Safety info and occasion administration expertise has lengthy been a cornerstone of the SOC — gathering, correlating and centralizing safety knowledge to allow extra environment friendly and efficient risk detection and incident response.
SIEM integrates with instruments, providers and endpoints throughout a corporation and handles large quantities of knowledge, making migration a major endeavor. The excellent news is that considerate and strategic planning could make the distinction between a rocky and easy deployment. For those who’ve just lately bought SIEM expertise or are within the means of doing so, let’s study some greatest practices for implementation.
Key SIEM deployment steps
Whereas each deployment is exclusive, the next key steps are advisable throughout most or all SIEM implementations.
1. Design the SIEM’s structure
The SIEM structure contains all of the supporting programs that SIEM depends upon and interacts with. On this part, rigorously contemplate the platform’s present and future efficiency, resilience and safety wants.
Determine and prioritize your group’s prime SIEM use circumstances, which ought to inform choices in regards to the structure. When you’ve got use circumstances that SIEM would not handle by itself, contemplate adopting further complementary applied sciences or methods. Organizations at present generally mix SIEM with different instruments, akin to SOAR and XDR, for instance.
Notice each major and tangential prices when designing the SIEM structure and planning its deployment. Potential unanticipated prices embrace the next:
- Cyber risk intelligence feeds the SIEM ingests.
- Migration of saved log knowledge from the prevailing SIEM to the brand new SIEM.
- Parallel operation of the legacy SIEM and new SIEM resulting from a phased migration or log retention necessities.
- Lengthy-term log knowledge retention.
- Workers coaching on the brand new SIEM.
- Information ingestion-based pricing fashions, which might trigger unexpected price will increase. Within the case of an uncommon safety occasion, for instance, large jumps in logging may end in skyrocketing prices.
2. Plan the deployment
The planning part could be surprisingly advanced because of the quantity of programs that work together with SIEM. For instance, a SIEM platform should combine with all of the applied sciences it depends on for info, together with logs, intelligence feeds, vulnerability and asset administration programs, and some other applied sciences that present vital inputs.
Deployment additionally wants to incorporate all of the applied sciences the SIEM itself feeds — for instance, safety orchestration, automation and response; endpoint detection and response; and different incident response instruments.
When you’ve got a legacy SIEM in place, additionally, you will want to contemplate the next:
- Which customized dashboards, configurations and workflows might want to migrate to make sure continuity and guarantee necessary safety alerts do not fall via the cracks.
- Whether or not your group must retain legacy log knowledge, akin to to satisfy regulatory necessities or set up efficiency baselines. If that’s the case, decide how and the place the legacy knowledge will reside — e.g., within the previous SIEM, the brand new SIEM or a third-party knowledge administration platform.
- Whether or not recognized or unknown customers exist past SecOps, with use circumstances that would broaden the scope of migration and introduce further challenges.
3. Carry out a phased deployment
Quickly switching over to a brand new SIEM may end up in chaos and confusion, making it practically unattainable to pinpoint the reason for a given drawback and repair it in a well timed method.
It is best, due to this fact, to run the previous and new SIEMs in parallel and progressively check and combine extra programs with the brand new platform. Handle any glitches as they come up. Take a look at the SIEM to gauge efficiency, resilience and safety.
A caveat: Working two SIEMs in manufacturing for an prolonged time can overload employees. Safety leaders might want to stability the necessity for methodical deployments towards environment friendly ones.
4. Configure and tune
SIEMs require a whole lot of preliminary handbook configuration — with fixed reconfiguration over time — to maintain false-positive and false-negative alerts at cheap ranges. Create and refine rule units and filters; tune alerts, thresholds and triggers; and develop and refine dashboards and studies to satisfy the group’s wants.
5. Replace insurance policies, processes and procedures
Ideally, this work begins within the earlier steps and concludes as SIEM nears full-production rollout. Prepare personnel on the use and upkeep of the brand new SIEM.
Karen Scarfone is a normal cybersecurity professional who helps organizations talk their technical info via written content material. She co-authored the Cybersecurity Framework (CSF) 2.0 and was previously a senior pc scientist for NIST.
