Why Your SIEM Isn t Adding Value And Why It May Not Be The Tool s Fault. Best Practices Whitepaper June 18, 2014

Transcription

1 Why Your SIEM Isn t Adding Value And Why It May Not Be The Tool s Fault Best Practices Whitepaper June 18, 2014

2 2 Table of Contents LIVING UP TO THE SALES PITCH... 3 THE INITIAL PURCHASE AND SELECTION PROCESS... 3 BEST PRACTICE RECOMENDATION... 5 USE CASES, CONTENT AND CORRELATION... 5 BEST PRACTICE RECOMENDATION... 6 MANAGEMENT, CARE AND FEEDING OF THE SIEM... 7 BEST PRACTICE RECOMENDATION... 7 NEXT STEPS OR MORE INFORMATION... 8

3 3 LIVING UP TO THE SALES PITCH Security Information and Event Management (SIEM) solutions have been used for more than 15 years in an effort, as the sales pitch goes, to give organizations situational awareness by real- time monitoring of logs from across their organization. Businesses spend millions every year buying, maintaining, operating, and optimizing these solutions but regardless of the size of the organization they aren t delivering on the sale pitch. Like a lot of technology solutions, most organizations use a very small percentage of their potential capability, resulting in missed expectations at one end of the spectrum and an irrecoverable security event on the other. Let s look at why this happens and then discuss the 3 things that any organization, regardless of size and scale, can do to ensure they are getting more value out of their SIEM investment. THE INITIAL PURCHASE AND SELECTION PROCESS When looking why companies don t get all the value they should out of their SIEM purchase we have to start from the beginning or at least remind ourselves of the initial reason it was purchased. Most organizations that we come across, both private and public sector, purchase a SIEM for compliance reasons or as a reaction to concerns to security news out in the market. Others have a highly skilled senior security team that can spend months if not years convincing senior level executives about the importance of having a well thought out and executed security plan balancing people, process, and technology. In both cases, if the plan isn t laid out properly with realistic expectations from the evaluation and purchase phase to the implementation and finally the ongoing operations and maintenance of the technology, it will not be successful. It may sound trite but plan your work and work your plan is all too often ignored when it comes to IT security. Often times to meet compliance requirements or as a response of a senior executive that wants to know where we are with security, organizations pay outside/third party security assessment companies to come in and do a full security review and assessment on their environment. If a reputable company is hired, the end result is a multi- page document showing any and all security concerns and compliance issues. The problem with these assessments is they highlight all the what and don t assist the client with the how side of going forward to remediate and fix the issues. It is like telling a child over and over they are pronouncing a word incorrectly but never telling them the right way to pronounce it. These assessments will usually state that the organization should be monitoring all the logs from all applications, firewalls, etc.

4 4 From here a reseller is called and shows the organization as many SIEM technologies as it can until the client buys something with the sales pitch of Situational Awareness and a Single Pane of Glass implying that out of the box the SIEM technology will be fully operational and solve all of your compliance woes or security issues. Unfortunately most resellers aren t service providers and don t have the engineering expertise themselves to install and maintain the solutions they are selling. The client is left with usually one person to inherit the SIEM tool on top of all the other technologies in the building with limited training, time, and lack of a security partner to guide them through the SIEM implementation in their environment. A lot of times, the person will be unsuccessful in getting any meaningful return on the SIEM tool for the organization leaving the entire senior management team to doubt the purchase altogether or blame manufacturer of the SIEM technology. In the other case where an organization has an experienced security team that knows what they need but have to ensure they have the budget and buy in necessary for a successful SIEM deployment. In this case they rely on their own proof of concept of the tool to make a selection. The selection is made and the often already overburdened security team is sometimes left with no additional funds to add headcount to effectively run the technology, no time to train, and no budget to bring in expert 3 rd party consulting companies to fit the SIEM technologies to the specific use cases, etc. that are needed for their organization. Organizations in both cases need a service partner focused on making sure a proper map of process and expectations is laid out for 3 important phases in the deployment of a SIEM: 1. the initial install, 2. the first 3-6 months of optimization and customization, 3. and the ongoing management and enhancement. Imagine purchasing Microsoft PowerPoint, installing it, and being angry that it doesn t come preloaded with all of the slide decks that you need across sales, IT, Human Resources, etc. specific with text and data for your organization. It is just a tool; the organization has to take the time to format the slides, etc. in order to achieve what they need. Does PowerPoint have templates and stock images? Sure, but that is just a baseline. SIEM technology is the same way, regardless of the technology that you purchase you are going to have to customize it for your organization using internal processes and industry best practices. Without the proper planning and expectations around people and processes upfront the odds of achieving even the minimal capabilities of a SIEM solution are slim to none.

