Tel Aviv Stock Exchange CISO: Making Better Use of Your SIEM

If rule writing for SIEMs isn't managed properly, it can lead to false positives and misconfigurations, which create extra work for the SOC team.

For Gil Shua, getting the most out of the security information event management (SIEM) system for the Tel Aviv Stock Exchange comes down to getting the signal-to-noise ratio right. That, and writing the right rules.

Signal-to-noise ratio, as every radiofrequency engineer knows, boils down to the amounts of actual content (signal) to static and other sonic disruption (noise). For Shua, the goal is to minimize the amount of noise getting sent to the SIEM in favor of actionable content. He's looking for something that makes him get up from his desk with the realization, "We have a problem; we have something that we want to address now and fix it."

Shua has worked in various security positions at the Tel Aviv Stock Exchange (TASE) for more than a decade and was appointed CISO in 2022. During that time, he says it's been a "constant chase for data resources" to ensure that the signal-to-noise ratio skews in favor of signal data to maximize the capabilities and benefits of the exchange's SIEM.

Tel Aviv Stock Exchange CISO Gil Shua
Tel Aviv Stock Exchange CISO Gil Shua. Source: Gil Shua, Tel Aviv Stock Exchange

Filtering the Noise

Shua and his team have their work cut out for them since with most SIEMs, "you see a lot of noise, and not a lot of signal." This leads to false-positives and misconfigurations, which, in turn, creates extra work for the SOC team, reduces productivity, and is an impediment to trying to getting a SIEM working.

To minimize this, Shua says the SOC team can write rules for how the SIEM handles incoming data, but creation of those rules takes up valuable SOC team time as well.

But writing SIEM correlation rules is relatively easy if the SIEM solution already has predefined log parsing and rules for the reporting application, says Shua. But before rules can be written, the SOC team must: 

  • Figure out the data structure and identify relevant fields needed for the rule.
  • Understand the logic of the reporting systems as they may have their own log standards.
  • Create an exact rule correlation and analyze exceptions.
  • Perform quality assurance and testing.

These action items can take a few hours each, but if they're more complex, they can take days to complete, Shua adds.

"When you establish a SIEM, you have two concerns. One is 'Do I have the rules that protect me against relevant attacks … am I covered with effective rules?' The second thing is, 'Do I get the information from our log sources and other telemetry that will trigger these rules?'."

The recent addition of CardinalOps' platform has improved the Splunk Enterprise at TASE; Shua says the process of writing rules has been massively reduced, with 85 rules produced in the few months this particular technology has been in use. "The team is more focused on implementing rules and testing them and not writing them, which was the most time consuming process in the link," he adds.

So are SIEMs worth the time and money spent on correlation and rules writing? Shua admits that maintaining a SIEM is a demanding task, as there's a need for constant updates and modifications. Despite all the effort, some attacks may go unnoticed due to lack of visibility or matching rules.

"I expect future solutions would adopt automation capabilities for autonomous rule creation and response, out of the box," Shua says. 

And because SIEMs draw data from many sources, they must become more efficient with processing, analyzing, and storing data that's in different formats. "You have to make adjustments to maintain," Shua says, adding that improper change management means an organization is likely to miss some security events.