Security Information and Event Management (SIEM) tools are an essential part of a modern enterprise’s information security program, but careful planning and implementation are required in order to get the most from a SIEM solution. In this blog post, we’ll look at what a SIEM tool can deliver for customers, how to get the most out of your SIEM deployment, and how Varonis can complement your SIEM tools.
SIEM: A Brief History
Today’s SIEM solutions combine what was once two distinct functions: Security Information Management (SIM) and Security Event Management (SEM). SIM products focused on long-term collection and storage of logs to spot trends, while SEM was more concerned with real-time monitoring and alerting of events. Over time, these product categories merged to provide both real-time and historical capabilities. Modern SIEM tools also incorporate a variety of other functions, from AI-driven analysis of threats to automated response and remediation.
What You Can Achieve with SIEM Tools
SIEM tools collect, correlate, and analyze log files from devices, applications, and endpoints. Depending on the information collected, SIEM can offer many capabilities, including:
Security Incident Detection
Incident detection is the classic use case for SIEM tools. By correlating log data from sources throughout the organization, a SIEM platform can detect many types of security incidents that might otherwise go unnoticed. An unusual uptick in network activity to a previously unknown destination, for example, could indicate an infection or data breach that was able to evade other defenses. Using SIEM, analysts can easily triage, investigate, and respond to threats from a single user interface, saving time and increasing operational efficiency.
Meeting Compliance Requirements
SIEM tools are an invaluable asset for organizations with special compliance requirements. Regulations such as HIPAA, GLBA, GDPR, and others commonly call for routine monitoring of logs from applications, endpoints, and infrastructure devices. For example, the HIPAA security rule requires a covered entity to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” This is a perfect use case for SIEM.
Many of these regulations also mandate lengthy data retention periods and the ability to demonstrate the effectiveness of implemented security controls. Again, SIEM tools excel in both areas. Most SIEM products can be configured to store data for a period of a year or more, though some vendors may charge extra for longer retention periods. The effectiveness of a particular security control can be demonstrated for auditors or regulators, and any gaps in compliance can easily be spotted and rectified.
Aiding Incident Response
In the immediate aftermath of a data breach, information is key. While a skilled incident responder can piece together the extent of a breach from forensic data on affected endpoints and network devices, the time it takes to do so will slow remediation efforts. SIEM tools can be of tremendous value throughout the entire incident response process. Being able to access, correlate, and analyze information from thousands of different log files across the organization allows responders to quickly evaluate the scope of an incident, take steps to contain any lingering threats, and make any appropriate disclosures to regulators or impacted parties.
SIEM tools are a great asset when proactively hunting for threats lurking within an organization. The rich level of detail and breadth of information offered by a SIEM solution allows analysts to search for suspicious activity that existing defenses missed. An analyst might look at unusual trends, hunt through logs in search of a known malicious IP address or file hash, or sift through data for signs of the Tactics, Techniques, and Procedures (TTPs) used by advanced cyber adversaries.
Many vendors support threat intelligence feeds, which contain Indicators of Compromise (IOCs) for the latest and most sophisticated cyber threats. While these may represent an additional cost, they can be beneficial to an organization concerned with Advanced Persistent Threats.
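The IOC hunt described above, sketched as an added example (not Varonis or vendor code): log lines from three sources are normalized into comparable observables and swept against a small indicator set. The log formats, addresses, domain, and hash are all constructed for illustration.

```python
import json
import re

# Constructed IOC feed (documentation IP range, .test domain, made-up hash).
IOCS = {
    "ip": {"203.0.113.77"},
    "domain": {"updates.example-cdn.test"},
    "sha256": {"a" * 64},
}

# Constructed log lines from three sources, each in its own (assumed) format.
LOGS = [
    ("firewall", "2024-05-01T10:00:03Z action=allow src=10.0.4.21 dst=198.51.100.10 dport=443"),
    ("firewall", "2024-05-01T10:02:41Z action=allow src=10.0.4.37 dst=203.0.113.77 dport=8443"),
    ("dns", "2024-05-01T10:02:39Z client 10.0.4.37 query: updates.example-cdn.test IN A"),
    ("dns", "2024-05-01T10:05:00Z client 10.0.4.21 query: intranet.example.test IN A"),
    ("edr", json.dumps({"ts": "2024-05-01T10:02:30Z", "host": "10.0.4.37",
                        "event": "process_start", "sha256": "A" * 64})),
]

DNS_RE = re.compile(r"client (\S+) query: (\S+) ")


def observables(source, line):
    """Yield (asset, ioc_type, value) tuples in a normalized form."""
    if source == "firewall":
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        yield fields["src"], "ip", fields["dst"]
    elif source == "dns":
        m = DNS_RE.search(line)
        if m:
            yield m.group(1), "domain", m.group(2).rstrip(".").lower()
    elif source == "edr":
        rec = json.loads(line)
        # Hashes are case-insensitive; normalize before comparing.
        yield rec["host"], "sha256", rec["sha256"].lower()


def sweep(logs, iocs):
    """Return {asset: [(source, ioc_type, value), ...]} for every IOC match."""
    hits = {}
    for source, line in logs:
        for asset, kind, value in observables(source, line):
            if value in iocs.get(kind, ()):
                hits.setdefault(asset, []).append((source, kind, value))
    return hits


def corroborated(hits, min_sources=2):
    """Assets whose hits come from at least min_sources distinct log sources."""
    return sorted(a for a, h in hits.items() if len({s for s, _, _ in h}) >= min_sources)
```

A single asset matching in the firewall, DNS, and endpoint logs within minutes is a far stronger lead than any one hit alone, which is the value of correlating sources rather than searching each in isolation.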
Reporting and Visualization
In addition to being highly adept at collecting and correlating data, many SIEM tools offer numerous options for presenting it. Dashboards, charts, graphs, and other types of visualizations can help security teams interpret the vast amounts of data that these types of solutions produce. This can help prioritize the most important incidents and can even be useful in spotting suspicious events.
The visualization capabilities of top SIEM tools can be useful beyond security. IT leaders can use these tools to help plan for future growth, evaluate current patterns, and spot any areas that need improvement.
9 Tips for a Successful SIEM Deployment
SIEM solutions are often complex and come in many different flavors. Deployment can be tricky, especially in large organizations that may have hundreds or thousands of data sources. There can also be a substantial demand on your IT and Security teams.
Plan the Deployment Carefully
Carefully planning your SIEM deployment can mean the difference between realizing the benefits of the technology or adding unneeded overhead to your organization. You’ll need to choose between different vendors, deployment models (on-premises vs SaaS vs hybrid deployments), staffing strategies, and more.
Many organizations can benefit from a phased approach, beginning with a small pilot to evaluate the business case for a SIEM solution before moving to wider deployment. These types of solutions frequently need manual fine-tuning. False positives are extremely common, and a badly designed SIEM implementation can generate thousands of alerts that security teams are unable to keep up with. Business owners and management should be involved in all phases, from preparation through deployment.
Choose What to Monitor
Capturing data from a variety of sources is in a SIEM tool’s DNA. Ideally, you’d feed the solution the widest variety of data possible, but this isn’t always practical. Technical and budgetary constraints may limit the total amount of data your SIEM solution can ingest, which can result in some tough decisions about which logs to leave behind. For businesses where compliance is a concern, regulations or existing industry frameworks could dictate what data to collect.
As a general best practice, you’ll want to ingest logs from firewalls, file and directory servers, intrusion detection/protection systems, and potentially endpoint security products. Ingesting logs from your organization’s DNS servers can also add a great deal of context to security investigations and help spot sophisticated attacks. Don’t forget about cloud services or applications that may be in wide use.
The Varonis DatAlert Suite implements these best practices by giving you visibility into what’s happening with your data and enabling you to quickly detect and contain threats before any significant damage can be done.
DatAlert ingests and combines events from disparate data streams such as on-prem data stores, cloud sources, Active Directory, Azure AD, email, DNS servers, VPNs, and web proxies—adding unique context to alerts, like file sensitivity and account type, making them more actionable than traditional SIEM alerts.
Be Mindful of Your Existing Security Stack
All of the top SIEM tools offer various integrations, but the extent of those integrations and the difficulty in configuring them can vary wildly. When selecting a SIEM tool, it’s crucial to choose a product that is highly compatible with the unique mix of products already in use at your organization. Failure to do so can result in operational complexity and administrative burdens. Choosing a SIEM product that doesn’t play nice with your firewall vendor, for instance, can severely limit the advantages that a good SIEM tool should provide.
In many cases, SIEM integration is a highly manual affair and can require several steps. This is important to keep in mind when shopping for a solution, as the cost of labor involved in getting everything set up correctly can easily erase any cost savings promised by the vendor.
Understand the Pricing Model
SIEM vendors have instituted a variety of different pricing models for their products. Some charge per user, some charge per event, and some charge based on a tiered or flat rate model. It’s crucial for both technical and business decision-makers to understand how these pricing models work and what model makes the most sense for their organization. In particular, per-event pricing models can result in some nasty surprises for companies that don’t take a close look at their existing environment.
Decide What Features You Really Need
Many SIEM solutions are offered on an a-la-carte basis, allowing an organization to choose the features or functionality most relevant to them. Basic functionality like log management and alerting is usually offered at the lowest tier, but more advanced features may come at a premium. Threat Intelligence, automated remediation capabilities, and long-term data retention are all things that frequently cost extra. It’s important to perform a cost-benefit analysis not just on the SIEM solution as a whole, but also on any add-ons your organization may be considering.
Know That It Won’t Replace Humans
Increasingly, SIEM tools are leveraging automation and artificial intelligence to bring about new capabilities and enhanced efficiency. This doesn’t necessarily translate into a reduced need for human talent, however. In fact, SIEM solutions can require a great deal of human interaction to resolve alerts, perform additional investigation when required, and maintain the solution in general. Some tools may also require a fair amount of training and specialized skill sets. If you’re looking to SIEM to reduce costs, know that it’s unlikely to come in the form of a reduced headcount.
While the human component in the alerting process isn’t obsolete (yet), the Varonis DatAlert Suite helps reduce the amount of human interaction and manual labor required to sort through the enormous number of data security events that arise. DatAlert puts alerts into broader context by tying users to devices and locations, learning their behavior, and layering on additional information: Is this alerted user on a watch list? Have they triggered any other alerts recently? Do they normally access sensitive data? This additional context allows you to quickly determine whether an alert represents a real threat or a minor anomaly without spending hours stitching together logs.
Acknowledge The Limits
SIEM tools provide a great deal of visibility across an organization but often come with blind spots. Mobile devices, remote workers, and cloud applications are all examples of areas in which SIEM often does not perform well. It’s important for enterprises to recognize these limitations and take appropriate actions.
Even in areas where SIEM tools do well, such as network monitoring, it’s not uncommon for the tools to lack important contextual data. Remote access tools like VNC and TeamViewer are a great example. It’s easy to spot the network traffic generated by these tools, but without sufficient context, a SIEM solution can’t distinguish between a legitimate user and an attacker using the same tool to exfiltrate data. A SIEM tool may also have difficulty spotting attacks that weaponize legitimate services, such as malware sending command and control traffic back to a server hosted on a Content Delivery Network (CDN) or public cloud service.
Test and Tweak the Solution
With new types of threats appearing daily, it’s important to continually evaluate your defenses and address any weak spots. SIEM tools are no exception. Engaging an internal red team or external penetration testing service can help you assess the real-world effectiveness of your SIEM solution. New rules can then be added to address any threats that failed to generate an alert. Tools like Atomic Red Team and MITRE’s Caldera can be used in between full-scale penetration tests to continually analyze performance.
Alert fatigue is a common issue in many security operations centers. If you don’t set alerting thresholds appropriately, your analysts may become so used to seeing false positives that they fail to react in cases of genuine threat. It’s important to tweak any SIEM solution to find a good balance between too much noise and not enough visibility.
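One way to put numbers on that balance, as an added example rather than any vendor's tuning procedure: replay labelled activity (for instance, windows generated during a red-team exercise) against candidate thresholds and compare noise with missed detections. The rule, accounts, and counts are constructed.

```python
# Constructed hourly failed-login counts per account. "malicious" marks windows
# assumed to come from a red-team exercise, which gives the ground truth.
WINDOWS = [
    {"account": "svc-backup", "failures": 12, "malicious": False},  # stale password in a script
    {"account": "jdoe", "failures": 4, "malicious": False},
    {"account": "asmith", "failures": 7, "malicious": False},
    {"account": "helpdesk1", "failures": 3, "malicious": False},
    {"account": "mlee", "failures": 25, "malicious": True},      # fast password guessing
    {"account": "admin-t0", "failures": 9, "malicious": True},   # slow password guessing
    {"account": "kpatel", "failures": 2, "malicious": False},
    {"account": "rchan", "failures": 6, "malicious": False},
]


def evaluate(windows, threshold, allowlist=()):
    """Alert when failures >= threshold; return the outcome counts for this setting."""
    tp = fp = fn = 0
    for w in windows:
        # An allowlisted account never alerts, so it also becomes a blind spot.
        fired = w["failures"] >= threshold and w["account"] not in allowlist
        if fired and w["malicious"]:
            tp += 1
        elif fired:
            fp += 1
        elif w["malicious"]:
            fn += 1
    return {"threshold": threshold, "alerts": tp + fp, "true_pos": tp,
            "false_pos": fp, "missed": fn}


def best_threshold(windows, candidates, allowlist=()):
    """Highest threshold (least noise) that still misses no known-bad window."""
    results = [evaluate(windows, t, allowlist) for t in candidates]
    safe = [r for r in results if r["missed"] == 0]
    return max(safe, key=lambda r: r["threshold"]) if safe else None
```

On this sample a threshold of 3 fires seven alerts of which five are false, while 10 cuts the noise to one false alert but misses the slow guessing attempt; 8 is the quietest setting that still catches both.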
Don’t Use It Alone
As with all security products, SIEM tools should never be relied upon exclusively or in place of other types of safeguards. While SIEM platforms can increasingly take automated actions in response to certain types of events, they do not replace frontline defenses like anti-virus software and firewalls. SIEM tools also work best when organizations have a well-thought-out information security program already in place.
How Varonis Can Help
SIEM tools can be an invaluable addition to an organization’s overall security posture, but they’re not a panacea. Solutions like the Varonis Data Protection Platform can complement your SIEM tools and bring additional context into the picture to reduce alert fatigue and maximise actionable insights. Varonis DatAlert takes a data-centric approach to threat detection, complementing the network-centric approach of SIEM and bringing additional context through powerful User Entity Behavior Analytics (UEBA) capabilities. DatAlert integrates with all of the top SIEM tools, including ArcSight, Splunk, LogRhythm, and IBM QRadar.
For organizations with compliance concerns, Varonis DatAdvantage complements the reporting capabilities of SIEM tools with advanced remediation features, and reduces overall business risk by identifying overprivileged users.
Robert is an IT and cyber security consultant based in Southern California. He enjoys learning about the latest threats to computer security.