5 5 BEST PRACTICE RECOMENDATION If you are buying a SIEM make sure you get it from a service provider that has extensive experience architecting that specific SIEM technology. If you have an existing SIEM technology that isn t providing the value you want, then it might be a good time to bring in someone to look at re- architecting the solution or coming in to clean things up. First, when selecting a service provider I would recommend that you don t chose one that only knows one type of SIEM technology or only in one industry. There are huge advantages in working with all of the major and some less known SIEM technologies as it increases the likelihood that the organization is going to benefit from the service provider s experience architecting SIEM solutions across many different industries both public and private. Second, make sure all stakeholders are present during the demo, proof of concept, and selection phases to ensure user adoption across all functional areas. The nature of the SIEM means it must work with many things across the network and if the organization s network team is separate from their security team, then it is important that the network team is a part of the selection process and understands the goals and objectives around purchasing a SIEM. At the end of the day you ll need buy- in from all system owners to ensure a successful deployment that meets everyone s expectations and criteria. Finally, before the purchase an organization should make sure they have a clear understanding of their current environment. What is on your network currently? Who has admin rights on your network? What applications are running on your network? What are the compliance drivers for the organization? This information should be compiled prior to the purchase of a SIEM and is the foundation of what will be come the SIEM rollout plan. Most of the time these road maps are built during a 3 rd party assessment or security posture analysis and they are a key part of ensuring a successful deployment of a SIEM technology. Project manage the road map and highlight specific success milestones that can be measured to ensure the deployment is on schedule. Typically this road map is no less than 6 months and often times extend out a year. USE CASES, CONTENT AND CORRELATION Not all use cases are created equal. Again, out of the box almost all of the SIEM technologies in the market today come with the basic connectors that help the user to bring in basic use cases pulled from the most common security and other technologies on the market. Organizations use SIEM technologies for many different reasons so some of what I am saying here won t apply to all, but in general a SIEM has the ability to be used for not only security monitoring but pperational monitoring, and executive/compliance monitoring if quality use cases and content are generated and added into the solution. If the user has the time and knowledge to use the built- in API s/connectors/etc. to get most of their firewalls, servers, and other point products flowing into the SIEM tool they are ahead of the game but they are still a long way away from the situational awareness and single pane of glass promise on the outside of the box or in the subject line from the reseller.

6 6 Use cases are an area where an organization can see the most return on their investment after the proper installation and roll out of the SIEM technology. There are many types of use cases. Across over 70% of all the SIEM engagements we perform on an annual basis we find the majority of use cases address bringing only one technology into the SIEM and maybe setting an alert based on the built- in content included. That may be a valid use case but is it getting the organization what they need, is it helping get them to a place of situational awareness and compliance automation? Often it isn t, use cases should have more than one function. Most use cases we see are created from one technology or only take into account one or two items without any context to the rest of the environment. Properly correlating events from multiple systems and vulnerability scan results will give you the visibility into the entire attack chain and provide true situational awareness. BEST PRACTICE RECOMENDATION Regardless if an organization is going to deploy the SIEM technology or if a 3 rd party is going to do it, well thought out use cases can make or break the success of a SIEM. Situational awareness is very possible if strong use cases and content are built into the system. In every SIEM technology there are plenty out- of- the- box connectors and API s that will make bringing in most critical infrastructure fairly easy but in the case that there are proprietary or other technologies that aren t supported by the SIEM tool s API, it might be necessary to do some custom parsing or scripting to match the output of the source of the logs to the input of the SIEM. Once an organization gets all of that data feeding into the SIEM it is important to create meaningful and tuned use cases to limit the amount of alerts firing. Alerts should be actionable and important to not just the security team but also for the operational health of the organization as well as the executive view of compliance and top of mind threat intelligence that today s boards and executive teams are keying on. The SIEM can be a window into all of these things through the creation of the proper use cases. As we discussed earlier, most use cases are created to look at only a single feed when they really need to weigh multiple feeds against each other to measure what may or may not be happening. The single feed works in some cases but is often stopping short of what the system is capable of doing costing many engineering and analysis hours to manually do what should be automated. Imagine if the strategy of a defense was to only watch what one single player did on offense and ignore all other receivers, running backs, etc. That may work for certain plays that the offense runs but for the remaining plays the defense will never be able to stop the offense. It is better to create plays and formations that allow the defense to cover the entire field. That is what good use cases should do for not only the security team but for the entire IT, Finance, and Compliance organizations. Prior to hiring a 3 rd party to develop content and use cases ask them to show you examples of what they would do make your SIEM more efficient.

