Four Steps To Supercharge Your SIEM
Originally posted as an eBook.
Adjust Expectations, Set New Goals
Getting the most from your SIEM takes more than mastering a new dashboard. Like a race car, a SIEM is a high-performance device that can’t run itself. You need a management strategy that focuses on winning outcomes. Here are four things you can do to get your SIEM on the fast track:
Reduce Noisy Traffic
When you first deployed, you probably connected everything possible to your SIEM. Now you have an avalanche of data that’s so overwhelming, you may not notice a sneaky threat buried in the ocean of noise.
Focus on the data that actually matters. Removing log sources sounds counterintuitive, but when a source delivers events that never produce an actionable result, your analysts are simply chasing their tails. Tune those sources down or disconnect them from correlation; where retention rules require the raw logs, keep them in cheaper storage rather than feeding them to the rule engine.
TIP: Plan a small project to measure which log sources generate alerts that are never acted on. If that noise is concentrated in a few sources rather than spread evenly, isolate those sources and reduce their volume or turn them off.
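The measurement that tip describes, as an added example (not part of the original eBook): closed alerts are grouped by log source, each source gets a share of total volume and a non-actionable rate, and only sources that are both high-volume and almost never actionable are flagged. The source names and disposition counts are constructed; in practice they come from your SIEM's closed-alert report or your ticketing system.

```python
"""Rank SIEM log sources by how much of their alert volume goes nowhere.

Added example, not from the eBook. The source names and disposition counts
below are constructed; in practice they come from your SIEM's closed-alert
report or ticketing system.
"""
from collections import Counter, defaultdict

# Constructed summary of closed alerts per log source, by analyst disposition.
# "no_action" means the alert was closed without anyone working it.
CLOSED_ALERTS = {
    "edr":          {"true_positive": 40, "false_positive": 10,  "no_action": 0},
    "proxy-01":     {"true_positive": 12, "false_positive": 18,  "no_action": 5},
    "vpn-gw":       {"true_positive": 3,  "false_positive": 4,   "no_action": 1},
    "dev-scanner":  {"true_positive": 0,  "false_positive": 120, "no_action": 310},
    "printer-vlan": {"true_positive": 0,  "false_positive": 6,   "no_action": 2},
}


def expand(counts_by_source):
    """Turn the per-source counts into one (source, disposition) record per alert."""
    for source, counts in counts_by_source.items():
        for disposition, n in counts.items():
            yield from ((source, disposition) for _ in range(n))


def summarize(alerts):
    """Per-source alert volume, share of total volume and non-actionable fraction."""
    by_source = defaultdict(Counter)
    for source, disposition in alerts:
        by_source[source][disposition] += 1
    total = sum(sum(c.values()) for c in by_source.values())
    rows = []
    for source, counts in by_source.items():
        volume = sum(counts.values())
        rows.append({
            "source": source,
            "volume": volume,
            "share": volume / total,
            "noise_rate": 1 - counts["true_positive"] / volume,
        })
    rows.sort(key=lambda r: r["volume"], reverse=True)
    return rows


def recommend(rows, min_share=0.10, min_noise=0.90):
    """Sources worth tuning or disconnecting: a large share of volume, almost never actionable.

    Low-volume noisy sources are deliberately left alone; they cost little and
    their logs may still matter in an investigation.
    """
    return [r["source"] for r in rows
            if r["share"] >= min_share and r["noise_rate"] >= min_noise]


if __name__ == "__main__":
    rows = summarize(expand(CLOSED_ALERTS))
    for r in rows:
        print(f"{r['source']:<13} volume={r['volume']:>4} "
              f"share={r['share']:.1%} noise={r['noise_rate']:.1%}")
    print("tune or disconnect:", recommend(rows))
```

On the constructed data, dev-scanner produces over 80% of all alerts and none of them are true positives, so it is the only source flagged; printer-vlan is just as noisy but too small to matter, which is the distinction between "noisy" and "worth acting on" that the tip is about.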
Automate Repetitive Tasks
Your SIEM creates alerts for things in your environment you could never see before. That is the point of a SIEM. But if your threat team is manually resolving every alert the same way, over and over, you need to automate with intelligent scripts. When repetitive sequences are handled by scripts, your threat analysts are freed up for higher-value tasks.
TIP: Automate scripted responses for repetitive alerts such as:
• Block a URL
• Put on a watch list
• Initiate a work ticket to clean or restart a machine
• Others as you identify them
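A scripted-response router of the kind the list above calls for, as an added example (not code from the original eBook). The rule names, alert fields and allowlist are constructed, and the actions are returned as records for whatever orchestration layer actually talks to the proxy, firewall or ticketing API. Two guardrails a practitioner would want are included: an allowlist so automation never blocks your own infrastructure, and a suppression window so a repeating alert on the same host opens one ticket, not fifty.

```python
"""Route repetitive SIEM alerts to scripted responses, with guardrails.

Added example, not from the eBook. Rule names, alert fields and the allowlist
are constructed. Actions are returned as records for an orchestration layer to
execute; nothing here calls a real firewall, proxy or ticketing system.
"""
from urllib.parse import urlsplit

# Constructed playbook: alert rule -> (scripted action, alert field holding the target).
PLAYBOOK = {
    "proxy.known_bad_url":     ("block_url", "url"),
    "auth.password_spray_src": ("watchlist", "src_ip"),
    "edr.malware_quarantined": ("ticket", "host"),
}

# Never auto-block your own infrastructure or the partners the business depends on.
ALLOWLIST_HOSTS = {"sso.corp.example", "updates.corp.example"}


class Responder:
    def __init__(self, playbook, allowlist, suppress_seconds=3600):
        self.playbook = playbook
        self.allowlist = allowlist
        self.suppress_seconds = suppress_seconds
        self.last_action = {}   # (action, target) -> epoch seconds of last execution
        self.watchlist = set()

    def handle(self, alert):
        """Decide what to do with one alert and return an action record."""
        entry = self.playbook.get(alert["rule"])
        if entry is None:
            # Not a repetitive, well-understood pattern: leave it to an analyst.
            return {"action": "escalate", "target": alert["rule"], "reason": "no playbook"}
        action, field_name = entry
        target = alert[field_name]
        if action == "block_url" and urlsplit(target).hostname in self.allowlist:
            return {"action": "escalate", "target": target, "reason": "allowlisted host"}
        key = (action, target)
        last = self.last_action.get(key)
        if last is not None and alert["ts"] - last < self.suppress_seconds:
            # Same response already fired for this target recently; do not repeat it.
            return {"action": "suppressed", "target": target, "reason": action}
        self.last_action[key] = alert["ts"]
        if action == "watchlist":
            self.watchlist.add(target)
        return {"action": action, "target": target, "reason": alert["rule"]}

    def run(self, alerts):
        """Process alerts in time order so the suppression window behaves predictably."""
        return [self.handle(a) for a in sorted(alerts, key=lambda a: a["ts"])]


# Constructed alert stream: epoch seconds, rule, and the field the playbook reads.
ALERTS = [
    {"ts": 1000, "rule": "proxy.known_bad_url", "url": "http://bad.example/x.php"},
    {"ts": 1010, "rule": "edr.malware_quarantined", "host": "WS-0441"},
    {"ts": 1020, "rule": "edr.malware_quarantined", "host": "WS-0441"},   # repeat, same host
    {"ts": 1030, "rule": "auth.password_spray_src", "src_ip": "198.51.100.9"},
    {"ts": 1040, "rule": "proxy.known_bad_url", "url": "https://sso.corp.example/login"},
    {"ts": 1050, "rule": "dns.new_tld_seen", "domain": "foo.zip"},        # no playbook
    {"ts": 5000, "rule": "edr.malware_quarantined", "host": "WS-0441"},   # outside the window
]

if __name__ == "__main__":
    responder = Responder(PLAYBOOK, ALLOWLIST_HOSTS)
    for record in responder.run(ALERTS):
        print(record)
    print("watchlist:", sorted(responder.watchlist))
```

Anything without a playbook entry, and anything that would hit the allowlist, comes back as "escalate" rather than being silently dropped, so the scripts only take the decisions you have explicitly handed them.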
Watch for Warnings
The yellow caution flag indicating an accident on the track is just as important as any red light on your dashboard. Ignoring external warnings can be dangerous.
Attempting to identify malicious behavior without correlating network activity to known threat indicators can be just as dangerous. Integrating threat intelligence feeds may be the easiest way to improve your SIEM’s productivity. When you can associate inbound and outbound activity with a known malicious indicator (an IP address, network range, domain, or URL), you are able to quickly curtail or stop an attack or breach.
Why would you ignore known threat intelligence? According to a February 2015 SANS survey, over two-thirds of respondents do not integrate cyberthreat intelligence into their SIEM for detection and response. If you are like most of those surveyed, seriously consider changing this soon.
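The correlation described above, as an added example that is not part of the original eBook: a small indicator set indexed for exact-IP, CIDR and domain-suffix lookups, run over a handful of proxy/firewall events. The feed entries, internal address ranges and log lines are all constructed. The domain match is label-aware on purpose, since a naive substring match on "evil.example" would also flag "notevil.example".

```python
"""Correlate proxy/firewall events with a threat indicator feed.

Added example, not from the eBook. The indicator feed, internal ranges and log
lines are constructed; a real deployment loads the feed from a vendor or
open-source source and reads events from the SIEM.
"""
import ipaddress
from urllib.parse import urlsplit

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed indicator feed: (value, type, confidence 0-100).
IOC_FEED = [
    ("203.0.113.0/24", "cidr", 80),
    ("198.51.100.23", "ip", 95),
    ("evil.example", "domain", 90),
    ("tracker.bad.example", "domain", 60),
]

# Constructed log lines: timestamp, source IP, destination IP, URL or "-".
LOG_LINES = """\
2015-02-10T09:12:01Z 10.1.4.22 198.51.100.23 http://198.51.100.23/gate.php
2015-02-10T09:12:05Z 10.1.4.22 93.184.216.34 http://www.example.com/
2015-02-10T09:13:44Z 203.0.113.77 10.1.0.5 -
2015-02-10T09:14:02Z 10.1.9.8 198.51.100.50 http://cdn.evil.example/update.bin
2015-02-10T09:15:30Z 10.1.9.8 198.51.100.50 http://notevil.example/
"""


class IndicatorSet:
    """Indicator feed indexed for exact-IP, CIDR and domain-suffix lookups."""

    def __init__(self, feed):
        self.ips, self.nets, self.domains = {}, [], {}
        for value, kind, confidence in feed:
            if kind == "ip":
                self.ips[ipaddress.ip_address(value)] = confidence
            elif kind == "cidr":
                self.nets.append((ipaddress.ip_network(value), confidence))
            elif kind == "domain":
                self.domains[value.lower().rstrip(".")] = confidence

    def match_ip(self, ip):
        ip = ipaddress.ip_address(ip)
        if ip in self.ips:
            return str(ip), self.ips[ip]
        for net, confidence in self.nets:
            if ip in net:
                return str(net), confidence
        return None

    def match_domain(self, host):
        # Label-aware suffix match: cdn.evil.example hits evil.example,
        # notevil.example does not, and the bare TLD is never tried.
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate, self.domains[candidate]
        return None


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def correlate(log_text, iocs):
    """Return one hit per log line whose source, destination or URL host is a known indicator."""
    hits = []
    for line in log_text.splitlines():
        ts, src, dst, url = line.split()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        direction = "outbound" if is_internal(src_ip) else "inbound"
        match = iocs.match_ip(dst_ip) or iocs.match_ip(src_ip)
        if match is None and url != "-":
            host = urlsplit(url).hostname
            if host:
                match = iocs.match_domain(host)
        if match:
            hits.append({"ts": ts, "src": src, "dst": dst, "direction": direction,
                         "indicator": match[0], "confidence": match[1]})
    return hits


if __name__ == "__main__":
    for hit in correlate(LOG_LINES, IndicatorSet(IOC_FEED)):
        print(hit)
```

Three of the five constructed events are hits: an outbound connection to a listed IP, an inbound connection from a listed range, and an outbound download from a subdomain of a listed domain. Carrying the feed's confidence score through to the hit is what lets you treat a 60 match differently from a 95 match when you tune alert thresholds.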
...and Up Your Octane
General feeds provided by system manufacturers and open-source feeds are a basic start, but they aren’t nearly enough. You need to expand the number of threat indicators you are including while reducing false alarms and the useless chatter generated in your system.
To do that, you need high-quality, vetted data feeds from a trusted source. Infoblox uses proven automated systems, with human review, to refine its threat indicator feeds before they hit your SIEM, allowing you to focus on observed and verified threats.
Take It Up A Notch... Or Three
Your SIEM deployment started with identifying three to five of your biggest security problems. Defining these use cases took time, and may not have been the most enjoyable step in deployment.
But now that you’ve been through a few cycles, it’s time to review your scenarios. Are you effectively dealing with your top problems? What about the lower priority use cases you chose not to address in the first go-round? Are they still causing trouble? Should they be included now?
This is a good time to review and update your original use cases. If you’re meeting your goals, bravo. If not, regroup and take another run at getting these important problems solved.
Find Your Drive
Get the most out of your high performance machine. When it comes to winning your daily cybersecurity race, your SIEM was designed to get you around the track fast. Use these best practices to stay out of the gravel traps, smoothly navigate the chicanes, and accelerate down the straightaway.
It’s remarkable what you can accomplish with the right combination of machine, fuel, and driving.