, but it is sometimes very hard to answer. It demonstrates that Privileged User Monitoring can go beyond focusing on IT. Technical areas like firewall admin accounts, Active Directory admins and Linux root users can often be monitored very easily, but it’s when you go up the stack to the business, or at least to other departments, that extra scrutiny is required. Unauthorized access to a finance application might be treated as a higher risk than unauthorized access to a Linux server hosting your intranet.
  - Response Process: If unusual activity has been detected – do you know how to respond? If at 5pm on a Sunday admin activity is detected without any proper change request in place – can the account just be disabled? One other nice idea I have observed is that, instead of informing the SOC Team of such activity, it might be more valuable to inform the manager of the Finance Application via e-mail. That individual might have better insight into whether this activity is ok or not. He can be your Tier 1 and then escalate to the SOC Team as required.
  - My recommendation: Start with the privileged users in your department that you know of. Create the proper procedures and playbooks so you learn more detail. Then go down the stack and start with the most critical business applications (interview HR/Finance/Management to find out what tools they use) – identify how they work and operate, and add those step by step to your use case.
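The Sunday 5pm scenario above as a minimal detection, added here as an illustration and not taken from the original post or from Splunk: privileged activity with no covering change request yields one alert per account, host and day, routed to the application owner first. The account names, hosts, addresses, change windows and events are constructed sample data.

```python
from datetime import datetime

# Constructed inventory: privileged account -> (application, first contact).
PRIVILEGED = {
    "fin_admin": ("finance-app", "finance-manager@example.com"),
    "ad_admin": ("active-directory", "soc@example.com"),
}

# Constructed change requests: (account, window start, window end).
CHANGES = [
    ("ad_admin", datetime(2024, 3, 9, 8, 0), datetime(2024, 3, 9, 12, 0)),
]

# Constructed events: (timestamp, account, source host, action).
EVENTS = [
    (datetime(2024, 3, 9, 9, 30), "ad_admin", "dc01", "group_member_added"),
    (datetime(2024, 3, 10, 17, 2), "fin_admin", "ws-114", "user_created"),
    (datetime(2024, 3, 10, 17, 5), "fin_admin", "ws-114", "payroll_changed"),
    (datetime(2024, 3, 10, 17, 6), "jdoe", "ws-020", "login"),
]


def covered_by_change(account, ts, changes):
    """True if an approved change window for this account contains ts."""
    return any(a == account and start <= ts <= end for a, start, end in changes)


def unapproved_admin_activity(events, privileged, changes):
    """One alert per (account, host, day) to keep volume low and value high."""
    alerts = {}
    for ts, account, host, action in sorted(events):
        if account not in privileged or covered_by_change(account, ts, changes):
            continue  # not a privileged account, or the change was approved
        app, owner = privileged[account]
        alert = alerts.setdefault((account, host, ts.date()), {
            "account": account, "application": app, "host": host,
            "first_seen": ts, "actions": [], "notify": owner,
        })
        alert["actions"].append(action)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in unapproved_admin_activity(EVENTS, PRIVILEGED, CHANGES):
        print(alert)
```

The two finance events collapse into a single alert addressed to the application owner, while the Active Directory change inside its approved window raises nothing.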
Do you want to learn more about use cases? We have documented five of them. Also ask your favorite Splunk Sales Manager about a Security Use Case discovery workshop! We’re here to help you succeed with your custom use case!
More useful links on the topic:
- Starting A SIEM Project from Vendor Use Case Content: WIN or FAIL? – Anton Chuvakin – Gartner Blog
- SIEM Use Case Implementation and Tuning Process – Anton Chuvakin – Gartner Blog
- SIEM Use Case Discovery – Anton Chuvakin – Gartner Blog
(1) Quote by JohnLewis