Slash Security Admin
Ploughing through log reports isn’t for the faint-hearted. It hardly improves the situation to know that the security information in the report is already out of date by the time it is read, or that the person reading it may not fully understand what they are looking at. Unfortunately, we can’t avoid the reality that information security is built on information, and with information comes administration. So how can security managers best address the administrative function that SIEM (security information and event management) requires?
Why do this to ourselves?
Security monitoring and log management are seen as a necessary evil by many organisations. For the enlightened, however, capturing many millions of logs every day does more than achieve compliance. Log data can be processed and correlated into events, which in turn are translated into alarms for action. Ultimately, logs help to control risk and mitigate threats. Admin-intensive log management is in fact the foundation of security intelligence, and security intelligence is not something that can be bought off the shelf: it is entirely data-centric and specific to the organisation. Understanding this value chain can have a very positive effect on team motivation for log management and correlation. With the information at your fingertips, important decisions can be made quickly and confidently to actively manage the security landscape of your organisation. If it means fewer call-outs, better service availability and more consistency, engaging in log management and housekeeping begins to seem worth the effort.
How to make SIEM really easy
The volume of log data generated in just one day can easily swamp an average-sized IT team, and that is before anyone has started analysing it. Our recent industry research found that 40% of security professionals have serious concerns about their business’s ability to report on internal systems and about the time it takes to analyse data and logs. Tools and automation are therefore vital for a number of SIEM functions. Numerous technologies automate much of the log management and correlation work, providing visibility of everything from filename patterns to IP addresses, individual user activity and financial transactions, all correlated to identify trends and flag security events. The other critical function of these tools is to suppress what is inconsequential: we want a lot of noisy logs going into the system, but a small, sensible set of events and alarms coming out of it. Setting rules and baselining normal behaviour patterns within your network are essential to using correlation tools effectively. Set this up in the right way and millions of logs turn into a handful of alarms that require further investigation.
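To make the rules-and-thresholds point concrete, here is a small correlation rule run over constructed log lines. This is an added example, not code from the page or from Orange Cyberdefense’s tooling: the hosts, users, addresses and timestamps are made up, the line format imitates OpenSSH syslog output, and the threshold (three failures) and window (five minutes) are arbitrary choices a real deployment would tune against its own baseline. Ten noisy lines go in; one alarm comes out, and that alarm keeps the raw lines that produced it, which is exactly what the analyst in the next section needs to trace back from alert to evidence.

```python
"""Toy correlation engine: many raw auth log lines in, a handful of alarms out.

Constructed example, not the page's or any vendor's code. Hosts, users,
addresses and timestamps are made up; the format mimics OpenSSH syslog lines.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: routine noise plus one source (198.51.100.23) that fails
# four times and then succeeds within a couple of minutes.
RAW_LOGS = """\
2024-03-01T08:00:01 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 50231 ssh2
2024-03-01T08:01:10 web01 sshd[2203]: Failed password for root from 198.51.100.23 port 41001 ssh2
2024-03-01T08:01:12 web01 sshd[2204]: Failed password for root from 198.51.100.23 port 41002 ssh2
2024-03-01T08:01:15 web01 sshd[2205]: Failed password for admin from 198.51.100.23 port 41003 ssh2
2024-03-01T08:01:20 web01 sshd[2206]: Failed password for admin from 198.51.100.23 port 41004 ssh2
2024-03-01T08:02:44 web01 sshd[2207]: Accepted password for admin from 198.51.100.23 port 41005 ssh2
2024-03-01T08:05:00 web01 sshd[2210]: Failed password for alice from 10.0.0.7 port 50300 ssh2
2024-03-01T08:05:09 web01 sshd[2211]: Accepted password for alice from 10.0.0.7 port 50301 ssh2
2024-03-01T08:30:00 web01 sshd[2300]: Accepted publickey for deploy from 10.0.0.5 port 50400 ssh2
2024-03-01T09:00:00 web01 sshd[2400]: Failed password for bob from 10.0.0.9 port 50500 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(raw):
    """Normalise raw lines into event dicts; lines the pattern cannot read are dropped."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["raw"] = line  # keep the original line as evidence
        events.append(ev)
    return events


def correlate(events, min_failures=3, window=timedelta(minutes=5)):
    """Rule: at least `min_failures` failed logins from one source, followed by a
    success from that same source within `window` of the earliest failure still
    in scope. A single mistyped password followed by success stays below the
    threshold and raises nothing. Each alarm carries the raw lines behind it."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alarms = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = []
        for ev in evs:
            # Drop failures that have aged out of the correlation window.
            failures = [f for f in failures if ev["ts"] - f["ts"] <= window]
            if ev["outcome"] == "Failed":
                failures.append(ev)
                continue
            if len(failures) >= min_failures:
                alarms.append({
                    "rule": "brute_force_then_success",
                    "src": src,
                    "user": ev["user"],
                    "first_seen": failures[0]["ts"],
                    "evidence": [f["raw"] for f in failures] + [ev["raw"]],
                })
            failures = []  # a success, alarmed or not, closes the sequence
    return alarms


def run(raw=RAW_LOGS):
    """Parse and correlate; returns the list of alarms for the given raw text."""
    return correlate(parse(raw))


if __name__ == "__main__":
    for alarm in run():
        print(alarm["rule"], alarm["src"], alarm["user"],
              f"({len(alarm['evidence'])} raw lines of evidence)")
```

The window expiry is what keeps the rule honest: if the same four failures were followed by a success an hour later, the failures would have aged out and no alarm would fire. That is the difference between a rule tuned to your environment and one that pages someone every time a user forgets a password.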
SIEM needs 24/7 monitoring
The next admin-heavy challenge for SIEM is to monitor the alarms and put them in context to determine whether there is a legitimate threat. This type of administration is harder to automate: it requires real people with genuine security expertise. With a security expert at the helm, a dashboard of events is needed to trace the forensics all the way back from the alert, through the chain of correlated events, to the raw logs, which may have been collected over a long period. This analysis seeks to reveal what is behind the threat, when it first appeared and how it can be mitigated. Attacks, as we well know, don’t confine themselves to working hours, so inconvenience is another curse of security admin that has to be addressed. If you have your own 24/7 operations centre there is nothing to fear, but if not, you have to decide how security alerts will be monitored against the level of risk you find acceptable. Is it acceptable, for instance, to tell the CEO tomorrow morning that there was a major incident this evening? Pragmatism is important in working out how best to monitor security events within SIEM. The objective of total security is noble, but the idea of dedicated IT staff watching and waiting all day, every day in case an alarm is triggered isn’t appealing to many organisations. Admin for platform monitoring and alert analysis costs time and money; remember, however, that the time doesn’t have to be your own. Compare the TCO of working with specialist partners to manage SIEM against the cost of resourcing it in-house, and review the service agreement to see whether uninterrupted monitoring is more cost-effective through a third party than a compromise solution under your own roof.
It’s not admin, it’s improved service availability
Orange Cyberdefense has made the case for addressing security admin head-on, but making it a strategic issue is the key to successful SIEM. Think about how you describe logs within your team, how you flip a coin for who gets to read this week’s report, or how you dread being on call this weekend. Half the battle for threat management is in extracting better information from the devices already in place; the other half is in making teams want to do it. The bigger picture is that security admin, information and intelligence protect the business from internal and external threats far more effectively than devices alone ever can. Remind your teams what they are really doing: enabling service availability and consistent IT platform performance, one log at a time. To find out how SIEM can help slash your security admin in 5 steps, download our guide to sorting out SIEM.