Become a hunter: fi nding the true value of SIEM.

Transcription

1 Become a hunter: fi nding the true value of SIEM.

2 When Security Information and Event Management (SIEM) hit the security scene, it was heralded as a breakthrough in threat detection. However, SIEM is just a tool. While initially designed to bring data together for a more comprehensive threat view, it has become, like many other security technology solutions before it, reactive and siloed. SIEM gains its true value when coupled with expertise, becoming one tool in the proactive hunt for actionable intelligence. SIEM is only as smart as the people analyzing its data. SIEM is an excellent technology, and it is core to any security architecture. However, on its own, SIEM is still a reactive tool layered on top of other reactive data-generating tools. For SIEM to function to its promise enabling security analytics to provide actionable intelligence the technology must be coupled with people. It s people that can build the use cases that give SIEM context. It s people who understand the enterprise environment globally. It s people who can take that global view and progress towards actionable intelligence. If organizations start from the premise that they have been or probably will be breached, reacting is no longer enough. Organizations must become proactive hunters, constantly mining data and seeking insight that inspires action. 2

3 Actionable intelligence leads to executable actions: one organization s journey to SIEM value. A major Canadian retailer had multiple organizations providing segregated pieces of its security, including a reactive SIEM service, intrusion prevention and fi rewalls. As a result of the siloed nature of the solutions, the organization s security team struggled to uncover actionable intelligence. The security team was leveraging the SIEM solution. Its SIEM provider had built rules and correlations around SIEM that triggered reactions to certain events and generated alerts that were forwarded to the internal security team. However, with many of its security technologies being managed independently, there was little cohesion between the different providers and the organization, as well as between the data sources providing security posture information. It s an error common to many organizations as security has evolved different technologies, going in different directions, with little to no communication or interaction. Without interaction, a global view is impossible, which makes it challenging to effectively mine the data. The SIEM investment had been made, and the solution was functioning to a degree. But the organization was not realizing its true value because the internal security team was still in reactive mode, rather than being a proactive hunter. The retailer partnered with TELUS Security Solutions. TELUS security specialists made some simple changes to consolidate key components of the retailer s security environment. They confi gured the SIEM solution to report and alert on things that the organization prioritized. They then took the data coming out of the SIEM solution and applied advanced monitoring. The resulting outcome was twofold the TELUS security team was able to apply threat information to the data and wrap it within the context of the retailer s environment. With this change, the retailer has transitioned to proactive hunter -- creating a process whereby all security alerts, major and minor, are being reviewed on a consistent basis. The security team now has a mechanism for taking billions of points of data and transforming those into actionable intelligence that leads to executable actions. 3

4 Advice for aspiring hunters. In security, defense is important. Collecting data is also important. But hunting is critical looking for anomalies, understanding their causes and investigating incidents and events. It s important to have a plan to hunt proactively and respond proactively. TELUS security experts provide three key pieces of advice. 1 Take a programmatic approach to security. Maturing along the continuum to actionable intelligence requires a programmatic approach to security. You can t have one without the other. What does that mean? It means that your security program must be built in a holistic way. Over time, most organizations have been adding siloed solutions to solve problems. However, perpetrators don t take a siloed approach to their attacks. They look at everything all tools and processes. Looking at security from a programmatic perspective enables you create an interconnection between tools, processes and people. With that interconnection, you can correlate data from your entire infrastructure, whittle it down and examine specifi c components in order to identify real issues with potential impact, which may not have been evident when viewing individual silos. 2 3 Take the leap of faith away from reactive to proactive. By defi nition, all technologies are reactive. They are designed to react to an event or multitudes of events. Organizations that are serious about security are getting serious about being proactive in their approach. The irony is that they thought they were being proactive by implementing reactive tools, yet they only initiated more problems by creating technology silos. Proactive is defi ned differently now. With the architecture and technologies in place and doing their thing, it s critical to inspect the data coming from different technologies to understand what s happening globally in your environment and to hunt for anomalies. Empower your SIEM solution. The SIEM solution itself includes: Device monitoring, management and maintenance Security alert notifi cation Device tuning and optimization (understanding false positives) Central log collection Use case development and deployment, created in partnership with the client or business unit Report development and distribution Custom device support True actionable intelligence comes from advanced monitoring and security analytics compiling data from the SIEM solution, customer environment (e.g. industry, location, political environment) and security in general to determine whether an event is truly a security event. To maximize the value of the SIEM, it is critical to consider: Proactive threat intelligence capabilities for data analytics Proactive research and profi ling Log analytics and monitoring Data contextualization The business, its people, technology and processes 4

5 Moving beyond SIEM s technology capabilities. SIEM falls short of expectations and fails to deliver value when it is leveraged only as a technology. To fi nd the true value of a SIEM investment and to position it as an enabler of proactive hunting, it is important to: Leverage the power of SIEM to build strong use cases that address organizational gaps Understand the output of SIEM and use cases to provide an actionable response Provide advanced monitoring and security analytics to leverage the data within the context of the organization s security environment If you are thinking of deploying SIEM technology or have already deployed but are struggling to realize the value of actionable intelligence, visit telus.com/siem to learn more about our SIEM consulting and management services. 5