InfoSec Insider

Building SIEM for Today’s Threat Landscape

Sivan Tehila, cybersecurity strategist at Perimeter 81, discusses the elements involved in creating a modern SIEM strategy for remote work and cloud-everything.

It’s easy to see how the changing security landscape has shaped the evolution of the security information and event management (SIEM) practice area — and how it continues to. But architecting an effective SIEM approach requires a well-thought-out strategy.

A combination of security information management (SIM) and security event management (SEM), SIEM’s development over the last 16 years has been directly tied to different market drivers and threats during any given time period.

In its early days, SIEM was shaped by new compliance drivers that dominated the era, like PCI or HIPAA. In more recent years, SIEM has evolved to handle the convergence of platforms while accelerating threat detection against sophisticated ransomware and malware.

With remote work, cloud adoption and other digitization initiatives accelerating over the last year, the spotlight is again on SIEM as organizations seek a wider net with more scalability and automation. The challenge this time is for users to understand how to assemble the appropriate SIEM solution.

Why SIEM is an Ideal Setup, Now More Than Ever

SIEM software uses analytics engines to match events against an organization’s policies. Then it indexes the data and events for a sub-second search to detect and analyze advanced threats using globally gathered intelligence.

When SIEM identifies a threat through network-security monitoring, it generates an alert and defines a threat level based on predetermined rules. For example, if someone is trying to log into an account 10 times in 10 minutes, that may be considered normal — but trying to log in 100 times within 10 minutes would be flagged as an attempted attack.
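The threshold rule described above, turned into running code as an added example (this is not code from the article or from Perimeter 81). It keeps a sliding 10-minute window of failed logins per account and raises one alert when an account crosses the threshold; the log line format, the field names, the IP addresses and the `THRESHOLD` default of 100 (the article's "flagged" figure) are all assumptions made for the demonstration, and the sample log is constructed inline.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed rule parameters: the article treats 10 attempts in 10 minutes as
# normal and 100 in 10 minutes as an attempted attack.
WINDOW = timedelta(minutes=10)
THRESHOLD = 100

# Assumed (constructed) log format: "<iso-timestamp> auth FAIL|OK user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window counter of failed logins per user.

    Lines are processed in timestamp order. Each user keeps a deque of failure
    timestamps no older than `window`; the first time the deque reaches
    `threshold` an alert is emitted for that user (one alert per user, so a
    long-running attack does not flood the queue).
    """
    attempts = {}   # user -> deque of failure timestamps inside the window
    alerted = set()
    alerts = []
    for line in sorted(lines):  # ISO timestamps sort lexicographically
        parsed = parse_line(line)
        if parsed is None:
            continue            # unparseable line: skip, never crash the pipeline
        ts, result, user, src = parsed
        if result != "FAIL":
            continue            # only failed attempts count toward the rule
        q = attempts.setdefault(user, deque())
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()         # evict attempts older than the window
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "src": src,
                "time": ts.isoformat(),
                "count": len(q),
                "severity": "high",
            })
    return alerts


def build_sample_log():
    """Constructed sample input covering the normal, attack and spread-out cases."""
    base = datetime(2021, 3, 1, 9, 0, 0)
    lines = []
    # alice: 10 failures over 10 minutes, the article's "normal" case
    for i in range(10):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} auth FAIL user=alice src=10.0.0.5")
    # bob: 100 failures in five minutes, the article's "flagged" case
    for i in range(100):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} auth FAIL user=bob src=198.51.100.7")
    # carol: 100 failures, but one per minute, so never 100 inside one window
    for i in range(100):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} auth FAIL user=carol src=192.0.2.9")
    lines.append("this line is not in the expected format")
    return lines


if __name__ == "__main__":
    for alert in detect_bruteforce(build_sample_log()):
        print(alert)  # only bob is reported at the default threshold
```

The carol case is the one worth noticing: a fixed "100 failures total" counter would flag her, while the windowed rule the article describes does not, which is exactly the kind of false positive that feeds alert fatigue. Lowering `threshold` trades that noise back for sensitivity, so the value belongs in a tunable rule, not in code.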

With endpoints now scattered outside the corporate network, cloud adoption on the rise and new applications meeting new needs for remote workers, SIEM has become an even more useful tool, since it gives security teams a centralized view of insights and activities within their IT environment. It provides data analysis, event correlation, aggregation, reporting and log management.

Alert Fatigue is Real

Despite the benefits, not all SIEM solutions are easy to deploy, maintain and manage. Automation is essential to SIEM adoption and ongoing effectiveness.

According to the 2020 State of SecOps and Automation survey, 92 percent of organizations agree that automation is required to address the growing number of alerts, as well as the high volume of false positives.

Still, 65 percent of organizations use only partially automated alert processing, and 75 percent would need no fewer than three additional security analysts to deal with all alerts on the same day.

This creates a lot of extra noise for a security operations team.

This is also why your organization must pay attention to your SIEM solution’s features and integrations. To avoid alert fatigue, ensure that analytics, threat intelligence and behavior-profiling are a part of your SIEM mix. This will improve success rates for detecting breaches and other targeted attacks.

The Need for Speed Requires Add-Ons

Modern security threats are driving a need for layered analytics within security platforms. AI, machine learning and advanced analysis can automate the detection of anomalous behaviors and improve response time even more, stopping potential attacks on the organization in real time, both proactively and reactively.

Beyond using AI and machine learning for better correlations and alerts, most SIEM systems also have a threat-detection element that monitors emails, cloud resources, applications, external threat intelligence sources and endpoints. This can include user and entity behavior analytics (UEBA), which monitors for abnormal behaviors that could indicate a threat. It can also detect behavior anomalies, lateral movement and compromised accounts.

Any capable SIEM solution will always require organizations to manage an increasing number of data sources. Due to the ongoing shortage of cybersecurity skills, it’s important to adopt a solution with vendor support in the form of ongoing updates and best practices, so your IT team won’t be forced to be SIEM experts.

Along with UEBA, extended detection and response (XDR) or security orchestration, automation and response (SOAR) can help bring the necessary visibility and flexibility a SIEM system requires. SOAR encompasses three software capabilities – threat and vulnerability management, security incident response and security operations automation.

Proper SIEM setup today means you’ll be prepared for the next evolution, and whatever challenges that may bring.

Sivan Tehila is a cybersecurity strategist at Perimeter 81.
