It’s most likely no surprise to you that in 2020 businesses faced a 20% increase in cyber security threats, compared to 2019. In fact, on average there was an attempted attack on businesses every 46 seconds. As cyber criminals become more sophisticated in their targeting and attacks, businesses also need to raise the bar in their cyber security. However, this can become very time consuming for IT teams, especially if you’re just starting out.

Better insight into your environment, and into what your servers, network devices and security products are actually doing, will help with this. All of them constantly generate logs that contain exactly this information. By collecting and processing those logs you gain valuable insight into what is happening on your network.

This is where deploying a SIEM (Security Information and Event Management) solution into your environment comes into play.

But is it that simple?

You’ve probably already realised that it’s not, and that you’re feeling overwhelmed by the complexities of implementation. The following SIEM guide will help you get started.

Security logging and SIEM

A SIEM platform is generally regarded as one of the foundational solutions when starting out on the path to a formulated security strategy. The volume of logs generated by the various solutions in place can be huge, and a SIEM platform is the tool designed to collect, correlate and present them to you in a meaningful manner.

When it comes to procuring a SIEM solution, it is not simply a case of installing the software, sending all the logs to it and magically getting the desired results. You need a clear implementation plan and an understanding of what it entails. That plan is what ensures your investment gives you exactly what you need, whether your priority is the network traffic in and out of the data centre or what is happening within your cloud platform.

Avoid this major pitfall

A common mistake is rushing an implementation by logging everything all at once. You then find yourself trying to sort through the millions of events pouring into the platform. This is inefficient and, ultimately, delays you getting real value from your SIEM solution.

Instead, at Proact we recommend an incremental approach. Start out with key systems that offer high quality log data. This way you will quickly start to get valuable security insights into your network.

Our recommended approach

The number of devices and systems deployed in an environment can be extensive, so it is often a challenge to decide which of them to collect logs from. Collecting logs from everything can overload your SOC team and, in the end, leave you with less intelligence rather than more.

There are key devices and areas that should always be at the front of the list for log collection. They earn that place because of the role they play: showing you the traffic moving in and out of your network, or who is trying to authenticate to the systems you use (email, VPN or cloud services).

Examples of these are:

  • Perimeter firewalls (with services such as VPN, IPS/IDS)
  • Authentication servers (Active Directory)
  • Internal firewalls and cloud platforms (such as AWS, Azure and O365)

Once these are onboarded and alarms have been enabled, a second round of logging might then focus on systems such as endpoint protection, web proxy, desktops, wireless LAN and core layer 3 switches.
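To show what "alarms enabled" on the first-wave sources looks like in practice, here is an added example (it is not code from the original article or from Proact's platform). It normalises two constructed log feeds, a perimeter VPN gateway's syslog-style lines and pre-parsed Windows Security events from a domain controller (4625 = failed logon, 4624 = successful logon), onto one schema and raises an alarm when a single source IP accumulates failed logons across both sources within a short window, escalating if a success from that IP follows. The log format, field names and thresholds are assumptions for the example; a real SIEM would use its own parsers and rule language.

```python
"""Added example: correlate VPN and Active Directory logon events into one alarm."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Field names are assumptions.
VPN_LOGS = [
    "2024-05-01T08:00:01Z vpn-gw auth user=alice src=203.0.113.7 result=failure",
    "2024-05-01T08:00:09Z vpn-gw auth user=bob src=203.0.113.7 result=failure",
    "2024-05-01T08:00:17Z vpn-gw auth user=carol src=203.0.113.7 result=failure",
    "2024-05-01T08:01:30Z vpn-gw auth user=dave src=198.51.100.4 result=success",
    "2024-05-01T08:01:31Z vpn-gw session user=dave src=198.51.100.4 bytes=1024",
]
AD_EVENTS = [  # Windows Security event IDs: 4625 failed logon, 4624 successful logon
    {"time": "2024-05-01T08:00:25Z", "event_id": 4625, "user": "alice", "src": "203.0.113.7"},
    {"time": "2024-05-01T08:00:40Z", "event_id": 4625, "user": "alice", "src": "203.0.113.7"},
    {"time": "2024-05-01T08:01:02Z", "event_id": 4624, "user": "alice", "src": "203.0.113.7"},
]

VPN_RE = re.compile(
    r"^(?P<time>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def normalise(vpn_lines, ad_events):
    """Map both sources onto one schema: (time, source, user, src_ip, success)."""
    events = []
    for line in vpn_lines:
        m = VPN_RE.match(line)
        if not m:
            continue  # not an auth line (or unparseable): skip rather than crash the pipeline
        events.append((parse_time(m["time"]), "vpn", m["user"], m["src"], m["result"] == "success"))
    for e in ad_events:
        if e["event_id"] in (4624, 4625):
            events.append((parse_time(e["time"]), "ad", e["user"], e["src"], e["event_id"] == 4624))
    return sorted(events)  # time-ordered so the sliding window below is correct


def detect_bruteforce(events, failures=4, window=timedelta(minutes=5)):
    """Alarm when one source IP reaches `failures` failed logons (any source) within
    `window`; escalate to high severity if a successful logon from that IP follows."""
    recent = defaultdict(deque)  # src_ip -> deque of (time, user) for recent failures
    alarms = []
    for t, source, user, src, ok in events:
        q = recent[src]
        while q and t - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        if not ok:
            q.append((t, user))
            if len(q) == failures:  # fire once, when the threshold is first crossed
                alarms.append({
                    "src": src, "severity": "medium", "source": source,
                    "users": sorted({u for _, u in q}),
                    "reason": f"{failures} failed logons within {window}",
                })
        elif len(q) >= failures:
            alarms.append({
                "src": src, "severity": "high", "source": source,
                "users": sorted({u for _, u in q}),
                "reason": f"successful logon for {user} after {len(q)} failures",
            })
    return alarms


def run_sample():
    return detect_bruteforce(normalise(VPN_LOGS, AD_EVENTS))


if __name__ == "__main__":
    for alarm in run_sample():
        print(alarm)
```

The point of the example is the correlation: neither feed on its own crosses the threshold (three VPN failures, two AD failures), but the same source IP seen across the firewall and the domain controller does, which is why those two sources are worth onboarding first and together.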

Systems such as edge switches, load balancers or even hypervisors, like VMware ESXi, can generate a large number of logs while potentially offering little security value. Consider these types of systems carefully and add them on a case by case basis, after an assessment of what the risk to the business would be if that system were compromised.

It is important to acknowledge that a SIEM implementation cannot be treated as a "fire and forget" solution. Once logging is in place, continual tuning and adjustment will be needed. Tuning could mean using firewall logs to track down a misconfiguration that is generating noise, or improving the quality of the logs being collected from Windows machines (especially if you are using Windows Event Collector to forward them).
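As an added example of the firewall-log tuning mentioned above (again, not code from the original article or Proact's platform), the block below summarises constructed firewall deny logs by source, destination and port and flags any single tuple that dominates the deny volume. An internal host that accounts for most of the denies, here a server still pointed at a decommissioned NTP address, is almost always a misconfiguration to fix at the source (or suppress in the SIEM once understood) rather than something to alert on. The log format and the 30% / 10-event thresholds are assumptions for the example.

```python
"""Added example: find the misconfiguration behind a noisy firewall deny feed."""
import ipaddress
import re
from collections import Counter

# Constructed sample logs (not real): 40 denies from one internal host to an old
# NTP server, plus a handful of unrelated external probes. Format is an assumption.
FW_DENY_LOGS = [
    f"2024-05-01T09:{i // 60:02d}:{i % 60:02d}Z fw-edge action=deny src=10.0.1.25 "
    f"dst=10.0.2.10 proto=udp dport=123"
    for i in range(0, 2400, 60)  # one line per minute for 40 minutes
] + [
    "2024-05-01T09:03:11Z fw-edge action=deny src=198.51.100.23 dst=192.0.2.5 proto=tcp dport=22",
    "2024-05-01T09:07:42Z fw-edge action=deny src=198.51.100.23 dst=192.0.2.5 proto=tcp dport=3389",
    "2024-05-01T09:12:05Z fw-edge action=deny src=203.0.113.9 dst=192.0.2.5 proto=tcp dport=445",
    "2024-05-01T09:20:59Z fw-edge action=deny src=203.0.113.9 dst=192.0.2.6 proto=tcp dport=23",
    "2024-05-01T09:33:18Z fw-edge action=deny src=203.0.113.44 dst=192.0.2.5 proto=tcp dport=8080",
]

DENY_RE = re.compile(
    r"action=deny src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)


def summarise_denies(lines):
    """Count deny events per (src, dst, proto, dport) tuple."""
    counts = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if m:  # ignore lines that are not denies or that do not parse
            counts[(m["src"], m["dst"], m["proto"], int(m["dport"]))] += 1
    return counts


def tuning_candidates(counts, min_share=0.30, min_events=10):
    """Return tuples that dominate the deny volume, with advice on what to do.

    A private (RFC 1918) source hammering one destination is a likely internal
    misconfiguration; an external source is kept as-is for the analysts."""
    total = sum(counts.values())
    candidates = []
    for (src, dst, proto, dport), n in counts.most_common():
        share = n / total if total else 0.0
        if n < min_events or share < min_share:
            break  # most_common() is sorted, so nothing later can qualify
        internal = ipaddress.ip_address(src).is_private
        candidates.append({
            "src": src, "dst": dst, "proto": proto, "dport": dport,
            "events": n, "share": round(share, 2), "internal_source": internal,
            "advice": ("probable misconfiguration: fix at source, then suppress this tuple"
                       if internal else
                       "external source: keep alerting, consider blocking at the perimeter"),
        })
    return candidates


def run_sample():
    return tuning_candidates(summarise_denies(FW_DENY_LOGS))


if __name__ == "__main__":
    for c in run_sample():
        print(c)
```

Run regularly, a report like this is what turns "millions of deny events" into one ticket for the server team and a much quieter, more trustworthy firewall feed; the remaining external probes are then visible instead of being buried.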

How can Proact help?

We’ve only really scratched the surface in this SIEM guide. The management overhead and potential complexity of implementing a SIEM solution can make deploying the tool a challenge, and staffing it properly can prove costly. So it is easy to understand why more and more organisations opt for a managed SIEM service.

Proact offers an affordable, fully managed SIEM service. You get not only the SIEM platform but also the people to manage it for you. Our Security Operations Centre takes away the pain of working out what to do when deploying a SIEM tool, helping to make your life easier.

Book a meeting with our team to find out more.

Jason Lucas

Presales Security Specialist, UK