Implementing a SIEM, or rather, Building a Programme
CyRise Elevate recently met to discuss SIEMs: Security Information and Event Management. The discussion was led by Bill Mahony, Head of Cyber Security for Athena Home Loans, who like a true security leader, considers SIEMs “a topic near and dear to my heart”.
Here’s Bill’s summary from the brains trust:
What is a SIEM?
What is a SIEM? And why do you want one?
For anyone working in cybersecurity, SIEMs are an essential tool for managing potential cyber threats. Put simply: you feed in data from your systems, the SIEM looks for evidence that bad things are happening, and it generates alerts for someone to investigate.
Put less simply, NIST Special Publication 800-128 defines a “SIEM Tool” as:
“An application that provides the ability to gather security data from information system components and present that data as actionable information via a single interface.”
To me, I interpret this as: a system (or number of systems) that collect(s) event logs, audit trails and other information sources, which are then used to monitor the integrity of an organisation from a security perspective.
Typically, organisations either set up and maintain software products to do this, or contract a third party to set up and run one for them (a “Managed SIEM”, or a Managed Security Service Provider).
Either way, the main goal is to detect security threats and/or malicious behaviour before it can cause negative impact, or at least minimise that impact. A SIEM is also intended to be used as part of incident management, to piece together what happened historically on your systems.
But wait, there’s more!
Regardless of whether you decide to set up your own SIEM or enlist the help of a service provider, the most important thing about SIEMs is:
“Having a SIEM” doesn’t mean you’ve achieved your cybersecurity goals.
Even if you have a tool or service to help you, you’ll still need some important procedures in place to maintain a decent level of cyber hygiene:
- Good logging and event management practices. Getting sufficient, timely, quality event logs into a SIEM is key to success, and this can be trickier than it sounds. And don’t forget retention management – how long you keep the data for, which determines how far back an investigation can look.
- Ongoing management of the criteria used to define what “bad” looks like in your event data. These detection rules need to be fine-tuned over time: adapting as threats change, and adjusting thresholds so that alerts stay actionable rather than drowning the team in false positives.
- A process to handle investigation of alerts and events of interest that come out of the platform, in the context of how your business operates. This almost always requires people who have some level of skill and training.
If no one is effectively investigating and responding to your SIEM alerts, you’re wasting time and money. Unactioned alerts do nothing to protect you from security threats!
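To make the “feed data in, look for bad, raise an alert” loop and the tuning point concrete, here is an added example that is not from the original post or from any SIEM product. It ingests a handful of constructed SSH authentication log lines (not real logs), normalises them into events, and runs a single brute-force detection rule whose threshold and time window are the tunable “what bad looks like” criteria. Every name in it (parse_events, detect_brute_force, the sample IPs and users) is an assumption for illustration only.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a syslog-like format (illustrative only, not real logs).
# 203.0.113.5 fails five times in ten seconds and then succeeds; 198.51.100.7 is a
# user who mistypes once; the cron line is noise the rule should ignore.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z sshd[101]: Failed password for admin from 203.0.113.5 port 5001
2024-03-01T09:00:03Z sshd[101]: Failed password for admin from 203.0.113.5 port 5002
2024-03-01T09:00:04Z sshd[101]: Failed password for root from 203.0.113.5 port 5003
2024-03-01T09:00:06Z sshd[101]: Failed password for admin from 203.0.113.5 port 5004
2024-03-01T09:00:08Z sshd[101]: Failed password for admin from 203.0.113.5 port 5005
2024-03-01T09:00:10Z sshd[101]: Accepted password for admin from 203.0.113.5 port 5006
2024-03-01T09:05:00Z sshd[102]: Failed password for alice from 198.51.100.7 port 6001
2024-03-01T09:05:30Z sshd[102]: Accepted password for alice from 198.51.100.7 port 6002
2024-03-01T09:10:00Z cron[200]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Only authentication outcomes are parsed; everything else is dropped at ingestion.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\w+)\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_events(text):
    """Normalise raw log lines into structured events (the 'feed data in' step)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines this rule does not understand are skipped, not alerted on
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": m["src"],
            "success": m["outcome"] == "Accepted",
        })
    return events


def detect_brute_force(events, threshold=5, window_seconds=60):
    """Alert when a source IP accumulates `threshold` failed logins inside
    `window_seconds` and then logs in successfully (the 'look for bad' step).

    `threshold` and `window_seconds` are the tunable criteria: set them too low and
    every user who mistypes a password becomes an alert nobody will investigate.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # src IP -> timestamps of failures in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        window = recent_failures[ev["src"]]
        # Drop failures that have aged out of the sliding window.
        while window and ev["ts"] - window[0] > timedelta(seconds=window_seconds):
            window.popleft()
        if not ev["success"]:
            window.append(ev["ts"])
        elif len(window) >= threshold:
            alerts.append({
                "rule": "ssh_brute_force_then_success",
                "src": ev["src"],
                "user": ev["user"],
                "failed_attempts": len(window),
                "first_failure": window[0].isoformat(),
                "success_at": ev["ts"].isoformat(),
            })
            window.clear()
    return alerts


def run(text, **rule_params):
    """Ingest, detect, and return the alerts that would go to an analyst queue."""
    return detect_brute_force(parse_events(text), **rule_params)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

With the default threshold of five failures in sixty seconds, only the 203.0.113.5 sequence produces an alert; alice's single typo does not. Rerun it with `run(SAMPLE_LOGS, threshold=1)` and alice's login becomes a second alert, which is exactly the kind of noise that, left untuned, turns a SIEM into a stream of unactioned alerts.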
Ok great, that’s what it is. But why would I want one?
In short: a well-managed SIEM, backed by effective people and processes, can be the cornerstone of a successful security management programme.
If done right, SIEM can provide:
- An early warning system that minimises the impact of threats, by providing the data required to effectively contain and eradicate them from your environment.
- Insights into the nature and scale of threats either active in, or targeting, your organisation, and the efficacy of your controls against them.
- Invaluable visibility and metrics, which can be used to measure the current state of your security posture and to prioritise your efforts where they have the biggest positive impact on that posture.
To paraphrase Peter Drucker, “you can’t improve what you can’t measure”!
This topic is a big one, and even during this CyRise Elevate collective, we only just barely scratched the surface.
But if there’s only one thing you take from this post, I hope it’s that SIEMs aren’t a cure-all. They must be part of an overall programme to be truly effective. It’s not something you can simply purchase and forget about.
But, if you do it well, it can be a huge part of your security capability.
CyRise Elevate is our membership and development program for ambitious cybersecurity leaders. We’re currently recruiting members for our new CyRise Elevate tribes for GRC and technical security leaders and have limited spots available in our CyRise Elevate tribes for senior security leaders in scale-up organisations.
If you know an ambitious security leader you think might be a good fit, we’d love to meet them. For our new tribes, the perfect candidate is someone who has strategic responsibilities and (probably) reports to the CISO or the Head of Information Security. Is that you or someone you know? Send us an email at [email protected] and we can send you some more information.