7 7 MANAGEMENT, CARE AND FEEDING OF THE SIEM SIEM technologies definitely do not fall into the set it and forget it category of technology. These technologies are often sold incorrectly, they are sold as the solution, the all knowing, and instead we need to sell them as the meeting point or canvas for all security information. Just because you have paints, brushes, and a canvas doesn t ensure great art. Organizations must plan for an internal resource or outsourced service to monitor and maintain the SIEM solution on a regular basis. Some of the many things to manage on the SIEM include internal health of the individual components, ongoing content development and analysis of the actual security events. We recommend at least two formal health checks on the SIEM from an experienced SIEM focused service provider per year and sometimes more for larger organizations. Like cars, computers, firewalls, etc., SIEM technologies break and require an experienced professional to fix the issues while continuing to advance the sophistication and visibility of the system. BEST PRACTICE RECOMENDATION The ongoing development and management of the SIEM tool is key to ensuring that an organization gets the most out of their SIEM technology. In order to manage the technology ongoing properly the organization has to decide if they are going to allocate enough time for an internal resource to do all of the tuning, testing, and repair of the SIEM day to day. Too many organizations put a well- qualified professional in a position to fail by making them a jack- of- all- trades in security. One person often times has responsibility over the SIEM, IDS, IPS, firewalls, etc. Depending on how many devices are reporting in to the SIEM, it is often too much to put both the management of the SIEM and the development of use cases and content on one person in the organization. There are several trends that have emerged in the security space around outsourcing that makes sense for both large and medium sized organizations that feel it is important to control where their logs are being stored and who has access to them. The traditional model of the MSSP has always required the customer to send their logs to the MSSP for analysis and import into their white- labeled SIEM tool. This often creates issues around making sure that the 3 rd party is set up to securely receive and store that often sensitive information. Another challenge sometimes present is getting data exported from the MSSP into your own data analysis systems. That trend is changing with the emergence of service providers that now enable their clients the ability to own

8 8 their own SIEM tool and other technologies and control their log information more closely by not requiring them to send them offsite but rather the service provider connects in and manages and writes content for the organization remotely from their own security operating center. This a highly efficient and cost effective method that is allowing customers to focus less on the day to day care and feeding and expansion of the SIEM technology and more on interpreting the intelligence generated by all of the tools in the environment. Organizations can find success managing and advancing the SIEM technology using internal staff or outsourcing to this new breed of service providers but the key is setting expectations and not putting too much on one person s plate allowing them time to constantly improve the technology. Ongoing management is key to the success of a SIEM in an organization given how fast the security world changes and evolves someone has to be driving the SIEM to make sure the organization is keeping up. NEXT STEPS OR MORE INFORMATION ReliaQuest, a pioneer in IT security solutions, ensures organizations remain secure and compliant as the IT world changes; empowering IT professionals with the latest relevant security technology innovations and services that simplify often complex interactions between security, risk and compliance in order to minimize loss of data, business disruptions and reputation. The ReliaQuest team has a unique ability to deliver optimal solutions combined with our talented staff and documented best practices that unify people, process and technology in both on- premise as well as managed service requirements. Check out our website at or contact us today at (800) to schedule your security assessment and find out what can be done to improve your SIEM today.