
What is a SIEM, and do I need one?

Implementing a SIEM, or rather, Building a Programme

CyRise Elevate recently met to discuss SIEMs: Security Information and Event Management. The discussion was led by Bill Mahony, Head of Cyber Security for Athena Home Loans, who like a true security leader, considers SIEMs “a topic near and dear to my heart”.

Here’s Bill’s summary from the brains trust:

What is a SIEM?

What is a SIEM? And why do you want one?

For anyone working in cybersecurity, SIEMs are an essential tool for managing potential cyber threats. Put simplistically: you feed data in from your systems, the SIEM looks for evidence that bad stuff is happening, and then it generates alerts for someone to investigate.

Put less simply, NIST Special Publication 800-128 defines a “SIEM Tool” as:

“An application that provides the ability to gather security data from information system components and present that data as actionable information via a single interface.”

I interpret this as: a system (or number of systems) that collects event logs, audit trails and other information sources, which are then used to monitor the integrity of an organisation from a security perspective.

Typically, organisations either set up and maintain software products to do this, or contract a third party to set up and run one for them (“Managed SIEM” or a Managed Security Service Provider).

Either way, the main goal is to detect security threats and/or malicious behaviour before it can cause negative impact, or at least minimise that impact. A SIEM is also intended to be used as part of incident management, to piece together what happened historically on your systems.

But wait, there’s more!

Regardless of whether you decide to set up your own SIEM or enlist the help of a service provider, the most important thing about SIEMs is:

“Having a SIEM” doesn’t mean you’ve achieved your cybersecurity goals.

Even if you have a tool or service to help you, you’ll still need some important procedures in place to maintain a decent level of cyber hygiene:

  1. Good logging and event management practices. Getting sufficient, timely, quality event logs into a SIEM is key to success, and this can be trickier than it sounds. And don’t forget retention management – or how long you keep data for!
  2. Ongoing management of the criteria used to define what “bad” looks like in your event data. These need to be fine-tuned over time, adapting techniques as security threats change.
  3. A process to handle investigation of alerts and events of interest that come out of the platform, in the context of how your business operates. This almost always requires people who have some level of skill and training.

If no one is effectively investigating and responding to your SIEM alerts, you’re wasting time and money. Unactioned alerts do nothing to protect you from security threats!
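As an added illustration of those three procedures (this is not Bill’s code or any product’s), the Python sketch below parses constructed sample log lines, applies a retention window, and runs one tunable detection rule that raises an alert for a person to investigate; the hostnames, users, addresses and the rule threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log lines (syslog-like); not from any real system.
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z host=vpn01 user=alice src=203.0.113.7 action=login result=failure
2024-05-01T09:00:04Z host=vpn01 user=alice src=203.0.113.7 action=login result=failure
2024-05-01T09:00:07Z host=vpn01 user=alice src=203.0.113.7 action=login result=failure
2024-05-01T09:00:20Z host=vpn01 user=alice src=203.0.113.7 action=login result=success
2024-05-01T09:01:00Z kernel: eth0 link is up
2024-05-01T09:15:00Z host=vpn01 user=bob src=198.51.100.2 action=login result=failure
2024-05-01T09:30:00Z host=vpn01 user=bob src=198.51.100.2 action=login result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$"
)

def parse_events(text):
    """Step 1 (logging): normalise raw lines into events and count what could not be parsed."""
    events, dropped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            dropped += 1  # a rising drop count means your log quality is slipping
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events, dropped

def apply_retention(events, now, keep=timedelta(days=90)):
    """Step 1 (retention): keep only events younger than the retention period."""
    return [ev for ev in events if now - ev["ts"] <= keep]

def detect_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Step 2 (criteria): at least `threshold` failed logins for one user+source inside `window`,
    followed by a success. Each alert returned is Step 3: something a person must investigate."""
    alerts, failures = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "failure":  # keep only failures still inside the sliding window
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window] + [ev["ts"]]
        elif ev["result"] == "success":
            if len(failures[key]) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "user": ev["user"], "src": ev["src"],
                               "failures": len(failures[key]), "at": ev["ts"].isoformat()})
            failures[key].clear()
    return alerts
```

Tuning `threshold` and `window` against your own traffic is the ongoing work point 2 describes; the unparsed kernel line shows why point 1 needs a drop count rather than silent discards.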

OK, great, that’s what it is. But why would I want one?

In short: a well-managed SIEM, along with effective people and processes in support, can provide the key to a successful security management programme.

How?

If done right, a SIEM can provide:

  • An early warning system that minimises the impact of threats, by providing the data required to effectively contain and eradicate them from your environment.
  • Insights into the nature and scale of threats either active in, or targeting, your organisation, and the efficacy of your controls against them.
  • Invaluable visibility and metrics that can be used to measure the current state of your security posture and prioritise your efforts where they have the biggest positive impact on that posture.

To paraphrase Peter Drucker, “you can’t improve what you can’t measure”!

In closing

This topic is a big one, and even during this CyRise Elevate collective, we only just barely scratched the surface.

But if there’s only one thing you take from this post, I hope it’s that SIEMs aren’t a cure-all. They must be part of an overall programme to be truly effective. It’s not something you can simply purchase and forget about.

But, if you do it well, it can be a huge part of your security capability.


CyRise Elevate is our membership and development program for ambitious cybersecurity leaders. We’re currently recruiting members for our new CyRise Elevate tribes for GRC and technical security leaders and have limited spots available in our CyRise Elevate tribes for senior security leaders in scale-up organisations.

If you know an ambitious security leader you think might be a good fit, we’d love to meet them. For our new tribes, the perfect candidate is someone who has strategic responsibilities and (probably) reports to the CISO or the Head of Information Security. Is that you or someone you know? Send us an email at [email protected] and we can send you some more information.

Hard Lessons Learned

Candid advice from Atlassian’s Security Chief

CyRise Elevate was joined by guest advisor and cybersecurity leader Dan Grzelak, Security Chief of Staff at Atlassian.

Grzelak made his mark as a Security Intelligence Manager, then Head of Security at Atlassian, helping to build it into an Australian success story. A startup founder in his own right, he is an advisor to a number of Australian startups, and a developer of open source security tools and research.

Dan candidly shared his most memorable ‘hard lessons learned’ from a career at one of Australia’s most impactful and iconic technology companies.


Think Bigger

For a long time, Grzelak thought he was achieving big things as Atlassian’s Head of Security. He’d successfully built a team, had a solid track record, and seemed to be meeting the expectations of customers.

Then, Atlassian recruited a new CISO, with a bigger vision for the security team.

“Adrian [Ludwig] had an unconstrained mindset. He pushed for the security team to double, and then double again. I realized I had been constraining my own vision for what we could achieve. Those artificial limitations weren’t helping the company or our customers, and the realization changed my whole perspective”.

Don’t try to just ‘meet’ expectations – a ‘value add’ CISO is thinking bigger.

Don’t just rebuild. See the opportunity.

As security leaders, we can’t always prevent adversity, but we can certainly choose how to respond. In January 2010, Google admitted they had been the victim of a cyber-attack; one which had given attackers sweeping access to users’ private Gmail accounts, amongst other sensitive data. Attackers had also stolen Google’s intellectual property, and a review of the incident revealed embarrassingly weak security in many of Google’s systems.

Daniel pointed out that instead of wallowing in their mistakes, Google used the failure as an opportunity to build one of the most secure platforms in the world; pioneering the Advanced Protection Program and launching a multi-million dollar bug bounty program within just a few months of the attack. Their security program remains a model many organizations aspire to today.

It’s important to move swiftly after a security incident, and enact reforms before the incident is forgotten!

Don’t #@!% the customer

Atlassian’s company values are refreshingly transparent and candid, and include ‘Open company, no bullshit’, ‘Be the change you seek’, and our personal favourite: ‘Don’t #@!% the customer’.

Daniel shared that ‘Don’t #@!% the customer’ has become a guide by which to quickly identify risks:

“Just ask yourself, ‘Will this #@!% the customer?’ before you proceed with an action, and you’ll drastically reduce the chance of releasing an insecure feature.”

This helps reduce the demands on Daniel’s security teams, as every staff member at Atlassian is mindful of creating secure products that won’t ‘#@!% the customer’ – ensuring cybersecurity is built into the design process, rather than being an afterthought.

Don’t overthink it

There’s an overwhelming number of new tools and systems available on the market, and you don’t always have time to agonize over which one is the ‘perfect’ fit. It can be tempting to hold off making a decision rather than take a risk, and Grzelak found the selection process for new tools was sometimes overlong. By the time a decision had been made to adopt a new product, the company’s needs had begun to change.

To keep up with the rapid pace of change, focus on staying flexible and adapting. When choosing a new tool, remember that products will come to the natural end of their life, and new tools will become available – so make your selection with the intent to iterate as needed. One choice isn’t going to make or break your security, but indecision can leave you unprotected.

The TL;DR –

Dan’s underlying message is that a great security leader thinks beyond their job description, and takes on the role of imagining what could be. Whether you’re in a time of ‘business as usual’, or are facing adversity, a security leader – like any great leader – is focused on pushing the business further.



CISOs Don’t (Just) Stop Breaches

Geoff Belknap

Three Things a Value-Add Security Leader Should Be Doing.

This month, CyRise Elevate was joined by guest advisor Geoff Belknap, CISO at LinkedIn.

Geoff has had an interesting career. Whilst he sits as cyber security chief for the world’s largest professional network – guarding the personal data of over half a billion users – he is also no stranger to the entrepreneurial hustle of building security teams from the ground up. He began his career at Palantir, before moving on to become Slack’s very first Chief Security Officer. He joined Slack just two years after the company was founded and hot on the heels of a major security incident. Geoff eventually joined LinkedIn in 2019 as CISO and VP of Engineering, and is also advisor to a number of startups and philanthropic organisations.

When peppered with questions from the CyRise Elevate membership, Belknap revealed what may be a non-obvious truth:

Whilst many security leaders may be seen as a handbrake on growth, true ‘value-add’ security leaders aren’t employed only to prevent security breaches.

So, what should a security leader be spending their time on?

According to Geoff, great security leaders should see themselves as supporting and growing the business.

Geoff himself had this realisation whilst working at Palantir:

“I thought that safety – making sure there are zero breaches – was my #1 job. It turns out, that’s not the case. My job was to help the business grow quickly and thrive”.

During our session, we managed to extract from Geoff three jobs that he thinks a CISO should *really* be focused on…

1. Risk Assessment

Sometimes, helping your company grow means taking risks.

A high-value security leader is adding value by articulating how improving security will help the business to grow. A great CISO provides advice on which risks their company should be taking, and why those are ‘good’ risks. This means staying laser-focused on the mission your business is trying to achieve, and acting as a translational layer between technology and business operations.

Bear in mind that no leader should take risks blindly. How you manage risk should be based on either compliance or your own ethics. If you’re fulfilling your regulatory and moral obligations, it’s probably an acceptable risk.

Remember, you’re not there to eliminate all risks. Sometimes, the best thing you can do to manage a known risk is do nothing.

“It’s not actually helpful to be Chicken Little, saying the sky is falling. Although it can be fun, it’s not actually useful to the business”, says Geoff.

2. Chief Storyteller

A Security Leader must tell the ‘security story’ of their company.

It is your job – and no one else’s – to build a corporate culture where the security team is seen as an essential part of closing deals. To do this, Geoff says you must relentlessly tell the security story at every opportunity, until every employee can articulate what the security team is doing. When you hear your story coming back from people, you’re getting close to the point where you can stop telling that story.

But until then – repeat that story!! Repeat! Repeat!

Be transparent

Belknap reiterated that telling your story means being transparent, a quality which can be difficult for any corporation. It is understandable that many companies don’t see the benefit in highlighting a security breach, but hiding it can damage trust:

“It is important for cloud providers — startup or not — to show that security is at the forefront”, says Belknap.

Belknap believes that cloud-based companies such as LinkedIn can only maintain their social licence to operate through radical transparency. A breach at any cloud service provider — even competitors — hits LinkedIn’s business. The public stigma attached to a security breach is often hard to shake.

“One of us being left insecure hurts everyone,” he said.

Communicate to your customers, too

What is the most valuable thing a security team can do? In Geoff’s opinion, the answer isn’t just preventing breaches – it includes implementing workflows for communicating to customers.

As a security leader, YOU are responsible for building customer trust.

“We all think security is important, but the business is important too – you have to find a path that is technically correct, and that also is good for the business. That’s also good for your customers”, says Belknap.

3. Business Ally

It is important that your company doesn’t see you as only the most technical person in the security team, or worse – a barrier to growth. The best security leaders help their company succeed, which means understanding the company’s finances, and the strategic role of security in the context of those figures. Put plainly – you must understand how your security function contributes to the business bottom line.

“So many times people in the security space forget that there are other people in the company where security is just not in the top five of the things that they are worried about. Do you really want the accountants to be thinking about security before they think about financials? No, you don’t”.

The TL;DR –

Geoff’s underlying message is that exceptional security leaders understand they’re not only there to prevent security breaches; they are there to help the business grow. The best cybersecurity leaders are able to articulate their role in terms of advancing business objectives, streamlining operations rather than stifling them, and building customer trust by transparently outlining how the company is keeping their data safe. LinkedIn grows by remaining secure, building trust, and having thoughtful systems in place that enable it to move quickly – a world-class model for any fast-growth company.

