Why Enterprise SIEM is like a trip to the gym
The approach that many organisations take towards Security Information and Event Management (SIEM) mirrors the attitude many people have towards physical fitness. Rather than go to the expense and inconvenience of setting up a home fitness studio, many “out-task” this and join a local gym. However, 20 minutes on the exercise bike with the resistance set to zero will do little to improve your fitness. If your motivation comes from a vague feeling that you should get some exercise, with no specific goals in mind, you will achieve little more than increasing the smugness of Messrs Bannatyne and Branson.

The same can be said of SIEM services: if you embark on such a project with an uneasy feeling that you should be doing something with all those logs (or worse, because you need to tick a compliance box), you are unlikely to achieve the visibility that event management tools can provide. The truth is that SIEM requires effort to achieve results, but obtaining them should at least be straightforward. The “resistance” comes from understanding your own organisation and its operational data needs.

SIEM can help you determine your operational “fitness” and improve response and recovery whenever the system is stressed. Establishing baseline metrics is an important first step; the system can then report the delta when things change. This may be as straightforward as discovering which events influence end-user response time or the peak system load. Consider the parameters of each metric: a 300% increase in transaction logs from a production database server may just be an end-of-quarter batch run; conversely, a 90% drop may indicate client connectivity issues. These are all business issues, divorced from the technicalities of log management. It sounds obvious, but if you go into a SIEM project with a clear understanding of which business aspects you need visibility of, you are much more likely to get it. Correlating all this information will give you a fighting chance of discovering trends.

Users complaining that the system is slow may coincide with a data centre replication process. An increase in Internet usage may be measured as the organisation rolls out cloud services. Furthermore, when something truly terrible happens, such as a security breach or an outage, you will have a solid timeline for the post-incident forensics.

Going back to the analogy, getting operationally “fit” is easier if you avoid going it alone. By working with a trainer or trusted partner, you are much more likely to achieve your goals. As with going to the gym, the benefits of using a SIEM service are directly proportional to the effort put in. That way, when the time comes to do the operational equivalent of climbing five flights of stairs, you won’t question the merits of a gym membership.
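The baseline-and-delta idea in the post, with its own +300% and -90% thresholds, as an added example that is not part of the original article: the daily log counts, the dates and the list of expected batch-run dates are all constructed assumptions used to show a known quarter-end run being annotated while an unexplained drop is flagged.

```python
from statistics import median

# Constructed daily transaction-log counts for one production database server.
DAILY_LOG_COUNTS = {
    "2024-03-25": 10200, "2024-03-26": 9800, "2024-03-27": 10500,
    "2024-03-28": 9900, "2024-03-29": 41000,  # quarter-end batch run
    "2024-03-30": 10100, "2024-03-31": 900,   # client connectivity loss
}
# Assumed operational knowledge: dates on which a large batch run is expected.
EXPECTED_BATCH_DATES = {"2024-03-29"}

SPIKE_PCT = 300.0   # the post's "300% increase"
DROP_PCT = -90.0    # the post's "90% drop"

def baseline(history, window=3):
    """Median of the last `window` values; a median resists a single outlier day."""
    recent = history[-window:]
    return median(recent) if recent else None

def percent_change(value, base):
    return (value - base) / base * 100.0

def classify(date, value, base):
    pct = percent_change(value, base)
    if pct >= SPIKE_PCT:
        if date in EXPECTED_BATCH_DATES:
            return "expected-batch"   # annotate the timeline, do not page anyone
        return "spike"
    if pct <= DROP_PCT:
        return "drop"                 # possible client connectivity issue
    return "normal"

def run(counts=DAILY_LOG_COUNTS, window=3):
    """Walk the series in date order; return {date: (pct_change, label)}."""
    history, results = [], {}
    for date in sorted(counts):
        value = counts[date]
        base = baseline(history, window)
        if base is not None:          # first day has no baseline yet
            pct = round(percent_change(value, base), 1)
            results[date] = (pct, classify(date, value, base))
        history.append(value)
    return results

if __name__ == "__main__":
    for day, (pct, label) in run().items():
        print(f"{day} {pct:+7.1f}% {label}")
```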