How to Successfully Hit Reset on your (Underperforming) SIEM
These 7 tips outline the capabilities organizations need in a security information and event management solution for the modern datacenter.
Plenty has been written about the frustration that security teams have with their legacy SIEM deployments. These solutions, which have been around since the late 1990s, promised to deliver early detection of hacking attempts, malicious activity and data breaches by applying correlation rules to disparate data generated across the enterprise.
Unfortunately, SIEM projects have largely failed to fulfill this promise because the corporate data center has shifted away from being largely an on-premise environment housing it’s own hardware and software. Modern data centers include employee-owned devices, mobile endpoints, SaaS applications, cloud storage and hosted infrastructure components. As a result, organizations are taking a hard look at ripping and replacing their legacy SIEM with a more modern security management platform. Here are a seven pointers to consider as you evaluate the possibilities.
1. Adjust to the new data paradigm
A big challenge for legacy SIEM products is coping with the explosion of data that has occurred across enterprise datacenters since the early 2000s. With the advent of cloud environments, the mobile revolution, SaaS applications and social networks, hackers no longer rely on simple tactics. Today, they deploy sophisticated techniques to achieve their goals. For example, the cybersecurity correlation of yesterday was based on static rules in legacy SIEM, or signature-based malware detection. The SIEM for the modern era requires advanced machine learning and artificial intelligence to defend against sophisticated adversaries who take advantage of massive increases in data volume.
2. Track unused accounts
Access credentials to user accounts on key systems are the new currency for hacking and data theft. One particularly vulnerable area are the abandoned user accounts that exist on critical servers and systems after employees have left the organization, moved to a different role, or via cloud resources they spun up temporarily. Hackers exploit these leftover accounts to uncover, silently attack, and use as a base for lateral movement across enterprise hardware and software resources. To stand a chance, SOC analysts must be keenly aware of the access granted to users across the organization. Behavior based analysis to find unused accounts that are being used for malicious purposes is a good technology for this task.
3. Monitor attacks in the cloud
The rapid adoption of cloud services, applications and resources adds a unique challenge. The latest attacks, and often the hardest to detect, are now coming from the enterprise’s exploding use of cloud services. A recent report from the Cybersecurity Insiders indicates that the risk of security breaches in cloud environments is almost 50% higher than in traditional IT environments. Consequently, your next gen SIEM must be able to closely monitor enterprise usage of cloud services by directly integrating with these cloud-based resources. You must ensure that employee activity across cloud infrastructure, cloud storage, and cloud applications doesn’t provide a hiding spot for malicious actors.
4. Find and remediate compromised accounts
In the enterprise environment, regular employees — or more specifically their access privileges — can be compromised and used without the legitimate user’s knowledge. These compromised accounts, while hard to detect by legacy SIEM products, are relatively easily found by next gen SIEMs. These modern solutions bring the relevant data, context, and behavior-based techniques to identify employee accounts that are victims of compromise.
5. Ensure visibility across the enterprise and cloud
Legacy SIEM products suffer from scale issues as they are stretched to cover the data volumes of modern IT environments. This means that many on-prem and cloud resources go unmonitored across enterprise IT resources, users, and data. Hackers rely on IT resources that are unmonitored by the SOC. In order to reduce the risk, your next gen SIEM must be able to provide enterprise-wide visibility for collecting and analyzing the vast amounts of data generated by the modern enterprise.
6. Where is your data?
To protect sensitive data stored across file servers, databases, and hard-drives, security and IT teams must have knowledge of where all such data is stored. In many cases, sensitive data often resides on machines and resources of which the IT or security team is completely unaware. Therefore one of the key activities of your next gen SIEM project must be a comprehensive data discovery and classification exercise. You can’t protect what you don’t know exists. Once the location and types of sensitive data in your organization is known, you can put the appropriate controls around it.
7. Build or Buy?
The modern data center is extremely complex. As the security team goes about planning and building your cybersecurity program, resist the temptation to develop a home grown SIEM, UEBA and security data lake system cobbled together with various IT and security tools within your enterprise that haven’t been tried and tested in the real world. The failure rate of these projects, according to Gartner, is shockingly high and they usually end with a massive data breach.
Aarij M. Khan is vice president of marketing at Securonix. Aarij combines a deep understanding of the security market and security requirements with over 15 years of technology and marketing leadership at high growth, innovative cybersecurity vendors. Previously, Aarij let marketing efforts at RiskIQ. He also led product and solution marketing at Tenable Network Security, Threatmetrix, and spent over 4 years at ArcSight/HP where he was instrumental in the rapid adoption of ArcSight SIEM products.
About the Author
You May Also Like
Cybersecurity Day: How to Automate Security Analytics with AI and ML
Dec 17, 2024The Dirt on ROT Data
Dec 18, 2024