A security information and event management (SIEM) system is about as complicated as a security tool can get, pulling in log and threat data from a wide range of sources to look for signs of a cyber attack.
Not surprisingly, they can be challenging to manage. A Gurucul survey of over 230 security pros at the recent RSA Conference found that managing and configuring SIEM solutions can be an overwhelming task.
More than 42 percent of respondents said it takes weeks, months, or longer to add new data sources to their SIEM, and over 30 percent said they don’t know how to do so. Almost 17 percent said they aren’t confident their SIEM can detect unknown threats, and almost 21 percent simply don’t know if it can or not.
Over 61 percent of respondents said they get more than 1,000 security alerts a day, and almost 20 percent said they get too many alerts to count.
In an interview with eSecurity Planet, Gurucul vice president of product marketing and solutions Sanjay Raja said getting control of that flood of information – and making good use of it – requires effective configuration and customization.
Cloud Data Adds to SIEM Challenges
The cloud is a key factor in the SIEM configuration challenge. As organizations move more and more infrastructure to the cloud, the amount of data available for analysis just keeps growing, Raja said.
“Each architecture in the cloud is offering its own datasets, and it’s actually offering a lot more detail…and there’s a lot more alerting going on because of that,” he said.
At the same time, Raja said it’s often unclear whether the data security teams are getting from the cloud is actually what they need. “Are you getting the right datasets? Are you getting a complete set of datasets? People are struggling with trying to understand, ‘Am I really seeing everything from the cloud that I need to?’”
That can quickly become overwhelming. “A lot of the folks on the SOC team aren’t experts on the cloud,” Raja said. “Sure, the cloud team is really responsible for moving anything over to there, but now, as a security administrator, I have to be able to understand what that data means.”
So security experts now have to become cloud experts as well. “Before, I didn’t really have to know a ton about the app, or about the server – those are more simplistic. The cloud is much more complex,” Raja said. “And it becomes even worse when you’ve got multi-cloud environments.”
Detection Engineering
Helping security analysts parse the data that comes in is also an ongoing challenge. To address that challenge, Gurucul is seeing the rise of detection engineering groups, Raja said. “They’ve always been there, but they’re becoming more important to organizations to be able to configure and refine down the amount of data that gets sent to the security analysts.”
Raja said Gurucul also sees a lot of organizations struggling to support new devices, or new versions of devices. “The data changes, and now I need to be able to look at it differently, and yet the data parsers that were included with my platform don’t support that new version, so what do I do? This is where they go back to a detection engineer and build a parser that way.”
It’s also critically important to build effective detection models, monitoring for activity that crosses specific thresholds such as repeated login attempts. “You need the ability to either create your own models, or ideally to customize existing models, because now you can tweak them for your organization and your IT and governance rules,” Raja said.
That’s inevitably an ongoing process, with models having to be modified in response to new threats. “If I see a really high-profile attack out there that does some known behavior, I want to be able to tweak that in my model to go, ‘Okay, I’ve seen this is a problem – let me change the model a bit, and now I’m ready for it,’” Raja said.
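To make the two detection-engineering tasks above concrete (writing a parser for a device version the stock parsers do not understand, and a threshold model for repeated login attempts that an organization can tune), here is an added Python example that is not from the article or from Gurucul. The log formats, field names and sample lines are constructed for illustration; the threshold and window are the knobs the text says should be customizable per organization.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: the first three use a key=value format a stock
# parser handles; the last three come from a hypothetical "new device version"
# that switched to JSON with different field names for the same information.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z auth user=alice result=failure src=10.0.0.5",
    "2024-05-01T10:00:20Z auth user=alice result=failure src=10.0.0.5",
    "2024-05-01T10:00:45Z auth user=bob result=success src=10.0.0.9",
    '{"time":"2024-05-01T10:01:10Z","username":"alice","outcome":"denied","client":"10.0.0.5"}',
    '{"time":"2024-05-01T10:01:30Z","username":"alice","outcome":"denied","client":"10.0.0.5"}',
    '{"time":"2024-05-01T10:09:00Z","username":"bob","outcome":"denied","client":"10.0.0.9"}',
]
KV_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$")

def parse_event(line):
    """Normalise either format into one schema: {ts, user, failed, src}."""
    if line.startswith("{"):                       # new JSON version of the device
        rec = json.loads(line)
        return {"ts": datetime.fromisoformat(rec["time"].replace("Z", "+00:00")),
                "user": rec["username"], "failed": rec["outcome"] == "denied",
                "src": rec["client"]}
    m = KV_RE.match(line)                          # legacy key=value version
    if not m:
        return None                                # unknown format: skip, never crash the pipeline
    return {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "user": m["user"], "failed": m["result"] == "failure", "src": m["src"]}

def repeated_login_failures(lines, threshold=3, window=timedelta(minutes=5)):
    """Threshold model: alert when a user reaches `threshold` failures inside a sliding `window`."""
    failures = defaultdict(list)                   # user -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev or not ev["failed"]:
            continue
        recent = [t for t in failures[ev["user"]] if ev["ts"] - t <= window]
        recent.append(ev["ts"])
        failures[ev["user"]] = recent
        if len(recent) == threshold:               # fire when the count reaches the threshold, not on every later failure
            alerts.append({"user": ev["user"], "count": threshold, "src": ev["src"], "at": ev["ts"].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in repeated_login_failures(SAMPLE_LOGS):
        print(alert)
```

With the defaults, only alice trips the model (three failures within five minutes, spanning both log formats); bob's single denied login and successful login do not.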
Five Key Areas of SIEM Configuration
Ultimately, Raja said, there are five key things to keep in mind regarding SIEM configuration if you want to avoid the kind of overload and frustration found among the security pros surveyed at RSA.
- Configure the full set of data sources you want to pull in: “Configuring your SIEM to be able to pull in all that data across cloud, across regions, remote, is very important, because otherwise you’re not getting a complete picture.”
- Configure the SIEM to parse incoming data effectively: “That means, as a SOC, I’m monitoring the things that are important from a security standpoint, and sifting through all the other data to figure out, is this important or is it not important?”
- Configure cloud sources to send the right data to the SIEM: “A lot of times, the security admin doesn’t know whether what the cloud is sending is correct or not, so they have to work with the cloud team to make sure they’re getting the right data for monitoring purposes.”
- Configure the SIEM to leverage identity data effectively: “If you can pull that data into your SIEM and view it in your SIEM, you can start to look at that dataset and be more effective at determining what’s allowed and what’s not.”
- Build an effective and comprehensive set of threat models: “The included models in most SIEMs are pretty light, and they’re pretty limited. If you can get detection engineering to build a set of robust threat models, that’s going to help detect a threat faster.”
Effective configuration makes the rest of your job much easier. “The more you can do up front around configuring things right, getting things working and deployed properly, and being able to parse data properly, the more it makes all the other functions easier within a SOC,” he said.