SIEM: DIY or Managed Threat Intelligence
by Vertek Labs
There’s no doubt that today’s security information and event management (SIEM) solutions are powerful tools. Providing the best way to defend against dangerous cyber threats, a SIEM delivers a 360-degree view of an enterprise’s technical infrastructure by collecting endpoint, network, firewall, and security events, or ‘logs.’ SIEMs also correlate that data with threat intelligence feeds, leveraging custom feeds as well as community feeds such as those from the global Open Threat Exchange® (OTX).
The SIEM integrates, enriches, and cleanses the log data and threat intelligence feeds for real-time analysis and response. In doing so, it provides security professionals with context about the most dangerous cyber threats, empowering teams to respond faster to bad actors or system breaches.
DIY or a managed SIEM?
Great, a SIEM ‘seems’ to do it all! So, organizations should go out and purchase the highest rated SIEM ASAP, right? Not so fast: SIEMs are powerful and versatile tools, but they aren’t a set-it-and-forget-it solution. SIEMs require serious expertise to deploy and maintain correctly. A SIEM’s success and efficiency is directly related to the thought and effort that goes into how it is configured, implemented, and managed. So if your organization is considering going the DIY SIEM route, ask yourself these questions first.
- Do we have the time and resources for a full-scale SIEM implementation? To deliver proper threat protection, a SIEM must first be configured to pull in as many relevant log sources as possible. It needs to ingest data about assets across your organization and correlate that information with current threat intelligence using detection rules. Logs need to be collected from critical components across the network and business: firewalls; servers, in particular the Active Directory server and critical application and database servers; web servers; and the IDS and antivirus systems as well. Many SIEM implementations fail because these inputs are flawed and don’t represent the full application stack. A complete SIEM implementation takes time and expertise to get right. Rushing it, or skimping, may create a scenario where the tool fails to detect the most common and damaging attacks.
- Can my security team manage 1 million plus log events per day? Assuming your team gets past the initial hurdle of SIEM implementation and configuration, there are additional steps to ensure it can identify threats. As highlighted earlier, part of the equation is event log collection across your complete application stack. A SIEM can easily collect over 1 million log events per day from across your organization. A Fortune 500 enterprise environment can generate some 10 terabytes of log data per month! So the question becomes: does your security organization have the capacity to sift through more than 1 million log events per day? A SIEM can automate much of the process of correlating events across time periods and device types. But you still need a team that can place log data and threat intelligence within the broader context of your full security strategy. The reality is that it takes human analysis to properly implement and tune the SIEM over time to minimize false positives and improve the system. Small or medium-sized companies that have limited resources allocated to security monitoring (who doesn’t?) should evaluate whether this is the best use of time and money.
- Do we have the expertise to manage and ‘tune’ our SIEM? Even the highest rated SIEM out there will deliver little to no value if it’s not managed properly. Consider the fact that SIEMs focus heavily on what’s happening on your network at the moment and act as a holding area for historical threat feed data from various sources. The problem is that most successful attacks rarely look like ‘real’ attacks, except in hindsight, because attackers often try to remove log entries to cover their tracks. Also, multi-stage attacks with long ‘dwell times’ require managing and analyzing large volumes of data. Because a SIEM doesn’t know or ‘record’ what happened before or after the event was detected, it’s challenging to separate false positives from true detections. Moreover, many SIEMs offer threat detection rules out of the box, but they still require security experts to write good correlation rules and to customize those rules over time. Security experts are needed to continuously monitor and ‘tune’ a SIEM, managing ongoing updates, rules, new assets, and changing workloads to spot both routine and more sophisticated multi-stage attacks.
- Can my team interpret results and triage threat activity? An often overlooked factor when evaluating DIY or managed SIEMs is the interpretation of security events once an alarm sounds. Organizations require clear event and incident information to understand the potential impact of threats. SIEM alerts, however, are complicated! Analysts need to be able to understand the risk of threats to prioritize events and take action. If your team can’t quickly validate alerts and identify remediation steps, your DIY SIEM program may be in trouble.
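To make the correlation and tuning points in the list above concrete, here is an added example that is not Vertek’s code or any SIEM product’s rule syntax. It parses a few constructed firewall and Windows logon audit lines, applies one correlation rule across device types within a time window, enriches a hit with a constructed OTX-style indicator to set severity, and suppresses an allowlisted scanner the way a tuning exclusion would; the log formats, indicator and addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (firewall + Windows logon audit), simplified formats.
SAMPLE_LOGS = [
    "2018-10-30T08:00:01 fw action=ALLOW src=203.0.113.7 dst=10.0.0.5 dport=445",
    "2018-10-30T08:00:05 ad EventID=4625 src=203.0.113.7 user=admin",
    "2018-10-30T08:00:09 ad EventID=4625 src=203.0.113.7 user=admin",
    "2018-10-30T08:00:14 ad EventID=4625 src=203.0.113.7 user=admin",
    "2018-10-30T08:00:20 ad EventID=4624 src=203.0.113.7 user=admin",
    "2018-10-30T09:15:00 ad EventID=4625 src=10.0.0.42 user=bob",
    "2018-10-30T09:15:10 ad EventID=4625 src=10.0.0.42 user=bob",
    "2018-10-30T09:15:20 ad EventID=4625 src=10.0.0.42 user=bob",
    "2018-10-30T09:15:30 ad EventID=4624 src=10.0.0.42 user=bob",
    "2018-10-30T10:00:00 ad EventID=4625 src=10.0.0.9 user=svc-scan",
    "2018-10-30T10:00:01 ad EventID=4625 src=10.0.0.9 user=svc-scan",
    "2018-10-30T10:00:02 ad EventID=4625 src=10.0.0.9 user=svc-scan",
    "2018-10-30T10:00:03 ad EventID=4624 src=10.0.0.9 user=svc-scan",
]
TI_INDICATORS = {"203.0.113.7": "example-ti-pulse"}  # constructed OTX-style feed
ALLOWLIST = {"10.0.0.9"}  # tuning: authorised scanner, suppress its logon noise
LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")

def parse(line):
    ts, source, rest = LINE_RE.match(line).groups()
    event = dict(kv.split("=", 1) for kv in rest.split())
    event.update(ts=datetime.fromisoformat(ts), source=source)
    return event

def correlate(lines, window=timedelta(minutes=5), threshold=3):
    """Rule: >= threshold failed logons (4625) then a success (4624) from one src
    within `window`; firewall hits add context, a TI match raises severity."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    failures, fw_hits, alerts = defaultdict(list), defaultdict(int), []
    for e in events:
        src = e["src"]
        if src in ALLOWLIST:  # tuned out: known false-positive source
            continue
        if e["source"] == "fw":
            fw_hits[src] += 1
        elif e.get("EventID") == "4625":
            failures[src].append(e["ts"])
        elif e.get("EventID") == "4624":
            recent = [t for t in failures[src] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"src": src, "user": e["user"], "failed_logons": len(recent),
                               "firewall_hits": fw_hits[src], "ti_match": TI_INDICATORS.get(src),
                               "severity": "high" if src in TI_INDICATORS else "medium"})
            failures[src].clear()
    return alerts
```

Running `correlate(SAMPLE_LOGS)` yields two alerts: a high-severity one for the indicator-matched external address with its firewall context, and a medium one for the internal host, while the allowlisted scanner produces nothing; that enriched context is what an analyst needs to triage.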
The bottom line? When it comes to SIEMs, the real value is in the expertise of the individual or group that configures and manages the tool. The SIEM must be properly tuned and the security team properly trained to achieve accurate threat detection and to address your current threat landscape. You don’t want to underestimate the total effort and costs required to meet your SIEM project goals. If your internal security team is strapped, your SIEM initiative could be a failure to launch. If you’d like help evaluating DIY vs. managed SIEM strategies, get in touch! At Vertek, we offer a comprehensive Managed Threat Intelligence service that does the heavy lifting, so you can realize more value from your SIEM, detect threats, and improve your security posture without overspending or unpredictable results.
October 30, 2018