{"id":493,"date":"2022-12-15T14:00:10","date_gmt":"2022-12-15T14:00:10","guid":{"rendered":"https:\/\/pc-keeper.tech\/index.php\/2022\/12\/15\/advancing-an-organizations-siem-ieee-computer-society\/"},"modified":"2022-12-15T14:00:10","modified_gmt":"2022-12-15T14:00:10","slug":"advancing-an-organizations-siem-ieee-computer-society","status":"publish","type":"post","link":"https:\/\/pc-keeper.tech\/index.php\/2022\/12\/15\/advancing-an-organizations-siem-ieee-computer-society\/","title":{"rendered":"Advancing an Organization\u2019s SIEM | IEEE Computer Society"},"content":{"rendered":"<div>\n<p style=\"color: #454545; font-size: 18px; font-family: Open Sans; font-weight: 400; line-height: 1.7em;\">One of the most valuable tools available to security teams is Security Information and Event Management (SIEM), which combines security event management with security information management to provide real-time monitoring, analysis, correlation, and retention of security data. A SIEM helps detect and respond to threats by collecting and analyzing log and incident data, and it supplies the audit trail that compliance programs require. Many organizations, however, lack an effective SIEM deployment strategy and never realize the full benefit of the tool. 
Given the number of possible use cases and the volume and complexity of SIEM operating variables, such organizations are likely to remain exposed and dissatisfied with their deployments. It is tempting to compensate with a strategy that tries to cover every security use case at once, but no team can meet every organizational goal, even with a fully exploited SIEM. It is usually more effective to target the use cases that give the best tactical advantage over the organization\u2019s adversaries; that focus is what turns a deployment into a strategy for the organization\u2019s overall security mission.<\/p>\n<p>\u00a0<\/p>\n<h2 style=\"color: #002855; font-size: 24px; font-family: Montserrat; font-weight: 500; line-height: 29px;\">Explaining SIEM<\/h2>\n<hr style=\"text-align: left; width: 30%; height: 3px; color: #ffa300; background-color: #ffa300; border: none;\"\/>\n<p style=\"color: #454545; font-size: 18px; font-family: Open Sans; font-weight: 400; line-height: 1.7em;\">According to Gartner, SIEM is \u201ca technology that supports threat detection and security incident response through the real-time collection and historical analysis of security events from a wide variety of event and contextual data sources.\u201d SIEM products are sold and marketed as tools that can do anything and everything for security. In reality, a SIEM is not a repository into which data can be sent without a specific purpose attached. Therein lies the real challenge: many practitioners do not know what to do with the data once it is collected, or how to consume it for security purposes. A SIEM can ingest large amounts of data, but, like any security platform, its value depends on a deployment strategy. 
Much of the complexity of a rollout can be removed by first listing the use cases that need to be solved. The selected use cases determine the deployment approach and a roadmap for adoption and data ingestion. For example, if a use case is \u201calerting on multiple failed login attempts,\u201d the Windows Security event log must be ingested (failed logons are recorded there as Event ID 4625 and successful logons as 4624), along with whatever other authentication sources are in scope.<\/p>\n<p>\u00a0<\/p>\n<h2 style=\"color: #002855; font-size: 24px; font-family: Montserrat; font-weight: 500; line-height: 29px;\">Identifying SIEM strategies<\/h2>\n<hr style=\"text-align: left; width: 30%; height: 3px; color: #ffa300; background-color: #ffa300; border: none;\"\/>\n<p style=\"color: #454545; font-size: 18px; font-family: Open Sans; font-weight: 400; line-height: 1.7em;\">Defining use cases is frequently a source of confusion for teams that have acquired a SIEM and are looking for the right way to start the deployment. Specificity matters when establishing the use cases that will address the organization\u2019s most pressing security needs. Does the organization want to monitor user behavior? Does it want to watch for insider threats? Does it plan to hunt for threats by studying attacks reported elsewhere and then checking whether the same indicators or behaviors are present in its own environment? Each use case then dictates which data sources must be onboarded. If the use case is monitoring employee online behavior, for example, a plan is needed for ingesting login and logout activity, and that user-activity data must be captured and logged centrally in the SIEM. 
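<\/p>
<p style=\"color: #454545; font-size: 18px; font-family: Open Sans; font-weight: 400; line-height: 1.7em;\">The failed-login use case above, worked as detection logic, is an added example and not code from the article: it runs over constructed Windows Security events (Event ID 4625 failed logon, 4624 successful logon) supplied as JSON lines, counts failures per source IP in a sliding window, labels the pattern with the ATT&amp;CK brute-force sub-technique (one account versus many), and escalates to a high-fidelity alert when a success follows the failures. The field names, the five-failure threshold, the five-minute window, and the sample events are assumptions for illustration.<\/p>

```python
"""Added example: the "alerting on multiple failed login attempts" use case as
detection logic over Windows Security events (Event ID 4625 = failed logon,
4624 = successful logon). The sample events below are constructed for this
example; they are not data from the article."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed JSON-lines sample, shaped like the fields a SIEM extracts from
# the Windows Security log. IpAddress "-" marks a local (non-network) logon.
SAMPLE_EVENTS = """
{"TimeCreated": "2022-12-15T09:00:01", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5"}
{"TimeCreated": "2022-12-15T09:00:05", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5"}
{"TimeCreated": "2022-12-15T09:00:09", "EventID": 4625, "TargetUserName": "bob",   "IpAddress": "10.0.0.9"}
{"TimeCreated": "2022-12-15T09:00:12", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5"}
{"TimeCreated": "2022-12-15T09:00:20", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5"}
{"TimeCreated": "2022-12-15T09:00:31", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5"}
{"TimeCreated": "2022-12-15T09:00:40", "EventID": 4625, "TargetUserName": "carol", "IpAddress": "-"}
{"TimeCreated": "2022-12-15T09:00:44", "EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.5"}
{"TimeCreated": "2022-12-15T09:01:00", "EventID": 4625, "TargetUserName": "bob",   "IpAddress": "10.0.0.9"}
{"TimeCreated": "2022-12-15T09:02:00", "EventID": 4625, "TargetUserName": "dave",  "IpAddress": "203.0.113.7"}
{"TimeCreated": "2022-12-15T09:02:03", "EventID": 4625, "TargetUserName": "erin",  "IpAddress": "203.0.113.7"}
{"TimeCreated": "2022-12-15T09:02:06", "EventID": 4625, "TargetUserName": "frank", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2022-12-15T09:02:09", "EventID": 4625, "TargetUserName": "grace", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2022-12-15T09:02:12", "EventID": 4625, "TargetUserName": "heidi", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2022-12-15T09:20:00", "EventID": 4624, "TargetUserName": "bob",   "IpAddress": "10.0.0.9"}
"""


def parse_events(text):
    """Parse JSON-lines events and sort by time (collectors deliver out of order)."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    events.sort(key=lambda r: r["TimeCreated"])
    return events


def detect_failed_logons(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window correlation keyed on source IP.

    brute_force          >= threshold 4625 events from one IP inside `window`
                         (T1110.001 password guessing when aimed at one account,
                         T1110.003 password spraying when spread over many)
    brute_force_success  a 4624 from that IP while the window still holds
                         >= threshold failures: the high-fidelity alert
    brute_force alerts are deduplicated per IP per window so a long attack does
    not produce one alert per event (the alert-fatigue problem).
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) for 4625s
    last_alert = {}               # ip -> time of the last brute_force alert
    alerts = []
    for ev in events:
        ip, ts = ev.get("IpAddress"), ev["TimeCreated"]
        if ip in (None, "-", "127.0.0.1", "::1"):
            continue  # local/service logons are noise for a network brute-force rule
        q = recent[ip]
        while q and ts - q[0][0] > window:
            q.popleft()  # expire failures that fell out of the window
        if ev["EventID"] == 4625:
            q.append((ts, ev["TargetUserName"]))
            users = {u for _, u in q}
            if len(q) >= threshold and (ip not in last_alert or ts - last_alert[ip] > window):
                last_alert[ip] = ts
                alerts.append({
                    "rule": "brute_force", "ip": ip, "count": len(q),
                    "distinct_users": len(users),
                    "technique": "T1110.003" if len(users) >= 3 else "T1110.001",
                    "time": ts.isoformat(),
                })
        elif ev["EventID"] == 4624 and len(q) >= threshold:
            alerts.append({
                "rule": "brute_force_success", "ip": ip,
                "user": ev["TargetUserName"], "failures_before": len(q),
                "time": ts.isoformat(),
            })
            q.clear()  # the success closes this attack window
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logons(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

<p style=\"color: #454545; font-size: 18px; font-family: Open Sans; font-weight: 400; line-height: 1.7em;\">Two production details the sample leaves out: real 4625 events carry a SubStatus code (0xC000006A wrong password, 0xC0000064 unknown user, 0xC0000234 locked out) that separates guessing from typos and lockouts, and the per-IP key should be complemented by a per-account key so that a distributed attack on one account is not missed.<\/p>
<p style=\"color: #454545; font-size: 18px; font-family: Open Sans; font-weight: 400; line-height: 1.7em;\">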
If the use case is threat intelligence, it will be necessary to ingest data from firewalls and network devices and to correlate it against threat-intelligence feeds.<\/p>\n<p>\u00a0<\/p>\n<p style=\"color: #454545; font-size: 18px; font-family: Open Sans; font-weight: 400; line-height: 1.7em;\">Often, organizations are trying to recover from a failed deployment attempt. To do so, define what matters to the business so that use cases can be prioritized and implemented in that order. Consider the following potential areas of need:<\/p>\n<ul style=\"padding-left: 5%; color: #454545; font-size: 18px; font-family: Open Sans; font-weight: 400; line-height: 1.7em; list-style-image: url('https:\/\/ieeecs-media.computer.org\/wp-media\/2021\/11\/17161248\/Icon_Right-Double-Arrow.png');\">\n<li><i>Real-time security monitoring and analysis.<\/i> To detect and respond to threats in real time, gather data from user devices, applications, and identities across platforms. Monitor that diverse set of sources and build detection rules over the combined dataset so that ongoing threat activity can be visualized as it happens.<\/li>\n<li><i>Cloud security.<\/i> Most digital initiatives and modern applications are now cloud-native. Securing data in the cloud has become an organizational responsibility, and the SIEM must be able to detect and respond to threats across on-premises, hybrid, and multi-cloud environments, which means onboarding the cloud providers\u2019 audit and control-plane logs alongside traditional sources.<\/li>\n<li><i>Enhanced incident response capabilities.<\/i> Incident response workflows can be built and customized around the SIEM as the center of security operations. 
It makes sense to use its capabilities to the fullest: event aggregation, context-based alerting, alert fidelity scoring for triage, and integration with third-party systems such as ticketing, automation, and collaboration tools. These capabilities, present in any modern SIEM, improve the team\u2019s ability to respond to incidents.<\/li>\n<li><i>Leveraging threat intelligence.<\/i> Indicators of compromise (IOCs) from threat-intelligence feeds can be matched directly against ingested events, while frameworks such as MITRE ATT&amp;CK\u00ae supply a shared vocabulary of adversary tactics and techniques that simplifies detecting abnormal behavior rather than only known-bad indicators. With threat intelligence being consumed, the security team has the information needed to scope an attack, assess the risks, and weigh their impact.<\/li>\n<li><i>Leveraging forensics and threat hunting.<\/i> This is a must-have strategy. According to a 2021 report by the International Data Corporation, the growing number of alerts from potential or actual threats and breaches has created a cycle of \u201calert fatigue\u201d that raises costs for many organizations as staff become numb to the stream of alerts. The result is slower response to critical alerts, or alerts missed altogether, along with unnecessary stress and burnout in IT departments. Low-value alerts can be suppressed by correlating individual events against a kill chain or adversary tactics instead of alerting on each in isolation. 
Adding context (asset criticality, user role, threat intelligence) and attributing risk scores to entities helps hunt threats, reduces alert volume, raises alert fidelity, and frees analyst time for the more sophisticated threats.<\/li>\n<li><i>Insider threat detection and other advanced threats.<\/i> Most SIEMs ship with content for well-known threats, but continuous adaptation is needed for unknown or advanced ones: insider threats, zero-day attacks, laterally moving malware, compromised accounts, and anomalously high volumes of API calls. SIEM deployments must mature over time, evolving to use behavioral analytics, endpoint detection and response telemetry, and machine learning to detect modern threats.<\/li>\n<li><i>Compliance measures.<\/i> SIEM tools are designed to consume data across the entire security and technology stack. The same data can serve other teams, including privacy, fraud, and risk management, each of which needs different views and processes over it to demonstrate compliance. A sound SIEM strategy should unify the three pillars of compliance (processes, technology, and people) and provide visibility across all of them.<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<h2 style=\"color: #002855; font-size: 24px; font-family: Montserrat; font-weight: 500; line-height: 29px;\">SIEM challenges and misconceptions<\/h2>\n<hr style=\"text-align: left; width: 30%; height: 3px; color: #ffa300; background-color: #ffa300; border: none;\"\/>\n<p style=\"color: #454545; font-size: 18px; font-family: Open Sans; font-weight: 400; line-height: 1.7em;\">Some SIEM challenges are real and some are perceived. The real ones include a lack of budget to acquire a SIEM, a lack of staff to operate it, and a lack of processes or an established framework for handling deployment and network complexity. 
The perceived ones include two opposite fallacies: that a SIEM is \u201cjust another way of conducting log management,\u201d or that it \u201ccan solve every security challenge.\u201d Log management is indeed a central function of a SIEM, but it is only one feature. If the organization\u2019s only requirement is to store, aggregate, and manage logs, the cost of a SIEM is hard to justify. That said, the notion that a SIEM is \u201ctoo expensive\u201d or \u201ctoo complex\u201d is equally unfounded. Much of the complexity that defeats organizations can be tamed by refining use cases into a roadmap for adoption and data ingestion.<\/p>\n<p>\u00a0<\/p>\n<h2 style=\"color: #002855; font-size: 24px; font-family: Montserrat; font-weight: 500; line-height: 29px;\">The growing importance of SIEM<\/h2>\n<hr style=\"text-align: left; width: 30%; height: 3px; color: #ffa300; background-color: #ffa300; border: none;\"\/>\n<p style=\"color: #454545; font-size: 18px; font-family: Open Sans; font-weight: 400; line-height: 1.7em;\">At its core, a SIEM program is a cycle of continuous improvement. Security operations centers should invest in a SIEM to streamline visibility across the organization\u2019s environments, to investigate log data when responding to cyberattacks and data breaches, and to meet local and federal compliance mandates. Frameworks that can guide the deployment and maintenance of a SIEM include those from the National Institute of Standards and Technology, the Center for Internet Security, MITRE ATT&amp;CK\u00ae, and the Lockheed Martin Cyber Kill Chain. Data sources to consider when building a security monitoring program include endpoint, application, network, identity, and cloud telemetry. 
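<\/p>
<p style=\"color: #454545; font-size: 18px; font-family: Open Sans; font-weight: 400; line-height: 1.7em;\">The risk attribution described in the threat-hunting item above, built on the ATT&amp;CK and kill-chain frameworks just listed, as an added example that is not code from the article or from any vendor product: individual low-fidelity detections are mapped to ATT&amp;CK tactics, scored per entity inside a time window with an asset-criticality weight, and only an entity whose accumulated risk crosses a threshold across more than one tactic raises an alert; everything below that becomes a ranked hunt lead instead of being discarded. The rule catalog, scores, asset weights, window, threshold, and detection hits are all constructed assumptions.<\/p>

```python
"""Added example: risk-based alerting. Low-fidelity detections are mapped to
MITRE ATT&CK tactics and scored per entity; an alert fires only when the
accumulated risk crosses a threshold and spans more than one tactic. Rules,
scores, asset weights, and hits below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed context: asset-criticality multipliers, the kind of enrichment a
# SIEM pulls from a CMDB or identity store. Unknown entities get 1.0.
ASSET_WEIGHT = {"DC01": 3.0, "svc_backup": 2.0}

# Constructed rule catalog: rule -> (ATT&CK tactic, technique, base risk).
# Each rule alone is too noisy to page on; together they tell a story.
RULES = {
    "office_spawns_shell": ("Execution",           "T1204.002", 20),
    "new_scheduled_task":  ("Persistence",         "T1053.005", 15),
    "lsass_access":        ("Credential Access",   "T1003.001", 30),
    "admin_share_logon":   ("Lateral Movement",    "T1021.002", 20),
    "rare_dns_domain":     ("Command and Control", "T1071.004", 10),
    "net_group_enum":      ("Discovery",           "T1087.002", 5),
}

# Kill-chain order, used to present an entity's tactics as a progression.
TACTIC_ORDER = ["Initial Access", "Execution", "Persistence", "Privilege Escalation",
                "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
                "Collection", "Command and Control", "Exfiltration", "Impact"]

# Constructed detection hits: (time, entity, rule).
SAMPLE_HITS = [
    ("2022-12-15T10:00:00", "WS-042", "office_spawns_shell"),
    ("2022-12-15T10:03:00", "WS-042", "new_scheduled_task"),
    ("2022-12-15T10:05:00", "WS-042", "rare_dns_domain"),
    ("2022-12-15T10:30:00", "WS-042", "lsass_access"),
    ("2022-12-15T10:10:00", "WS-017", "net_group_enum"),   # an admin running
    ("2022-12-15T10:11:00", "WS-017", "net_group_enum"),   # net commands:
    ("2022-12-15T10:12:00", "WS-017", "net_group_enum"),   # noisy, one tactic
    ("2022-12-15T10:13:00", "WS-017", "net_group_enum"),
    ("2022-12-15T11:00:00", "DC01",   "lsass_access"),
    ("2022-12-15T11:02:00", "DC01",   "admin_share_logon"),
    ("2022-12-15T14:00:00", "WS-099", "lsass_access"),     # single, uncorroborated
]


def score_entities(hits, window=timedelta(hours=24), threshold=60, min_tactics=2):
    """Return (alerts, leads). An entity alerts once when the risk accumulated
    inside one `window` reaches `threshold` across at least `min_tactics`
    tactics; everything else is returned as a ranked hunt lead, not dropped."""
    by_entity = defaultdict(list)
    for t, entity, rule in hits:
        by_entity[entity].append((datetime.fromisoformat(t), rule))
    alerts, leads = [], []
    for entity, evs in sorted(by_entity.items()):
        evs.sort()
        weight = ASSET_WEIGHT.get(entity, 1.0)
        start, fired, best = 0, False, (0.0, set())
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:
                start += 1  # slide the window past stale hits
            win = evs[start:end + 1]
            tactics = {RULES[r][0] for _, r in win}
            # Repeats of one tactic count once (the max score in that tactic):
            # four discovery hits are still only discovery. This is the
            # suppression step that removes scanner-style noise.
            score = weight * sum(max(RULES[r][2] for _, r in win if RULES[r][0] == t)
                                 for t in tactics)
            if score > best[0]:
                best = (score, tactics)
            if not fired and score >= threshold and len(tactics) >= min_tactics:
                fired = True
                alerts.append({"entity": entity, "score": score, "time": ts.isoformat(),
                               "tactics": sorted(tactics, key=TACTIC_ORDER.index),
                               "hits": len(win)})
        if not fired:
            leads.append({"entity": entity, "score": best[0],
                          "tactics": sorted(best[1], key=TACTIC_ORDER.index)})
    leads.sort(key=lambda lead: -lead["score"])
    return alerts, leads


if __name__ == "__main__":
    found, queue = score_entities(SAMPLE_HITS)
    for a in found:
        print("ALERT", a)
    for lead in queue:
        print("LEAD ", lead)
```

<p style=\"color: #454545; font-size: 18px; font-family: Open Sans; font-weight: 400; line-height: 1.7em;\">Counting repeats of one tactic only once is the suppression step: the four discovery hits on WS-017 collapse to a single low score, while four different tactics on WS-042 and two on a domain controller page an analyst. Thresholds and weights are tuned against the organization\u2019s own alert volumes, and leads under threshold feed the hunting queue rather than the bin.<\/p>
<p style=\"color: #454545; font-size: 18px; font-family: Open Sans; font-weight: 400; line-height: 1.7em;\">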
Whether investing in a SIEM for the first time or recovering from a failed deployment, organizations can begin by defining use cases in the business context and building a data onboarding process. From there, an effective security strategy follows.<\/p>\n<p>\u00a0<\/p>\n<h2 style=\"color: #002855; font-size: 24px; font-family: Montserrat; font-weight: 500; line-height: 29px;\">About the Writer<\/h2>\n<hr style=\"text-align: left; width: 30%; height: 3px; color: #ffa300; background-color: #ffa300; border: none;\"\/>\n<p style=\"color: #454545; font-size: 18px; font-family: Open Sans; font-weight: 400; line-height: 1.7em;\">Jayant Kripalani is a cybersecurity professional with 20 years\u2019 experience working for global security companies such as Splunk, Cisco, Rapid7, and Wipro. He holds a bachelor\u2019s degree in Computer Engineering in addition to multiple industry certifications. He has worked extensively with SOC teams and currently specializes in cybersecurity strategy and consulting. For further information, contact: kripalani.jayant@gmail.com.<\/p>\n<p>\u00a0<\/p>\n<div style=\"background-color: #d4f1f4; padding: 15px 15px 10px 15px;\">\n<p style=\"color: #454545; font-size: 18px; line-height: 1.7em;\"><strong>Disclaimer:<\/strong> The author is completely responsible for the content of this article. 
The opinions expressed are their own and do not represent IEEE\u2019s position nor that of the Computer Society nor its Leadership.<\/p>\n<\/div><\/div>\n<p><a href=\"https:\/\/www.computer.org\/publications\/tech-news\/trends\/advancing-an-organizations-siem\/\">Source link<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the most valuable tools security professionals use is Security Information and Event Management (SIEM), which combines event&hellip;<\/p>\n","protected":false},"author":1,"featured_media":494,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[456,19,457,2],"tags":[],"class_list":["post-493","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-compliance","category-security","category-siem","category-tech-news-post"],"_links":{"self":[{"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/posts\/493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/comments?post=493"}],"version-history":[{"count":0,"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/posts\/493\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/media\/494"}],"wp:attachment":[{"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/media?parent=493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/categories?post=493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/
tags?post=493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}