Authors: Eric Itangata and Mike Daniels
A Security Information and Event Manager (SIEM) is, in the traditional sense, used for central log storage. It provides a central location for an organization to review logs from disparate systems and to retain those logs per the organization's compliance needs. The purposes of a SIEM can vary, but at its core its main purpose is log review, storage, and meeting regulatory compliance. Out of the box, a SIEM immediately provides value for identifying security risks, malicious activity, and even system misconfigurations within the organization's environment.
SIEMs fail to meet some organizations’ expectations
However, many organizations deploying a SIEM fail to get more than the initial out-of-the-box value and end up having a negative experience with the platform. In most of these cases, the issue does not stem from the SIEM itself but from a lack of proper planning during the deployment, or from not having skilled and knowledgeable IT staff to maintain the SIEM. This is why many organizations outsource their SIEM administration and tuning to a third-party Security Operations Center that has the expert staff to properly manage it.
Some organizations view the SIEM as a "Magic Box." They assume that the SIEM is an artificial intelligence (AI) system into which logs are collected and that it will automatically detect true-positive security incidents with absolute accuracy and consistency. While some SIEM technologies make use of AI, it still should not be assumed that the SIEM is a set-and-forget system. Collecting log data is one advantage of a SIEM, but having that data provide relevant information is the true value-add. The reality is that a SIEM is far from static: it is an evolving ecosystem that requires continuous care and feeding to ensure it keeps providing value to the organization. That ongoing value is realized by proper tuning.
Tune a SIEM to match the organization’s needs
SIEM tuning is the process of curating the data being received to identify security risks, failures of systems or controls, compliance needs, and archival needs for an organization. Each organization is unique and has different exposure to security threats. A SIEM should be tuned to help identify when the security controls in place for the organization are failing or need to be adjusted. SIEM tuning matters because it lets the organization get the best value out of the SIEM as one tool in its arsenal of defensive cybersecurity tools.
Tuning the SIEM requires knowledge of your user audience and a good understanding of what this audience needs or requires as output from the SIEM.
Consider your key audience:
- Information Security (IS) Team/Department
- Security Operations Center (SOC) Analysts
- System/Network administrators
Other tertiary groups like internal auditors, human resources, and management may utilize the SIEM at lower levels but their needs are often met if tuning has addressed the needs of the previously mentioned key audience groups. Appropriate SIEM tuning helps these groups be more efficient, get the data they need and respond to incidents promptly.
When to tune a SIEM
The tuning review process should be part of the initial setup of the SIEM. Never assume the rule or alert configurations are valid as-is and that nothing needs to be changed. This is a common misunderstanding (the Magic Box scenario), because the default configurations are usually written to suit a wide or general user base. So, without tuning to your unique environment, you may be correlating against rules that constantly fire false positives: the log event type matches the rule's detection syntax, for example, but the log source is not the one the detection was written for.
Tuning out of the box is essential in preparing the SIEM to better understand your organization's environment. Asset categorization and network hierarchy configurations are key areas that tend to be overlooked. Because these change constantly within your organization, keeping the SIEM configured with this information is an important aspect of tuning. This information enables your security teams to identify affected hosts and which networks they belong to, tag alarms/alerts appropriately, and communicate the detected incidents correctly.
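The two tuning points above (a rule that matches on event type but fires from the wrong log source, and enrichment from asset categorization and network hierarchy) can be shown with a small rule evaluator. This is an added illustration, not code from the original post or from any SIEM product; the events, host names, asset categories, and CIDR ranges are constructed for the example.

```python
import ipaddress

# Constructed sample events (not from the original post). The web server emits
# "auth_failure" for its own health checks, so a rule keyed on event type alone fires on them.
EVENTS = [
    {"source": "dc01", "event_type": "auth_failure", "src_ip": "10.10.1.25", "user": "alice"},
    {"source": "vpn01", "event_type": "auth_failure", "src_ip": "203.0.113.7", "user": "bob"},
    {"source": "web01", "event_type": "auth_failure", "src_ip": "10.20.3.4", "user": "healthcheck"},
    {"source": "web01", "event_type": "auth_failure", "src_ip": "10.20.3.4", "user": "healthcheck"},
    {"source": "dc01", "event_type": "logon", "src_ip": "10.10.1.30", "user": "carol"},
]

# Hypothetical asset categorization and network hierarchy for the organization.
ASSET_CATEGORY = {"dc01": "identity", "vpn01": "remote-access", "web01": "public-web"}
NETWORK_HIERARCHY = {"10.10.0.0/16": "corp-lan", "10.20.0.0/16": "dmz"}

def network_for(ip: str) -> str:
    """Map an address to its named network, or 'external' if no CIDR matches."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in NETWORK_HIERARCHY.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "external"

def enrich(event: dict) -> dict:
    # Tag the event with asset category and network so an alert names the host and its network.
    return {**event,
            "asset_category": ASSET_CATEGORY.get(event["source"], "uncategorized"),
            "network": network_for(event["src_ip"])}

# Default rule as shipped: matches the event type from any log source.
UNTUNED_RULE = {"name": "auth failure", "event_type": "auth_failure"}
# Tuned rule: same detection, scoped to the sources where the event is meaningful.
TUNED_RULE = {"name": "auth failure", "event_type": "auth_failure",
              "sources": {"dc01", "vpn01"}}

def evaluate(rule: dict, events: list) -> list:
    """Return enriched alerts for events matching the rule's type and source scope."""
    alerts = []
    for event in events:
        if event["event_type"] != rule["event_type"]:
            continue
        if "sources" in rule and event["source"] not in rule["sources"]:
            continue
        alerts.append(enrich(event))
    return alerts

if __name__ == "__main__":
    for rule in (UNTUNED_RULE, TUNED_RULE):
        print(rule.get("sources", "any source"), len(evaluate(rule, EVENTS)), "alerts")
```

The untuned rule raises four alerts, two of them health-check noise from the web server; the tuned rule raises two, each tagged with the asset category and network an analyst needs to communicate the incident.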
Tuning a SIEM is not a one-time thing
There are multiple other reasons why SIEM tuning is important, and these will be covered in future blog posts. An initial focus on the organization's uniqueness (security exposure), the audience (who will consume SIEM data), assets, and network hierarchy sets the foundation for a successful SIEM platform that will produce the best value for the organization.
Keep in mind that tuning is not a one-time thing and requires continuous evaluation, because the log data and the organizational network are dynamic. The SIEM is not meant to be a set-it-and-forget-it system; it is an ongoing security process and practice. If you lack the staff and expertise to properly tune and monitor your SIEM, seek the assistance of a vendor that specializes in SIEM management.